Merge pull request 'cleanup interprotocol bridges' (#96) from cfg_matterbridge into production

Reviewed-on: #96
Reviewed-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

.gommit.toml

@@ -0,0 +1,23 @@
+[config]
+exclude-merge-commits=true
+check-summary-length=true
+summary-length=50
+
+[matchers]
+all='^(?:(?:Add|Remove|Update|Enable|Disable) |(?:role|profile|id|pipeline)\.[\w\-_]+: )[\w \.\+\-]+\n(?:(?:\n\- .*)+\n)?(?:\nSigned-off-by: \w+ \w+ <.*@.*>)'
+
+[examples]
+summary_variant_one="""
+[Add|Remove|Update|Enable|Disable] this and that
+"""
+
+summary_variant_two="""
+[role.$role|profile.$profile]: this and that
+"""
+
+body_message="""
+- an optional body line
+- another optional body line
+
+Signed-off-by: Max Mandatory <required@example.com>
+"""

.pipeline.yml

@@ -1,9 +1,32 @@
+---
+# yamllint disable rule:line-length
 skip_clone: true
 
 pipeline:
+  # commit_lint:
+  #   image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
+  #   secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
+  #   when:
+  #     event: [push]
+  #   commands:
+  #     - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
+  #     - cd ../salt-libertacasa-commit-linting
+  #     - bin/lint-commits.pl production
+
+  code_lint:
+    image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-lint:latest
+    secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
+    when:
+      event: [push]
+    commands:
+      - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-linting
+      - cd ../salt-libertacasa-linting
+      - find . -type f \( -name '*.yaml' -o -name '*.yml' \) -exec yamllint -f colored -s {} +
+      - find . -name '*.sls' -exec salt-lint --severity -x 204 {} +
+
   check:
     image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline:latest
-    secrets: [ ci_netrc_username, ci_netrc_password, ci_netrc_machine ]
+    secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
     when:
       event: [push]
     commands:
@@ -29,5 +52,5 @@ pipeline:
       event: [push]
       instance: woodpecker-orpheus.intranet.squirrelcube.com
     commands:
-      #- rolesyncer
+      # - rolesyncer
       - bin/rolesyncer.py

bin/lint-commits.pl

@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+use v5.26;
+
+my ($branch_main) = @ARGV;
+
+if(!$branch_main){
+        $branch_main = "master"
+}
+
+`git ls-remote origin $branch_main` =~ /([a-f0-9]{40})/;
+
+my $refHead = `git rev-parse HEAD`;
+my $refTail = $1;
+
+chomp($refHead);
+chomp($refTail);
+
+if ($refHead eq $refTail) {
+    exit 0;
+}
+
+system "gommit check range $refTail $refHead";
+
+if ($? > 0) {
+    exit 1;
+}

bin/nbroles_to_grains.sh

@@ -1,4 +1,14 @@
 #!/usr/bin/env sh
 # This rewrites top-files to fetch roles from grains instead of our custom roles API. Useful for testing outside of the LibertaCasa infrastructure, but not recommended for production.
 
-sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" */top.sls
+potential_files=(*/top.sls salt/common/suse.sls)
+
+for file in ${potential_files[@]}
+do
+	if [ -f "$file" ]
+	then
+		files+="$file "
+	fi
+done
+
+sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" ${files[@]}

pillar/cluster/denc/web-proxy.sls

@@ -0,0 +1,240 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+  config:
+    global_defs:
+      notification_email:
+        - system@lysergic.dev
+      notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+      smtp_server: {{ mailer }}
+      smtp_connect_timeout: 30
+      router_id: SSO_FO
+      enable_script_security: true
+    vrrp_script:
+      check_nginx_port:
+        script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+        weight: 5
+        interval: 3
+        timeout: 3
+      check_nginx_process:
+        {#- this is not a good check but better than nothing #}
+        script: '"/usr/bin/pgrep nginx"'
+        weight: 4
+        interval: 2
+        timeout: 10
+      check_useless_process:
+        {#- this is only used for debugging #}
+        script: '"/usr/bin/pgrep useless.sh"'
+        weight: 4
+        interval: 2
+        timeout: 3
+    vrrp_instance:
+      DENCWC:
+        state: MASTER
+        interface: eth1
+        priority: 100
+        virtual_router_id: 100
+        advert_int: 5
+        smtp_alert: true
+        notify_master: '"/usr/local/bin/failover --all"'
+        promote_secondaries: true
+        mcast_src_ip: 192.168.0.50
+        authentication:
+          auth_type: PASS
+          auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+        virtual_ipaddress:
+          - {{ ha4 }}/32 dev eth0 label failover
+        virtual_ipaddress_excluded:
+          - {{ ha6 }}/64 dev eth0
+          {%- for i in [1, 2, 3] %}
+          - {{ ha6 }}{{ i }}/64 dev eth0
+          {%- endfor %}
+        track_script:
+          {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+          - check_nginx_process
+        track_interface:
+          - eth0
+
+nginx:
+  snippets:
+    listen_ha:
+      - listen:
+        - {{ ha4 }}:443 ssl http2
+        - '[{{ ha6 }}]:443 ssl http2'
+    proxy:
+      - proxy_set_header:
+        - Host                $host
+        - X-Real-IP           $remote_addr
+        - X-Forwarded-For     $proxy_add_x_forwarded_for
+        - X-Forwarded-Host    $host
+        - X-Forwarded-Server  $host
+        - X-Forwarded-Port    $server_port
+        - X-Forwarded-Proto   $scheme
+      - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+    tls:
+      - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+    {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
+    {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+      - include: snippets/tls
+    tls_syscidsso:
+      - ssl_client_certificate:  {{ trustcrt }}
+      - ssl_certificate:         /etc/ssl/syscid/sso.syscid.com.crt
+      - ssl_certificate_key:     /etc/ssl/syscid/sso.syscid.com.key
+      - ssl_ocsp:                'on'
+      - ssl_ocsp_responder:      {{ stapler }}
+      - ssl_stapling_responder:  {{ stapler }}
+      - ssl_verify_client:       'on'
+      - resolver:                {{ resolver }} ipv6=off
+      - include:                 snippets/tls
+
+  servers:
+    managed:
+      jboss-cluster.conf:
+        available_dir: /etc/nginx/conf.d
+        config:
+        - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+        - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+        - upstream jboss:
+          - ip_hash: ''
+          - server:
+            - theia.backend.syscid.com:8443
+            - orpheus.backend.syscid.com:8443
+            - selene.backend.syscid.com:8443
+
+      bookstack.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_libertacasa
+            - server_name: libertacasa.info libcasa.info
+            - location /:
+              - proxy_pass: https://bookstack.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 20M
+            - modsecurity_rules: |-
+                '
+                SecRuleRemoveById 941160 949110
+                SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'"
+                '
+
+      http.conf:
+        config:
+          - server:
+            - listen:
+              - {{ ha4 }}:80 default_server
+              - '[{{ ha6 }}]:80 default_server'
+              - include: snippets/robots
+              - location /:
+                - return: 301 https://$host$request_uri
+
+      privatebin.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_lysergic
+            - server_name: pasta.lysergic.dev
+            - location /:
+              - proxy_pass: https://privatebin.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 50M
+            - modsecurity_rules: |-
+                '
+                SecRequestBodyNoFilesLimit 50000000
+                '
+
+      sso_private.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_syscidsso
+            - server_name: sso.syscid.com
+            - root: /srv/www/sso.syscid.com
+            - location = /: []
+            - location /index.html: []
+            - location /:
+              - proxy_pass: https://jboss
+              - proxy_cache: cache_sso_private
+              - include: snippets/proxy
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/sso_private.error.log
+            - access_log: /var/log/nginx/sso_private.access.log combined
+
+      sso_public.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_libsso
+            - server_name: sso.casa www.sso.casa
+            - location /:
+              - root: /srv/www/sso.casa
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_libsso
+            - server_name: libsso.net www.libsso.net
+            - location /:
+              - root: /srv/www/libsso.net
+            - location /auth: {#- compat, consider removing #}
+              - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+            {%- for path in ['realms', 'resources', 'js'] %}
+            - location /{{ path }}:
+              - proxy_pass: https://jboss/{{ path }}
+              - proxy_cache: cache_sso_public
+              {#- - proxy_ssl_verify: on #to-do: enable this #}
+              - include: snippets/proxy
+            {%- endfor %}
+            {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+            - location /{{ path }}:
+              - return: https://liberta.casa/
+            {%- endfor %}
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/libsso_public.error.log
+            - access_log: /var/log/nginx/libsso_public.access.log combined
+
+      agola.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen_ha
+              - snippets/tls_lysergic
+            - server_name: ci.lysergic.dev ci.git.com.de
+            - location /:
+              - proxy_pass: https://ci.lysergic.dev
+              - proxy_ssl_verify: 'on'
+              - include: snippets/proxy
+
+manage_firewall: True
+firewalld:
+  zones:
+    public:
+      services:
+        - http
+        - https
+
+profile:
+  apparmor:
+    local:
+      usr.sbin.nginx:
+        - '{{ trustcrt }} r,'
+        - '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'

