Compare commits
No commits in common. "master" and "devel" have entirely different histories.
13
ansible/deployment_poc/.gitignore
vendored
13
ansible/deployment_poc/.gitignore
vendored
@ -1,13 +0,0 @@
|
|||||||
__pycache__/
|
|
||||||
locks/
|
|
||||||
playbooks/ghost.yml
|
|
||||||
playbooks/test.yml
|
|
||||||
shared/
|
|
||||||
templates/autoinst_*.lysergic.dev.xml.j2
|
|
||||||
templates/generated/
|
|
||||||
variables/deploy-variables.yml
|
|
||||||
inventory.yml
|
|
||||||
*.bak
|
|
||||||
*.example
|
|
||||||
*.old
|
|
||||||
*.tgz
|
|
@ -1 +0,0 @@
|
|||||||
![Flowchart about the deployment and provisioning process](flow.svg)
|
|
@ -1,321 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd">
|
|
||||||
<svg width="106cm" height="76cm" viewBox="-561 -1021 2120 1505" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
||||||
<g>
|
|
||||||
<path style="fill: #ffffff" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0z"/>
|
|
||||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.5 0 L -152.5,0 C -107.489,0 -71,28.8855 -71,64.5177 C -71,100.15 -107.489,129.035 -152.5,129.035 L -478.5,129.035 C -523.511,129.035 -560,100.15 -560,64.5177 C -560,28.8855 -523.511,0 -478.5,0"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.5" y="52.3989">
|
|
||||||
<tspan x="-315.5" y="52.3989">START</tspan>
|
|
||||||
<tspan x="-315.5" y="68.3989"></tspan>
|
|
||||||
<tspan x="-315.5" y="84.3989">"User decides to provision a new virtual machine"</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<path style="fill: #ffffff" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333z"/>
|
|
||||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 40 237.333 L 313.55,180 L 313.55,323.333 L 40,323.333 L 40,237.333"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="176.775" y="252.215">
|
|
||||||
<tspan x="176.775" y="252.215">NetBox</tspan>
|
|
||||||
<tspan x="176.775" y="268.215">(User)</tspan>
|
|
||||||
<tspan x="176.775" y="284.215"></tspan>
|
|
||||||
<tspan x="176.775" y="300.215">1. User creates a "Virtual Machine" object</tspan>
|
|
||||||
<tspan x="176.775" y="316.215">and enters the desired specifications</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-144.538" y1="129.513" x2="93.0249" y2="219.827"/>
|
|
||||||
<polygon style="fill: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="100.035,222.492 88.9113,223.613 93.0249,219.827 92.4649,214.265 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="880" y="240" width="349.4" height="70"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="880" y="240" width="349.4" height="70"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1054.7" y="262.881">
|
|
||||||
<tspan x="1054.7" y="262.881">Webhook</tspan>
|
|
||||||
<tspan x="1054.7" y="278.881"></tspan>
|
|
||||||
<tspan x="1054.7" y="294.881">3. HTTPS POST is received and body data is parsed</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<polygon style="fill: #ffffff" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="897.125,360 1157.24,360 1120.12,462 860,462 "/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1008.62" y="382.881">
|
|
||||||
<tspan x="1008.62" y="382.881">NetBox</tspan>
|
|
||||||
<tspan x="1008.62" y="398.881">(System)</tspan>
|
|
||||||
<tspan x="1008.62" y="414.881"></tspan>
|
|
||||||
<tspan x="1008.62" y="430.881">2. System creates a JSON object</tspan>
|
|
||||||
<tspan x="1008.62" y="446.881">and sends it out via HTTPS POST</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<polygon style="fill: #ffffff" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1248.77,40 1557.74,40 1508.96,174 1200,174 "/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1378.87" y="62.8812">
|
|
||||||
<tspan x="1378.87" y="62.8812">YES</tspan>
|
|
||||||
<tspan x="1378.87" y="78.8812"></tspan>
|
|
||||||
<tspan x="1378.87" y="94.8812">Wehook</tspan>
|
|
||||||
<tspan x="1378.87" y="110.881">(System)</tspan>
|
|
||||||
<tspan x="1378.87" y="126.881"></tspan>
|
|
||||||
<tspan x="1378.87" y="142.881">4. A shell script is executed, initiating</tspan>
|
|
||||||
<tspan x="1378.87" y="158.881">a SSH session</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<polygon style="fill: #ffffff" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="770.22,40 1000.44,108.904 770.22,177.808 540,108.904 "/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="770.22" y="104.785">
|
|
||||||
<tspan x="770.22" y="104.785">Does the received object contain valid JSON</tspan>
|
|
||||||
