109 Commits

Author	SHA1	Message	Date
Georg Pfuetzenreuter	2bf2996f07	themis: add BookStack configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-19 13:43:10 +01:00
Georg Pfuetzenreuter	0ddf88225b	themis: add BookStack httpd configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-19 13:43:10 +01:00
Georg Pfuetzenreuter	f8bc790a09	Add web.apache-httpd role ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-19 00:36:43 +01:00
Georg Pfuetzenreuter	4b9e90a51c	Enable apache-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-19 00:34:44 +01:00
Georg Pfuetzenreuter	18d28c3b7f	Address salt-lint errors/warnings ... - remove trailing whitespaces - format octal modes correctly Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 23:18:54 +01:00
Georg Pfuetzenreuter	cd93d792ff	Address yamllint errors/warnings ... - remove spaces, add headers - add ignore for line-lengths in .pipeline.yml Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 23:15:25 +01:00
Georg Pfuetzenreuter	2674d21efc	Enable prometheus-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 18:57:18 +01:00
Georg Pfuetzenreuter	c75e31c145	denc-webcluster: add ModSecurity adjustments ... With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 23:46:22 +01:00
Georg Pfuetzenreuter	37a1ec433a	denc-webcluster: nginx listen on HA addresses ... Accidentally configured to listen only internally. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 17:42:31 +01:00
Georg Pfuetzenreuter	2d5da24ce5	denc-webcluster: nginx AppArmor rules ... Allow access to client trust certificate and to static content. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 16:39:49 +01:00
Georg Pfuetzenreuter	eac227d120	denc-webcluster: nginx config fixup ... - remove keys duplicated by include - repair wrong snippets include directory - repair wrong ip_hash option syntax Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 15:48:44 +01:00
Georg Pfuetzenreuter	d017233a52	ha-node: vrrp is a protocol ... Accidentally added as a service. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 15:22:08 +01:00
Georg Pfuetzenreuter	533aedd864	denc-webcluster: enable keepalived script security ... Prevent script tampering. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 14:37:45 +01:00
Georg Pfuetzenreuter	7481741f95	denc-webcluster: allow http(s) publicly ... Public firewall rules were missing from initial import. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 14:33:34 +01:00
Georg Pfuetzenreuter	c5ce94d7b5	Manage backend firewall zone ... Configure backend firewall zones if applicable. Allow all UDP for cluster traffic. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 06:04:16 +01:00
Georg Pfuetzenreuter	bef66c1f8a	ha-node: allow vrrp in firewall ... Needed for keepalived operation. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:54:20 +01:00
Georg Pfuetzenreuter	303b06ae8c	nemesis/hubris: import keepalived configuration ... Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:21:43 +01:00
Georg Pfuetzenreuter	a0a21a17db	nemesis/hubris: include denc.web-proxy ... Add shared nginx configuration to nemesis/hubris HA pair nodes. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:21:42 +01:00
Georg Pfuetzenreuter	eed4945a9f	nemesis/hubris: import nginx configuration ... Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:21:39 +01:00
Georg Pfuetzenreuter	1f8d8b642c	dericom02: manage web firewall zone ... Import locally configured web zone into Salt. This zone allows the web proxy to reach http for serving Matterbridge media. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 03:49:40 +01:00
Georg Pfuetzenreuter	16c8cd3dd5	dericom02: disable matterbridge XMPP debug ... It's very noisy - one can enable it on demand if needed. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 02:53:04 +01:00
Georg Pfuetzenreuter	1302e06486	Disable "aithunder" Discord bridge ... Discord room does not exist. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 02:25:55 +01:00
Georg Pfuetzenreuter	12c47a346b	dericom02: quote matterbridge booleans ... TOML configuration format needs lowercase boolean values. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 02:13:03 +01:00
Georg Pfuetzenreuter	1aacd3f340	dericom02: manage matterbridge media ... - move base media directory to variable - add lighttpd vhosts to pillar Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 00:51:59 +01:00
Georg Pfuetzenreuter	77c50cf53f	matterbridge: add role pillar ... Empty for now, adding for future reference and because we enforce role pillars to exist. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-09 22:56:28 +01:00
