70ca4fabc8
Set webirc backend to https
...
ci/lysergic/push/pipeline Pipeline was successful
Ergo rightfully does not accept plain text websocket connections.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-06 14:20:19 +01:00
82cad3b099
Include libertacasa for liberta.casa
...
ci/lysergic/push/pipeline Pipeline was successful
Fallout from 77fa39e59c
2023-02-06 14:10:14 +01:00
df3eeede1d
Repair liberta.casa TLS include
...
ci/lysergic/push/pipeline Pipeline was successful
Accidentally mixed up the libertacasa with the libertacasa2 nginx
TLS snippet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-06 14:01:23 +01:00
92f01888af
web-proxy: include mime.types
...
ci/lysergic/push/pipeline Pipeline was successful
Always include mime.types on web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 20:10:57 +01:00
e369c53a4c
web-proxy: common includes
...
ci/lysergic/push/pipeline Pipeline was successful
Always include files in conf.d and vhosts.d on web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 20:09:05 +01:00
7dc481c996
Merge pull request 'web-proxy: common nginx.conf' ( #9 ) from nginxconf into production
...
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #9
2023-02-05 20:03:18 +01:00
12ce134559
web-proxy: common nginx.conf
...
ci/lysergic/push/pipeline Pipeline was successful
Import default nginx.conf contents from our custom packaged file into
Salt.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 19:59:04 +01:00
e3e4caaabe
web-proxy: IPv6 listener brackets
...
ci/lysergic/push/pipeline Pipeline was successful
Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx
from failing to start.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 19:19:27 +01:00
119e97805d
Increase LC repository priority
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 18:47:17 +01:00
77fa39e59c
Merge pull request 'deriweb01: import nginx configuration' ( #8 ) from import-deriweb01 into production
...
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #8
2023-02-05 18:43:20 +01:00
5e02090bc6
web-proxy: add firewall configuration
...
ci/lysergic/push/pipeline Pipeline was successful
Allow internal http and https to pass on web proxies.
To-do: logic for web proxies directly attached to the internet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 14:29:25 +01:00
785986d2ac
Enable syntax highlighting
...
ci/lysergic/push/pipeline Pipeline was successful
Initially for .sls and .jinja/.j2 files - we can add others later on if
needed.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 12:07:13 +01:00
1b619358a8
deriweb01: import nginx configuration
...
ci/lysergic/push/pipeline Pipeline was successful
Transfer local/manual nginx configuration structure into pillar.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 11:56:27 +01:00
98ea861c13
web-proxy: add common TLS configuration
...
ci/lysergic/push/pipeline Pipeline was successful
Add TLS configuration snippet shared between all web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 10:05:20 +01:00
4581bd4a6a
Add nginx crtkeypair macro
...
For use in nginx pillars.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 10:04:09 +01:00
3f2b8d2ee7
Add cluster pillar
...
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 09:36:23 +01:00
7ab3cb6c59
Refresh LC repository
...
ci/lysergic/push/pipeline Pipeline was successful
Configure repository to be refreshed automatically.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 01:01:56 +01:00
2e4d350c7f
Add web-proxy role
...
- web-proxy role to configure nginx
- pillar with common nginx configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-04 11:47:09 +01:00
bb252c1d47
Set default saltenv
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-01 23:23:43 +01:00
ba6522ce5b
Refactor map/macro sourcing
...
ci/lysergic/push/pipeline Pipeline was successful
- move pillar macros and map to base directory
- move listener logic from macro to map
- update includes respectively
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-30 05:43:53 +01:00
096bb24769
Enable nginx-formula
...
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-30 03:23:48 +01:00
1a03ecc9db
salt.master: add salt-keydiff package
...
ci/lysergic/push/pipeline Pipeline was successful
Useful to accept new minions.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-30 02:14:22 +01:00
83f698e18c
Manage Salt roleproxy
...
ci/lysergic/push/pipeline Pipeline was successful
Add role, profile and pillar for roleproxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-30 00:39:33 +01:00
81a37bf842
salt.minion: no longer manage grains
...
Grains have only been managed to track roles, however those have since
been moved to the Role API. Hence the managed /etc/salt/grains file can
safely be removed from management.
