From 33ea034b904e8fbd8fa25b9d164afb66b66e6cf7 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Date: Sun, 12 Feb 2023 16:21:23 +0100
Subject: [PATCH] web-proxy: include apparmor.local

- allow access to trust certificate
- some web proxy servers need additional AppArmor drop-ins, for example
for serving static content

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/role/web-proxy.sls | 6 ++++++
 salt/role/web-proxy.sls   | 1 +
 2 files changed, 7 insertions(+)

diff --git a/pillar/role/web-proxy.sls b/pillar/role/web-proxy.sls
index 36ba63e..53865eb 100644
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@@ -68,3 +68,9 @@ firewalld:
       services:
         - http
         - https
+
+profile:
+  apparmor:
+    local:
+      usr.sbin.nginx:
+        - '{{ trustcrt }} r,'
diff --git a/salt/role/web-proxy.sls b/salt/role/web-proxy.sls
index 81f2293..c4aba08 100644
--- a/salt/role/web-proxy.sls
+++ b/salt/role/web-proxy.sls
@@ -1,4 +1,5 @@
 include:
+  - apparmor.local
   - nginx.pkg
   - nginx.config
   - nginx.snippets