
No commits in common. "production" and "privatebin" have entirely different histories.

29 changed files with 65 additions and 169 deletions


@ -1,14 +1,4 @@
#!/usr/bin/env sh #!/usr/bin/env sh
# This rewrites top-files to fetch roles from grains instead of our custom roles API. Useful for testing outside of the LibertaCasa infrastructure, but not recommended for production. # This rewrites top-files to fetch roles from grains instead of our custom roles API. Useful for testing outside of the LibertaCasa infrastructure, but not recommended for production.
potential_files=(*/top.sls salt/common/suse.sls) sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" */top.sls
for file in ${potential_files[@]}
do
if [ -f "$file" ]
then
files+="$file "
fi
done
sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" ${files[@]}
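Review bot: The new side passes the bare glob `*/top.sls` to `sed -i` with no existence check, so in a checkout where nothing matches sed receives the literal pattern as a filename and aborts, and `salt/common/suse.sls`, which the old loop also rewrote, is no longer touched at all; if it still carries a `salt['http.query']` lookup that file keeps calling the roles API after the "switch to grains". A portable shape that keeps both targets and skips missing ones is `for f in */top.sls salt/common/suse.sls; do if [ -f "$f" ]; then sed -i "s/salt\['http.query'\].*/grains\['roles'\] -%}/" "$f"; fi; done`. The header comment would also be more useful if it said why this is unsuitable for production, e.g. `# grains are reported by the minion itself, so a compromised minion could claim any role; the roles API is the trusted source`.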


@ -127,7 +127,7 @@ nginx:
- client_max_body_size: 20M - client_max_body_size: 20M
- modsecurity_rules: |- - modsecurity_rules: |-
' '
SecRuleRemoveById 941160 949110 SecRuleRemoveById 941160
SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'" SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'"
' '
@ -212,19 +212,6 @@ nginx:
- error_log: /var/log/nginx/libsso_public.error.log - error_log: /var/log/nginx/libsso_public.error.log
- access_log: /var/log/nginx/libsso_public.access.log combined - access_log: /var/log/nginx/libsso_public.access.log combined
agola.conf:
config:
- server:
- include:
- snippets/listen_ha
- snippets/tls_lysergic
- server_name: ci.lysergic.dev ci.git.com.de
- location /:
- proxy_pass: https://ci.lysergic.dev
- proxy_ssl_verify: 'on'
- include: snippets/proxy
manage_firewall: True
firewalld: firewalld:
zones: zones:
public: public:
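Review bot: `SecRuleRemoveById 941160` in the modsecurity_rules block disables a CRS detection rule (941160 is the NoScript HTML-injection XSS check) for the entire server block, and nothing records which request triggered the false positive, so nobody can later judge whether the exclusion is still needed or can be narrowed. Add a line above it such as `# 941160 false-positives on <request path, TBD>; re-check after the next CRS upgrade`, and where the offending request is a single path prefer a location-scoped exclusion (`SecRuleRemoveById` inside that location, or `ctl:ruleRemoveById=941160` on a rule matching the path) over a server-wide removal. The `tx.allowed_methods` SecAction on the next line deserves the same one-line why, since PUT/PATCH being allowed is a deliberate widening of the CRS default.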


@ -15,7 +15,6 @@ zypper:
refreshdb_force: False refreshdb_force: False
firewalld: firewalld:
FlushAllOnReload: 'yes'
zones: zones:
internal: internal:
short: Internal short: Internal


@ -1 +0,0 @@
manage_firewall: True


@ -1,4 +1,4 @@
{%- set mediapath = '/var/lib/matterbridge/' -%} {%- set mediapath = '/srv/matterbridge/' -%}
{%- macro discord_common() -%} {%- macro discord_common() -%}
AutoWebhooks: 'true' AutoWebhooks: 'true'
@ -39,7 +39,7 @@ profile:
Debug: 'false' Debug: 'false'
telegram.libertacasa: telegram.libertacasa:
Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'} Token: ${'secret_matterbridge:general:accounts:telegram.libertacasa:Token'}
RemoteNickFormat: '[{PROTOCOL}] <{NICK}> ' RemoteNickFormat: '<{NICK}> '
MessageFormat: HTMLNick MessageFormat: HTMLNick
Label: tg Label: tg
DisableWebPagePreview: 'true' DisableWebPagePreview: 'true'
@ -47,7 +47,7 @@ profile:
Server: 192.168.0.110:2220 Server: 192.168.0.110:2220
Nick: LC Nick: LC
RemoteNickFormat: '{PROTOCOL}:<{NICK}> ' RemoteNickFormat: '{PROTOCOL}:<{NICK}> '
Label: ssh Label: p
discord.23: discord.23:
Token: ${'secret_matterbridge:general:accounts:discord.23:Token'} Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.23:Server'} Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
@ -61,6 +61,7 @@ profile:
gateways: gateways:
libcasa: libcasa:
irc.libertacasa: '#libcasa' irc.libertacasa: '#libcasa'
sshchat.Psyched: sshchat
xmpp.libertacasa: libcasa xmpp.libertacasa: libcasa
dev: dev:
irc.libertacasa: '#dev' irc.libertacasa: '#dev'
@ -68,19 +69,22 @@ profile:
lucy: lucy:
irc.libertacasa: '#lucy' irc.libertacasa: '#lucy'
xmpp.libertacasa: lucy xmpp.libertacasa: lucy
telegram.libertacasa: '-1001795702961'
sshchat.Psyched: sshchat
info: info:
irc.libertacasa: '#libcasa.info' irc.libertacasa: '#libcasa.info'
xmpp.libertacasa: libcasa.info xmpp.libertacasa: libcasa.info
#telegram.libertacasa: '-1001518274267'
chat: chat:
irc.libertacasa: '#chat' irc.libertacasa: '#chai'
discord.23: chat discord.23: chat
xmpp.libertacasa: chat xmpp.libertacasa: chat
petals: dota:
irc.libertacasa: '#Petals' irc.libertacasa: '#dotes'
telegram.libertacasa: '-1001971550949' discord.23: dotes
xmpp.libertacasa: dota
aithunder:
irc.libertacasa: '#aithunder'
# discord.aithunder: main-chat
xmpp.libertacasa: aithunder
libertacasa-irc: libertacasa-irc:
general: general:
@ -211,61 +215,24 @@ profile:
nerds: nerds:
irc.libertacasa: '#nerds' irc.libertacasa: '#nerds'
irc.nerds: '#nerds' irc.nerds: '#nerds'
chillops:
irc.libertacasa: '#chillops'
irc.chillnet: '#chillops'
irc.stardust: '#chillnet-test'
music: music:
irc.libertacasa: '#music' irc.libertacasa: '#music'
irc.chillnet: '#music' irc.chillnet: '#music'
irc.stardust: '#music' irc.stardust: '#music'
chillnet:
general:
MediaDownloadSize: 1000000000
MediaDownloadPath: {{ mediapath }}chillnet
MediaServerDownload: https://up.chillnet.org
accounts:
irc.chillnet:
Server: irc.chillnet.org:6697
UseTLS: 'true'
UseSASL: 'true'
Nick: viaduct
NickServNick: viaduct
NickServPassword: ${'secret_matterbridge:chillnet:accounts:irc.chillnet:NickServPassword'}
ColorNicks: 'true'
Charset: utf8
MessageSplit: 'true'
MessageQueue: 60
UseRelayMsg: 'true'
RemoteNickFormat: '{NICK}/{LABEL}'
telegram.chillnet:
Token: ${'secret_matterbridge:chillnet:accounts:telegram.chillnet:Token'}
RemoteNickFormat: '&lt;{NICK}&gt; '
MessageFormat: HTMLNick
Label: tg
DisableWebPagePreview: 'true'
discord.23:
Token: ${'secret_matterbridge:general:accounts:discord.23:Token'}
Server: ${'secret_matterbridge:general:accounts:discord.23:Server'}
{{ discord_common() }}
gateways:
staff:
irc.chillnet: '#chillstaff'
telegram.chillnet: '-1001932699309'
devs:
irc.chillnet: '#chilldevs'
telegram.chillnet: '-1001778806358'
discord.23: chilldevs
lighttpd: lighttpd:
vhosts: vhosts:
matterbridge-general: matterbridge-general:
host: 'libertacasa-general.matterbridge.dericom02.rigel.lysergic.dev' host: 'libertacasa-general\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-general root: {{ mediapath }}libertacasa-general
matterbridge-irc: matterbridge-irc:
host: 'libertacasa-irc.matterbridge.dericom02.rigel.lysergic.dev' host: 'libertacasa-irc\.matterbridge\.dericom02\.rigel\.lysergic\.dev'
root: {{ mediapath }}libertacasa-irc root: {{ mediapath }}libertacasa-irc
matterbridge-chillnet:
host: 'chillnet.matterbridge.dericom02.rigel.lysergic.dev'
root: {{ mediapath }}chillnet
manage_firewall: True
firewalld: firewalld:
zones: zones:
web: web:
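Review bot: In the `chat` gateway the new side reads `irc.libertacasa: '#chai'`, which looks like a typo for `'#chat'`: every other gateway in this file maps to an IRC channel named after its key, and the `discord.23` and `xmpp.libertacasa` entries of the same gateway still say `chat`. If the channel name is intentional, a comment such as `# IRC side is deliberately #chai, see <ticket, TBD>` would stop the next reader from "fixing" it. The lighttpd `host:` values are now regex-escaped (`\.`), which only makes sense if the consuming vhost template matches with `=~`; a comment on the first one, `# matched with =~ in the lighttpd vhost template, hence the escaped dots`, would document that dependency.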


@ -1 +0,0 @@
manage_firewall: True


@ -12,5 +12,3 @@ tor:
hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion
hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw== hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw==
hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'} hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'}
manage_firewall: True


@ -44,15 +44,15 @@
- proxy_set_header: Host $http_host - proxy_set_header: Host $http_host
- resolver: '{{ resolver }} ipv4=off valid=24h' - resolver: '{{ resolver }} ipv4=off valid=24h'
{%- endmacro -%} {%- endmacro -%}
{%- macro matterbridge_media(domain, name, tls='load') -%} {%- macro matterbridge_media(name) -%}
- server: - server:
- include: - include:
- snippets/listen - snippets/listen
- snippets/tls_{{ tls }} - snippets/tls_load
- snippets/tls - snippets/tls
- server_name: {{ domain }} - server_name: {% if name == 'general' %}load.casa{%- else %}{{ name ~ '.load.casa' }}{%- endif %}
- location /: - location /:
- proxy_pass: http://{{ name }}.matterbridge.dericom02.rigel.lysergic.dev - proxy_pass: http://libertacasa-{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
{%- endmacro -%} {%- endmacro -%}
nginx: nginx:
@ -71,7 +71,6 @@ nginx:
{{ nginx_crtkeypair('meet', 'meet.com.de') | indent }} {{ nginx_crtkeypair('meet', 'meet.com.de') | indent }}
{{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }} {{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }}
{{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }} {{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }}
{{ nginx_crtkeypair('up.chillnet.org', 'up.chillnet.org') | indent }}
{#- locations shared between clearnet and Tor LibertaCasa servers #} {#- locations shared between clearnet and Tor LibertaCasa servers #}
libertacasa: libertacasa:
@ -317,9 +316,8 @@ nginx:
matterbridge.conf: matterbridge.conf:
config: config:
{{ matterbridge_media('load.casa', 'libertacasa-general') }} {{ matterbridge_media('general') }}
{{ matterbridge_media('irc.load.casa', 'libertacasa-irc') }} {{ matterbridge_media('irc') }}
{{ matterbridge_media('up.chillnet.org', 'chillnet', 'up.chillnet.org') }}
meet.conf: meet.conf:
config: config:
@ -443,4 +441,3 @@ nginx:
- sub_filter_types: application/xml - sub_filter_types: application/xml
- sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life
manage_firewall: True
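Review bot: The `matterbridge_media(name)` macro now encodes the hostname convention in an inline Jinja conditional on the `server_name` line with no explanation, so a reader cannot tell why `general` is special. A comment above the macro, `{#- 'general' serves the apex load.casa; any other name becomes <name>.load.casa and proxies to libertacasa-<name>.matterbridge… #}`, would fix that. The `{%- else %}`/`{%- endif %}` whitespace control inside a single-line value is also fragile (a stray space ends up inside `server_name`); computing the domain first, `{%- set domain = 'load.casa' if name == 'general' else name ~ '.load.casa' %}`, and then writing `- server_name: {{ domain }}` is the clearer shape.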


@ -1 +0,0 @@
manage_firewall: True


@ -108,16 +108,3 @@ prometheus:
require_tls: false require_tls: false
smarthost: 'zz0.email:465' smarthost: 'zz0.email:465'
send_resolved: yes send_resolved: yes
manage_firewall: True
firewalld:
zones:
internal:
services:
- https
ports:
- comment: DNS Slave
port: 5353
protocol: tcp
- port: 5353
protocol: udp


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_firewall: True


@ -1 +0,0 @@
manage_sshd: False


@ -1 +0,0 @@
manage_sshd: False


@ -25,19 +25,19 @@ apache:
DirectoryIndex: index.php DirectoryIndex: index.php
Directory: Directory:
/srv/www/BookStack/: /srv/www/BookStack/:
Options: FollowSymLinks Options: 'Indexes FollowSymLinks -MultiViews'
AllowOverride: None AllowOverride: None
Require: all granted Require: all granted
Formula_Append: | Formula_Append: |
RewriteEngine On RewriteEngine On
RewriteCond %{HTTP:Authorization} . RewriteCond '%{HTTP:Authorization} .'
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'
RewriteCond %{REQUEST_FILENAME} !-d RewriteCond '%{REQUEST_FILENAME} !-d'
RewriteCond %{REQUEST_URI} (.+)/$ RewriteCond '%{REQUEST_URI} (.+)/$'
RewriteRule ^ %1 [L,R=301] RewriteCond '^ %1 [L,R=301]'
RewriteCond %{REQUEST_FILENAME} !-d RewriteCond '%{REQUEST_FILENAME} !-d'
RewriteCond %{REQUEST_FILENAME} !-f RewriteCond '%{REQUEST_FILENAME} !-f'
RewriteRule ^ index.php [L] RewriteCond '^ index.php [L]'
{{ httpdformulaexcess() }} {{ httpdformulaexcess() }}
Formula_Append: | Formula_Append: |
{{ httpdcommon('BookStack') }} {{ httpdcommon('BookStack') }}
@ -88,9 +88,9 @@ profile:
saml2_email_attribute: email saml2_email_attribute: email
saml2_external_id_attribute: uid saml2_external_id_attribute: uid
saml2_display_name_attributes: fullname saml2_display_name_attributes: fullname
saml2_idp_entityid: https://libsso.net/realms/LibertaCasa saml2_idp_entityid: https://libsso.net/realms/libertacasa
saml2_idp_sso: https://libsso.net/realms/LibertaCasa/protocol/saml saml2_idp_sso: https://libsso.net/realms/libertacasa/protocol/saml
saml2_idp_slo: https://libsso.net/realms/LibertaCasa/protocol/saml saml2_idp_slo: https://libsso.net/realms/libertacasa/protocol/saml
saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'} saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
saml2_autoload_metadata: false saml2_autoload_metadata: false
saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'} saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
@ -142,7 +142,6 @@ profile:
pwd: ${'secret_privatebin:model_options:pwd'} pwd: ${'secret_privatebin:model_options:pwd'}
opt[12]: true opt[12]: true
manage_firewall: True
firewalld: firewalld:
zones: zones:
backend: backend:
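Review bot: The `Formula_Append` block on the new side has no `RewriteRule` left — the three rule lines became `RewriteCond`, and wrapping each directive's arguments in single quotes makes Apache's config parser treat them as one argument, so `RewriteCond` sees a single operand and the vhost fails at configtest; even if it loaded, the trailing-slash redirect, the `index.php` front controller and the `HTTP_AUTHORIZATION` pass-through (which BookStack's API auth relies on) would never apply. The directives should be unquoted and the rules restored as shown below. Separately, `Options: 'Indexes FollowSymLinks -MultiViews'` enables directory listing under `/srv/www/BookStack/`; unless listings are needed, use `Options: '-Indexes FollowSymLinks -MultiViews'` so unrouted paths do not expose file names. The realm rename `LibertaCasa` → `libertacasa` in the saml2_idp URLs is case-sensitive on the IdP side, so it is worth confirming against the realm actually configured.
```yaml
Formula_Append: |
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} .
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} (.+)/$
  RewriteRule ^ %1 [L,R=301]
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^ index.php [L]
  {{ httpdformulaexcess() }}
```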


@ -1,7 +0,0 @@
manage_firewall: True
firewalld:
zones:
public:
services:
- http
- https


@ -1 +0,0 @@
# empty


@ -1 +0,0 @@
# empty


@ -21,7 +21,7 @@ salt:
- roots - roots
- git - git
file_roots: file_roots:
__env__: production:
{%- for formula in formulas %} {%- for formula in formulas %}
- /srv/formulas/{{ formula }}-formula - /srv/formulas/{{ formula }}-formula
{%- endfor %} {%- endfor %}
@ -30,7 +30,6 @@ salt:
- https://git.com.de/LibertaCasa/salt.git: - https://git.com.de/LibertaCasa/salt.git:
- user: ${'secret_salt:master:gitfs_remotes:LibertaCasa:user'} - user: ${'secret_salt:master:gitfs_remotes:LibertaCasa:user'}
- password: ${'secret_salt:master:gitfs_remotes:LibertaCasa:password'} - password: ${'secret_salt:master:gitfs_remotes:LibertaCasa:password'}
- fallback: production
ext_pillar: ext_pillar:
- netbox: - netbox:
api_url: ${'secret_salt:master:ext_pillar:netbox:api_url'} api_url: ${'secret_salt:master:ext_pillar:netbox:api_url'}
@ -60,7 +59,6 @@ salt:
timeout: 20 timeout: 20
gather_job_timeout: 20 gather_job_timeout: 20
keep_jobs: 30 keep_jobs: 30
ping_on_rotate: True
user: ${'secret_salt:master:user'} user: ${'secret_salt:master:user'}
syndic_user: ${'secret_salt:master:syndic_user'} syndic_user: ${'secret_salt:master:syndic_user'}
cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'} cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'}
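Review bot: Narrowing `file_roots` from `__env__` to `production` leaves every other saltenv without the `/srv/formulas/*-formula` directories, and the gitfs remote on the new side carries no `fallback`, so as far as I can tell a minion running with any saltenv other than production (or a test run against another environment) would find no formulas at all rather than the production copies. If that is intended, a comment on the `production:` key, `# formulas are served for the production saltenv only; other envs must be fully populated via gitfs`, records the decision; otherwise keep `__env__` or restore `fallback: production` on the remote. The gitfs credentials being pulled from the secret pillar rather than inlined is the right shape.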


@ -3,7 +3,4 @@ salt:
minion_remove_config: True minion_remove_config: True
minion: minion:
master_type: str master_type: str
backup_mode: minion
cache_jobs: True
enable_gpu_grains: False
saltenv: production saltenv: production


@ -1 +0,0 @@
# Nothing yet


@ -1,6 +1,5 @@
include: include:
- openssh.banner - openssh.banner
{%- if salt['pillar.get']('manage_sshd', True) %}
- openssh.config - openssh.config
/etc/ssh/user_ca: /etc/ssh/user_ca:
@ -11,4 +10,3 @@ include:
{%- endfor -%} {%- endfor -%}
- require: - require:
- pkg: openssh - pkg: openssh
{%- endif %}


@ -1,16 +1,9 @@
include: include:
{#- drop pillar check after all firewall configurations have been imported #}
{%- if salt['pillar.get']('manage_firewall', False) %}
- firewalld - firewalld
{%- endif %}
- profile.seccheck - profile.seccheck
- profile.zypp - profile.zypp
- profile.prometheus.node_exporter - profile.prometheus.node_exporter
{%- if salt['cmd.run']("awk '/^passwd/{ print $2; exit }' /etc/nsswitch.conf") == 'sss' %}
{%- do salt.log.warning('Not configuring local users due to sss') %}
{%- else %}
- users - users
{%- endif %}
- .ssh - .ssh
- postfix.config - postfix.config
@ -69,6 +62,7 @@ common_packages_remove:
{#- we only use AutoYaST for the OS deployment #} {#- we only use AutoYaST for the OS deployment #}
- autoyast2 - autoyast2
- autoyast2-installation - autoyast2-installation
- libX11-data
- yast2-add-on - yast2-add-on
- yast2-services-manager - yast2-services-manager
- yast2-slp - yast2-slp
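Review bot: `- users` is now included unconditionally, so on a host whose `passwd` lookup goes through sss the users formula would create or modify local accounts side by side with the directory-provided ones, which is exactly what the removed nsswitch check and log warning prevented. If no host in this branch is enrolled in sssd, a comment on the include, `# users: assumes local passwd on every host; hosts using sssd must exclude this`, records the assumption; otherwise a pillar switch (in the style of the `manage_firewall` gate that used to sit above `- firewalld`) is the safer way to opt hosts out. The include list continues past the first hunk, so the rest of it is not visible here.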


@ -16,8 +16,11 @@
- require: - require:
- file: {{ snippetsdir }} - file: {{ snippetsdir }}
{#- formula dependencies #} {#- formula dependencies #}
- watch_in: - require_in:
- module: apache-service-running-restart
- service: apache-service-running - service: apache-service-running
- watch_in:
- module: apache-service-running-reload
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}


@ -10,7 +10,7 @@ bookstack_permissions:
file.managed: file.managed:
- mode: '0640' - mode: '0640'
- user: root - user: root
- group: www - group: wwwrun
- names: - names:
- {{ configfile }} - {{ configfile }}
@ -24,10 +24,10 @@ bookstack_permissions:
- key_values: - key_values:
{%- macro condconf(option) %} {%- macro condconf(option) %}
{%- if option in mypillar -%} {%- if option in mypillar -%}
{%- if ( mypillar[option] is string and mypillar[option].startswith('$') ) or mypillar[option] is number %} {%- if mypillar[option] is string and mypillar[option].startswith('$') or mypillar[option] is number %}
{%- set value = mypillar[option] %} {%- set value = mypillar[option] %}
{%- else %} {%- else %}
{%- set value = "\"'" ~ mypillar[option] ~ "'\"" %} {%- set value = mypillar[option] | quote %}
{%- endif %} {%- endif %}
{{ option | upper }}: {{ value }} {{ option | upper }}: {{ value }}
{%- endif -%} {%- endif -%}
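Review bot: `mypillar[option] | quote` only adds quotes when the value needs shell quoting (Salt's `quote` filter is shlex-style as far as I know), so a pillar string such as `true`, `1.20` or `2024-01-01` is rendered as a plain YAML scalar and the state loader retypes it before `ini.options_present` sees it, and values the old `"'…'"` wrapper always delivered to the `.env` as `'value'` now arrive unquoted. Passing the result through one of Salt's YAML quoting filters in the else branch, `{%- set value = mypillar[option] | quote | yaml_dquote %}`, keeps the dotenv quoting the new code intends while guaranteeing the rendered state sees a string; the same applies to the `conf(section, options)` macro in the privatebin state below. Dropping the parentheses in the `is string and … or … is number` test is behaviour-preserving (`and` binds tighter than `or`), but they made the intent obvious and I would keep them.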


@ -24,10 +24,10 @@ privatebin_clean:
- sections: - sections:
{%- macro conf(section, options) %} {%- macro conf(section, options) %}
{%- for option in options.keys() -%} {%- for option in options.keys() -%}
{%- if ( mypillar[section][option] is string and mypillar[section][option].startswith('$') ) or mypillar[section][option] is number %} {%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
{%- set value = mypillar[section][option] -%} {%- set value = mypillar[section][option] -%}
{%- else %} {%- else %}
{%- set value = "\"'" ~ mypillar[section][option] ~ "'\"" -%} {%- set value = mypillar[section][option] | quote -%}
{%- endif %} {%- endif %}
{{ option }}: {{ value }} {{ option }}: {{ value }}
{%- endfor -%} {%- endfor -%}


@ -1,6 +0,0 @@
salt_master_formulas:
git.latest:
- name: https://git.com.de/LibertaCasa/salt-formulas.git
- target: /srv/formulas
- branch: production
- submodules: True


@ -7,7 +7,6 @@
include: include:
- salt.master - salt.master
- .formulas
salt_master_extension_modules_dirs: salt_master_extension_modules_dirs:
file.directory: file.directory:
@ -35,13 +34,20 @@ salt_master_extension_modules_bins:
- require: - require:
- file: salt_master_extension_modules_dirs - file: salt_master_extension_modules_dirs
salt_master_formulas:
git.latest:
- name: https://git.com.de/LibertaCasa/salt-formulas.git
- target: /srv/formulas
- branch: production
- submodules: True
salt_master_extra_packages: salt_master_extra_packages:
pkg.installed: pkg.installed:
- names: - names:
- python3-ldap - python3-ldap
- python3-pynetbox - python3-pynetbox
- python3-redis - python3-redis
- redis7 - redis
- salt-bash-completion - salt-bash-completion
- salt-fish-completion - salt-fish-completion
- salt-keydiff - salt-keydiff
@ -68,7 +74,7 @@ salt_master_extra_packages:
- group: redis - group: redis
- mode: '0640' - mode: '0640'
- require: - require:
- pkg: redis7 - pkg: redis
/var/lib/redis/salt: /var/lib/redis/salt:
file.directory: file.directory:
@ -76,19 +82,19 @@ salt_master_extra_packages:
- group: redis - group: redis
- mode: '0750' - mode: '0750'
- require: - require:
- pkg: redis7 - pkg: redis
salt_redis_service_enable: salt_redis_service_enable:
service.enabled: service.enabled:
- name: {{ redis_service }} - name: {{ redis_service }}
- require: - require:
- pkg: redis7 - pkg: redis
salt_redis_service_start: salt_redis_service_start:
service.running: service.running:
- name: {{ redis_service }} - name: {{ redis_service }}
- require: - require:
- pkg: redis7 - pkg: redis
- watch: - watch:
- file: {{ redis_config }} - file: {{ redis_config }}
@ -96,7 +102,7 @@ salt_redis_membership:
group.present: group.present:
- name: redis - name: redis
- require: - require:
- pkg: redis7 - pkg: redis
- addusers: - addusers:
- {{ master_pillar['user'] }} - {{ master_pillar['user'] }}
{%- if pillar['secret_salt'] is defined %} {%- if pillar['secret_salt'] is defined %}
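Review bot: `salt_master_formulas`, now inlined after `salt_master_extension_modules_bins`, pins nothing but `branch: production`; in `git.latest` `branch` names the local branch while `rev` selects the remote ref, so as far as I can tell this checks out the remote HEAD under a local branch called production, and either way the formulas tree every state executes from follows a mutable branch head. Add `- rev: production` (or a tag/commit that is bumped deliberately) and, given `- submodules: True`, a comment `# submodule revisions are whatever the superproject commit records; review them with the same care as the formulas` so the supply-chain assumption is visible. The `redis7` → `redis` rename is repeated consistently across the `require` lists in this section.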