# Weblate, run as a rootless Podman container from the upstream docker.io/weblate image
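class tails::weblate::podman (
  # Secrets. They are rendered into ${weblate_config_dir}/podman.env below.
  # NOTE(review): they are plain Strings, so they also travel in clear in the
  # compiled catalog; `Sensitive[String]` would redact them from Puppet
  # logs/reports as well, but the epp template would then have to unwrap them.
  String $weblate_admin_password,
  String $weblate_secret_key,
  String $postgres_password,
  String $redis_password,
  # Additional hostnames Weblate accepts besides $weblate_site_domain.
  Array[String] $weblate_alternative_domains = [],
  String $weblate_admin_name = 'Weblate Admin',
  String $weblate_admin_email = 'tails-weblate@boum.org',
  # 10.0.2.2 is the host's loopback as seen from inside the slirp4netns
  # network used by the container (see the 'network' flag below).
  String $weblate_email_host = '10.0.2.2',
  String $weblate_email_port = '25',
  String $weblate_server_email = 'tails-sysadmins@boum.org',
  String $weblate_default_from_email = 'weblate@translate.tails.boum.org',
  String $weblate_default_commiter_email = 'tails-l10n@boum.org',
  String $weblate_default_commiter_name = 'Tails translators',
  String $weblate_mt_tmserver = 'http://10.0.2.2:8888/tmserver/',
  String $postgres_host = '10.0.2.2',
  String $postgres_user = 'weblate',
  String $postgres_port = '5432',
  String $redis_host = '10.0.2.2',
  String $redis_port = '6379',
  String $redis_db = '1',
  Array[String] $extra_volumes = [],  # Used for testing purposes
) inherits tails::weblate::params {
  # Inherited from tails::weblate::params: $system_user/$system_group and
  # their numeric $system_uid/$system_gid, the directory paths
  # ($weblate_home, $weblate_config_dir, $weblate_data_dir,
  # $weblate_scripts_dir, $weblate_repos_dir, $weblate_logs_dir,
  # $staging_www_dir), $weblate_site_domain, $postgres_database and
  # $weblate_version.

  class { 'podman':
    manage_subuid            => true,
    # podman-docker is currently only available in the Debian experimental repo
    podman_docker_pkg_ensure => 'absent',
  }

  # Application data needs to be accessible to:
  #
  #   1. the `weblate` host user that starts the container and is root inside
  #      of it; and
  #   2. the `weblate` container user used to run the application.
  #
  # To satisfy those, we do the following:
  #
  #   - Set the UID/GID of the (host) user/group `weblate` to a chosen value
  #     with enough slack for assigning a uid/gid namespace to it.
  #
  #   - Map a user namespace of subuids/subgids to the (host) `weblate` user to
  #     allow it to use a range of values inside the container.
  #
  #   - Set the owner of app data files/dirs to the UID that corresponds to the
  #     `weblate` user inside the container.
  #
  #   - Set the group of app data files/dirs to the GID that corresponds
  #     to the `weblate` group outside the container.
  #
  # This is an example of the mapping that we do:
  #
  #        | In the host                   | In the container     |
  #  , --- | ----------------------------- | -------------------- |
  #  | UID | 2001000 (in subuid namespace) | 1000 (weblate)       |
  #  | GID | 2000000 (weblate)             | 0    (root)          |
  #
  # Because the sub-ranges start right after the host uid/gid, container
  # UID/GID N (N >= 1) is host UID/GID $system_uid + N / $system_gid + N.

  # Map a set of subuids and subgids to the selected user and group.
  $subuid_start = $system_uid + 1
  $subgid_start = $system_gid + 1

  podman::subuid { $system_user:
    subuid  => $subuid_start,
    count   => 65536,
    require => User[$system_user],
  }

  podman::subgid { $system_group:
    subgid  => $subgid_start,
    count   => 65536,
    require => Group[$system_group],
  }

  # Rootless podman needs unprivileged user namespaces, which Debian kernels
  # gate behind this sysctl. Turning it on enlarges the kernel attack surface
  # reachable by *every* unprivileged user on this host, not only `weblate`;
  # that is the deliberate trade-off for not running the container as root.
  sysctl::value {
    'kernel.unprivileged_userns_clone': value => 1
  }

  ## Container configuration

  # Weblate config will, by default, try to grab a secret key from
  # `${weblate_data_dir}/secret` if that file exists, replacing the value
  # passed here through `$weblate_secret_key` in such case. Because of that, we
  # want to make sure that that file is absent, so that podman.env is the only
  # source of the key.
  file { "${weblate_data_dir}/secret":
    ensure => absent,
  }

  # Environment handed to the container through `--env-file`. It holds every
  # secret this class receives, hence the restrictive mode and the Puppet-side
  # precautions below.
  file { "${weblate_config_dir}/podman.env":
    ensure    => present,
    content   => epp('tails/weblate/podman.env.epp', {
      weblate_site_domain            => $weblate_site_domain,
      weblate_alternative_domains    => $weblate_alternative_domains,
      weblate_admin_name             => $weblate_admin_name,
      weblate_admin_password         => $weblate_admin_password,
      weblate_admin_email            => $weblate_admin_email,
      weblate_email_host             => $weblate_email_host,
      weblate_email_port             => $weblate_email_port,
      weblate_server_email           => $weblate_server_email,
      weblate_default_from_email     => $weblate_default_from_email,
      weblate_default_commiter_email => $weblate_default_commiter_email,
      weblate_default_commiter_name  => $weblate_default_commiter_name,
      weblate_secret_key             => $weblate_secret_key,
      weblate_mt_tmserver            => $weblate_mt_tmserver,
      postgres_database              => $postgres_database,
      postgres_host                  => $postgres_host,
      postgres_user                  => $postgres_user,
      postgres_password              => $postgres_password,
      postgres_port                  => $postgres_port,
      redis_host                     => $redis_host,
      redis_port                     => $redis_port,
      redis_db                       => $redis_db,
      redis_password                 => $redis_password,
    }),
    # Owner is the host `weblate` user (root inside the container); the group
    # is the host `weblate` group (root group inside the container).
    owner     => $system_uid,
    group     => $system_gid,
    mode      => '0640',  # contains passwords
    # Keep the passwords out of Puppet reports/logs and out of the local
    # filebucket: otherwise a content change is reported as a diff and the
    # previous version is copied to the clientbucket in clear.
    show_diff => false,
    backup    => false,
    notify    => Podman::Container['weblate'],
    require   => File[$weblate_config_dir],
  }

  # We need a patched settings file to fix https://github.com/WeblateOrg/weblate/issues/4037
  # XXX This needs to be updated each time we upgrade to a version < 4.1.1.
  # XXX Remove when upgrading to Weblate 4.1.1
  file { "${weblate_config_dir}/settings_docker.py":
    ensure  => present,
    source  => 'puppet:///modules/tails/weblate/config/settings_docker.py',
    owner   => $system_uid + 1000,  # Owner is `weblate` inside the container (UID 1000)
    group   => $system_gid,
    mode    => '0644',
    notify  => Podman::Container['weblate'],
    require => File[$weblate_config_dir],
  }

  # XXX Overlaying some libraries is needed because the libgnutls30 version in
  #     the Weblate 3.11.3 container is unable to verify the current Let's
  #     Encrypt certificate used by our GitLab instance.
  # XXX Remove (from here and from `run_in_container.sh`) once we run a newer
  #     container with an up-to-date version of libgnutls30.
  #
  # The host libraries are bind-mounted read-only (`ro`): the container only
  # needs to map them, and this keeps the container's root (the host `weblate`
  # user) from ever holding a writable handle on host-wide files. `z` asks
  # podman to relabel the source for SELinux; on a host without SELinux that
  # is effectively a no-op, but on one with it this would relabel system
  # libraries, which podman's own documentation warns against.
  $overlay_libraries = [
    '/usr/lib/x86_64-linux-gnu/libgnutls.so.30:/usr/lib/x86_64-linux-gnu/libgnutls.so.30:ro,z',
    '/usr/lib/x86_64-linux-gnu/libhogweed.so.6:/usr/lib/x86_64-linux-gnu/libhogweed.so.6:ro,z',
    '/usr/lib/x86_64-linux-gnu/libnettle.so.8:/usr/lib/x86_64-linux-gnu/libnettle.so.8:ro,z',
    '/usr/lib/x86_64-linux-gnu/libffi.so.7:/usr/lib/x86_64-linux-gnu/libffi.so.7:ro,z',
  ]

  podman::container { 'weblate':
    image   => "docker.io/weblate/weblate:${weblate_version}",
    # Rootless: started by the host `weblate` user, which is root inside the
    # container via the UID/GID mapping above.
    user    => $system_user,
    flags   => {
      # A bare HOST:CONTAINER spec publishes the port on every host interface.
      # If the reverse proxy that fronts Weblate presumably runs on this host,
      # '127.0.0.1:8080:8080' would keep the plain-HTTP application port off
      # the network; otherwise make sure the host firewall restricts it.
      'publish'  => '8080:8080',
      'volume'   => [
        "${weblate_data_dir}:/app/data:z",
        # NOTE(review): this could most likely be mounted `ro` too, unless
        # run_in_container.sh needs to write it -- confirm before changing.
        "${weblate_config_dir}/settings_docker.py:/usr/local/lib/python3.7/dist-packages/weblate/settings_docker.py:Z",
      ] + $overlay_libraries + $extra_volumes,
      'env-file' => "${weblate_config_dir}/podman.env",
      # With allow_host_loopback the container reaches the host's loopback at
      # 10.0.2.2; that is how it talks to PostgreSQL, Redis, the SMTP relay
      # and the tmserver. It exposes *every* service bound to the host's
      # loopback to the container, not only those four.
      'network'  => 'slirp4netns:allow_host_loopback=true',
    },
    require => [
      User[$system_user],
      Sysctl::Value['kernel.unprivileged_userns_clone'],
    ],
  }

  # We need Python's YAML module for some of our custom scripts that need to be
  # run inside the container. But the container itself doesn't include it, so
  # we link to a package installed on the host.
  #
  # XXX: remove this (and fix the run_in_container.sh script accordingly) if
  #      ever (a) we stop depending on YAML or (b) a newer version of the
  #      Weblate container includes it.
  ensure_packages(['python3-yaml'])

  # Helper used by operators/cron to execute commands inside the container.
  file { "${weblate_scripts_dir}/run_in_container.sh":
    ensure  => present,
    content => epp('tails/weblate/run_in_container.sh.epp', {
      weblate_home        => $weblate_home,
      weblate_config_dir  => $weblate_config_dir,
      weblate_data_dir    => $weblate_data_dir,
      weblate_scripts_dir => $weblate_scripts_dir,
      weblate_repos_dir   => $weblate_repos_dir,
      weblate_logs_dir    => $weblate_logs_dir,
      staging_www_dir     => $staging_www_dir,
      weblate_version     => $weblate_version,
    }),
    owner   => $system_uid,
    group   => $system_gid,
    mode    => '0755',
    require => [
      File[$weblate_data_dir],
      File[$weblate_scripts_dir],
      Package['python3-yaml'],
    ],
  }
}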