Compare commits

...

No commits in common. "devel" and "master" have entirely different histories.

160 changed files with 8643 additions and 8 deletions

13
ansible/deployment_poc/.gitignore vendored Normal file
View File

@ -0,0 +1,13 @@
__pycache__/
locks/
playbooks/ghost.yml
playbooks/test.yml
shared/
templates/autoinst_*.lysergic.dev.xml.j2
templates/generated/
variables/deploy-variables.yml
inventory.yml
*.bak
*.example
*.old
*.tgz

View File

@ -0,0 +1 @@
![Flowchart about the deployment and provisioning process](flow.svg)

View File

@ -0,0 +1,321 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd">
<svg width="106cm" height="76cm" viewBox="-561 -1021 2120 1505" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g>
<path style="fill: #ffffff" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0z"/>
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.5" y="52.3989">
<tspan x="-315.5" y="52.3989">START</tspan>
<tspan x="-315.5" y="68.3989"></tspan>
<tspan x="-315.5" y="84.3989">"User decides to provision a new virtual machine"</tspan>
</text>
</g>
<g>
<path style="fill: #ffffff" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333z"/>
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="176.775" y="252.215">
<tspan x="176.775" y="252.215">NetBox</tspan>
<tspan x="176.775" y="268.215">(User)</tspan>
<tspan x="176.775" y="284.215"></tspan>
<tspan x="176.775" y="300.215">1. User creates a "Virtual Machine" object</tspan>
<tspan x="176.775" y="316.215">and enters the desired specifications</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-144.538" y1="129.513" x2="93.0249" y2="219.827"/>
<polygon style="fill: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
</g>
<g>
<rect style="fill: #ffffff" x="880" y="240" width="349.4" height="70"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="880" y="240" width="349.4" height="70"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1054.7" y="262.881">
<tspan x="1054.7" y="262.881">Webhook</tspan>
<tspan x="1054.7" y="278.881"></tspan>
<tspan x="1054.7" y="294.881">3. HTTPS POST is received and body data is parsed</tspan>
</text>
</g>
<g>
<polygon style="fill: #ffffff" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1008.62" y="382.881">
<tspan x="1008.62" y="382.881">NetBox</tspan>
<tspan x="1008.62" y="398.881">(System)</tspan>
<tspan x="1008.62" y="414.881"></tspan>
<tspan x="1008.62" y="430.881">2. System creates a JSON object</tspan>
<tspan x="1008.62" y="446.881">and sends it out via HTTPS POST</tspan>
</text>
</g>
<g>
<polygon style="fill: #ffffff" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1378.87" y="62.8812">
<tspan x="1378.87" y="62.8812">YES</tspan>
<tspan x="1378.87" y="78.8812"></tspan>
<tspan x="1378.87" y="94.8812">Wehook</tspan>
<tspan x="1378.87" y="110.881">(System)</tspan>
<tspan x="1378.87" y="126.881"></tspan>
<tspan x="1378.87" y="142.881">4. A shell script is executed, initiating</tspan>
<tspan x="1378.87" y="158.881">a SSH session</tspan>
</text>
</g>
<g>
<polygon style="fill: #ffffff" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="770.22" y="104.785">
<tspan x="770.22" y="104.785">Does the received object contain valid JSON</tspan>
<tspan x="770.22" y="120.785">with the required attributes?</tspan>
</text>
</g>
<g>
<polygon style="fill: #ffffff" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="607.212" y="407.131">
<tspan x="607.212" y="407.131">Does the created object contain</tspan>
<tspan x="607.212" y="423.131">the requireed fields?</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="314.551" y1="302.747" x2="507.445" y2="374.262"/>
<polygon style="fill: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="775.424" y1="411.145" x2="868.251" y2="411.087"/>
<polygon style="fill: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1026.24" y1="358.996" x2="1039.38" y2="320.222"/>
<polygon style="fill: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="578.953" y1="351.04" x2="350.273" y2="-136.195"/>
<polygon style="fill: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="993.303" y1="239.153" x2="857.778" y2="160.026"/>
<polygon style="fill: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1001.38" y1="108.181" x2="1213.84" y2="107.516"/>
<polygon style="fill: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="700.682" y1="59.8147" x2="418.504" y2="-139.385"/>
<polygon style="fill: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
</g>
<g>
<rect style="fill: #ffffff" x="1260" y="-240" width="286.601" height="134.793"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1260" y="-240" width="286.601" height="134.793"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1403.3" y="-192.722">
<tspan x="1403.3" y="-192.722">Ansible</tspan>
<tspan x="1403.3" y="-176.722">(System)</tspan>
<tspan x="1403.3" y="-160.722"></tspan>
<tspan x="1403.3" y="-144.722">5. A playbook is executed</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1384.81" y1="39.002" x2="1396.48" y2="-94.5735"/>
<polygon style="fill: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
</g>
<g>
<path style="fill: #ffffff" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92z"/>
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92"/>
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-509.11 1339.34,-501.84 1392.22,-501.84 C 1445.12,-501.84 1471.56,-509.11 1524.45,-530.92"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1392.22" y="-478.339">
<tspan x="1392.22" y="-478.339">NetBox</tspan>
<tspan x="1392.22" y="-462.339">(System)</tspan>
<tspan x="1392.22" y="-446.339"></tspan>
<tspan x="1392.22" y="-430.339">6. The Virtual Machine object is queried </tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1400.78" y1="-240.992" x2="1395.84" y2="-374.856"/>
<polygon style="fill: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
</g>
<g>
<polygon style="fill: #ffffff" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="918.547" y="-109.878">
<tspan x="918.547" y="-109.878">Does the Virtual Machine object contain the required</tspan>
<tspan x="918.547" y="-93.8776">fields, is it in the correct state and</tspan>
<tspan x="918.547" y="-77.8776">compliant?l</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1298.76" y1="-398.763" x2="1013.15" y2="-172.656"/>
<polygon style="fill: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
</g>
<g>
<rect style="fill: #ffffff" x="120" y="-280" width="388.45" height="134"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="120" y="-280" width="388.45" height="134"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="314.225" y="-241.119">
<tspan x="314.225" y="-241.119">NO</tspan>
<tspan x="314.225" y="-225.119"></tspan>
<tspan x="314.225" y="-209.119">(System)</tspan>
<tspan x="314.225" y="-193.119"></tspan>
<tspan x="314.225" y="-177.119">Received data is discarded, and the process is aborted</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="742.533" y1="-131.324" x2="519.002" y2="-173.95"/>
<polygon style="fill: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
</g>
<g>
<rect style="fill: #ffffff" x="800" y="-420" width="252" height="134.793"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-420" width="252" height="134.793"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="926" y="-380.722">
<tspan x="926" y="-380.722">Ansible</tspan>
<tspan x="926" y="-364.722">(System)</tspan>
<tspan x="926" y="-348.722"></tspan>
<tspan x="926" y="-332.722">7. A virtual hard disk is created</tspan>
<tspan x="926" y="-316.722">he actual virtual machine is defined</tspan>
</text>
</g>
<g>
<rect style="fill: #ffffff" x="800" y="-580" width="230.15" height="86"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-580" width="230.15" height="86"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="915.075" y="-557.119">
<tspan x="915.075" y="-557.119">Ansible</tspan>
<tspan x="915.075" y="-541.119">(System)</tspan>
<tspan x="915.075" y="-525.119"></tspan>
<tspan x="915.075" y="-509.119">8. The virtual machine is started</tspan>
</text>
</g>
<g>
<rect style="fill: #ffffff" x="774.367" y="-709.01" width="289.3" height="86"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="774.367" y="-709.01" width="289.3" height="86"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="919.017" y="-686.129">
<tspan x="919.017" y="-686.129">Libvirt</tspan>
<tspan x="919.017" y="-670.129">(System)</tspan>
<tspan x="919.017" y="-654.129"></tspan>
<tspan x="919.017" y="-638.129">9. The virtual machine is network booted </tspan>
</text>
</g>
<g>
<rect style="fill: #ffffff" x="780" y="-860" width="280.125" height="83.646"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-860" width="280.125" height="83.646"/>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="808.012" y1="-860" x2="808.012" y2="-776.354"/>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1032.11" y1="-860" x2="1032.11" y2="-776.354"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="920.062" y="-822.296">
<tspan x="920.062" y="-822.296">The DHCP/TFTP/NFS process</tspan>
<tspan x="920.062" y="-806.296">loads a network operating system</tspan>
</text>
</g>
<g>
<rect style="fill: #ffffff" x="780" y="-1020" width="252.6" height="86"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-1020" width="252.6" height="86"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="906.3" y="-997.119">
<tspan x="906.3" y="-997.119">OpenSUSE</tspan>
<tspan x="906.3" y="-981.119">(System)</tspan>
<tspan x="906.3" y="-965.119"></tspan>
<tspan x="906.3" y="-949.119">11. The installer initializes the disk </tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.948" y1="-420.998" x2="918.257" y2="-483.286"/>
<polygon style="fill: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="916.419" y1="-580.985" x2="917.376" y2="-612.293"/>
<polygon style="fill: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="919.319" y1="-710.005" x2="919.701" y2="-765.626"/>
<polygon style="fill: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
</g>
<g>
<rect style="fill: #ffffff" x="1180" y="-1020" width="352.65" height="102"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1180" y="-1020" width="352.65" height="102"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1356.32" y="-997.119">
<tspan x="1356.32" y="-997.119">OpenSUSE</tspan>
<tspan x="1356.32" y="-981.119">(System)</tspan>
<tspan x="1356.32" y="-965.119"></tspan>
<tspan x="1356.32" y="-949.119">10. Requested oftware specifications</tspan>
<tspan x="1356.32" y="-933.119">are collected </tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1179.11" y1="-972.15" x2="1043.33" y2="-974.564"/>
<polygon style="fill: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1043.88" y1="-860.983" x2="1196.71" y2="-913.817"/>
<polygon style="fill: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
</g>
<g>
<rect style="fill: #ffffff" x="220" y="-1020" width="352.65" height="102"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="220" y="-1020" width="352.65" height="102"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="396.325" y="-989.119">
<tspan x="396.325" y="-989.119">OpenSUSE</tspan>
<tspan x="396.325" y="-973.119">(System)</tspan>
<tspan x="396.325" y="-957.119"></tspan>
<tspan x="396.325" y="-941.119">12. The operating system is installed </tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="779.024" y1="-975.003" x2="583.371" y2="-971.934"/>
<polygon style="fill: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.532" y1="-199.812" x2="923.715" y2="-274.478"/>
<polygon style="fill: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1360.09" y1="-917.011" x2="1385.15" y2="-570.617"/>
<polygon style="fill: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
</g>
<g>
<rect style="fill: #ffffff" x="-320" y="-1020" width="352.65" height="102"/>
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="-320" y="-1020" width="352.65" height="102"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-143.675" y="-997.119">
<tspan x="-143.675" y="-997.119">OpenSUSE</tspan>
<tspan x="-143.675" y="-981.119">(System)</tspan>
<tspan x="-143.675" y="-965.119"></tspan>
<tspan x="-143.675" y="-949.119">13. The system starts base daemons</tspan>
<tspan x="-143.675" y="-933.119">and sends a report via emaill</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="218.997" y1="-969" x2="43.3886" y2="-969"/>
<polygon style="fill: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
</g>
<g>
<path style="fill: #ffffff" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480z"/>
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480"/>
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.875" y="-427.601">
<tspan x="-315.875" y="-427.601">END</tspan>
<tspan x="-315.875" y="-411.601"></tspan>
<tspan x="-315.875" y="-395.601">Pipeline completed</tspan>
</text>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-159.853" y1="-916.998" x2="-292.601" y2="-490.295"/>
<polygon style="fill: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
</g>
<g>
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="119.001" y1="-275.735" x2="-115.526" y2="-351.1"/>
<polygon style="fill: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
</g>
</svg>

