From e58c63decca002f3b23aa0ac698424403355a060 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 00:34:44 +0100 Subject: [PATCH 01/13] Enable apache-formula Signed-off-by: Georg Pfuetzenreuter --- pillar/formulas.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/formulas.yaml b/pillar/formulas.yaml index 191a8e1..9c50d7a 100644 --- a/pillar/formulas.yaml +++ b/pillar/formulas.yaml @@ -1,4 +1,5 @@ --- +- apache - firewalld - keepalived - nginx -- 2.35.3 From 906dd92d7ed1bd79eb2524b9a3e1a0d880eab068 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 00:36:43 +0100 Subject: [PATCH 02/13] Add web.apache-httpd role Signed-off-by: Georg Pfuetzenreuter --- pillar/role/web/apache-httpd.sls | 3 +++ salt/role/web/apache-httpd.sls | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 pillar/role/web/apache-httpd.sls create mode 100644 salt/role/web/apache-httpd.sls diff --git a/pillar/role/web/apache-httpd.sls b/pillar/role/web/apache-httpd.sls new file mode 100644 index 0000000..5b4b64b --- /dev/null +++ b/pillar/role/web/apache-httpd.sls @@ -0,0 +1,3 @@ +apache: + global: + ServerAdmin: system@lysergic.dev diff --git a/salt/role/web/apache-httpd.sls b/salt/role/web/apache-httpd.sls new file mode 100644 index 0000000..7c2002f --- /dev/null +++ b/salt/role/web/apache-httpd.sls @@ -0,0 +1,2 @@ +include: + - apache.config -- 2.35.3 From 5e0c0e4bffc6966f56c233b0af1b18b0ef42e3bc Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 00:37:20 +0100 Subject: [PATCH 03/13] Add bookstack profile+role Signed-off-by: Georg Pfuetzenreuter --- salt/profile/bookstack/init.sls | 70 +++++++++++++++++++++++++++++++++ salt/role/bookstack.sls | 3 ++ 2 files changed, 73 insertions(+) create mode 100644 salt/profile/bookstack/init.sls create mode 100644 salt/role/bookstack.sls diff --git a/salt/profile/bookstack/init.sls b/salt/profile/bookstack/init.sls new file mode 100644 index 0000000..af14a4b --- /dev/null 
+++ b/salt/profile/bookstack/init.sls 
@@ -0,0 +1,70 @@ +{%- set mypillar = salt['pillar.get']('profile:bookstack', {}) -%} +{%- set configfile = '/etc/sysconfig/BookStack' -%} + +bookstack_packages: + pkg.installed: + - names: + - BookStack-config-php-fpm-apache + +bookstack_permissions: + file.managed: + - mode: '0640' + - user: root + - group: wwwrun + - names: + - {{ configfile }} + +{%- if mypillar | length %} +{{ configfile }}: + file.keyvalue: + - separator: '=' + - show_changes: False + - require: + - pkg: bookstack_packages + - key_values: + {%- macro condconf(option) %} + {%- if option in mypillar -%} + {{ option | upper }}: {{ mypillar[option] }} + {%- endif -%} + {%- endmacro %} + {{ condconf('app_url') }} + {{ condconf('db_host') }} + {{ condconf('db_database') }} + {{ condconf('db_username') }} + {{ condconf('db_password') }} + {{ condconf('mail_driver') }} + {{ condconf('mail_from_name') }} + {{ condconf('mail_from') }} + {{ condconf('mail_host') }} + {{ condconf('mail_port') }} + {{ condconf('mail_username') }} + {{ condconf('mail_password') }} + {{ condconf('mail_encryption') }} + {{ condconf('app_theme') }} + {{ condconf('cache_driver') }} + {{ condconf('session_driver') }} + {{ condconf('memcached_servers') }} + {{ condconf('session_secure_cookie') }} + {{ condconf('session_cookie_name') }} + {{ condconf('app_debug') }} + {{ condconf('session_lifetime') }} + {{ condconf('auth_method') }} + {{ condconf('auth_auto_initiate') }} + {{ condconf('saml2_name') }} + {{ condconf('saml2_email_attribute') }} + {{ condconf('saml2_external_id_attribute') }} + {{ condconf('saml2_display_name_attributes') }} + {{ condconf('saml2_idp_entityid') }} + {{ condconf('saml2_idp_entityid') }} + {{ condconf('saml2_idp_sso') }} + {{ condconf('saml2_idp_slo') }} + {{ condconf('saml2_idp_x509') }} + {{ condconf('saml2_autoload_metadata') }} + {{ condconf('saml2_sp_x509') }} + {{ condconf('saml2_user_to_groups') }} + {{ condconf('saml2_group_attribute') }} + {{ condconf('saml2_remove_from_groups') }} + {{ 
condconf('saml2_dump_user_details') }} + {{ condconf('queue_connection') }} + {{ condconf('app_views_books') }} +{%- endif %} diff --git a/salt/role/bookstack.sls b/salt/role/bookstack.sls new file mode 100644 index 0000000..4c7f087 --- /dev/null +++ b/salt/role/bookstack.sls @@ -0,0 +1,3 @@ +include: + - role.web.apache-httpd + - profile.bookstack -- 2.35.3 From e36d40dbc3a46c1d13834f9ecee69089b4a35211 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 00:37:54 +0100 Subject: [PATCH 04/13] id.themis: add BookStack httpd configuration Signed-off-by: Georg Pfuetzenreuter --- pillar/id/themis_lysergic_dev.sls | 36 +++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 pillar/id/themis_lysergic_dev.sls diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls new file mode 100644 index 0000000..4fa5a51 --- /dev/null +++ b/pillar/id/themis_lysergic_dev.sls 
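Review bot: The `condconf` list in salt/profile/bookstack/init.sls has no entry for `saml2_sp_x509_key`, so the SP private key that the themis pillar supplies in patch 05 (`saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}`) is never written to /etc/sysconfig/BookStack; add `{{ condconf('saml2_sp_x509_key') }}` right after `{{ condconf('saml2_sp_x509') }}`. The `file.keyvalue` state also runs with the default `append_if_not_found: False`, so any key that the packaged sysconfig file does not already carry (the SAML2 and memcached ones seem likeliest) is silently skipped rather than added; set `- append_if_not_found: True` unless the package is guaranteed to ship every key. Keeping `show_changes: False` is right here, since the DB, mail and SAML secrets flow through this state.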
@@ -0,0 +1,36 @@ +apache: + sites: + BookStack: + interface: '[fd29:8e45:f292:ff80::1]' + port: 443 + ServerName: bookstack.themis.backend.syscid.com + DocumentRoot: /srv/www/BookStack/ + DirectoryIndex: index.php + Directory: + /srv/www/BookStack/: + Options: 'Indexes FollowSymLinks -MultiViews' + AllowOverride: None + Require: all granted + Formula_Append: | + RewriteEngine On + RewriteCond '%{HTTP:Authorization} .' + RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]' + RewriteCond '%{REQUEST_FILENAME} !-d' + RewriteCond '%{REQUEST_URI} (.+)/$' + RewriteCond '^ %1 [L,R=301]' + RewriteCond '%{REQUEST_FILENAME} !-d' + RewriteCond '%{REQUEST_FILENAME} !-f' + RewriteCond '^ index.php [L]' + LogLevel: False + ErrorLog: False + LogFormat: False + CustomLog: False + ServerAdmin: False + ServerAlias: False + Formula_Append: | + Include /etc/apache2/snippets.d/ssl_themis.conf + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript + SetOutputFilter DEFLATE + + SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack' + -- 2.35.3 From d8d848055ffe8da7530ccdf3f8076a01fae44ed0 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 02:08:05 +0100 Subject: [PATCH 05/13] id.themis: add BookStack configuration Signed-off-by: Georg Pfuetzenreuter --- pillar/id/themis_lysergic_dev.sls | 41 +++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls index 4fa5a51..0773f4f 100644 --- a/pillar/id/themis_lysergic_dev.sls +++ b/pillar/id/themis_lysergic_dev.sls 
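Review bot: In the `Directory` `Formula_Append` for /srv/www/BookStack/, the three lines that carry a substitution and flags — `RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'`, `RewriteCond '^ %1 [L,R=301]'` and `RewriteCond '^ index.php [L]'` — are RewriteRule directives written as RewriteCond, so neither the front-controller rewrite nor the Authorization-header passthrough takes effect (if the formula emits them verbatim, httpd should reject them as malformed conditions at config test). Change those three to `RewriteRule ...` and keep the remaining lines as conditions; the single quotes wrapping each whole argument list also look unintended unless the formula strips them. Separately, `Options: 'Indexes FollowSymLinks -MultiViews'` enables directory listings under the DocumentRoot, which a front-controller application does not need, so `-Indexes` is the safer default.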
@@ -34,3 +34,44 @@ apache: SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack' + +profile: + bookstack: + app_url: https://libertacasa.info + db_host: ${'secret_bookstack:db_host'} + db_database: ${'secret_bookstack:db_database'} + db_username: ${'secret_bookstack:db_username'} + db_password: ${'secret_bookstack:db_password'} + mail_driver: smtp + mail_from_name: LibertaCasa Documentation + mail_from: mail@libertacasa.info + mail_host: zz0.email + mail_port: 465 + mail_username: mail@libertacasa.info + mail_password: ${'secret_bookstack:mail_password'} + mail_encryption: ssl + app_theme: lysergic + cache_driver: memcached + session_driver: memcached + memcached_servers: /run/memcached/memcached.sock + session_secure_cookie: true + session_cookie_name: libertacasa_megayummycookie + app_debug: false + session_lifetime: 240 + auth_method: saml2 + auth_auto_initiate: true + saml2_name: LibertaCasa SSO + saml2_email_attribute: email + saml2_external_id_attribute: uid + saml2_display_name_attributes: fullname + saml2_idp_entityid: https://libsso.net/realms/libertacasa + saml2_idp_sso: https://libsso.net/realms/libertacasa/protocol/saml + saml2_idp_slo: https://libsso.net/realms/libertacasa/protocol/saml + saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'} + saml2_autoload_metadata: false + saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'} + saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'} + saml2_user_to_groups: true + saml2_group_attribute: groups + saml2_remove_from_groups: true + queue_connection: database -- 2.35.3 From 4653655010c16d8f1f128480b55d4cd2e9f5a9e7 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 13:40:47 +0100 Subject: [PATCH 06/13] profile.apache-httpd: manage snippets - add apache-httpd profile with snippets configuration - add TLS snippet to apache-httpd role pillar 
Signed-off-by: Georg Pfuetzenreuter --- pillar/role/web/apache-httpd.sls | 10 ++++++++++ salt/profile/apache-httpd/init.sls | 31 ++++++++++++++++++++++++++++++ salt/role/web/apache-httpd.sls | 2 +- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 salt/profile/apache-httpd/init.sls diff --git a/pillar/role/web/apache-httpd.sls b/pillar/role/web/apache-httpd.sls index 5b4b64b..bd77162 100644 --- a/pillar/role/web/apache-httpd.sls +++ b/pillar/role/web/apache-httpd.sls @@ -1,3 +1,13 @@ +{%- set host = grains['host'] -%} +{%- set fqdn = grains['fqdn'] -%} + apache: global: ServerAdmin: system@lysergic.dev + +profile: + apache-httpd: + snippets: + ssl_{{ host }}: + - 'SSLCertificateFile "/etc/ssl/{{ host }}/{{ fqdn }}.crt"' + - 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"' diff --git a/salt/profile/apache-httpd/init.sls b/salt/profile/apache-httpd/init.sls new file mode 100644 index 0000000..db5b6f9 --- /dev/null +++ b/salt/profile/apache-httpd/init.sls @@ -0,0 +1,31 @@ +{%- set snippetsdir = '/etc/apache2/snippets.d' -%} +{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%} + +{{ snippetsdir }}: + file.directory: + - makedirs: True + +{%- if 'snippets' in mypillar %} +{%- for snippet, config in mypillar['snippets'].items() %} +{{ snippetsdir }}/{{ snippet }}.conf: + file.managed: + - contents: + {%- for line in config %} + - {{ line }} + {%- endfor %} + - require: + - file: {{ snippetsdir }} + {#- formula dependencies #} + - require_in: + - module: apache-service-running-restart + - service: apache-service-running + - watch_in: + - module: apache-service-running-reload +{%- endfor %} +{%- endif %} + +include: + - apache.config + + + diff --git a/salt/role/web/apache-httpd.sls b/salt/role/web/apache-httpd.sls index 7c2002f..559d860 100644 --- a/salt/role/web/apache-httpd.sls +++ b/salt/role/web/apache-httpd.sls @@ -1,2 +1,2 @@ include: - - apache.config + - profile.apache-httpd -- 2.35.3 
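Review bot: The `ssl_{{ host }}` snippet in pillar/role/web/apache-httpd.sls sets only `SSLCertificateFile` and `SSLCertificateKeyFile`; there is no `SSLEngine on` and no protocol or cipher policy, so unless the apache-formula vhost template emits `SSLEngine on` for port 443 sites by itself, the BookStack vhost from patch 04 that includes this snippet answers in plaintext on 443. If the formula does not add it, put `- 'SSLEngine on'` as the first line of the snippet, and a protocol/cipher line belongs there as well. Style: salt/profile/apache-httpd/init.sls ends with three blank `+` lines after the `include:` block, which can be dropped.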
From f820978b7897ea4650f031fa80c11384061e7375 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 18:05:14 +0100 Subject: [PATCH 07/13] Add memcached role Signed-off-by: Georg Pfuetzenreuter --- pillar/role/memcached.sls | 2 ++ salt/role/memcached.sls | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 pillar/role/memcached.sls create mode 100644 salt/role/memcached.sls diff --git a/pillar/role/memcached.sls b/pillar/role/memcached.sls new file mode 100644 index 0000000..e3ded73 --- /dev/null +++ b/pillar/role/memcached.sls @@ -0,0 +1,2 @@ +memcached: + listen_address: /run/memcached/memcached.sock diff --git a/salt/role/memcached.sls b/salt/role/memcached.sls new file mode 100644 index 0000000..f277347 --- /dev/null +++ b/salt/role/memcached.sls @@ -0,0 +1,2 @@ +include: + - memcached.config -- 2.35.3 From edbf9f3f20da6e9b4d865bc51537088ff62320e1 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 19 Feb 2023 18:06:21 +0100 Subject: [PATCH 08/13] role.bookstack: include memcached Signed-off-by: Georg Pfuetzenreuter --- salt/role/bookstack.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/role/bookstack.sls b/salt/role/bookstack.sls index 4c7f087..3d8882d 100644 --- a/salt/role/bookstack.sls +++ b/salt/role/bookstack.sls @@ -1,3 +1,4 @@ include: - role.web.apache-httpd + - role.memcached - profile.bookstack -- 2.35.3 From f55e5363a07e5ebb6ef0e4cab70ae90fdc70f969 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 22 Feb 2023 20:40:34 +0100 Subject: [PATCH 09/13] Enable memcached-formula Signed-off-by: Georg Pfuetzenreuter --- pillar/formulas.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/formulas.yaml b/pillar/formulas.yaml index 9c50d7a..c459929 100644 --- a/pillar/formulas.yaml +++ b/pillar/formulas.yaml @@ -2,6 +2,7 @@ - apache - firewalld - keepalived +- memcached - nginx - openssh - postfix -- 2.35.3 From 361e118b316622c731556fdc62144b24aa6f9c23 Mon Sep 17 00:00:00 2001 
From: Georg Pfuetzenreuter Date: Sun, 26 Feb 2023 11:12:44 +0100 Subject: [PATCH 10/13] Add php-fpm role Signed-off-by: Georg Pfuetzenreuter --- pillar/role/php-fpm.sls | 1 + salt/role/php-fpm.sls | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 pillar/role/php-fpm.sls create mode 100644 salt/role/php-fpm.sls diff --git a/pillar/role/php-fpm.sls b/pillar/role/php-fpm.sls new file mode 100644 index 0000000..1bb8bf6 --- /dev/null +++ b/pillar/role/php-fpm.sls @@ -0,0 +1 @@ +# empty diff --git a/salt/role/php-fpm.sls b/salt/role/php-fpm.sls new file mode 100644 index 0000000..14c3592 --- /dev/null +++ b/salt/role/php-fpm.sls @@ -0,0 +1,2 @@ +include: + - php.fpm -- 2.35.3 From c28a4f5a52490f8f243a9904c5b4c6023952cb97 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 26 Feb 2023 11:20:15 +0100 Subject: [PATCH 11/13] role.bookstack: include php-fpm Signed-off-by: Georg Pfuetzenreuter --- salt/role/bookstack.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/role/bookstack.sls b/salt/role/bookstack.sls index 3d8882d..de99a01 100644 --- a/salt/role/bookstack.sls +++ b/salt/role/bookstack.sls @@ -2,3 +2,4 @@ include: - role.web.apache-httpd - role.memcached - profile.bookstack + - php.fpm -- 2.35.3 From a1ce36fd6c5e4ed6e1f23eb7036c11c73fb6a323 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 26 Feb 2023 11:22:25 +0100 Subject: [PATCH 12/13] Enable php-formula Signed-off-by: Georg Pfuetzenreuter --- pillar/formulas.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/pillar/formulas.yaml b/pillar/formulas.yaml index c459929..bf74c21 100644 --- a/pillar/formulas.yaml +++ b/pillar/formulas.yaml @@ -5,6 +5,7 @@ - memcached - nginx - openssh +- php - postfix - prometheus - salt -- 2.35.3 From c932881cd70bd64db40245ea1e3df283f3859c78 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sat, 11 Mar 2023 18:10:07 +0100 Subject: [PATCH 13/13] profile.bookstack: quote keys Some keys needed quoting to pass the YAML parser. 
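Review bot: The new include in salt/role/bookstack.sls is `- php.fpm`, while the sibling entries pull in roles (`role.web.apache-httpd`, `role.memcached`) and patch 10 just added `salt/role/php-fpm.sls`, which wraps that same `php.fpm` state; use `- role.php-fpm` so the bookstack role goes through the php-fpm role like the others and inherits whatever that role grows later. Today the two are equivalent because the role only contains the include.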
Signed-off-by: Georg Pfuetzenreuter --- salt/profile/bookstack/init.sls | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/profile/bookstack/init.sls b/salt/profile/bookstack/init.sls index af14a4b..3dc5a36 100644 --- a/salt/profile/bookstack/init.sls +++ b/salt/profile/bookstack/init.sls @@ -24,7 +24,12 @@ bookstack_permissions: - key_values: {%- macro condconf(option) %} {%- if option in mypillar -%} - {{ option | upper }}: {{ mypillar[option] }} + {%- if mypillar[option] is string and mypillar[option].startswith('$') or mypillar[option] is number %} + {%- set value = mypillar[option] %} + {%- else %} + {%- set value = mypillar[option] | quote %} + {%- endif %} + {{ option | upper }}: {{ value }} {%- endif -%} {%- endmacro %} {{ condconf('app_url') }} @@ -55,7 +60,6 @@ bookstack_permissions: {{ condconf('saml2_external_id_attribute') }} {{ condconf('saml2_display_name_attributes') }} {{ condconf('saml2_idp_entityid') }} - {{ condconf('saml2_idp_entityid') }} {{ condconf('saml2_idp_sso') }} {{ condconf('saml2_idp_slo') }} {{ condconf('saml2_idp_x509') }} -- 2.35.3
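Review bot: In the rewritten `condconf` macro, `mypillar[option] is number` is also true for booleans (Jinja's `number` test accepts bool as an int subclass), so `session_secure_cookie: true` and the other flags render as Python `True`/`False`, while the remaining branch applies `| quote`, which is shell (shlex) quoting rather than YAML quoting: a value with spaces becomes `'LibertaCasa Documentation'` (fine), but one containing a single quote becomes `'a'"'"'b'`, which the YAML parser does not read back as intended. Rendering every non-`$` value with `{{ option | upper }}: {{ mypillar[option] | tojson }}` yields a valid double-quoted YAML scalar for any string, keeps numbers bare and emits booleans as `true`/`false`; whether the consumer of /etc/sysconfig/BookStack expects lowercase booleans is something to confirm. The `$`-prefix branch still depends on the `${'secret_…'}` placeholder syntax from pillar/id/themis_lysergic_dev.sls staying exactly that. The `file.keyvalue` state these lines belong to starts before the hunk.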