<tspan x="770.22" y="120.785">with the required attributes?</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<polygon style="fill: #ffffff" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="607.212,340 774.424,411.25 607.212,482.5 440,411.25 "/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="607.212" y="407.131">
|
|
||||||
<tspan x="607.212" y="407.131">Does the created object contain</tspan>
|
|
||||||
<tspan x="607.212" y="423.131">the requireed fields?</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="314.551" y1="302.747" x2="507.445" y2="374.262"/>
|
|
||||||
<polygon style="fill: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="514.478,376.869 503.363,378.081 507.445,374.262 506.839,368.705 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="775.424" y1="411.145" x2="868.251" y2="411.087"/>
|
|
||||||
<polygon style="fill: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="875.751,411.083 865.754,416.089 868.251,411.087 865.748,406.089 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1026.24" y1="358.996" x2="1039.38" y2="320.222"/>
|
|
||||||
<polygon style="fill: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1041.78,313.118 1043.31,324.194 1039.38,320.222 1033.84,320.985 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="578.953" y1="351.04" x2="350.273" y2="-136.195"/>
|
|
||||||
<polygon style="fill: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="347.086,-142.984 355.861,-136.056 350.273,-136.195 346.809,-131.807 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="993.303" y1="239.153" x2="857.778" y2="160.026"/>
|
|
||||||
<polygon style="fill: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="851.301,156.244 862.458,156.968 857.778,160.026 857.416,165.604 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1001.38" y1="108.181" x2="1213.84" y2="107.516"/>
|
|
||||||
<polygon style="fill: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1221.34,107.493 1211.36,112.524 1213.84,107.516 1211.32,102.524 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="700.682" y1="59.8147" x2="418.504" y2="-139.385"/>
|
|
||||||
<polygon style="fill: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="412.377,-143.711 423.43,-142.028 418.504,-139.385 417.663,-133.859 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="1260" y="-240" width="286.601" height="134.793"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1260" y="-240" width="286.601" height="134.793"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1403.3" y="-192.722">
|
|
||||||
<tspan x="1403.3" y="-192.722">Ansible</tspan>
|
|
||||||
<tspan x="1403.3" y="-176.722">(System)</tspan>
|
|
||||||
<tspan x="1403.3" y="-160.722"></tspan>
|
|
||||||
<tspan x="1403.3" y="-144.722">5. A playbook is executed</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1384.81" y1="39.002" x2="1396.48" y2="-94.5735"/>
|
|
||||||
<polygon style="fill: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1397.14,-102.045 1401.25,-91.6477 1396.48,-94.5735 1391.28,-92.5182 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<path style="fill: #ffffff" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92z"/>
|
|
||||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-552.73 1339.34,-560 1392.22,-560 C 1445.12,-560 1471.56,-552.73 1524.45,-530.92 L 1524.45,-414.6 C 1471.56,-392.791 1445.12,-385.521 1392.22,-385.521 C 1339.34,-385.521 1312.89,-392.791 1260,-414.6 L 1260,-530.92"/>
|
|
||||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M 1260 -530.92 C 1312.89,-509.11 1339.34,-501.84 1392.22,-501.84 C 1445.12,-501.84 1471.56,-509.11 1524.45,-530.92"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1392.22" y="-478.339">
|
|
||||||
<tspan x="1392.22" y="-478.339">NetBox</tspan>
|
|
||||||
<tspan x="1392.22" y="-462.339">(System)</tspan>
|
|
||||||
<tspan x="1392.22" y="-446.339"></tspan>
|
|
||||||
<tspan x="1392.22" y="-430.339">6. The Virtual Machine object is queried </tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1400.78" y1="-240.992" x2="1395.84" y2="-374.856"/>
|
|
||||||
<polygon style="fill: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1395.56,-382.351 1400.93,-372.542 1395.84,-374.856 1390.93,-372.173 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<polygon style="fill: #ffffff" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="918.547,-200 1177.09,-97.7588 918.547,4.48232 660,-97.7588 "/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="918.547" y="-109.878">
|
|
||||||