pillar/formulas.yaml

@@ -1,8 +1,13 @@
+---
+- apache
 - firewalld
 - keepalived
+- memcached
 - nginx
 - openssh
+- php
 - postfix
+- prometheus
 - salt
 - tor
 - users

pillar/global/init.sls

@@ -15,6 +15,7 @@ zypper:
   refreshdb_force: False
 
 firewalld:
+  FlushAllOnReload: 'yes'
   zones:
     internal:
       short: Internal
@@ -26,6 +27,10 @@ firewalld:
     public:
       short: Public
       {{ firewall_interfaces(public) }}
+    {%- if backend | length %}
+    backend:
+      {{ firewall_interfaces(backend) }}
+    {%- endif %}
 {%- endif %}
 
 mine_functions:

pillar/id/dencpod01_lysergic_dev.sls

@@ -0,0 +1 @@
+manage_firewall: True

pillar/id/dericom02_rigel_lysergic_dev.sls

@@ -1,7 +1,7 @@
-{%- set mediapath = '/srv/matterbridge/' -%}
+{%- set mediapath = '/var/lib/matterbridge/' -%}
 
 {%- macro discord_common() -%}
-            AutoWebhooks: "true"
+            AutoWebhooks: 'true'
             EditSuffix: '(edited)'
             RemoteNickFormat: '[{PROTOCOL}]:{NICK} '
 {%- endmacro -%}
@@ -17,16 +17,16 @@ profile:
         accounts:
           irc.libertacasa:
             Server: irc.liberta.casa:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Nick: viaduct
             NickServNick: viaduct
             NickServPassword: ${'secret_matterbridge:general:accounts:irc.libertacasa:NickServPassword'}
-            ColorNicks: "true"
+            ColorNicks: 'true'
-            Charset: utf8 
+            Charset: utf8
-            MessageSplit: "true"
+            MessageSplit: 'true'
             MessageQueue: 60
-            UseRelayMsg: "true"
+            UseRelayMsg: 'true'
             RemoteNickFormat: '{NICK}/{LABEL}'
           xmpp.libertacasa:
             Server: xmpp.liberta.casa:5222
@@ -34,32 +34,33 @@ profile:
             Password: ${'secret_matterbridge:general:accounts:xmpp.libertacasa:Password'}
             Muc: muc.liberta.casa
             Nick: viaduct
-            RemoteNickFormat: '[{PROTOCOL}] <{NICK}>'
+            RemoteNickFormat: '[{PROTOCOL}] <{NICK}> '
             Label: x
-            Debug: "true"
+            Debug: 'false'
           telegram.libertacasa:
             Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'}
-            RemoteNickFormat: '&lt;{NICK}&gt; '
+            RemoteNickFormat: '[{PROTOCOL}] &lt;{NICK}&gt; '
             MessageFormat: HTMLNick
             Label: tg
-            DisableWebPagePreview: "true"
+            DisableWebPagePreview: 'true'
           sshchat.Psyched:
             Server: 192.168.0.110:2220
             Nick: LC
             RemoteNickFormat: '{PROTOCOL}:<{NICK}> '
-            Label: p
+            Label: ssh
           discord.23:
             Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
             Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
             {{ discord_common() }}
+          {#-
           discord.aithunder:
             Token: ${'secret_matterbridge:general:accounts:discord.aithunder:Token'}
             Server: ${'secret_matterbridge:general:accounts:discord.aithunder:Server'}
             {{ discord_common() }}
+          #}
         gateways:
           libcasa:
             irc.libertacasa: '#libcasa'
-            sshchat.Psyched: sshchat
             xmpp.libertacasa: libcasa
           dev:
             irc.libertacasa: '#dev'
@@ -67,28 +68,25 @@ profile:
           lucy:
             irc.libertacasa: '#lucy'
             xmpp.libertacasa: lucy
+            telegram.libertacasa: '-1001795702961'
+            sshchat.Psyched: sshchat
           info:
             irc.libertacasa: '#libcasa.info'
             xmpp.libertacasa: libcasa.info
-            #telegram.libertacasa: '-1001518274267'
           chat:
-            irc.libertacasa: '#chai'
+            irc.libertacasa: '#chat'
             discord.23: chat
             xmpp.libertacasa: chat
-          dota:
+          petals:
-            irc.libertacasa: '#dotes'
+            irc.libertacasa: '#Petals'
-            discord.23: dotes
+            telegram.libertacasa: '-1001971550949'
-            xmpp.libertacasa: dota
+
-          aithunder:
-            irc.libertacasa: '#aithunder'
-            discord.aithunder: main-chat
-            xmpp.libertacasa: aithunder
 
