142 Commits

Author	SHA1	Message	Date
Georg Pfuetzenreuter	c1fcf5f3b1	Init psyched.dev ... Add pillar IDs for theia/orpheus/selene to disable sshd management on them (machines use custom configurations for historic reasons, and we like to preserve history). Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 21:00:45 +02:00
Georg Pfuetzenreuter	b6b129c41f	Init dencpod01.lysergic.dev ... Blank machine. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 20:40:09 +02:00
Georg Pfuetzenreuter	2ce85f172e	Move backup_mode to minion dict ... Is a minion specific option. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 20:25:33 +02:00
Georg Pfuetzenreuter	c4532b4686	Enable minion file backup ... https://docs.saltproject.io/en/latest/ref/states/backup_mode.html Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 20:13:24 +02:00
Georg Pfuetzenreuter	d89138e2a7	Import moni firewall configuration ... Some ports not yet covered by a role. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 20:02:21 +02:00
Georg Pfuetzenreuter	55acb1dea4	Init phoebe.lysergic.dev ... Blank machine. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 19:48:22 +02:00
Georg Pfuetzenreuter	409016ea75	Disable manage_sshd for philia ... Machine uses a custom sshd configuration for $reasons. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-02 19:32:36 +02:00
Georg Pfuetzenreuter	2a9a5cf394	Set ping_on_rotate ... Enable option to ensure minions are immediately responsive after key rotations. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-01 20:24:13 +02:00
Georg Pfuetzenreuter	1089146801	Set env_order ... Option was removed in d4f39e8e5f807169b790d5380c10872d1ba31710, but the default environment seems to not be set to "production" without it being present. Adding it back until a better way is found. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-01 20:20:32 +02:00
Georg Pfuetzenreuter	841317e0f4	Repair BookStack httpd configuration ... - Replace wrong instances of RewriteCond with RewriteRule - Remove wrong quotes around rewrite conditions - Set correct options (seemingly our version of httpd does not set FollowSymLinks by default?) Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-05-01 00:00:31 +02:00
Georg Pfuetzenreuter	f56ed6f64e	Merge pull request 'Adjust themis httpd directory options' (#50) from themis-httpd-fixup into production ... Reviewed-on: #50	2023-04-30 20:04:42 +02:00
Georg Pfuetzenreuter	d8359f002d	Correct SAML realm capitalization ... The Keycloak realm is named "LibertaCasa", not "libertacasa". Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 18:22:58 +02:00
Georg Pfuetzenreuter	0a3d34d962	Adjust themis httpd directory options ... Some directory options are not needed and were listed with syntax issues. Set to false to prevent "Options" from being added, which equals "Options +FollowSymLinks". Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 18:16:35 +02:00
Georg Pfuetzenreuter	600a73a984	Merge pull request 'Add empty role.privatebin pillar' (#49) from privatebin-role into production ... Reviewed-on: #49	2023-04-30 16:44:56 +02:00
Georg Pfuetzenreuter	b0613cf377	Add empty role.privatebin pillar ... For some reason Salt complains about the file missing, albeit us using "ignore_missing" in the top file. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 16:41:22 +02:00
Georg Pfuetzenreuter	b685f16c91	Add manage_firewall conditional ... Allow us to enroll machines in Salt which do not yet have their firewall configuration imported without having their rules overwritten. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 16:07:21 +02:00
Georg Pfuetzenreuter	e8107a3054	Add empty role.bookstack pillar ... For some reason Salt complains about the file missing (albeit us using having "ignore_missing" enabled in the pillar top). Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 14:54:43 +02:00
Georg Pfuetzenreuter	d4f39e8e5f	Allow saltenv/pillarenv override ... To ease development, allow saltenv=<branch>/pillarenv=<branch> instead of enforcing the production branch. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-30 14:43:59 +02:00
Georg Pfuetzenreuter	b1249e69eb	Merge pull request 'Import themis / PrivateBin' (#40) from privatebin into production ... Reviewed-on: #40	2023-04-30 14:37:12 +02:00
Georg Pfuetzenreuter	f32d814658	id.themis: import backend firewall rules ... Allow HTTPS traffic. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-04-29 18:39:30 +02:00
Pratyush Desai	9d9e61d51d	Add tg lucy channel mapping ... Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>	2023-04-14 18:45:51 +05:30
Pratyush Desai	508c0dc1b2	Add Chillnet to matterbridge ... Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>	2023-04-10 00:25:14 +05:30