After

Width:  |  Height:  |  Size: 24 KiB

View File

@ -0,0 +1,133 @@
---
- hosts: status_planned
gather_facts: no
vars:
token: "{{ nb_token }}"
vm_name: "{{ inventory_hostname }}"
tag_merged: []
debug_merged: []
vars_files:
- ../variables/deploy-variables.yml
pre_tasks:
- name: Check lock
wait_for:
path: "{{ lockfile }}"
state: absent
timeout: 600
msg: Lock did not disappear in time
delegate_to: localhost
- name: Create lock
file:
path: "{{ lockfile }}"
state: touch
delegate_to: localhost
tasks:
- name: Pipeline
block:
- name: Gather details
block:
- import_tasks: "../tasks/netbox_query_vm.yml"
- import_tasks: "../tasks/netbox_query_cluster.yml"
no_log: true
- name: Assign variables
block:
- import_tasks: "../tasks/netbox_evaluate_cluster.yml"
- import_tasks: "../tasks/netbox_evaluate_vm.yml"
- name: Verify compliance
block:
- name: Check status
fail:
msg: The object is not Planned.
when: status != 'planned'
- name: Check tag
fail:
msg: The object is marked as already being in deployment.
when: '"active-deployment" in tags'
- name: Check platform
fail:
msg: The object does not contain a valid platform attribute.
when: os != 'openSUSE-Leap-x86_64' #support more OS's later
- name: Write tag and journal
import_tasks: "../tasks/netbox_tags_pre.yml"
- name: Gather site configuration
block:
- import_tasks: "../tasks/netbox_query_site.yml"
- import_tasks: "../tasks/netbox_evaluate_site.yml"
no_log: true
- name: Gather prefix
block:
- import_tasks: "../tasks/netbox_query_prefix.yml"
- import_tasks: "../tasks/netbox_evaluate_prefix.yml"
no_log: true
- name: Gather IP address
block:
- import_tasks: "../tasks/netbox_query_ip.yml"
- import_tasks: "../tasks/netbox_evaluate_ip.yml"
no_log: true
- name: Provision virtual machine
import_tasks: "../tasks/configure_libvirt.yml"
- name: Configure DHCP
import_tasks: "../tasks/init_dhcp.yml"
- name: Configure DNS
import_tasks: "../tasks/init_dns.yml"
- name: Configure Deployment Servers
import_tasks: "../tasks/init_dps.yml"
- name: Create interface object in NetBox or use existing one
block:
- import_tasks: "../tasks/netbox_init_interface.yml"
- import_tasks: "../tasks/netbox_query_interface.yml"
- import_tasks: "../tasks/netbox_evaluate_interface.yml"
no_log: true
- name: Define IP address object in NetBox
block:
- import_tasks: "../tasks/netbox_init_ip.yml"
- import_tasks: "../tasks/netbox_primaryip.yml"
no_log: true
- name: Start VM and attach console
import_tasks: "../tasks/init_vm_console.yml"
- name: Initialize SSH CA
import_tasks: "../tasks/init_ssh.yml"
- name: Assist guest OS installation
import_tasks: "../tasks/autoyast_assistant.yml"
- name: Wait for guest OS installation
import_tasks: "../tasks/wait.yml"
- name: Configure SSH
import_tasks: "../tasks/configure_ssh.yml"
always:
- name: Restore original tags
import_tasks: "../tasks/netbox_tags_post.yml"
- name: Remove lock
file:
path: "{{ lockfile }}"
state: absent
delegate_to: localhost
- name: Debug
ansible.builtin.debug:
msg: "{{ status if status is defined}} - {{ tags if tags is defined }} - {{ host if host is defined }} - {{ host_status if host_status is defined }} - {{ namespace if namespace is defined }} - {{ os if os is defined }} - {{ vcpus if vcpus is defined }} - {{ memory if memory is defined }} - {{ disk if disk is defined }}"

View File

@ -0,0 +1,79 @@
#!/bin/sh
#
# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
#
# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
# Last edit: 13/02/2022
PUBKEY="$1"
get_ip_address () {
case $KERNEL in
"OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
;;
"Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
;;
esac
}
HOSTNAME=$(hostname -s)
KERNEL=$(uname)
IP_ADDRESS="$(get_ip_address)"
if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
if [ ! -d /etc/ssh/old ]; then
mkdir /etc/ssh/old
fi
if [ -f /etc/ssh/ssh_known_hosts ]; then
mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
fi
#if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
#mv /etc/ssh/ssh_host_* /etc/ssh/old/
#fi
if [ -f /etc/ssh/ssh_host_rsa_key ]; then
mv /etc/ssh/ssh_host_* /etc/ssh/old/
fi
mv /etc/ssh/sshd_config /etc/ssh/old/
if [ -f /etc/ssh/ssh_config ]; then
mv /etc/ssh/ssh_config /etc/ssh/old/
fi
cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
ListenAddress %%IP_ADDRESS%%
Protocol 2
SyslogFacility AUTH
LogLevel FATAL
HostKey /etc/ssh/%%HOSTNAME%%
HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 1
MaxSessions 3
X11Forwarding no
PrintMotd yes
PrintLastLog yes
EOF_SSHD_CONFIG
sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
echo "$PUBKEY" > /etc/ssh/user_ca
case $KERNEL in
"OpenBSD" ) rcctl reload sshd
;;
"Linux" ) systemctl reload sshd
;;
esac
echo "OK"
else
echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
fi
else
echo "Unsupported operating system, please configure sshd manually."
fi

View File

@ -0,0 +1,38 @@
---
- name: Monitor OS installation
block:
- name: Monitor first stage
ansible.builtin.expect:
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
responses:
"reboot: Restarting system":
- "\u001d"
timeout: 720
ignore_errors: true
no_log: true
- name: Destroy
community.libvirt.virt:
uri: "{{ libvirt_url }}"
command: destroy
name: "{{ vm_name }}"
state: destroyed
- name: Start
community.libvirt.virt:
uri: "{{ libvirt_url }}"
command: start
name: "{{ vm_name }}"
state: running
- name: Unlock
ansible.builtin.expect:
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
responses:
"Please enter passphrase for disk cr_root:":
- "{{ luks_passphrase }}"
- "\u001d"
ignore_errors: yes
no_log: true
delegate_to: localhost

View File

@ -0,0 +1,40 @@
---
- name: Configure DHCP
block:
- name: Set DHCP host OS
set_fact:
dhcp_os: "{{ hostvars[dhcp_host]['platforms'][0] }}"
- name: Insert DHCP host block
ansible.builtin.blockinfile:
#backup: yes
block: "{{ lookup('template', '../templates/dhcpd.conf.j2') }}"
marker: "### {mark} Ansible managed block for {{ vm_name }} ###"
path: "/etc/dhcpd.conf"
#delegate_to: "{{ dhcp_host }}"
become: yes
become_method: doas
when: dhcp_os == 'openbsd-x86_64'
- name: Restart dhcpd
ansible.builtin.command:
argv:
- /usr/bin/doas
- rcctl
- restart
- dhcpd
when: dhcp_os == 'openbsd-x86_64'
- name: Insert DHCP static mapping
vyos.vyos.vyos_config:
backup: yes
backup_options:
dir_path: "/tmp/"
comment: "Configured as part of {{ vm_name }} deployment"
lines:
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} mac-address {{ mac_address }}"
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} ip-address {{ ip_address }}"
save: no # CHANGE BEFORE ROLLOUT
when: dhcp_os == 'vyos-x86_64'
delegate_to: "{{ dhcp_host }}"

View File

@ -0,0 +1,56 @@
---
- name: Configure DNS
block:
- name: Set FQDNs
set_fact:
dns_fqdn: "{{ lookup('community.general.dig', dns_ip + '/PTR') }}"
vm_fqdn: "{{ vm_name + '.' + namespace }}"
tags:
- init_ssh
- name: Gather DNS hostname and zonename
set_fact:
dns_host: "{{ dns_fqdn.split('.')[0] }}"
zone: "{{ namespace.split('.')[1] + '.' + namespace.split('.')[2] }}"
- name: Set DNS host OS
set_fact:
dns_os: "{{ hostvars[dns_host]['platforms'][0] }}"
- name: Insert DNS record
ansible.builtin.blockinfile:
#backup: yes
block: "{{ lookup('template', '../templates/nsd_zone.j2') }}"
marker: "; {mark} Ansible managed block for {{ vm_name }}"
path: "/var/nsd/zones/master/{{ zone }}.zone"
when: dns_os == 'openbsd-x86_64'
delegate_to: "{{ dns_host }}"
- name: Reload DNS zone
ansible.builtin.command:
argv:
- /usr/bin/doas
- nsd-control
- reload
- "{{ zone }}"
when: dhcp_os == 'openbsd-x86_64'
delegate_to: "{{ dns_host }}"
- name: Insert DNS static host mapping
vyos.vyos.vyos_config:
backup: yes
backup_options:
dir_path: "/tmp/"
comment: "Configured as part of {{ vm_name }} deployment"
lines:
- "set system static-host-mapping host-name {{ vm_fqdn }} inet {{ ip_address }}"
- "set system static-host-mapping host-name {{ vm_fqdn }} alias {{ vm_name }}"
save: no # CHANGE BEFORE ROLLOUT
when: dns_os == 'vyos-x86_64'
delegate_to: "{{ dns_host }}"
always:
- name: Debug
ansible.builtin.debug:
msg: "{{ dns_ip if dns_ip is defined }} - {{ dns_host if dns_host is defined }} - {{ dns_fqdn if dns_fqdn is defined }} - {{ dns_os if dns_os is defined }} - {{ vm_fqdn if vm_fqdn is defined }} - {{ zone if zone is defined }}"