       libertacasa-irc:
         general:
           RemoteNickFormat: '{NOPINGNICK}/{LABEL}: '
-          IgnoreFailureOnStart: "true"
+          IgnoreFailureOnStart: 'true'
-          MessageSplit: "true"
+          MessageSplit: 'true'
           MediaDownloadSize: 1000000000
           MediaDownloadPath: {{ mediapath }}libertacasa-irc
           MediaServerDownload: https://irc.load.casa
@@ -98,44 +96,44 @@ profile:
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.libertacasa:NickServPassword'}
             Server: irc.liberta.casa:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: libcasa
             Charset: utf8
             IgnoreNicks: HistServ
-            UseRelayMsg: "true"
+            UseRelayMsg: 'true'
             RemoteNickFormat: '{NICK}/{LABEL}'
           irc.chillnet:
             Nick: IRCrelay
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.chillnet:NickServPassword'}
             Server: irc.chillnet.org:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: chillnet
             Charset: utf8
             IgnoreNicks: HistServ
-            UseRelayMsg: "true"
+            UseRelayMsg: 'true'
             RemoteNickFormat: '{NICK}/{LABEL}'
           irc.ergo:
             Nick: LCIRCrelay
             NickServNick: LCIRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.ergo:NickServPassword'}
             Server: irc.ergo.chat:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: ergochat
             Charset: utf8
             IgnoreNicks: HistServ
-            UseRelayMsg: "true"
+            UseRelayMsg: 'true'
             RemoteNickFormat: '{NICK}/{LABEL}'
           irc.2600:
             Nick: IRCrelay
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.2600:NickServPassword'}
             Server: irc.2600.net:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            SkipTLSVerify: "true"
+            SkipTLSVerify: 'true'
             Label: 2600net
             Charset: utf8
           irc.dosers:
@@ -143,8 +141,8 @@ profile:
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.dosers:NickServPassword'}
             Server: irc.dosers.net:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: dosers
             Charset: utf8
           irc.rizon:
@@ -152,8 +150,8 @@ profile:
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.rizon:NickServPassword'}
             Server: irc.rizon.net:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: rizon
             Charset: utf8
           irc.nerds:
@@ -161,15 +159,15 @@ profile:
             NickServNick: LCRelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.nerds:NickServPassword'}
             Server: irc6.irc-nerds.net:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: nerds
             Charset: utf8
           irc.oftc:
             Nick: IRCrelay
             NickServNick: IRCrelay
             Server: irc.oftc.net:6697
-            UseTLS: "true"
+            UseTLS: 'true'
             Label: oftc
             Charset: utf8
           irc.libera:
@@ -177,14 +175,14 @@ profile:
             NickServNick: IRCrelay
             NickServPassword: ${'secret_matterbridge:irc:accounts:irc.libera:NickServPassword'}
             Server: irc.eu.libera.chat:6697
-            UseTLS: "true"
+            UseTLS: 'true'
-            UseSASL: "true"
+            UseSASL: 'true'
             Label: libera
             Charset: utf8
           irc.stardust:
             Nick: IRCrelay
             Server: irc.stardust.cx:6697
-            UseTLS: "true"
+            UseTLS: 'true'
             Charset: utf8
             Label: stardust
             # ugly but requested
@@ -213,20 +211,65 @@ profile:
           nerds:
             irc.libertacasa: '#nerds'
             irc.nerds: '#nerds'
-          chillops:
-            irc.libertacasa: '#chillops'
-            irc.chillnet: '#chillops'
-            irc.stardust: '#chillnet-test'
           music:
             irc.libertacasa: '#music'
             irc.chillnet: '#music'
             irc.stardust: '#music'
+      chillnet:
+        general:
+          MediaDownloadSize: 1000000000
+          MediaDownloadPath: {{ mediapath }}chillnet
+          MediaServerDownload: https://up.chillnet.org
+        accounts:
+          irc.chillnet:
+            Server: irc.chillnet.org:6697
+            UseTLS: 'true'
+            UseSASL: 'true'
+            Nick: viaduct
+            NickServNick: viaduct
+            NickServPassword: ${'secret_matterbridge:chillnet:accounts:irc.chillnet:NickServPassword'}
+            ColorNicks: 'true'
+            Charset: utf8
+            MessageSplit: 'true'
+            MessageQueue: 60
+            UseRelayMsg: 'true'
+            RemoteNickFormat: '{NICK}/{LABEL}'
+          telegram.chillnet:
+            Token: ${'secret_matterbridge:chillnet:accounts:telegram.chillnet:Token'}
+            RemoteNickFormat: '&lt;{NICK}&gt; '
+            MessageFormat: HTMLNick
+            Label: tg
+            DisableWebPagePreview: 'true'
+          discord.23:
+            Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
+            Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
+            {{ discord_common() }}
+        gateways:
+          staff:
+            irc.chillnet: '#chillstaff'
+            telegram.chillnet: '-1001932699309'
+          devs:
+            irc.chillnet: '#chilldevs'
+            telegram.chillnet: '-1001778806358'
+            discord.23: chilldevs
 
   lighttpd:
     vhosts:
       matterbridge-general:
-        host: 'libertacasa-general\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
+        host: 'libertacasa-general.matterbridge.dericom02.rigel.lysergic.dev'
         root: {{ mediapath }}libertacasa-general
       matterbridge-irc:
-        host: 'libertacasa-irc\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
+        host: 'libertacasa-irc.matterbridge.dericom02.rigel.lysergic.dev'
         root: {{ mediapath }}libertacasa-irc
+      matterbridge-chillnet:
+        host: 'chillnet.matterbridge.dericom02.rigel.lysergic.dev'
+        root: {{ mediapath }}chillnet
+
+manage_firewall: True
+firewalld:
+  zones:
+    web:
+      services:
+        - http
+      sources:
+        - '2a01:4f8:11e:2200::dead/128'

pillar/id/derigsm01_rigel_lysergic_dev.sls

@@ -0,0 +1 @@
+manage_firewall: True

pillar/id/derimisc01_rigel_lysergic_dev.sls

@@ -12,3 +12,5 @@ tor:
       hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion
       hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw==
       hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'}
+
+manage_firewall: True

pillar/id/deriweb01_rigel_lysergic_dev.sls

@@ -44,15 +44,15 @@
                 - proxy_set_header: Host $http_host
                 - resolver: '{{ resolver }} ipv4=off valid=24h'
 {%- endmacro -%}
-{%- macro matterbridge_media(name) -%}
+{%- macro matterbridge_media(domain, name, tls='load') -%}
           - server:
             - include:
               - snippets/listen
-              - snippets/tls_load
+              - snippets/tls_{{ tls }}
               - snippets/tls
-            - server_name: {% if name == 'general' %}load.casa{%- else %}{{ name ~ '.load.casa' }}{%- endif %}
+            - server_name: {{ domain }}
             - location /:
-                - proxy_pass: http://libertacasa-{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
+                - proxy_pass: http://{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
 {%- endmacro -%}
 
 nginx:
@@ -71,6 +71,7 @@ nginx:
     {{ nginx_crtkeypair('meet', 'meet.com.de') | indent }}
     {{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }}
     {{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }}
+    {{ nginx_crtkeypair('up.chillnet.org', 'up.chillnet.org') | indent }}
 
