Compare commits


No commits in common. "production" and "import-denc-webcluster" have entirely different histories.

55 changed files with 67 additions and 860 deletions


@ -1,23 +0,0 @@
[config]
exclude-merge-commits=true
check-summary-length=true
summary-length=50
[matchers]
all='^(?:(?:Add|Remove|Update|Enable|Disable) |(?:role|profile|id|pipeline)\.[\w\-_]+: )[\w \.\+\-]+\n(?:(?:\n\- .*)+\n)?(?:\nSigned-off-by: \w+ \w+ <.*@.*>)'
[examples]
summary_variant_one="""
[Add|Remove|Update|Enable|Disable] this and that
"""
summary_variant_two="""
[role.$role|profile.$profile]: this and that
"""
body_message="""
- an optional body line
- another optional body line
Signed-off-by: Max Mandatory <required@example.com>
"""


@ -1,32 +1,9 @@
---
# yamllint disable rule:line-length
skip_clone: true skip_clone: true
pipeline: pipeline:
# commit_lint:
# image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-gommit:latest
# secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
# when:
# event: [push]
# commands:
# - git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-commit-linting
# - cd ../salt-libertacasa-commit-linting
# - bin/lint-commits.pl production
code_lint:
image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline-lint:latest
secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine]
when:
event: [push]
commands:
- git clone --single-branch -b $CI_COMMIT_BRANCH $CI_REPO_LINK ../salt-libertacasa-linting
- cd ../salt-libertacasa-linting
- find . -type f \( -name '*.yaml' -o -name '*.yml' \) -exec yamllint -f colored -s {} +
- find . -name '*.sls' -exec salt-lint --severity -x 204 {} +
check: check:
image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline:latest image: registry.opensuse.org/home/crameleon/libertacasa/containers/containerfile/libertacasa/pipeline:latest
secrets: [ci_netrc_username, ci_netrc_password, ci_netrc_machine] secrets: [ ci_netrc_username, ci_netrc_password, ci_netrc_machine ]
when: when:
event: [push] event: [push]
commands: commands:
@ -52,5 +29,5 @@ pipeline:
event: [push] event: [push]
instance: woodpecker-orpheus.intranet.squirrelcube.com instance: woodpecker-orpheus.intranet.squirrelcube.com
commands: commands:
# - rolesyncer #- rolesyncer
- bin/rolesyncer.py - bin/rolesyncer.py
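Review bot: Nothing on the new side lints the states before the `check` step runs them: the `code_lint` step that ran `yamllint` and `salt-lint --severity -x 204` over every push is gone, and the commit-message check was already commented out. A mistyped key under an nginx `upstream` or an unquoted file mode now only surfaces when the state is applied rather than in CI. If the `pipeline-lint` image is still published, restoring that one step (or appending its two `find … -exec` commands to `check`) brings the gate back. The `check` step's `commands:` list continues outside the hunk.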


@ -1,39 +0,0 @@
#!/usr/bin/perl
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use v5.26;
my ($branch_main) = @ARGV;
if(!$branch_main){
$branch_main = "master"
}
`git ls-remote origin $branch_main` =~ /([a-f0-9]{40})/;
my $refHead = `git rev-parse HEAD`;
my $refTail = $1;
chomp($refHead);
chomp($refTail);
if ($refHead eq $refTail) {
exit 0;
}
system "gommit check range $refTail $refHead";
if ($? > 0) {
exit 1;
}


@ -1,14 +1,4 @@
#!/usr/bin/env sh #!/usr/bin/env sh
# This rewrites top-files to fetch roles from grains instead of our custom roles API. Useful for testing outside of the LibertaCasa infrastructure, but not recommended for production. # This rewrites top-files to fetch roles from grains instead of our custom roles API. Useful for testing outside of the LibertaCasa infrastructure, but not recommended for production.
potential_files=(*/top.sls salt/common/suse.sls) sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" */top.sls
for file in ${potential_files[@]}
do
if [ -f "$file" ]
then
files+="$file "
fi
done
sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" ${files[@]}
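Review bot: The header comment says the rewrite is "not recommended for production" without saying why, and the reason is a trust boundary: grains are reported by the minion itself, so once a top file reads `grains['roles']` any minion can claim any role and receive that role's states and pillar. I would extend the comment with `# Grains are minion-controlled: after this rewrite any minion can assign itself roles, so never use it where pillar carries secrets.` The new one-liner also only touches `*/top.sls`, whereas the old version additionally rewrote `salt/common/suse.sls` when present; if that file still calls `salt['http.query']` it is left pointing at the roles API. Under `sh` an unmatched glob is passed to `sed` literally, so with no `top.sls` present the script fails on `*/top.sls` rather than doing nothing.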


@ -15,7 +15,6 @@ keepalived:
smtp_server: {{ mailer }} smtp_server: {{ mailer }}
smtp_connect_timeout: 30 smtp_connect_timeout: 30
router_id: SSO_FO router_id: SSO_FO
enable_script_security: true
vrrp_script: vrrp_script:
check_nginx_port: check_nginx_port:
script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"' script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
@ -90,15 +89,18 @@ nginx:
{{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }} {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
- include: snippets/tls - include: snippets/tls
tls_syscidsso: tls_syscidsso:
- ssl_trusted_certificate: {{ trustcrt }}
- ssl_client_certificate: {{ trustcrt }} - ssl_client_certificate: {{ trustcrt }}
- ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt - ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
- ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key - ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
- ssl_ocsp: 'on' - ssl_ocsp: 'on'
- ssl_ocsp_responder: {{ stapler }} - ssl_ocsp_responder: {{ stapler }}
- ssl_stapling: 'on'
- ssl_stapling_responder: {{ stapler }} - ssl_stapling_responder: {{ stapler }}
- ssl_stapling_verify: 'on'
- ssl_verify_client: 'on' - ssl_verify_client: 'on'
- resolver: {{ resolver }} ipv6=off - resolver: {{ resolver }} ipv6=off
- include: snippets/tls - include: snippets.d/tls
servers: servers:
managed: managed:
@ -108,7 +110,7 @@ nginx:
- proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
- proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
- upstream jboss: - upstream jboss:
- ip_hash: '' - ip: hash
- server: - server:
- theia.backend.syscid.com:8443 - theia.backend.syscid.com:8443
- orpheus.backend.syscid.com:8443 - orpheus.backend.syscid.com:8443
@ -118,18 +120,13 @@ nginx:
config: config:
- server: - server:
- include: - include:
- snippets/listen_ha - snippets/listen
- snippets/tls_libertacasa - snippets/tls_libertacasa
- server_name: libertacasa.info libcasa.info - server_name: libertacasa.info libcasa.info
- location /: - location /:
- proxy_pass: https://bookstack.themis.backend.syscid.com - proxy_pass: https://bookstack.themis.backend.syscid.com
- proxy_http_version: 1.1 - proxy_http_version: 1.1
- client_max_body_size: 20M - client_max_body_size: 20M
- modsecurity_rules: |-
'
SecRuleRemoveById 941160 949110
SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'"
'
http.conf: http.conf:
config: config:
@ -145,23 +142,19 @@ nginx:
config: config:
- server: - server:
- include: - include:
- snippets/listen_ha - snippets/listen
- snippets/tls_lysergic - snippets/tls_lysergic
- server_name: pasta.lysergic.dev - server_name: pasta.lysergic.dev
- location /: - location /:
- proxy_pass: https://privatebin.themis.backend.syscid.com - proxy_pass: https://privatebin.themis.backend.syscid.com
- proxy_http_version: 1.1 - proxy_http_version: 1.1
- client_max_body_size: 50M - client_max_body_size: 50M
- modsecurity_rules: |-
'
SecRequestBodyNoFilesLimit 50000000
'
sso_private.conf: sso_private.conf:
config: config:
- server: - server:
- include: - include:
- snippets/listen_ha - snippets/listen
- snippets/tls_syscidsso - snippets/tls_syscidsso
- server_name: sso.syscid.com - server_name: sso.syscid.com
- root: /srv/www/sso.syscid.com - root: /srv/www/sso.syscid.com
@ -181,14 +174,14 @@ nginx:
config: config:
- server: - server:
- include: - include:
- snippets/listen_ha - snippets/listen
- snippets/tls_libsso - snippets/tls_libsso
- server_name: sso.casa www.sso.casa - server_name: sso.casa www.sso.casa
- location /: - location /:
- root: /srv/www/sso.casa - root: /srv/www/sso.casa
- server: - server:
- include: - include:
- snippets/listen_ha - snippets/listen
- snippets/tls_libsso - snippets/tls_libsso
- server_name: libsso.net www.libsso.net - server_name: libsso.net www.libsso.net
- location /: - location /:
@ -211,30 +204,3 @@ nginx:
- proxy_busy_buffers_size: 512k - proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/libsso_public.error.log - error_log: /var/log/nginx/libsso_public.error.log
- access_log: /var/log/nginx/libsso_public.access.log combined - access_log: /var/log/nginx/libsso_public.access.log combined
agola.conf:
config:
- server:
- include:
- snippets/listen_ha
- snippets/tls_lysergic
- server_name: ci.lysergic.dev ci.git.com.de
- location /:
- proxy_pass: https://ci.lysergic.dev
- proxy_ssl_verify: 'on'
- include: snippets/proxy
manage_firewall: True
firewalld:
zones:
public:
services:
- http
- https
profile:
apparmor:
local:
usr.sbin.nginx:
- '{{ trustcrt }} r,'
- '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'
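Review bot: Reading the right-hand text as the new side, `- ip: hash` under `upstream jboss` (hunk `@ -108,7 +110,7`) is not an nginx directive: the formula emits a mapping entry as `key value;`, so this renders as `ip hash;` and `nginx -t` should reject it as an unknown directive, which blocks every reload of the SSO proxy. The intended directive is the one the old side had, `- ip_hash: ''`, which renders as `ip_hash;` and pins a client to one JBoss backend so sessions are not bounced between `theia` and `orpheus`. Separately, the first hunk drops `enable_script_security: true` from keepalived, the setting that stops keepalived from executing scripts reachable through a path writable by non-root users; given that this pair runs a `vrrp_script` and a failover script, I would keep it.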


@ -1,13 +1,8 @@
---
- apache
- firewalld - firewalld
- keepalived - keepalived
- memcached
- nginx - nginx
- openssh - openssh
- php
- postfix - postfix
- prometheus
- salt - salt
- tor - tor
- users - users


@ -15,7 +15,6 @@ zypper:
refreshdb_force: False refreshdb_force: False
firewalld: firewalld:
FlushAllOnReload: 'yes'
zones: zones:
internal: internal:
short: Internal short: Internal


@ -1 +0,0 @@
manage_firewall: True


@ -1,4 +1,4 @@
{%- set mediapath = '/var/lib/matterbridge/' -%} {%- set mediapath = '/srv/matterbridge/' -%}
{%- macro discord_common() -%} {%- macro discord_common() -%}
AutoWebhooks: 'true' AutoWebhooks: 'true'
@ -23,7 +23,7 @@ profile:
NickServNick: viaduct NickServNick: viaduct
NickServPassword: ${'secret_matterbridge:general:accounts:irc.libertacasa:NickServPassword'} NickServPassword: ${'secret_matterbridge:general:accounts:irc.libertacasa:NickServPassword'}
ColorNicks: 'true' ColorNicks: 'true'
Charset: utf8 Charset: utf8
MessageSplit: 'true' MessageSplit: 'true'
MessageQueue: 60 MessageQueue: 60
UseRelayMsg: 'true' UseRelayMsg: 'true'
@ -34,12 +34,12 @@ profile:
Password: ${'secret_matterbridge:general:accounts:xmpp.libertacasa:Password'} Password: ${'secret_matterbridge:general:accounts:xmpp.libertacasa:Password'}
Muc: muc.liberta.casa Muc: muc.liberta.casa
Nick: viaduct Nick: viaduct
RemoteNickFormat: '[{PROTOCOL}] <{NICK}> ' RemoteNickFormat: '[{PROTOCOL}] <{NICK}>'
Label: x Label: x
Debug: 'false' Debug: 'false'
telegram.libertacasa: telegram.libertacasa:
Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'} Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'}
RemoteNickFormat: '[{PROTOCOL}] &lt;{NICK}&gt; ' RemoteNickFormat: '&lt;{NICK}&gt; '
MessageFormat: HTMLNick MessageFormat: HTMLNick
Label: tg Label: tg
DisableWebPagePreview: 'true' DisableWebPagePreview: 'true'
@ -47,7 +47,7 @@ profile:
Server: 192.168.0.110:2220 Server: 192.168.0.110:2220
Nick: LC Nick: LC
RemoteNickFormat: '{PROTOCOL}:<{NICK}> ' RemoteNickFormat: '{PROTOCOL}:<{NICK}> '
Label: ssh Label: p
discord.23: discord.23:
Token: ${'secret_matterbridge:general:accounts:discord.23:Token'} Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.23:Server'} Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
@ -61,6 +61,7 @@ profile:
gateways: gateways:
libcasa: libcasa:
irc.libertacasa: '#libcasa' irc.libertacasa: '#libcasa'
sshchat.Psyched: sshchat
xmpp.libertacasa: libcasa xmpp.libertacasa: libcasa
dev: dev:
irc.libertacasa: '#dev' irc.libertacasa: '#dev'
@ -68,19 +69,22 @@ profile:
lucy: lucy:
irc.libertacasa: '#lucy' irc.libertacasa: '#lucy'
xmpp.libertacasa: lucy xmpp.libertacasa: lucy
telegram.libertacasa: '-1001795702961'
sshchat.Psyched: sshchat
info: info:
irc.libertacasa: '#libcasa.info' irc.libertacasa: '#libcasa.info'
xmpp.libertacasa: libcasa.info xmpp.libertacasa: libcasa.info
#telegram.libertacasa: '-1001518274267'
chat: chat:
irc.libertacasa: '#chat' irc.libertacasa: '#chai'
discord.23: chat discord.23: chat
xmpp.libertacasa: chat xmpp.libertacasa: chat
petals: dota:
irc.libertacasa: '#Petals' irc.libertacasa: '#dotes'
telegram.libertacasa: '-1001971550949' discord.23: dotes
xmpp.libertacasa: dota
aithunder:
irc.libertacasa: '#aithunder'
# discord.aithunder: main-chat
xmpp.libertacasa: aithunder
libertacasa-irc: libertacasa-irc:
general: general:
@ -211,61 +215,24 @@ profile:
nerds: nerds:
irc.libertacasa: '#nerds' irc.libertacasa: '#nerds'
irc.nerds: '#nerds' irc.nerds: '#nerds'
chillops:
irc.libertacasa: '#chillops'
irc.chillnet: '#chillops'
irc.stardust: '#chillnet-test'
music: music:
irc.libertacasa: '#music' irc.libertacasa: '#music'
irc.chillnet: '#music' irc.chillnet: '#music'
irc.stardust: '#music' irc.stardust: '#music'
chillnet:
general:
MediaDownloadSize: 1000000000
MediaDownloadPath: {{ mediapath }}chillnet
MediaServerDownload: https://up.chillnet.org
accounts:
irc.chillnet:
Server: irc.chillnet.org:6697
UseTLS: 'true'
UseSASL: 'true'
Nick: viaduct
NickServNick: viaduct
NickServPassword: ${'secret_matterbridge:chillnet:accounts:irc.chillnet:NickServPassword'}
ColorNicks: 'true'
Charset: utf8
MessageSplit: 'true'
MessageQueue: 60
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
telegram.chillnet:
Token: ${'secret_matterbridge:chillnet:accounts:telegram.chillnet:Token'}
RemoteNickFormat: '&lt;{NICK}&gt; '
MessageFormat: HTMLNick
Label: tg
DisableWebPagePreview: 'true'
discord.23:
Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
{{ discord_common() }}
gateways:
staff:
irc.chillnet: '#chillstaff'
telegram.chillnet: '-1001932699309'
devs:
irc.chillnet: '#chilldevs'
telegram.chillnet: '-1001778806358'
discord.23: chilldevs
lighttpd: lighttpd:
vhosts: vhosts:
matterbridge-general: matterbridge-general:
host: 'libertacasa-general.matterbridge.dericom02.rigel.lysergic.dev' host: 'libertacasa-general\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-general root: {{ mediapath }}libertacasa-general
matterbridge-irc: matterbridge-irc:
host: 'libertacasa-irc.matterbridge.dericom02.rigel.lysergic.dev' host: 'libertacasa-irc\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-irc root: {{ mediapath }}libertacasa-irc
matterbridge-chillnet:
host: 'chillnet.matterbridge.dericom02.rigel.lysergic.dev'
root: {{ mediapath }}chillnet
manage_firewall: True
firewalld: firewalld:
zones: zones:
web: web:
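Review bot: `irc.libertacasa: '#chai'` under the `chat` gateway (hunk `@ -68,19 +69,22`, reading the right-hand text as the new side) looks like a typo for `'#chat'`: the discord and xmpp legs of the same gateway use `chat`, the old side had `'#chat'`, and `#chai` appears nowhere else in the file. If it is deliberate, a short comment on that line would spare the next reader the same double-take. The escaped dots in the lighttpd `host:` values further down are an improvement if the formula emits them into a `=~` regex condition; if it emits a literal `==` comparison the backslashes would break the match, so that is worth confirming.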


@ -1 +0,0 @@
manage_firewall: True


@ -12,5 +12,3 @@ tor:
hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion
hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw== hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw==
hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'} hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'}
manage_firewall: True


@ -44,15 +44,15 @@
- proxy_set_header: Host $http_host - proxy_set_header: Host $http_host
- resolver: '{{ resolver }} ipv4=off valid=24h' - resolver: '{{ resolver }} ipv4=off valid=24h'
{%- endmacro -%} {%- endmacro -%}
{%- macro matterbridge_media(domain, name, tls='load') -%} {%- macro matterbridge_media(name) -%}
- server: - server:
- include: - include:
- snippets/listen - snippets/listen
- snippets/tls_{{ tls }} - snippets/tls_load
- snippets/tls - snippets/tls
- server_name: {{ domain }} - server_name: {% if name == 'general' %}load.casa{%- else %}{{ name ~ '.load.casa' }}{%- endif %}
- location /: - location /:
- proxy_pass: http://{{ name }}.matterbridge.dericom02.rigel.lysergic.dev - proxy_pass: http://libertacasa-{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
{%- endmacro -%} {%- endmacro -%}
nginx: nginx:
@ -71,7 +71,6 @@ nginx:
{{ nginx_crtkeypair('meet', 'meet.com.de') | indent }} {{ nginx_crtkeypair('meet', 'meet.com.de') | indent }}
{{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }} {{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }}
{{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }} {{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }}
{{ nginx_crtkeypair('up.chillnet.org', 'up.chillnet.org') | indent }}
{#- locations shared between clearnet and Tor LibertaCasa servers #} {#- locations shared between clearnet and Tor LibertaCasa servers #}
libertacasa: libertacasa:
@ -317,9 +316,8 @@ nginx:
matterbridge.conf: matterbridge.conf:
config: config:
{{ matterbridge_media('load.casa', 'libertacasa-general') }} {{ matterbridge_media('general') }}
{{ matterbridge_media('irc.load.casa', 'libertacasa-irc') }} {{ matterbridge_media('irc') }}
{{ matterbridge_media('up.chillnet.org', 'chillnet', 'up.chillnet.org') }}
meet.conf: meet.conf:
config: config:
@ -414,7 +412,7 @@ nginx:
- location /: - location /:
- proxy_pass: http://media.takahe.rigel.lysergic.dev:8001 - proxy_pass: http://media.takahe.rigel.lysergic.dev:8001
{{ takaheresolver }} {{ takaheresolver }}
{#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #} {#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #}
- server: - server:
{{ takahe_includes() }} {{ takahe_includes() }}
- server_name: despair.life - server_name: despair.life
@ -438,9 +436,8 @@ nginx:
- snippets/error - snippets/error
- server_name: exhausted.life - server_name: exhausted.life
{{ takahe_gohome() }} {{ takahe_gohome() }}
- location /.well-known/: - location /.well-known/:
- proxy_pass: {{ backend.takahe }} - proxy_pass: {{ backend.takahe }}
- sub_filter_types: application/xml - sub_filter_types: application/xml
- sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life
manage_firewall: True


@ -1 +0,0 @@
manage_firewall: True


@ -1,123 +0,0 @@
prometheus:
pkg:
component:
prometheus:
config:
alerting:
alertmanagers:
- static_configs:
- targets:
- localhost:9093
rule_files:
- /etc/prometheus/alerts/lysergic/*.yml
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'node_exporters_lysergic'
scrape_timeout: 1m
scrape_interval: 5m
file_sd_configs:
- files:
- '/etc/prometheus/targets/node-lysergic.json'
- job_name: 'blackbox-2xx'
metrics_path: /probe
params:
module: [http_2xx]
file_sd_configs:
- files: ['/etc/prometheus/targets/blackbox-2xx*.json']
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9115
- job_name: 'blackbox-3xx'
metrics_path: /probe
params:
module: [http_3xx]
file_sd_configs:
- files: ['/etc/prometheus/targets/blackbox-3xx*.json']
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9115
- job_name: 'certificate_exporter'
static_configs:
- targets: ['therapon.rigel.lysergic.dev:9793']
alertmanager:
config:
route:
group_by: ['alertname']
group_wait: 10s
group_interval: 10s
repeat_interval: 1h
receiver: 'smtp-local'
routes:
- receiver: 'lysergic'
# continue: false
match:
project: LYSERGIC
- receiver: 'chillnet'
match:
project: CHILLNET
receivers:
- name: 'smtp-local'
email_configs:
- to: 'system@lysergic.dev'
from: 'alertmanager@moni.lysergic.dev'
require_tls: false
# !!! TO-DO
smarthost: 'zz0.email:465'
send_resolved: yes
- name: 'irc-libertacasa'
webhook_configs:
- url: 'http://127.0.0.1:2410/universe'
send_resolved: yes
- name: 'lysergic'
webhook_configs:
- url: 'http://127.0.0.1:2410/universe'
send_resolved: yes
- url: http://127.0.0.2:8081/prometheus/webhook
send_resolved: yes
email_configs:
- to: 'system@lysergic.dev'
from: 'alertmanager@moni.lysergic.dev'
require_tls: false
smarthost: 'zz0.email:465'
send_resolved: yes
- name: 'chillnet'
email_configs:
- to: 'team@chillnet.org'
from: 'alertmanager@moni.lysergic.dev'
require_tls: false
smarthost: 'zz0.email:465'
send_resolved: yes
manage_firewall: True
firewalld:
zones:
internal:
services:
- https
ports:
- comment: DNS Slave
port: 5353
protocol: tcp
- port: 5353
protocol: udp


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_firewall: True


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_sshd: False


@ -1,150 +0,0 @@
{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
{%- macro httpdformulaexcess() -%}
LogLevel: False
ErrorLog: False
LogFormat: False
CustomLog: False
ServerAdmin: False
ServerAlias: False
{%- endmacro -%}
{%- macro httpdcommon(app) -%}
Include {{ common['snippetsdir'] }}ssl_themis.conf
<FilesMatch '\.php$'>
SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
</FilesMatch>
{%- endmacro -%}
apache:
sites:
BookStack:
interface: '{{ common['address'] }}'
port: {{ common['port'] }}
ServerName: bookstack{{ common['domain'] }}
DocumentRoot: /srv/www/BookStack/
DirectoryIndex: index.php
Directory:
/srv/www/BookStack/:
Options: FollowSymLinks
AllowOverride: None
Require: all granted
Formula_Append: |
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
{{ httpdformulaexcess() }}
Formula_Append: |
{{ httpdcommon('BookStack') }}
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
SetOutputFilter DEFLATE
PrivateBin:
interface: '{{ common['address'] }}'
port: {{ common['port'] }}
ServerName: privatebin{{ common['domain'] }}
DocumentRoot: /srv/www/PrivateBin/public
DirectoryIndex: index.php
Directory:
/srv/www/PrivateBin/:
Options: false
AllowOverride: None
Require: all granted
{{ httpdformulaexcess() }}
Formula_Append: |
{{ httpdcommon('PrivateBin') }}
profile:
bookstack:
app_url: https://libertacasa.info
db_host: ${'secret_bookstack:db_host'}
db_database: ${'secret_bookstack:db_database'}
db_username: ${'secret_bookstack:db_username'}
db_password: ${'secret_bookstack:db_password'}
mail_driver: smtp
mail_from_name: LibertaCasa Documentation
mail_from: mail@libertacasa.info
mail_host: zz0.email
mail_port: 465
mail_username: mail@libertacasa.info
mail_password: ${'secret_bookstack:mail_password'}
mail_encryption: ssl
app_theme: lysergic
cache_driver: memcached
session_driver: memcached
memcached_servers: /run/memcached/memcached.sock
session_secure_cookie: true
session_cookie_name: libertacasa_megayummycookie
app_debug: false
session_lifetime: 240
auth_method: saml2
auth_auto_initiate: true
saml2_name: LibertaCasa SSO
saml2_email_attribute: email
saml2_external_id_attribute: uid
saml2_display_name_attributes: fullname
saml2_idp_entityid: https://libsso.net/realms/LibertaCasa
saml2_idp_sso: https://libsso.net/realms/LibertaCasa/protocol/saml
saml2_idp_slo: https://libsso.net/realms/LibertaCasa/protocol/saml
saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
saml2_autoload_metadata: false
saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}
saml2_user_to_groups: true
saml2_group_attribute: groups
saml2_remove_from_groups: true
queue_connection: database
privatebin:
main:
name: Bin
fileupload: true
syntaxhighlightingtheme: sons-of-obsidian
sizelimit: 310485760
notice: 'Note: Kittens will die if you abuse this service.'
languageselection: true
urlshortener: ${'secret_privatebin:main:urlshortener'}
qrcode: true
expire:
default: 1week
expire_options:
5min: 300
10min: 600
1hour: 3600
1day: 86400
1week: 604800
1month: 2592000
1year: 31536000
never: 0
formatter_options:
plaintext: Plain Text
syntaxhighlighting: Source Code
markdown: Markdown
traffic:
limit: 10
header: X_FORWARDED_FOR
dir: /var/lib/PrivateBin/limits
purge:
limit: 300
batchsize: 10
dir: /var/lib/PrivateBin/limits
model:
class: Database
model_options:
dsn: ${'secret_privatebin:model_options:dsn'}
tbl: privatebin_
usr: ${'secret_privatebin:model_options:usr'}
pwd: ${'secret_privatebin:model_options:pwd'}
opt[12]: true
manage_firewall: True
firewalld:
zones:
backend:
services:
- https


@ -1,7 +0,0 @@
manage_firewall: True
firewalld:
zones:
public:
services:
- http
- https


@ -1 +0,0 @@
# empty


@ -1,7 +1,7 @@
firewalld: firewalld:
zones: zones:
internal: internal:
protocols: services:
- vrrp - vrrp
backend: backend:
protocols: protocols:
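Review bot: `services:` / `- vrrp` for the internal zone (reading the right-hand text as the new side) will not apply as written: VRRP is IP protocol 112, not a port-based service, and firewalld ships no `vrrp` service definition, so whatever the formula turns this into should fail with an invalid-service error unless a custom service XML exists elsewhere. The `backend` zone two lines below still uses `protocols:`, which is the right key; I would make the internal zone match it: `protocols:` / `- vrrp`. If this pillar targets the keepalived pair, the practical effect of the rule not applying is that the peers cannot see each other's advertisements and both elect themselves MASTER.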


@ -1,2 +0,0 @@
memcached:
listen_address: /run/memcached/memcached.sock


@ -1,11 +0,0 @@
prometheus:
wanted:
component:
- alertmanager
pkg:
component:
alertmanager:
config:
global:
resolve_timeout: 5m


@ -1,50 +0,0 @@
prometheus:
wanted:
component:
- blackbox_exporter
pkg:
component:
blackbox_exporter:
config:
modules:
http_2xx:
prober: http
timeout: 15s
http_post_2xx:
prober: http
http:
method: POST
http_3xx:
prober: http
timeout: 5s
http:
method: HEAD
no_follow_redirects: true
valid_status_codes: [301, 302]
tcp_connect:
prober: tcp
ssh_banner:
prober: tcp
tcp:
query_response:
- expect: "^SSH-2.0-"
irc_banner:
prober: tcp
tcp:
query_response:
- send: "NICK prober"
- send: "USER prober prober prober :prober"
- expect: "PING :([^ ]+)"
send: "PONG ${1}"
- expect: "^:[^ ]+ 001"
icmp:
prober: icmp
firewalld:
zones:
internal:
ports:
- comment: 'Prometheus Blackbox Exporter'
port: 9115
protocol: tcp


@ -1,17 +0,0 @@
prometheus:
wanted:
component:
- prometheus
pkg:
component:
prometheus:
config:
global:
scrape_interval: 15s
evaluation_interval: 1m
firewalld:
zones:
internal:
services:
- prometheus


@ -1 +0,0 @@
# empty


@ -1 +0,0 @@
# empty


@ -21,7 +21,7 @@ salt:
- roots - roots
- git - git
file_roots: file_roots:
__env__: production:
{%- for formula in formulas %} {%- for formula in formulas %}
- /srv/formulas/{{ formula }}-formula - /srv/formulas/{{ formula }}-formula
{%- endfor %} {%- endfor %}
@ -30,7 +30,6 @@ salt:
- https://git.com.de/LibertaCasa/salt.git: - https://git.com.de/LibertaCasa/salt.git:
- user: ${'secret_salt:master:gitfs_remotes:LibertaCasa:user'} - user: ${'secret_salt:master:gitfs_remotes:LibertaCasa:user'}
- password: ${'secret_salt:master:gitfs_remotes:LibertaCasa:password'} - password: ${'secret_salt:master:gitfs_remotes:LibertaCasa:password'}
- fallback: production
ext_pillar: ext_pillar:
- netbox: - netbox:
api_url: ${'secret_salt:master:ext_pillar:netbox:api_url'} api_url: ${'secret_salt:master:ext_pillar:netbox:api_url'}
@ -60,7 +59,6 @@ salt:
timeout: 20 timeout: 20
gather_job_timeout: 20 gather_job_timeout: 20
keep_jobs: 30 keep_jobs: 30
ping_on_rotate: True
user: ${'secret_salt:master:user'} user: ${'secret_salt:master:user'}
syndic_user: ${'secret_salt:master:syndic_user'} syndic_user: ${'secret_salt:master:syndic_user'}
cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'} cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'}
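Review bot: With `ping_on_rotate` removed (hunk `@ -60,7 +59,6`) the master falls back to Salt's default of `False`, so after the periodic AES key rotation minions are not prompted to re-authenticate and the first publish after a rotation can be missed by minions still holding the old key. That is an availability rather than a confidentiality issue, but it shows up as intermittent "minion did not return" failures that are hard to trace back; I would keep `ping_on_rotate: True` unless the omission is deliberate. The enclosing `salt: master:` mapping starts outside the hunk.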


@ -3,7 +3,4 @@ salt:
minion_remove_config: True minion_remove_config: True
minion: minion:
master_type: str master_type: str
backup_mode: minion
cache_jobs: True
enable_gpu_grains: False
saltenv: production saltenv: production


@ -1,13 +0,0 @@
{%- set host = grains['host'] -%}
{%- set fqdn = grains['fqdn'] -%}
apache:
global:
ServerAdmin: system@lysergic.dev
profile:
apache-httpd:
snippets:
ssl_{{ host }}:
- 'SSLCertificateFile "/etc/ssl/{{ host }}/{{ fqdn }}.crt"'
- 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"'


@ -1 +0,0 @@
# Nothing yet


@ -1,6 +1,5 @@
include: include:
- openssh.banner - openssh.banner
{%- if salt['pillar.get']('manage_sshd', True) %}
- openssh.config - openssh.config
/etc/ssh/user_ca: /etc/ssh/user_ca:
@ -11,4 +10,3 @@ include:
{%- endfor -%} {%- endfor -%}
- require: - require:
- pkg: openssh - pkg: openssh
{%- endif %}
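Review bot: `openssh.config` and the `/etc/ssh/user_ca` file are now applied unconditionally: the `manage_sshd` pillar guard is gone and the per-host `manage_sshd: False` pillars are deleted in this same compare. A host that was previously excluded therefore gets its sshd configuration rewritten at the next highstate, which can cut off access if it was excluded for a reason (a hand-managed sshd_config, or a different user CA). Worth confirming that no minion in the imported cluster still relies on that opt-out before merging; the body of the `/etc/ssh/user_ca` state and its `for` loop lie outside the two hunks.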


@ -1,16 +1,9 @@
include: include:
{#- drop pillar check after all firewall configurations have been imported #}
{%- if salt['pillar.get']('manage_firewall', False) %}
- firewalld - firewalld
{%- endif %}
- profile.seccheck - profile.seccheck
- profile.zypp - profile.zypp
- profile.prometheus.node_exporter - profile.node_exporter
{%- if salt['cmd.run']("awk '/^passwd/{ print $2; exit }' /etc/nsswitch.conf") == 'sss' %}
{%- do salt.log.warning('Not configuring local users due to sss') %}
{%- else %}
- users - users
{%- endif %}
- .ssh - .ssh
- postfix.config - postfix.config
@ -69,6 +62,7 @@ common_packages_remove:
{#- we only use AutoYaST for the OS deployment #} {#- we only use AutoYaST for the OS deployment #}
- autoyast2 - autoyast2
- autoyast2-installation - autoyast2-installation
- libX11-data
- yast2-add-on - yast2-add-on
- yast2-services-manager - yast2-services-manager
- yast2-slp - yast2-slp
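Review bot: The `users` include (hunk `@ -1,16 +1,9`) is now unconditional: the old side first read `/etc/nsswitch.conf` and skipped local user management with a logged warning when `passwd` resolves through `sss`. On a host joined to a directory via SSSD, applying the users state can create local accounts that shadow directory accounts or collide on UIDs, so if any of the imported hosts use SSSD the guard should stay; if none do, a one-line comment such as `# all hosts use local accounts; no sss guard needed` would record the decision. The `include:` list and `common_packages_remove` both continue outside the hunks.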


@ -1,28 +0,0 @@
{%- set snippetsdir = '/etc/apache2/snippets.d' -%}
{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%}
{{ snippetsdir }}:
file.directory:
- makedirs: True
{%- if 'snippets' in mypillar %}
{%- for snippet, config in mypillar['snippets'].items() %}
{{ snippetsdir }}/{{ snippet }}.conf:
file.managed:
- contents:
{%- for line in config %}
- {{ line }}
{%- endfor %}
- require:
- file: {{ snippetsdir }}
{#- formula dependencies #}
- watch_in:
- service: apache-service-running
{%- endfor %}
{%- endif %}
include:
- apache.config


@ -1,22 +0,0 @@
{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
{%- if 'local' in aapillar %}
{%- for profile, lines in aapillar['local'].items() %}
/etc/apparmor.d/local/{{ profile }}:
file.managed:
- contents: {{ lines }}
- watch_in:
- module: apparmor_reload
{%- endfor %}
{%- if aapillar['local'] | length %}
apparmor_reload:
module.run:
- name: service.reload
- m_name: apparmor
- onchanges:
{%- for profile in aapillar['local'] %}
- file: /etc/apparmor.d/local/{{ profile }}
{%- endfor %}
{%- endif %}
{%- endif %}


@ -1,74 +0,0 @@
{%- set mypillar = salt['pillar.get']('profile:bookstack', {}) -%}
{%- set configfile = '/etc/sysconfig/BookStack' -%}
bookstack_packages:
pkg.installed:
- names:
- BookStack-config-php-fpm-apache
bookstack_permissions:
file.managed:
- mode: '0640'
- user: root
- group: www
- names:
- {{ configfile }}
{%- if mypillar | length %}
{{ configfile }}:
file.keyvalue:
- separator: '='
- show_changes: False
- require:
- pkg: bookstack_packages
- key_values:
{%- macro condconf(option) %}
{%- if option in mypillar -%}
{%- if ( mypillar[option] is string and mypillar[option].startswith('$') ) or mypillar[option] is number %}
{%- set value = mypillar[option] %}
{%- else %}
{%- set value = "\"'" ~ mypillar[option] ~ "'\"" %}
{%- endif %}
{{ option | upper }}: {{ value }}
{%- endif -%}
{%- endmacro %}
{{ condconf('app_url') }}
{{ condconf('db_host') }}
{{ condconf('db_database') }}
{{ condconf('db_username') }}
{{ condconf('db_password') }}
{{ condconf('mail_driver') }}
{{ condconf('mail_from_name') }}
{{ condconf('mail_from') }}
{{ condconf('mail_host') }}
{{ condconf('mail_port') }}
{{ condconf('mail_username') }}
{{ condconf('mail_password') }}
{{ condconf('mail_encryption') }}
{{ condconf('app_theme') }}
{{ condconf('cache_driver') }}
{{ condconf('session_driver') }}
{{ condconf('memcached_servers') }}
{{ condconf('session_secure_cookie') }}
{{ condconf('session_cookie_name') }}
{{ condconf('app_debug') }}
{{ condconf('session_lifetime') }}
{{ condconf('auth_method') }}
{{ condconf('auth_auto_initiate') }}
{{ condconf('saml2_name') }}
{{ condconf('saml2_email_attribute') }}
{{ condconf('saml2_external_id_attribute') }}
{{ condconf('saml2_display_name_attributes') }}
{{ condconf('saml2_idp_entityid') }}
{{ condconf('saml2_idp_sso') }}
{{ condconf('saml2_idp_slo') }}
{{ condconf('saml2_idp_x509') }}
{{ condconf('saml2_autoload_metadata') }}
{{ condconf('saml2_sp_x509') }}
{{ condconf('saml2_user_to_groups') }}
{{ condconf('saml2_group_attribute') }}
{{ condconf('saml2_remove_from_groups') }}
{{ condconf('saml2_dump_user_details') }}
{{ condconf('queue_connection') }}
{{ condconf('app_views_books') }}
{%- endif %}


@ -46,7 +46,7 @@ matterbridge_{{ instance }}_mediadir:
- user: matterbridge - user: matterbridge
{#- to-do: implement some shared group #} {#- to-do: implement some shared group #}
- group: lighttpd - group: lighttpd
- mode: '0750' - mode: 750
- makedirs: True - makedirs: True
{%- endif %} {%- endif %}
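Review bot: `- mode: 750` on the new side of this hunk is a bare YAML integer where the other side uses the quoted string `'0750'`; salt-lint rule 206 expects file modes to be quoted, and the quoted form is the only one whose meaning does not depend on the YAML loader. A bare `750` is, as far as I can tell, still normalised to `0750` by Salt's file state, but the same pattern in the salt.master hunks below uses leading-zero literals (`0755`, `0640`, `0750`), which a YAML 1.1 parser reads as octal integers unless the loader special-cases them — and the `0640` there is the mode of the redis config that carries `requirepass`, so a mis-parsed mode on that file would expose a secret. The keepalived `failover.sh` hunk below has the same bare `750`. Quote all of them: `- mode: '0750'`.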


@ -5,6 +5,6 @@ include:
file.managed: file.managed:
- user: keepalived_script - user: keepalived_script
- group: wheel - group: wheel
- mode: '0750' - mode: 750
- template: jinja - template: jinja
- source: salt://{{ slspath }}/files/failover.sh.j2 - source: salt://{{ slspath }}/files/failover.sh.j2


@ -1,55 +0,0 @@
{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
{%- set confdir = '/etc/PrivateBin' -%}
{%- set configfile = confdir ~ '/conf.php' -%}
privatebin_packages:
pkg.installed:
- names:
- PrivateBin-config-httpd
privatebin_clean:
file.directory:
- name: {{ confdir }}
- clean: True
- onchanges:
- pkg: privatebin_packages
- require:
- pkg: privatebin_packages
{%- if mypillar | length %}
{{ configfile }}:
ini.options_present:
- separator: '='
- strict: True
- sections:
{%- macro conf(section, options) %}
{%- for option in options.keys() -%}
{%- if ( mypillar[section][option] is string and mypillar[section][option].startswith('$') ) or mypillar[section][option] is number %}
{%- set value = mypillar[section][option] -%}
{%- else %}
{%- set value = "\"'" ~ mypillar[section][option] ~ "'\"" -%}
{%- endif %}
{{ option }}: {{ value }}
{%- endfor -%}
{%- endmacro %}
{%- for section, options in mypillar.items() %}
{{ section }}:
{{ conf(section, options) }}
{%- endfor %}
- require:
- pkg: privatebin_packages
- watch:
- file: privatebin_clean
- watch_in:
- file: privatebin_permissions
{%- endif %}
privatebin_permissions:
file.managed:
- mode: '0640'
- user: wwwrun
- group: privatebin
- names:
- {{ configfile }}
- require:
- pkg: privatebin_packages


@ -1,18 +0,0 @@
{%- set mypillar = salt['pillar.get']('profile:prometheus:targets') %}
{%- set targetsdir = '/etc/prometheus/targets' %}
{%- if mypillar | length %}
{{ targetsdir }}:
file.directory:
- group: prometheus
{%- for group, nodes in mypillar.items() %}
{{ targetsdir }}/{{ group }}.json:
file.serialize:
- dataset: {{ nodes }}
- serializer: json
{%- endfor %}
{%- else %}
{%- do salt.log.debug('profile.prometheus: no targets defined') %}
{%- endif %}


@ -1,6 +0,0 @@
salt_master_formulas:
git.latest:
- name: https://git.com.de/LibertaCasa/salt-formulas.git
- target: /srv/formulas
- branch: production
- submodules: True


@ -7,7 +7,6 @@
include: include:
- salt.master - salt.master
- .formulas
salt_master_extension_modules_dirs: salt_master_extension_modules_dirs:
file.directory: file.directory:
@ -18,7 +17,7 @@ salt_master_extension_modules_dirs:
{%- endfor %} {%- endfor %}
- user: root - user: root
- group: salt - group: salt
- mode: '0755' - mode: 0755
salt_master_extension_modules_bins: salt_master_extension_modules_bins:
file.managed: file.managed:
@ -31,17 +30,24 @@ salt_master_extension_modules_bins:
{%- endfor %} {%- endfor %}
- user: root - user: root
- group: salt - group: salt
- mode: '0640' - mode: 0640
- require: - require:
- file: salt_master_extension_modules_dirs - file: salt_master_extension_modules_dirs
salt_master_formulas:
git.latest:
- name: https://git.com.de/LibertaCasa/salt-formulas.git
- target: /srv/formulas
- branch: production
- submodules: True
salt_master_extra_packages: salt_master_extra_packages:
pkg.installed: pkg.installed:
- names: - names:
- python3-ldap - python3-ldap
- python3-pynetbox - python3-pynetbox
- python3-redis - python3-redis
- redis7 - redis
- salt-bash-completion - salt-bash-completion
- salt-fish-completion - salt-fish-completion
- salt-keydiff - salt-keydiff
@ -66,29 +72,29 @@ salt_master_extra_packages:
- requirepass {{ master_pillar['cache.redis.password'] }} - requirepass {{ master_pillar['cache.redis.password'] }}
- user: root - user: root
- group: redis - group: redis
- mode: '0640' - mode: 0640
- require: - require:
- pkg: redis7 - pkg: redis
/var/lib/redis/salt: /var/lib/redis/salt:
file.directory: file.directory:
- user: redis - user: redis
- group: redis - group: redis
- mode: '0750' - mode: 0750
- require: - require:
- pkg: redis7 - pkg: redis
salt_redis_service_enable: salt_redis_service_enable:
service.enabled: service.enabled:
- name: {{ redis_service }} - name: {{ redis_service }}
- require: - require:
- pkg: redis7 - pkg: redis
salt_redis_service_start: salt_redis_service_start:
service.running: service.running:
- name: {{ redis_service }} - name: {{ redis_service }}
- require: - require:
- pkg: redis7 - pkg: redis
- watch: - watch:
- file: {{ redis_config }} - file: {{ redis_config }}
@ -96,7 +102,7 @@ salt_redis_membership:
group.present: group.present:
- name: redis - name: redis
- require: - require:
- pkg: redis7 - pkg: redis
- addusers: - addusers:
- {{ master_pillar['user'] }} - {{ master_pillar['user'] }}
{%- if pillar['secret_salt'] is defined %} {%- if pillar['secret_salt'] is defined %}
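Review bot: The `salt_master_formulas` state inlined in the third hunk checks out the tip of `branch: production` from the formulas repository with no pinned `rev`, so every run on the master pulls whatever that branch currently points at (and, with `submodules: True`, whatever the submodule pointers then resolve to) into `/srv/formulas`, from where it is applied to the whole fleet. If tracking the branch tip is the intended contract, a comment above the state saying so would make the trust decision visible; otherwise pin it, e.g. `- rev: <tag-or-commit placeholder>`, and bump deliberately. The surrounding master state continues outside these hunks.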


@ -1,7 +1,5 @@
{%- set netbox_pillar = salt['pillar.get']('netbox') -%} {%- set netbox_pillar = salt['pillar.get']('netbox') -%}
{%- if 'custom_fields' in netbox_pillar {%- if 'custom_fields' in netbox_pillar and netbox_pillar['custom_fields']['salt_roles'] is not none and 'salt.syndic' in netbox_pillar['custom_fields']['salt_roles'] -%}
and netbox_pillar['custom_fields']['salt_roles'] is not none
and 'salt.syndic' in netbox_pillar['custom_fields']['salt_roles'] -%}
{%- set master = salt['pillar.get']('salt:master:syndic_master') -%} {%- set master = salt['pillar.get']('salt:master:syndic_master') -%}
{%- elif 'config_context' in netbox_pillar -%} {%- elif 'config_context' in netbox_pillar -%}
{%- set master = netbox_pillar['config_context']['salt_master'] -%} {%- set master = netbox_pillar['config_context']['salt_master'] -%}


@ -1,5 +0,0 @@
include:
- role.web.apache-httpd
- role.memcached
- profile.bookstack
- php.fpm


@ -1,2 +0,0 @@
include:
- memcached.config


@ -1,2 +0,0 @@
include:
- prometheus.config


@ -1,2 +0,0 @@
include:
- prometheus.config


@ -1,3 +0,0 @@
include:
- prometheus.config
- profile.prometheus.targets


@ -1,2 +0,0 @@
include:
- php.fpm


@ -1,4 +0,0 @@
include:
- role.web.apache-httpd
- profile.privatebin
- php.fpm


@ -1,6 +1,5 @@
include: include:
- nginx.pkg - nginx.pkg
- profile.apparmor.local
- nginx.config - nginx.config
- nginx.snippets - nginx.snippets
- nginx.servers - nginx.servers
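Review bot: The new side of this include list no longer pulls in `profile.apparmor.local`, so on this branch the nginx role is applied without the local AppArmor profile state that the other side ships alongside it. Whether that is a confinement regression or just a consequence of the state not existing on this branch cannot be told from the hunk; if the state does exist here, restore `- profile.apparmor.local` in the list, and if it was dropped intentionally, a one-line comment in the include block saying why would stop the next reader from re-adding it.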


@ -1,2 +0,0 @@
include:
- profile.apache-httpd