diff --git a/data/common/sentry.yaml b/data/common/sentry.yaml
index f79b9c5a..a4efa3ae 100644
--- a/data/common/sentry.yaml
+++ b/data/common/sentry.yaml
@@ -1,28 +1,29 @@
 ---
 # sentry::secret_key in private-data
 sentry::postgres::host: db.internal.softwareheritage.org
 sentry::postgres::port: 5432
 sentry::postgres::dbname: sentry
 sentry::postgres::user: sentry
 # sentry::postgres::password in private-data
 sentry::admin_email: sysop+sentry@softwareheritage.org
 sentry::mail::host: "%{lookup('smtp::relay_hostname')}"
 sentry::mail::from: sentry@softwareheritage.org
+sentry::mail::list_namespace: sentry.softwareheritage.org
 sentry::backend::url: http://riverside.internal.softwareheritage.org:9000/
 sentry::vhost::name: sentry.softwareheritage.org
 sentry::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}"
 sentry::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}"
 sentry::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}"
 sentry::vhost::hsts_header: "%{hiera('apache::hsts_header')}"
 sentry::relay::id: "a3b8b08d-6c09-4065-b944-5d96b132d69f"
 sentry::relay::public_key: "VmNbDVTyLBKeRaUwu-_cwuvj2ZhH6R0-JBCjC6Pehzs"
 # sentry::relay::secret_key in private-data
 sentry::geoip::account_id: 464966
 # sentry::geoip::license_key in private-data
diff --git a/site-modules/profile/manifests/sentry.pp b/site-modules/profile/manifests/sentry.pp
index a1704504..c2129e93 100644
--- a/site-modules/profile/manifests/sentry.pp
+++ b/site-modules/profile/manifests/sentry.pp
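Review bot: The added `sentry::mail::list_namespace` repeats the literal `sentry.softwareheritage.org` that `sentry::vhost::name` already holds a few lines below, so the two values can silently drift apart; if they are meant to stay equal, the interpolation style this file already uses for `sentry::mail::host` expresses that directly: `sentry::mail::list_namespace: "%{lookup('sentry::vhost::name')}"`. If the namespace is deliberately independent of the vhost (the Sentry guidance quoted in the template change points at the `mail.from` domain rather than the web hostname), a one-line comment above the key naming which domain it is tied to would save the next reader the question. The value itself is a plain hostname-shaped scalar with no boolean, numeric or indicator characters, so it needs no quoting.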
@@ -1,192 +1,193 @@ # Deploy a Sentry instance class profile::sentry { include profile::docker include profile::docker_compose $onpremise_dir = '/var/lib/sentry-onpremise' $onpremise_repo = 'https://forge.softwareheritage.org/source/getsentry-onpremise.git' $onpremise_repo_branch = 'softwareheritage' vcsrepo {$onpremise_dir: ensure => latest, provider => 'git', source => $onpremise_repo, revision => $onpremise_repo_branch, notify => [ File_Line['sentry_environment_kafka'], Exec['run sentry-onpremise install.sh'], ], } -> file {$onpremise_dir: ensure => directory, owner => 'root', group => 'root', mode => '0700', } $requirements_file = "${onpremise_dir}/sentry/requirements.txt" $config_yml = "${onpremise_dir}/sentry/config.yml" $config_py = "${onpremise_dir}/sentry/sentry.conf.py" $relay_credentials_json = "${onpremise_dir}/relay/credentials.json" $relay_config_yml = "${onpremise_dir}/relay/config.yml" $symbolicator_config_yml = "${onpremise_dir}/symbolicator/config.yml" $clickhouse_config_xml = "${onpremise_dir}/clickhouse/config.xml" $geoip_conf = "${onpremise_dir}/geoip/GeoIP.conf" file {$requirements_file: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/requirements.txt.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } # variables for config.yml $admin_email = lookup('sentry::admin_email') $secret_key = lookup('sentry::secret_key') $vhost_name = lookup('sentry::vhost::name') $mail_host = lookup('sentry::mail::host') $mail_from = lookup('sentry::mail::from') + $mail_list_namespace = lookup('sentry::mail::list_namespace') file {$config_yml: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/config.yml.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } file {$relay_config_yml: ensure => present, owner => 'root', group => 'root', mode => '0644', content => 
template('profile/sentry/relay.yml.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } file {$symbolicator_config_yml: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/symbolicator.yml.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } file {$clickhouse_config_xml: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/clickhouse.xml.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } ##### # variables for sentry.conf.py # postgresql $postgres_host = lookup('sentry::postgres::host') $postgres_port = lookup('sentry::postgres::port') $postgres_dbname = lookup('sentry::postgres::dbname') $postgres_user = lookup('sentry::postgres::user') $postgres_password = lookup('sentry::postgres::password') # relay $relay_public_key = lookup('sentry::relay::public_key') ##### file {$config_py: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/sentry.conf.py.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } $relay_secret_key = lookup('sentry::relay::secret_key') $relay_id = lookup('sentry::relay::id') file {$relay_credentials_json: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/relay_credentials.json.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } $geoip_account_id = lookup('sentry::geoip::account_id') $geoip_license_key = lookup('sentry::geoip::license_key') file {$geoip_conf: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/geoip.conf.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } file_line {'sentry_environment_kafka': ensure => absent, 
path => "${onpremise_dir}/.env", match => '^DEFAULT_BROKERS=', match_for_absence => true, multiple => true, require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } $onpremise_flag = "${onpremise_dir}-installed" $onpremise_log = "/var/log/sentry-onpremise-install.log" exec {'check sentry-onpremise install flag': command => 'true', unless => "bash -c '[[ \"$(cat ${onpremise_flag})\" = \"$(git rev-parse HEAD)\" ]]'", cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], notify => Exec['run sentry-onpremise install.sh'], } exec {'run sentry-onpremise install.sh': command => "rm -f ${onpremise_flag}; (./install.sh --minimize-downtime && git rev-parse HEAD > ${onpremise_flag}) | tee -a ${onpremise_log}", timeout => 0, provider => shell, cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], environment => ["CI=yes"], refreshonly => true, require => [ Class['profile::docker'], Package['docker-compose'], File[$requirements_file, $config_yml, $config_py], ], notify => Exec['start sentry-onpremise docker compose'], } exec {'start sentry-onpremise docker compose': command => 'docker-compose up -d', timeout => 0, cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], refreshonly => true, require => [ Class['profile::docker'], Package['docker-compose'], File[$requirements_file, $config_yml, $config_py], ], } } diff --git a/site-modules/profile/templates/sentry/config.yml.erb b/site-modules/profile/templates/sentry/config.yml.erb index e4681579..68d6e3c9 100644 --- a/site-modules/profile/templates/sentry/config.yml.erb +++ b/site-modules/profile/templates/sentry/config.yml.erb 
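Review bot: The new `$mail_list_namespace = lookup('sentry::mail::list_namespace')` accepts whatever type hiera returns, and the value is dropped unescaped into a single-quoted YAML scalar in `config.yml.erb` (`mail.list-namespace: '<%= @mail_list_namespace %>'`), so a non-string or quote-containing value is only noticed when `install.sh` fails on the host rather than at catalog compile time. Pinning the expected type, `$mail_list_namespace = lookup('sentry::mail::list_namespace', String)`, moves that failure to compilation where it is cheap. The neighbouring lookups in the `# variables for config.yml` block are untyped too, so either give them the same treatment or keep this one consistent with them and record the choice in that comment.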
@@ -1,125 +1,130 @@
 # File managed by puppet (module profile::sentry), modifications will be lost!
 # While a lot of configuration in Sentry can be changed via the UI, for all
 # new-style config (as of 8.0) you can also declare values here in this file
 # to enforce defaults or to ensure they cannot be changed via the UI. For more
 # information see the Sentry documentation.
 ###############
 # Mail Server #
 ###############
 # mail.backend: 'smtp' # Use dummy if you want to disable email entirely
 mail.host: '<%= @mail_host %>'
 mail.port: 25
 mail.username: ''
 mail.password: ''
 mail.use-tls: false
-
+mail.use-ssl: false
 # The email address to send on behalf of
 mail.from: '<%= @mail_from %>'
+# The mailing list namespace for emails sent by this Sentry server.
+# This should be a domain you own (often the same domain as the domain
+# part of the `mail.from` configuration parameter value) or `localhost`.
+mail.list-namespace: '<%= @mail_list_namespace %>'
+
 # If you'd like to configure email replies, enable this.
 # mail.enable-replies: true
 # When email-replies are enabled, this value is used in the Reply-To header
 # mail.reply-hostname: ''
 # If you're using mailgun for inbound mail, set your API key and configure a
 # route to forward to /api/hooks/mailgun/inbound/
 # Also don't forget to set `mail.enable-replies: true` above.
 # mail.mailgun-api-key: ''
 ###################
 # System Settings #
 ###################
 # If this file ever becomes compromised, it's important to generate a new key.
 # Changing this value will result in all current sessions being invalidated.
 # A new key can be generated with `$ sentry config generate-secret-key`
 system.secret-key: '<%= @secret_key %>'
 # The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
 # clusters. These clusters can be then referred to by name when configuring
 # backends such as the cache, digests, or TSDB backend.
# redis.clusters: # default: # hosts: # 0: # host: 127.0.0.1 # port: 6379 ################ # File storage # ################ # Uploaded media uses these `filestore` settings. The available # backends are either `filesystem` or `s3`. filestore.backend: 'filesystem' filestore.options: location: '/data/files' dsym.cache-path: '/data/dsym-cache' releasefile.cache-path: '/data/releasefile-cache' # filestore.backend: 's3' # filestore.options: # access_key: 'AKIXXXXXX' # secret_key: 'XXXXXXX' # bucket_name: 's3-bucket-name' system.internal-url-prefix: 'http://web:9000' symbolicator.enabled: true symbolicator.options: url: "http://symbolicator:3021" transaction-events.force-disable-internal-project: true ###################### # GitHub Integration # ###################### # github-login.extended-permissions: ['repo'] # github-app.id: GITHUB_APP_ID # github-app.name: 'GITHUB_APP_NAME' # github-app.webhook-secret: 'GITHUB_WEBHOOK_SECRET' # Use only if configured in GitHub # github-app.client-id: 'GITHUB_CLIENT_ID' # github-app.client-secret: 'GITHUB_CLIENT_SECRET' # github-app.private-key: | # -----BEGIN RSA PRIVATE KEY----- # privatekeyprivatekeyprivatekeyprivatekey # privatekeyprivatekeyprivatekeyprivatekey # privatekeyprivatekeyprivatekeyprivatekey # privatekeyprivatekeyprivatekeyprivatekey # privatekeyprivatekeyprivatekeyprivatekey # -----END RSA PRIVATE KEY----- ##################### # Slack Integration # ##################### # Refer to https://develop.sentry.dev/integrations/slack/ for setup instructions. 
 # slack.client-id: <'client id'>
 # slack.client-secret:
 # slack.signing-secret:
 ## If legacy-app is True use verfication-token instead of signing-secret
 # slack.verification-token:
 ########################
 # SWH config overrides #
 ########################
 # Sentry URL prefix
 system.url-prefix: 'https://<%= @vhost_name %>'
 # Sentry admin email address
 system.admin-email: '<%= @admin_email %>'
 # Report full data via the sentry beacon
 # Docs: https://docs.sentry.io/server/beacon/
 beacon.anonymous: false
 # Allow user registration
 auth.allow-registration: false
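Review bot: The added `mail.use-ssl: false`, sitting directly under the existing `mail.use-tls: false` and the empty `mail.username`/`mail.password`, now spells out that SMTP to `<%= @mail_host %>` is unauthenticated and unencrypted, yet nothing in the template says whether that is a deliberate choice for an internal relay or an oversight. If it is deliberate, a comment above the pair such as `# No SMTP auth or transport security: mail.host is an internal relay` records the assumption, and if the relay is ever reachable over an untrusted path one of the two options should be enabled. Stylistically, the blank line that separated `mail.use-tls` from the `# The email address to send on behalf of` comment was consumed by the new key rather than kept, while the new `mail.list-namespace` block correctly ends with one; restoring a blank line after `mail.use-ssl: false` keeps the section consistent.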