View File

@ -0,0 +1,55 @@
---
- name: Configure Deployment Server
block:
- name: Set DP host OS
set_fact:
dp_os: "{{ hostvars[deployment_host]['platforms'][0] }}"
- name: Prepare Grub host file
ansible.builtin.template:
src: ../templates/grub.j2
dest: "/srv/www/boot/hosts/{{ ip_address }}.cfg"
group: wheel
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
- name: Prepare unattended installation
ansible.builtin.template:
src: "../templates/autoinst_{{ namespace }}.xml.j2"
dest: "/srv/www/autoinst_{{ vm_name }}.xml"
group: wheel
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
- name: Prepare Grub host file for http
ansible.builtin.template:
src: ../templates/grub.j2
dest: "/var/www/htdocs/www/boot/hosts/{{ ip_address }}.cfg"
group: wheel
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
when: dp_os == 'openbsd-x86_64'
- name: Prepare Grub host file for tftp
ansible.builtin.template:
src: ../templates/grub.j2
dest: "/tftpboot/boot/hosts/{{ ip_address }}.cfg"
group: wheel
mode: '0444'
when: dp_os == 'openbsd-x86_64'
- name: Generate LUKS passphrase #does not quite belong here
set_fact:
luks_passphrase: "{{ lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname) }}"
no_log: true
- name: Prepare unattended installation
ansible.builtin.template:
src: "../templates/autoinst_{{ namespace }}.xml.j2"
dest: "/var/www/htdocs/www/autoinst_{{ vm_name }}.xml"
group: wheel
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
when: dp_os == 'openbsd-x86_64'
delegate_to: "{{ deployment_host }}"
tags:
- init_dp

View File

@ -0,0 +1,79 @@
---
- name: Provision VM
block:
- name: Query volumes
ansible.builtin.command:
argv:
- /usr/bin/virsh
- -c
- "{{ libvirt_url }}"
- vol-list
- "{{ storage.name }}"
register: volumes
no_log: true
- name: Create storage template
ansible.builtin.template:
src: "../templates/libvirt-storage-template.xml.j2"
dest: "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
group: lysergic
mode: '0660'
when: vm_name not in volumes.stdout
- name: Define volume
ansible.builtin.command:
argv:
- /usr/bin/virsh
- -c
- "{{ libvirt_url }}"
- vol-create
- "{{ storage.name }}"
- "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
when: vm_name not in volumes.stdout
# https://gitlab.com/libvirt/libvirt/-/issues/135
- name: Fetch volume path
ansible.builtin.command:
argv:
- /usr/bin/virsh
- -c
- "{{ libvirt_url }}"
- vol-path
- --pool
- "{{ storage.name }}"
- "{{ inventory_hostname }}_root_disk.qcow2"
register: volpath
- name: Store volume path
set_fact:
volume_path: "{{ volpath.stdout }}"
- name: Create domain template
ansible.builtin.template:
src: "../templates/libvirt-template.xml.j2"
dest: "../templates/generated/libvirt-{{ inventory_hostname }}.xml"
group: lysergic
mode: '0660'
- name: Define domain
community.libvirt.virt:
uri: "{{ libvirt_url }}"
command: define
xml: "{{ lookup('template', '../templates/libvirt-template.xml.j2') }}"
autostart: no
# delegate_to: localhost
- name: Fetch MAC address
ansible.builtin.shell: "/usr/bin/virsh -c {{ libvirt_url }} domiflist {{ vm_name }} | awk '{print $5}' | cut -d/ -f 1 | tail -n 2 | head -n 1" # ewww :-(
register: domiflist_mac
- name: Store MAC address
set_fact:
mac_address: "{{ domiflist_mac.stdout }}"
delegate_to: localhost
always:
- name: Debug
ansible.builtin.debug:
msg: "{{ libvirt_url if libvirt_url is defined }} - {{ storage.name if storage is defined }} - {{ mac_address if mac_address is defined }}"

View File

@ -0,0 +1,65 @@
---
- name: Configure SSH server
block:
- name: Switch user
set_fact:
ansible_user_original: "{{ lookup('env', 'USER') }}"
ansible_ssh_private_key_file_original: "{{ ansible_ssh_private_key_file }}"
ansible_user: install
ansible_ssh_private_key_file: "{{ installkey }}"
- name: Test 1
ansible.builtin.raw: whoami
vars:
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
- name: Install SSH host certificate
ansible.builtin.copy:
checksum: "{{ stat_ssh_cert.stat.checksum }}"
dest: "/etc/ssh/{{ vm_name }}"
group: root
local_follow: no
mode: 0400
owner: root
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
become: yes
become_method: sudo
become_user: root
vars:
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
- name: Install SSH host key
ansible.builtin.copy:
checksum: "{{ stat_ssh_spk.stat.checksum }}"
dest: "/etc/ssh/{{ vm_name }}-cert.pub"
group: root
local_follow: no
mode: 0444
owner: root
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
become: yes
become_method: sudo
become_user: root
vars:
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
- name: Install sshd configuration
ansible.builtin.script:
cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"
become: yes
become_method: sudo
become_user: root
vars:
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
- name: Switch user
set_fact:
ansible_user: "{{ ansible_user_original }}"
ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file_original }}"
- name: Test 2
ansible.builtin.raw: whoami
tags:
- init_ssh

View File

@ -0,0 +1,7 @@
---
- name: Initialize DHCP configurator
include_tasks: "../tasks/configure_dhcp.yml"
vars:
dhcp_host: "{{ item }}"
with_items: "{{ dhcp_servers }}"

View File

@ -0,0 +1,9 @@
---
- name: Initialize DNS configurator
include_tasks: "../tasks/configure_dns.yml"
vars:
dns_ip: "{{ item }}"
with_items: "{{ dns_servers }}"
tags:
- init_ssh

View File

@ -0,0 +1,10 @@
---
- name: Initialize Deployment Server configurator
include_tasks: "../tasks/configure_dps.yml"
vars:
deployment_host: "{{ item }}"
with_items: "{{ deployment_servers }}"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,54 @@
---
- name: Initialize SSH host keys
block:
- name: Generate SSH host keypair
ansible.builtin.command:
argv:
- ssh-keygen
- -f
- "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
- -t
- ed25519
- -C
- "{{ vm_fqdn }}"
- -N
- ""
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
- name: Evaluate certificate
ansible.builtin.stat:
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
get_attributes: no
register: stat_ssh_cert
# - name: Sign SSH host key
# ansible.builtin.command:
# argv:
# - ssh-keygen
# - -s
# - "{{ ssh_ca_path }}/{{ tenant }}"
# - -I
# - "{{ ssh_ca_prefix }} - {{ vm_fqdn }}"
# - -hn
# - "{{ vm_fqdn }}"
# - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
# creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
- name: Sign SSH host key
ansible.builtin.expect:
command: ssh-keygen -s "{{ ssh_ca_path }}/{{ tenant }}" -I "{{ ssh_ca_prefix }} - {{ vm_fqdn }}" -hn "{{ vm_fqdn }}" "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
responses:
Enter passphrase: "{{ ca_pp }}"
timeout: 3
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
- name: Evaluate public key
ansible.builtin.stat:
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
get_attributes: no
register: stat_ssh_spk
no_log: true
delegate_to: localhost
tags:
- init_ssh

View File

@ -0,0 +1,42 @@
---
- name: Start VM and attach console inside tmux
block:
- name: Start VM
community.libvirt.virt:
uri: "{{ libvirt_url }}"
command: start
name: "{{ vm_name }}"
state: running
- name: Spawn tmux session
ansible.builtin.command:
argv:
- /usr/bin/tmux
- -S
- /tmp/ansible
- new-session
- -d
- -s
- "{{ vm_name }}"
ignore_errors: true
- name: Attach console inside tmux
ansible.builtin.command:
argv:
- /usr/bin/tmux
- -S
- /tmp/ansible
- new-window
- -t
- "{{ vm_name }}"
- /usr/bin/virsh
- -c
- "{{ libvirt_url }}"
- console
- "{{ vm_name }}"
delegate_to: localhost
tags:
- init_ssh

View File

@ -0,0 +1,61 @@
---
- name: Evaluate cluster
block:
- name: Increment counters
set_fact:
retry_count: "{{ 0 if retry_count is undefined else retry_count | int +1 }}"
host_count: "{{ 0 if retry_count is undefined else host_count | int +1 }}"
- name: Pick cluster host
set_fact:
#host_choice: "{{ nb_hosts.json.results[nb_hosts.json.count | random | int] }}" #PICK RANDOM
#host_choice: "{{ nb_hosts.json.results[1] }}" #FAIL TEST
host_choice: "{{ nb_hosts.json.results[host_count | int] }}" #INCREMENT
no_log: true
- name: Evaluate cluster host status
set_fact:
host_status: "{{ host_choice.status.value }}"
#register: host_status
- name: Evaluate cluster host name
set_fact:
host: "{{ host_choice.name }}"
- name: Evaluate cluster host status
fail:
msg: Host is not ready.
when: host_status != 'active'
- name: Evaluate cluster host configuration
block:
- name: Cluster derived variables 1/2
set_fact:
storage: "{{ host_choice.config_context.storage[0] }}"
deployment_servers: "{{ host_choice.config_context.deployment_servers }}"
dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}"
dns_servers: "{{ host_choice.config_context.dns_servers }}"
namespace: "{{ host_choice.config_context.namespace }}"
gateway: "{{ host_choice.config_context.gateway }}"
- name: Cluster derived variables 2/2
set_fact:
namespace_short: "{{ namespace.split('.')[0] }}"
when: host_status == 'active'
tags:
- init_dp
- init_ssh
rescue:
- name: Check retry counter
fail:
msg: "Too many retries - no host is ready"
when: retry_count | int == 3 and host_status != 'active'
- debug:
msg: "{{ host if host is defined }} - {{ host_status if host_status is defined }}"
- name: Re-evaluate cluster
include_tasks: "../tasks/netbox_evaluate_cluster.yml"
when: host_status != 'active'

View File

@ -0,0 +1,10 @@
---
- name: Register interface ID
set_fact:
ifid: '{{ nb_interface_2.json.results[0].id }}'
when: "nb_interface_1.status|int == 400"
- name: Register interface ID
set_fact:
ifid: '{{ nb_interface_1.json.id }}'
when: "nb_interface_1.status|int == 201"

