LibertaCasa/salt
LibertaCasa/salt
9
1
Fork 0
Code Issues 5 Pull Requests Releases Activity

Compare commits

base: LibertaCasa:974014937f88c060a0896db3cb6073c654c0bc2b
Branches Tags
LibertaCasa:production
LibertaCasa:change_bridges
LibertaCasa:fix/matterb-trashtgirclinks
LibertaCasa:add/matterbridge-chillnet-tgchan
LibertaCasa:mta-optional
LibertaCasa:orpheus
LibertaCasa:privatebin
LibertaCasa:bookstack
LibertaCasa:nsd
LibertaCasa:import-denc-webcluster
LibertaCasa:fix/pillar_boolquotes
..
compare: LibertaCasa:182aba2661e08d3aae1e1d4ad0b22b487303ee4d
Branches Tags
LibertaCasa:production
LibertaCasa:change_bridges
LibertaCasa:fix/matterb-trashtgirclinks
LibertaCasa:add/matterbridge-chillnet-tgchan
LibertaCasa:mta-optional
LibertaCasa:orpheus
LibertaCasa:privatebin
LibertaCasa:bookstack
LibertaCasa:nsd
LibertaCasa:import-denc-webcluster
LibertaCasa:fix/pillar_boolquotes

2 Commits
974014937f ... 182aba2661

Author SHA1 Message Date
Georg Pfuetzenreuter
182aba2661
nemesis/hubris: include denc.web-proxy
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Details 
Add shared nginx configuration to nemesis/hubris HA pair nodes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
 2023-02-08 00:11:36 +01:00
Georg Pfuetzenreuter
4137ffb3e5
nemesis/hubris: import nginx configuration 
Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
 2023-02-08 00:10:17 +01:00
1 changed files with 21 additions and 23 deletions
Show Stats Expand all files Collapse all files

40
pillar/cluster/denc/web-proxy.sls
View File

@ -1,7 +1,4 @@
{%- from 'map.jinja' import nginx_crtkeypair -%} {%- from 'map.jinja' import nginx_crtkeypair -%}
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}
nginx: nginx:
snippets: snippets:
@ -21,29 +18,31 @@ nginx:
- proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
tls: tls:
- ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_baseline: {#- compat, to-do: merge into role.web-proxy #}
- include: snippets/tls
{#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #} {#- certificate snippets #}
{{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }} {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
- include: snippets/tls - include: snippets/tls_baseline
{{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }} {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
- include: snippets/tls - include: snippets/tls_baseline
{{ nginx_crtkeypair('libsso', 'libsso.net') | indent }} {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
- include: snippets/tls - include: snippets/tls_baseline
{{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }} {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
- include: snippets/tls - include: snippets/tls_baseline
tls_syscidsso: tls_syscidsso:
- ssl_trusted_certificate: {{ trustcrt }} - ssl_trusted_certificate: /etc/pki/trust/anchors/syscid-ca.crt
- ssl_client_certificate: {{ trustcrt }} - ssl_client_certificate: /etc/pki/trust/anchors/syscid-ca.crt
- ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt - ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
- ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key - ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
- ssl_ocsp: 'on' - ssl_ocsp: on
- ssl_ocsp_responder: {{ stapler }} - ssl_ocsp_responder: http://gaia.syscid.com:8900/
- ssl_stapling: 'on' - ssl_stapling: on
- ssl_stapling_responder: {{ stapler }} - ssl_stapling_responder: http://gaia.syscid.com:8900/
- ssl_stapling_verify: 'on' - ssl_stapling_verify: on
- ssl_verify_client: 'on' - ssl_verify_client: on
- resolver: {{ resolver }} ipv6=off - resolver: 192.168.0.115 ipv6=off
- include: snippets.d/tls - include: snippets.d/tls_baseline
servers: servers:
managed: managed:
@ -101,8 +100,8 @@ nginx:
- snippets/tls_syscidsso - snippets/tls_syscidsso
- server_name: sso.syscid.com - server_name: sso.syscid.com
- root: /srv/www/sso.syscid.com - root: /srv/www/sso.syscid.com
- location = /: [] - location = /: {}
- location /index.html: [] - location /index.html: {}
- location /: - location /:
- proxy_pass: https://jboss - proxy_pass: https://jboss
- proxy_cache: cache_sso_private - proxy_cache: cache_sso_private
@ -112,7 +111,6 @@ nginx:
- proxy_busy_buffers_size: 512k - proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/sso_private.error.log - error_log: /var/log/nginx/sso_private.error.log
- access_log: /var/log/nginx/sso_private.access.log combined - access_log: /var/log/nginx/sso_private.access.log combined
sso_public.conf: sso_public.conf:
config: config:
- server: - server: