Commit Graph

135 Commits

Author SHA1 Message Date
2a9a5cf394
Set ping_on_rotate
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Enable option to ensure minions are immediately responsive after key
rotations.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-05-01 20:24:13 +02:00
1089146801
Set env_order
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Option was removed in d4f39e8e5f, but the
default environment seems to not be set to "production" without
it being present. Adding it back until a better way is found.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-05-01 20:20:32 +02:00
841317e0f4
Repair BookStack httpd configuration
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- Replace wrong instances of RewriteCond with RewriteRule
- Remove wrong quotes around rewrite conditions
- Set correct options (seemingly our version of httpd does not set
  FollowSymLinks by default?)

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-05-01 00:00:31 +02:00
f56ed6f64e Merge pull request 'Adjust themis httpd directory options' (#50) from themis-httpd-fixup into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #50
2023-04-30 20:04:42 +02:00
d8359f002d
Correct SAML realm capitalization
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
The Keycloak realm is named "LibertaCasa", not "libertacasa".

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 18:22:58 +02:00
0a3d34d962
Adjust themis httpd directory options
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Some directory options are not needed and were listed with syntax
issues. Set to false to prevent "Options" from
being added, which equals "Options +FollowSymLinks".

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 18:16:35 +02:00
600a73a984 Merge pull request 'Add empty role.privatebin pillar' (#49) from privatebin-role into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #49
2023-04-30 16:44:56 +02:00
b0613cf377
Add empty role.privatebin pillar
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
For some reason Salt complains about the file missing, albeit us using
"ignore_missing" in the top file.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 16:41:22 +02:00
b685f16c91
Add manage_firewall conditional
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Allow us to enroll machines in Salt which do not yet have their firewall
configuration imported without having their rules overwritten.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 16:07:21 +02:00
e8107a3054
Add empty role.bookstack pillar
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
For some reason Salt complains about the file missing (albeit us using
having "ignore_missing" enabled in the pillar top).

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 14:54:43 +02:00
d4f39e8e5f
Allow saltenv/pillarenv override
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
To ease development, allow saltenv=<branch>/pillarenv=<branch> instead
of enforcing the production branch.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 14:43:59 +02:00
b1249e69eb Merge pull request 'Import themis / PrivateBin' (#40) from privatebin into production
Some checks failed
ci/lysergic/push/pipeline Pipeline failed
Reviewed-on: #40
2023-04-30 14:37:12 +02:00
f32d814658
id.themis: import backend firewall rules
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Allow HTTPS traffic.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-29 18:39:30 +02:00
9d9e61d51d
Add tg lucy channel mapping
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
2023-04-14 18:45:51 +05:30
508c0dc1b2
Add Chillnet to matterbridge
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
2023-04-10 00:25:14 +05:30
6ebd02042f
Refactor matterbridge_media macro
Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
2023-04-10 00:18:59 +05:30
4ff7a39f0e
id.themis: import PrivateBin httpd vhost
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-03-12 17:21:32 +01:00
bf3aaa5ff1
id.themis: import PrivateBin configuration
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-03-12 17:01:17 +01:00
a1ce36fd6c
Enable php-formula
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:29 +01:00
361e118b31
Add php-fpm role
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:29 +01:00
f55e5363a0
Enable memcached-formula
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:28 +01:00
f820978b78
Add memcached role
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:28 +01:00
4653655010
profile.apache-httpd: manage snippets
- add apache-httpd profile with snippets configuration
- add TLS snippet to apache-httpd role pillar

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:28 +01:00
d8d848055f
id.themis: add BookStack configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:28 +01:00
e36d40dbc3
id.themis: add BookStack httpd configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 13:14:28 +01:00
906dd92d7e
Add web.apache-httpd role
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 11:10:05 +01:00
e58c63decc
Enable apache-formula
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-26 11:10:04 +01:00
0730cbb4c2
Manage Prometheus firewall rules
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-21 19:06:04 +01:00
cade9c0aca
Moni: Read Blackbox targets as JSON
Use uniform JSON target files instead of a JSON/YAML mix.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-21 19:06:03 +01:00
979021f5c4
Import Prometheus server configuration
* add new roles:
  - monitoring.prometheus
  - monitoring.prometheus-alertmanager
  - monitoring.prometheus-exporter-blackbox
* add common Prometheus and Prometheus Alertmanager pillar data
* add moni.lysergic.dev specific Prometheus pillar data

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-21 19:05:03 +01:00
18d28c3b7f
Address salt-lint errors/warnings
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- remove trailing whitespaces
- format octal modes correctly

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 23:18:54 +01:00
cd93d792ff
Address yamllint errors/warnings
- remove spaces, add headers
- add ignore for line-lengths in .pipeline.yml

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 23:15:25 +01:00
2674d21efc
Enable prometheus-formula
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-15 18:57:18 +01:00
c75e31c145
denc-webcluster: add ModSecurity adjustments
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
With the rollout of our Salted configuration, ModSecurity came enforced.
This adds necessary rules to PrivateBin and BookStack for correct
operation.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 23:46:22 +01:00
37a1ec433a
denc-webcluster: nginx listen on HA addresses
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Accidentally configured to listen only internally.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 17:42:31 +01:00
2d5da24ce5
denc-webcluster: nginx AppArmor rules
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Allow access to client trust certificate and to static content.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 16:39:49 +01:00
eac227d120
denc-webcluster: nginx config fixup
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- remove keys duplicated by include
- repair wrong snippets include directory
- repair wrong ip_hash option syntax

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 15:48:44 +01:00
d017233a52
ha-node: vrrp is a protocol
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Accidentally added as a service.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 15:22:08 +01:00
533aedd864
denc-webcluster: enable keepalived script security
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Prevent script tampering.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 14:37:45 +01:00
7481741f95
denc-webcluster: allow http(s) publicly
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Public firewall rules were missing from initial import.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 14:33:34 +01:00
c5ce94d7b5
Manage backend firewall zone
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Configure backend firewall zones if applicable. Allow all UDP for
cluster traffic.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 06:04:16 +01:00
bef66c1f8a
ha-node: allow vrrp in firewall
Needed for keepalived operation.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:54:20 +01:00
303b06ae8c
nemesis/hubris: import keepalived configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
a0a21a17db
nemesis/hubris: include denc.web-proxy
Add shared nginx configuration to nemesis/hubris HA pair nodes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:42 +01:00
eed4945a9f
nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:39 +01:00
1f8d8b642c
dericom02: manage web firewall zone
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Import locally configured web zone into Salt. This zone allows the web
proxy to reach http for serving Matterbridge media.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 03:49:40 +01:00
16c8cd3dd5
dericom02: disable matterbridge XMPP debug
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
It's very noisy - one can enable it on demand if needed.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:53:04 +01:00
1302e06486
Disable "aithunder" Discord bridge
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Discord room does not exist.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:25:55 +01:00
12c47a346b
dericom02: quote matterbridge booleans
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
TOML configuration format needs lowercase boolean values.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:13:03 +01:00
1aacd3f340
dericom02: manage matterbridge media
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- move base media directory to variable
- add lighttpd vhosts to pillar

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 00:51:59 +01:00