     {#- locations shared between clearnet and Tor LibertaCasa servers #}
     libertacasa:
@@ -316,8 +317,9 @@ nginx:
 
       matterbridge.conf:
         config:
-          {{  matterbridge_media('general') }}
+          {{ matterbridge_media('load.casa', 'libertacasa-general') }}
-          {{  matterbridge_media('irc') }}
+          {{ matterbridge_media('irc.load.casa', 'libertacasa-irc') }}
+          {{ matterbridge_media('up.chillnet.org', 'chillnet', 'up.chillnet.org') }}
 
       meet.conf:
         config:
@@ -412,7 +414,7 @@ nginx:
             - location /:
                 - proxy_pass: http://media.takahe.rigel.lysergic.dev:8001
                 {{ takaheresolver }}
-          {#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #} 
+          {#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #}
           - server:
             {{ takahe_includes() }}
             - server_name: despair.life
@@ -436,8 +438,9 @@ nginx:
               - snippets/error
             - server_name: exhausted.life
             {{ takahe_gohome() }}
-            - location /.well-known/: 
+            - location /.well-known/:
                 - proxy_pass: {{ backend.takahe }}
                 - sub_filter_types: application/xml
                 - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life
 
+manage_firewall: True

pillar/id/derutil01_rigel_lysergic_dev.sls

@@ -0,0 +1 @@
+manage_firewall: True

pillar/id/hubris_lysergic_dev.sls

@@ -0,0 +1,2 @@
+include:
+  - cluster.denc.web-proxy

pillar/id/moni_lysergic_dev.sls

@@ -0,0 +1,123 @@
+prometheus:
+  pkg:
+    component:
+      prometheus:
+        config:
+          alerting:
+            alertmanagers:
+              - static_configs:
+                - targets:
+                  - localhost:9093
+
+          rule_files:
+            - /etc/prometheus/alerts/lysergic/*.yml
+
+          scrape_configs:
+            - job_name: 'prometheus'
+              static_configs:
+              - targets: ['localhost:9090']
+
+            - job_name: 'node_exporters_lysergic'
+              scrape_timeout: 1m
+              scrape_interval: 5m
+              file_sd_configs:
+              - files:
+                - '/etc/prometheus/targets/node-lysergic.json'
+
+            - job_name: 'blackbox-2xx'
+              metrics_path: /probe
+              params:
+                module: [http_2xx]
+              file_sd_configs:
+              - files: ['/etc/prometheus/targets/blackbox-2xx*.json']
+              relabel_configs:
+              - source_labels: [__address__]
+                target_label: __param_target
+              - source_labels: [__param_target]
+                target_label: instance
+              - target_label: __address__
+                replacement: 127.0.0.1:9115
+
+            - job_name: 'blackbox-3xx'
+              metrics_path: /probe
+              params:
+                module: [http_3xx]
+              file_sd_configs:
+              - files: ['/etc/prometheus/targets/blackbox-3xx*.json']
+              relabel_configs:
+              - source_labels: [__address__]
+                target_label: __param_target
+              - source_labels: [__param_target]
+                target_label: instance
+              - target_label: __address__
+                replacement: 127.0.0.1:9115
+
+            - job_name: 'certificate_exporter'
+              static_configs:
+              - targets: ['therapon.rigel.lysergic.dev:9793']
+
+      alertmanager:
+        config:
+          route:
+            group_by: ['alertname']
+            group_wait: 10s
+            group_interval: 10s
+            repeat_interval: 1h
+            receiver: 'smtp-local'
+            routes:
+            - receiver: 'lysergic'
+          #    continue: false
+              match:
+               project: LYSERGIC
+            - receiver: 'chillnet'
+              match:
+               project: CHILLNET
+
+          receivers:
+          - name: 'smtp-local'
+            email_configs:
+            - to: 'system@lysergic.dev'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+          # !!! TO-DO
+              smarthost: 'zz0.email:465'
+              send_resolved: yes
+
+          - name: 'irc-libertacasa'
+            webhook_configs:
+            - url: 'http://127.0.0.1:2410/universe'
+              send_resolved: yes
+
+          - name: 'lysergic'
+            webhook_configs:
+            - url: 'http://127.0.0.1:2410/universe'
+              send_resolved: yes
+            - url: http://127.0.0.2:8081/prometheus/webhook
+              send_resolved: yes
+            email_configs:
+            - to: 'system@lysergic.dev'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+              smarthost: 'zz0.email:465'
+              send_resolved: yes
+
+          - name: 'chillnet'
+            email_configs:
+            - to: 'team@chillnet.org'
+              from: 'alertmanager@moni.lysergic.dev'
+              require_tls: false
+              smarthost: 'zz0.email:465'
+              send_resolved: yes
+
+manage_firewall: True
+firewalld:
+  zones:
+    internal:
+      services:
+        - https
+      ports:
+        - comment: DNS Slave
+          port: 5353
+          protocol: tcp
+        - port: 5353
+          protocol: udp

