nemesis/hubris: include denc.web-proxy

Add shared nginx configuration to nemesis/hubris HA pair nodes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar/cluster/denc/web-proxy.sls

@@ -1,4 +1,7 @@
 {%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
 
 nginx:
   snippets:
@@ -18,31 +21,29 @@ nginx:
       - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
     tls:
       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    tls_baseline: {#- compat, to-do: merge into role.web-proxy #}
-      - include: snippets/tls
 
-    {#- certificate snippets #}
+    {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
     {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
-      - include: snippets/tls_baseline
+      - include: snippets/tls
     {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
-      - include: snippets/tls_baseline
+      - include: snippets/tls
     {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
-      - include: snippets/tls_baseline
+      - include: snippets/tls
     {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
-      - include: snippets/tls_baseline
+      - include: snippets/tls
     tls_syscidsso:
-      - ssl_trusted_certificate: /etc/pki/trust/anchors/syscid-ca.crt
+      - ssl_trusted_certificate: {{ trustcrt }}
-      - ssl_client_certificate:  /etc/pki/trust/anchors/syscid-ca.crt
+      - ssl_client_certificate:  {{ trustcrt }}
       - ssl_certificate:         /etc/ssl/syscid/sso.syscid.com.crt
       - ssl_certificate_key:     /etc/ssl/syscid/sso.syscid.com.key
-      - ssl_ocsp:                on
+      - ssl_ocsp:                'on'
-      - ssl_ocsp_responder:      http://gaia.syscid.com:8900/
+      - ssl_ocsp_responder:      {{ stapler }}
-      - ssl_stapling:            on
+      - ssl_stapling:            'on'
-      - ssl_stapling_responder:  http://gaia.syscid.com:8900/
+      - ssl_stapling_responder:  {{ stapler }}
-      - ssl_stapling_verify:     on
+      - ssl_stapling_verify:     'on'
-      - ssl_verify_client:       on
+      - ssl_verify_client:       'on'
-      - resolver:                192.168.0.115 ipv6=off
+      - resolver:                {{ resolver }} ipv6=off
-      - include:                 snippets.d/tls_baseline
+      - include:                 snippets.d/tls
 
   servers:
     managed:
@@ -100,8 +101,8 @@ nginx:
               - snippets/tls_syscidsso
             - server_name: sso.syscid.com
             - root: /srv/www/sso.syscid.com
-            - location = /: {}
+            - location = /: []
-            - location /index.html: {}
+            - location /index.html: []
             - location /:
               - proxy_pass: https://jboss
               - proxy_cache: cache_sso_private
@@ -111,6 +112,7 @@ nginx:
             - proxy_busy_buffers_size: 512k
             - error_log: /var/log/nginx/sso_private.error.log
             - access_log: /var/log/nginx/sso_private.access.log combined
+
       sso_public.conf:
         config:
           - server:
@@ -122,8 +124,8 @@ nginx:
               - root: /srv/www/sso.casa
           - server:
             - include:
-             - snippets/listen
+              - snippets/listen
-             - snippets/tls_libsso
+              - snippets/tls_libsso
             - server_name: libsso.net www.libsso.net
             - location /:
               - root: /srv/www/libsso.net