denc-webcluster: nginx AppArmor rules

Allow access to static content. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
web-proxy: include apparmor.local
2023-02-12 16:28:19 +01:00 · 2023-02-12 16:27:40 +01:00 · 2023-02-12 16:20:44 +01:00
4 changed files with 22 additions and 0 deletions
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@ -209,3 +209,9 @@ firewalld:
      services:
        - http
        - https
+
+profile:
+  apparmor:
+    local:
+      usr.sbin.nginx:
+        - '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@ -68,3 +68,9 @@ firewalld:
      services:
        - http
        - https
+
+profile:
+  apparmor:
+    local:
+      usr.sbin.nginx:
+        - '{{ trustcrt }} r,'
--- a/salt/profile/apparmor/local.sls
+++ b/salt/profile/apparmor/local.sls
@ -0,0 +1,9 @@
+{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
+
+{%- if 'local' in aapillar %}
+{%- for profile, lines in aapillar['local'].items() %}
+/etc/apparmor.d/local/{{ profile }}:
+  file.managed:
+    - contents: {{ lines }}
+{%- endfor %}
+{%- endif %}
--- a/salt/role/web-proxy.sls
+++ b/salt/role/web-proxy.sls
@ -1,4 +1,5 @@
 include:
+  - apparmor.local
  - nginx.pkg
  - nginx.config
  - nginx.snippets