View File

@ -0,0 +1,21 @@
---
- name: Define existing IP address
set_fact:
ip_address: "{{ nb_ip_1.json.results[0].address | ansible.netcommon.ipaddr('address') }}"
ip_address_cidr: "{{ nb_ip_1.json.results[0].address }}"
ip_address_type: "existing"
ipid: "{{ nb_ip_1.json.results[0].id }}"
when: "nb_ip_1.status|int == 200 and nb_ip_1.json.count|int != 0 and (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value == 'active')"
tags:
- init_dp
- init_ssh
- name: Define new IP address
set_fact:
ip_address: "{{ nb_ip_2.json[0].address | ansible.netcommon.ipaddr('address') }}"
ip_address_cidr: "{{ nb_ip_2.json[0].address }}"
ip_address_type: "new"
when: "nb_ip_2.status is defined and nb_ip_2.status|int == 200"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,9 @@
---
- name: Evaluate prefix options
set_fact:
prefix_id: "{{ nb_prefix.json.results[0].id }}"
prefix_display: "{{ nb_prefix.json.results[0].display }}"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,8 @@
---
- name: Gather site configuration
set_fact:
site_id: "{{ nb_site.json.results[0].id }}"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,29 @@
---
- name: Pick hard- and software
# not needed, can be pulled from hostvars
set_fact:
vcpus: "{{ nb_vm.json.results[0].vcpus | int }}"
os: "{{ nb_vm.json.results[0].platform.name }}"
# - name: Pick virtual hardware specifications
# # not needed, part of hostvars
# set_fact:
# memory: "{{ nb_vm.json.results[0].memory }}"
# disk: "{{ nb_vm.json.results[0].disk }}"
tags:
- init_dp
- init_ssh
- name: Pick metadata
set_fact:
id: "{{ nb_vm.json.results[0].id }}"
site: "{{ hostvars[inventory_hostname]['sites'][0] }}"
status: "{{ nb_vm.json.results[0].status.value }}"
# # not needed, part of hostvars
# #tags: "{{ nb_vm.json.results[0].tags[0].slug }}"
# #tags: "{{ nb_vm.json.results[0].tags | sum(start=[]) | map(attribute='slug') }}"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,20 @@
---
- name: Create VM interface objects
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/interfaces/"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: POST
return_content: yes
status_code:
- 201
- 400 #interface name already exists. is there an elegant way to limit 400 to this particular case? regex parsing the response text for "The fields virtual_machine, name must make a unique set." would be ugly.
headers:
Accept: application/json
Authorization: "Token {{ token }}"
body_format: json
body: ' {"virtual_machine": {{ id }}, "name": "eth0", "enabled": true, "mac_address": "{{ mac_address }}", "mode": "access"}'
register: nb_interface_1
delegate_to: localhost
#no_log: true

View File

@ -0,0 +1,20 @@
---
- name: Create IP address object
ansible.builtin.uri:
url: "{{ endpoint }}/ipam/ip-addresses/"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: POST
return_content: yes
status_code:
- 201
- 400
headers:
Accept: application/json
Authorization: "Token {{ token }}"
body_format: json
body: ' {"address": "{{ ip_address_cidr }}", "tenant": 1, "status": "active", "assigned_object_type": "virtualization.vminterface", "assigned_object_id": {{ ifid }}, "dns_name": "{{ vm_fqdn }}"}'
register: nb_ip_3
when: "ip_address_type|string == 'new'"
delegate_to: localhost

View File

@ -0,0 +1,20 @@
---
- name: Register IP address object ID #only for new addresses, existing ones have ipid set in _evaluate_ip.yml
set_fact:
ipid: "{{ nb_ip_3.json.id }}"
when: "ip_address_type|string == 'new'"
- name: Set primary IPv4 address
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: PATCH
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
body_format: json
body: ' {"primary_ip4": {{ ipid }}}'
delegate_to: localhost

View File

@ -0,0 +1,16 @@
---
- name: Locate cluster hosts
ansible.builtin.uri:
url: "{{ endpoint }}/dcim/devices/?cluster_id={{ nb_vm.json.results[0].cluster.id }}"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_hosts
delegate_to: localhost
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,15 @@
---
- name: Query existing interface
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/interfaces/?name=eth0&virtual_machine_id={{ id }}"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_interface_2
delegate_to: localhost
when: "nb_interface_1.status|int == 400"

View File

@ -0,0 +1,34 @@
---
- name: Query existing address
ansible.builtin.uri:
url: "{{ endpoint }}/ipam/ip-addresses?virtual_machine_id={{ id }}"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_ip_1
delegate_to: localhost
tags:
- init_dp
- init_ssh
- name: Query available address
ansible.builtin.uri:
url: "{{ endpoint }}/ipam/prefixes/{{ prefix_id }}/available-ips/?limit=1"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_ip_2
delegate_to: localhost
when: "nb_ip_1.json.count|int == 0 or (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value != 'active')"
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,17 @@
---
- name: Query prefix
ansible.builtin.uri:
url: "{{ endpoint }}/ipam/prefixes/?site_id={{ site_id }}&tenant={{ tenant }}&limit=1"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_prefix
delegate_to: localhost
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,17 @@
---
- name: Query site
ansible.builtin.uri:
url: "{{ endpoint }}/dcim/sites/?slug={{ site }}"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_site
delegate_to: localhost
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,18 @@
---
# consider ditching this block, would need to work around missing cluster ID in hostvars
- name: Query VM
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/virtual-machines/?name={{ inventory_hostname }}"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: GET
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
register: nb_vm
delegate_to: localhost
tags:
- init_dp
- init_ssh

View File

@ -0,0 +1,24 @@
---
- name: Post-deployment tagging
block:
- name: Construct body for tagging
set_fact:
body2: ' {% for tag in tag_exist %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
when: tag_exist is defined
- name: Set post-deployment tags
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: PATCH
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
body_format: json
body: ' {"tags": [ {{ body2 }}]}'
delegate_to: localhost
when: body2 is defined
no_log: true

View File

@ -0,0 +1,34 @@
---
- name: Pre-deployment tagging
block:
- name: Gather tags
set_fact:
tag_exist: "{{ tags }}"
tag_append: "['active-deployment']"
- name: Merge tags
set_fact:
tag_merged: "{{ tag_merged + [item] }}"
with_items:
- "{{ tag_exist }}"
- "{{ tag_append }}"
- name: Construct body for tagging
set_fact:
body1: ' {% for tag in tag_merged %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
- name: Set pre-deployment tags
ansible.builtin.uri:
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
client_cert: "{{ cert }}"
client_key: "{{ key }}"
method: PATCH
return_content: yes
headers:
Accept: application/json
Authorization: "Token {{ token }}"
body_format: json
body: ' {"tags": [ {{ body1 }}]}'
delegate_to: localhost
no_log: true

View File

@ -0,0 +1,42 @@
---
- name: Sit patiently
block:
- name: Wait for guest to become alive
wait_for:
delay: 240
connect_timeout: 3
sleep: 15
port: 22
host: '{{ ip_address }}'
search_regex: OpenSSH
timeout: 600
# rescue:
# - name: Destroy
# community.libvirt.virt:
# uri: "{{ libvirt_url }}"
# command: destroy
# name: "{{ vm_name }}"
# state: destroyed
#
# - name: Start
# community.libvirt.virt:
# uri: "{{ libvirt_url }}"
# command: start
# name: "{{ vm_name }}"
# state: running
#
# - name: Wait for guest to become alive
# wait_for:
# delay: 120
# connect_timeout: 3
# sleep: 15
# port: 22
# host: '{{ ip_address }}'
# search_regex: OpenSSH
# timeout: 600
delegate_to: localhost
tags:
- init_ssh

View File

@ -0,0 +1,5 @@
host {{ vm_name }} {
hardware ethernet {{ mac_address }};
fixed-address {{ ip_address }};
filename "shim.efi";
}

View File

@ -0,0 +1,3 @@
default={% if os == 'openSUSE-Leap-x86_64' %}install-suse{% endif %}{% if os == 'OpenBSD-x86_64' %}install-openbsd{% endif %}
{% if os == 'openSUSE-Leap-x86_64' %}installfile=autoinst_{{ vm_name }}.xml{% endif %}

View File

@ -0,0 +1,16 @@
<volume type='file'>
<name>{{ inventory_hostname }}_root_disk.qcow2</name>
<source>
</source>
<capacity unit='GB'>{{ disk }}</capacity>
<target>
<path>{{ storage.name }}</path>
<format type='qcow2'/>
<permissions>
<mode>0660</mode>
<owner>455</owner>
<group>453</group>
</permissions>
</target>
</volume>

View File

@ -0,0 +1,177 @@
<domain type='kvm'>
<name>{{ inventory_hostname }}</name>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
</libosinfo:libosinfo>
</metadata>
<memory unit='MB'>{{ memory }}</memory>
<currentMemory unit='GB'>{{ memory }}</currentMemory>
<vcpu placement='static'>{{ vcpus }}</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64' machine='pc-q35-5.2'>hvm</type>
<!--loader readonly='yes' type='pflash'>/opt/firmware/OVMF_09012022_RELEASE_HTTPBOOT.fd</loader-->
<loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
<nvram>/var/lib/libvirt/qemu/nvram/{{ inventory_hostname }}_VARS.fd</nvram>
<boot dev='hd'/>
<boot dev='network'/>
<bootmenu enable='no'/>
</os>
<features>
<acpi/>
<apic/>
<vmport state='off'/>
</features>
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>Broadwell-IBRS</model>
<vendor>Intel</vendor>
<feature policy='require' name='vme'/>
<feature policy='require' name='ss'/>
<feature policy='require' name='vmx'/>
<feature policy='require' name='f16c'/>
<feature policy='require' name='rdrand'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='arat'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='umip'/>
<feature policy='require' name='md-clear'/>
<feature policy='require' name='stibp'/>
<feature policy='require' name='arch-capabilities'/>
<feature policy='require' name='ssbd'/>
<feature policy='require' name='xsaveopt'/>
<feature policy='require' name='pdpe1gb'/>
<feature policy='require' name='abm'/>
<feature policy='require' name='skip-l1dfl-vmentry'/>
<feature policy='require' name='pschange-mc-no'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<!--source pool='{{ storage.name }}' volume='{{ inventory_hostname }}_root_disk.qcow2' index='1'/-->
<source file='{{ volume_path }}'/>
<backingStore/>
<target dev='vda' bus='virtio'/>
<alias name='virtio-disk0'/>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</disk>
<!--disk type='file' device='cdrom'>
<driver name='qemu'/>
<source file='/mnt/iso/openSUSE-Leap-15.3-NET-x86_64.iso'/>
<target dev='sda' bus='sata'/>
<readonly/>
<boot order='2'/>
<alias name='sata0-0-0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk-->
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<alias name='usb'/>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</controller>
<controller type='sata' index='0'>
<alias name='ide'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pcie-root'>
<alias name='pcie.0'/>
</controller>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x8'/>
<alias name='pci.1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x9'/>
<alias name='pci.2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0xa'/>
<alias name='pci.3'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0xb'/>
<alias name='pci.4'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0xc'/>
<alias name='pci.5'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0xd'/>
<alias name='pci.6'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
</controller>
<controller type='pci' index='7' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='7' port='0xe'/>
<alias name='pci.7'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
</controller>
<controller type='virtio-serial' index='0'>
<alias name='virtio-serial0'/>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</controller>
<interface type='network'>
<source network='LAN01'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/4'/>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/4'>
<source path='/dev/pts/4'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='mouse' bus='ps2'>
<alias name='input0'/>
</input>
<input type='keyboard' bus='ps2'>
<alias name='input1'/>
</input>
<memballoon model='virtio'>
<alias name='balloon0'/>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<alias name='rng0'/>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</rng>
</devices>
</domain>

