Merge pull request 'multi-redis' (#1) from multi-redis into master

Reviewed-on: #1

bundles/nextcloud/files/managed.config.php

@@ -25,4 +25,7 @@ $CONFIG = array (
   "memcache.local" => "\\OC\\Memcache\\Redis",
   "memcache.locking" => "\\OC\\Memcache\\Redis",
   "memcache.distributed" => "\OC\Memcache\Redis",
+  "redis" => [
+    "host" => "/var/run/redis-nextcloud/redis.sock",
+  ],
 );

bundles/nextcloud/metadata.py

@@ -52,6 +52,9 @@ defaults = {
             },
         },
     },
+    'redis': {
+        'nextcloud': {},
+    },
     'systemd-timers': {
         'nextcloud-cron': {
             'command': '/usr/bin/sudo -u www-data /usr/bin/php -f /opt/nextcloud/cron.php',

bundles/redis/items.py

@@ -1,5 +1,54 @@
 directories = {
+    '/etc/redis': {
+        'purge': True,
+        'needs': [
+            'pkg_apt:redis-server',
+        ],
+    },
     '/var/lib/redis': {
         'owner': 'redis',
+        'needs': [
+            'pkg_apt:redis-server',
+        ],
     },
 }
+
+files = {
+    '/etc/systemd/system/redis.service': {
+        'delete': True,
+        'needs': [
+            'pkg_apt:redis-server',
+        ],
+    },
+}
+
+svc_systemd = {
+    'redis': {
+        'running': False,
+        'enabled': False,
+        'needs': [
+            'pkg_apt:redis-server',
+        ],
+    },
+}
+
+for name, conf in node.metadata.get('redis').items():
+    files[f'/etc/redis/{name}.conf'] = {
+        'content': '\n'.join(
+            f'{key} {value}'
+                for key, values in sorted(conf.items())
+                for value in ([values] if isinstance(values, str) else sorted(values))
+                if value is not False
+        ) + '\n',
+        'owner': 'redis',
+        'triggers': [
+            f'svc_systemd:redis-{name}:restart'
+        ],
+    }
+    
+    svc_systemd[f'redis-{name}'] = {
+        'needs': [
+            'svc_systemd:redis',
+            f'file:/etc/redis/{name}.conf',
+        ],
+    }

bundles/redis/metadata.py

@@ -8,7 +8,12 @@ defaults = {
         'paths': {
             '/var/lib/redis',
         },
-    }
+    },
+    'redis': {
+        'server': {
+            'port': '6379',
+        },
+    },
 }
 