Pratyush Desai	6ebd02042f	Refactor matterbridge_media macro ... Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>	2023-04-10 00:18:59 +05:30
Georg Pfuetzenreuter	4ff7a39f0e	id.themis: import PrivateBin httpd vhost ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-03-12 17:21:32 +01:00
Georg Pfuetzenreuter	bf3aaa5ff1	id.themis: import PrivateBin configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-03-12 17:01:17 +01:00
Georg Pfuetzenreuter	a1ce36fd6c	Enable php-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:29 +01:00
Georg Pfuetzenreuter	361e118b31	Add php-fpm role ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:29 +01:00
Georg Pfuetzenreuter	f55e5363a0	Enable memcached-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:28 +01:00
Georg Pfuetzenreuter	f820978b78	Add memcached role ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:28 +01:00
Georg Pfuetzenreuter	4653655010	profile.apache-httpd: manage snippets ... - add apache-httpd profile with snippets configuration - add TLS snippet to apache-httpd role pillar Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:28 +01:00
Georg Pfuetzenreuter	d8d848055f	id.themis: add BookStack configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:28 +01:00
Georg Pfuetzenreuter	e36d40dbc3	id.themis: add BookStack httpd configuration ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 13:14:28 +01:00
Georg Pfuetzenreuter	906dd92d7e	Add web.apache-httpd role ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 11:10:05 +01:00
Georg Pfuetzenreuter	e58c63decc	Enable apache-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-26 11:10:04 +01:00
Georg Pfuetzenreuter	0730cbb4c2	Manage Prometheus firewall rules ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-21 19:06:04 +01:00
Georg Pfuetzenreuter	cade9c0aca	Moni: Read Blackbox targets as JSON ... Use uniform JSON target files instead of a JSON/YAML mix. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-21 19:06:03 +01:00
Georg Pfuetzenreuter	979021f5c4	Import Prometheus server configuration ... * add new roles: - monitoring.prometheus - monitoring.prometheus-alertmanager - monitoring.prometheus-exporter-blackbox * add common Prometheus and Prometheus Alertmanager pillar data * add moni.lysergic.dev specific Prometheus pillar data Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-21 19:05:03 +01:00
Georg Pfuetzenreuter	18d28c3b7f	Address salt-lint errors/warnings ... - remove trailing whitespaces - format octal modes correctly Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 23:18:54 +01:00
Georg Pfuetzenreuter	cd93d792ff	Address yamllint errors/warnings ... - remove spaces, add headers - add ignore for line-lengths in .pipeline.yml Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 23:15:25 +01:00
Georg Pfuetzenreuter	2674d21efc	Enable prometheus-formula ... Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-15 18:57:18 +01:00
Georg Pfuetzenreuter	c75e31c145	denc-webcluster: add ModSecurity adjustments ... With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 23:46:22 +01:00
Georg Pfuetzenreuter	37a1ec433a	denc-webcluster: nginx listen on HA addresses ... Accidentally configured to listen only internally. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 17:42:31 +01:00
Georg Pfuetzenreuter	2d5da24ce5	denc-webcluster: nginx AppArmor rules ... Allow access to client trust certificate and to static content. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 16:39:49 +01:00
Georg Pfuetzenreuter	eac227d120	denc-webcluster: nginx config fixup ... - remove keys duplicated by include - repair wrong snippets include directory - repair wrong ip_hash option syntax Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 15:48:44 +01:00
Georg Pfuetzenreuter	d017233a52	ha-node: vrrp is a protocol ... Accidentally added as a service. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 15:22:08 +01:00
Georg Pfuetzenreuter	533aedd864	denc-webcluster: enable keepalived script security ... Prevent script tampering. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 14:37:45 +01:00
Georg Pfuetzenreuter	7481741f95	denc-webcluster: allow http(s) publicly ... Public firewall rules were missing from initial import. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 14:33:34 +01:00
Georg Pfuetzenreuter	c5ce94d7b5	Manage backend firewall zone ... Configure backend firewall zones if applicable. Allow all UDP for cluster traffic. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 06:04:16 +01:00
Georg Pfuetzenreuter	bef66c1f8a	ha-node: allow vrrp in firewall ... Needed for keepalived operation. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:54:20 +01:00
Georg Pfuetzenreuter	303b06ae8c	nemesis/hubris: import keepalived configuration ... Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>	2023-02-12 05:21:43 +01:00