pillar/id/nemesis_lysergic_dev.sls

@@ -0,0 +1,2 @@
+include:
+  - cluster.denc.web-proxy

pillar/id/orpheus_psyched_dev.sls

@@ -0,0 +1 @@
+manage_sshd: False

pillar/id/philia_rigel_lysergic_dev.sls

@@ -0,0 +1 @@
+manage_sshd: False

pillar/id/phoebe_lysergic_dev.sls

@@ -0,0 +1 @@
+manage_firewall: True

pillar/id/selene_psyched_dev.sls

@@ -0,0 +1 @@
+manage_sshd: False

pillar/id/theia_psyched_dev.sls

@@ -0,0 +1 @@
+manage_sshd: False

pillar/id/themis_lysergic_dev.sls

@@ -0,0 +1,150 @@
+{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
+
+{%- macro httpdformulaexcess() -%}
+      LogLevel: False
+      ErrorLog: False
+      LogFormat: False
+      CustomLog: False
+      ServerAdmin: False
+      ServerAlias: False
+{%- endmacro -%}
+{%- macro httpdcommon(app) -%}
+        Include {{ common['snippetsdir'] }}ssl_themis.conf
+        <FilesMatch '\.php$'>
+          SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
+        </FilesMatch>
+{%- endmacro -%}
+
+apache:
+  sites:
+    BookStack:
+      interface: '{{ common['address'] }}'
+      port: {{ common['port'] }}
+      ServerName: bookstack{{ common['domain'] }}
+      DocumentRoot: /srv/www/BookStack/
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/BookStack/:
+          Options: FollowSymLinks
+          AllowOverride: None
+          Require: all granted
+          Formula_Append: |
+            RewriteEngine On
+            RewriteCond %{HTTP:Authorization} .
+            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+            RewriteCond %{REQUEST_FILENAME} !-d
+            RewriteCond %{REQUEST_URI} (.+)/$
+            RewriteRule ^ %1 [L,R=301]
+            RewriteCond %{REQUEST_FILENAME} !-d
+            RewriteCond %{REQUEST_FILENAME} !-f
+            RewriteRule ^ index.php [L]
+      {{ httpdformulaexcess() }}
+      Formula_Append: |
+        {{ httpdcommon('BookStack') }}
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+        SetOutputFilter DEFLATE
+
+    PrivateBin:
+      interface: '{{ common['address'] }}'
+      port: {{ common['port'] }}
+      ServerName: privatebin{{ common['domain'] }}
+      DocumentRoot: /srv/www/PrivateBin/public
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/PrivateBin/:
+          Options: false
+          AllowOverride: None
+          Require: all granted
+      {{ httpdformulaexcess() }}
+      Formula_Append: |
+        {{ httpdcommon('PrivateBin') }}
+
+profile:
+  bookstack:
+    app_url: https://libertacasa.info
+    db_host: ${'secret_bookstack:db_host'}
+    db_database: ${'secret_bookstack:db_database'}
+    db_username: ${'secret_bookstack:db_username'}
+    db_password: ${'secret_bookstack:db_password'}
+    mail_driver: smtp
+    mail_from_name: LibertaCasa Documentation
+    mail_from: mail@libertacasa.info
+    mail_host: zz0.email
+    mail_port: 465
+    mail_username: mail@libertacasa.info
+    mail_password: ${'secret_bookstack:mail_password'}
+    mail_encryption: ssl
+    app_theme: lysergic
+    cache_driver: memcached
+    session_driver: memcached
+    memcached_servers: /run/memcached/memcached.sock
+    session_secure_cookie: true
+    session_cookie_name: libertacasa_megayummycookie
+    app_debug: false
+    session_lifetime: 240
+    auth_method: saml2
+    auth_auto_initiate: true
+    saml2_name: LibertaCasa SSO
+    saml2_email_attribute: email
+    saml2_external_id_attribute: uid
+    saml2_display_name_attributes: fullname
+    saml2_idp_entityid: https://libsso.net/realms/LibertaCasa
+    saml2_idp_sso: https://libsso.net/realms/LibertaCasa/protocol/saml
+    saml2_idp_slo: https://libsso.net/realms/LibertaCasa/protocol/saml
+    saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
+    saml2_autoload_metadata: false
+    saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
+    saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}
+    saml2_user_to_groups: true
+    saml2_group_attribute: groups
+    saml2_remove_from_groups: true
+    queue_connection: database
+
+  privatebin:
+    main:
+      name: Bin
+      fileupload: true
+      syntaxhighlightingtheme: sons-of-obsidian
+      sizelimit: 310485760
+      notice: 'Note: Kittens will die if you abuse this service.'
+      languageselection: true
+      urlshortener: ${'secret_privatebin:main:urlshortener'}
+      qrcode: true
+    expire:
+      default: 1week
+    expire_options:
+      5min: 300
+      10min: 600
+      1hour: 3600
+      1day: 86400
+      1week: 604800
+      1month: 2592000
+      1year: 31536000
+      never: 0
+    formatter_options:
+      plaintext: Plain Text
+      syntaxhighlighting: Source Code
+      markdown: Markdown
+    traffic:
+      limit: 10
+      header: X_FORWARDED_FOR
+      dir: /var/lib/PrivateBin/limits
+    purge:
+      limit: 300
+      batchsize: 10
+      dir: /var/lib/PrivateBin/limits
+    model:
+      class: Database
+    model_options:
+      dsn: ${'secret_privatebin:model_options:dsn'}
+      tbl: privatebin_
+      usr: ${'secret_privatebin:model_options:usr'}
+      pwd: ${'secret_privatebin:model_options:pwd'}
+      opt[12]: true
+
+manage_firewall: True
+firewalld:
+  zones:
+    backend:
+      services:
+        - https

pillar/id/thetrip_lysergic_dev.sls

@@ -0,0 +1,7 @@
+manage_firewall: True
+firewalld:
+  zones:
+    public:
+      services:
+        - http
+        - https

pillar/role/bookstack.sls

@@ -0,0 +1 @@
+# empty

pillar/role/ha-netcup.sls

@@ -0,0 +1,2 @@
+include:
+  - role.ha-node

pillar/role/ha-node.sls

@@ -0,0 +1,8 @@
+firewalld:
+  zones:
+    internal:
+      protocols:
+        - vrrp
+    backend:
+      protocols:
+        - udp

pillar/role/memcached.sls

@@ -0,0 +1,2 @@
+memcached:
+  listen_address: /run/memcached/memcached.sock

pillar/role/monitoring/prometheus-alertmanager.sls

@@ -0,0 +1,11 @@
+prometheus:
+  wanted:
+    component:
+      - alertmanager
+  pkg:
+    component:
+      alertmanager:
+        config:
+          global:
+            resolve_timeout: 5m
+

pillar/role/monitoring/prometheus-exporter-blackbox.sls

@@ -0,0 +1,50 @@
+prometheus:
+  wanted:
+    component:
+      - blackbox_exporter
+  pkg:
+    component:
+      blackbox_exporter:
+        config:
+          modules:
+            http_2xx:
+              prober: http
+              timeout: 15s
+            http_post_2xx:
+              prober: http
+              http:
+                method: POST
+            http_3xx:
+              prober: http
+              timeout: 5s
+              http:
+                method: HEAD
+                no_follow_redirects: true
+                valid_status_codes: [301, 302]
+            tcp_connect:
+              prober: tcp
+            ssh_banner:
+              prober: tcp
+              tcp:
+                query_response:
+                - expect: "^SSH-2.0-"
+            irc_banner:
+              prober: tcp
+              tcp:
+                query_response:
+                - send: "NICK prober"
+                - send: "USER prober prober prober :prober"
+                - expect: "PING :([^ ]+)"
+                  send: "PONG ${1}"
+                - expect: "^:[^ ]+ 001"
+            icmp:
+              prober: icmp
+
+firewalld:
+  zones:
+    internal:
+      ports:
+        - comment: 'Prometheus Blackbox Exporter'
+          port: 9115
+          protocol: tcp
+

pillar/role/monitoring/prometheus.sls

@@ -0,0 +1,17 @@
+prometheus:
+  wanted:
+    component:
+      - prometheus
+  pkg:
+    component:
+      prometheus:
+        config:
+          global:
+            scrape_interval: 15s
+            evaluation_interval: 1m
+
+firewalld:
+  zones:
+    internal:
+      services:
+        - prometheus

pillar/role/php-fpm.sls

@@ -0,0 +1 @@
+# empty

pillar/role/privatebin.sls

@@ -0,0 +1 @@
+# empty

pillar/role/salt/master.sls

@@ -21,7 +21,7 @@ salt:
       - roots
       - git
     file_roots:
-      production:
+      __env__:
         {%- for formula in formulas %}
         - /srv/formulas/{{ formula }}-formula
         {%- endfor %}
@@ -30,6 +30,7 @@ salt:
       - https://git.com.de/LibertaCasa/salt.git:
         - user: ${'secret_salt:master:gitfs_remotes:LibertaCasa:user'}
         - password: ${'secret_salt:master:gitfs_remotes:LibertaCasa:password'}
+        - fallback: production
     ext_pillar:
       - netbox:
           api_url: ${'secret_salt:master:ext_pillar:netbox:api_url'}
@@ -59,6 +60,7 @@ salt:
     timeout: 20
     gather_job_timeout: 20
     keep_jobs: 30
+    ping_on_rotate: True
     user: ${'secret_salt:master:user'}
     syndic_user: ${'secret_salt:master:syndic_user'}
     cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'}

pillar/role/salt/minion.sls

@@ -3,4 +3,7 @@ salt:
   minion_remove_config: True
   minion:
     master_type: str
+    backup_mode: minion
+    cache_jobs: True
+    enable_gpu_grains: False
   saltenv: production

pillar/role/web/apache-httpd.sls

@@ -0,0 +1,13 @@
+{%- set host = grains['host'] -%}
+{%- set fqdn = grains['fqdn'] -%}
+
+apache:
+  global:
+    ServerAdmin: system@lysergic.dev
+
+profile:
+  apache-httpd:
+   snippets:
+    ssl_{{ host }}:
+      - 'SSLCertificateFile    "/etc/ssl/{{ host }}/{{ fqdn }}.crt"'
+      - 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"'

salt/common/openbsd.sls

@@ -0,0 +1 @@
+# Nothing yet

salt/common/ssh.sls

@@ -1,5 +1,6 @@
 include:
   - openssh.banner
+{%- if salt['pillar.get']('manage_sshd', True) %}
   - openssh.config
 