 if node.has_bundle('zfs'):
@@ -23,3 +28,139 @@ if node.has_bundle('zfs'):
             },
         },
     }
+
+
+@metadata_reactor.provides(
+    'redis',
+)
+def config(metadata):
+    redis = {}
+    
+    for name, conf in metadata.get('redis').items():
+        redis[name] = {
+            'bind': '127.0.0.1 ::1',
+            'protected-mode': 'yes',
+            'port': '0',
+            'tcp-backlog': '511',
+            'unixsocket': f'/var/run/redis-{name}/redis.sock',
+            'unixsocketperm': '777',
+            'timeout': '0',
+            'tcp-keepalive': '300',
+            'daemonize': 'yes',
+            'supervised': 'no',
+            'pidfile': f'/var/run/redis-{name}/redis.pid',
+            'loglevel': 'notice',
+            'logfile': f'/var/log/redis/{name}.log',
+            'databases': '16',
+            'always-show-logo': 'yes',
+            'save': {
+                '900 1',
+                '300 10',
+                '60 10000',
+            },
+            'stop-writes-on-bgsave-error': 'yes',
+            'rdbcompression': 'yes',
+            'rdbchecksum': 'yes',
+            'dbfilename': f'{name}.rdb',
+            'dir': '/var/lib/redis',
+            'lazyfree-lazy-eviction': 'no',
+            'lazyfree-lazy-expire': 'no',
+            'lazyfree-lazy-server-del': 'no',
+            'appendonly': 'no',
+            'appendfilename': '"appendonly.aof"',
+            'appendfsync': 'everysec',
+            'no-appendfsync-on-rewrite': 'no',
+            'auto-aof-rewrite-percentage': '100',
+            'auto-aof-rewrite-min-size': '64mb',
+            'aof-load-truncated': 'yes',
+            'aof-use-rdb-preamble': 'yes',
+            'lua-time-limit': '5000',
+            'slowlog-log-slower-than': '10000',
+            'slowlog-max-len': '128',
+            'latency-monitor-threshold': '0',
+            'notify-keyspace-events': '""',
+            'hash-max-ziplist-entries': '512',
+            'hash-max-ziplist-value': '64',
+            'list-max-ziplist-size': '-2',
+            'list-compress-depth': '0',
+            'set-max-intset-entries': '512',
+            'zset-max-ziplist-entries': '128',
+            'zset-max-ziplist-value': '64',
+            'hll-sparse-max-bytes': '3000',
+            'stream-node-max-bytes': '4096',
+            'stream-node-max-entries': '100',
+            'activerehashing': 'yes',
+            'client-output-buffer-limit': {
+                'normal 0 0 0',
+                'pubsub 32mb 8mb 60',
+            },
+            'hz': '10',
+            'dynamic-hz': 'yes',
+            'aof-rewrite-incremental-fsync': 'yes',
+            'rdb-save-incremental-fsync': 'yes',
+            **metadata.get(f'redis/{name}', {}),
+        }
+    
+    return {
+        'redis': redis,
+    }
+
+
+@metadata_reactor.provides(
+    'systemd/units',
+)
+def units(metadata):
+    units = {}
+    
+    for name, conf in metadata.get('redis').items():
+        units[f'redis-{name}.service'] = {
+            'Unit': {
+                'Description': f'redis {name}',
+                'After': 'network.target',
+            },
+            'Service': {
+                'Type': 'notify',
+                'ExecStart': f'/usr/bin/redis-server /etc/redis/{name}.conf --supervised systemd --daemonize no',
+                'PIDFile': f'/run/redis-{name}/redis.pid',
+                'TimeoutStopSec': '0',
+                'Restart': 'always',
+                'User': 'redis',
+                'Group': 'redis',
+                'RuntimeDirectory': f'redis-{name}',
+                'RuntimeDirectoryMode': '2755',
+                
+                'UMask': '007',
+                'PrivateTmp': 'yes',
+                'LimitNOFILE': '65535',
+                'PrivateDevices': 'yes',
+                'ProtectHome': 'yes',
+                'ReadOnlyDirectories': '/',
+                'ReadWritePaths': [
+                    '-/var/lib/redis',
+                    '-/var/log/redis',
+                    f'-/var/run/redis-{name}',
+                ],
+                
+                'NoNewPrivileges': 'true',
+                'CapabilityBoundingSet': 'CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE',
+                'MemoryDenyWriteExecute': 'true',
+                'ProtectKernelModules': 'true',
+                'ProtectKernelTunables': 'true',
+                'ProtectControlGroups': 'true',
+                'RestrictRealtime': 'true',
+                'RestrictNamespaces': 'true',
+                'RestrictAddressFamilies': 'AF_INET AF_INET6 AF_UNIX',
+                
+                'ProtectSystem': 'true',
+            },
+            'Install': {
+                'WantedBy': {'multi-user.target'},
+                'Alias': f'redis-{name}.service',
+            },
+        }
+    
+    return {
+        'systemd': {
+            'units': units,
+        }
+    }

bundles/rspamd/files/local.d/redis.conf

@@ -1 +1 @@
-servers = "127.0.0.1";
+servers = "/var/run/redis-rspamd/redis.sock";

bundles/rspamd/metadata.py

@@ -10,6 +10,9 @@ defaults = {
             'rspamd': {},
         },
     },
+    'redis': {
+        'rspamd': {},
+    },
     'rspamd': {
         'web_password': repo.vault.password_for(node.name + ' rspamd web password'),
         'ip_whitelist': set(),