<tspan x="918.547" y="-109.878">Does the Virtual Machine object contain the required</tspan>
|
|
||||||
<tspan x="918.547" y="-93.8776">fields, is it in the correct state and</tspan>
|
|
||||||
<tspan x="918.547" y="-77.8776">compliant?l</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1298.76" y1="-398.763" x2="1013.15" y2="-172.656"/>
|
|
||||||
<polygon style="fill: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1007.27,-168 1012.01,-178.128 1013.15,-172.656 1018.22,-170.287 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="120" y="-280" width="388.45" height="134"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="120" y="-280" width="388.45" height="134"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="314.225" y="-241.119">
|
|
||||||
<tspan x="314.225" y="-241.119">NO</tspan>
|
|
||||||
<tspan x="314.225" y="-225.119"></tspan>
|
|
||||||
<tspan x="314.225" y="-209.119">(System)</tspan>
|
|
||||||
<tspan x="314.225" y="-193.119"></tspan>
|
|
||||||
<tspan x="314.225" y="-177.119">Received data is discarded, and the process is aborted</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="742.533" y1="-131.324" x2="519.002" y2="-173.95"/>
|
|
||||||
<polygon style="fill: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="511.635,-175.355 522.394,-178.393 519.002,-173.95 520.521,-168.57 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="800" y="-420" width="252" height="134.793"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-420" width="252" height="134.793"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="926" y="-380.722">
|
|
||||||
<tspan x="926" y="-380.722">Ansible</tspan>
|
|
||||||
<tspan x="926" y="-364.722">(System)</tspan>
|
|
||||||
<tspan x="926" y="-348.722"></tspan>
|
|
||||||
<tspan x="926" y="-332.722">7. A virtual hard disk is created</tspan>
|
|
||||||
<tspan x="926" y="-316.722">he actual virtual machine is defined</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="800" y="-580" width="230.15" height="86"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="800" y="-580" width="230.15" height="86"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="915.075" y="-557.119">
|
|
||||||
<tspan x="915.075" y="-557.119">Ansible</tspan>
|
|
||||||
<tspan x="915.075" y="-541.119">(System)</tspan>
|
|
||||||
<tspan x="915.075" y="-525.119"></tspan>
|
|
||||||
<tspan x="915.075" y="-509.119">8. The virtual machine is started</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="774.367" y="-709.01" width="289.3" height="86"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="774.367" y="-709.01" width="289.3" height="86"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="919.017" y="-686.129">
|
|
||||||
<tspan x="919.017" y="-686.129">Libvirt</tspan>
|
|
||||||
<tspan x="919.017" y="-670.129">(System)</tspan>
|
|
||||||
<tspan x="919.017" y="-654.129"></tspan>
|
|
||||||
<tspan x="919.017" y="-638.129">9. The virtual machine is network booted </tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="780" y="-860" width="280.125" height="83.646"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-860" width="280.125" height="83.646"/>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="808.012" y1="-860" x2="808.012" y2="-776.354"/>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1032.11" y1="-860" x2="1032.11" y2="-776.354"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="920.062" y="-822.296">
|
|
||||||
<tspan x="920.062" y="-822.296">The DHCP/TFTP/NFS process</tspan>
|
|
||||||
<tspan x="920.062" y="-806.296">loads a network operating system</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="780" y="-1020" width="252.6" height="86"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="780" y="-1020" width="252.6" height="86"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="906.3" y="-997.119">
|
|
||||||
<tspan x="906.3" y="-997.119">OpenSUSE</tspan>
|
|
||||||
<tspan x="906.3" y="-981.119">(System)</tspan>
|
|
||||||
<tspan x="906.3" y="-965.119"></tspan>
|
|
||||||
<tspan x="906.3" y="-949.119">11. The installer initializes the disk </tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.948" y1="-420.998" x2="918.257" y2="-483.286"/>
|
|
||||||
<polygon style="fill: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.814,-490.773 923.396,-481.087 918.257,-483.286 913.414,-480.495 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="916.419" y1="-580.985" x2="917.376" y2="-612.293"/>
|
|
||||||
