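--- a/ansible/deployment_poc/.gitignore
+++ b/ansible/deployment_poc/.gitignore
@@ -0,0 +1,13 @@
+__pycache__/
+locks/
+playbooks/ghost.yml
+playbooks/test.yml
+shared/
+templates/autoinst_*.lysergic.dev.xml.j2
+templates/generated/
+variables/deploy-variables.yml
+inventory.yml
+*.bak
+*.example
+*.old
+*.tgz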
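--- a/ansible/deployment_poc/README.md
+++ b/ansible/deployment_poc/README.md
@@ -0,0 +1 @@
+![Flowchart about the deployment and provisioning process](flow.svg)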
321
ansible/deployment_poc/flow.svg
Normal file
321
ansible/deployment_poc/flow.svg
Normal file
@ -0,0 +1,321 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd">
|
||||
<svg width="106cm" height="76cm" viewBox="-561 -1021 2120 1505" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<g>
|
||||
<path style="fill: #ffffff" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0z"/>
|
||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.5" y="52.3989">
|
||||
<tspan x="-315.5" y="52.3989">START</tspan>
|
||||
<tspan x="-315.5" y="68.3989"></tspan>
|
||||
<tspan x="-315.5" y="84.3989">"User decides to provision a new virtual machine"</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<path style="fill: #ffffff" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333z"/>
|
||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="176.775" y="252.215">
|
||||
<tspan x="176.775" y="252.215">NetBox</tspan>
|
||||
<tspan x="176.775" y="268.215">(User)</tspan>
|
||||
<tspan x="176.775" y="284.215"></tspan>
|
||||
<tspan x="176.775" y="300.215">1. User creates a "Virtual Machine" object</tspan>
|
||||
<tspan x="176.775" y="316.215">and enters the desired specifications</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-144.538" y1="129.513" x2="93.0249" y2="219.827"/>
|
||||
<polygon style="fill: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="880" y="240" width="349.4" height="70"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="880" y="240" width="349.4" height="70"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1054.7" y="262.881">
|
||||
<tspan x="1054.7" y="262.881">Webhook</tspan>
|
||||
<tspan x="1054.7" y="278.881"></tspan>
|
||||
<tspan x="1054.7" y="294.881">3. HTTPS POST is received and body data is parsed</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<polygon style="fill: #ffffff" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1008.62" y="382.881">
|
||||
<tspan x="1008.62" y="382.881">NetBox</tspan>
|
||||
<tspan x="1008.62" y="398.881">(System)</tspan>
|
||||
<tspan x="1008.62" y="414.881"></tspan>
|
||||
<tspan x="1008.62" y="430.881">2. System creates a JSON object</tspan>
|
||||
<tspan x="1008.62" y="446.881">and sends it out via HTTPS POST</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<polygon style="fill: #ffffff" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1378.87" y="62.8812">
|
||||
<tspan x="1378.87" y="62.8812">YES</tspan>
|
||||
<tspan x="1378.87" y="78.8812"></tspan>
|
||||
<tspan x="1378.87" y="94.8812">Wehook</tspan>
|
||||
<tspan x="1378.87" y="110.881">(System)</tspan>
|
||||
<tspan x="1378.87" y="126.881"></tspan>
|
||||
<tspan x="1378.87" y="142.881">4. A shell script is executed, initiating</tspan>
|
||||
<tspan x="1378.87" y="158.881">a SSH session</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<polygon style="fill: #ffffff" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="770.22" y="104.785">
|
||||
<tspan x="770.22" y="104.785">Does the received object contain valid JSON</tspan>
|
||||
<tspan x="770.22" y="120.785">with the required attributes?</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<polygon style="fill: #ffffff" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="607.212" y="407.131">
|
||||
<tspan x="607.212" y="407.131">Does the created object contain</tspan>
|
||||
<tspan x="607.212" y="423.131">the requireed fields?</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="314.551" y1="302.747" x2="507.445" y2="374.262"/>
|
||||
<polygon style="fill: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="775.424" y1="411.145" x2="868.251" y2="411.087"/>
|
||||
<polygon style="fill: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1026.24" y1="358.996" x2="1039.38" y2="320.222"/>
|
||||
<polygon style="fill: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="578.953" y1="351.04" x2="350.273" y2="-136.195"/>
|
||||
<polygon style="fill: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="993.303" y1="239.153" x2="857.778" y2="160.026"/>
|
||||
<polygon style="fill: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1001.38" y1="108.181" x2="1213.84" y2="107.516"/>
|
||||
<polygon style="fill: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="700.682" y1="59.8147" x2="418.504" y2="-139.385"/>
|
||||
<polygon style="fill: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="1260" y="-240" width="286.601" height="134.793"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1260" y="-240" width="286.601" height="134.793"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1403.3" y="-192.722">
|
||||
<tspan x="1403.3" y="-192.722">Ansible</tspan>
|
||||
<tspan x="1403.3" y="-176.722">(System)</tspan>
|
||||
<tspan x="1403.3" y="-160.722"></tspan>
|
||||
<tspan x="1403.3" y="-144.722">5. A playbook is executed</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1384.81" y1="39.002" x2="1396.48" y2="-94.5735"/>
|
||||
<polygon style="fill: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
|
||||
</g>
|
||||
<g>
|
||||
<path style="fill: #ffffff" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92z"/>
|
||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92"/>
|
||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-509.11 1339.34,-501.84 1392.22,-501.84 C 1445.12,-501.84 1471.56,-509.11 1524.45,-530.92"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1392.22" y="-478.339">
|
||||
<tspan x="1392.22" y="-478.339">NetBox</tspan>
|
||||
<tspan x="1392.22" y="-462.339">(System)</tspan>
|
||||
<tspan x="1392.22" y="-446.339"></tspan>
|
||||
<tspan x="1392.22" y="-430.339">6. The Virtual Machine object is queried </tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1400.78" y1="-240.992" x2="1395.84" y2="-374.856"/>
|
||||
<polygon style="fill: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
|
||||
</g>
|
||||
<g>
|
||||
<polygon style="fill: #ffffff" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="918.547" y="-109.878">
|
||||
<tspan x="918.547" y="-109.878">Does the Virtual Machine object contain the required</tspan>
|
||||
<tspan x="918.547" y="-93.8776">fields, is it in the correct state and</tspan>
|
||||
<tspan x="918.547" y="-77.8776">compliant?l</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1298.76" y1="-398.763" x2="1013.15" y2="-172.656"/>
|
||||
<polygon style="fill: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="120" y="-280" width="388.45" height="134"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="120" y="-280" width="388.45" height="134"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="314.225" y="-241.119">
|
||||
<tspan x="314.225" y="-241.119">NO</tspan>
|
||||
<tspan x="314.225" y="-225.119"></tspan>
|
||||
<tspan x="314.225" y="-209.119">(System)</tspan>
|
||||
<tspan x="314.225" y="-193.119"></tspan>
|
||||
<tspan x="314.225" y="-177.119">Received data is discarded, and the process is aborted</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="742.533" y1="-131.324" x2="519.002" y2="-173.95"/>
|
||||
<polygon style="fill: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="800" y="-420" width="252" height="134.793"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-420" width="252" height="134.793"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="926" y="-380.722">
|
||||
<tspan x="926" y="-380.722">Ansible</tspan>
|
||||
<tspan x="926" y="-364.722">(System)</tspan>
|
||||
<tspan x="926" y="-348.722"></tspan>
|
||||
<tspan x="926" y="-332.722">7. A virtual hard disk is created</tspan>
|
||||
<tspan x="926" y="-316.722">he actual virtual machine is defined</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="800" y="-580" width="230.15" height="86"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-580" width="230.15" height="86"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="915.075" y="-557.119">
|
||||
<tspan x="915.075" y="-557.119">Ansible</tspan>
|
||||
<tspan x="915.075" y="-541.119">(System)</tspan>
|
||||
<tspan x="915.075" y="-525.119"></tspan>
|
||||
<tspan x="915.075" y="-509.119">8. The virtual machine is started</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="774.367" y="-709.01" width="289.3" height="86"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="774.367" y="-709.01" width="289.3" height="86"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="919.017" y="-686.129">
|
||||
<tspan x="919.017" y="-686.129">Libvirt</tspan>
|
||||
<tspan x="919.017" y="-670.129">(System)</tspan>
|
||||
<tspan x="919.017" y="-654.129"></tspan>
|
||||
<tspan x="919.017" y="-638.129">9. The virtual machine is network booted </tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="780" y="-860" width="280.125" height="83.646"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-860" width="280.125" height="83.646"/>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="808.012" y1="-860" x2="808.012" y2="-776.354"/>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1032.11" y1="-860" x2="1032.11" y2="-776.354"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="920.062" y="-822.296">
|
||||
<tspan x="920.062" y="-822.296">The DHCP/TFTP/NFS process</tspan>
|
||||
<tspan x="920.062" y="-806.296">loads a network operating system</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="780" y="-1020" width="252.6" height="86"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-1020" width="252.6" height="86"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="906.3" y="-997.119">
|
||||
<tspan x="906.3" y="-997.119">OpenSUSE</tspan>
|
||||
<tspan x="906.3" y="-981.119">(System)</tspan>
|
||||
<tspan x="906.3" y="-965.119"></tspan>
|
||||
<tspan x="906.3" y="-949.119">11. The installer initializes the disk </tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.948" y1="-420.998" x2="918.257" y2="-483.286"/>
|
||||
<polygon style="fill: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="916.419" y1="-580.985" x2="917.376" y2="-612.293"/>
|
||||
<polygon style="fill: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="919.319" y1="-710.005" x2="919.701" y2="-765.626"/>
|
||||
<polygon style="fill: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="1180" y="-1020" width="352.65" height="102"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1180" y="-1020" width="352.65" height="102"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1356.32" y="-997.119">
|
||||
<tspan x="1356.32" y="-997.119">OpenSUSE</tspan>
|
||||
<tspan x="1356.32" y="-981.119">(System)</tspan>
|
||||
<tspan x="1356.32" y="-965.119"></tspan>
|
||||
<tspan x="1356.32" y="-949.119">10. Requested oftware specifications</tspan>
|
||||
<tspan x="1356.32" y="-933.119">are collected </tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1179.11" y1="-972.15" x2="1043.33" y2="-974.564"/>
|
||||
<polygon style="fill: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1043.88" y1="-860.983" x2="1196.71" y2="-913.817"/>
|
||||
<polygon style="fill: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="220" y="-1020" width="352.65" height="102"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="220" y="-1020" width="352.65" height="102"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="396.325" y="-989.119">
|
||||
<tspan x="396.325" y="-989.119">OpenSUSE</tspan>
|
||||
<tspan x="396.325" y="-973.119">(System)</tspan>
|
||||
<tspan x="396.325" y="-957.119"></tspan>
|
||||
<tspan x="396.325" y="-941.119">12. The operating system is installed </tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="779.024" y1="-975.003" x2="583.371" y2="-971.934"/>
|
||||
<polygon style="fill: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.532" y1="-199.812" x2="923.715" y2="-274.478"/>
|
||||
<polygon style="fill: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1360.09" y1="-917.011" x2="1385.15" y2="-570.617"/>
|
||||
<polygon style="fill: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
|
||||
</g>
|
||||
<g>
|
||||
<rect style="fill: #ffffff" x="-320" y="-1020" width="352.65" height="102"/>
|
||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="-320" y="-1020" width="352.65" height="102"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-143.675" y="-997.119">
|
||||
<tspan x="-143.675" y="-997.119">OpenSUSE</tspan>
|
||||
<tspan x="-143.675" y="-981.119">(System)</tspan>
|
||||
<tspan x="-143.675" y="-965.119"></tspan>
|
||||
<tspan x="-143.675" y="-949.119">13. The system starts base daemons</tspan>
|
||||
<tspan x="-143.675" y="-933.119">and sends a report via emaill</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="218.997" y1="-969" x2="43.3886" y2="-969"/>
|
||||
<polygon style="fill: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
|
||||
</g>
|
||||
<g>
|
||||
<path style="fill: #ffffff" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480z"/>
|
||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480"/>
|
||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.875" y="-427.601">
|
||||
<tspan x="-315.875" y="-427.601">END</tspan>
|
||||
<tspan x="-315.875" y="-411.601"></tspan>
|
||||
<tspan x="-315.875" y="-395.601">Pipeline completed</tspan>
|
||||
</text>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-159.853" y1="-916.998" x2="-292.601" y2="-490.295"/>
|
||||
<polygon style="fill: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
|
||||
</g>
|
||||
<g>
|
||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="119.001" y1="-275.735" x2="-115.526" y2="-351.1"/>
|
||||
<polygon style="fill: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
|
||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
|
||||
</g>
|
||||
</svg>
|
After Width: | Height: | Size: 24 KiB |
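--- a/ansible/deployment_poc/playbooks/deploy.yml
+++ b/ansible/deployment_poc/playbooks/deploy.yml
@@ -0,0 +1,133 @@
+---
+- hosts: status_planned
+  gather_facts: no
+  vars:
+    token: "{{ nb_token }}"
+    vm_name: "{{ inventory_hostname }}"
+    tag_merged: []
+    debug_merged: []
+  vars_files:
+    - ../variables/deploy-variables.yml
+
+  pre_tasks:
+    - name: Check lock
+      wait_for:
+        path: "{{ lockfile }}"
+        state: absent
+        timeout: 600
+        msg: Lock did not disappear in time
+      delegate_to: localhost
+
+    - name: Create lock
+      file:
+        path: "{{ lockfile }}"
+        state: touch
+      delegate_to: localhost
+
+  tasks:
+    - name: Pipeline
+      block:
+        - name: Gather details
+          block:
+            - import_tasks: "../tasks/netbox_query_vm.yml"
+            - import_tasks: "../tasks/netbox_query_cluster.yml"
+          no_log: true
+
+        - name: Assign variables
+          block:
+            - import_tasks: "../tasks/netbox_evaluate_cluster.yml"
+            - import_tasks: "../tasks/netbox_evaluate_vm.yml"
+
+        - name: Verify compliance
+          block:
+            - name: Check status
+              fail:
+                msg: The object is not Planned.
+              when: status != 'planned'
+
+            - name: Check tag
+              fail:
+                msg: The object is marked as already being in deployment.
+              when: '"active-deployment" in tags'
+
+            - name: Check platform
+              fail:
+                msg: The object does not contain a valid platform attribute.
+              when: os != 'openSUSE-Leap-x86_64' #support more OS's later
+
+        - name: Write tag and journal
+          import_tasks: "../tasks/netbox_tags_pre.yml"
+
+        - name: Gather site configuration
+          block:
+            - import_tasks: "../tasks/netbox_query_site.yml"
+            - import_tasks: "../tasks/netbox_evaluate_site.yml"
+          no_log: true
+
+        - name: Gather prefix
+          block:
+            - import_tasks: "../tasks/netbox_query_prefix.yml"
+            - import_tasks: "../tasks/netbox_evaluate_prefix.yml"
+          no_log: true
+
+        - name: Gather IP address
+          block:
+            - import_tasks: "../tasks/netbox_query_ip.yml"
+            - import_tasks: "../tasks/netbox_evaluate_ip.yml"
+          no_log: true
+
+        - name: Provision virtual machine
+          import_tasks: "../tasks/configure_libvirt.yml"
+
+        - name: Configure DHCP
+          import_tasks: "../tasks/init_dhcp.yml"
+
+        - name: Configure DNS
+          import_tasks: "../tasks/init_dns.yml"
+
+        - name: Configure Deployment Servers
+          import_tasks: "../tasks/init_dps.yml"
+
+        - name: Create interface object in NetBox or use existing one
+          block:
+            - import_tasks: "../tasks/netbox_init_interface.yml"
+            - import_tasks: "../tasks/netbox_query_interface.yml"
+            - import_tasks: "../tasks/netbox_evaluate_interface.yml"
+          no_log: true
+
+        - name: Define IP address object in NetBox
+          block:
+            - import_tasks: "../tasks/netbox_init_ip.yml"
+            - import_tasks: "../tasks/netbox_primaryip.yml"
+          no_log: true
+
+        - name: Start VM and attach console
+          import_tasks: "../tasks/init_vm_console.yml"
+
+        - name: Initialize SSH CA
+          import_tasks: "../tasks/init_ssh.yml"
+
+        - name: Assist guest OS installation
+          import_tasks: "../tasks/autoyast_assistant.yml"
+
+        - name: Wait for guest OS installation
+          import_tasks: "../tasks/wait.yml"
+
+        - name: Configure SSH
+          import_tasks: "../tasks/configure_ssh.yml"
+
+
+      always:
+        - name: Restore original tags
+          import_tasks: "../tasks/netbox_tags_post.yml"
+
+        - name: Remove lock
+          file:
+            path: "{{ lockfile }}"
+            state: absent
+          delegate_to: localhost
+
+        - name: Debug
+          ansible.builtin.debug:
+            msg: "{{ status if status is defined}} - {{ tags if tags is defined }} - {{ host if host is defined }} - {{ host_status if host_status is defined }} - {{ namespace if namespace is defined }} - {{ os if os is defined }} - {{ vcpus if vcpus is defined }} - {{ memory if memory is defined }} - {{ disk if disk is defined }}"
+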
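Review bot: The lock in pre_tasks does not serialize concurrent runs: `Check lock` (wait_for, state absent) and `Create lock` (file, state touch) are two separate tasks, so with the default linear strategy every host in `status_planned` passes the wait before any of them touches the file, and if `lockfile` (defined in deploy-variables.yml, outside this diff) is a shared path, several hosts proceed at once and the first `Remove lock` in `always` drops the lock for all of them. Adding `serial: 1` under `- hosts: status_planned`, or `throttle: 1` on the two lock tasks, makes the check-then-create sequence effectively atomic. Separately, `Assign variables`, `Write tag and journal` and `Restore original tags` lack the `no_log: true` that every query block carries; if the imported evaluate tasks set facts from the same query results, or the tag tasks pass `token` as a module argument, a failure there would print that data to the log, so either mark them `no_log` as well or confirm the imported files contain nothing sensitive.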
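--- a/ansible/deployment_poc/shell/configure_sshd.sh
+++ b/ansible/deployment_poc/shell/configure_sshd.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 13/02/2022
+
+PUBKEY="$1"
+
+
+get_ip_address () {
+case $KERNEL in
+"OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+;;
+"Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+;;
+esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
+if [ ! -d /etc/ssh/old ]; then
+mkdir /etc/ssh/old
+fi
+if [ -f /etc/ssh/ssh_known_hosts ]; then
+mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
+fi
+#if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+#mv /etc/ssh/ssh_host_* /etc/ssh/old/
+#fi
+if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+mv /etc/ssh/ssh_host_* /etc/ssh/old/
+fi
+mv /etc/ssh/sshd_config /etc/ssh/old/
+if [ -f /etc/ssh/ssh_config ]; then
+mv /etc/ssh/ssh_config /etc/ssh/old/
+fi
+cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress %%IP_ADDRESS%%
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/%%HOSTNAME%%
+HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
+echo "$PUBKEY" > /etc/ssh/user_ca
+case $KERNEL in
+"OpenBSD" ) rcctl reload sshd
+;;
+"Linux" ) systemctl reload sshd
+;;
+esac
+echo "OK"
+else
+echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
+fi
+else
+echo "Unsupported operating system, please configure sshd manually."
+fi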
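Review bot: `LogLevel FATAL` in the generated sshd_config suppresses every authentication record, so neither successful certificate logins nor failed attempts reach syslog and there is nothing for a SIEM, auditd correlation or fail2ban to work from; `LogLevel VERBOSE` is the usual choice with CA-based auth because it also logs the certificate ID and key fingerprint of each login. The script also writes `$1` to `/etc/ssh/user_ca` unchecked, so an empty or malformed argument produces an empty `TrustedUserCAKeys` file and locks every user out after the reload, and the new sshd_config is never validated before `reload` (OpenSSH keeps the old config on a failed reload, but the script still prints `OK`). I would reject a bad argument up front with `ssh-keygen -l`, switch the log level, and run `sshd -t` before reloading, restoring the backed-up config on failure, as sketched below.
```shell
PUBKEY="$1"
if [ -z "$PUBKEY" ] || ! printf '%s\n' "$PUBKEY" | ssh-keygen -l -f /dev/stdin >/dev/null 2>&1; then
    echo "Usage: $0 '<user CA public key>' - argument missing or not a valid OpenSSH public key" >&2
    exit 1
fi
# … unchanged: get_ip_address, hostname/kernel detection, backup of old keys and configs, start of heredoc …
LogLevel VERBOSE
# … unchanged: remainder of the heredoc, sed substitution …
echo "$PUBKEY" > /etc/ssh/user_ca
if ! sshd -t; then
    echo "sshd_config failed validation, restoring previous configuration" >&2
    mv /etc/ssh/old/sshd_config /etc/ssh/sshd_config
    exit 1
fi
# … unchanged: rcctl/systemctl reload, status messages …
```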
38
ansible/deployment_poc/tasks/autoyast_assistant.yml
Normal file
38
ansible/deployment_poc/tasks/autoyast_assistant.yml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
- name: Monitor OS installation
|
||||
block:
|
||||
- name: Monitor first stage
|
||||
ansible.builtin.expect:
|
||||
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
|
||||
responses:
|
||||
"reboot: Restarting system":
|
||||
- "\u001d"
|
||||
timeout: 720
|
||||
ignore_errors: true
|
||||
no_log: true
|
||||
|
||||
- name: Destroy
|
||||
community.libvirt.virt:
|
||||
uri: "{{ libvirt_url }}"
|
||||
command: destroy
|
||||
name: "{{ vm_name }}"
|
||||
state: destroyed
|
||||
|
||||
- name: Start
|
||||
community.libvirt.virt:
|
||||
uri: "{{ libvirt_url }}"
|
||||
command: start
|
||||
name: "{{ vm_name }}"
|
||||
state: running
|
||||
|
||||
- name: Unlock
|
||||
ansible.builtin.expect:
|
||||
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
|
||||
responses:
|
||||
"Please enter passphrase for disk cr_root:":
|
||||
- "{{ luks_passphrase }}"
|
||||
- "\u001d"
|
||||
ignore_errors: yes
|
||||
no_log: true
|
||||
|
||||
delegate_to: localhost
|
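Review bot: The `Unlock` task types `luks_passphrase` into the serial console under `ignore_errors: yes` and `no_log: true`, so a mismatched prompt string, the `expect` module's default 30-second timeout, or a rejected passphrase is silently swallowed and the play continues against a VM whose root volume never unlocked. Register the result and fail on it explicitly, e.g. `register: luks_unlock` with `failed_when: luks_unlock.rc != 0`, and give the task an explicit `timeout:` sized for first boot the way `Monitor first stage` already does with `timeout: 720`. The passphrase also transits the libvirt console channel; if `libvirt_url` is a plain TCP URI rather than a `qemu+ssh://` or TLS one (not visible here), it crosses the network in the clear, so that is worth confirming.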
40
ansible/deployment_poc/tasks/configure_dhcp.yml
Normal file
40
ansible/deployment_poc/tasks/configure_dhcp.yml
Normal file
@ -0,0 +1,40 @@
|
||||
---
|
||||
- name: Configure DHCP
|
||||
block:
|
||||
- name: Set DHCP host OS
|
||||
set_fact:
|
||||
dhcp_os: "{{ hostvars[dhcp_host]['platforms'][0] }}"
|
||||
|
||||
- name: Insert DHCP host block
|
||||
ansible.builtin.blockinfile:
|
||||
#backup: yes
|
||||
block: "{{ lookup('template', '../templates/dhcpd.conf.j2') }}"
|
||||
marker: "### {mark} Ansible managed block for {{ vm_name }} ###"
|
||||
path: "/etc/dhcpd.conf"
|
||||
#delegate_to: "{{ dhcp_host }}"
|
||||
become: yes
|
||||
become_method: doas
|
||||
when: dhcp_os == 'openbsd-x86_64'
|
||||
|
||||
- name: Restart dhcpd
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/doas
|
||||
- rcctl
|
||||
- restart
|
||||
- dhcpd
|
||||
when: dhcp_os == 'openbsd-x86_64'
|
||||
|
||||
- name: Insert DHCP static mapping
|
||||
vyos.vyos.vyos_config:
|
||||
backup: yes
|
||||
backup_options:
|
||||
dir_path: "/tmp/"
|
||||
comment: "Configured as part of {{ vm_name }} deployment"
|
||||
lines:
|
||||
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} mac-address {{ mac_address }}"
|
||||
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} ip-address {{ ip_address }}"
|
||||
save: no # CHANGE BEFORE ROLLOUT
|
||||
when: dhcp_os == 'vyos-x86_64'
|
||||
delegate_to: "{{ dhcp_host }}"
|
||||
|
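Review bot: `backup: yes` with `dir_path: "/tmp/"` stores a copy of the full VyOS running configuration (user password hashes and any VPN or SNMP secrets it holds) in a world-readable directory on the controller, where any local user can read it; point it at a directory inside the playbook tree with restrictive permissions, e.g. `dir_path: "{{ playbook_dir }}/backups/"` (and add it to `.gitignore`). The `save: no # CHANGE BEFORE ROLLOUT` line means the static mapping is lost on the next router reboot, so the VM silently loses its reservation — this should be resolved before the file leaves PoC status. For the OpenBSD branch, `blockinfile` supports `validate: 'dhcpd -n -c %s'`, which would stop `rcctl restart dhcpd` from taking the service down on a malformed block.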
56
ansible/deployment_poc/tasks/configure_dns.yml
Normal file
56
ansible/deployment_poc/tasks/configure_dns.yml
Normal file
@ -0,0 +1,56 @@
|
||||
---
|
||||
- name: Configure DNS
|
||||
block:
|
||||
- name: Set FQDNs
|
||||
set_fact:
|
||||
dns_fqdn: "{{ lookup('community.general.dig', dns_ip + '/PTR') }}"
|
||||
vm_fqdn: "{{ vm_name + '.' + namespace }}"
|
||||
tags:
|
||||
- init_ssh
|
||||
|
||||
- name: Gather DNS hostname and zonename
|
||||
set_fact:
|
||||
dns_host: "{{ dns_fqdn.split('.')[0] }}"
|
||||
zone: "{{ namespace.split('.')[1] + '.' + namespace.split('.')[2] }}"
|
||||
|
||||
- name: Set DNS host OS
|
||||
set_fact:
|
||||
dns_os: "{{ hostvars[dns_host]['platforms'][0] }}"
|
||||
|
||||
- name: Insert DNS record
|
||||
ansible.builtin.blockinfile:
|
||||
#backup: yes
|
||||
block: "{{ lookup('template', '../templates/nsd_zone.j2') }}"
|
||||
marker: "; {mark} Ansible managed block for {{ vm_name }}"
|
||||
path: "/var/nsd/zones/master/{{ zone }}.zone"
|
||||
when: dns_os == 'openbsd-x86_64'
|
||||
delegate_to: "{{ dns_host }}"
|
||||
|
||||
- name: Reload DNS zone
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/doas
|
||||
- nsd-control
|
||||
- reload
|
||||
- "{{ zone }}"
|
||||
when: dhcp_os == 'openbsd-x86_64'
|
||||
delegate_to: "{{ dns_host }}"
|
||||
|
||||
- name: Insert DNS static host mapping
|
||||
vyos.vyos.vyos_config:
|
||||
backup: yes
|
||||
backup_options:
|
||||
dir_path: "/tmp/"
|
||||
comment: "Configured as part of {{ vm_name }} deployment"
|
||||
lines:
|
||||
- "set system static-host-mapping host-name {{ vm_fqdn }} inet {{ ip_address }}"
|
||||
- "set system static-host-mapping host-name {{ vm_fqdn }} alias {{ vm_name }}"
|
||||
save: no # CHANGE BEFORE ROLLOUT
|
||||
when: dns_os == 'vyos-x86_64'
|
||||
delegate_to: "{{ dns_host }}"
|
||||
|
||||
always:
|
||||
- name: Debug
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ dns_ip if dns_ip is defined }} - {{ dns_host if dns_host is defined }} - {{ dns_fqdn if dns_fqdn is defined }} - {{ dns_os if dns_os is defined }} - {{ vm_fqdn if vm_fqdn is defined }} - {{ zone if zone is defined }}"
|
||||
|
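Review bot: `Reload DNS zone` is gated on `when: dhcp_os == 'openbsd-x86_64'`, but this file sets `dns_os`, so the reload either errors on an undefined `dhcp_os` or runs according to the DHCP host's platform left over from `configure_dhcp.yml`; it should read `when: dns_os == 'openbsd-x86_64'`. The backup `dir_path: "/tmp/"` leaves the VyOS configuration world-readable on the controller, same concern as in the DHCP task. Resolving each `dns_servers` entry to an inventory host via an unauthenticated PTR lookup (`dns_fqdn`) means a stale or poisoned reverse record redirects the privileged doas zone edit to whichever inventory host that name matches; keying `dns_servers` by inventory hostname in the config context would remove that dependency. `zone:` also assumes `namespace` has exactly three labels, which is worth an `assert` given it decides which zone file is edited.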
55
ansible/deployment_poc/tasks/configure_dps.yml
Normal file
55
ansible/deployment_poc/tasks/configure_dps.yml
Normal file
@ -0,0 +1,55 @@
|
||||
---
|
||||
- name: Configure Deployment Server
|
||||
block:
|
||||
- name: Set DP host OS
|
||||
set_fact:
|
||||
dp_os: "{{ hostvars[deployment_host]['platforms'][0] }}"
|
||||
|
||||
- name: Prepare Grub host file
|
||||
ansible.builtin.template:
|
||||
src: ../templates/grub.j2
|
||||
dest: "/srv/www/boot/hosts/{{ ip_address }}.cfg"
|
||||
group: wheel
|
||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
||||
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
|
||||
|
||||
- name: Prepare unattended installation
|
||||
ansible.builtin.template:
|
||||
src: "../templates/autoinst_{{ namespace }}.xml.j2"
|
||||
dest: "/srv/www/autoinst_{{ vm_name }}.xml"
|
||||
group: wheel
|
||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
||||
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
|
||||
|
||||
- name: Prepare Grub host file for http
|
||||
ansible.builtin.template:
|
||||
src: ../templates/grub.j2
|
||||
dest: "/var/www/htdocs/www/boot/hosts/{{ ip_address }}.cfg"
|
||||
group: wheel
|
||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
||||
when: dp_os == 'openbsd-x86_64'
|
||||
|
||||
- name: Prepare Grub host file for tftp
|
||||
ansible.builtin.template:
|
||||
src: ../templates/grub.j2
|
||||
dest: "/tftpboot/boot/hosts/{{ ip_address }}.cfg"
|
||||
group: wheel
|
||||
mode: '0444'
|
||||
when: dp_os == 'openbsd-x86_64'
|
||||
|
||||
- name: Generate LUKS passphrase #does not quite belong here
|
||||
set_fact:
|
||||
luks_passphrase: "{{ lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname) }}"
|
||||
no_log: true
|
||||
|
||||
- name: Prepare unattended installation
|
||||
ansible.builtin.template:
|
||||
src: "../templates/autoinst_{{ namespace }}.xml.j2"
|
||||
dest: "/var/www/htdocs/www/autoinst_{{ vm_name }}.xml"
|
||||
group: wheel
|
||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
||||
when: dp_os == 'openbsd-x86_64'
|
||||
|
||||
delegate_to: "{{ deployment_host }}"
|
||||
tags:
|
||||
- init_dp
|
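Review bot: `luks_passphrase` comes from `lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname)`, which makes it a deterministic function of the VM name: anyone who knows the lookup parameters (they are in this repository) can regenerate the disk-encryption passphrase for every VM, and the seeded generator is Python's `random`, not a CSPRNG, so 15 hex characters yields far less than the nominal 60 bits. Drop the seed and persist the secret next to the CA material, e.g. `luks_passphrase: "{{ lookup('password', ssh_ca_path ~ '/luks/' ~ vm_name, length=32) }}"`, or generate it out of band and keep it in a vault. The passphrase is presumably rendered into `autoinst_{{ vm_name }}.xml` (the template is not visible here); that file is written `0444` into the web root the installer fetches from, so if that server is plain HTTP with no client restriction the passphrase is readable by anyone on the provisioning network until the file is removed — a post-install cleanup task would at least bound the window.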
79
ansible/deployment_poc/tasks/configure_libvirt.yml
Normal file
79
ansible/deployment_poc/tasks/configure_libvirt.yml
Normal file
@ -0,0 +1,79 @@
|
||||
---
|
||||
- name: Provision VM
|
||||
block:
|
||||
- name: Query volumes
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/virsh
|
||||
- -c
|
||||
- "{{ libvirt_url }}"
|
||||
- vol-list
|
||||
- "{{ storage.name }}"
|
||||
register: volumes
|
||||
no_log: true
|
||||
|
||||
- name: Create storage template
|
||||
ansible.builtin.template:
|
||||
src: "../templates/libvirt-storage-template.xml.j2"
|
||||
dest: "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
|
||||
group: lysergic
|
||||
mode: '0660'
|
||||
when: vm_name not in volumes.stdout
|
||||
|
||||
- name: Define volume
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/virsh
|
||||
- -c
|
||||
- "{{ libvirt_url }}"
|
||||
- vol-create
|
||||
- "{{ storage.name }}"
|
||||
- "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
|
||||
when: vm_name not in volumes.stdout
|
||||
|
||||
# https://gitlab.com/libvirt/libvirt/-/issues/135
|
||||
- name: Fetch volume path
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/virsh
|
||||
- -c
|
||||
- "{{ libvirt_url }}"
|
||||
- vol-path
|
||||
- --pool
|
||||
- "{{ storage.name }}"
|
||||
- "{{ inventory_hostname }}_root_disk.qcow2"
|
||||
register: volpath
|
||||
|
||||
- name: Store volume path
|
||||
set_fact:
|
||||
volume_path: "{{ volpath.stdout }}"
|
||||
|
||||
- name: Create domain template
|
||||
ansible.builtin.template:
|
||||
src: "../templates/libvirt-template.xml.j2"
|
||||
dest: "../templates/generated/libvirt-{{ inventory_hostname }}.xml"
|
||||
group: lysergic
|
||||
mode: '0660'
|
||||
|
||||
- name: Define domain
|
||||
community.libvirt.virt:
|
||||
uri: "{{ libvirt_url }}"
|
||||
command: define
|
||||
xml: "{{ lookup('template', '../templates/libvirt-template.xml.j2') }}"
|
||||
autostart: no
|
||||
# delegate_to: localhost
|
||||
|
||||
- name: Fetch MAC address
|
||||
ansible.builtin.shell: "/usr/bin/virsh -c {{ libvirt_url }} domiflist {{ vm_name }} | awk '{print $5}' | cut -d/ -f 1 | tail -n 2 | head -n 1" # ewww :-(
|
||||
register: domiflist_mac
|
||||
|
||||
- name: Store MAC address
|
||||
set_fact:
|
||||
mac_address: "{{ domiflist_mac.stdout }}"
|
||||
|
||||
delegate_to: localhost
|
||||
|
||||
always:
|
||||
- name: Debug
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ libvirt_url if libvirt_url is defined }} - {{ storage.name if storage is defined }} - {{ mac_address if mac_address is defined }}"
|
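Review bot: `when: vm_name not in volumes.stdout` is a substring test, so a VM named `web` is considered to already have a volume whenever `web2_root_disk.qcow2` exists in the pool; the define step is then skipped and `vol-path` fails on the missing volume. Match the exact name instead, e.g. `when: not volumes.stdout_lines | select('match', '^\\s*' ~ inventory_hostname ~ '_root_disk\\.qcow2\\s') | list`. The `Fetch MAC address` pipeline (`awk | cut | tail | head`) returns whatever text lands in column five, and that value is later interpolated into dhcpd.conf, VyOS `set` commands and NetBox JSON without any check, so an `ansible.builtin.assert` with `that: mac_address is match('^([0-9a-f]{2}:){5}[0-9a-f]{2}$')` right after `Store MAC address` would fail fast instead of propagating garbage into three systems.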
65
ansible/deployment_poc/tasks/configure_ssh.yml
Normal file
65
ansible/deployment_poc/tasks/configure_ssh.yml
Normal file
@ -0,0 +1,65 @@
|
||||
---
|
||||
- name: Configure SSH server
|
||||
block:
|
||||
- name: Switch user
|
||||
set_fact:
|
||||
ansible_user_original: "{{ lookup('env', 'USER') }}"
|
||||
ansible_ssh_private_key_file_original: "{{ ansible_ssh_private_key_file }}"
|
||||
ansible_user: install
|
||||
ansible_ssh_private_key_file: "{{ installkey }}"
|
||||
|
||||
- name: Test 1
|
||||
ansible.builtin.raw: whoami
|
||||
vars:
|
||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||
|
||||
- name: Install SSH host certificate
|
||||
ansible.builtin.copy:
|
||||
checksum: "{{ stat_ssh_cert.stat.checksum }}"
|
||||
dest: "/etc/ssh/{{ vm_name }}"
|
||||
group: root
|
||||
local_follow: no
|
||||
mode: 0400
|
||||
owner: root
|
||||
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
||||
become: yes
|
||||
become_method: sudo
|
||||
become_user: root
|
||||
vars:
|
||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||
|
||||
- name: Install SSH host key
|
||||
ansible.builtin.copy:
|
||||
checksum: "{{ stat_ssh_spk.stat.checksum }}"
|
||||
dest: "/etc/ssh/{{ vm_name }}-cert.pub"
|
||||
group: root
|
||||
local_follow: no
|
||||
mode: 0444
|
||||
owner: root
|
||||
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
||||
become: yes
|
||||
become_method: sudo
|
||||
become_user: root
|
||||
vars:
|
||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||
|
||||
- name: Install sshd configuration
|
||||
ansible.builtin.script:
|
||||
cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"
|
||||
become: yes
|
||||
become_method: sudo
|
||||
become_user: root
|
||||
vars:
|
||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
||||
|
||||
- name: Switch user
|
||||
set_fact:
|
||||
ansible_user: "{{ ansible_user_original }}"
|
||||
ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file_original }}"
|
||||
|
||||
- name: Test 2
|
||||
ansible.builtin.raw: whoami
|
||||
|
||||
tags:
|
||||
- init_ssh
|
||||
|
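Review bot: The tasks that connect as `install` all set `-o StrictHostKeyChecking=no`, and the first of them (`Install SSH host certificate`, despite its name) pushes the VM's private host key `{{ ssh_ca_path }}/host_keys/{{ vm_name }}` over that unverified connection, so anything answering on `ip_address` during the first-boot window receives a CA-signed host identity plus a sudo-capable session. The first-boot key is only unknown because it is generated on the guest; since the playbook already drives the serial console, the fingerprint printed there could be pinned into a `UserKnownHostsFile`, or the key and certificate could be delivered through the autoinst profile and this SSH hop dropped entirely. Separately, the two copy tasks' names are swapped (the first copies the private key, the second the certificate), and `cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"` breaks if `ca_pk` ever contains a quote — `{{ ca_pk | quote }}` is the safer form.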
7
ansible/deployment_poc/tasks/init_dhcp.yml
Normal file
7
ansible/deployment_poc/tasks/init_dhcp.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- name: Initialize DHCP configurator
|
||||
include_tasks: "../tasks/configure_dhcp.yml"
|
||||
vars:
|
||||
dhcp_host: "{{ item }}"
|
||||
with_items: "{{ dhcp_servers }}"
|
||||
|
9
ansible/deployment_poc/tasks/init_dns.yml
Normal file
9
ansible/deployment_poc/tasks/init_dns.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
- name: Initialize DNS configurator
|
||||
include_tasks: "../tasks/configure_dns.yml"
|
||||
vars:
|
||||
dns_ip: "{{ item }}"
|
||||
with_items: "{{ dns_servers }}"
|
||||
tags:
|
||||
- init_ssh
|
||||
|
10
ansible/deployment_poc/tasks/init_dps.yml
Normal file
10
ansible/deployment_poc/tasks/init_dps.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Initialize Deployment Server configurator
|
||||
include_tasks: "../tasks/configure_dps.yml"
|
||||
vars:
|
||||
deployment_host: "{{ item }}"
|
||||
with_items: "{{ deployment_servers }}"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
54
ansible/deployment_poc/tasks/init_ssh.yml
Normal file
54
ansible/deployment_poc/tasks/init_ssh.yml
Normal file
@ -0,0 +1,54 @@
|
||||
---
|
||||
- name: Initialize SSH host keys
|
||||
block:
|
||||
- name: Generate SSH host keypair
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- ssh-keygen
|
||||
- -f
|
||||
- "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
||||
- -t
|
||||
- ed25519
|
||||
- -C
|
||||
- "{{ vm_fqdn }}"
|
||||
- -N
|
||||
- ""
|
||||
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
||||
|
||||
- name: Evaluate certificate
|
||||
ansible.builtin.stat:
|
||||
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
||||
get_attributes: no
|
||||
register: stat_ssh_cert
|
||||
|
||||
# - name: Sign SSH host key
|
||||
# ansible.builtin.command:
|
||||
# argv:
|
||||
# - ssh-keygen
|
||||
# - -s
|
||||
# - "{{ ssh_ca_path }}/{{ tenant }}"
|
||||
# - -I
|
||||
# - "{{ ssh_ca_prefix }} - {{ vm_fqdn }}"
|
||||
# - -hn
|
||||
# - "{{ vm_fqdn }}"
|
||||
# - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
|
||||
# creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
||||
|
||||
- name: Sign SSH host key
|
||||
ansible.builtin.expect:
|
||||
command: ssh-keygen -s "{{ ssh_ca_path }}/{{ tenant }}" -I "{{ ssh_ca_prefix }} - {{ vm_fqdn }}" -hn "{{ vm_fqdn }}" "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
|
||||
responses:
|
||||
Enter passphrase: "{{ ca_pp }}"
|
||||
timeout: 3
|
||||
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
||||
|
||||
- name: Evaluate public key
|
||||
ansible.builtin.stat:
|
||||
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
||||
get_attributes: no
|
||||
register: stat_ssh_spk
|
||||
|
||||
no_log: true
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_ssh
|
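Review bot: The host certificate is signed without `-V`, so it carries no validity period and never expires; a host key that leaks (and the private key also stays on the controller under `host_keys/` after deployment) remains trusted by every client until the CA is rotated or a KRL is distributed. Add a bounded validity such as `-V +52w` and plan for periodic re-signing. The task named `Evaluate certificate` actually stats the private key, `timeout: 3` on the `expect` is tight for a passphrase-protected CA on a loaded controller (15 is safer), and because `expect` only takes a command string, each interpolated value (`ssh_ca_prefix`, `vm_fqdn`) should get `| quote` so a stray quote cannot break the signing command.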
42
ansible/deployment_poc/tasks/init_vm_console.yml
Normal file
42
ansible/deployment_poc/tasks/init_vm_console.yml
Normal file
@ -0,0 +1,42 @@
|
||||
---
|
||||
- name: Start VM and attach console inside tmux
|
||||
block:
|
||||
- name: Start VM
|
||||
community.libvirt.virt:
|
||||
uri: "{{ libvirt_url }}"
|
||||
command: start
|
||||
name: "{{ vm_name }}"
|
||||
state: running
|
||||
|
||||
- name: Spawn tmux session
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/tmux
|
||||
- -S
|
||||
- /tmp/ansible
|
||||
- new-session
|
||||
- -d
|
||||
- -s
|
||||
- "{{ vm_name }}"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Attach console inside tmux
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- /usr/bin/tmux
|
||||
- -S
|
||||
- /tmp/ansible
|
||||
- new-window
|
||||
- -t
|
||||
- "{{ vm_name }}"
|
||||
- /usr/bin/virsh
|
||||
- -c
|
||||
- "{{ libvirt_url }}"
|
||||
- console
|
||||
- "{{ vm_name }}"
|
||||
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_ssh
|
||||
|
||||
|
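Review bot: The tmux server socket is created at the fixed path `/tmp/ansible`, in a world-writable directory shared with every local user on the controller; another user can pre-create a socket or their own tmux server there, and because `new-session` runs with `ignore_errors: true` the play will then `new-window` the VM's serial console into that foreign server. Use a per-user location, e.g. `-L ansible-{{ vm_name }}` (tmux then uses its own mode-0700 socket directory) instead of `-S /tmp/ansible`, and replace `ignore_errors` with a registered result that only tolerates the `duplicate session` error. I have not verified whether tmux refuses a `-S` socket owned by another uid, so treat the foreign-server case as a possibility to close rather than a confirmed path.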
61
ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml
Normal file
61
ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml
Normal file
@ -0,0 +1,61 @@
|
||||
---
|
||||
- name: Evaluate cluster
|
||||
block:
|
||||
- name: Increment counters
|
||||
set_fact:
|
||||
retry_count: "{{ 0 if retry_count is undefined else retry_count | int +1 }}"
|
||||
host_count: "{{ 0 if retry_count is undefined else host_count | int +1 }}"
|
||||
|
||||
- name: Pick cluster host
|
||||
set_fact:
|
||||
#host_choice: "{{ nb_hosts.json.results[nb_hosts.json.count | random | int] }}" #PICK RANDOM
|
||||
#host_choice: "{{ nb_hosts.json.results[1] }}" #FAIL TEST
|
||||
host_choice: "{{ nb_hosts.json.results[host_count | int] }}" #INCREMENT
|
||||
no_log: true
|
||||
|
||||
- name: Evaluate cluster host status
|
||||
set_fact:
|
||||
host_status: "{{ host_choice.status.value }}"
|
||||
#register: host_status
|
||||
|
||||
- name: Evaluate cluster host name
|
||||
set_fact:
|
||||
host: "{{ host_choice.name }}"
|
||||
|
||||
- name: Evaluate cluster host status
|
||||
fail:
|
||||
msg: Host is not ready.
|
||||
when: host_status != 'active'
|
||||
|
||||
- name: Evaluate cluster host configuration
|
||||
block:
|
||||
- name: Cluster derived variables 1/2
|
||||
set_fact:
|
||||
storage: "{{ host_choice.config_context.storage[0] }}"
|
||||
deployment_servers: "{{ host_choice.config_context.deployment_servers }}"
|
||||
dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}"
|
||||
dns_servers: "{{ host_choice.config_context.dns_servers }}"
|
||||
namespace: "{{ host_choice.config_context.namespace }}"
|
||||
gateway: "{{ host_choice.config_context.gateway }}"
|
||||
- name: Cluster derived variables 2/2
|
||||
set_fact:
|
||||
namespace_short: "{{ namespace.split('.')[0] }}"
|
||||
when: host_status == 'active'
|
||||
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
||||
rescue:
|
||||
- name: Check retry counter
|
||||
fail:
|
||||
msg: "Too many retries - no host is ready"
|
||||
when: retry_count | int == 3 and host_status != 'active'
|
||||
|
||||
- debug:
|
||||
msg: "{{ host if host is defined }} - {{ host_status if host_status is defined }}"
|
||||
|
||||
- name: Re-evaluate cluster
|
||||
include_tasks: "../tasks/netbox_evaluate_cluster.yml"
|
||||
when: host_status != 'active'
|
||||
|
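Review bot: `host_count` is initialised by testing `retry_count is undefined` rather than its own name, and both counters advance in lock-step, so the retry limit of 3 is really an index limit: on a cluster with fewer than four hosts the later iterations fail on an out-of-range `nb_hosts.json.results[host_count | int]` rather than on a status check, and the `Too many retries` message is reached through index errors. If the first iteration fails before `host_status` is set, the rescue's `when: host_status != 'active'` itself errors on an undefined variable. Bound the loop by the real result count, e.g. `when: retry_count | int >= nb_hosts.json.count | int`, and guard the recursion with `host_status is defined and host_status != 'active'`.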
10
ansible/deployment_poc/tasks/netbox_evaluate_interface.yml
Normal file
10
ansible/deployment_poc/tasks/netbox_evaluate_interface.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Register interface ID
|
||||
set_fact:
|
||||
ifid: '{{ nb_interface_2.json.results[0].id }}'
|
||||
when: "nb_interface_1.status|int == 400"
|
||||
|
||||
- name: Register interface ID
|
||||
set_fact:
|
||||
ifid: '{{ nb_interface_1.json.id }}'
|
||||
when: "nb_interface_1.status|int == 201"
|
21
ansible/deployment_poc/tasks/netbox_evaluate_ip.yml
Normal file
21
ansible/deployment_poc/tasks/netbox_evaluate_ip.yml
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
- name: Define existing IP address
|
||||
set_fact:
|
||||
ip_address: "{{ nb_ip_1.json.results[0].address | ansible.netcommon.ipaddr('address') }}"
|
||||
ip_address_cidr: "{{ nb_ip_1.json.results[0].address }}"
|
||||
ip_address_type: "existing"
|
||||
ipid: "{{ nb_ip_1.json.results[0].id }}"
|
||||
when: "nb_ip_1.status|int == 200 and nb_ip_1.json.count|int != 0 and (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value == 'active')"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
||||
- name: Define new IP address
|
||||
set_fact:
|
||||
ip_address: "{{ nb_ip_2.json[0].address | ansible.netcommon.ipaddr('address') }}"
|
||||
ip_address_cidr: "{{ nb_ip_2.json[0].address }}"
|
||||
ip_address_type: "new"
|
||||
when: "nb_ip_2.status is defined and nb_ip_2.status|int == 200"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
9
ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
Normal file
9
ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
- name: Evaluate prefix options
|
||||
set_fact:
|
||||
prefix_id: "{{ nb_prefix.json.results[0].id }}"
|
||||
prefix_display: "{{ nb_prefix.json.results[0].display }}"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
8
ansible/deployment_poc/tasks/netbox_evaluate_site.yml
Normal file
8
ansible/deployment_poc/tasks/netbox_evaluate_site.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Gather site configuration
|
||||
set_fact:
|
||||
site_id: "{{ nb_site.json.results[0].id }}"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
29
ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
Normal file
29
ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
Normal file
@ -0,0 +1,29 @@
|
||||
---
|
||||
- name: Pick hard- and software
|
||||
# not needed, can be pulled from hostvars
|
||||
set_fact:
|
||||
vcpus: "{{ nb_vm.json.results[0].vcpus | int }}"
|
||||
os: "{{ nb_vm.json.results[0].platform.name }}"
|
||||
|
||||
# - name: Pick virtual hardware specifications
|
||||
# # not needed, part of hostvars
|
||||
# set_fact:
|
||||
# memory: "{{ nb_vm.json.results[0].memory }}"
|
||||
# disk: "{{ nb_vm.json.results[0].disk }}"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
||||
- name: Pick metadata
|
||||
set_fact:
|
||||
id: "{{ nb_vm.json.results[0].id }}"
|
||||
site: "{{ hostvars[inventory_hostname]['sites'][0] }}"
|
||||
status: "{{ nb_vm.json.results[0].status.value }}"
|
||||
|
||||
# # not needed, part of hostvars
|
||||
# #tags: "{{ nb_vm.json.results[0].tags[0].slug }}"
|
||||
# #tags: "{{ nb_vm.json.results[0].tags | sum(start=[]) | map(attribute='slug') }}"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
20
ansible/deployment_poc/tasks/netbox_init_interface.yml
Normal file
20
ansible/deployment_poc/tasks/netbox_init_interface.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: Create VM interface objects
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/interfaces/"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: POST
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 201
|
||||
- 400 #interface name already exists. is there an elegant way to limit 400 to this particular case? regex parsing the response text for "The fields virtual_machine, name must make a unique set." would be ugly.
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
body_format: json
|
||||
body: ' {"virtual_machine": {{ id }}, "name": "eth0", "enabled": true, "mac_address": "{{ mac_address }}", "mode": "access"}'
|
||||
register: nb_interface_1
|
||||
delegate_to: localhost
|
||||
#no_log: true
|
||||
|
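Review bot: Accepting `400` wholesale for the "already exists" case means any validation failure of the POST — a malformed `mac_address` from the `domiflist` pipeline, a wrong `id` — is treated as "interface exists", and the follow-up query's `results[0]` then raises on an empty list far from the real cause. Narrow it with `failed_when: nb_interface_1.status == 400 and 'must make a unique set' not in (nb_interface_1.json | to_json)`; that is the check the comment dismisses, but it is one line. Building `body:` as a string with `{{ id }}` and `{{ mac_address }}` spliced in is also brittle; with `body_format: json` the module serialises a mapping, so `body: {virtual_machine: "{{ id }}", name: eth0, enabled: true, mac_address: "{{ mac_address }}", mode: access}` avoids the quoting problem.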
20
ansible/deployment_poc/tasks/netbox_init_ip.yml
Normal file
20
ansible/deployment_poc/tasks/netbox_init_ip.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: Create IP address object
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/ipam/ip-addresses/"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: POST
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 201
|
||||
- 400
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
body_format: json
|
||||
body: ' {"address": "{{ ip_address_cidr }}", "tenant": 1, "status": "active", "assigned_object_type": "virtualization.vminterface", "assigned_object_id": {{ ifid }}, "dns_name": "{{ vm_fqdn }}"}'
|
||||
register: nb_ip_3
|
||||
when: "ip_address_type|string == 'new'"
|
||||
delegate_to: localhost
|
||||
|
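Review bot: `"tenant": 1` hard-codes the tenant ID while the prefix query filters on the `tenant` variable, so an IP allocated for another tenant's VM is recorded against tenant 1 — a cross-tenant IPAM inconsistency that later tenant-scoped queries will not find. Use the same variable, e.g. `"tenant": {"slug": "{{ tenant }}"}`, rather than a literal. Accepting `400` here also leaves `nb_ip_3.json.id` undefined for `netbox_primaryip.yml`, so the primary-IP PATCH fails with an unrelated error; either drop `400` from `status_code` or check for it before the result is used.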
20
ansible/deployment_poc/tasks/netbox_primaryip.yml
Normal file
20
ansible/deployment_poc/tasks/netbox_primaryip.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: Register IP address object ID #only for new addresses, existing ones have ipid set in _evaluate_ip.yml
|
||||
set_fact:
|
||||
ipid: "{{ nb_ip_3.json.id }}"
|
||||
when: "ip_address_type|string == 'new'"
|
||||
|
||||
- name: Set primary IPv4 address
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: PATCH
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
body_format: json
|
||||
body: ' {"primary_ip4": {{ ipid }}}'
|
||||
delegate_to: localhost
|
||||
|
16
ansible/deployment_poc/tasks/netbox_query_cluster.yml
Normal file
16
ansible/deployment_poc/tasks/netbox_query_cluster.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
- name: Locate cluster hosts
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/dcim/devices/?cluster_id={{ nb_vm.json.results[0].cluster.id }}"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_hosts
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
15
ansible/deployment_poc/tasks/netbox_query_interface.yml
Normal file
15
ansible/deployment_poc/tasks/netbox_query_interface.yml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
- name: Query existing interface
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/interfaces/?name=eth0&virtual_machine_id={{ id }}"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_interface_2
|
||||
delegate_to: localhost
|
||||
when: "nb_interface_1.status|int == 400"
|
||||
|
34
ansible/deployment_poc/tasks/netbox_query_ip.yml
Normal file
34
ansible/deployment_poc/tasks/netbox_query_ip.yml
Normal file
@ -0,0 +1,34 @@
|
||||
---
|
||||
- name: Query existing address
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/ipam/ip-addresses?virtual_machine_id={{ id }}"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_ip_1
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
||||
- name: Query available address
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/ipam/prefixes/{{ prefix_id }}/available-ips/?limit=1"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_ip_2
|
||||
delegate_to: localhost
|
||||
when: "nb_ip_1.json.count|int == 0 or (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value != 'active')"
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
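Review bot: `GET .../available-ips/?limit=1` followed later by a separate POST to `ipam/ip-addresses/` is a check-then-act race: two deployments running concurrently (the visible lock appears to be per VM, not per prefix) can both be handed the same first free address. NetBox allocates atomically when you `POST` to `/ipam/prefixes/{{ prefix_id }}/available-ips/` with the address attributes (`dns_name`, `status`, `assigned_object_type`, `assigned_object_id`) in the body, which would replace both this task and `netbox_init_ip.yml`. The first URL is also missing its trailing slash (`ip-addresses?virtual_machine_id=`), so NetBox answers with a redirect first; `/ipam/ip-addresses/?...` avoids depending on redirect handling while an Authorization header is attached.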
17
ansible/deployment_poc/tasks/netbox_query_prefix.yml
Normal file
17
ansible/deployment_poc/tasks/netbox_query_prefix.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
- name: Query prefix
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/ipam/prefixes/?site_id={{ site_id }}&tenant={{ tenant }}&limit=1"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_prefix
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
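Review bot: The prefix is selected by `site_id`, `tenant` and `limit=1` only, so if the site/tenant pair has more than one prefix (a management and a customer network, or a container prefix) the VM is addressed out of whichever NetBox lists first and the later `available-ips` allocation silently lands in the wrong network. Add `status=active` and a `role` or `tag` filter that marks the deployment prefix to the query, and assert `nb_prefix.json.count | int == 1` before `netbox_evaluate_prefix.yml` reads `results[0]`.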
17
ansible/deployment_poc/tasks/netbox_query_site.yml
Normal file
17
ansible/deployment_poc/tasks/netbox_query_site.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
- name: Query site
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/dcim/sites/?slug={{ site }}"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_site
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
18
ansible/deployment_poc/tasks/netbox_query_vm.yml
Normal file
18
ansible/deployment_poc/tasks/netbox_query_vm.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
# consider ditching this block, would need to work around missing cluster ID in hostvars
|
||||
- name: Query VM
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/virtual-machines/?name={{ inventory_hostname }}"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: GET
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
register: nb_vm
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_dp
|
||||
- init_ssh
|
||||
|
24
ansible/deployment_poc/tasks/netbox_tags_post.yml
Normal file
24
ansible/deployment_poc/tasks/netbox_tags_post.yml
Normal file
@ -0,0 +1,24 @@
|
||||
---
|
||||
- name: Post-deployment tagging
|
||||
block:
|
||||
- name: Construct body for tagging
|
||||
set_fact:
|
||||
body2: ' {% for tag in tag_exist %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
|
||||
when: tag_exist is defined
|
||||
|
||||
- name: Set post-deployment tags
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: PATCH
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
body_format: json
|
||||
body: ' {"tags": [ {{ body2 }}]}'
|
||||
delegate_to: localhost
|
||||
when: body2 is defined
|
||||
no_log: true
|
||||
|
34
ansible/deployment_poc/tasks/netbox_tags_pre.yml
Normal file
34
ansible/deployment_poc/tasks/netbox_tags_pre.yml
Normal file
@ -0,0 +1,34 @@
|
||||
---
|
||||
- name: Pre-deployment tagging
|
||||
block:
|
||||
- name: Gather tags
|
||||
set_fact:
|
||||
tag_exist: "{{ tags }}"
|
||||
tag_append: "['active-deployment']"
|
||||
|
||||
- name: Merge tags
|
||||
set_fact:
|
||||
tag_merged: "{{ tag_merged + [item] }}"
|
||||
with_items:
|
||||
- "{{ tag_exist }}"
|
||||
- "{{ tag_append }}"
|
||||
|
||||
- name: Construct body for tagging
|
||||
set_fact:
|
||||
body1: ' {% for tag in tag_merged %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
|
||||
|
||||
- name: Set pre-deployment tags
|
||||
ansible.builtin.uri:
|
||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
||||
client_cert: "{{ cert }}"
|
||||
client_key: "{{ key }}"
|
||||
method: PATCH
|
||||
return_content: yes
|
||||
headers:
|
||||
Accept: application/json
|
||||
Authorization: "Token {{ token }}"
|
||||
body_format: json
|
||||
body: ' {"tags": [ {{ body1 }}]}'
|
||||
delegate_to: localhost
|
||||
no_log: true
|
||||
|
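Review bot: `tag_merged: "{{ tag_merged + [item] }}"` references `tag_merged` before any visible task defines it, so unless it is seeded elsewhere the first loop iteration fails on an undefined variable; `tag_merged: "{{ tag_exist + ['active-deployment'] }}"` in a single `set_fact` does the same without the loop and without relying on Ansible re-evaluating the string `"['active-deployment']"` into a list. Building `body1` by concatenating tag slugs into JSON text is fragile for the same reason as the other uri bodies; with `body_format: json` you can hand the module a structure, e.g. `body: {tags: "{{ tag_merged | map('community.general.dict_kv', 'slug') | list }}"}`. If `active-deployment` is meant as a concurrency marker, nothing visible here checks for it before starting, so two runs can still overlap.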
42
ansible/deployment_poc/tasks/wait.yml
Normal file
42
ansible/deployment_poc/tasks/wait.yml
Normal file
@ -0,0 +1,42 @@
|
||||
---
|
||||
- name: Sit patiently
|
||||
block:
|
||||
- name: Wait for guest to become alive
|
||||
wait_for:
|
||||
delay: 240
|
||||
connect_timeout: 3
|
||||
sleep: 15
|
||||
port: 22
|
||||
host: '{{ ip_address }}'
|
||||
search_regex: OpenSSH
|
||||
timeout: 600
|
||||
|
||||
# rescue:
|
||||
# - name: Destroy
|
||||
# community.libvirt.virt:
|
||||
# uri: "{{ libvirt_url }}"
|
||||
# command: destroy
|
||||
# name: "{{ vm_name }}"
|
||||
# state: destroyed
|
||||
#
|
||||
# - name: Start
|
||||
# community.libvirt.virt:
|
||||
# uri: "{{ libvirt_url }}"
|
||||
# command: start
|
||||
# name: "{{ vm_name }}"
|
||||
# state: running
|
||||
#
|
||||
# - name: Wait for guest to become alive
|
||||
# wait_for:
|
||||
# delay: 120
|
||||
# connect_timeout: 3
|
||||
# sleep: 15
|
||||
# port: 22
|
||||
# host: '{{ ip_address }}'
|
||||
# search_regex: OpenSSH
|
||||
# timeout: 600
|
||||
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- init_ssh
|
||||
|
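Review bot: The `block:` wraps a single wait_for with its `rescue:` commented out, so when the guest never answers on port 22 the play fails and the freshly defined domain is left running in whatever state it reached; either restore the rescue (the destroy/start/re-wait sequence sketched in the comments) or drop the block wrapper and state in a comment that a timeout leaves the VM for manual inspection. As far as I read wait_for, `delay: 240` is counted inside `timeout: 600`, leaving roughly six minutes of actual polling; if ten minutes of polling is intended, raise timeout and say so, e.g. `# delay covers the unattended install; timeout is measured from task start`. `search_regex: OpenSSH` only shows that something at `ip_address` speaks SSH, not that it is the new guest, so the host-key verification on the later connection (outside this view) is what establishes the guest's identity and should stay enabled.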
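--- a/ansible/deployment_poc/templates/dhcpd.conf.j2
+++ b/ansible/deployment_poc/templates/dhcpd.conf.j2
@@ -0,0 +1,5 @@
+host {{ vm_name }} {
+hardware ethernet {{ mac_address }};
+fixed-address {{ ip_address }};
+filename "shim.efi";
+}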
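Review bot: `vm_name`, `mac_address` and `ip_address` are written into dhcpd.conf with no format check, so a stray space, `;` or `}` in any of them (a mistyped MAC is the usual case) yields a config dhcpd refuses to load, which takes every other static lease on that server down with it. Validate the inputs before templating, e.g. an `ansible.builtin.assert` with `that: mac_address is match('^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$')` and an equivalent check on `ip_address`, and give the template task `validate: dhcpd -t -cf %s` so a bad render never reaches the daemon. `filename "shim.efi";` without a `next-server` relies on the DHCP server itself serving TFTP; a one-line comment stating that is intended would help the next reader.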
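--- a/ansible/deployment_poc/templates/grub.j2
+++ b/ansible/deployment_poc/templates/grub.j2
@@ -0,0 +1,3 @@
+default={% if os == 'openSUSE-Leap-x86_64' %}install-suse{% endif %}{% if os == 'OpenBSD-x86_64' %}install-openbsd{% endif %}
+
+{% if os == 'openSUSE-Leap-x86_64' %}installfile=autoinst_{{ vm_name }}.xml{% endif %}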
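Review bot: For any `os` value other than the two handled, the template renders `default=` empty and omits `installfile=`, so GRUB silently boots its first menu entry instead of the deployment failing. Guard the input before templating with `ansible.builtin.assert` and `that: os in ['openSUSE-Leap-x86_64', 'OpenBSD-x86_64']`, or add an `{% else %}` branch that makes the render fail; either way a comment naming the `install-suse` / `install-openbsd` menu entries this expects to exist in the generated grub.cfg would save the next maintainer a search.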
@ -0,0 +1,16 @@
|
||||
<volume type='file'>
|
||||
<name>{{ inventory_hostname }}_root_disk.qcow2</name>
|
||||
<source>
|
||||
</source>
|
||||
<capacity unit='GB'>{{ disk }}</capacity>
|
||||
<target>
|
||||
<path>{{ storage.name }}</path>
|
||||
<format type='qcow2'/>
|
||||
<permissions>
|
||||
<mode>0660</mode>
|
||||
<owner>455</owner>
|
||||
<group>453</group>
|
||||
</permissions>
|
||||
</target>
|
||||
</volume>
|
||||
|
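--- a/ansible/deployment_poc/templates/libvirt-template.xml.j2
+++ b/ansible/deployment_poc/templates/libvirt-template.xml.j2
@@ -0,0 +1,177 @@
+<domain type='kvm'>
+<name>{{ inventory_hostname }}</name>
+<metadata>
+<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+</libosinfo:libosinfo>
+</metadata>
+<memory unit='MB'>{{ memory }}</memory>
+<currentMemory unit='GB'>{{ memory }}</currentMemory>
+<vcpu placement='static'>{{ vcpus }}</vcpu>
+<resource>
+<partition>/machine</partition>
+</resource>
+<os>
+<type arch='x86_64' machine='pc-q35-5.2'>hvm</type>
+<!--loader readonly='yes' type='pflash'>/opt/firmware/OVMF_09012022_RELEASE_HTTPBOOT.fd</loader-->
+<loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
+<nvram>/var/lib/libvirt/qemu/nvram/{{ inventory_hostname }}_VARS.fd</nvram>
+<boot dev='hd'/>
+<boot dev='network'/>
+<bootmenu enable='no'/>
+</os>
+<features>
+<acpi/>
+<apic/>
+<vmport state='off'/>
+</features>
+<cpu mode='custom' match='exact' check='full'>
+<model fallback='forbid'>Broadwell-IBRS</model>
+<vendor>Intel</vendor>
+<feature policy='require' name='vme'/>
+<feature policy='require' name='ss'/>
+<feature policy='require' name='vmx'/>
+<feature policy='require' name='f16c'/>
+<feature policy='require' name='rdrand'/>
+<feature policy='require' name='hypervisor'/>
+<feature policy='require' name='arat'/>
+<feature policy='require' name='tsc_adjust'/>
+<feature policy='require' name='umip'/>
+<feature policy='require' name='md-clear'/>
+<feature policy='require' name='stibp'/>
+<feature policy='require' name='arch-capabilities'/>
+<feature policy='require' name='ssbd'/>
+<feature policy='require' name='xsaveopt'/>
+<feature policy='require' name='pdpe1gb'/>
+<feature policy='require' name='abm'/>
+<feature policy='require' name='skip-l1dfl-vmentry'/>
+<feature policy='require' name='pschange-mc-no'/>
+</cpu>
+<clock offset='utc'>
+<timer name='rtc' tickpolicy='catchup'/>
+<timer name='pit' tickpolicy='delay'/>
+<timer name='hpet' present='no'/>
+</clock>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<pm>
+<suspend-to-mem enabled='no'/>
+<suspend-to-disk enabled='no'/>
+</pm>
+<devices>
+<emulator>/usr/bin/qemu-system-x86_64</emulator>
+<disk type='file' device='disk'>
+<driver name='qemu' type='qcow2'/>
+<!--source pool='{{ storage.name }}' volume='{{ inventory_hostname }}_root_disk.qcow2' index='1'/-->
+<source file='{{ volume_path }}'/>
+<backingStore/>
+<target dev='vda' bus='virtio'/>
+<alias name='virtio-disk0'/>
+<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+</disk>
+<!--disk type='file' device='cdrom'>
+<driver name='qemu'/>
+<source file='/mnt/iso/openSUSE-Leap-15.3-NET-x86_64.iso'/>
+<target dev='sda' bus='sata'/>
+<readonly/>
+<boot order='2'/>
+<alias name='sata0-0-0'/>
+<address type='drive' controller='0' bus='0' target='0' unit='0'/>
+</disk-->
+<controller type='usb' index='0' model='qemu-xhci' ports='15'>
+<alias name='usb'/>
+<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+</controller>
+<controller type='sata' index='0'>
+<alias name='ide'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+</controller>
+<controller type='pci' index='0' model='pcie-root'>
+<alias name='pcie.0'/>
+</controller>
+<controller type='pci' index='1' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='1' port='0x8'/>
+<alias name='pci.1'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+</controller>
+<controller type='pci' index='2' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='2' port='0x9'/>
+<alias name='pci.2'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+</controller>
+<controller type='pci' index='3' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='3' port='0xa'/>
+<alias name='pci.3'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+</controller>
+<controller type='pci' index='4' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='4' port='0xb'/>
+<alias name='pci.4'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+</controller>
+<controller type='pci' index='5' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='5' port='0xc'/>
+<alias name='pci.5'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+</controller>
+<controller type='pci' index='6' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='6' port='0xd'/>
+<alias name='pci.6'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+</controller>
+<controller type='pci' index='7' model='pcie-root-port'>
+<model name='pcie-root-port'/>
+<target chassis='7' port='0xe'/>
+<alias name='pci.7'/>
+<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
+</controller>
+<controller type='virtio-serial' index='0'>
+<alias name='virtio-serial0'/>
+<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+</controller>
+<interface type='network'>
+<source network='LAN01'/>
+<model type='virtio'/>
+<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+</interface>
+<serial type='pty'>
+<source path='/dev/pts/4'/>
+<target type='isa-serial' port='0'>
+<model name='isa-serial'/>
+</target>
+<alias name='serial0'/>
+</serial>
+<console type='pty' tty='/dev/pts/4'>
+<source path='/dev/pts/4'/>
+<target type='serial' port='0'/>
+<alias name='serial0'/>
+</console>
+<channel type='unix'>
+<target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
+<alias name='channel0'/>
+<address type='virtio-serial' controller='0' bus='0' port='1'/>
+</channel>
+<input type='mouse' bus='ps2'>
+<alias name='input0'/>
+</input>
+<input type='keyboard' bus='ps2'>
+<alias name='input1'/>
+</input>
+<memballoon model='virtio'>
+<alias name='balloon0'/>
+<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+</memballoon>
+<rng model='virtio'>
+<backend model='random'>/dev/urandom</backend>
+<alias name='rng0'/>
+<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+</rng>
+</devices>
+</domain>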
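Review bot: `<memory unit='MB'>{{ memory }}</memory>` and `<currentMemory unit='GB'>{{ memory }}</currentMemory>` feed the same value with different units, so currentMemory is declared 1000× the maximum; in my experience libvirt refuses such a definition ("current memory exceeds maximum"), so use one unit on both lines, e.g. `<memory unit='MiB'>{{ memory }}</memory>` and `<currentMemory unit='MiB'>{{ memory }}</currentMemory>`. Several elements look like runtime state captured from a running domain rather than configuration: `<source path='/dev/pts/4'/>` and `tty='/dev/pts/4'` on the serial and console devices, `state='connected'` on the guest-agent channel, and every `<alias>`; libvirt assigns these itself, and a pty path pinned in a template is wrong for every guest except the one it was dumped from. The `<loader type='pflash'>` line carries no `secure='yes'` and `<features>` has no `<smm state='on'/>`, while the companion dhcpd template netboots `shim.efi`; if Secure Boot is meant to be enforced for these guests, the firmware image and those attributes need the secure-boot variant, and if it is not, a comment saying so would stop a later reader from assuming otherwise. The pinned `machine='pc-q35-5.2'` and CPU model also deserve a comment naming the host they were chosen for, since the `check='full'` policy makes the domain fail to start on a host that lacks any listed feature.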
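--- a/ansible/deployment_poc/templates/nsd_zone.j2
+++ b/ansible/deployment_poc/templates/nsd_zone.j2
@@ -0,0 +1,2 @@
+{{ vm_name }} IN A {{ ip_address }}
+{{ vm_name }}.{{ namespace_short }} IN A {{ ip_address }}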
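Review bot: Both records are `A` records, so if `ip_address` ever carries an IPv6 address the rendered zone is invalid and nsd refuses to reload it; assert the value is IPv4 before templating, or choose `A`/`AAAA` from the address family. The second owner name ends without a trailing dot, so it is relative to the zone's `$ORIGIN`; a comment stating which origin this fragment is appended to would prevent a double-suffix mistake when `namespace_short` already equals the zone name.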
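--- a/ca/orpheus.psyched.dev_ext.cnf
+++ b/ca/orpheus.psyched.dev_ext.cnf
@@ -0,0 +1,14 @@
+[v3_ca]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "Web Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.1 = orpheus.syscid.com
+DNS.2 = auth.syscid.com
+DNS.3 = www.syscid.com
+DNS.4 = sso.syscid.com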
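Review bot: `nsCertType = server` and `nsComment` are legacy Netscape extensions that current TLS stacks ignore, and the section is named `[v3_ca]` although it defines a CA:FALSE end-entity certificate; rename the section (e.g. `[v3_server]`, together with the `-extensions` argument that selects it) and drop the two `ns*` lines so the file states only what verifiers actually evaluate — the same applies to ca/server_cert_ext.cnf and ca/web.sun.lysergic.dev_ext.cnf. `keyUsage = critical, digitalSignature, keyEncipherment` is correct for an RSA key, but `keyEncipherment` has no meaning for an ECDSA key, so if the signing procedure ever accepts EC keys the keyUsage line needs to depend on the key type. The file is named for orpheus.psyched.dev while every SAN is under syscid.com; confirm which host this is for and keep the file name and SAN list consistent so the wrong extension file is not picked at signing time.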
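--- a/ca/server_cert_ext.cnf
+++ b/ca/server_cert_ext.cnf
@@ -0,0 +1,15 @@
+[v3_ca]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "LDAP01 Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.1 = ldap.syscid.com
+DNS.2 = ldap01.syscid.com
+DNS.3 = dir.syscid.com
+DNS.4 = dir01.syscid.com
+DNS.5 = gaia.syscid.com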
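--- a/ca/web.sun.lysergic.dev_ext.cnf
+++ b/ca/web.sun.lysergic.dev_ext.cnf
@@ -0,0 +1,13 @@
+[v3_ca]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "LDAP01 Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[ alt_names ]
+DNS.1 = web.sun.lysergic.dev
+DNS.2 = web.syscid.com
+DNS.3 = web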
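Review bot: `nsComment = "LDAP01 Server Certificate"` is copied verbatim from ca/server_cert_ext.cnf and misdescribes this web certificate; correct it or remove the line. `DNS.3 = web` places a bare single-label name in the SAN, which matches only when a client resolves through a search domain and is something public CA policy forbids; for a private CA it does work, but decide whether the two FQDNs already cover every way clients address this host and leave a comment with the reason if the short name stays.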
734
coturn/turnserver.conf
Normal file
734
coturn/turnserver.conf
Normal file
@ -0,0 +1,734 @@
|
||||
# Coturn TURN SERVER configuration file
|
||||
#
|
||||
# Boolean values note: where a boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
||||
# If the value is missing, then it means 'true' by default.
|
||||
#
|
||||
|
||||
# Listener interface device (optional, Linux only).
|
||||
# NOT RECOMMENDED.
|
||||
#
|
||||
#listening-device=eth0
|
||||
|
||||
# TURN listener port for UDP and TCP (Default: 3478).
|
||||
# Note: actually, TLS & DTLS sessions can connect to the
|
||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||
#
|
||||
#listening-port=3478
|
||||
|
||||
# TURN listener port for TLS (Default: 5349).
|
||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||
# port(s), too - if allowed by configuration. The TURN server
|
||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, Coturn currently supports
|
||||
# TLS version 1.0, 1.1 and 1.2.
|
||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||
#
|
||||
#tls-listening-port=5349
|
||||
|
||||
# Alternative listening port for UDP and TCP listeners;
|
||||
# default (or zero) value means "listening port plus one".
|
||||
# This is needed for RFC 5780 support
|
||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
||||
# supports RFC 5780 only if it is started with more than one
|
||||
# listening IP address of the same family (IPv4 or IPv6).
|
||||
# RFC 5780 is supported only by UDP protocol, other protocols
|
||||
# are listening to that endpoint only for "symmetry".
|
||||
#
|
||||
#alt-listening-port=0
|
||||
|
||||
# Alternative listening port for TLS and DTLS protocols.
|
||||
# Default (or zero) value means "TLS listening port plus one".
|
||||
#
|
||||
#alt-tls-listening-port=0
|
||||
|
||||
# Some network setups will require using a TCP reverse proxy in front
|
||||
# of the STUN server. If the proxy port option is set a single listener
|
||||
# is started on the given port that accepts connections using the
|
||||
# haproxy proxy protocol v2.
|
||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
||||
#
|
||||
#tcp-proxy-port=5555
|
||||
|
||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||
# If no IP(s) specified in the config file or in the command line options,
|
||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||
#
|
||||
#listening-ip=172.17.19.101
|
||||
#listening-ip=10.207.21.238
|
||||
#listening-ip=2607:f0d0:1002:51::4
|
||||
listening-ip=192.168.0.115
|
||||
listening-ip=202.61.255.116
|
||||
listening-ip=2a03:4000:55:d20::
|
||||
|
||||
# Auxiliary STUN/TURN server listening endpoint.
|
||||
# Aux servers have almost full TURN and STUN functionality.
|
||||
# The (minor) limitations are:
|
||||
#
|
||||
# 1) Auxiliary servers do not have alternative ports and
|
||||
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
||||
#
|
||||
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
||||
#
|
||||
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
||||
#
|
||||
# There may be multiple aux-server options, each will be used for listening
|
||||
# to client requests.
|
||||
#
|
||||
#aux-server=172.17.19.110:33478
|
||||
#aux-server=[2607:f0d0:1002:51::4]:33478
|
||||
|
||||
# (recommended for older Linuxes only)
|
||||
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
||||
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
||||
# functionality.
|
||||
#
|
||||
#udp-self-balance
|
||||
|
||||
# Relay interface device for relay sockets (optional, Linux only).
|
||||
# NOT RECOMMENDED.
|
||||
#
|
||||
#relay-device=eth1
|
||||
|
||||
# Relay address (the local IP address that will be used to relay the
|
||||
# packets to the peer).
|
||||
# Multiple relay addresses may be used.
|
||||
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
||||
#
|
||||
# If no relay IP(s) specified, then the turnserver will apply the default
|
||||
# policy: it will decide itself which relay addresses to be used, and it
|
||||
# will always be using the client socket IP address as the relay IP address
|
||||
# of the TURN session (if the requested relay address family is the same
|
||||
# as the family of the client socket).
|
||||
#
|
||||
#relay-ip=172.17.19.105
|
||||
#relay-ip=2607:f0d0:1002:51::5
|
||||
|
||||
# For Amazon EC2 users:
|
||||
#
|
||||
# TURN Server public/private address mapping, if the server is behind NAT.
|
||||
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
|
||||
# as relay IP address of all allocations. This scenario works only in a simple case
|
||||
# when one single relay address is be used, and no RFC5780 functionality is required.
|
||||
# That single relay address must be mapped by NAT to the 'external' IP.
|
||||
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
|
||||
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
|
||||
# must be always mapped to the same 'external' port 12345).
|
||||
#
|
||||
# In more complex case when more than one IP address is involved,
|
||||
# that option must be used several times, each entry must
|
||||
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
||||
# RFC5780 NAT discovery STUN functionality will work correctly,
|
||||
# if the addresses are mapped properly, even when the TURN server itself
|
||||
# is behind A NAT.
|
||||
#
|
||||
# By default, this value is empty, and no address mapping is used.
|
||||
#
|
||||
#external-ip=60.70.80.91
|
||||
#
|
||||
#OR:
|
||||
#
|
||||
#external-ip=60.70.80.91/172.17.19.101
|
||||
#external-ip=60.70.80.92/172.17.19.102
|
||||
|
||||
|
||||
# Number of the relay threads to handle the established connections
|
||||
# (in addition to authentication thread and the listener thread).
|
||||
# If explicitly set to 0 then application runs relay process in a
|
||||
# single thread, in the same thread with the listener process
|
||||
# (the authentication thread will still be a separate thread).
|
||||
#
|
||||
# If this parameter is not set, then the default OS-dependent
|
||||
# thread pattern algorithm will be employed. Usually the default
|
||||
# algorithm is optimal, so you have to change this option
|
||||
# if you want to make some fine tweaks.
|
||||
#
|
||||
# In the older systems (Linux kernel before 3.9),
|
||||
# the number of UDP threads is always one thread per network listening
|
||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
||||
# 1 (one) value is set.
|
||||
#
|
||||
#relay-threads=0
|
||||
|
||||
# Lower and upper bounds of the UDP relay endpoints:
|
||||
# (default values are 49152 and 65535)
|
||||
#
|
||||
#min-port=49152
|
||||
#max-port=65535
|
||||
|
||||
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
||||
# By default the verbose mode is off.
|
||||
#verbose
|
||||
|
||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||
# This mode is very annoying and produces lots of output.
|
||||
# Not recommended under normal circumstances.
|
||||
#
|
||||
#Verbose
|
||||
|
||||
# Uncomment to use fingerprints in the TURN messages.
|
||||
# By default the fingerprints are off.
|
||||
#
|
||||
fingerprint
|
||||
|
||||
# Uncomment to use long-term credential mechanism.
|
||||
# By default no credentials mechanism is used (any user allowed).
|
||||
#
|
||||
#lt-cred-mech
|
||||
|
||||
# This option is the opposite of lt-cred-mech.
|
||||
# (TURN Server with no-auth option allows anonymous access).
|
||||
# If neither option is defined, and no users are defined,
|
||||
# then no-auth is default. If at least one user is defined,
|
||||
# in this file, in command line or in usersdb file, then
|
||||
# lt-cred-mech is default.
|
||||
#
|
||||
#no-auth
|
||||
|
||||
# TURN REST API flag.
|
||||
# (Time Limited Long Term Credential)
|
||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||
#
|
||||
# This feature's purpose is to support "TURN Server REST API", see
|
||||
# "TURN REST API" link in the project's page
|
||||
# https://github.com/coturn/coturn/
|
||||
#
|
||||
# This option is used with timestamp:
|
||||
#
|
||||
# usercombo -> "timestamp:userid"
|
||||
# turn user -> usercombo
|
||||
# turn password -> base64(hmac(secret key, usercombo))
|
||||
#
|
||||
# This allows TURN credentials to be accounted for a specific user id.
|
||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
||||
# This option is enabled by turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
||||
# or can be found in the turn_secret table in the database (see below).
|
||||
#
|
||||
# Read more about it:
|
||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||
#
|
||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
||||
# this option then it automatically enables lt-cred-mech internally
|
||||
# as if you had enabled both.
|
||||
#
|
||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
||||
# both mechanisms conduct username and password validation in different ways.
|
||||
#
|
||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
||||
# to avoid any confusion.
|
||||
#
|
||||
use-auth-secret
|
||||
|
||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||
# If not set, then the turn server
|
||||
# will try to use the 'dynamic' value in the turn_secret table
|
||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
||||
#
|
||||
static-auth-secret=$authsec
|
||||
|
||||
# Server name used for
|
||||
# the oAuth authentication purposes.
|
||||
# The default value is the realm name.
|
||||
#
|
||||
#server-name=blackdow.carleon.gov
|
||||
#server-name=orpheus.syscid.com
|
||||
|
||||
# Flag that allows oAuth authentication.
|
||||
#
|
||||
#oauth
|
||||
|
||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
||||
# This option cannot be used with TURN REST API.
|
||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||
# so they can NOT be changed while the turnserver is running.
|
||||
#
|
||||
#user=username1:key1
|
||||
#user=username2:key2
|
||||
# OR:
|
||||
#user=username1:password1
|
||||
#user=username2:password2
|
||||
#
|
||||
# Keys must be generated by turnadmin utility. The key value depends
|
||||
# on user name, realm, and password:
|
||||
#
|
||||
# Example:
|
||||
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
|
||||
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||
# ('0x' in the beginning of the key is what differentiates the key from
|
||||
# password. If it has 0x then it is a key, otherwise it is a password).
|
||||
#
|
||||
# The corresponding user account entry in the config file will be:
|
||||
#
|
||||
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||
# Or, equivalently, with open clear password (less secure):
|
||||
#user=ninefingers:youhavetoberealistic
|
||||
#
|
||||
|
||||
# SQLite database file name.
|
||||
#
|
||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# /var/lib/turn/turndb.
|
||||
#
|
||||
#userdb=/var/db/turndb
|
||||
|
||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
||||
# as the user database.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||
# versions connection string format, see
|
||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||
# for 9.x and newer connection string formats.
|
||||
#
|
||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||
psql-userdb="host=$dbhost dbname=$db user=$dbuser password=$dbpass connect_timeout=30"
|
||||
|
||||
# MySQL database connection string in the case that you are using MySQL
|
||||
# as the user database.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
#
|
||||
# Optional connection string parameters for the secure communications (SSL):
|
||||
# ca, capath, cert, key, cipher
|
||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||
# command options description).
|
||||
#
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||
|
||||
# If you want to use an encrypted password in the MySQL connection string,
|
||||
# then set the MySQL password encryption secret key file with this option.
|
||||
#
|
||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
||||
# If you want to use a cleartext password then do not set this option!
|
||||
#
|
||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
||||
#
|
||||
#secret-key-file=/path/
|
||||
|
||||
# MongoDB database connection string in the case that you are using MongoDB
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
#
|
||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||
|
||||
# Redis database connection string in the case that you are using Redis
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
||||
# This database keeps allocations status information, and it can be also used for publishing
|
||||
# and delivering traffic and allocation event notifications.
|
||||
# The connection string has the same parameters as redis-userdb connection string.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# The default realm to be used for the users when no explicit
|
||||
# origin/realm relationship is found in the database, or if the TURN
|
||||
# server is not using any database (just the commands-line settings
|
||||
# and the userdb file). Must be used with long-term credentials
|
||||
# mechanism or with TURN REST API.
|
||||
#
|
||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
||||
#
|
||||
realm=turn.lysergic.dev
|
||||
|
||||
# This flag sets the origin consistency
|
||||
# check. Across the session, all requests must have the same
|
||||
# main ORIGIN attribute value (if the ORIGIN was
|
||||
# initially used by the session).
|
||||
#
|
||||
#check-origin-consistency
|
||||
|
||||
# Per-user allocation quota.
|
||||
# default value is 0 (no quota, unlimited number of sessions per user).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
#user-quota=0
|
||||
|
||||
# Total allocation quota.
|
||||
# default value is 0 (no quota).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
total-quota=100
|
||||
|
||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||
# (input and output network streams are treated separately). Anything above
|
||||
# that limit will be dropped or temporarily suppressed (within
|
||||
# the available buffer limits).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
#max-bps=0
|
||||
|
||||
#
|
||||
# Maximum server capacity.
|
||||
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
|
||||
# for the sessions, combined (input and output network streams are treated separately).
|
||||
#
|
||||
# bps-capacity=0
|
||||
|
||||
# Uncomment if no UDP client listener is desired.
|
||||
# By default UDP client listener is always started.
|
||||
#
|
||||
#no-udp
|
||||
|
||||
# Uncomment if no TCP client listener is desired.
|
||||
# By default TCP client listener is always started.
|
||||
#
|
||||
#no-tcp
|
||||
|
||||
# Uncomment if no TLS client listener is desired.
|
||||
# By default TLS client listener is always started.
|
||||
#
|
||||
#no-tls
|
||||
|
||||
# Uncomment if no DTLS client listener is desired.
|
||||
# By default DTLS client listener is always started.
|
||||
#
|
||||
#no-dtls
|
||||
|
||||
# Uncomment if no UDP relay endpoints are allowed.
|
||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
||||
#
|
||||
#no-udp-relay
|
||||
|
||||
# Uncomment if no TCP relay endpoints are allowed.
|
||||
# By default TCP relay endpoints are enabled (like in RFC 6062).
|
||||
#
|
||||
#no-tcp-relay
|
||||
|
||||
# Uncomment if extra security is desired,
|
||||
# with nonce value having a limited lifetime.
|
||||
# By default, the nonce value is unique for a session,
|
||||
# and has an unlimited lifetime.
|
||||
# Set this option to limit the nonce lifetime.
|
||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||
# the client will get 438 error and will have to re-authenticate itself.
|
||||
#
|
||||
stale-nonce=600
|
||||
|
||||
# Uncomment if you want to set the maximum allocation
|
||||
# time before it has to be refreshed.
|
||||
# Default is 3600s.
|
||||
#
|
||||
#max-allocate-lifetime=3600
|
||||
|
||||
|
||||
# Uncomment to set the lifetime for the channel.
|
||||
# Default value is 600 secs (10 minutes).
|
||||
# This value MUST not be changed for production purposes.
|
||||
#
|
||||
#channel-lifetime=600
|
||||
|
||||
# Uncomment to set the permission lifetime.
|
||||
# Default to 300 secs (5 minutes).
|
||||
# In production this value MUST not be changed,
|
||||
# however it can be useful for test purposes.
|
||||
#
|
||||
#permission-lifetime=300
|
||||
|
||||
# Certificate file.
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
#cert=/etc/pki/coturn/public/turn_server_cert.pem
|
||||
cert=/etc/ssl/lysergic/fullchain.pem
|
||||
|
||||
# Private key file.
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
#pkey=/etc/pki/coturn/private/turn_server_pkey.pem
|
||||
pkey=/etc/ssl/lysergic/private/privkey.pem
|
||||
|
||||
# Private key file password, if it is in encoded format.
|
||||
# This option has no default value.
|
||||
#
|
||||
#pkey-pwd=...
|
||||
|
||||
# Allowed OpenSSL cipher list for TLS/DTLS connections.
|
||||
# Default value is "DEFAULT".
|
||||
#
|
||||
#cipher-list="DEFAULT"
|
||||
|
||||
# CA file in OpenSSL format.
|
||||
# Forces TURN server to verify the client SSL certificates.
|
||||
# By default this is not set: there is no default value and the client
|
||||
# certificate is not checked.
|
||||
#
|
||||
# Example:
|
||||
#CA-file=/etc/ssh/id_rsa.cert
|
||||
|
||||
# Curve name for EC ciphers, if supported by OpenSSL
|
||||
# library (TLS and DTLS). The default value is prime256v1,
|
||||
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
||||
# an optimal curve will be automatically calculated, if not defined
|
||||
# by this option.
|
||||
#
|
||||
#ec-curve-name=prime256v1
|
||||
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh566
|
||||
|
||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh1066
|
||||
|
||||
# Use custom DH TLS key, stored in PEM format in the file.
|
||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||
#
|
||||
#dh-file=<DH-PEM-file-name>
|
||||
|
||||
# Flag to prevent stdout log messages.
|
||||
# By default, all log messages go to both stdout and to
|
||||
# the configured log file. With this option everything will
|
||||
# go to the configured log only (unless the log file itself is stdout).
|
||||
#
|
||||
no-stdout-log
|
||||
|
||||
# Option to set the log file name.
|
||||
# By default, the turnserver tries to open a log file in
|
||||
# /var/log, /var/tmp, /tmp and the current directory
|
||||
# (Whichever file open operation succeeds first will be used).
|
||||
# With this option you can set the definite log file name.
|
||||
# The special names are "stdout" and "-" - they will force everything
|
||||
# to the stdout. Also, the "syslog" name will force everything to
|
||||
# the system log (syslog).
|
||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
||||
# to the turnserver process.
|
||||
#
|
||||
log-file=/var/log/coturn/turnserver.log
|
||||
|
||||
# Option to redirect all log output into system log (syslog).
|
||||
#
|
||||
#syslog
|
||||
|
||||
# This flag means that no log file rollover will be used, and the log file
|
||||
# name will be constructed as-is, without PID and date appendage.
|
||||
# This option can be used, for example, together with the logrotate tool.
|
||||
#
|
||||
simple-log
|
||||
|
||||
# Option to set the "redirection" mode. The value of this option
|
||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
||||
# <ip>[:<port>]. The server will send this value in the attribute
|
||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||
# Client will receive only values with the same address family
|
||||
# as the client network endpoint address family.
|
||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
||||
# The client must use the obtained value for subsequent TURN communications.
|
||||
# If more than one --alternate-server option is provided, then the functionality
|
||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||
# If the port number is omitted, then the default port
|
||||
# number 3478 for the UDP/TCP protocols will be used.
|
||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
||||
# in square brackets in such resource identifiers, for example:
|
||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||
# Multiple alternate servers can be set. They will be used in the
|
||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||
# address can be used more than one time with the alternate-server option, so this
|
||||
# can emulate "weighting" of the servers.
|
||||
#
|
||||
# Examples:
|
||||
#alternate-server=1.2.3.4:5678
|
||||
#alternate-server=11.22.33.44:56789
|
||||
#alternate-server=5.6.7.8
|
||||
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||
|
||||
# Option to set alternative server for TLS & DTLS services in form of
|
||||
# <ip>:<port>. If the port number is omitted, then the default port
|
||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
||||
# option for the functionality description.
|
||||
#
|
||||
# Examples:
|
||||
#tls-alternate-server=1.2.3.4:5678
|
||||
#tls-alternate-server=11.22.33.44:56789
|
||||
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||
|
||||
# Option to suppress TURN functionality, only STUN requests will be processed.
|
||||
# Run as STUN server only, all TURN requests will be ignored.
|
||||
# By default, this option is NOT set.
|
||||
#
|
||||
#stun-only
|
||||
|
||||
# Option to hide software version. Enhance security when used in production.
|
||||
# Revealing the specific software version of the agent through the
|
||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
||||
# attacks against software that is known to contain security holes.
|
||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
||||
#
|
||||
#no-software-attribute
|
||||
|
||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||
# Run as TURN server only, all STUN requests will be ignored.
|
||||
# By default, this option is NOT set.
|
||||
#
|
||||
#no-stun
|
||||
|
||||
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
||||
# The default value is ':'.
|
||||
# rest-api-separator=:
|
||||
|
||||
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
||||
# This is an extra security measure.
|
||||
#
|
||||
# (To avoid any security issue that allowing loopback access may raise,
|
||||
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
||||
#
|
||||
# Allow it only for testing in a development environment!
|
||||
# In production it adds a possible security vulnerability, so for security reasons
|
||||
# it is not allowed using it together with empty cli-password.
|
||||
#
|
||||
#allow-loopback-peers
|
||||
|
||||
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
|
||||
# This is an extra security measure.
|
||||
#
|
||||
no-multicast-peers
|
||||
|
||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
||||
# Default is 60 seconds.
|
||||
#
|
||||
#max-allocate-timeout=60
|
||||
|
||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
||||
# addresses, except for a few specific ips within that range.
|
||||
#
|
||||
# This can be used when you do not want users of the turn server to be able to access
|
||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
||||
# internet (e.g. when the turn server is sitting behind a NAT)
|
||||
#
|
||||
# Examples:
|
||||
# denied-peer-ip=83.166.64.0-83.166.95.255
|
||||
# allowed-peer-ip=83.166.68.45
|
||||
allowed-peer-ip=192.168.0.1-192.168.0.254
|
||||
|
||||
# File name to store the pid of the process.
|
||||
# Default is /var/run/turnserver.pid (if superuser account is used) or
|
||||
# /var/tmp/turnserver.pid .
|
||||
#
|
||||
#pidfile="/var/run/turnserver.pid"
|
||||
|
||||
# Require authentication of the STUN Binding request.
|
||||
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
|
||||
#
|
||||
#secure-stun
|
||||
|
||||
# Mobility with ICE (MICE) specs support.
|
||||
#
|
||||
#mobility
|
||||
|
||||
# Allocate Address Family according
|
||||
# If enabled then TURN server allocates address family according the TURN
|
||||
# Client <=> Server communication address family.
|
||||
# (By default Coturn works according RFC 6156.)
|
||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||
#
|
||||
#keep-address-family
|
||||
|
||||
|
||||
# User name to run the process. After the initialization, the turnserver process
|
||||
# will attempt to change the current user ID to that user.
|
||||
#
|
||||
#proc-user=<user-name>
|
||||
|
||||
# Group name to run the process. After the initialization, the turnserver process
|
||||
# will attempt to change the current group ID to that group.
|
||||
#
|
||||
#proc-group=<group-name>
|
||||
|
||||
# Turn OFF the CLI support.
|
||||
# By default it is always ON.
|
||||
# See also options cli-ip and cli-port.
|
||||
#
|
||||
no-cli
|
||||
|
||||
#Local system IP address to be used for CLI server endpoint. Default value
|
||||
# is 127.0.0.1.
|
||||
#
|
||||
#cli-ip=127.0.0.1
|
||||
|
||||
# CLI server port. Default is 5766.
|
||||
#
|
||||
#cli-port=5766
|
||||
|
||||
# CLI access password. Default is empty (no password).
|
||||
# For the security reasons, it is recommended that you use the encrypted
|
||||
# form of the password (see the -P command in the turnadmin utility).
|
||||
#
|
||||
# Secure form for password 'qwerty':
|
||||
#
|
||||
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
|
||||
#
|
||||
# Or unsecure form for the same password:
|
||||
#
|
||||
#cli-password=qwerty
|
||||
|
||||
# Enable Web-admin support on https. By default it is Disabled.
|
||||
# If it is enabled it also enables a http a simple static banner page
|
||||
# with a small reminder that the admin page is available only on https.
|
||||
#
|
||||
#web-admin
|
||||
|
||||
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
|
||||
#
|
||||
#web-admin-ip=127.0.0.1
|
||||
|
||||
# Web-admin server port. Default is 8080.
|
||||
#
|
||||
#web-admin-port=8080
|
||||
|
||||
# Web-admin server listen on STUN/TURN worker threads
|
||||
# By default it is disabled for security resons! (Not recommended in any production environment!)
|
||||
#
|
||||
#web-admin-listen-on-workers
|
||||
|
||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||
# Only for those applications when you want to run
|
||||
# server applications on the relay endpoints.
|
||||
# This option eliminates the IP permissions check on
|
||||
# the packets incoming to the relay endpoints.
|
||||
#
|
||||
#server-relay
|
||||
|
||||
# Maximum number of output sessions in ps CLI command.
|
||||
# This value can be changed on-the-fly in CLI. The default value is 256.
|
||||
#
|
||||
#cli-max-output-sessions
|
||||
|
||||
# Set network engine type for the process (for internal purposes).
|
||||
#
|
||||
#ne=[1|2|3]
|
||||
|
||||
# Do not allow an TLS/DTLS version of protocol
|
||||
#
|
||||
no-sslv3
|
||||
no-tlsv1
|
||||
no-tlsv1_1
|
||||
no-tlsv1_2
|
@ -1,9 +1,11 @@
|
||||
# Cronjob for Restic Backup to S3
|
||||
# Cronjob for Restic Backup to Wasabi S3
|
||||
# Created and last modified: 20/07/2021
|
||||
# georg@lysergic.dev
|
||||
|
||||
MAILTO=system
|
||||
SHELL=/bin/sh
|
||||
|
||||
#This will make a deduplicating backup every day at 22:00 and send an email to system@lysergic.dev as well as #universe
|
||||
0 22 * * * restic /opt/restic/run.sh |& mail -s "S3 Backup - $(hostname -f) - $(date)" ircsystem
|
||||
#This will make a deduplicating (is that the right word?) backup every day at 23:00 and send an email to system@lysergic.dev as well as #universe
|
||||
0 22 * * * restic /opt/restic/run.sh |& mail -s "[S3 Backup] - $(hostname -f) - $(date)" ircsystem
|
||||
#This will remove everything except the last 30 days worth of snapshots every two days at 22:30
|
||||
0 4 */2 * * restic /opt/restic/cleanup.sh |& mail -s "[S3 Cleanup] - $(date)" ircsystem
|
||||
|
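--- a/cron/cron.daily/mysql-status.sh
+++ b/cron/cron.daily/mysql-status.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+OUTPUT="nc -N 127.0.0.2 2424"
+maximumSecondsBehind=20
+/opt/mysql/bin/mysql -u repl-status -p'$dbmonpass' -e 'SHOW REPLICA STATUS \G' > /tmp/replicationstatus.txt
+
+slaveRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_IO_Running: Yes" | wc -l)"
+slaveSQLRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_SQL_Running: Yes" | wc -l)"
+secondsBehind="$(cat /tmp/replicationstatus.txt | grep "Seconds_Behind_Source" | tr -dc '0-9')"
+
+echo $slaveRunning | $OUTPUT
+echo $slaveSQLRunning | $OUTPUT
+echo $secondsBehind | $OUTPUT
+
+if [[ $slaveRunning != 1 || $slaveSQLRunning != 1 || $secondsBehind -gt $maximumSecondsBehind ]]; then
+        echo
+        echo "Replikacja wydaje się być popieprzona. Sending logs via email. @cranberry" | $OUTPUT
+        /usr/bin/mail -s "[MySQL Replication Monitor] Issue on $(hostname) at $(date)" system@lysergic.dev < /tmp/replicationstatus.txt
+else
+        echo
+        echo "Replikacja wydaje się być zdrowa." | $OUTPUT
+fi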
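Review bot: The test on line 14, `if [[ $slaveRunning != 1 || ... ]]`, is a bash construct but the shebang is `#!/bin/sh`; where sh is dash the `[[` fails as command-not-found, the `if` takes the `else` branch and the script reports the replica healthy regardless of its real state, so the first line should be `#!/bin/bash` (or the test rewritten as POSIX `[ ... ] || [ ... ]` with `-ne`). The status file is a fixed, predictable path in a world-writable directory, `/tmp/replicationstatus.txt`, created without restricted permissions and never removed; create it with `STATUS="$(mktemp)"`, use `"$STATUS"` in the five places the path appears and `rm -f "$STATUS"` at the end. Passing the password as `-p'$dbmonpass'` exposes it in the process list for the duration of the query (and, being single-quoted, reaches mysql literally unless this file is rendered by a template step); a `[client]` option file readable only by the cron user, or a `mysql_config_editor` login path, keeps it out of argv. The bare `echo` on lines 15 and 19 writes to stdout rather than to `$OUTPUT`, so under cron it only produces mail noise.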
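--- a/dirsrv/instance-syscid_gaia.ini
+++ b/dirsrv/instance-syscid_gaia.ini
@@ -0,0 +1,13 @@
+[general]
+config_version = 2
+
+[slapd]
+instance_name = syscid
+root_password = $dirmgrpass
+
+[backend-userroot]
+create_suffix_entry = yes
+sample_entries = yes
+suffix = dc=syscid,dc=com
+
+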
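Review bot: `sample_entries = yes` on line 10 loads 389-ds's demonstration entries into the `dc=syscid,dc=com` suffix of this instance, whereas the orpheus instance file in the same commit sets `sample_entries = no`; unless the two instances are meant to differ, this file should also read `sample_entries = no` so no demo objects land in a suffix that carries the SUDOers tree. The boolean spelling also differs between the two files (`create_suffix_entry = yes` here, `= True` in orpheus); both are presumably accepted by the ini parser, but one form should be used. `root_password = $dirmgrpass` is substituted as plain text; if the templating step allows it, a pre-hashed value keeps the Directory Manager secret out of the rendered file, and the rendered .ini should be deleted once `dscreate` has consumed it.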
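--- a/dirsrv/instance-syscid_orpheus.ini
+++ b/dirsrv/instance-syscid_orpheus.ini
@@ -0,0 +1,12 @@
+[general]
+config_version = 2
+
+[slapd]
+instance_name = syscid
+root_password = $dirmgrpass
+
+[backend-userroot]
+create_suffix_entry = True
+sample_entries = no
+suffix = dc=syscid,dc=com
+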
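--- a/dirsrv/ldif/sudoers-389.ldif
+++ b/dirsrv/ldif/sudoers-389.ldif
@@ -0,0 +1,35 @@
+dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: always_set_home
+sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+sudoOption: env_reset
+sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+sudoOption: insults
+sudoOption: mail_badpass
+sudoOption: log_output
+sudoOption: timestamp_timeout=15
+sudoOrder: 1
+
+dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
+dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoCommand: ALL
+sudoOrder: 3
+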
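Review bot: `sudoOption: timestamp_timeout=15` on line 13 triples sudo's default 5-minute credential cache for everyone the defaults role reaches, and the `%wheel` role below grants `ALL` as any user on `ALL` hosts, so the window in which an unattended or hijacked terminal can run privileged commands without re-authenticating grows accordingly; if 15 minutes is deliberate, record the reason in the `description` attribute, otherwise drop the option. The `secure_path` and `env_keep` values on lines 7 and 9 keep their sudoers-style double quotes, and `env_keep` keeps spaces around `=`; the bundled sudoers2ldif.pl lists "does not yet remove quotation marks from options" as a known limitation, so confirm with `sudo -l` on an enrolled client that both options take effect rather than being stored with the quotes as part of the value.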
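--- a/dirsrv/misc/sudoers2ldif.pl
+++ b/dirsrv/misc/sudoers2ldif.pl
@@ -0,0 +1,153 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+use strict;
+
+#
+# Converts a sudoers file to LDIF format in prepration for loading into
+# the LDAP server.
+#
+
+# BUGS:
+# Does not yet handle multiple lines with : in them
+# Does not yet remove quotation marks from options
+# Does not yet escape + at the beginning of a dn
+# Does not yet handle line wraps correctly
+# Does not yet handle multiple roles with same name (needs tiebreaker)
+#
+# CAVEATS:
+# Sudoers entries can have multiple RunAs entries that override former ones,
+# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
+
+my %RA;
+my %UA;
+my %HA;
+my %CA;
+my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
+my @options=();
+
+my $did_defaults=0;
+my $order = 0;
+
+# parse sudoers one line at a time
+while (<>){
+
+  # remove comment
+  s/#.*//;
+
+  # line continuation
+  $_.=<> while s/\\\s*$//s;
+
+  # cleanup newline
+  chomp;
+
+  # ignore blank lines
+  next if /^\s*$/;
+
+  if (/^Defaults\s+/i) {
+    my $opt=$';
+    $opt=~s/\s+$//; # remove trailing whitespace
+    push @options,$opt;
+  } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
+
+    # Aliases or Definitions
+    my ($p1,$p2,$p3)=($1,$2,$3);
+    $p2=~s/\s+$//; # remove trailing whitespace
+    $p3=~s/\s+$//; # remove trailing whitespace
+
+    if ($p1 eq "User_Alias") {
+      $UA{$p2}=$p3;
+    } elsif ($p1 eq "Runas_Alias") {
+      $RA{$p2}=$p3;
+    } elsif ($p1 eq "Host_Alias") {
+      $HA{$p2}=$p3;
+    } elsif ($p1 eq "Cmnd_Alias") {
+      $CA{$p2}=$p3;
+    } else {
+      if (!$did_defaults++){
+        # do this once
+        print "dn: cn=defaults,$base\n";
+        print "objectClass: top\n";
+        print "objectClass: sudoRole\n";
+        print "cn: defaults\n";
+        print "description: Default sudoOption's go here\n";
+        print "sudoOption: $_\n" foreach @options;
+        printf "sudoOrder: %d\n", ++$order;
+        print "\n";
+      }
+      # Definition
+      my @users=split /\s*,\s*/,$p1;
+      my @hosts=split /\s*,\s*/,$p2;
+      my @cmds= split /\s*,\s*/,$p3;
+      @options=();
+      print "dn: cn=$users[0],$base\n";
+      print "objectClass: top\n";
+      print "objectClass: sudoRole\n";
+      print "cn: $users[0]\n";
+      # will clobber options
+      print "sudoUser: $_\n" foreach expand(\%UA,@users);
+      print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
+      foreach (@cmds) {
+        if (s/^\(([^\)]+)\)\s*//) {
+          my @runas = split(/:\s*/, $1);
+          if (defined($runas[0])) {
+            print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
+          }
+          if (defined($runas[1])) {
+            print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
+          }
+        }
+      }
+      print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
+      print "sudoOption: $_\n" foreach @options;
+      printf "sudoOrder: %d\n", ++$order;
+      print "\n";
+    }
+
+  } else {
+    print "parse error: $_\n";
+  }
+
+}
+
+#
+# recursively expand hash elements
+sub expand{
+  my $ref=shift;
+  my @a=();
+
+  # preen the line a little
+  foreach (@_){
+    # if NOPASSWD: directive found, mark entire entry as not requiring
+    s/NOPASSWD:\s*// && push @options,"!authenticate";
+    s/PASSWD:\s*// && push @options,"authenticate";
+    s/NOEXEC:\s*// && push @options,"noexec";
+    s/EXEC:\s*// && push @options,"!noexec";
+    s/SETENV:\s*// && push @options,"setenv";
+    s/NOSETENV:\s*// && push @options,"!setenv";
+    s/LOG_INPUT:\s*// && push @options,"log_input";
+    s/NOLOG_INPUT:\s*// && push @options,"!log_input";
+    s/LOG_OUTPUT:\s*// && push @options,"log_output";
+    s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
+    s/[[:upper:]]+://; # silently remove other tags
+    s/\s+$//; # right trim
+  }
+
+  # do the expanding
+  push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
+  @a;
+}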
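--- a/generic/nsswitch.conf
+++ b/generic/nsswitch.conf
@@ -0,0 +1,32 @@
+###
+##
+## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
+#ä
+## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
+## georg@lysergic.dev
+##
+###
+
+passwd: sss files
+group: sss files
+shadow: sss compat
+# initgroups: compat
+
+hosts: files dns
+networks: files dns
+
+aliases: files usrfiles
+ethers: files usrfiles
+gshadow: files usrfiles
+netgroup: files nis
+protocols: files usrfiles
+publickey: files
+rpc: files usrfiles
+services: files usrfiles
+
+automount: files nis
+bootparams: files
+netmasks: files
+
+sudoers: sss
+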
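Review bot: `shadow: sss compat` on line 12 differs from the `sss files` used for passwd and group on lines 10–11; `compat` is the NIS-compatibility source that needs libnss_compat and honours `+`/`-` entries in /etc/shadow, so unless that behaviour is wanted it should read `shadow: sss files` (the commented `# initgroups: compat` on line 13 is presumably the same leftover). `netgroup: files nis` and `automount: files nis` on lines 21 and 27 reference NIS although nothing else in this commit sets up a NIS client; on current glibc libnss_nis is a separate package, so where it is absent the `nis` entry is dead configuration and should be dropped. Line 4, `#ä`, looks like a mistyped `##` in the banner.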
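--- a/mysqld/my_percona_node04.cnf
+++ b/mysqld/my_percona_node04.cnf
@@ -0,0 +1,7 @@
+[client]
+socket=/run/mysql/mysql.sock
+[mysqld]
+log-error=/var/log/mysql/mysqld.log
+port=3306
+bind-address = 127.0.0.1,10.0.0.31
+datadir = /var/lib/mysql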
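Review bot: `bind-address = 127.0.0.1,10.0.0.31` on line 6 exposes the server on the LAN address while the `[mysqld]` section sets no TLS options (`ssl_ca`, `ssl_cert`, `ssl_key`, `require_secure_transport`); unless an included global file supplies them, replication and client sessions on 10.0.0.31 travel in clear text, so either add `require_secure_transport = ON` together with the certificate paths or note where they are configured. A comma-separated bind-address is only understood by MySQL/Percona Server 8.0.13 and later; the companion script's `SHOW REPLICA STATUS` suggests a recent 8.0 release, but a one-line comment stating the minimum version would avoid a silent start-up failure on older builds. The `[client]` block fixes `socket=/run/mysql/mysql.sock` while `[mysqld]` sets no matching `socket=`; confirm the server default is that path, or add it to `[mysqld]` as well. Style: the file mixes `key=value` and `key = value`; pick one.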
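--- a/nginx/01/adminer.conf
+++ b/nginx/01/adminer.conf
@@ -0,0 +1,15 @@
+#include php-fpm;
+server {
+        listen 192.168.0.110:8084 ssl;
+        server_name adminer-local.one.secure.squirrelcube.xyz;
+        root /mnt/gluster01/web/adminer1;
+        index adminer.php;
+
+        ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+        location / {
+        }
+
+        include php;
+}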
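Review bot: The Adminer vhost has no access restriction: `location / {}` on lines 11–12 carries neither `auth_basic` nor an `allow`/`deny` list, while dnsui.conf in the same commit, on the very same `192.168.0.110:8084` listener, protects every location with `auth_basic "NS1 Intranet"`. Adminer presents a database login form to anyone who can reach that listener, so at minimum add at server level `auth_basic "NS1 Intranet"; auth_basic_user_file /mnt/gluster01/web/auth/dnsui;` (or a dedicated htpasswd file) plus an `allow`/`deny` list for the management subnet. The certificate on lines 8–9 is the `tp.3gy.de` Let's Encrypt pair while `server_name` is `adminer-local.one.secure.squirrelcube.xyz`; unless that name is in the certificate's SAN list, clients will see a name mismatch. The commented `#include php-fpm;` on line 1 beside `include php;` on line 14 looks like a leftover from a rename and can be removed.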
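--- a/nginx/01/dnsui.conf
+++ b/nginx/01/dnsui.conf
@@ -0,0 +1,41 @@
+server {
+        listen 192.168.0.110:8084 ssl;
+        server_name dnsui-local.one.secure.squirrelcube.xyz;
+        root /mnt/gluster01/web/dnsui1/public_html;
+        index init.php;
+
+        ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+#        auth_basic "NS1 Intranet";
+#        auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+
+        location / {
+                try_files $uri $uri/ @php;
+                auth_basic "NS1 Intranet";
+                auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+        }
+        location @php {
+                rewrite ^/(.*)$ /init.php/$1 last;
+                auth_basic "NS1 Intranet";
+                auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+        }
+        location /init.php {
+                fastcgi_pass 172.168.100.1:9100;
+                include fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+                auth_basic "NS1 Intranet";
+                auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+        }
+
+        location /info.php {
+                fastcgi_pass 172.168.100.1:9100;
+                include fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+                auth_basic "NS1 Intranet";
+                auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+        }
+
+
+        error_log /var/log/nginx/dnsui1.log;
+}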
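Review bot: `auth_basic "NS1 Intranet"` and `auth_basic_user_file /mnt/gluster01/web/auth/dnsui` are repeated in all four location blocks (lines 15–16, 20–21, 27–28, 35–36) while the server-level pair on lines 10–11 is commented out; uncommenting those two lines and deleting the copies gives the same protection and, more importantly, covers any location added later, which today would be unauthenticated by default. `location /info.php` on lines 31–37 presumably serves a phpinfo page; it discloses paths, module versions and environment even behind basic auth and should not ship in a production vhost. `fastcgi_pass 172.168.100.1:9100;` (lines 24 and 32, and the same address in hidden.conf) is outside the RFC 1918 `172.16.0.0/12` block, so if an internal PHP-FPM address was intended the second octet should be checked.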
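--- a/nginx/01/hidden.conf
+++ b/nginx/01/hidden.conf
@@ -0,0 +1,123 @@
+server {
+#        server_name localhost;
+        listen 127.0.0.1:9191;
+        root /mnt/gluster01/web/liberta.casa;
+}
+server {
+        server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
+        listen 127.0.0.1:9191;
+
+        autoindex off;
+        port_in_redirect off;
+
+        location /kiwi/static/config.json {
+                root /mnt/gluster01/web/liberta.casa;
+                rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
+        }
+
+        location /kiwi {
+                root /mnt/gluster01/web/liberta.casa;
+                index index.html;
+                try_files $uri $uri/ =404;
+        }
+
+        location / {
+                root /srv/www/liberta.casa/static/website;
+                index index.html;
+
+        }
+
+        location /register {
+                proxy_pass http://127.0.0.1:8965;
+                add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+        }
+
+        location /libcasa {
+                root /srv/www/superseriousstats/libertacasa;
+                index index.html;
+                location ~ \.php$ {
+                        fastcgi_pass 172.168.100.1:9100;
+                        include fastcgi_params;
+                        fastcgi_param SCRIPT_FILENAME $request_filename;
+                }
+
+        }
+
+        location /libcasa.info {
+                root /srv/www/superseriousstats/libertacasa;
+                index index.html;
+                location ~ \.php$ {
+                        fastcgi_pass 172.168.100.1:9100;
+                        include fastcgi_params;
+                        fastcgi_param SCRIPT_FILENAME $request_filename;
+                }
+        }
+
+        location /gamja {
+                root /srv/www/gamja;
+                index index.html;
+        }
+
+        location /socket {
+                proxy_pass http://192.168.0.110:8068;
+                proxy_read_timeout 600s;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /convos {
+                rewrite ^/convos/?(.*)$ /$1 break;
+                proxy_pass http://[::1]:8089;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_set_header Host $host;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Request-Base "$scheme://$host/convos";
+        }
+
+        location /candy {
+                root /srv/www/candy/;
+                index index.html;
+                add_header Access-Control-Allow-Origin *;
+        }
+        location /candy-source {
+                root /srv/www/candy/;
+        }
+
+
+        error_log /var/log/nginx/liberta.casa.err;
+
+
+        #location / {
+        #        root /srv/www/liberta.casa;
+        #        try_files $uri $uri/ =404;
+        #}
+
+        location /webirc {
+                proxy_pass http://127.0.0.2:6669;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+}
+#server {
+#        server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
+#        listen 9191;
+#
+#        location /webirc {
+#                proxy_pass http://127.0.0.2:6668;
+#                proxy_http_version 1.1;
+#                proxy_set_header Upgrade $http_upgrade;
+#                proxy_set_header Connection "Upgrade";
+#                proxy_set_header X-Forwarded-For $remote_addr;
+#                proxy_set_header X-Forwarded-Proto $scheme;
+#        }
+#}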
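Review bot: The two `location ~ \.php$` blocks (lines 38–42 and 49–53) hand every URI ending in `.php` to FastCGI with `SCRIPT_FILENAME $request_filename` and no existence check; with PHP-FPM's `cgi.fix_pathinfo` at its default, a request for a non-existent `.php` path beneath an existing file is resolved against that file, so add `try_files $uri =404;` as the first directive of each block, the same guard `/kiwi` already uses on line 21. `add_header Onion-Location ...` on line 32 is emitted by the onion vhost itself, but the header exists so that the clearnet site can advertise its onion address; here it is presumably a no-op and belongs in the liberta.casa vhost instead. `add_header Access-Control-Allow-Origin *;` on line 86 is acceptable only if everything under `/srv/www/candy/` is public, static content; confirm nothing credential-scoped is served from that root (the sibling `/candy-source` on lines 88–90 shares it).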
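--- a/nginx/01/http.conf
+++ b/nginx/01/http.conf
@@ -0,0 +1,11 @@
+#server {
+#        listen 81.16.19.64:80 default_server;
+#        listen 45.129.182.13:80 default_server;
+#        listen [2a03:4000:47:58a::]:80 default_server;
+#        return 302 https://$host$request_uri;
+#}
+
+server {
+        listen 80 default_server;
+        return 302 https://$host$request_uri;
+}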
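Review bot: `listen 80 default_server;` on line 9 binds only IPv4, yet the TLS vhosts in this commit also listen on `[2a03:4000:47:58a::]:443`, so IPv6 clients arriving on port 80 get no redirect at all; add `listen [::]:80 default_server;` (the commented block on lines 1–6 shows the IPv6 listener was there before). The redirect on line 10 is a `302`; an HTTP-to-HTTPS upgrade is permanent, so `return 301 https://$host$request_uri;` lets browsers cache it and shortens the clear-text exposure before the `Strict-Transport-Security` header set in liberta.casa.conf has been learned. `$host` echoes the client-supplied Host header into the Location; that is the usual choice for a `default_server`, but if only the known names should be redirected, an explicit `server_name` list with `$server_name` in the target is the safer form.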
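--- a/nginx/01/keycloak.conf
+++ b/nginx/01/keycloak.conf
@@ -0,0 +1,79 @@
+server {
+        listen 127.0.0.1:443 ssl http2;
+        server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
+        ssl_certificate /etc/ssl/tp/fullchain.pem;
+        ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+        location / {
+                proxy_pass http://127.0.0.5:10090;
+                proxy_set_header Host $host:10090;
+                proxy_set_header Origin http://$host:10090;
+
+                proxy_redirect off;
+                proxy_http_version 1.1;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_pass_request_headers on;
+        }
+}
+server {
+        listen 127.0.0.1:443 ssl http2;
+
+        server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
+        ssl_certificate /etc/ssl/tp/fullchain.pem;
+        ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+        location / {
+                proxy_pass http://192.168.0.110:8180;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Host $host;
+                proxy_set_header X-Forwarded-Server $host;
+                proxy_set_header X-Forwarded-Port $server_port;
+                proxy_set_header X-Forwarded-Proto $scheme;
+        }
+}
+
+##
+## PRODUCTION CONFIG
+## Keycloak Frontend Load Balancer
+## Instance: theia
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+        ip_hash;
+        server 192.168.0.110:8843;
+        server 192.168.0.115:8843;
+        server 192.168.0.120:8843;
+}
+server {
+        listen 81.16.19.64:443 ssl http2;
+        listen [2a03:4000:47:58a::]:443 ssl http2;
+        server_name sso.casa;
+
+        ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+        ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+        ssl_session_cache shared:SSL:1m;
+        ssl_prefer_server_ciphers on;
+
+        #location = / {
+        #        return 302 /auth/;
+        #}
+
+        location / {
+                proxy_pass https://jboss;
+                proxy_cache backcache;
+                proxy_ssl_verify off;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+        }
+        proxy_buffer_size 256k;
+        proxy_buffers 4 512k;
+        proxy_busy_buffers_size 512k;
+
+}
+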
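Review bot: `proxy_ssl_verify off` on line 68 means the public `sso.casa` front end accepts any certificate from the `jboss` upstream, so the TLS hop to the Keycloak nodes on `192.168.0.110/.115/.120:8843` gives no authentication of the backend; turn it on with `proxy_ssl_verify on; proxy_ssl_trusted_certificate <path-to-internal-CA-bundle>; proxy_ssl_name <name-in-backend-cert>;` (placeholders to be filled from the cluster's PKI). `proxy_cache backcache` on line 67 puts a shared cache, stored under the world-writable `/tmp/NGINX_cache/` from line 43, in front of every Keycloak response; nginx does honour `Cache-Control: private`/`no-store` from the upstream, but an SSO application is a poor caching candidate and the directory should at least move under `/var/cache/nginx`. The `sso.casa` server also lacks the `ssl_protocols TLSv1.3 TLSv1.2;`, `ssl_session_tickets off;` and `Strict-Transport-Security` header that liberta.casa.conf sets in this same commit, and `ssl_prefer_server_ciphers on` on line 59 contradicts the `off` used there; copying that TLS block here keeps the public vhosts consistent.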
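--- a/nginx/01/lan.conf
+++ b/nginx/01/lan.conf
@@ -0,0 +1,5 @@
+server {
+        listen 127.0.0.2:80;
+        server_name theia.local;
+        root /srv/www/lan;
+}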
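--- a/nginx/01/liberta.casa.conf
+++ b/nginx/01/liberta.casa.conf
@@ -0,0 +1,209 @@
+server {
+server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
+listen 81.16.19.64:443 ssl http2;
+listen [2a03:4000:47:58a::]:443 ssl http2;
+#listen [::]:443 ssl http2;
+
+root /srv/www/liberta.casa/static/website;
+
+ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+return 302 https://liberta.casa;
+}
+server {
+server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
+listen 81.16.19.64:443 ssl http2;
+
+root /srv/www/liberta.casa/static/website;
+
+ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+return 302 https://liberta.casa;
+}
+server {
+server_name liberta.casa lib.casa;
+listen 81.16.19.64:443 ssl http2;
+listen [2a03:4000:47:58a::]:443 ssl http2;
+#listen [::]:443 ssl http2;
+
+root /srv/www/liberta.casa/static/website;
+
+ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+location / {
+root /srv/www/liberta.casa/static/website;
+index index.html;
+add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+}
+
+location /kiwi {
+root /mnt/gluster01/web/liberta.casa;
+index index.html;
+try_files $uri $uri/ =404;
+}
+
+location /register {
+proxy_pass http://127.0.0.1:8965;
+add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
+}
+
+location /webirc {
+proxy_pass http://192.168.0.110:8068;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /libcasa {
+root /srv/www/superseriousstats/libertacasa;
+index index.html;
+location ~ \.php$ {
+fastcgi_pass 172.168.100.1:9100;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $request_filename;
+}
+
+}
+
+location /libcasa.info {
+root /srv/www/superseriousstats/libertacasa;
+index index.html;
+location ~ \.php$ {
+fastcgi_pass 172.168.100.1:9100;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $request_filename;
+}
+}
+
+location /gamja {
+root /srv/www/gamja;
+index index.html;
+}
+
+location /socket {
+proxy_pass http://192.168.0.110:8068;
+proxy_read_timeout 600s;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# location /convos {
+# proxy_pass http://[::1]:8089;
+# proxy_read_timeout 600s;
+# proxy_http_version 1.1;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+#
+# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
+# root /srv/www/convos/convos/public;
+# }
+
+location /convos {
+rewrite ^/convos/?(.*)$ /$1 break;
+proxy_pass http://[::1]:8089;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Request-Base "$scheme://$host/convos";
+}
+
+location /candy {
+root /srv/www/candy/;
+index index.html;
+add_header Access-Control-Allow-Origin *;
+}
+location /candy-source {
+root /srv/www/candy/;
+}
+
+## https://xmpp.org/extensions/xep-0156.html#http
+## Provides an alternative to SRV lookups, needed for compliance
+location /.well-known/host-meta {
+root /srv/www/xmpp;
+default_type 'application/xrd+xml';
+add_header Access-Control-Allow-Origin '*' always;
+}
+location /.well-known/host-meta.json {
+root /srv/www/xmpp;
+default_type 'application/jrd+json';
+add_header Access-Control-Allow-Origin '*' always;
+}
+
+error_log /var/log/nginx/liberta.casa.err;
+
+}
+
+server {
+server_name katyusha.liberta.casa;
+listen 81.16.19.64:443 ssl http2;
+
+ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+resolver 127.0.0.4;
+
+location / {
+proxy_pass http://[::1]:8086;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
+error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
+}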
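Review bot: The server-level `add_header Strict-Transport-Security "max-age=63072000" always;` in the liberta.casa block is not emitted for responses from `location /`, `/register`, `/candy`, `/.well-known/host-meta` and `/.well-known/host-meta.json`, because nginx only inherits `add_header` into a level that defines no `add_header` of its own. Repeating the HSTS line inside each of those locations, or moving the shared `add_header` lines into an include, restores it; the same pattern affects the `.well-known/matrix` locations in nginx/01/matrix.conf and nginx/02/bastelstube.conf. Separately, the nested `location ~ \.php$` blocks under `/libcasa` and `/libcasa.info` hand `$request_filename` to FastCGI without confirming the file exists; a `try_files $uri =404;` before `fastcgi_pass` keeps requests for non-existent scripts from reaching PHP.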
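--- a/nginx/01/matrix.conf
+++ b/nginx/01/matrix.conf
@@ -0,0 +1,240 @@
+##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
+
+##SYNAPSE
+server {
+listen 81.16.19.64:443 ssl;
+
+# For the federation port
+listen 81.16.19.64:8448 ssl default_server;
+listen 192.168.0.110:8448 ssl;
+
+# For bridge
+listen 127.0.0.2:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+server_name matrix.liberta.casa;
+
+location ~* ^(\/_matrix|\/_synapse\/client) {
+proxy_pass http://[::1]:8077;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+client_max_body_size 50M;
+}
+
+location /.well-known/matrix/client {
+return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+location /.well-known/matrix/server {
+return 200 '{"m.server": "matrix.liberta.casa:8448"}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+
+location / {
+proxy_pass http://[::1]:8077/;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+}
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
+
+}
+
+#ELEMENT
+server {
+listen 81.16.19.64:443 ssl;
+server_name element.liberta.casa;
+
+root /mnt/gluster01/web/matrix/element-libertacasa;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+server {
+listen 81.16.19.64:443 ssl;
+server_name m.liberta.casa;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+return 301 https://element.liberta.casa$request_uri;
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
+
+}
+
+#SYDENT
+server {
+listen 81.16.19.64:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+server_name ident.matrix.liberta.casa;
+
+location / {
+proxy_pass http://127.0.0.4:8074/;
+proxy_set_header X-Forwarded-For $remote_addr;
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 20M;
+}
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
+
+}
+
+#DIMENSION
+server {
+server_name integrations.matrix.liberta.casa;
+listen 81.16.19.64:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+location / {
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass http://127.0.0.1:8184;
+}
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
+
+}
+
+#KEYS
+server {
+server_name keys.matrix.liberta.casa;
+listen 81.16.19.64:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+location / {
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass http://127.0.0.2:8076;
+}
+
+location /.well-known/matrix/client {
+return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+location /.well-known/matrix/server {
+return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
+
+}
+
+#MAUBOT
+server {
+server_name maubot.matrix.liberta.casa;
+listen 81.16.19.64:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+# location /_matrix/maubot/v1/logs {
+# proxy_pass http://127.0.0.2:29419;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+
+location / {
+proxy_pass http://127.0.0.2:29419;
+proxy_set_header X-Forwarded-For $remote_addr;
+}
+
+access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
+error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
+
+}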
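Review bot: Every server block here enables `ssl_stapling_verify on;` but none sets `ssl_trusted_certificate`, which nginx needs to validate OCSP responses against the issuer chain; without it the verification most likely fails and no OCSP response is stapled, so the directive pair is inert. The three liberta.casa blocks in nginx/01/liberta.casa.conf show the working form, `ssl_trusted_certificate /etc/ssl/ca-bundle.pem;`; the same omission is present in the katyusha block of that file, nginx/01/mattermost.conf, nginx/01/tp.3gy.de.conf and the live blocks of nginx/01/xmpp.conf. The Dimension block forwards `X-Forwarded-For $proxy_add_x_forwarded_for` while every other block uses `$remote_addr`; the former appends to whatever the client already sent, so the upstream must only trust the last hop, otherwise `$remote_addr` is the safer and consistent choice. The `keys` and `maubot` blocks are limited to `ssl_protocols TLSv1.2;` unlike the rest; if TLS 1.3 was excluded deliberately, a one-line comment saying why would stop it from being "fixed" later.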
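--- a/nginx/01/mattermost.conf
+++ b/nginx/01/mattermost.conf
@@ -0,0 +1,74 @@
+upstream mattermost {
+server 127.0.0.2:8065;
+keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+listen 81.16.19.64:443 ssl http2;
+listen 192.168.0.110:443 ssl http2;
+server_name mattermost.casa;
+
+http2_push_preload on;
+
+ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
+ssl_session_timeout 1d;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_early_data on;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+#ssl_session_cache shared:SSL:50m;
+add_header Strict-Transport-Security max-age=15768000;
+#add_header X-Early-Data $tls1_3_early_data;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+location /libcasa/channels/town-square {
+return https://mattermost.casa/libcasa/channels/libcasa;
+}
+
+location ~ /api/v[0-9]+/(users/)?websocket$ {
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Frame-Options SAMEORIGIN;
+client_max_body_size 50M;
+proxy_buffers 256 16k;
+proxy_buffer_size 16k;
+client_body_timeout 60;
+send_timeout 300;
+lingering_timeout 5;
+proxy_connect_timeout 90;
+proxy_send_timeout 300;
+proxy_read_timeout 90s;
+proxy_http_version 1.1;
+proxy_pass http://mattermost;
+}
+
+location / {
+proxy_set_header Connection "";
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Frame-Options SAMEORIGIN;
+client_max_body_size 50M;
+proxy_buffers 256 16k;
+proxy_buffer_size 16k;
+proxy_read_timeout 600s;
+proxy_cache mattermost_cache;
+proxy_cache_revalidate on;
+proxy_cache_min_uses 2;
+proxy_cache_use_stale timeout;
+proxy_cache_lock on;
+proxy_http_version 1.1;
+proxy_pass http://mattermost;
+}
+}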
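Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in both the websocket location and `location /` sets a request header sent to the Mattermost upstream, not a response header sent to the browser, so it provides no clickjacking protection; if nginx is meant to enforce it the line should be `add_header X-Frame-Options SAMEORIGIN always;`, or it should be dropped if Mattermost already emits the header itself. `ssl_early_data on;` accepts TLS 1.3 0-RTT data, which is replayable by design; nginx exposes `$ssl_early_data` for exactly this case, so forwarding it with `proxy_set_header Early-Data $ssl_early_data;` lets the backend refuse non-idempotent requests that arrived in early data (the commented `X-Early-Data` line suggests this was the intent). `proxy_set_header X-Real-IP $remote_addr;` is duplicated in the websocket location, and the HSTS `add_header` lacks `always`, so the header is omitted on error responses.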
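--- a/nginx/01/mirror.conf
+++ b/nginx/01/mirror.conf
@@ -0,0 +1,18 @@
+server {
+listen 45.129.182.13:443 ssl http2;
+listen [2a03:4000:47:58a::]:443 ssl http2;
+
+server_name 3zy.de;
+
+ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
+
+location / {
+root /mnt/gluster01/mirror;
+# fancyindex on;
+# fancyindex_exact_size on;
+autoindex on;
+autoindex_exact_size on;
+autoindex_localtime on;
+}
+}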
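Review bot: This server block sets only the certificate pair and no `ssl_protocols`, `ssl_session_*` or HSTS directives, so the TLS policy for 3zy.de comes entirely from the enclosing `http` context, which is not part of this change; if that context still carries nginx defaults, this listener accepts older protocol versions than the other files in this commit allow. Copying the `ssl_protocols TLSv1.3 TLSv1.2;`, `ssl_session_tickets off;` and `add_header Strict-Transport-Security` lines used in nginx/01/liberta.casa.conf, or moving them into a shared include, would keep the hosts consistent and make the policy visible in the file.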
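--- a/nginx/01/nsedit.conf
+++ b/nginx/01/nsedit.conf
@@ -0,0 +1,16 @@
+include php-fpm;
+
+server {
+listen 192.168.0.110:8083 ssl;
+server_name nsedit1-local.secure.squirrelcube.xyz;
+root /mnt/gluster01/web/nsedit1;
+index index.php;
+
+ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+location / {
+}
+
+include php;
+}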
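Review bot: The certificate pair here is the tp.3gy.de one, but `server_name` is `nsedit1-local.secure.squirrelcube.xyz`, which is not covered by the `*.one.secure.squirrelcube.xyz` wildcard that the same certificate serves in nginx/01/tp.3gy.de.conf; unless the certificate also lists this exact name, every client will get a hostname mismatch on this DNS admin interface. Confirm the SAN list or use a name that matches it. The block also sets no `ssl_protocols` or session directives and delegates all PHP routing to `include php;`, so both the TLS policy and the FastCGI handling for this host live outside this diff and cannot be reviewed here.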
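--- a/nginx/01/omnidb.conf
+++ b/nginx/01/omnidb.conf
@@ -0,0 +1,41 @@
+server {
+listen 127.0.0.2:8085 ssl;
+server_name omnidb-local.one.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+location / {
+proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Ssl https;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Port 443;
+proxy_set_header Host $host;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+}
+}
+server {
+listen 45.129.182.13:25483 ssl;
+listen [2a03:4000:47:58a::]:25483 ssl;
+server_name omnidb1.one.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+location / {
+proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Ssl https;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Port 25483;
+proxy_set_header Host $host;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+}
+}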
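Review bot: Both locations `proxy_pass` to `https://omnidb-backend.one.secure.squirrelcube.xyz:...` without `proxy_ssl_verify on;`, and nginx does not verify upstream certificates by default, so the TLS hop to the database-admin backend is encrypted but unauthenticated; adding `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/ca-bundle.pem;` and `proxy_ssl_name omnidb-backend.one.secure.squirrelcube.xyz;` makes the proxy check the backend's identity. The second server block publishes the OmniDB UI on the public `45.129.182.13:25483` and IPv6 listeners with no `allow`/`deny` list or proxy-level authentication visible in this file; if access is meant to be limited to known networks, an explicit `allow`/`deny` block here would make that policy reviewable instead of relying on the application alone. The two `location /` bodies differ only in `X-Forwarded-Port` and the backend port, so they are a candidate for a shared include.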
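--- a/nginx/01/tp.3gy.de.conf
+++ b/nginx/01/tp.3gy.de.conf
@@ -0,0 +1,28 @@
+server {
+server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
+listen 45.129.182.13:443 ssl;
+listen [2a03:4000:47:58a::]:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3;
+#ssl_ciphers
+#ssl_prefer_server_ciphers
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+location / {
+proxy_pass https://[::1]:3080/;
+proxy_ssl_verify off;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host $host;
+proxy_read_timeout 3600;
+}
+}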
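Review bot: `location /` forwards the `Upgrade`/`Connection` headers needed for WebSocket upgrades but does not set `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, on which the upgrade cannot be negotiated; add `proxy_http_version 1.1;` next to the `proxy_set_header Upgrade` line. The katyusha block in nginx/01/liberta.casa.conf has the same omission. `proxy_ssl_verify off;` is tolerable for a loopback `[::1]:3080` backend, but a short comment saying the backend cert is self-signed would stop the line from being copied to non-loopback upstreams.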
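--- a/nginx/01/xmpp.conf
+++ b/nginx/01/xmpp.conf
@@ -0,0 +1,301 @@
+#Prosody (DEPRECATED!)
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# proxy_pass http://[::1]:5280;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header Host $host;
+#
+# }
+#
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy/http-bind {
+# proxy_pass https://127.0.0.2:5443/http-bind;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+# location /candy {
+# root /srv/www/candy/;
+# index index.html;
+# }
+# location /candy-source {
+# root /srv/www/candy/;
+# }
+#}
+
+#mod_http_upload_external
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+#
+# server_name up.xmpp.liberta.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+## client_max_body_size 50m;
+#
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://[::1]:5050/upload/;
+# proxy_request_buffering off;
+# }
+#}
+
+#server {
+# listen 81.16.19.64:443 ssl http2;
+# listen [2a03:4000:47:58a::]:443 ssl http2;
+# server_name xmpp.lib.casa;
+#
+# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+# resolver 127.0.0.4;
+#
+# location / {
+# root /srv/www/jappix;
+# index index.php;
+# location ~ \.php$ {
+# fastcgi_pass 172.168.100.1:9100;
+# include fastcgi_params;
+# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# }
+# }
+#
+# error_log /var/log/nginx/xmpp.lib.casa.err;
+#}
+
+
+####
+## ejabberd
+####
+
+## mod_http_upload
+
+perl_modules /usr/local/lib/perl;
+perl_require upload.pm;
+
+server {
+listen 81.16.19.64:443 ssl http2;
+listen [2a03:4000:47:58a::]:443 ssl http2;
+listen 127.0.0.2:443 ssl http2;
+server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
+
+ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+resolver 127.0.0.4;
+
+root /opt/ejabberd/upload;
+
+location / {
+perl upload::handle;
+}
+
+client_max_body_size 40m;
+
+# location / {
+# if ( $request_method = OPTIONS ) {
+# add_header Access-Control-Allow-Origin '*';
+# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
+# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
+# add_header Access-Control-Allow-Credentials 'true';
+# add_header Content-Length 0;
+# add_header Content-Type text/plain;
+# return 200;
+# }
+# proxy_pass http://127.0.0.2:5443;
+# proxy_request_buffering off;
+# }
+
+error_log /var/log/nginx/up.xmpp.lib.casa.err;
+}
+
+
+## Everything
+
+server {
+listen 81.16.19.64:443 ssl http2;
+listen [2a03:4000:47:58a::]:443 ssl http2;
+server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
+
+ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
+ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+resolver 127.0.0.4;
+
+#location / {
+# proxy_pass https://127.0.0.2:5443;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header Host $host;
+#
+#}
+
+location / {
+root /srv/www/xmpp;
+index index.html;
+}
+
+location /upload {
+return https://up.xmpp.lib.casa;
+}
+
+location /bosh {
+proxy_pass https://127.0.0.2:5443;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+}
+
+location /ws {
+proxy_pass https://127.0.0.2:5443;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+}
+
+# location /xmpp-websocket {
+# proxy_pass http://[::1]:5280/xmpp-websocket;
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "Upgrade";
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_read_timeout 900s;
+# }
+location /candy/http-bind {
+proxy_pass https://127.0.0.2:5443/http-bind;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_read_timeout 900s;
+}
+location /candy {
+root /srv/www/candy/;
+index index.html;
+}
+location /candy-source {
+root /srv/www/candy/;
+}
+
+error_log /var/log/nginx/xmpp.lib.casa.err;
+
+}
+
+
+## ejabberd_web_admin
+
+server {
+listen 127.0.0.2:443 ssl http2;
+server_name ejabberd-local.one.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+resolver 127.0.0.4;
+
+location / {
+proxy_pass http://127.0.0.2:5280;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+
+}
+}
+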
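--- a/nginx/02/bastelstube.conf
+++ b/nginx/02/bastelstube.conf
@@ -0,0 +1,35 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name www.lysergic.dev lysergic.dev;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSLS:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+root /srv/www/htdocs/bastelstube;
+index index.html;
+
+
+location /.well-known/matrix/client {
+return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+location /.well-known/matrix/server {
+return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+}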
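Review bot: The two `.well-known/matrix` locations lose the HSTS header, because in nginx an `add_header` inside a location replaces the inherited server-level `add_header` set, so only `Access-Control-Allow-Origin` is sent on those responses. Repeating `add_header Strict-Transport-Security "max-age=63072000" always;` inside each of the two location blocks restores it. The `.well-known/matrix` locations in nginx/02/matrix.conf have the same issue.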
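--- a/nginx/02/cachet.conf
+++ b/nginx/02/cachet.conf
@@ -0,0 +1,17 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name status.liberta.casa status.lib.casa;
+
+ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
+
+location / {
+proxy_pass http://cachet.local:8033;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_http_version 1.1;
+}
+}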
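Review bot: `location /` forwards X-Forwarded-Host/Server/For but not the scheme, so the Cachet backend on plain HTTP cannot tell that the client arrived over TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers. This server block also sets no `ssl_protocols`, `ssl_session_*` or HSTS line, unlike bastelstube.conf in the same directory, so the enabled TLS versions depend on the nginx build default.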
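--- a/nginx/02/confluence.conf
+++ b/nginx/02/confluence.conf
@@ -0,0 +1,30 @@
+server {
+listen 202.61.255.116:443 ssl;
+listen [2a03:4000:55:d20::]:443 ssl;
+server_name confluence.psyched.dev;
+
+ssl_certificate /etc/ssl/psyched/fullchain.pem;
+ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
+
+ssl_session_timeout 5m;
+
+ssl_protocols TLSv1.3;
+#ssl_prefer_server_ciphers on;
+
+location / {
+client_max_body_size 100m;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass http://localhost:8090;
+}
+location /synchrony {
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass http://localhost:8091/synchrony;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+}
+}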
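Review bot: Neither `location /` nor `location /synchrony` forwards the request scheme, so Confluence only sees plain HTTP from this proxy unless its connector is configured for the https scheme; add `proxy_set_header X-Forwarded-Proto $scheme;` to both locations. `#ssl_prefer_server_ciphers on;` is dead configuration, and the block lacks the HSTS and `ssl_session_cache` lines the other vhosts in this directory set, which is worth aligning.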
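--- a/nginx/02/default.conf
+++ b/nginx/02/default.conf
@@ -0,0 +1,17 @@
+server {
+listen 202.61.255.116:443 ssl http2 default_server;
+listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+root /srv/www/htdocs/default;
+index index.html;
+}
+server {
+listen 202.61.255.116:80 default_server;
+listen [2a03:4000:55:d20::]:80 default_server;
+
+root /srv/www/htdocs/default;
+index index.html;
+}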
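Review bot: The 443 `default_server` answers any unmatched SNI name with the lysergic certificate and a page from `/srv/www/htdocs/default`; if the purpose is only to keep unknown hosts off the other vhosts, `ssl_reject_handshake on;` (nginx 1.19.4+) in this block refuses those handshakes instead of presenting a certificate for a name it does not match. The port-80 `default_server` serves the same static root rather than redirecting, so unknown-host traffic keeps flowing in clear text; if that is not wanted, `return 301 https://$host$request_uri;` in place of the `root`/`index` pair closes it.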
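--- a/nginx/02/dnsui.conf
+++ b/nginx/02/dnsui.conf
@@ -0,0 +1,27 @@
+server {
+listen 192.168.0.115:8084 ssl;
+server_name dnsui-local.two.secure.squirrelcube.xyz;
+root /mnt/gluster01/web/dnsui2/public_html;
+index init.php;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+try_files $uri $uri/ @php;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+location @php {
+rewrite ^/(.*)$ /init.php/$1 last;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+location /init.php {
+fastcgi_pass 172.168.100.2:9100;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+}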
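Review bot: `auth_basic` and `auth_basic_user_file` are repeated in all three location blocks; moving the two lines `auth_basic "NS1 Intranet";` and `auth_basic_user_file /mnt/gluster01/web/auth/dnsui;` to server context right after `index init.php;` gives the same protection and means a location added later cannot silently bypass it. `location /init.php` builds `SCRIPT_FILENAME` from `$fastcgi_script_name` without a `fastcgi_split_path_info`, so whether the `/init.php/$1` rewrite still reaches the application with a usable PATH_INFO depends on the FPM side and is worth confirming.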
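--- a/nginx/02/drone.conf
+++ b/nginx/02/drone.conf
@@ -0,0 +1,38 @@
+#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
+server {
+listen 192.168.0.115:443 ssl http2;
+server_name drone.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
+}
+}
+
+#Runner Exec
+server {
+listen 192.168.0.115:443 ssl http2;
+server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://127.0.0.3:3000;
+}
+}
+
+#Runner SSH
+server {
+listen 192.168.0.115:443 ssl http2;
+server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://127.0.0.3:3001;
+}
+}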
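Review bot: `proxy_pass https://drone-local.two.secure.squirrelcube.xyz;` in the first server block speaks TLS to the upstream without `proxy_ssl_verify on;`, and nginx defaults that to off, so the upstream certificate is never checked; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/ca-bundle.pem;` (the bundle other files in this directory already reference) and `proxy_ssl_server_name on;` so SNI carries the upstream name. The header comment says this listener exists only for RPC from other nodes, but nothing in the block restricts who can reach it; an `allow`/`deny` list of the node addresses would make that statement enforceable.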
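--- a/nginx/02/etherpad.conf
+++ b/nginx/02/etherpad.conf
@@ -0,0 +1,39 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+
+location / {
+proxy_pass http://127.0.0.2:9001;
+proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+proxy_set_header Host $host;
+proxy_pass_header Server;
+
+# Note you might want to pass these headers etc too.
+proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+proxy_http_version 1.1; # recommended with keepalive connections
+
+# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+
+}
+}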
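Review bot: `proxy_set_header Connection "Upgrade";` is applied to every request in `location /`, not only to WebSocket upgrades; the nginx WebSocket page linked in the comment pairs it with a `map $http_upgrade $connection_upgrade` in http context and `proxy_set_header Connection $connection_upgrade;`, which leaves ordinary requests as keep-alive. `proxy_pass_header Server;` deliberately exposes the backend's Server header to clients and none of the comments say why; a one-line reason next to it would help.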
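--- a/nginx/02/georg.conf
+++ b/nginx/02/georg.conf
@@ -0,0 +1,23 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
+
+ssl_certificate /etc/ssl/georg/533088712.crt;
+ssl_certificate_key /etc/ssl/georg/my.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSLS:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
+resolver 127.0.0.4;
+
+root /srv/www/htdocs/georg;
+index index.html;
+
+}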
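Review bot: The TLS hardening block (`ssl_session_timeout` through `resolver`) is copy-pasted into this file and into bastelstube, etherpad, git, scooper and matrix with drifting values — `shared:MozSSLS:10m` here and in bastelstube versus `shared:MozSSL:10m` elsewhere, and `TLSv1.2 TLSv1.3` versus `TLSv1.3` only — so no two vhosts carry quite the same policy. Moving those lines into one snippet pulled in with `include` keeps the policy in one place; a session cache zone declared under two names also allocates two separate zones.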
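--- a/nginx/02/git.conf
+++ b/nginx/02/git.conf
@@ -0,0 +1,65 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+server_name git.lysergic.dev git.de.com;
+
+return 302 https://git.com.de;
+}
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
+ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
+
+server_name git.casa;
+
+# return 302 https://git.com.de/libertacasa;
+
+
+root /srv/www/htdocs;
+
+try_files $uri @cgit;
+
+location @cgit {
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
+fastcgi_param PATH_INFO $uri;
+fastcgi_param QUERY_STRING $args;
+fastcgi_param HTTP_HOST $server_name;
+fastcgi_pass unix:/run/fcgiwrap.sock;
+}
+
+
+}
+
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+listen 192.168.0.115:443 ssl http2;
+
+server_name git.com.de;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+
+location / {
+proxy_pass http://127.0.0.2:3501;
+}
+}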
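Review bot: The `git.casa` server block sets `root /srv/www/htdocs;` with `try_files $uri @cgit;`, and `/srv/www/htdocs` is the parent of the document roots used by default.conf, bastelstube.conf and georg.conf in this directory (`/srv/www/htdocs/default`, `/srv/www/htdocs/bastelstube`, `/srv/www/htdocs/georg`), so those sites' files are also served under `https://git.casa/<dir>/...` before cgit is consulted; pointing `root` at a directory holding only cgit's static assets removes that overlap. `fastcgi_param QUERY_STRING $args;` duplicates what `include fastcgi_params;` already sets, and the git.casa block has no `ssl_protocols`/HSTS lines while the `git.com.de` block in the same file does.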
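--- a/nginx/02/grafana.conf
+++ b/nginx/02/grafana.conf
@@ -0,0 +1,15 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+server_name grafana.lysergic.dev;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 5m;
+ssl_protocols TLSv1.3;
+
+location / {
+proxy_pass http://[::1]:3000/;
+}
+}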
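Review bot: `location /` proxies to Grafana without forwarding the original Host header, so Grafana sees `[::1]:3000` as its host; `proxy_set_header Host $host;` is what Grafana's reverse-proxy documentation expects, and the Grafana Live websocket endpoint would additionally need the `Upgrade`/`Connection` headers that etherpad.conf in this directory already sets. The block also has no HSTS or `ssl_session_cache` lines, unlike its siblings.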
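--- a/nginx/02/graylog.conf
+++ b/nginx/02/graylog.conf
@@ -0,0 +1,42 @@
+server {
+listen 192.168.0.115:8087 ssl;
+server_name graylog-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://127.0.0.1:9000;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_http_version 1.1;
+}
+}
+
+#server {
+# listen 202.61.255.116:443 ssl http2;
+# listen [2a03:4000:55:d20::]:443 ssl http2;
+# server_name glpub.two.secure.squirrelcube.xyz;
+#
+# ssl_certificate /etc/ssl/tp/fullchain.pem;
+# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSLS:10m;
+# ssl_session_tickets off;
+# ssl_protocols TLSv1.3;
+# ssl_prefer_server_ciphers off;
+# add_header Strict-Transport-Security "max-age=63072000" always;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+# resolver 127.0.0.4;
+#
+# location /streams {
+# proxy_pass http://127.0.0.1:9000/;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_http_version 1.1;
+# }
+#}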
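Review bot: The active `location /` forwards X-Forwarded-Host/Server/For but not `X-Forwarded-Proto`, so Graylog sees the proxied request as plain HTTP although the listener is TLS; add `proxy_set_header X-Forwarded-Proto $scheme;`. Graylog's reverse-proxy documentation also expects `proxy_set_header X-Graylog-Server-URL https://$server_name/;` so the web interface reaches the API through the proxy — worth confirming against the deployed version. The commented-out `glpub` server block is about half the file; if it is kept as a template, a comment saying so would prevent it being mistaken for a half-finished change.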
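--- a/nginx/02/jitsi.conf
+++ b/nginx/02/jitsi.conf
@@ -0,0 +1,57 @@
+#server_names_hash_bucket_size 64;
+
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+listen 127.0.0.1:443 ssl http2;
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+# tls configuration that is not covered in this guide
+# we recommend the use of https://certbot.eff.org/
+server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
+# set the root
+root /srv/jitsi-meet;
+index index.html;
+location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
+rewrite ^/(.*)$ / break;
+}
+location / {
+ssi on;
+}
+# BOSH, Bidirectional-streams Over Synchronous HTTP
+# https://en.wikipedia.org/wiki/BOSH_(protocol)
+location = /http-bind {
+proxy_pass http://127.0.0.1:5280/http-bind;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $http_host;
+proxy_method POST;
+proxy_buffering off;
+tcp_nodelay on;
+}
+# external_api.js must be accessible from the root of the
+# installation for the electron version of Jitsi Meet to work
+# https://github.com/jitsi/jitsi-meet-electron
+location /external_api.js {
+alias /srv/jitsi-meet/libs/external_api.min.js;
+}
+# xmpp websockets
+location /xmpp-websocket {
+proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header Host $host;
+tcp_nodelay on;
+}
+}
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+server_name meet-auth.sso.casa;
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+location / {
+proxy_pass http://127.0.0.2:3002;
+}
+}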
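Review bot: The `meet.*` server block still carries the upstream template's placeholder `# tls configuration that is not covered in this guide` and has no `ssl_protocols`, `ssl_session_*` or HSTS lines, while neighbouring vhosts such as etherpad.conf set the full hardened set; the comment should either be replaced by those lines or state that the build defaults are intentional here. The `meet-auth.sso.casa` block proxies to `127.0.0.2:3002` without forwarding `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`, so the auth backend can neither tell clients apart nor know it sits behind TLS.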
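--- a/nginx/02/keycloak.conf
+++ b/nginx/02/keycloak.conf
@@ -0,0 +1,219 @@
+#########################################
+## SECTION 1 ##
+## DEVELOPMENT / STAGING CONFIGURATION ##
+#########################################
+
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name auth.syscid.com sso.syscid.com;
+
+ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+# location /auth {
+# return 302 https://auth.syscid.com/auth/realms/master/account/;
+# }
+# location /auth/realms/master/account/ {
+# proxy_pass https://10.0.0.10;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# }
+location / {
+proxy_pass https://10.0.0.10;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+}
+server {
+listen 127.0.0.1:443 ssl http2;
+
+server_name keycloak-internal.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
+
+location / {
+proxy_pass https://10.0.0.10;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
+
+#########################################
+## SECTION 2 ##
+## Everything below here is PRODUCTION ##
+#########################################
+
+##
+## WildFly Management UI access through Teleport
+##
+server {
+listen 127.0.0.1:443 ssl http2;
+server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+location / {
+proxy_pass http://127.0.0.5:9990;
+
+## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
+
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header X-Forwarded-Host $host;
+# proxy_set_header X-Forwarded-Server $host;
+# proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header Authorization $http_authorization;
+# proxy_pass_header Authorization;
+proxy_set_header Host $host:10090;
+proxy_set_header Origin http://$host:10090;
+
+proxy_redirect off;
+proxy_http_version 1.1;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass_request_headers on;
+}
+}
+
+##
+## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
+##
+#server {
+# listen 127.0.0.1:443 ssl http2;
+# listen 192.168.0.115:443 ssl http2;
+#
+# server_name intra.sso.casa;
+# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+#
+# location / {
+# proxy_pass https://192.168.0.115:8843/;
+# proxy_ssl_verify off;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# #proxy_set_header X-Forwarded-Host $host;
+# #proxy_set_header X-Forwarded-Server $host;
+# #proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto https;
+# }
+# proxy_buffer_size 128k;
+# proxy_buffers 4 256k;
+# proxy_busy_buffers_size 256k;
+#}
+
+##
+## Standalone Keycloak Frontend on Orpheus
+##
+
+#server {
+# listen 202.61.255.116:443 ssl http2;
+# listen [2a03:4000:55:d20::]:443 ssl http2;
+#
+# server_name sso.casa;
+#
+# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+#
+# location / {
+# proxy_pass https://192.168.0.115:8843/;
+# proxy_ssl_verify off;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# #proxy_set_header X-Forwarded-Host $host;
+# #proxy_set_header X-Forwarded-Server $host;
+# #proxy_set_header X-Forwarded-Port $server_port;
+# proxy_set_header X-Forwarded-Proto https;
+# }
+# proxy_buffer_size 128k;
+# proxy_buffers 4 256k;
+# proxy_busy_buffers_size 256k;
+#
+## location ~ /auth/admin {
+## deny all;
+## return 403;
+## }
+#
+#}
+
+##
+## Keycloak Frontend Load Balancer
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+ip_hash;
+server 192.168.0.110:8843;
+server 192.168.0.115:8843;
+server 192.168.0.120:8843;
+
+# only available in NGINX Plus - very sad!!
+# sticky learn
+# create=$upstream_cookie_AUTH_SESSION_ID
+# lookup=$cookie_AUTH_SESSION_ID
+# zone=client_sessions:1m;
+}
+
+# same ordeal
+#match jboss_check {
+# status 200;
+# header Content-Type = text/html;
+# body ~ "WildFly is running";
+#}
+
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+listen 127.0.0.1:443 ssl http2;
+server_name sso.casa;
+
+ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+ssl_session_cache shared:SSL:1m;
+ssl_prefer_server_ciphers on;
+
+#location = / {
+# return 302 /auth/;
+#}
+
+location / {
+proxy_pass https://jboss;
+proxy_cache backcache;
+proxy_ssl_verify off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+
+# yup, nginx plus
+#health_check match=jboss_check;
+}
+proxy_buffer_size 256k;
+proxy_buffers 4 512k;
+proxy_busy_buffers_size 512k;
+
+}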
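Review bot: In the `keycloak-internal` server block, `return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;` sits in server context, and a server-level `return` runs before any location is matched, so the `location /` below it is unreachable; either drop whichever of the two is unwanted or move the redirect into `location = /`. The production `sso.casa` block sets `proxy_ssl_verify off;` for the `https://jboss` upstream, so the identity provider's backend TLS is unauthenticated; with `proxy_ssl_trusted_certificate` pointing at the CA that issued the WildFly certificates it can be switched to `on`. `proxy_cache backcache;` on a login frontend also stores backend responses under `/tmp/NGINX_cache/`; confirm that Keycloak marks its pages non-cacheable or restrict the cache to static paths, since any per-user response that does get cached would be served to other clients. The `## This bit does not look production worthy` comment in the WildFly block records an open question about the forwarded client IP that should be resolved rather than shipped.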
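--- a/nginx/02/matrix.conf
+++ b/nginx/02/matrix.conf
@@ -0,0 +1,79 @@
+##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
+
+##SYNAPSE
+server {
+listen 202.61.255.116:443 ssl;
+listen [2a03:4000:55:d20::]:443 ssl;
+
+# For the federation port
+listen 202.61.255.116:8448 ssl default_server;
+listen [2a03:4000:55:d20::]:8448 ssl;
+listen 192.168.0.115:8448 ssl;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+server_name matrix.lysergic.dev;
+
+location ~* ^(\/_matrix|\/_synapse\/client) {
+proxy_pass http://[::1]:8763;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+client_max_body_size 100M;
+}
+
+location /.well-known/matrix/client {
+return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+location /.well-known/matrix/server {
+return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+}
+
+
+location / {
+proxy_pass http://[::1]:8763/;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+client_max_body_size 100M;
+}
+}
+
+#ELEMENT
+server {
+listen 202.61.255.116:443 ssl;
+listen [2a03:4000:55:d20::]:443 ssl;
+server_name element.lysergic.dev;
+
+root /mnt/gluster01/web/matrix/element-lysergic;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+}
+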
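Review bot: The catch-all `location /` proxies every remaining path to Synapse on `[::1]:8763`, so endpoints outside `/_matrix` and `/_synapse/client` — including the `/_synapse/admin` API — stay reachable through the public listeners and the 8448 federation port; Synapse's reverse-proxy guidance forwards only the two prefixes the regex location already covers, so `location /` can be dropped or narrowed to what the deployment actually needs. `ssl_stapling on` is set without the `ssl_trusted_certificate` line that bastelstube.conf and etherpad.conf pair with it, so whether stapling verification succeeds here depends on the system CA store.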
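--- a/nginx/02/mirror.conf
+++ b/nginx/02/mirror.conf
@@ -0,0 +1,15 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name 3zy.de;
+
+ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
+ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
+
+location / {
+root /mnt/gluster01/mirror;
+fancyindex on;
+fancyindex_exact_size on;
+}
+}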
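Review bot: `root /mnt/gluster01/mirror;` is declared inside `location /` rather than at server level, which nginx's own pitfalls page lists as an anti-pattern because any later location has no document root unless it repeats the line; move `root` up next to `server_name`. `fancyindex on;` publishes a full directory listing of the mirror tree, presumably intended for a mirror but worth a one-line comment, and the block carries none of the TLS policy lines its siblings set.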
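--- a/nginx/02/phpldapadmin.conf
+++ b/nginx/02/phpldapadmin.conf
@@ -0,0 +1,22 @@
+server {
+listen 192.168.0.115:8084 ssl;
+server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
+root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
+index index.php;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+try_files $uri $uri/ /index.php$is_args$args;
+}
+
+location ~ \.php$ {
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_index index.php;
+fastcgi_pass 172.168.100.2:9100;
+}
+}
+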
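Review bot: `location ~ \.php$` hands `$realpath_root$fastcgi_script_name` to the php-fpm on `172.168.100.2:9100` without first checking that the script exists; the usual guard is `try_files $fastcgi_script_name =404;` as the first line of that location, so a request whose path merely ends in `.php` after `fastcgi_split_path_info` is rejected by nginx instead of being interpreted on the FPM host. The same PHP location appears verbatim in nginx/02/privatebin.conf and nginx/02/shlink.conf.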
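--- a/nginx/02/privatebin.conf
+++ b/nginx/02/privatebin.conf
@@ -0,0 +1,24 @@
+server {
+server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
+listen 202.61.255.116:443;
+listen [2a03:4000:55:d20::]:443;
+root /mnt/gluster01/web/privatebin/PrivateBin;
+index index.php;
+charset utf-8;
+disable_symlinks off;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+client_max_body_size 300M;
+location / {
+try_files $uri $uri/ /index.php$is_args$args;
+}
+
+location ~ \.php$ {
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_index index.php;
+fastcgi_pass 172.168.100.2:9100;
+}
+}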
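Review bot: Both `listen` lines lack the `ssl` parameter even though the block configures `ssl_certificate`, so this vhost is only TLS because another server block on `202.61.255.116:443` (bastelstube.conf, for example) declares `ssl` on the same socket; add `ssl http2` to both `listen` lines so the file stands on its own. shlink-web.conf and shlink.conf in this directory have the same omission. `disable_symlinks off;` on a GlusterFS-backed root and `client_max_body_size 300M;` are deliberate-looking choices that each deserve a one-line comment.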
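--- a/nginx/02/prometheus.conf
+++ b/nginx/02/prometheus.conf
@@ -0,0 +1,67 @@
+server {
+listen 192.168.0.115:8092 ssl http2;
+server_name prometheus-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://172.16.9.2:9090/;
+}
+}
+server {
+listen 192.168.0.115:8093 ssl http2;
+server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://172.16.9.2:9093/;
+}
+}
+server {
+listen 192.168.0.115:8094 ssl http2;
+server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://172.16.9.2:9115/;
+}
+}
+server {
+listen 192.168.0.115:8095 ssl http2;
+server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://172.16.9.2:9113/;
+}
+}
+server {
+listen 192.168.0.115:8095 ssl http2;
+server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://172.16.9.2:9586/;
+}
+}
+server {
+listen 192.168.0.115:8095 ssl http2;
+server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+proxy_pass http://127.0.0.2:9586/;
+}
+}
+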
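Review bot: The last three server blocks all `listen 192.168.0.115:8095 ssl http2;` under different `server_name`s, while every other block in the file has its own port (8092–8094), which reads like a copy-paste slip — they still work via SNI/Host, but anything that dials the port by address alone lands on whichever of the three nginx treats as the default for that socket. If one port per exporter was intended, the two wireguard blocks should get their own ports; if sharing is intentional, a comment saying so would stop the next reader from "fixing" it.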
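--- a/nginx/02/scooper.conf
+++ b/nginx/02/scooper.conf
@@ -0,0 +1,29 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name scooper.irc.lsd.systems;
+
+ssl_certificate /etc/ssl/irc/fullchain.pem;
+ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSLS:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+location / {
+fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
+fastcgi_split_path_info (/)(.*);
+fastcgi_param PATH_INFO $fastcgi_path_info;
+include fastcgi_params;
+auth_basic "I <3 Internet Relay Chat";
+auth_basic_user_file /mnt/gluster01/web/auth/scooper;
+}
+}
+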
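--- a/nginx/02/shlink-web.conf
+++ b/nginx/02/shlink-web.conf
@@ -0,0 +1,31 @@
+server {
+server_name lsd25.xyz;
+listen 202.61.255.116:443;
+listen [2a03:4000:55:d20::]:443;
+root /mnt/gluster01/web/shlink-web;
+index index.html;
+charset utf-8;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+expires -1;
+}
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+expires 1M;
+add_header Cache-Control "public";
+}
+location ~* \.(?:css|js)$ {
+expires 1y;
+add_header Cache-Control "public";
+}
+location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
+try_files $uri $uri/ =404;
+}
+location / {
+auth_basic "Lysergic URL Shortening Service";
+auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
+try_files $uri $uri/ /index.html$is_args$args;
+}
+}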
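Review bot: The regex locations for static files (`~* \.(?:manifest|appcache|html?|xml|json)$`, the image, `css|js` and catch-all extension blocks) take precedence over `location /`, so `/index.html` and every asset are served without the `auth_basic` that is configured only inside `location /`; if the whole site is meant to be protected, move `auth_basic` and `auth_basic_user_file` up to the server block so all locations inherit them. Separately, both `listen ...:443;` lines lack the `ssl` parameter, so unless `ssl on;` is inherited from an included context, nginx speaks plain HTTP on port 443 and the Basic-Auth header crosses the wire unencrypted; the two listen lines in nginx/02/shlink.conf have the same omission. The fix is `listen 202.61.255.116:443 ssl http2;` and `listen [2a03:4000:55:d20::]:443 ssl http2;` as the sibling files do.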
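--- a/nginx/02/shlink.conf
+++ b/nginx/02/shlink.conf
@@ -0,0 +1,29 @@
+include php-fpm;
+
+server {
+server_name lsd25.dev lsd-25.dev mcdonalds.pw;
+listen 202.61.255.116:443;
+listen [2a03:4000:55:d20::]:443;
+root /mnt/gluster01/web/shlink/public;
+index index.php;
+charset utf-8;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+location / {
+try_files $uri $uri/ /index.php$is_args$args;
+}
+
+location ~ \.php$ {
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_index index.php;
+fastcgi_pass 172.168.100.2:9100;
+}
+
+location ~ /\.ht {
+deny all;
+}
+}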
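Review bot: `fastcgi_pass 172.168.100.2:9100;` points at an address outside the RFC 1918 ranges (172.16/12 ends at 172.31.255.255), so the unencrypted FastCGI traffic follows the host's normal routing unless this is an overlay or VPN address the host has a route for; a comment such as `# 172.168.100.0/24 is the internal overlay, not public space` would settle it, and the same range is used by `fastcgi_pass` in nginx/03/dnsui.conf and by `resolver` in nginx/03/3gy.conf and nginx/03/mail.conf. In `location ~ \.php$`, adding `try_files $fastcgi_script_name =404;` before `fastcgi_pass` is the standard guard against PHP's path-info handling executing something other than an existing `.php` file. The `listen` lines here also lack the `ssl` parameter although certificates are configured, so this block may be serving plain HTTP on port 443.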
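--- a/nginx/02/syscid.conf
+++ b/nginx/02/syscid.conf
@@ -0,0 +1,15 @@
+server {
+listen 202.61.255.116:443 ssl http2;
+listen [2a03:4000:55:d20::]:443 ssl http2;
+
+server_name orpheus.syscid.com www.syscid.com;
+
+ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
+ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
+
+location / {
+root /srv/www/htdocs/syscid;
+index index.html;
+}
+
+}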
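Review bot: The certificate is `/etc/ssl/syscid/orpheus.psyched.dev.crt` while `server_name` is `orpheus.syscid.com www.syscid.com`; unless that certificate's SANs cover both syscid.com names, clients get a name-mismatch error, so a comment listing the names the certificate covers would make the file naming less surprising. This server also carries none of the `ssl_protocols`, HSTS or stapling lines the sibling files set, so it inherits whatever the http context provides; if that is intended, a one-line comment saying so would help the next reader.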
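--- a/nginx/02/tp.3gy.de.conf
+++ b/nginx/02/tp.3gy.de.conf
@@ -0,0 +1,28 @@
+server {
+server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
+listen 202.61.255.116:443 ssl;
+listen [2a03:4000:55:d20::]:443 ssl;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3;
+#ssl_ciphers
+#ssl_prefer_server_ciphers
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 127.0.0.4;
+
+location / {
+proxy_pass https://[::1]:3080/;
+proxy_ssl_verify off;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "Upgrade";
+proxy_set_header Host $host;
+proxy_read_timeout 3600;
+}
+}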
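Review bot: `location /` sets `Upgrade` and `Connection "Upgrade"` for WebSocket passthrough but does not set `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, so the upgrade cannot be negotiated with the backend on `[::1]:3080`. Sending `Connection: Upgrade` unconditionally is also fragile for ordinary requests; the usual pattern is `proxy_set_header Connection $connection_upgrade;` driven by a `map $http_upgrade $connection_upgrade` in the http context, and nginx/02/xen-orchestra.conf has the same unconditional header. `ssl_stapling on` here has no `ssl_trusted_certificate`, unlike scooper.conf, so whether stapling works depends on the chain in fullchain.pem.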
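--- a/nginx/02/xen-orchestra.conf
+++ b/nginx/02/xen-orchestra.conf
@@ -0,0 +1,23 @@
+server {
+listen 192.168.0.115:8086 ssl;
+server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+resolver 127.0.0.4;
+
+location / {
+proxy_pass https://127.0.0.2:8089;
+proxy_ssl_verify off;
+proxy_set_header Connection "upgrade";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_redirect default;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_http_version 1.1;
+proxy_read_timeout 1800;
+client_max_body_size 4G;
+}
+}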
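--- a/nginx/03/3gy.conf
+++ b/nginx/03/3gy.conf
@@ -0,0 +1,31 @@
+server {
+listen 202.61.255.100:443 ssl http2;
+listen [2a03:4000:55:d1d::]:443 ssl http2;
+
+server_name 3gy.de;
+
+ssl_certificate /etc/ssl/mail/fullchain.pem;
+ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+
+resolver 172.168.100.2;
+
+location / {
+root /srv/www/htdocs/3gy/;
+index index.html;
+}
+
+}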
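Review bot: `ssl_certificate /etc/ssl/mail/fullchain.pem` is served for `server_name 3gy.de`; the path suggests the mail-domain certificate, so either confirm its SANs include 3gy.de or add a comment such as `# shared certificate, covers 3gy.de as a SAN`. `resolver 172.168.100.2;` is used for the OCSP stapling lookups and lies outside the RFC 1918 ranges; if it is an internal overlay address a comment should say so, because a resolver reached over the public route would send those queries off-host in the clear.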
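--- a/nginx/03/beauties.conf
+++ b/nginx/03/beauties.conf
@@ -0,0 +1,34 @@
+server {
+listen 202.61.255.100:443 ssl http2;
+listen [2a03:4000:55:d1d::]:443 ssl http2;
+
+server_name hugz.io up.hugz.io www.hugz.io;
+
+ssl_certificate /etc/ssl/hugz/fullchain.pem;
+ssl_certificate_key /etc/ssl/hugz/private/privkey.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+error_page 403 /beauties-ip.html;
+location = /beauties-ip.html {
+root /srv/www/error;
+allow all;
+}
+
+location / {
+proxy_pass http://192.168.0.120:8922;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+client_max_body_size 200M;
+types {} default_type "text/plain; charset=utf-8";
+deny 2a01:7e00::f03c:91ff:feae:d55;
+deny 176.58.107.169;
+}
+
+}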
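Review bot: The two `deny` lines in `location /` are hard-coded bans with no explanation; a comment on each stating why and when it was added, or moving them to an included deny list, keeps them maintainable and reviewable. The backend at `192.168.0.120:8922` receives only `X-Forwarded-For`, and `$proxy_add_x_forwarded_for` appends to whatever the client already sent, so a backend that reads the first entry can be fed a chosen address; add `proxy_set_header X-Real-IP $remote_addr;` as the other proxies in this change do. `types {} default_type "text/plain; charset=utf-8";` looks like a deliberate guard so uploaded content is never rendered as HTML, and a one-line comment saying so would stop someone "fixing" it later.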
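--- a/nginx/03/cytube.conf
+++ b/nginx/03/cytube.conf
@@ -0,0 +1,31 @@
+server {
+listen 202.61.255.100:443 ssl http2;
+listen [2a03:4000:55:d1d::]:443 ssl http2;
+listen 192.168.0.120:443 ssl http2;
+
+server_name party.lysergic.dev;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+resolver 127.0.0.4;
+
+
+location / {
+proxy_pass http://127.0.0.1:8250;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+}
+
+location /jsxc {
+root /srv/www/jsxc.party;
+}
+}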
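Review bot: `location /` forwards only `X-Forwarded-Host` to `127.0.0.1:8250`, so the application sees every visitor as 127.0.0.1 and any per-client controls or logging on the backend collapse to one address; add `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` as the other proxy blocks in this change do. If the backend uses WebSockets, the `Upgrade`/`Connection` headers and `proxy_http_version 1.1;` are also missing here. `location /jsxc { root /srv/www/jsxc.party; }` resolves requests to `/srv/www/jsxc.party/jsxc/...`; if the files live directly under `/srv/www/jsxc.party`, `alias` was meant, and a comment either way would settle it.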
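--- a/nginx/03/default.conf
+++ b/nginx/03/default.conf
@@ -0,0 +1,16 @@
+#server {
+# listen 202.61.255.100:80 default_server;
+#
+# root /srv/www/htdocs/default;
+# index index.html;
+#}
+server {
+listen 202.61.255.100:443 ssl http2 default_server;
+listen [2a03:4000:55:d1d::]:443 ssl http2 default_server;
+
+root /srv/www/htdocs/default;
+index index.html;
+
+ssl_certificate /etc/ssl/parking/fullchain.pem;
+ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
+}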
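Review bot: This `default_server` on :443 presents the `parking` certificate and a document root to any SNI name that matches no other server block, so unknown names get a full TLS handshake plus content instead of a refusal. If the nginx version is 1.19.4 or later, `ssl_reject_handshake on;` in this block declines such handshakes without exposing a certificate; otherwise `return 444;` at least avoids serving `/srv/www/htdocs/default`, if the parking page is not actually wanted for unknown names. The commented-out port-80 block duplicates what nginx/03/http.conf now does and can be dropped or explained in one line.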
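--- a/nginx/03/deploy.conf
+++ b/nginx/03/deploy.conf
@@ -0,0 +1,15 @@
+server {
+listen 202.61.255.100:80;
+listen 192.168.0.120:80;
+server_name deploy.squirrelcube.xyz;
+root /srv/www/deploy;
+
+location / {
+autoindex on;
+}
+
+location /secret {
+auth_basic "Lysergic Deployment Services";
+auth_basic_user_file /etc/nginx/auth/deployment;
+}
+}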
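Review bot: This server listens on the public `202.61.255.100:80` without TLS while `location /secret` uses `auth_basic`, so the credentials from `/etc/nginx/auth/deployment` cross the public network base64-encoded in the clear; because `server_name deploy.squirrelcube.xyz` matches by name, the redirect in the `default_server` block of nginx/03/http.conf does not apply to these requests. Either keep the `/secret` location on a separate server block bound only to `192.168.0.120:80`, or serve the name over :443 with a certificate that covers it. `autoindex on;` at `/` also publishes the full listing of `/srv/www/deploy`, including the `secret` directory name, to anyone who connects; if that is deliberate for unauthenticated installer fetches, a comment should say so.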
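--- a/nginx/03/dnsui.conf
+++ b/nginx/03/dnsui.conf
@@ -0,0 +1,27 @@
+server {
+listen 192.168.0.120:8084 ssl;
+server_name dnsui-local.secure.squirrelcube.xyz;
+root /mnt/gluster01/web/dnsui3/public_html;
+index init.php;
+
+ssl_certificate /etc/ssl/tp/fullchain.pem;
+ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
+
+location / {
+try_files $uri $uri/ @php;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+location @php {
+rewrite ^/(.*)$ /init.php/$1 last;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+location /init.php {
+fastcgi_pass 172.168.100.3:9100;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+auth_basic "NS1 Intranet";
+auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
+}
+}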
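Review bot: `auth_basic "NS1 Intranet"` and its user file are repeated in all three locations; put them once at server level so every location, including any added later, inherits the requirement and a single omission cannot silently expose `init.php`. `location /init.php` is a prefix match and `SCRIPT_FILENAME` is `$realpath_root$fastcgi_script_name` with no `fastcgi_split_path_info`, so for the rewritten `/init.php/<path>` URIs the script filename carries the path suffix and PHP's own path-info handling is what makes it resolve; a comment noting that dependency would help whoever next touches the PHP side. `fastcgi_pass 172.168.100.3:9100` is outside the RFC 1918 ranges, like the other 172.168.100.x backends in this change, and should be documented as an internal overlay address if that is what it is.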
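--- a/nginx/03/http.conf
+++ b/nginx/03/http.conf
@@ -0,0 +1,6 @@
+server {
+listen 202.61.255.100:80 default_server;
+listen [2a03:4000:55:d1d::]:80 default_server;
+listen 81.16.18.137:80 default_server;
+return 302 https://$host$request_uri;
+}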
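Review bot: `return 302 https://$host$request_uri;` reflects whatever Host header the client sends, so this catch-all `default_server` will redirect to any hostname and is usable as an open redirector; either list the served names in `server_name` and redirect to a fixed hostname per block, or restrict `$host` to names this nginx actually serves. A `301` (or `308`) is also the conventional code for a permanent HTTP-to-HTTPS move; `302` keeps browsers from caching the redirect. `81.16.18.137:80` appears only in this file, so confirm a matching :443 listener exists for that address or the redirect lands on a closed port.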
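--- a/nginx/03/keycloak.conf
+++ b/nginx/03/keycloak.conf
@@ -0,0 +1,43 @@
+##
+## PRODUCTION CONFIG
+## Keycloak Frontend Load Balancer
+## Instance: selene
+##
+proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
+
+upstream jboss {
+ip_hash;
+server 192.168.0.110:8843;
+server 192.168.0.115:8843;
+server 192.168.0.120:8843;
+}
+server {
+listen 202.61.255.100:443 ssl http2;
+listen [2a03:4000:55:d1d::]:443 ssl http2;
+server_name sso.casa;
+
+ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
+ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
+ssl_session_cache shared:SSL:1m;
+ssl_prefer_server_ciphers on;
+
+#location = / {
+# return 302 /auth/;
+#}
+
+location / {
+proxy_pass https://jboss;
+proxy_cache backcache;
+proxy_ssl_verify off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+}
+proxy_buffer_size 256k;
+proxy_buffers 4 512k;
+proxy_busy_buffers_size 512k;
+
+}
+
+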
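Review bot: `proxy_cache backcache;` caches identity-provider responses under `/tmp/NGINX_cache/`; nginx only stores responses with cacheable headers and no `Set-Cookie`, so this is probably safe, but an SSO login flow is a poor cache candidate and the block should either say in a comment which responses (static assets?) the cache is for or scope `proxy_cache` to a `location` for those paths. `ssl_prefer_server_ciphers on;` and the absence of `ssl_protocols` and HSTS lines are inconsistent with every other server block in this change, which set `ssl_protocols TLSv1.3` (or 1.2+1.3) and `ssl_prefer_server_ciphers off`. `proxy_ssl_verify off` to the `jboss` upstream means the LAN hop is encrypted but unauthenticated; that is a reasonable call for a trusted network, and the existing header comment is the right place to state it.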
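--- a/nginx/03/local.conf
+++ b/nginx/03/local.conf
@@ -0,0 +1,4 @@
+server {
+listen 192.168.0.120:80;
+root /srv/www/local;
+}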
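--- a/nginx/03/mail.conf
+++ b/nginx/03/mail.conf
@@ -0,0 +1,124 @@
+server {
+listen 192.168.0.120:443 ssl http2;
+
+server_name zz0.email;
+
+ssl_certificate /etc/ssl/mail/fullchain.pem;
+ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+
+resolver 172.168.100.2;
+
+location /Microsoft-Server-ActiveSync {
+proxy_pass http://127.0.0.2:8080/Microsoft-Server-ActiveSync;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_connect_timeout 75;
+proxy_send_timeout 3650;
+proxy_read_timeout 3650;
+proxy_buffers 64 256k;
+client_body_buffer_size 512k;
+client_max_body_size 0;
+}
+
+location / {
+proxy_pass http://127.0.0.2:8080/;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+client_max_body_size 0;
+}
+}
+server {
+listen 202.61.255.100:443 ssl http2;
+listen [2a03:4000:55:d1d::]:443 ssl http2;
+
+server_name sogo.zz0.email zz0.email;
+
+ssl_certificate /etc/ssl/mail/fullchain.pem;
+ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
+
+resolver 172.168.100.2;
+
+location / {
+return 302 /SOGo;
+}
+
+location /SOGo {
+proxy_pass http://127.0.0.2:20000;
+
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+proxy_set_header x-webobjects-remote-host $remote_addr;
+proxy_set_header x-webobjects-server-name $server_name;
+proxy_set_header x-webobjects-server-url https://$http_host;
+proxy_set_header x-webobjects-server-port $server_port;
+proxy_send_timeout 3600;
+proxy_read_timeout 3600;
+client_body_buffer_size 128k;
+client_max_body_size 0;
+break;
+
+}
+
+
+location /SOGo.woa/WebServerResources/ {
+alias /opt/GNUstep/SOGo/WebServerResources/;
+}
+
+location /.woa/WebServerResources/ {
+alias /opt/GNUstep/SOGo/WebServerResources/;
+}
+
+location /SOGo/WebServerResources/ {
+alias /opt/GNUstep/SOGo/WebServerResources/;
+}
+
+location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
+}
+
+#trying to make / serve SOGo with no fuzz....
+# location /WebServerResources/ {
+# alias /opt/GNUstep/SOGo/WebServerResources/;
+# }
+
+# location (^/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+# alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
+# }
+
+
+}
+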
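Review bot: `location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$)` has no `~` modifier, so nginx treats it as a literal prefix string that can never match, and even read as a regex its capture groups are the whole path and the extension, so `alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2` could not form a valid file path; the documented SOGo form is `location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$`, which makes `$1` the product and `$2` the resource, and the commented-out variant near the end of the block has the same problem. `break;` inside `location /SOGo` is a no-op next to `proxy_pass` and can go. `client_max_body_size 0;` (unlimited) in both servers deserves a comment that it is intended for large mail attachments, since it also removes the request-size bound on the ActiveSync and SOGo endpoints.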
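--- a/nginx/03/matterbridge.conf
+++ b/nginx/03/matterbridge.conf
@@ -0,0 +1,71 @@
+server {
+server_name ts.lsd25.xyz;
+listen 202.61.255.100:443 ssl;
+listen [2a03:4000:55:d1d::]:443 ssl;
+
+root /opt/matterbridge/tripsit/bridgemedia;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
+#ssl_ciphers
+#ssl_prefer_server_ciphers
+add_header Strict-Transport-Security "max-age=63072000" always;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+
+location / {
+}
+}
+server {
+server_name lc.lsd25.xyz;
+listen 202.61.255.100:443 ssl;
+listen [2a03:4000:55:d1d::]:443 ssl;
+
+root /opt/matterbridge/libertacasa/bridgemedia;
+
+ssl_certificate /etc/ssl/lysergic/fullchain.pem;
+ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
+#ssl_ciphers
+#ssl_prefer_server_ciphers
+add_header Strict-Transport-Security "max-age=63072000" always;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+
+location / {
+}
+}
+
+server {
+server_name lsd.airforce;
+listen 202.61.255.100:443 ssl;
+listen [2a03:4000:55:d1d::]:443 ssl;
+
+root /opt/matterbridge/tripsit/bridgemedia2;
+
+ssl_certificate /etc/ssl/parking/fullchain.pem;
+ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
+#ssl_ciphers
+#ssl_prefer_server_ciphers
+add_header Strict-Transport-Security "max-age=63072000" always;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+
+location / {
+}
+}
+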
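Review bot: All three server blocks set `ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;`, re-enabling TLS 1.1, which RFC 8996 deprecates and which every other file in this change excludes; change it to `ssl_protocols TLSv1.3 TLSv1.2;` (or TLSv1.3 only, as the sibling configs do) unless a specific legacy client needs it, in which case a comment should name that client. `lsd.airforce` is served with `/etc/ssl/parking/fullchain.pem`, so confirm that certificate's SANs cover the name. The empty `location / { }` blocks publish the matterbridge media directories as plain static roots, which is fine, but a one-line comment on each `root` stating that it is a bridged-media dump would explain why the servers are otherwise empty.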