 /etc/ssh/user_ca:
@@ -10,3 +11,4 @@ include:
       {%- endfor -%}
     - require:
       - pkg: openssh
+{%- endif %}

salt/common/suse.sls

@@ -1,9 +1,16 @@
 include:
+  {#- drop pillar check after all firewall configurations have been imported #}
+  {%- if salt['pillar.get']('manage_firewall', False) %}
   - firewalld
+  {%- endif %}
   - profile.seccheck
   - profile.zypp
-  - profile.node_exporter
+  - profile.prometheus.node_exporter
+  {%- if salt['cmd.run']("awk '/^passwd/{ print $2; exit }' /etc/nsswitch.conf") == 'sss' %}
+  {%- do salt.log.warning('Not configuring local users due to sss') %}
+  {%- else %}
   - users
+  {%- endif %}
   - .ssh
   - postfix.config
 
@@ -41,8 +48,28 @@ ca-certificates-syscid:
     - require:
       - pkgrepo: libertacasa_rpm_repository
 
-common_packages:
+common_packages_install:
   pkg.installed:
     - names:
       - fish
       - system-group-wheel
+{%- if grains['virtual'] == 'kvm' %}
+      - qemu-guest-agent
+
+qemu-guest-agent:
+  service.running:
+    - enable: True
+    - require:
+      - pkg: qemu-guest-agent
+{%- endif %}
+
+common_packages_remove:
+  pkg.removed:
+    - pkgs:
+      {#- we only use AutoYaST for the OS deployment #}
+      - autoyast2
+      - autoyast2-installation
+      - yast2-add-on
+      - yast2-services-manager
+      - yast2-slp
+      - yast2-trans-stats

salt/profile/apache-httpd/init.sls

@@ -0,0 +1,28 @@
+{%- set snippetsdir = '/etc/apache2/snippets.d' -%}
+{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%}
+
+{{ snippetsdir }}:
+  file.directory:
+    - makedirs: True
+
+{%- if 'snippets' in mypillar %}
+{%- for snippet, config in mypillar['snippets'].items() %}
+{{ snippetsdir }}/{{ snippet }}.conf:
+  file.managed:
+    - contents:
+      {%- for line in config %}
+      - {{ line }}
+      {%- endfor %}
+    - require:
+      - file: {{ snippetsdir }}
+    {#- formula dependencies #}
+    - watch_in:
+      - service: apache-service-running
+{%- endfor %}
+{%- endif %}
+
+include:
+  - apache.config
+
+
+

salt/profile/apparmor/local.sls

@@ -0,0 +1,22 @@
+{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
+
+{%- if 'local' in aapillar %}
+{%- for profile, lines in aapillar['local'].items() %}
+/etc/apparmor.d/local/{{ profile }}:
+  file.managed:
+    - contents: {{ lines }}
+    - watch_in:
+      - module: apparmor_reload
+{%- endfor %}
+
+{%- if aapillar['local'] | length %}
+apparmor_reload:
+  module.run:
+    - name: service.reload
+    - m_name: apparmor
+    - onchanges:
+      {%- for profile in aapillar['local'] %}
+      - file: /etc/apparmor.d/local/{{ profile }}
+      {%- endfor %}
+{%- endif %}
+{%- endif %}

salt/profile/bookstack/init.sls

@@ -0,0 +1,74 @@
+{%- set mypillar = salt['pillar.get']('profile:bookstack', {}) -%}
+{%- set configfile = '/etc/sysconfig/BookStack' -%}
+
+bookstack_packages:
+  pkg.installed:
+    - names:
+      - BookStack-config-php-fpm-apache
+
+bookstack_permissions:
+  file.managed:
+    - mode: '0640'
+    - user: root
+    - group: www
+    - names:
+      - {{ configfile }}
+
+{%- if mypillar | length %}
+{{ configfile }}:
+  file.keyvalue:
+    - separator: '='
+    - show_changes: False
+    - require:
+      - pkg: bookstack_packages
+    - key_values:
+        {%- macro condconf(option) %}
+        {%- if option in mypillar -%}
+        {%- if ( mypillar[option] is string and mypillar[option].startswith('$') ) or mypillar[option] is number %}
+        {%- set value = mypillar[option] %}
+        {%- else %}
+        {%- set value = "\"'" ~ mypillar[option] ~ "'\"" %}
+        {%- endif %}
+        {{ option | upper }}: {{ value }}
+        {%- endif -%}
+        {%- endmacro %}
+        {{ condconf('app_url') }}
+        {{ condconf('db_host') }}
+        {{ condconf('db_database') }}
+        {{ condconf('db_username') }}
+        {{ condconf('db_password') }}
+        {{ condconf('mail_driver') }}
+        {{ condconf('mail_from_name') }}
+        {{ condconf('mail_from') }}
+        {{ condconf('mail_host') }}
+        {{ condconf('mail_port') }}
+        {{ condconf('mail_username') }}
+        {{ condconf('mail_password') }}
+        {{ condconf('mail_encryption') }}
+        {{ condconf('app_theme') }}
+        {{ condconf('cache_driver') }}
+        {{ condconf('session_driver') }}
+        {{ condconf('memcached_servers') }}
+        {{ condconf('session_secure_cookie') }}
+        {{ condconf('session_cookie_name') }}
+        {{ condconf('app_debug') }}
+        {{ condconf('session_lifetime') }}
+        {{ condconf('auth_method') }}
+        {{ condconf('auth_auto_initiate') }}
+        {{ condconf('saml2_name') }}
+        {{ condconf('saml2_email_attribute') }}
+        {{ condconf('saml2_external_id_attribute') }}
+        {{ condconf('saml2_display_name_attributes') }}
+        {{ condconf('saml2_idp_entityid') }}
+        {{ condconf('saml2_idp_sso') }}
+        {{ condconf('saml2_idp_slo') }}
+        {{ condconf('saml2_idp_x509') }}
+        {{ condconf('saml2_autoload_metadata') }}
+        {{ condconf('saml2_sp_x509') }}
+        {{ condconf('saml2_user_to_groups') }}
+        {{ condconf('saml2_group_attribute') }}
+        {{ condconf('saml2_remove_from_groups') }}
+        {{ condconf('saml2_dump_user_details') }}
+        {{ condconf('queue_connection') }}
+        {{ condconf('app_views_books') }}
+{%- endif %}

