Compare commits


8 Commits

d4f39e8e5f
Allow saltenv/pillarenv override
To ease development, allow saltenv=<branch>/pillarenv=<branch> instead
of enforcing the production branch.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 14:43:59 +02:00
a7cd6609e6 Merge pull request 'Watch httpd service for snippets' (#46) from httpd-service into production
Reviewed-on: #46
2023-04-30 14:43:42 +02:00
d65cb9a43b
Watch httpd service for snippets
The reload/restart module calls have been dropped from the formula.
Watch the service.running state instead.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-30 14:39:27 +02:00
b1249e69eb Merge pull request 'Import themis / PrivateBin' (#40) from privatebin into production
Reviewed-on: #40
2023-04-30 14:37:12 +02:00
f32d814658
id.themis: import backend firewall rules
Allow HTTPS traffic.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-04-29 18:39:30 +02:00
4ff7a39f0e
id.themis: import PrivateBin httpd vhost
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-03-12 17:21:32 +01:00
bf3aaa5ff1
id.themis: import PrivateBin configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-03-12 17:01:17 +01:00
96daffc979
Add privatebin profile+role
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-03-12 17:01:00 +01:00
4 changed files with 145 additions and 17 deletions


@ -1,9 +1,26 @@
{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
{%- macro httpdformulaexcess() -%}
LogLevel: False
ErrorLog: False
LogFormat: False
CustomLog: False
ServerAdmin: False
ServerAlias: False
{%- endmacro -%}
{%- macro httpdcommon(app) -%}
Include {{ common['snippetsdir'] }}ssl_themis.conf
<FilesMatch '\.php$'>
SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
</FilesMatch>
{%- endmacro -%}
apache:
sites:
BookStack:
interface: '[fd29:8e45:f292:ff80::1]'
port: 443
ServerName: bookstack.themis.backend.syscid.com
interface: '{{ common['address'] }}'
port: {{ common['port'] }}
ServerName: bookstack{{ common['domain'] }}
DocumentRoot: /srv/www/BookStack/
DirectoryIndex: index.php
Directory:
@ -21,19 +38,26 @@ apache:
RewriteCond '%{REQUEST_FILENAME} !-d'
RewriteCond '%{REQUEST_FILENAME} !-f'
RewriteCond '^ index.php [L]'
LogLevel: False
ErrorLog: False
LogFormat: False
CustomLog: False
ServerAdmin: False
ServerAlias: False
{{ httpdformulaexcess() }}
Formula_Append: |
Include /etc/apache2/snippets.d/ssl_themis.conf
{{ httpdcommon('BookStack') }}
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
SetOutputFilter DEFLATE
<FilesMatch '\.php$'>
SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
</FilesMatch>
PrivateBin:
interface: '{{ common['address'] }}'
port: {{ common['port'] }}
ServerName: privatebin{{ common['domain'] }}
DocumentRoot: /srv/www/PrivateBin/public
DirectoryIndex: index.php
Directory:
/srv/www/PrivateBin/:
Options: false
AllowOverride: None
Require: all granted
{{ httpdformulaexcess() }}
Formula_Append: |
{{ httpdcommon('PrivateBin') }}
profile:
bookstack:
@ -75,3 +99,51 @@ profile:
saml2_group_attribute: groups
saml2_remove_from_groups: true
queue_connection: database
privatebin:
main:
name: Bin
fileupload: true
syntaxhighlightingtheme: sons-of-obsidian
sizelimit: 310485760
notice: 'Note: Kittens will die if you abuse this service.'
languageselection: true
urlshortener: ${'secret_privatebin:main:urlshortener'}
qrcode: true
expire:
default: 1week
expire_options:
5min: 300
10min: 600
1hour: 3600
1day: 86400
1week: 604800
1month: 2592000
1year: 31536000
never: 0
formatter_options:
plaintext: Plain Text
syntaxhighlighting: Source Code
markdown: Markdown
traffic:
limit: 10
header: X_FORWARDED_FOR
dir: /var/lib/PrivateBin/limits
purge:
limit: 300
batchsize: 10
dir: /var/lib/PrivateBin/limits
model:
class: Database
model_options:
dsn: ${'secret_privatebin:model_options:dsn'}
tbl: privatebin_
usr: ${'secret_privatebin:model_options:usr'}
pwd: ${'secret_privatebin:model_options:pwd'}
opt[12]: true
firewalld:
zones:
backend:
services:
- https
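Review bot: The PrivateBin `Directory` block grants `Require: all granted` on `/srv/www/PrivateBin/`, the whole checkout, while `DocumentRoot` is `/srv/www/PrivateBin/public`; narrowing it to `/srv/www/PrivateBin/public/:` keeps `cfg/`, `lib/` and `data/` unreachable even if a later Alias or DocumentRoot change maps them. `traffic: header: X_FORWARDED_FOR` keys the paste rate limiter on a client-supplied header, which only holds if every path to this vhost goes through a proxy that overwrites X-Forwarded-For; the bind to the backend ULA address suggests that is the intent, but anything able to reach `[fd29:8e45:f292:ff80::1]:443` directly can spoof past the 10-second limit, so a comment stating the trusted-proxy assumption would help. `sizelimit: 310485760` (about 296 MiB) reads like `10485760` with a stray leading `3`; please confirm it is intentional given `fileupload: true`.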


@ -16,11 +16,8 @@
- require:
- file: {{ snippetsdir }}
{#- formula dependencies #}
- require_in:
- module: apache-service-running-restart
- service: apache-service-running
- watch_in:
- module: apache-service-running-reload
- service: apache-service-running
{%- endfor %}
{%- endif %}
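Review bot: With the reload/restart module calls gone, a changed snippet now propagates through `watch_in` to `service: apache-service-running`, which in Salt means a full restart of httpd rather than a graceful reload unless that service state sets `reload: True`; confirm that in the apache formula or record the behaviour change next to the requisite, e.g. `{#- a changed snippet restarts httpd via the formula's service state; set reload: True on it for a graceful reload #}`. The remaining `require_in: - service: apache-service-running` is redundant alongside `watch_in` on the same state, since a watch requisite already implies require, so the four requisite lines can collapse to the `watch_in` pair. The `for` loop these requisites belong to starts outside the hunk.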


@ -0,0 +1,55 @@
{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
{%- set confdir = '/etc/PrivateBin' -%}
{%- set configfile = confdir ~ '/conf.php' -%}
privatebin_packages:
pkg.installed:
- names:
- PrivateBin-config-httpd
privatebin_clean:
file.directory:
- name: {{ confdir }}
- clean: True
- onchanges:
- pkg: privatebin_packages
- require:
- pkg: privatebin_packages
{%- if mypillar | length %}
{{ configfile }}:
ini.options_present:
- separator: '='
- strict: True
- sections:
{%- macro conf(section, options) %}
{%- for option in options.keys() -%}
{%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
{%- set value = mypillar[section][option] -%}
{%- else %}
{%- set value = mypillar[section][option] | quote -%}
{%- endif %}
{{ option }}: {{ value }}
{%- endfor -%}
{%- endmacro %}
{%- for section, options in mypillar.items() %}
{{ section }}:
{{ conf(section, options) }}
{%- endfor %}
- require:
- pkg: privatebin_packages
- watch:
- file: privatebin_clean
- watch_in:
- file: privatebin_permissions
{%- endif %}
privatebin_permissions:
file.managed:
- mode: '0640'
- user: wwwrun
- group: privatebin
- names:
- {{ configfile }}
- require:
- pkg: privatebin_packages
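Review bot: `conf.php` receives the database DSN, user and password from `secret_privatebin`, but `privatebin_permissions` (mode `0640`, group `privatebin`) only runs after `ini.options_present` has written the file, so whenever the file does not yet exist — the situation right after `privatebin_clean` wipes `/etc/PrivateBin` on a package change — the ini module presumably creates it under the minion's umask and the credentials sit world-readable until the permissions state runs. Ordering the permissions state first closes that window: give `privatebin_permissions` `- require_in: - ini: {{ configfile }}` and drop the `watch_in: - file: privatebin_permissions` on the ini state, since an empty 0640 file is a fine starting point for `options_present`. The `conf` macro's `startswith('$')` branch emits any pillar string beginning with `$` unquoted, presumably to keep the `${'secret_…'}` references intact; a one-line comment such as `{#- values starting with '$' are secret references and must stay unquoted #}` would save the next reader from guessing.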

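--- a/salt/role/privatebin.sls
+++ b/salt/role/privatebin.sls
@@ -0,0 +1,4 @@
+include:
+- role.web.apache-httpd
+- profile.privatebin
+- php.fpm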