View File

@ -0,0 +1,2 @@
{{ vm_name }} IN A {{ ip_address }}
{{ vm_name }}.{{ namespace_short }} IN A {{ ip_address }}

View File

@ -0,0 +1,14 @@
[v3_ca]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Web Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = orpheus.syscid.com
DNS.2 = auth.syscid.com
DNS.3 = www.syscid.com
DNS.4 = sso.syscid.com

15
ca/server_cert_ext.cnf Normal file
View File

@ -0,0 +1,15 @@
[v3_ca]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "LDAP01 Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ldap.syscid.com
DNS.2 = ldap01.syscid.com
DNS.3 = dir.syscid.com
DNS.4 = dir01.syscid.com
DNS.5 = gaia.syscid.com

View File

@ -0,0 +1,13 @@
[v3_ca]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "LDAP01 Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = web.sun.lysergic.dev
DNS.2 = web.syscid.com
DNS.3 = web

734
coturn/turnserver.conf Normal file
View File

@ -0,0 +1,734 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
#
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
listening-ip=192.168.0.115
listening-ip=202.61.255.116
listening-ip=2a03:4000:55:d20::
# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
#relay-ip=172.17.19.105
#relay-ip=2607:f0d0:1002:51::5
# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is be used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is optimal, so you have to change this option
# if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
#min-port=49152
#max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
#verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#lt-cred-mech
# This option is the opposite of lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
#
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
#
# Use either lt-cred-mech or use-auth-secret in the conf
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'.
#
static-auth-secret=$authsec
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov
#server-name=orpheus.syscid.com
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for the long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
psql-userdb="host=$dbhost dbname=$db user=$dbuser password=$dbpass connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use the string format below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string,
# then set the MySQL password encryption secret key file with this option.
#
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
# If you want to use a cleartext password then do not set this option!
#
# This is the file path for the aes encrypted secret key used for password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that you are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that you are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use the string format below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If the default realm is not specified, then realm falls back to the host domain name.
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
#
realm=turn.lysergic.dev
# This flag sets the origin consistency
# check. Across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
total-quota=100
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0
#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having a limited lifetime.
# By default, the nonce value is unique for a session,
# and has an unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
stale-nonce=600
# Uncomment if you want to set the maximum allocation
# time before it has to be refreshed.
# Default is 3600s.
#
#max-allocate-lifetime=3600
# Uncomment to set the lifetime for the channel.
# Default value is 600 secs (10 minutes).
# This value MUST not be changed for production purposes.
#
#channel-lifetime=600
# Uncomment to set the permission lifetime.
# Default to 300 secs (5 minutes).
# In production this value MUST not be changed,
# however it can be useful for test purposes.
#
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#cert=/etc/pki/coturn/public/turn_server_cert.pem
cert=/etc/ssl/lysergic/fullchain.pem
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#pkey=/etc/pki/coturn/private/turn_server_pkey.pem
pkey=/etc/ssl/lysergic/private/privkey.pem
# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
#
#dh1066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to
# the configured log file. With this option everything will
# go to the configured log only (unless the log file itself is stdout).
#
no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory
# (Whichever file open operation succeeds first will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
log-file=/var/log/coturn/turnserver.log
# Option to redirect all log output into system log (syslog).
#
#syslog
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
simple-log
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if you have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only
# Option to hide software version. Enhance security when used in production.
# Revealing the specific software version of the agent through the
# SOFTWARE attribute might allow them to become more vulnerable to
# attacks against software that is known to contain security holes.
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
allowed-peer-ip=192.168.0.1-192.168.0.254
# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
#
#proc-group=<group-name>
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended that you use the encrypted
# form of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions
# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]
# Do not allow an TLS/DTLS version of protocol
#
no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2

View File

@ -1,9 +1,11 @@
# Cronjob for Restic Backup to S3 # Cronjob for Restic Backup to Wasabi S3
# Created and last modified: 20/07/2021 # Created and last modified: 20/07/2021
# georg@lysergic.dev # georg@lysergic.dev
MAILTO=system MAILTO=system
SHELL=/bin/sh SHELL=/bin/sh
#This will make a deduplicating backup every day at 22:00 and send an email to system@lysergic.dev as well as #universe #This will make a deduplicating (is that the right word?) backup every day at 23:00 and send an email to system@lysergic.dev as well as #universe
0 22 * * * restic /opt/restic/run.sh |& mail -s "S3 Backup - $(hostname -f) - $(date)" ircsystem 0 22 * * * restic /opt/restic/run.sh |& mail -s "[S3 Backup] - $(hostname -f) - $(date)" ircsystem
#This will remove everything except the last 30 days worth of snapshots every two days at 22:30
0 4 */2 * * restic /opt/restic/cleanup.sh |& mail -s "[S3 Cleanup] - $(date)" ircsystem

View File

@ -0,0 +1,21 @@
#!/bin/sh
OUTPUT="nc -N 127.0.0.2 2424"
maximumSecondsBehind=20
/opt/mysql/bin/mysql -u repl-status -p'$dbmonpass' -e 'SHOW REPLICA STATUS \G' > /tmp/replicationstatus.txt
slaveRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_IO_Running: Yes" | wc -l)"
slaveSQLRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_SQL_Running: Yes" | wc -l)"
secondsBehind="$(cat /tmp/replicationstatus.txt | grep "Seconds_Behind_Source" | tr -dc '0-9')"
echo $slaveRunning | $OUTPUT
echo $slaveSQLRunning | $OUTPUT
echo $secondsBehind | $OUTPUT
if [[ $slaveRunning != 1 || $slaveSQLRunning != 1 || $secondsBehind -gt $maximumSecondsBehind ]]; then
echo
echo "Replikacja wydaje się być popieprzona. Sending logs via email. @cranberry" | $OUTPUT
/usr/bin/mail -s "[MySQL Replication Monitor] Issue on $(hostname) at $(date)" system@lysergic.dev < /tmp/replicationstatus.txt
else
echo
echo "Replikacja wydaje się być zdrowa." | $OUTPUT
fi

View File

@ -0,0 +1,13 @@
[general]
config_version = 2
[slapd]
instance_name = syscid
root_password = $dirmgrpass
[backend-userroot]
create_suffix_entry = yes
sample_entries = yes
suffix = dc=syscid,dc=com

View File

@ -0,0 +1,12 @@
[general]
config_version = 2
[slapd]
instance_name = syscid
root_password = $dirmgrpass
[backend-userroot]
create_suffix_entry = True
sample_entries = no
suffix = dc=syscid,dc=com

View File

@ -0,0 +1,35 @@
dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: always_set_home
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: insults
sudoOption: mail_badpass
sudoOption: log_output
sudoOption: timestamp_timeout=15
sudoOrder: 1
dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2
dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

153
dirsrv/misc/sudoers2ldif.pl Normal file
View File

@ -0,0 +1,153 @@
#!/usr/bin/env perl
#
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
use strict;
#
# Converts a sudoers file to LDIF format in prepration for loading into
# the LDAP server.
#
# BUGS:
# Does not yet handle multiple lines with : in them
# Does not yet remove quotation marks from options
# Does not yet escape + at the beginning of a dn
# Does not yet handle line wraps correctly
# Does not yet handle multiple roles with same name (needs tiebreaker)
#
# CAVEATS:
# Sudoers entries can have multiple RunAs entries that override former ones,
# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
my %RA;
my %UA;
my %HA;
my %CA;
my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
my @options=();
my $did_defaults=0;
my $order = 0;
# parse sudoers one line at a time
while (<>){
# remove comment
s/#.*//;
# line continuation
$_.=<> while s/\\\s*$//s;
# cleanup newline
chomp;
# ignore blank lines
next if /^\s*$/;
if (/^Defaults\s+/i) {
my $opt=$';
$opt=~s/\s+$//; # remove trailing whitespace
push @options,$opt;
} elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
# Aliases or Definitions
my ($p1,$p2,$p3)=($1,$2,$3);
$p2=~s/\s+$//; # remove trailing whitespace
$p3=~s/\s+$//; # remove trailing whitespace
if ($p1 eq "User_Alias") {
$UA{$p2}=$p3;
} elsif ($p1 eq "Runas_Alias") {
$RA{$p2}=$p3;
} elsif ($p1 eq "Host_Alias") {
$HA{$p2}=$p3;
} elsif ($p1 eq "Cmnd_Alias") {
$CA{$p2}=$p3;
} else {
if (!$did_defaults++){
# do this once
print "dn: cn=defaults,$base\n";
print "objectClass: top\n";
print "objectClass: sudoRole\n";
print "cn: defaults\n";
print "description: Default sudoOption's go here\n";
print "sudoOption: $_\n" foreach @options;
printf "sudoOrder: %d\n", ++$order;
print "\n";
}
# Definition
my @users=split /\s*,\s*/,$p1;
my @hosts=split /\s*,\s*/,$p2;
my @cmds= split /\s*,\s*/,$p3;
@options=();
print "dn: cn=$users[0],$base\n";
print "objectClass: top\n";
print "objectClass: sudoRole\n";
print "cn: $users[0]\n";
# will clobber options
print "sudoUser: $_\n" foreach expand(\%UA,@users);
print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
foreach (@cmds) {
if (s/^\(([^\)]+)\)\s*//) {
my @runas = split(/:\s*/, $1);
if (defined($runas[0])) {
print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
}
if (defined($runas[1])) {
print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
}
}
}
print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
print "sudoOption: $_\n" foreach @options;
printf "sudoOrder: %d\n", ++$order;
print "\n";
}
} else {
print "parse error: $_\n";
}
}
#
# recursively expand hash elements
sub expand{
my $ref=shift;
my @a=();
# preen the line a little
foreach (@_){
# if NOPASSWD: directive found, mark entire entry as not requiring
s/NOPASSWD:\s*// && push @options,"!authenticate";
s/PASSWD:\s*// && push @options,"authenticate";
s/NOEXEC:\s*// && push @options,"noexec";
s/EXEC:\s*// && push @options,"!noexec";
s/SETENV:\s*// && push @options,"setenv";
s/NOSETENV:\s*// && push @options,"!setenv";
s/LOG_INPUT:\s*// && push @options,"log_input";
s/NOLOG_INPUT:\s*// && push @options,"!log_input";
s/LOG_OUTPUT:\s*// && push @options,"log_output";
s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
s/[[:upper:]]+://; # silently remove other tags
s/\s+$//; # right trim
}
# do the expanding
push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
@a;
}