salt/profile/keepalived_script_user/init.sls

@@ -0,0 +1,7 @@
+keepalived_script_user:
+  user.present:
+    - name: keepalived_script
+    - createhome: False
+    - home: /var/lib/keepalived
+    - shell: /usr/sbin/nologin
+    - system: True

salt/profile/lighttpd/init.sls

@@ -25,6 +25,8 @@ lighttpd_files:
     - group: lighttpd
     - mode: '0640'
     - template: jinja
+    - watch_in:
+      - service: lighttpd_service
     - names:
       - /etc/lighttpd/lighttpd.conf:
         - source: salt:///{{ slspath }}/files/etc/lighttpd/lighttpd.conf.j2
@@ -40,3 +42,6 @@ lighttpd_service:
   service.running:
     - name: lighttpd.service
     - enable: True
+    - reload: True
+    - require:
+      - pkg: lighttpd_packages

salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2

@@ -14,7 +14,7 @@
 {%- for account, config in accounts.items() %}
 [{{ account }}]
 {%- for option, value in config.items() %}
-{%- if value is string %}
+{%- if value is string or value is number %}
 {%- set value = '"' ~ value ~ '"' %}
 {%- endif %}
 {{ option }}={{ value }}

salt/profile/matterbridge/init.sls

@@ -34,6 +34,8 @@ matterbridge_files:
             general: {{ instances[instance]['general'] | default({}) }}
             accounts: {{ instances[instance]['accounts'] }}
             gateways: {{ instances[instance]['gateways'] }}
+        - watch_in:
+          - service: matterbridge_{{ instance }}_service
 {%- endfor %}
 
 {%- for instance in instances %}
@@ -44,7 +46,7 @@ matterbridge_{{ instance }}_mediadir:
     - user: matterbridge
     {#- to-do: implement some shared group #}
     - group: lighttpd
-    - mode: 750
+    - mode: '0750'
     - makedirs: True
 {%- endif %}
 
@@ -52,6 +54,8 @@ matterbridge_{{ instance }}_service:
   service.running:
     - name: matterbridge@{{ instance }}.service
     - enable: True
+    - watch:
+      - file: /etc/matterbridge/{{ instance }}.toml
 {%- endfor %}
 {%- endif %}
 

salt/profile/netcup_failover/README.md

@@ -0,0 +1,14 @@
+This profile installs a script switching failover IP addresses between Netcup hosted VM's.
+
+Required pillar:
+
+```
+profile:
+  netcup_failover:
+    scp_user: 12345
+    scp_pass: xxxx
+    scp_server: v9876
+    mac_address: ff:ff:ff:ff:ff
+    ip4_address: xx.xx.xx.xx/32
+    ip6_address: 'foo:bar::/64'
+```

salt/profile/netcup_failover/files/failover.sh.j2

@@ -0,0 +1,109 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set mypillar = salt['pillar.get']('profile:netcup_failover') -%}
+#!/bin/sh
+# Floating IP switching script utilizing the Netcup API
+
+{{ header }}
+
+SCP_USER='{{ mypillar['scp_user'] }}'
+SCP_PASS='{{ mypillar['scp_pass'] }}'
+SCP_SERVER='{{ mypillar['scp_server'] }}'
+MAC='{{ mypillar['mac_address'] }}'
+IP_v4='{{ mypillar['ip4_address'] }}'
+IP_v6='{{ mypillar['ip6_address'] }}'
+
+URL="https://www.servercontrolpanel.de/WSEndUser?xsd=1" ### ?xsd=1 ?wsdl
+
+usage () {
+        echo "$0 [--ipv4 | --ipv6 | --all] [--debug]"
+        exit 2
+}
+
+init () {
+        construct "$1"
+        run
+        parse
+}
+
+construct () {
+        if [ "$1" = "ip4" ];
+        then
+                local IP="$IP_v4"
+        fi
+        if [ "$1" = "ip6" ];
+        then
+                local IP="$IP_v6"
+        fi
+        local CIDR="${IP#*/}"
+        local IP="`echo $IP | sed "s?/$CIDR??"`"
+        if [ "$DEBUG" = "true" ];
+        then
+                echo "[DEBUG] Initiating: $1"
+                echo "[DEBUG] IP Address: $IP"
+                echo "[DEBUG] CIDR Mask: $CIDR"
+        fi
+        XML_BODY="<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:ns1='http://enduser.service.web.vcp.netcup.de/'><SOAP-ENV:Body><ns1:changeIPRouting><loginName>$SCP_USER</loginName><password>$SCP_PASS</password><routedIP>$IP</routedIP><routedMask>$CIDR</routedMask><destinationVserverName>$SCP_SERVER</destinationVserverName><destinationInterfaceMAC>$MAC</destinationInterfaceMAC></ns1:changeIPRouting></SOAP-ENV:Body></SOAP-ENV:Envelope>"
+        if [ "$DEBUG" = "true" ];
+        then
+                echo "[DEBUG] Payload: $XML_BODY"
+        fi
+}
+
+request () {
+        curl -s -H 'Content-Type: text/xml' -H 'SOAPAction:' -d "$XML_BODY" -X POST "$URL"
+}
+
+run () {
+        RESPONSE=`request`
+        if [ "$DEBUG" = "true" ];
+        then
+                echo "[DEBUG] Response: $RESPONSE"
+        fi
+
+}
+
+parse () {
+        local IFS='&'
+        local check_invalid="validation error&IP already assigned&true"
+        for check in $check_invalid;
+        do
+                if [ "$DEBUG" = "true" ];
+                then
+                        echo "[DEBUG] Parsing: $check"
+                fi
+                if [ "${RESPONSE#*$check}" = "$RESPONSE" ];
+                then
+                        result="Not found"
+                fi
+                if [ "${RESPONSE#*$check}" != "$RESPONSE" ];
+                then
+                        result="Found"
+                fi
+                echo "Check for \"$check\": $result"
+        done
+}
+
+MODE="$1"
+
+if [ "$2" = "--debug" ];
+then
+        DEBUG="true"
+        echo "[DEBUG] Script invoked at `date`"
+fi
+
+case "$MODE" in
+        "--ipv4" )
+                init ip4
+                ;;
+        "--ipv6" )
+                init ip6
+                ;;
+        "--all" )
+                init ip6
+                init ip4
+                ;;
+        * )
+                usage
+                ;;
+esac
+

salt/profile/netcup_failover/init.sls

@@ -0,0 +1,10 @@
+include:
+  - profile.keepalived_script_user
+
+/usr/local/bin/failover:
+  file.managed:
+    - user: keepalived_script
+    - group: wheel
+    - mode: '0750'
+    - template: jinja
+    - source: salt://{{ slspath }}/files/failover.sh.j2