Pratyush Desai	03a4aec0f3	Merge pull request 'Import Matterbridge configuration' (#10) from import-dericom02 into production ... Reviewed-on: #10	2023-02-09 21:02:02 +01:00
Georg Pfuetzenreuter	2d06de94ca	Enable keepalived-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-08 20:30:52 +01:00
Georg Pfuetzenreuter	07d325d777	dericom02: import Matterbridge configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-07 22:29:02 +01:00
Georg Pfuetzenreuter	f678de8560	derimisc01: import Tor configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-07 18:35:40 +01:00
Georg Pfuetzenreuter	a3ec351b70	Add onion-router role ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-07 18:21:32 +01:00
Georg Pfuetzenreuter	687473b919	Enable tor-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-06 23:00:47 +01:00
Georg Pfuetzenreuter	70ca4fabc8	Set webirc backend to https ... Ergo rightfully does not accept plain text websocket connections. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-06 14:20:19 +01:00
Georg Pfuetzenreuter	82cad3b099	Include libertacasa for liberta.casa ... Fallout from 77fa39e59c15a2235f210128dab821d2e2fd6ae5 - libertacasa nginx snippet needs to be included in liberta.casa server for main website to operate on the clearnet. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-06 14:10:14 +01:00
Georg Pfuetzenreuter	df3eeede1d	Repair liberta.casa TLS include ... Accidentally mixed up the libertacasa with the libertacasa2 nginx TLS snippet. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-06 14:01:23 +01:00
Georg Pfuetzenreuter	92f01888af	web-proxy: include mime.types ... Always include mime.types on web-proxies. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 20:10:57 +01:00
Georg Pfuetzenreuter	e369c53a4c	web-proxy: common includes ... Always include files in conf.d and vhosts.d on web-proxies. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 20:09:05 +01:00
Georg Pfuetzenreuter	12ce134559	web-proxy: common nginx.conf ... Import default nginx.conf contents from our custom packaged file into Salt. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 19:59:04 +01:00
Georg Pfuetzenreuter	e3e4caaabe	web-proxy: IPv6 listener brackets ... Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx from failing to start. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 19:19:27 +01:00
Georg Pfuetzenreuter	5e02090bc6	web-proxy: add firewall configuration ... Allow internal http and https to pass on web proxies. To-do: logic for web proxies directly attached to the internet. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 14:29:25 +01:00
Georg Pfuetzenreuter	1b619358a8	deriweb01: import nginx configuration ... Transfer local/manual nginx configuration structure into pillar. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 11:56:27 +01:00
Georg Pfuetzenreuter	98ea861c13	web-proxy: add common TLS configuration ... Add TLS configuration snippet shared between all web-proxies. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 10:05:20 +01:00
Georg Pfuetzenreuter	4581bd4a6a	Add nginx crtkeypair macro ... For use in nginx pillars. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 10:04:09 +01:00
Georg Pfuetzenreuter	3f2b8d2ee7	Add cluster pillar ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-05 09:36:23 +01:00
Georg Pfuetzenreuter	2e4d350c7f	Add web-proxy role ... - web-proxy role to configure nginx - pillar with common nginx configuration Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-04 11:47:09 +01:00
Georg Pfuetzenreuter	bb252c1d47	Set default saltenv ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-01 23:23:43 +01:00
Georg Pfuetzenreuter	ba6522ce5b	Refactor map/macro sourcing ... - move pillar macros and map to base directory - move listener logic from macro to map - update includes respectively Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-01-30 05:43:53 +01:00
Georg Pfuetzenreuter	096bb24769	Enable nginx-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-01-30 03:23:48 +01:00
Georg Pfuetzenreuter	83f698e18c	Manage Salt roleproxy ... Add role, profile and pillar for roleproxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-01-30 00:39:33 +01:00
Georg Pfuetzenreuter	d2bc7b0785	Set firewalld short zone names ... To match the SUSE defaults deployed by our AutoYaST configuration. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-01-29 17:50:37 +01:00
Georg Pfuetzenreuter	84c1d63776	Allow IPv6-only interfaces + fixup ... - interfaces with no IPv4 address would cause a render failure - repair if-clause needed for interfaces with only IPv4 addresses Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-01-29 17:38:29 +01:00