32
generic/nsswitch.conf Normal file
View File

@ -0,0 +1,32 @@
###
##
## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
## georg@lysergic.dev
##
###
passwd: sss files
group: sss files
shadow: sss compat
# initgroups: compat
hosts: files dns
networks: files dns
aliases: files usrfiles
ethers: files usrfiles
gshadow: files usrfiles
netgroup: files nis
protocols: files usrfiles
publickey: files
rpc: files usrfiles
services: files usrfiles
automount: files nis
bootparams: files
netmasks: files
sudoers: sss

View File

@ -0,0 +1,7 @@
[client]
socket=/run/mysql/mysql.sock
[mysqld]
log-error=/var/log/mysql/mysqld.log
port=3306
bind-address = 127.0.0.1,10.0.0.31
datadir = /var/lib/mysql

15
nginx/01/adminer.conf Normal file
View File

@ -0,0 +1,15 @@
#include php-fpm;
server {
listen 192.168.0.110:8084 ssl;
server_name adminer-local.one.secure.squirrelcube.xyz;
root /mnt/gluster01/web/adminer1;
index adminer.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
}
include php;
}

41
nginx/01/dnsui.conf Normal file
View File

@ -0,0 +1,41 @@
server {
listen 192.168.0.110:8084 ssl;
server_name dnsui-local.one.secure.squirrelcube.xyz;
root /mnt/gluster01/web/dnsui1/public_html;
index init.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
# auth_basic "NS1 Intranet";
# auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
location / {
try_files $uri $uri/ @php;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /init.php {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /info.php {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
error_log /var/log/nginx/dnsui1.log;
}

123
nginx/01/hidden.conf Normal file
View File

@ -0,0 +1,123 @@
server {
# server_name localhost;
listen 127.0.0.1:9191;
root /mnt/gluster01/web/liberta.casa;
}
server {
server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
listen 127.0.0.1:9191;
autoindex off;
port_in_redirect off;
location /kiwi/static/config.json {
root /mnt/gluster01/web/liberta.casa;
rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
}
location /kiwi {
root /mnt/gluster01/web/liberta.casa;
index index.html;
try_files $uri $uri/ =404;
}
location / {
root /srv/www/liberta.casa/static/website;
index index.html;
}
location /register {
proxy_pass http://127.0.0.1:8965;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /libcasa {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /libcasa.info {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /gamja {
root /srv/www/gamja;
index index.html;
}
location /socket {
proxy_pass http://192.168.0.110:8068;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /convos {
rewrite ^/convos/?(.*)$ /$1 break;
proxy_pass http://[::1]:8089;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Base "$scheme://$host/convos";
}
location /candy {
root /srv/www/candy/;
index index.html;
add_header Access-Control-Allow-Origin *;
}
location /candy-source {
root /srv/www/candy/;
}
error_log /var/log/nginx/liberta.casa.err;
#location / {
# root /srv/www/liberta.casa;
# try_files $uri $uri/ =404;
#}
location /webirc {
proxy_pass http://127.0.0.2:6669;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#server {
# server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
# listen 9191;
#
# location /webirc {
# proxy_pass http://127.0.0.2:6668;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
#}

11
nginx/01/http.conf Normal file
View File

@ -0,0 +1,11 @@
#server {
# listen 81.16.19.64:80 default_server;
# listen 45.129.182.13:80 default_server;
# listen [2a03:4000:47:58a::]:80 default_server;
# return 302 https://$host$request_uri;
#}
server {
listen 80 default_server;
return 302 https://$host$request_uri;
}

79
nginx/01/keycloak.conf Normal file
View File

@ -0,0 +1,79 @@
server {
listen 127.0.0.1:443 ssl http2;
server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.5:10090;
proxy_set_header Host $host:10090;
proxy_set_header Origin http://$host:10090;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
server {
listen 127.0.0.1:443 ssl http2;
server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://192.168.0.110:8180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
##
## PRODUCTION CONFIG
## Keycloak Frontend Load Balancer
## Instance: theia
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
}
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}

5
nginx/01/lan.conf Normal file
View File

@ -0,0 +1,5 @@
server {
listen 127.0.0.2:80;
server_name theia.local;
root /srv/www/lan;
}

209
nginx/01/liberta.casa.conf Normal file
View File

@ -0,0 +1,209 @@
server {
server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
#listen [::]:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
return 302 https://liberta.casa;
}
server {
server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
listen 81.16.19.64:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
return 302 https://liberta.casa;
}
server {
server_name liberta.casa lib.casa;
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
#listen [::]:443 ssl http2;
root /srv/www/liberta.casa/static/website;
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
root /srv/www/liberta.casa/static/website;
index index.html;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /kiwi {
root /mnt/gluster01/web/liberta.casa;
index index.html;
try_files $uri $uri/ =404;
}
location /register {
proxy_pass http://127.0.0.1:8965;
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
}
location /webirc {
proxy_pass http://192.168.0.110:8068;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /libcasa {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /libcasa.info {
root /srv/www/superseriousstats/libertacasa;
index index.html;
location ~ \.php$ {
fastcgi_pass 172.168.100.1:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
location /gamja {
root /srv/www/gamja;
index index.html;
}
location /socket {
proxy_pass http://192.168.0.110:8068;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
# location /convos {
# proxy_pass http://[::1]:8089;
# proxy_read_timeout 600s;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
#
# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
# root /srv/www/convos/convos/public;
# }
location /convos {
rewrite ^/convos/?(.*)$ /$1 break;
proxy_pass http://[::1]:8089;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Base "$scheme://$host/convos";
}
location /candy {
root /srv/www/candy/;
index index.html;
add_header Access-Control-Allow-Origin *;
}
location /candy-source {
root /srv/www/candy/;
}
## https://xmpp.org/extensions/xep-0156.html#http
## Provides an alternative to SRV lookups, needed for compliance
location /.well-known/host-meta {
root /srv/www/xmpp;
default_type 'application/xrd+xml';
add_header Access-Control-Allow-Origin '*' always;
}
location /.well-known/host-meta.json {
root /srv/www/xmpp;
default_type 'application/jrd+json';
add_header Access-Control-Allow-Origin '*' always;
}
error_log /var/log/nginx/liberta.casa.err;
}
server {
server_name katyusha.liberta.casa;
listen 81.16.19.64:443 ssl http2;
ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
location / {
proxy_pass http://[::1]:8086;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
}

240
nginx/01/matrix.conf Normal file
View File

@ -0,0 +1,240 @@
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
##SYNAPSE
server {
listen 81.16.19.64:443 ssl;
# For the federation port
listen 81.16.19.64:8448 ssl default_server;
listen 192.168.0.110:8448 ssl;
# For bridge
listen 127.0.0.2:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name matrix.liberta.casa;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://[::1]:8077;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.liberta.casa:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location / {
proxy_pass http://[::1]:8077/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
}
#ELEMENT
server {
listen 81.16.19.64:443 ssl;
server_name element.liberta.casa;
root /mnt/gluster01/web/matrix/element-libertacasa;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
}
server {
listen 81.16.19.64:443 ssl;
server_name m.liberta.casa;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
return 301 https://element.liberta.casa$request_uri;
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
}
#SYDENT
server {
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name ident.matrix.liberta.casa;
location / {
proxy_pass http://127.0.0.4:8074/;
proxy_set_header X-Forwarded-For $remote_addr;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 20M;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
}
#DIMENSION
server {
server_name integrations.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8184;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
}
#KEYS
server {
server_name keys.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.2:8076;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
}
#MAUBOT
server {
server_name maubot.matrix.liberta.casa;
listen 81.16.19.64:443 ssl;
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
# location /_matrix/maubot/v1/logs {
# proxy_pass http://127.0.0.2:29419;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-For $remote_addr;
# }
location / {
proxy_pass http://127.0.0.2:29419;
proxy_set_header X-Forwarded-For $remote_addr;
}
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
}

74
nginx/01/mattermost.conf Normal file
View File

@ -0,0 +1,74 @@
upstream mattermost {
server 127.0.0.2:8065;
keepalive 32;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
listen 81.16.19.64:443 ssl http2;
listen 192.168.0.110:443 ssl http2;
server_name mattermost.casa;
http2_push_preload on;
ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
#ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security max-age=15768000;
#add_header X-Early-Data $tls1_3_early_data;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location /libcasa/channels/town-square {
return https://mattermost.casa/libcasa/channels/libcasa;
}
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
client_max_body_size 50M;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_http_version 1.1;
proxy_pass http://mattermost;
}
location / {
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
client_max_body_size 50M;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://mattermost;
}
}

18
nginx/01/mirror.conf Normal file
View File

@ -0,0 +1,18 @@
server {
listen 45.129.182.13:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name 3zy.de;
ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
location / {
root /mnt/gluster01/mirror;
# fancyindex on;
# fancyindex_exact_size on;
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
}
}

16
nginx/01/nsedit.conf Normal file
View File

@ -0,0 +1,16 @@
include php-fpm;
server {
listen 192.168.0.110:8083 ssl;
server_name nsedit1-local.secure.squirrelcube.xyz;
root /mnt/gluster01/web/nsedit1;
index index.php;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
}
include php;
}

41
nginx/01/omnidb.conf Normal file
View File

@ -0,0 +1,41 @@
server {
listen 127.0.0.2:8085 ssl;
server_name omnidb-local.one.secure.squirrelcube.xyz;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 45.129.182.13:25483 ssl;
listen [2a03:4000:47:58a::]:25483 ssl;
server_name omnidb1.one.secure.squirrelcube.xyz;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
location / {
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 25483;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

28
nginx/01/tp.3gy.de.conf Normal file
View File

@ -0,0 +1,28 @@
server {
server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
listen 45.129.182.13:443 ssl;
listen [2a03:4000:47:58a::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_pass https://[::1]:3080/;
proxy_ssl_verify off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600;
}
}