Existing installations will be cleaned up by me.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 23:33:40 +01:00
d2bc7b0785
Set firewalld short zone names
...
ci/lysergic/push/pipeline Pipeline was successful
To match the SUSE defaults deployed by our AutoYaST configuration.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 17:50:37 +01:00
84c1d63776
Allow IPv6-only interfaces + fixup
...
ci/lysergic/push/pipeline Pipeline was successful
- interfaces with no IPv4 address would cause a render failure
- repair if-clause needed for interfaces with only IPv4 addresses
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 17:38:29 +01:00
824baf386b
Firewall interface mapping logic
...
ci/lysergic/push/pipeline Pipeline was successful
Detect which interfaces belong to which zones, and configure firewalld
accordingly.
Backend zone is currently only prepared and yet to be tested and
enabled.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 17:27:58 +01:00
c8aa6c6157
Mine interfaces
...
Needed for firewall interface-zone mapping logic.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 16:37:07 +01:00
7600e631d3
salt.master: extra quotes around API listener
...
ci/lysergic/push/pipeline Pipeline was successful
State would print the colons unquoted into the file, causing the YAML to
not parse.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 16:11:01 +01:00
45b53f8392
salt.master: add firewalld rules
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:50:11 +01:00
e395f7f0a3
Manage common firewalld rules
...
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:49:48 +01:00
e62080ae5b
Manage firewalld
...
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:30:37 +01:00
1660fb099e
Merge lists on test minions
...
Reflect production setting, allow pillar to merge from different roles.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:29:30 +01:00
4ece021122
Enable firewalld-formula
...
ci/lysergic/push/pipeline Pipeline was successful
... and sort list entries alphabetically.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:12:52 +01:00
880f6796c5
salt.master: enable API IPv6 listener
...
ci/lysergic/push/pipeline Pipeline was successful
No individual listeners can be configured, hence global dual stack
listener it is.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:59:35 +01:00
7b808efdb5
Enable SSH banner
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:15:40 +01:00
002fad5f27
salt.minion: allow minions without roles
...
ci/lysergic/push/pipeline Pipeline was successful
If-clause to check for Syndic roles caused regression on minions without
any assigned roles.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:09:49 +01:00
bd7fe25eb0
Listeners macro: skip on empty mine
...
ci/lysergic/push/pipeline Pipeline was successful
Don't fail if mine does not contain information about the queried
minion.
In the future it would be nice to add another conditional to allow such
minions to fall-back to the locally executed network module for
masterless setups.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 02:14:37 +01:00
bd166cbb42
salt.master: set rootgroup
...
Needed for formula to not nuke Syndic key permissions. Little bit ugly.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 02:14:36 +01:00
08f23700c9
Listeners macro: use mined addresses
...
ci/lysergic/push/pipeline Pipeline failed
The network module run on the Salt master, but the macro should fetch
minion addresses.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:32:23 +01:00
0ea6f8c62d
Mine IPv6 addresses
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:13:21 +01:00
975fa89abc
Mine IP addresses
...
ci/lysergic/push/pipeline Pipeline was successful
Add Salt mine configuration to collect minion IP addresses.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:06:44 +01:00
e8b905cd0b
salt.master: increase LDAP scope
...
ci/lysergic/push/pipeline Pipeline was successful
Likely needed as it does not support searching a more fine grained base
DN.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 00:19:42 +01:00
a831a25701
salt.master: switch to CherryPy
...
ci/lysergic/push/pipeline Pipeline was successful
Tornado does not support all the features.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 00:17:39 +01:00
f4b253a1cf
salt.master: add ldap + completion packages
...
ci/lysergic/push/pipeline Pipeline was successful
- python-ldap is needed for authenticating with the API
- shell completions are useful :-)
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 20:59:00 +01:00
570522176a
salt.master: add LDAP configuration
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 20:01:01 +01:00
85bfe2cac4
salt.master: add Salt API configuration
...
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 19:25:21 +01:00
950b308546
Relay via static zz0.email host
...
ci/lysergic/push/pipeline Pipeline was successful
Split horizon for the complete .email zone is not feasible for all
sites, and TLS certificate currently does not cover any of the internal
hostnames.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 12:45:01 +01:00
b7ec9e683f
Merge pull request 'Manage common SSH server' ( #6 ) from ssh into production
...
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #6
2023-01-27 11:48:51 +01:00
698234c040
Manage common SSH server
...
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 23:05:21 +01:00
