Compare commits

32 Commits

454214be61
Add ha-netcup role
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Role managing the Netcup IP failover script plus keepalived.
Requires ha-node role introduced via a8bbe056f1.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
41bd1af1a4
Add keepalived_script_user profile
Short profile source from other profiles requiring the keepalived_script
user to be present.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
ae40b1c9c0
Add netcup_failover profile
Profile managing a Netcup IP address failover script for use with
keepalived.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
303b06ae8c
nemesis/hubris: import keepalived configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:43 +01:00
a0a21a17db
nemesis/hubris: include denc.web-proxy
Add shared nginx configuration to nemesis/hubris HA pair nodes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:42 +01:00
eed4945a9f
nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 05:21:39 +01:00
1b0965943f Merge pull request 'common-suse: add qemu-guest-agent + remove AutoYaST' (#23) from common-suse into production
Reviewed-on: #23
2023-02-12 04:13:50 +01:00
8e1436d4af
common.suse: manage qemu-guest-agent
Ensure qemu-guest-agent is active on all KVM guests.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 04:11:14 +01:00
b6b7ff1e33
common.suse: remove AutoYaST
We only use AutoYaST for the OS deployment and don't need the packages
afterwards.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 04:11:14 +01:00
95248fd374 Merge pull request 'dericom02: manage web firewall zone' (#22) from dericom02-webfw into production
Reviewed-on: #22
2023-02-12 03:52:41 +01:00
1f8d8b642c
dericom02: manage web firewall zone
Import locally configured web zone into Salt. This zone allows the web
proxy to reach http for serving Matterbridge media.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 03:49:40 +01:00
9043634123 Merge pull request 'lighttpd: improve dependencies' (#21) from lighttpd-watch into production
Reviewed-on: #21
2023-02-12 03:06:20 +01:00
9a0c210b87
lighttpd: improve dependencies
- add more explicit Salt ID dependencies
- reload service on configuration changes

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 03:03:09 +01:00
5da0bfe798 Merge pull request 'dericom02: disable matterbridge XMPP debug' (#20) from matterbridge-xmpp-debug into production
Reviewed-on: #20
2023-02-12 02:56:22 +01:00
16c8cd3dd5
dericom02: disable matterbridge XMPP debug
It's very noisy - one can enable it on demand if needed.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:53:04 +01:00
1eb10e4687 Merge pull request 'matterbridge: restart on changes' (#19) from matterbridge-watch into production
Reviewed-on: #19
2023-02-12 02:42:29 +01:00
b446afcc49
matterbridge: restart on changes
Matterbridge does detect file changes, but seems to only apply them on
a service restart.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:39:47 +01:00
82e8ce4eb2 Merge pull request 'matterbridge: quote numbers' (#18) from matterbridge-booleans into production
Reviewed-on: #18
2023-02-12 02:33:30 +01:00
586c7e3bc7 Merge pull request 'Disable "aithunder" Discord bridge' (#17) from matterbridge-aithunder into production
Reviewed-on: #17
2023-02-12 02:31:48 +01:00
b061265885
matterbridge: quote numbers
Needed to make the TOML configuration format happy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:30:56 +01:00
1302e06486
Disable "aithunder" Discord bridge
Discord room does not exist.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:25:55 +01:00
8fbfd38ec3 Merge pull request 'dericom02: quote matterbridge booleans' (#16) from matterbridge-booleans into production
Reviewed-on: #16
2023-02-12 02:18:19 +01:00
12c47a346b
dericom02: quote matterbridge booleans
TOML configuration format needs lowercase boolean values.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 02:13:03 +01:00
c9a157833b Merge pull request 'Matterbridge media' (#15) from matterbridge-media into production
Reviewed-on: #15
2023-02-12 00:55:49 +01:00
1aacd3f340
dericom02: manage matterbridge media
- move base media directory to variable
- add lighttpd vhosts to pillar

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 00:51:59 +01:00
ab47eb5485
matterbridge: manage media directories
Create media directories if defined in the pillar.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-12 00:51:26 +01:00
e2560f0dd6 Merge pull request 'matterbridge: add role pillar' (#14) from matterbridge-pillar-fixup into production
Reviewed-on: #14
2023-02-09 23:00:18 +01:00
77c50cf53f
matterbridge: add role pillar
Empty for now, adding for future reference and because we enforce role
pillars to exist.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-09 22:56:28 +01:00
03a4aec0f3 Merge pull request 'Import Matterbridge configuration' (#10) from import-dericom02 into production
Reviewed-on: #10
2023-02-09 21:02:02 +01:00
dee3e035c2 Merge pull request 'Refactor Matterbridge profile' (#11) from matterbridge-refactor into production
Reviewed-on: #11
2023-02-09 20:44:03 +01:00
650854fa27
Refactor matterbridge profile
- reduce pillar calls
- no longer define possible configuration options, apply settings from
  pillar 1:1

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-07 22:37:37 +01:00
07d325d777
dericom02: import Matterbridge configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-07 22:29:02 +01:00
14 changed files with 663 additions and 24 deletions

@ -0,0 +1,206 @@
{%- from 'map.jinja' import nginx_crtkeypair -%}
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}
{%- set mailer = '192.168.0.120' -%}
{%- set ha4 = '81.16.19.62' -%}
{%- set ha6 = '2a03:4000:20:21f::' -%}
keepalived:
config:
global_defs:
notification_email:
- system@lysergic.dev
notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
smtp_server: {{ mailer }}
smtp_connect_timeout: 30
router_id: SSO_FO
vrrp_script:
check_nginx_port:
script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
weight: 5
interval: 3
timeout: 3
check_nginx_process:
{#- this is not a good check but better than nothing #}
script: '"/usr/bin/pgrep nginx"'
weight: 4
interval: 2
timeout: 10
check_useless_process:
{#- this is only used for debugging #}
script: '"/usr/bin/pgrep useless.sh"'
weight: 4
interval: 2
timeout: 3
vrrp_instance:
DENCWC:
state: MASTER
interface: eth1
priority: 100
virtual_router_id: 100
advert_int: 5
smtp_alert: true
notify_master: '"/usr/local/bin/failover --all"'
promote_secondaries: true
mcast_src_ip: 192.168.0.50
authentication:
auth_type: PASS
auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
virtual_ipaddress:
- {{ ha4 }}/32 dev eth0 label failover
virtual_ipaddress_excluded:
- {{ ha6 }}/64 dev eth0
{%- for i in [1, 2, 3] %}
- {{ ha6 }}{{ i }}/64 dev eth0
{%- endfor %}
track_script:
{#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
- check_nginx_process
track_interface:
- eth0
nginx:
snippets:
listen_ha:
- listen:
- {{ ha4 }}:443 ssl http2
- '[{{ ha6 }}]:443 ssl http2'
proxy:
- proxy_set_header:
- Host $host
- X-Real-IP $remote_addr
- X-Forwarded-For $proxy_add_x_forwarded_for
- X-Forwarded-Host $host
- X-Forwarded-Server $host
- X-Forwarded-Port $server_port
- X-Forwarded-Proto $scheme
- proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
tls:
- ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
{#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
{{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
- include: snippets/tls
tls_syscidsso:
- ssl_trusted_certificate: {{ trustcrt }}
- ssl_client_certificate: {{ trustcrt }}
- ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
- ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
- ssl_ocsp: 'on'
- ssl_ocsp_responder: {{ stapler }}
- ssl_stapling: 'on'
- ssl_stapling_responder: {{ stapler }}
- ssl_stapling_verify: 'on'
- ssl_verify_client: 'on'
- resolver: {{ resolver }} ipv6=off
- include: snippets.d/tls
servers:
managed:
jboss-cluster.conf:
available_dir: /etc/nginx/conf.d
config:
- proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
- proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
- upstream jboss:
- ip: hash
- server:
- theia.backend.syscid.com:8443
- orpheus.backend.syscid.com:8443
- selene.backend.syscid.com:8443
bookstack.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_libertacasa
- server_name: libertacasa.info libcasa.info
- location /:
- proxy_pass: https://bookstack.themis.backend.syscid.com
- proxy_http_version: 1.1
- client_max_body_size: 20M
http.conf:
config:
- server:
- listen:
- {{ ha4 }}:80 default_server
- '[{{ ha6 }}]:80 default_server'
- include: snippets/robots
- location /:
- return: 301 https://$host$request_uri
privatebin.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_lysergic
- server_name: pasta.lysergic.dev
- location /:
- proxy_pass: https://privatebin.themis.backend.syscid.com
- proxy_http_version: 1.1
- client_max_body_size: 50M
sso_private.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_syscidsso
- server_name: sso.syscid.com
- root: /srv/www/sso.syscid.com
- location = /: []
- location /index.html: []
- location /:
- proxy_pass: https://jboss
- proxy_cache: cache_sso_private
- include: snippets/proxy
- proxy_buffer_size: 256k
- proxy_buffers: 4 512k
- proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/sso_private.error.log
- access_log: /var/log/nginx/sso_private.access.log combined
sso_public.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_libsso
- server_name: sso.casa www.sso.casa
- location /:
- root: /srv/www/sso.casa
- server:
- include:
- snippets/listen
- snippets/tls_libsso
- server_name: libsso.net www.libsso.net
- location /:
- root: /srv/www/libsso.net
- location /auth: {#- compat, consider removing #}
- rewrite: '^/auth(.*)$ https://libsso.net$1 break'
{%- for path in ['realms', 'resources', 'js'] %}
- location /{{ path }}:
- proxy_pass: https://jboss/{{ path }}
- proxy_cache: cache_sso_public
{#- - proxy_ssl_verify: on #to-do: enable this #}
- include: snippets/proxy
{%- endfor %}
{%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
- location /{{ path }}:
- return: https://liberta.casa/
{%- endfor %}
- proxy_buffer_size: 256k
- proxy_buffers: 4 512k
- proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/libsso_public.error.log
- access_log: /var/log/nginx/libsso_public.access.log combined
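Review bot: `proxy_ssl_trusted_certificate` in the `proxy` snippet has no effect while `proxy_ssl_verify` stays commented out (the to-do on the `/realms`, `/resources` and `/js` locations), so the `proxy_pass https://jboss` upstreams are encrypted but not authenticated; enabling `proxy_ssl_verify on` (with `proxy_ssl_name` if the upstream name differs from the certificate) closes that gap. Two smaller points: VRRP `auth_type: PASS` carries the password in clear text on eth1 and no longer exists in VRRPv3, so treat `auth_pass` as an instance tag rather than a secret, and the only active `track_script` is the `pgrep nginx` check the comment already calls weak, so a wedged nginx that still has a process keeps its priority until the curl port check is fixed.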

@ -0,0 +1,242 @@
{%- set mediapath = '/srv/matterbridge/' -%}
{%- macro discord_common() -%}
AutoWebhooks: 'true'
EditSuffix: '(edited)'
RemoteNickFormat: '[{PROTOCOL}]:{NICK} '
{%- endmacro -%}
profile:
matterbridge:
instances:
libertacasa-general:
general:
MediaDownloadSize: 1000000000
MediaDownloadPath: {{ mediapath }}libertacasa-general
MediaServerDownload: https://load.casa
accounts:
irc.libertacasa:
Server: irc.liberta.casa:6697
UseTLS: 'true'
UseSASL: 'true'
Nick: viaduct
NickServNick: viaduct
NickServPassword: ${'secret_matterbridge:general:accounts:irc.libertacasa:NickServPassword'}
ColorNicks: 'true'
Charset: utf8
MessageSplit: 'true'
MessageQueue: 60
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
xmpp.libertacasa:
Server: xmpp.liberta.casa:5222
Jid: viaduct@liberta.casa
Password: ${'secret_matterbridge:general:accounts:xmpp.libertacasa:Password'}
Muc: muc.liberta.casa
Nick: viaduct
RemoteNickFormat: '[{PROTOCOL}] <{NICK}>'
Label: x
Debug: 'false'
telegram.libertacasa:
Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'}
RemoteNickFormat: '&lt;{NICK}&gt; '
MessageFormat: HTMLNick
Label: tg
DisableWebPagePreview: 'true'
sshchat.Psyched:
Server: 192.168.0.110:2220
Nick: LC
RemoteNickFormat: '{PROTOCOL}:<{NICK}> '
Label: p
discord.23:
Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
{{ discord_common() }}
{#-
discord.aithunder:
Token: ${'secret_matterbridge:general:accounts:discord.aithunder:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.aithunder:Server'}
{{ discord_common() }}
#}
gateways:
libcasa:
irc.libertacasa: '#libcasa'
sshchat.Psyched: sshchat
xmpp.libertacasa: libcasa
dev:
irc.libertacasa: '#dev'
xmpp.libertacasa: dev
lucy:
irc.libertacasa: '#lucy'
xmpp.libertacasa: lucy
info:
irc.libertacasa: '#libcasa.info'
xmpp.libertacasa: libcasa.info
#telegram.libertacasa: '-1001518274267'
chat:
irc.libertacasa: '#chai'
discord.23: chat
xmpp.libertacasa: chat
dota:
irc.libertacasa: '#dotes'
discord.23: dotes
xmpp.libertacasa: dota
aithunder:
irc.libertacasa: '#aithunder'
# discord.aithunder: main-chat
xmpp.libertacasa: aithunder
libertacasa-irc:
general:
RemoteNickFormat: '{NOPINGNICK}/{LABEL}: '
IgnoreFailureOnStart: 'true'
MessageSplit: 'true'
MediaDownloadSize: 1000000000
MediaDownloadPath: {{ mediapath }}libertacasa-irc
MediaServerDownload: https://irc.load.casa
accounts:
irc.libertacasa:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.libertacasa:NickServPassword'}
Server: irc.liberta.casa:6697
UseTLS: 'true'
UseSASL: 'true'
Label: libcasa
Charset: utf8
IgnoreNicks: HistServ
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
irc.chillnet:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.chillnet:NickServPassword'}
Server: irc.chillnet.org:6697
UseTLS: 'true'
UseSASL: 'true'
Label: chillnet
Charset: utf8
IgnoreNicks: HistServ
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
irc.ergo:
Nick: LCIRCrelay
NickServNick: LCIRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.ergo:NickServPassword'}
Server: irc.ergo.chat:6697
UseTLS: 'true'
UseSASL: 'true'
Label: ergochat
Charset: utf8
IgnoreNicks: HistServ
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
irc.2600:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.2600:NickServPassword'}
Server: irc.2600.net:6697
UseTLS: 'true'
SkipTLSVerify: 'true'
Label: 2600net
Charset: utf8
irc.dosers:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.dosers:NickServPassword'}
Server: irc.dosers.net:6697
UseTLS: 'true'
UseSASL: 'true'
Label: dosers
Charset: utf8
irc.rizon:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.rizon:NickServPassword'}
Server: irc.rizon.net:6697
UseTLS: 'true'
UseSASL: 'true'
Label: rizon
Charset: utf8
irc.nerds:
Nick: LCRelay
NickServNick: LCRelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.nerds:NickServPassword'}
Server: irc6.irc-nerds.net:6697
UseTLS: 'true'
UseSASL: 'true'
Label: nerds
Charset: utf8
irc.oftc:
Nick: IRCrelay
NickServNick: IRCrelay
Server: irc.oftc.net:6697
UseTLS: 'true'
Label: oftc
Charset: utf8
irc.libera:
Nick: IRCrelay
NickServNick: IRCrelay
NickServPassword: ${'secret_matterbridge:irc:accounts:irc.libera:NickServPassword'}
Server: irc.eu.libera.chat:6697
UseTLS: 'true'
UseSASL: 'true'
Label: libera
Charset: utf8
irc.stardust:
Nick: IRCrelay
Server: irc.stardust.cx:6697
UseTLS: 'true'
Charset: utf8
Label: stardust
# ugly but requested
RemoteNickFormat: '[{LABEL}] <{NICK}> '
gateways:
main:
irc.libertacasa: '#libcasa'
irc.2600: '#libcasa'
irc.nerds: '#praxis'
irc.libera: '#libcasa'
irc.oftc: '#libcasa'
irc.dosers: '#libcasa'
irc.rizon: '#praxis'
lucy:
irc.libertacasa: '#lucy'
irc.dosers: '#lucy'
libcasainfo:
irc.libertacasa: '#libcasa.info'
irc.ergo: '#libcasa.info'
irc.libera: '#libcasa.info'
irc.oftc: '#libcasa.info'
ircv5:
irc.libertacasa: '#ircv5'
irc.libera: '#ircv5'
irc.oftc: '#ircv5'
nerds:
irc.libertacasa: '#nerds'
irc.nerds: '#nerds'
chillops:
irc.libertacasa: '#chillops'
irc.chillnet: '#chillops'
irc.stardust: '#chillnet-test'
music:
irc.libertacasa: '#music'
irc.chillnet: '#music'
irc.stardust: '#music'
lighttpd:
vhosts:
matterbridge-general:
host: 'libertacasa-general\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-general
matterbridge-irc:
host: 'libertacasa-irc\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-irc
firewalld:
zones:
web:
services:
- http
sources:
- '2a01:4f8:11e:2200::dead/128'
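Review bot: `irc.2600` sets `SkipTLSVerify: 'true'` while still sending `NickServPassword` over that connection, so the certificate check that protects the password on every other network is switched off here; if the server certificate cannot be validated, record why in a comment and consider a password unique to that network. Separately, the quoted `'true'`/`'false'` values become TOML strings (`UseTLS="true"`) under the template's quoting rule, so this relies on matterbridge coercing strings to booleans; worth a comment, or emit bare `true`/`false` for boolean options.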

@ -0,0 +1,2 @@
include:
- cluster.denc.web-proxy

@ -0,0 +1,2 @@
include:
- cluster.denc.web-proxy

@ -0,0 +1 @@
# empty

@ -41,8 +41,29 @@ ca-certificates-syscid:
- require:
- pkgrepo: libertacasa_rpm_repository
common_packages:
common_packages_install:
pkg.installed:
- names:
- fish
- system-group-wheel
{%- if grains['virtual'] == 'kvm' %}
- qemu-guest-agent
qemu-guest-agent:
service.running:
- enable: True
- require:
- pkg: qemu-guest-agent
{%- endif %}
common_packages_remove:
pkg.removed:
- pkgs:
{#- we only use AutoYaST for the OS deployment #}
- autoyast2
- autoyast2-installation
- libX11-data
- yast2-add-on
- yast2-services-manager
- yast2-slp
- yast2-trans-stats
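Review bot: the `{#- we only use AutoYaST for the OS deployment #}` comment explains only the `autoyast2*` entries; `libX11-data` and the `yast2-*` packages are removed under the same heading without a stated reason, so either add a line saying why they go or split them into their own list so the next reader does not assume they are AutoYaST parts.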

@ -0,0 +1,7 @@
keepalived_script_user:
user.present:
- name: keepalived_script
- createhome: False
- home: /var/lib/keepalived
- shell: /usr/sbin/nologin
- system: True
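Review bot: `keepalived_script` is the name keepalived falls back to for `script_user` when that account exists, so this state is what makes the notify and track scripts drop root; it would be worth pairing it with `enable_script_security` in `global_defs` (not set in the cluster.denc.web-proxy pillar in this PR) so keepalived refuses to run root scripts from paths a non-root user can write. The states that set `user: keepalived_script` on files should also `require` this state rather than rely on include order.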

@ -25,6 +25,8 @@ lighttpd_files:
- group: lighttpd
- mode: '0640'
- template: jinja
- watch_in:
- service: lighttpd_service
- names:
- /etc/lighttpd/lighttpd.conf:
- source: salt:///{{ slspath }}/files/etc/lighttpd/lighttpd.conf.j2
@ -40,3 +42,6 @@ lighttpd_service:
service.running:
- name: lighttpd.service
- enable: True
- reload: True
- require:
- pkg: lighttpd_packages
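Review bot: `reload: True` only works if `lighttpd.service` defines an `ExecReload`; if the unit has none, Salt's `service.reload` fails and the state fails on every configuration change instead of restarting, so verify the unit on the target or keep the default restart behaviour.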

@ -1,35 +1,33 @@
{%- set header = salt['pillar.get']('managed_header_pound') -%}
{%- set myfqdn = salt['grains.get']('fqdn') -%}
{%- set mypillar = 'profile:matterbridge:instances:' ~ instance ~ ':' -%}
{%- set myaccounts = mypillar ~ 'accounts' -%}
{%- set mygateways = mypillar ~ 'gateways' -%}
{%- set generalopts = ['RemoteNickFormat', 'IgnoreFailureOnStart', 'MessageSplit', 'MediaDownloadSize', 'MediaDownloadPath', 'MediaServerDownload', 'LogFile'] -%}
{%- set accountopts = ['Nick', 'NickServNick', 'NickServPassword', 'Server', 'UseTLS', 'UseSASL', 'Label', 'Charset', 'IgnoreNicks', 'RunCommands', 'UseRelayMsg', 'RemoteNickFormat'] -%}
{{ header }}
{%- if general | length %}
[general]
{% for option in generalopts %}
{%- if salt['pillar.get'](mypillar ~ option, None) != None %}
{{ option }}="{{ salt['pillar.get'](mypillar ~ option) }}"
{%- endif -%}
{%- endfor -%}
{%- for option, value in general.items() %}
{%- if value is string %}
{%- set value = '"' ~ value ~ '"' %}
{%- endif %}
{{ option }}={{ value }}
{%- endfor %}
{% endif %}
{% for account, config in salt['pillar.get'](myaccounts).items() %}
[{{ config['protocol'] }}.{{ account }}]
{%- for option in accountopts %}
{%- if salt['pillar.get'](myaccounts ~ ':' ~ account ~ ':' ~ option, None) != None %}
{{ option }}="{{ config[option] }}"
{%- endif -%}
{%- for account, config in accounts.items() %}
[{{ account }}]
{%- for option, value in config.items() %}
{%- if value is string or value is number %}
{%- set value = '"' ~ value ~ '"' %}
{%- endif %}
{{ option }}={{ value }}
{%- endfor %}
{% endfor %}
{% endfor -%}
{% for gateway, config in salt['pillar.get'](mygateways).items() %}
{%- for gateway, config in gateways.items() %}
[[gateway]]
name="{{ gateway }}"
enable=true
{% for account, channel in config.items() %}
{%- for account, channel in config.items() %}
[[gateway.inout]]
account="{{ account }}"
channel="{{ channel }}"
{%- endfor %}
{% endfor %}
{%- endfor -%}
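Review bot: `'"' ~ value ~ '"'` wraps values without escaping, so a pillar value containing `"` or a backslash (passwords from the secret pillar are the likely case) produces invalid TOML; passing string values through Jinja's `tojson` filter quotes and escapes them correctly. Booleans are also unhandled: a bare YAML `true` reaches this loop as a Python bool, which satisfies `is number`, and renders as the string `"True"`; an explicit boolean branch emitting `{{ value | string | lower }}` would be cleaner than quoting every boolean in the pillar.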

@ -1,5 +1,5 @@
{%- set mypillar = 'profile:matterbridge' -%}
{%- set instances = salt['pillar.get'](mypillar ~ ':instances') or [] -%}
{%- set mypillar = salt['pillar.get']('profile:matterbridge') -%}
{%- set instances = mypillar['instances'] | default([]) -%}
matterbridge_packages:
pkg.installed:
@ -31,11 +31,31 @@ matterbridge_files:
- /etc/matterbridge/{{ instance }}.toml:
- context:
instance: {{ instance }}
general: {{ instances[instance]['general'] | default({}) }}
accounts: {{ instances[instance]['accounts'] }}
gateways: {{ instances[instance]['gateways'] }}
- watch_in:
- service: matterbridge_{{ instance }}_service
{%- endfor %}
{%- for instance in instances %}
{%- if 'general' in instances[instance] and 'MediaDownloadPath' in instances[instance]['general'] %}
matterbridge_{{ instance }}_mediadir:
file.directory:
- name: {{ instances[instance]['general']['MediaDownloadPath'] }}
- user: matterbridge
{#- to-do: implement some shared group #}
- group: lighttpd
- mode: 750
- makedirs: True
{%- endif %}
matterbridge_{{ instance }}_service:
service.running:
- name: matterbridge@{{ instance }}.service
- enable: True
- watch:
- file: /etc/matterbridge/{{ instance }}.toml
{%- endfor %}
{%- endif %}
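Review bot: `general: {{ ... }}`, `accounts: {{ ... }}` and `gateways: {{ ... }}` splice Python dict reprs into the SLS, which only parses as a YAML flow mapping as long as no value contains characters like `#`, `: ` or a `'`; the channel names already start with `#` and survive only because repr single-quotes them. Passing the dicts through Salt's `yaml` or `json` filter (`{{ instances[instance]['accounts'] | yaml }}`) makes the context robust. The `watch_in` on `matterbridge_files` and the `watch` on the service declare the same edge twice; one of them can go.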

@ -0,0 +1,13 @@
This profile installs a script switching failover IP addresses between Netcup hosted VM's.
Required pillar:
```
profile:
netcup_failover:
scp_user: 12345
scp_pass: xxxx
scp_server: v9876
ip4_address: xx.xx.xx.xx/32
ip6_address: 'foo:bar::/64'
```
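Review bot: the required pillar list is incomplete: the rendered script also reads `mypillar['mac_address']` (sent as `destinationInterfaceMAC`), so without it `MAC` renders empty and the API call is malformed; add `mac_address` to this example. The README should also say that `scp_pass` ends up inside the installed script and who can read that file.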

@ -0,0 +1,109 @@
{%- set header = salt['pillar.get']('managed_header_pound') -%}
{%- set mypillar = salt['pillar.get']('profile:netcup_failover') -%}
#!/bin/sh
# Floating IP switching script utilizing the Netcup API
{{ header }}
SCP_USER='{{ mypillar['scp_user'] }}'
SCP_PASS='{{ mypillar['scp_pass'] }}'
SCP_SERVER='{{ mypillar['scp_server'] }}'
MAC='{{ mypillar['mac_address'] }}'
IP_v4='{{ mypillar['ip4_address'] }}'
IP_v6='{{ mypillar['ip6_address'] }}'
URL="https://www.servercontrolpanel.de/WSEndUser?xsd=1" ### ?xsd=1 ?wsdl
usage () {
echo "$0 [--ipv4 | --ipv6 | --all] [--debug]"
exit 2
}
init () {
construct "$1"
run
parse
}
construct () {
if [ "$1" = "ip4" ];
then
local IP="$IP_v4"
fi
if [ "$1" = "ip6" ];
then
local IP="$IP_v6"
fi
local CIDR="${IP#*/}"
local IP="`echo $IP | sed "s?/$CIDR??"`"
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Initiating: $1"
echo "[DEBUG] IP Address: $IP"
echo "[DEBUG] CIDR Mask: $CIDR"
fi
XML_BODY="<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:ns1='http://enduser.service.web.vcp.netcup.de/'><SOAP-ENV:Body><ns1:changeIPRouting><loginName>$SCP_USER</loginName><password>$SCP_PASS</password><routedIP>$IP</routedIP><routedMask>$CIDR</routedMask><destinationVserverName>$SCP_SERVER</destinationVserverName><destinationInterfaceMAC>$MAC</destinationInterfaceMAC></ns1:changeIPRouting></SOAP-ENV:Body></SOAP-ENV:Envelope>"
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Payload: $XML_BODY"
fi
}
request () {
curl -s -H 'Content-Type: text/xml' -H 'SOAPAction:' -d "$XML_BODY" -X POST "$URL"
}
run () {
RESPONSE=`request`
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Response: $RESPONSE"
fi
}
parse () {
local IFS='&'
local check_invalid="validation error&IP already assigned&true"
for check in $check_invalid;
do
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Parsing: $check"
fi
if [ "${RESPONSE#*$check}" = "$RESPONSE" ];
then
result="Not found"
fi
if [ "${RESPONSE#*$check}" != "$RESPONSE" ];
then
result="Found"
fi
echo "Check for \"$check\": $result"
done
}
MODE="$1"
if [ "$2" = "--debug" ];
then
DEBUG="true"
echo "[DEBUG] Script invoked at `date`"
fi
case "$MODE" in
"--ipv4" )
init ip4
;;
"--ipv6" )
init ip6
;;
"--all" )
init ip6
init ip4
;;
* )
usage
;;
esac
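Review bot: the script never sets an exit status from `parse`: it prints Found/Not found for each marker and falls through to exit 0, so keepalived's `notify_master` cannot tell a successful switch from a `validation error` reply or an empty response; ending `parse` with something like `[ "${RESPONSE#*true}" != "$RESPONSE" ] || exit 1` would surface the failure. `request` also passes the SOAP body, including `$SCP_PASS`, on the curl command line, where it is visible in the process list to every local user while the call runs; feed it via `-d @-` on stdin instead, and add `--max-time` so a hanging API cannot stall the notify script.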

@ -0,0 +1,10 @@
include:
- profile.keepalived_script_user
/usr/local/bin/failover:
file.managed:
- user: keepalived_script
- group: wheel
- mode: 750
- template: jinja
- source: salt://{{ slspath }}/files/failover.sh.j2
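Review bot: the rendered script embeds `scp_pass` and is installed with `group: wheel` and `mode: 750`, so every wheel member can read the Netcup control-panel credentials; keepalived runs its scripts as `keepalived_script` (the file owner) when that user exists, so `group: root` with mode `0700` loses nothing. The `include` alone does not order the states: add `- require: - user: keepalived_script_user` to the `file.managed` so the user exists before the file is chowned.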

salt/role/ha-netcup.sls

@ -0,0 +1,3 @@
include:
- profile.netcup_failover
- role.ha-node