301
nginx/01/xmpp.conf Normal file
View File

@ -0,0 +1,301 @@
#Prosody (DEPRECATED!)
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
# server_name xmpp.liberta.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
# location / {
# proxy_pass http://[::1]:5280;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header Host $host;
#
# }
#
# location /xmpp-websocket {
# proxy_pass http://[::1]:5280/xmpp-websocket;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
# location /candy/http-bind {
# proxy_pass https://127.0.0.2:5443/http-bind;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
# location /candy {
# root /srv/www/candy/;
# index index.html;
# }
# location /candy-source {
# root /srv/www/candy/;
# }
#}
#mod_http_upload_external
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
#
# server_name up.xmpp.liberta.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
## client_max_body_size 50m;
#
# location / {
# if ( $request_method = OPTIONS ) {
# add_header Access-Control-Allow-Origin '*';
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
# add_header Access-Control-Allow-Credentials 'true';
# add_header Content-Length 0;
# add_header Content-Type text/plain;
# return 200;
# }
# proxy_pass http://[::1]:5050/upload/;
# proxy_request_buffering off;
# }
#}
#server {
# listen 81.16.19.64:443 ssl http2;
# listen [2a03:4000:47:58a::]:443 ssl http2;
# server_name xmpp.lib.casa;
#
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver 127.0.0.4;
#
# location / {
# root /srv/www/jappix;
# index index.php;
# location ~ \.php$ {
# fastcgi_pass 172.168.100.1:9100;
# include fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# }
# }
#
# error_log /var/log/nginx/xmpp.lib.casa.err;
#}
####
## ejabberd
####
## mod_http_upload
perl_modules /usr/local/lib/perl;
perl_require upload.pm;
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
listen 127.0.0.2:443 ssl http2;
server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
root /opt/ejabberd/upload;
location / {
perl upload::handle;
}
client_max_body_size 40m;
# location / {
# if ( $request_method = OPTIONS ) {
# add_header Access-Control-Allow-Origin '*';
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
# add_header Access-Control-Allow-Credentials 'true';
# add_header Content-Length 0;
# add_header Content-Type text/plain;
# return 200;
# }
# proxy_pass http://127.0.0.2:5443;
# proxy_request_buffering off;
# }
error_log /var/log/nginx/up.xmpp.lib.casa.err;
}
## Everything
server {
listen 81.16.19.64:443 ssl http2;
listen [2a03:4000:47:58a::]:443 ssl http2;
server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
#location / {
# proxy_pass https://127.0.0.2:5443;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_set_header Host $host;
#
#}
location / {
root /srv/www/xmpp;
index index.html;
}
location /upload {
return https://up.xmpp.lib.casa;
}
location /bosh {
proxy_pass https://127.0.0.2:5443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
location /ws {
proxy_pass https://127.0.0.2:5443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
# location /xmpp-websocket {
# proxy_pass http://[::1]:5280/xmpp-websocket;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_read_timeout 900s;
# }
location /candy/http-bind {
proxy_pass https://127.0.0.2:5443/http-bind;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_read_timeout 900s;
}
location /candy {
root /srv/www/candy/;
index index.html;
}
location /candy-source {
root /srv/www/candy/;
}
error_log /var/log/nginx/xmpp.lib.casa.err;
}
## ejabberd_web_admin
server {
listen 127.0.0.2:443 ssl http2;
server_name ejabberd-local.one.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:5280;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
}
}

35
nginx/02/bastelstube.conf Normal file
View File

@ -0,0 +1,35 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name www.lysergic.dev lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
root /srv/www/htdocs/bastelstube;
index index.html;
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
}

17
nginx/02/cachet.conf Normal file
View File

@ -0,0 +1,17 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name status.liberta.casa status.lib.casa;
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
location / {
proxy_pass http://cachet.local:8033;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}

30
nginx/02/confluence.conf Normal file
View File

@ -0,0 +1,30 @@
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
server_name confluence.psyched.dev;
ssl_certificate /etc/ssl/psyched/fullchain.pem;
ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.3;
#ssl_prefer_server_ciphers on;
location / {
client_max_body_size 100m;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8090;
}
location /synchrony {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8091/synchrony;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

17
nginx/02/default.conf Normal file
View File

@ -0,0 +1,17 @@
server {
listen 202.61.255.116:443 ssl http2 default_server;
listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
root /srv/www/htdocs/default;
index index.html;
}
server {
listen 202.61.255.116:80 default_server;
listen [2a03:4000:55:d20::]:80 default_server;
root /srv/www/htdocs/default;
index index.html;
}

27
nginx/02/dnsui.conf Normal file
View File

@ -0,0 +1,27 @@
server {
listen 192.168.0.115:8084 ssl;
server_name dnsui-local.two.secure.squirrelcube.xyz;
root /mnt/gluster01/web/dnsui2/public_html;
index init.php;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
try_files $uri $uri/ @php;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /init.php {
fastcgi_pass 172.168.100.2:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
}

38
nginx/02/drone.conf Normal file
View File

@ -0,0 +1,38 @@
#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
server {
listen 192.168.0.115:443 ssl http2;
server_name drone.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
}
}
#Runner Exec
server {
listen 192.168.0.115:443 ssl http2;
server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.3:3000;
}
}
#Runner SSH
server {
listen 192.168.0.115:443 ssl http2;
server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.3:3001;
}
}

39
nginx/02/etherpad.conf Normal file
View File

@ -0,0 +1,39 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:9001;
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
proxy_set_header Host $host;
proxy_pass_header Server;
# Note you might want to pass these headers etc too.
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

23
nginx/02/georg.conf Normal file
View File

@ -0,0 +1,23 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
ssl_certificate /etc/ssl/georg/533088712.crt;
ssl_certificate_key /etc/ssl/georg/my.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
resolver 127.0.0.4;
root /srv/www/htdocs/georg;
index index.html;
}

65
nginx/02/git.conf Normal file
View File

@ -0,0 +1,65 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
server_name git.lysergic.dev git.de.com;
return 302 https://git.com.de;
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
server_name git.casa;
# return 302 https://git.com.de/libertacasa;
root /srv/www/htdocs;
try_files $uri @cgit;
location @cgit {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
fastcgi_param PATH_INFO $uri;
fastcgi_param QUERY_STRING $args;
fastcgi_param HTTP_HOST $server_name;
fastcgi_pass unix:/run/fcgiwrap.sock;
}
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 192.168.0.115:443 ssl http2;
server_name git.com.de;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.2:3501;
}
}

15
nginx/02/grafana.conf Normal file
View File

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name grafana.lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.3;
location / {
proxy_pass http://[::1]:3000/;
}
}

42
nginx/02/graylog.conf Normal file
View File

@ -0,0 +1,42 @@
server {
listen 192.168.0.115:8087 ssl;
server_name graylog-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
}
}
#server {
# listen 202.61.255.116:443 ssl http2;
# listen [2a03:4000:55:d20::]:443 ssl http2;
# server_name glpub.two.secure.squirrelcube.xyz;
#
# ssl_certificate /etc/ssl/tp/fullchain.pem;
# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSLS:10m;
# ssl_session_tickets off;
# ssl_protocols TLSv1.3;
# ssl_prefer_server_ciphers off;
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
# resolver 127.0.0.4;
#
# location /streams {
# proxy_pass http://127.0.0.1:9000/;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_http_version 1.1;
# }
#}

57
nginx/02/jitsi.conf Normal file
View File

@ -0,0 +1,57 @@
#server_names_hash_bucket_size 64;
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 127.0.0.1:443 ssl http2;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
# tls configuration that is not covered in this guide
# we recommend the use of https://certbot.eff.org/
server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
# set the root
root /srv/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location = /http-bind {
proxy_pass http://127.0.0.1:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_method POST;
proxy_buffering off;
tcp_nodelay on;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /srv/jitsi-meet/libs/external_api.min.js;
}
# xmpp websockets
location /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
tcp_nodelay on;
}
}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name meet-auth.sso.casa;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location / {
proxy_pass http://127.0.0.2:3002;
}
}

219
nginx/02/keycloak.conf Normal file
View File

@ -0,0 +1,219 @@
#########################################
## SECTION 1 ##
## DEVELOPMENT / STAGING CONFIGURATION ##
#########################################
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name auth.syscid.com sso.syscid.com;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
# location /auth {
# return 302 https://auth.syscid.com/auth/realms/master/account/;
# }
# location /auth/realms/master/account/ {
# proxy_pass https://10.0.0.10;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 127.0.0.1:443 ssl http2;
server_name keycloak-internal.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
location / {
proxy_pass https://10.0.0.10;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#########################################
## SECTION 2 ##
## Everything below here is PRODUCTION ##
#########################################
##
## WildFly Management UI access through Teleport
##
server {
listen 127.0.0.1:443 ssl http2;
server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.5:9990;
## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Authorization $http_authorization;
# proxy_pass_header Authorization;
proxy_set_header Host $host:10090;
proxy_set_header Origin http://$host:10090;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
##
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
##
#server {
# listen 127.0.0.1:443 ssl http2;
# listen 192.168.0.115:443 ssl http2;
#
# server_name intra.sso.casa;
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#}
##
## Standalone Keycloak Frontend on Orpheus
##
#server {
# listen 202.61.255.116:443 ssl http2;
# listen [2a03:4000:55:d20::]:443 ssl http2;
#
# server_name sso.casa;
#
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
#
# location / {
# proxy_pass https://192.168.0.115:8843/;
# proxy_ssl_verify off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# #proxy_set_header X-Forwarded-Host $host;
# #proxy_set_header X-Forwarded-Server $host;
# #proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-Proto https;
# }
# proxy_buffer_size 128k;
# proxy_buffers 4 256k;
# proxy_busy_buffers_size 256k;
#
## location ~ /auth/admin {
## deny all;
## return 403;
## }
#
#}
##
## Keycloak Frontend Load Balancer
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
# only available in NGINX Plus - very sad!!
# sticky learn
# create=$upstream_cookie_AUTH_SESSION_ID
# lookup=$cookie_AUTH_SESSION_ID
# zone=client_sessions:1m;
}
# same ordeal
#match jboss_check {
# status 200;
# header Content-Type = text/html;
# body ~ "WildFly is running";
#}
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
listen 127.0.0.1:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# yup, nginx plus
#health_check match=jboss_check;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}

79
nginx/02/matrix.conf Normal file
View File

@ -0,0 +1,79 @@
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
##SYNAPSE
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
# For the federation port
listen 202.61.255.116:8448 ssl default_server;
listen [2a03:4000:55:d20::]:8448 ssl;
listen 192.168.0.115:8448 ssl;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
server_name matrix.lysergic.dev;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://[::1]:8763;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 100M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location / {
proxy_pass http://[::1]:8763/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 100M;
}
}
#ELEMENT
server {
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
server_name element.lysergic.dev;
root /mnt/gluster01/web/matrix/element-lysergic;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
}

