Commit Graph

285 Commits

Author SHA1 Message Date
cd93d792ff
Address yamllint errors/warnings
- remove spaces, add headers
- add ignore for line-lengths in .pipeline.yml

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 23:15:25 +01:00
36b1fbffb2
Add linting pipeline
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 23:15:25 +01:00
6096be0f81 Merge pull request 'Enable prometheus-formula' (#31) from prometheus-formula into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #31
2023-02-15 19:09:12 +01:00
2674d21efc
Enable prometheus-formula
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 18:57:18 +01:00
2c2a37ef8b Merge pull request 'denc-webcluster: add ModSecurity adjustments' (#30) from import-denc-webcluster-nginx-modsec into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #30
2023-02-13 01:06:56 +01:00
c75e31c145
denc-webcluster: add ModSecurity adjustments
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
With the rollout of our Salted configuration, ModSecurity came enforced.
This adds necessary rules to PrivateBin and BookStack for correct
operation.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 23:46:22 +01:00
f69cd00888 Merge pull request 'denc-webcluster: nginx listen on HA addresses' (#29) from import-denc-webcluster-nginx-listen-fixup into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #29
2023-02-12 17:43:59 +01:00
37a1ec433a
denc-webcluster: nginx listen on HA addresses
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Accidentally configured to listen only internally.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 17:42:31 +01:00
29435f6fc3 Merge pull request 'AppArmor: reload on drop-in changes' (#28) from reload-apparmor into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #28
2023-02-12 17:37:56 +01:00
75f105a6aa
AppArmor: reload on drop-in changes
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Self-explanatory.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 17:35:09 +01:00
0a00f3ea93 Merge pull request 'Manage AppArmor on web-proxie's' (#27) from import-denc-webcluster-apparmor into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #27
2023-02-12 17:14:41 +01:00
2d5da24ce5
denc-webcluster: nginx AppArmor rules
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Allow access to client trust certificate and to static content.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 16:39:49 +01:00
7e73f6b1a4
web-proxy: include apparmor.local
Some web proxy servers need additional AppArmor drop-ins, for example
for serving static content.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 16:39:48 +01:00
0eca62f4ce
Add AppArmor profile
Simple profile to allow for management of local profile drop-ins using
pillar values.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 16:20:44 +01:00
91089d5d98 Merge pull request 'denc-webcluster: nginx config fixup' (#26) from import-denc-webcluster-iphash into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #26
2023-02-12 15:56:30 +01:00
eac227d120
denc-webcluster: nginx config fixup
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- remove keys duplicated by include
- repair wrong snippets include directory
- repair wrong ip_hash option syntax

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 15:48:44 +01:00
f9341ad9fe Merge pull request 'ha-node: vrrp is a protocol' (#25) from vrrp-fixup into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #25
2023-02-12 15:25:53 +01:00
d017233a52
ha-node: vrrp is a protocol
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Accidentally added as a service.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 15:22:08 +01:00
5fdbdc7462 Merge pull request 'denc-webcluster: allow http(s) publicly' (#24) from import-denc-webcluster-fw into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #24
2023-02-12 14:44:20 +01:00
533aedd864
denc-webcluster: enable keepalived script security
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Prevent script tampering.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 14:37:45 +01:00
7481741f95
denc-webcluster: allow http(s) publicly
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Public firewall rules were missing from initial import.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 14:33:34 +01:00
8c21d250c3 Merge pull request 'Import denc webcluster (nemesis/hubris)' (#12) from import-denc-webcluster into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #12
2023-02-12 14:25:55 +01:00
c5ce94d7b5
Manage backend firewall zone
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Configure backend firewall zones if applicable. Allow all UDP for
cluster traffic.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 06:04:16 +01:00
bef66c1f8a
ha-node: allow vrrp in firewall
Needed for keepalived operation.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:54:20 +01:00
0581510c10
Add ha-netcup role
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Role managing the Netcup IP failover script plus keepalived.
Requires ha-node role introduced via a8bbe056f1.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:24:27 +01:00
af2c5b0061
Add keepalived_script_user profile
Short profile source from other profiles requiring the keepalived_script
user to be present.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:24:27 +01:00
f08bda4256
Add netcup_failover profile
Profile managing a Netcup IP address failover script for use with
keepalived.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:24:27 +01:00
303b06ae8c
nemesis/hubris: import keepalived configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
a0a21a17db
nemesis/hubris: include denc.web-proxy
Add shared nginx configuration to nemesis/hubris HA pair nodes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:42 +01:00
eed4945a9f
nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:39 +01:00
1b0965943f Merge pull request 'common-suse: add qemu-guest-agent + remove AutoYaST' (#23) from common-suse into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #23
2023-02-12 04:13:50 +01:00
8e1436d4af
common.suse: manage qemu-guest-agent
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Ensure qemu-guest-agent is active on all KVM guests.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 04:11:14 +01:00
b6b7ff1e33
common.suse: remove AutoYaST
We only use AutoYaST for the OS deployment and don't need the packages
afterwards.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 04:11:14 +01:00
95248fd374 Merge pull request 'dericom02: manage web firewall zone' (#22) from dericom02-webfw into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #22
2023-02-12 03:52:41 +01:00
1f8d8b642c
dericom02: manage web firewall zone
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Import locally configured web zone into Salt. This zone allows the web
proxy to reach http for serving Matterbridge media.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 03:49:40 +01:00
9043634123 Merge pull request 'lighttpd: improve dependencies' (#21) from lighttpd-watch into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #21
2023-02-12 03:06:20 +01:00
9a0c210b87
lighttpd: improve dependencies
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- add more explicit Salt ID dependencies
- reload service on configuration changes

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 03:03:09 +01:00
5da0bfe798 Merge pull request 'dericom02: disable matterbridge XMPP debug' (#20) from matterbridge-xmpp-debug into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #20
2023-02-12 02:56:22 +01:00
16c8cd3dd5
dericom02: disable matterbridge XMPP debug
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
It's very noisy - one can enable it on demand if needed.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:53:04 +01:00
1eb10e4687 Merge pull request 'matterbridge: restart on changes' (#19) from matterbridge-watch into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #19
2023-02-12 02:42:29 +01:00
b446afcc49
matterbridge: restart on changes
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Matterbridge does detect file changes, but seems to only apply them on
a service restart.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:39:47 +01:00
82e8ce4eb2 Merge pull request 'matterbridge: quote numbers' (#18) from matterbridge-booleans into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #18
2023-02-12 02:33:30 +01:00
586c7e3bc7 Merge pull request 'Disable "aithunder" Discord bridge' (#17) from matterbridge-aithunder into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #17
2023-02-12 02:31:48 +01:00
b061265885
matterbridge: quote numbers
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Needed to make the TOML configuration format happy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:30:56 +01:00
1302e06486
Disable "aithunder" Discord bridge
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Discord room does not exist.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:25:55 +01:00
8fbfd38ec3 Merge pull request 'dericom02: quote matterbridge booleans' (#16) from matterbridge-booleans into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #16
2023-02-12 02:18:19 +01:00
12c47a346b
dericom02: quote matterbridge booleans
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
TOML configuration format needs lowercase boolean values.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:13:03 +01:00
c9a157833b Merge pull request 'Matterbridge media' (#15) from matterbridge-media into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #15
2023-02-12 00:55:49 +01:00
1aacd3f340
dericom02: manage matterbridge media
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- move base media directory to variable
- add lighttpd vhosts to pillar

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 00:51:59 +01:00
ab47eb5485
matterbridge: manage media directories
Create media directories if defined in the pillar.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 00:51:26 +01:00