salt/profile/privatebin/init.sls

@@ -0,0 +1,55 @@
+{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
+{%- set confdir = '/etc/PrivateBin' -%}
+{%- set configfile = confdir ~ '/conf.php' -%}
+
+privatebin_packages:
+  pkg.installed:
+    - names:
+      - PrivateBin-config-httpd
+
+privatebin_clean:
+  file.directory:
+    - name: {{ confdir }}
+    - clean: True
+    - onchanges:
+      - pkg: privatebin_packages
+    - require:
+      - pkg: privatebin_packages
+
+{%- if mypillar | length %}
+{{ configfile }}:
+  ini.options_present:
+    - separator: '='
+    - strict: True
+    - sections:
+        {%- macro conf(section, options) %}
+        {%- for option in options.keys() -%}
+        {%- if ( mypillar[section][option] is string and mypillar[section][option].startswith('$') ) or mypillar[section][option] is number %}
+        {%- set value = mypillar[section][option] -%}
+        {%- else %}
+        {%- set value = "\"'" ~ mypillar[section][option] ~ "'\"" -%}
+        {%- endif %}
+          {{ option }}: {{ value }}
+        {%- endfor -%}
+        {%- endmacro %}
+        {%- for section, options in mypillar.items() %}
+        {{ section }}:
+          {{ conf(section, options) }}
+        {%- endfor %}
+    - require:
+      - pkg: privatebin_packages
+    - watch:
+      - file: privatebin_clean
+    - watch_in:
+      - file: privatebin_permissions
+{%- endif %}
+
+privatebin_permissions:
+  file.managed:
+    - mode: '0640'
+    - user: wwwrun
+    - group: privatebin
+    - names:
+      - {{ configfile }}
+    - require:
+      - pkg: privatebin_packages

salt/profile/prometheus/targets.sls

@@ -0,0 +1,18 @@
+{%- set mypillar = salt['pillar.get']('profile:prometheus:targets') %}
+{%- set targetsdir = '/etc/prometheus/targets' %}
+
+{%- if mypillar | length %}
+{{ targetsdir }}:
+  file.directory:
+    - group: prometheus
+
+{%- for group, nodes in mypillar.items() %}
+{{ targetsdir }}/{{ group }}.json:
+  file.serialize:
+    - dataset: {{ nodes }}
+    - serializer: json
+{%- endfor %}
+
+{%- else %}
+{%- do salt.log.debug('profile.prometheus: no targets defined') %}
+{%- endif %}

salt/profile/salt/formulas.sls

@@ -0,0 +1,6 @@
+salt_master_formulas:
+  git.latest:
+    - name: https://git.com.de/LibertaCasa/salt-formulas.git
+    - target: /srv/formulas
+    - branch: production
+    - submodules: True

salt/profile/salt/master.sls

@@ -7,6 +7,7 @@
 
 include:
   - salt.master
+  - .formulas
 
 salt_master_extension_modules_dirs:
   file.directory:
@@ -17,7 +18,7 @@ salt_master_extension_modules_dirs:
       {%- endfor %}
     - user: root
     - group: salt
-    - mode: 0755
+    - mode: '0755'
 
 salt_master_extension_modules_bins:
   file.managed:
@@ -30,24 +31,17 @@ salt_master_extension_modules_bins:
       {%- endfor %}
     - user: root
     - group: salt
-    - mode: 0640
+    - mode: '0640'
     - require:
       - file: salt_master_extension_modules_dirs
 
-salt_master_formulas:
-  git.latest:
-    - name: https://git.com.de/LibertaCasa/salt-formulas.git
-    - target: /srv/formulas
-    - branch: production
-    - submodules: True
-
 salt_master_extra_packages:
   pkg.installed:
     - names:
       - python3-ldap
       - python3-pynetbox
       - python3-redis
-      - redis
+      - redis7
       - salt-bash-completion
       - salt-fish-completion
       - salt-keydiff
@@ -72,29 +66,29 @@ salt_master_extra_packages:
       - requirepass {{ master_pillar['cache.redis.password'] }}
     - user: root
     - group: redis
-    - mode: 0640
+    - mode: '0640'
     - require:
-      - pkg: redis
+      - pkg: redis7
 
 /var/lib/redis/salt:
   file.directory:
     - user: redis
     - group: redis
-    - mode: 0750
+    - mode: '0750'
     - require:
-      - pkg: redis
+      - pkg: redis7
 
 salt_redis_service_enable:
   service.enabled:
     - name: {{ redis_service }}
     - require:
-      - pkg: redis
+      - pkg: redis7
 
 salt_redis_service_start:
   service.running:
     - name: {{ redis_service }}
     - require:
-      - pkg: redis
+      - pkg: redis7
     - watch:
       - file: {{ redis_config }}
 
@@ -102,7 +96,7 @@ salt_redis_membership:
   group.present:
     - name: redis
     - require:
-      - pkg: redis
+      - pkg: redis7
     - addusers:
       - {{ master_pillar['user'] }}
 {%- if pillar['secret_salt'] is defined %}

salt/profile/salt/minion.sls

@@ -1,5 +1,7 @@
 {%- set netbox_pillar = salt['pillar.get']('netbox') -%}
-{%- if 'custom_fields' in netbox_pillar and netbox_pillar['custom_fields']['salt_roles'] is not none and 'salt.syndic' in netbox_pillar['custom_fields']['salt_roles'] -%}
+{%- if 'custom_fields' in netbox_pillar
+    and netbox_pillar['custom_fields']['salt_roles'] is not none
+    and 'salt.syndic' in netbox_pillar['custom_fields']['salt_roles'] -%}
 {%- set master = salt['pillar.get']('salt:master:syndic_master') -%}
 {%- elif 'config_context' in netbox_pillar -%}
 {%- set master = netbox_pillar['config_context']['salt_master'] -%}

salt/role/bookstack.sls

@@ -0,0 +1,5 @@
+include:
+  - role.web.apache-httpd
+  - role.memcached
+  - profile.bookstack
+  - php.fpm

salt/role/ha-netcup.sls

@@ -0,0 +1,3 @@
+include:
+  - profile.netcup_failover
+  - role.ha-node

salt/role/memcached.sls

@@ -0,0 +1,2 @@
+include:
+  - memcached.config

salt/role/monitoring/prometheus-alertmanager.sls

@@ -0,0 +1,2 @@
+include:
+  - prometheus.config

salt/role/monitoring/prometheus-exporter-blackbox.sls

@@ -0,0 +1,2 @@
+include:
+  - prometheus.config

salt/role/monitoring/prometheus.sls

@@ -0,0 +1,3 @@
+include:
+  - prometheus.config
+  - profile.prometheus.targets

salt/role/php-fpm.sls

@@ -0,0 +1,2 @@
+include:
+  - php.fpm

salt/role/privatebin.sls

@@ -0,0 +1,4 @@
+include:
+  - role.web.apache-httpd
+  - profile.privatebin
+  - php.fpm

salt/role/web-proxy.sls

@@ -1,5 +1,6 @@
 include:
   - nginx.pkg
+  - profile.apparmor.local
   - nginx.config
   - nginx.snippets
   - nginx.servers

salt/role/web/apache-httpd.sls

@@ -0,0 +1,2 @@
+include:
+  - profile.apache-httpd