15
nginx/02/mirror.conf Normal file
View File

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name 3zy.de;
ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
location / {
root /mnt/gluster01/mirror;
fancyindex on;
fancyindex_exact_size on;
}
}

View File

@ -0,0 +1,22 @@
server {
listen 192.168.0.115:8084 ssl;
server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
index index.php;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
}

24
nginx/02/privatebin.conf Normal file
View File

@ -0,0 +1,24 @@
server {
server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/privatebin/PrivateBin;
index index.php;
charset utf-8;
disable_symlinks off;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
client_max_body_size 300M;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
}

67
nginx/02/prometheus.conf Normal file
View File

@ -0,0 +1,67 @@
server {
listen 192.168.0.115:8092 ssl http2;
server_name prometheus-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9090/;
}
}
server {
listen 192.168.0.115:8093 ssl http2;
server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9093/;
}
}
server {
listen 192.168.0.115:8094 ssl http2;
server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9115/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9113/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://172.16.9.2:9586/;
}
}
server {
listen 192.168.0.115:8095 ssl http2;
server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
proxy_pass http://127.0.0.2:9586/;
}
}

29
nginx/02/scooper.conf Normal file
View File

@ -0,0 +1,29 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name scooper.irc.lsd.systems;
ssl_certificate /etc/ssl/irc/fullchain.pem;
ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSLS:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
fastcgi_split_path_info (/)(.*);
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
auth_basic "I <3 Internet Relay Chat";
auth_basic_user_file /mnt/gluster01/web/auth/scooper;
}
}

31
nginx/02/shlink-web.conf Normal file
View File

@ -0,0 +1,31 @@
server {
server_name lsd25.xyz;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/shlink-web;
index index.html;
charset utf-8;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
}
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
add_header Cache-Control "public";
}
location ~* \.(?:css|js)$ {
expires 1y;
add_header Cache-Control "public";
}
location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
try_files $uri $uri/ =404;
}
location / {
auth_basic "Lysergic URL Shortening Service";
auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
try_files $uri $uri/ /index.html$is_args$args;
}
}

29
nginx/02/shlink.conf Normal file
View File

@ -0,0 +1,29 @@
include php-fpm;
server {
server_name lsd25.dev lsd-25.dev mcdonalds.pw;
listen 202.61.255.116:443;
listen [2a03:4000:55:d20::]:443;
root /mnt/gluster01/web/shlink/public;
index index.php;
charset utf-8;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 172.168.100.2:9100;
}
location ~ /\.ht {
deny all;
}
}

15
nginx/02/syscid.conf Normal file
View File

@ -0,0 +1,15 @@
server {
listen 202.61.255.116:443 ssl http2;
listen [2a03:4000:55:d20::]:443 ssl http2;
server_name orpheus.syscid.com www.syscid.com;
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
location / {
root /srv/www/htdocs/syscid;
index index.html;
}
}

28
nginx/02/tp.3gy.de.conf Normal file
View File

@ -0,0 +1,28 @@
server {
server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
listen 202.61.255.116:443 ssl;
listen [2a03:4000:55:d20::]:443 ssl;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.4;
location / {
proxy_pass https://[::1]:3080/;
proxy_ssl_verify off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600;
}
}

View File

@ -0,0 +1,23 @@
server {
listen 192.168.0.115:8086 ssl;
server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
resolver 127.0.0.4;
location / {
proxy_pass https://127.0.0.2:8089;
proxy_ssl_verify off;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect default;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_read_timeout 1800;
client_max_body_size 4G;
}
}

31
nginx/03/3gy.conf Normal file
View File

@ -0,0 +1,31 @@
server {
listen 202.61.255.100:443 ssl http2;
listen [2a03:4000:55:d1d::]:443 ssl http2;
server_name 3gy.de;
ssl_certificate /etc/ssl/mail/fullchain.pem;
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 172.168.100.2;
location / {
root /srv/www/htdocs/3gy/;
index index.html;
}
}

34
nginx/03/beauties.conf Normal file
View File

@ -0,0 +1,34 @@
server {
listen 202.61.255.100:443 ssl http2;
listen [2a03:4000:55:d1d::]:443 ssl http2;
server_name hugz.io up.hugz.io www.hugz.io;
ssl_certificate /etc/ssl/hugz/fullchain.pem;
ssl_certificate_key /etc/ssl/hugz/private/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
error_page 403 /beauties-ip.html;
location = /beauties-ip.html {
root /srv/www/error;
allow all;
}
location / {
proxy_pass http://192.168.0.120:8922;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 200M;
types {} default_type "text/plain; charset=utf-8";
deny 2a01:7e00::f03c:91ff:feae:d55;
deny 176.58.107.169;
}
}

31
nginx/03/cytube.conf Normal file
View File

@ -0,0 +1,31 @@
server {
listen 202.61.255.100:443 ssl http2;
listen [2a03:4000:55:d1d::]:443 ssl http2;
listen 192.168.0.120:443 ssl http2;
server_name party.lysergic.dev;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 127.0.0.4;
location / {
proxy_pass http://127.0.0.1:8250;
proxy_set_header X-Forwarded-Host $host:$server_port;
}
location /jsxc {
root /srv/www/jsxc.party;
}
}

16
nginx/03/default.conf Normal file
View File

@ -0,0 +1,16 @@
#server {
# listen 202.61.255.100:80 default_server;
#
# root /srv/www/htdocs/default;
# index index.html;
#}
server {
listen 202.61.255.100:443 ssl http2 default_server;
listen [2a03:4000:55:d1d::]:443 ssl http2 default_server;
root /srv/www/htdocs/default;
index index.html;
ssl_certificate /etc/ssl/parking/fullchain.pem;
ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
}

15
nginx/03/deploy.conf Normal file
View File

@ -0,0 +1,15 @@
server {
listen 202.61.255.100:80;
listen 192.168.0.120:80;
server_name deploy.squirrelcube.xyz;
root /srv/www/deploy;
location / {
autoindex on;
}
location /secret {
auth_basic "Lysergic Deployment Services";
auth_basic_user_file /etc/nginx/auth/deployment;
}
}

27
nginx/03/dnsui.conf Normal file
View File

@ -0,0 +1,27 @@
server {
listen 192.168.0.120:8084 ssl;
server_name dnsui-local.secure.squirrelcube.xyz;
root /mnt/gluster01/web/dnsui3/public_html;
index init.php;
ssl_certificate /etc/ssl/tp/fullchain.pem;
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
location / {
try_files $uri $uri/ @php;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
location /init.php {
fastcgi_pass 172.168.100.3:9100;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
auth_basic "NS1 Intranet";
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
}
}

6
nginx/03/http.conf Normal file
View File

@ -0,0 +1,6 @@
server {
listen 202.61.255.100:80 default_server;
listen [2a03:4000:55:d1d::]:80 default_server;
listen 81.16.18.137:80 default_server;
return 302 https://$host$request_uri;
}

43
nginx/03/keycloak.conf Normal file
View File

@ -0,0 +1,43 @@
##
## PRODUCTION CONFIG
## Keycloak Frontend Load Balancer
## Instance: selene
##
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
upstream jboss {
ip_hash;
server 192.168.0.110:8843;
server 192.168.0.115:8843;
server 192.168.0.120:8843;
}
server {
listen 202.61.255.100:443 ssl http2;
listen [2a03:4000:55:d1d::]:443 ssl http2;
server_name sso.casa;
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
#location = / {
# return 302 /auth/;
#}
location / {
proxy_pass https://jboss;
proxy_cache backcache;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
proxy_buffer_size 256k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
}

4
nginx/03/local.conf Normal file
View File

@ -0,0 +1,4 @@
server {
listen 192.168.0.120:80;
root /srv/www/local;
}

124
nginx/03/mail.conf Normal file
View File

@ -0,0 +1,124 @@
server {
listen 192.168.0.120:443 ssl http2;
server_name zz0.email;
ssl_certificate /etc/ssl/mail/fullchain.pem;
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 172.168.100.2;
location /Microsoft-Server-ActiveSync {
proxy_pass http://127.0.0.2:8080/Microsoft-Server-ActiveSync;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 75;
proxy_send_timeout 3650;
proxy_read_timeout 3650;
proxy_buffers 64 256k;
client_body_buffer_size 512k;
client_max_body_size 0;
}
location / {
proxy_pass http://127.0.0.2:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
}
}
server {
listen 202.61.255.100:443 ssl http2;
listen [2a03:4000:55:d1d::]:443 ssl http2;
server_name sogo.zz0.email zz0.email;
ssl_certificate /etc/ssl/mail/fullchain.pem;
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
resolver 172.168.100.2;
location / {
return 302 /SOGo;
}
location /SOGo {
proxy_pass http://127.0.0.2:20000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
proxy_set_header x-webobjects-remote-host $remote_addr;
proxy_set_header x-webobjects-server-name $server_name;
proxy_set_header x-webobjects-server-url https://$http_host;
proxy_set_header x-webobjects-server-port $server_port;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
client_body_buffer_size 128k;
client_max_body_size 0;
break;
}
location /SOGo.woa/WebServerResources/ {
alias /opt/GNUstep/SOGo/WebServerResources/;
}
location /.woa/WebServerResources/ {
alias /opt/GNUstep/SOGo/WebServerResources/;
}
location /SOGo/WebServerResources/ {
alias /opt/GNUstep/SOGo/WebServerResources/;
}
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
}
#trying to make / serve SOGo with no fuzz....
# location /WebServerResources/ {
# alias /opt/GNUstep/SOGo/WebServerResources/;
# }
# location (^/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
# alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
# }
}

View File

@ -0,0 +1,71 @@
server {
server_name ts.lsd25.xyz;
listen 202.61.255.100:443 ssl;
listen [2a03:4000:55:d1d::]:443 ssl;
root /opt/matterbridge/tripsit/bridgemedia;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
#ssl_stapling on;
#ssl_stapling_verify on;
location / {
}
}
server {
server_name lc.lsd25.xyz;
listen 202.61.255.100:443 ssl;
listen [2a03:4000:55:d1d::]:443 ssl;
root /opt/matterbridge/libertacasa/bridgemedia;
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
#ssl_stapling on;
#ssl_stapling_verify on;
location / {
}
}
server {
server_name lsd.airforce;
listen 202.61.255.100:443 ssl;
listen [2a03:4000:55:d1d::]:443 ssl;
root /opt/matterbridge/tripsit/bridgemedia2;
ssl_certificate /etc/ssl/parking/fullchain.pem;
ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
#ssl_ciphers
#ssl_prefer_server_ciphers
add_header Strict-Transport-Security "max-age=63072000" always;
#ssl_stapling on;
#ssl_stapling_verify on;
location / {
}
}

Some files were not shown because too many files have changed in this diff Show More