<polygon style="fill: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="917.605,-619.79 922.297,-609.642 917.376,-612.293 912.302,-609.947 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="919.319" y1="-710.005" x2="919.701" y2="-765.626"/>
|
|
||||||
<polygon style="fill: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="919.753,-773.125 924.684,-763.091 919.701,-765.626 914.684,-763.16 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="1180" y="-1020" width="352.65" height="102"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="1180" y="-1020" width="352.65" height="102"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="1356.32" y="-997.119">
|
|
||||||
<tspan x="1356.32" y="-997.119">OpenSUSE</tspan>
|
|
||||||
<tspan x="1356.32" y="-981.119">(System)</tspan>
|
|
||||||
<tspan x="1356.32" y="-965.119"></tspan>
|
|
||||||
<tspan x="1356.32" y="-949.119">10. Requested oftware specifications</tspan>
|
|
||||||
<tspan x="1356.32" y="-933.119">are collected </tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1179.11" y1="-972.15" x2="1043.33" y2="-974.564"/>
|
|
||||||
<polygon style="fill: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1035.83,-974.697 1045.92,-979.519 1043.33,-974.564 1045.74,-969.52 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1043.88" y1="-860.983" x2="1196.71" y2="-913.817"/>
|
|
||||||
<polygon style="fill: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1203.79,-916.267 1195.98,-908.274 1196.71,-913.817 1192.71,-917.726 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="220" y="-1020" width="352.65" height="102"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="220" y="-1020" width="352.65" height="102"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="396.325" y="-989.119">
|
|
||||||
<tspan x="396.325" y="-989.119">OpenSUSE</tspan>
|
|
||||||
<tspan x="396.325" y="-973.119">(System)</tspan>
|
|
||||||
<tspan x="396.325" y="-957.119"></tspan>
|
|
||||||
<tspan x="396.325" y="-941.119">12. The operating system is installed </tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="779.024" y1="-975.003" x2="583.371" y2="-971.934"/>
|
|
||||||
<polygon style="fill: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="575.872,-971.817 585.793,-976.973 583.371,-971.934 585.95,-966.974 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="921.532" y1="-199.812" x2="923.715" y2="-274.478"/>
|
|
||||||
<polygon style="fill: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="923.935,-281.975 928.64,-271.833 923.715,-274.478 918.644,-272.126 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="1360.09" y1="-917.011" x2="1385.15" y2="-570.617"/>
|
|
||||||
<polygon style="fill: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="1385.69,-563.136 1379.98,-572.75 1385.15,-570.617 1389.95,-573.471 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<rect style="fill: #ffffff" x="-320" y="-1020" width="352.65" height="102"/>
|
|
||||||
<rect style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x="-320" y="-1020" width="352.65" height="102"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-143.675" y="-997.119">
|
|
||||||
<tspan x="-143.675" y="-997.119">OpenSUSE</tspan>
|
|
||||||
<tspan x="-143.675" y="-981.119">(System)</tspan>
|
|
||||||
<tspan x="-143.675" y="-965.119"></tspan>
|
|
||||||
<tspan x="-143.675" y="-949.119">13. The system starts base daemons</tspan>
|
|
||||||
<tspan x="-143.675" y="-933.119">and sends a report via emaill</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="218.997" y1="-969" x2="43.3886" y2="-969"/>
|
|
||||||
<polygon style="fill: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="35.8886,-969 45.8886,-974 43.3886,-969 45.8886,-964 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<path style="fill: #ffffff" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480z"/>
|
|
||||||
<path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" d="M -478.625 -480 L -153.125,-480 C -108.183,-480 -71.75,-451.114 -71.75,-415.482 C -71.75,-379.85 -108.183,-350.965 -153.125,-350.965 L -478.625,-350.965 C -523.567,-350.965 -560,-379.85 -560,-415.482 C -560,-451.114 -523.567,-480 -478.625,-480"/>
|
|
||||||
<text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="-315.875" y="-427.601">
|
|
||||||
<tspan x="-315.875" y="-427.601">END</tspan>
|
|
||||||
<tspan x="-315.875" y="-411.601"></tspan>
|
|
||||||
<tspan x="-315.875" y="-395.601">Pipeline completed</tspan>
|
|
||||||
</text>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="-159.853" y1="-916.998" x2="-292.601" y2="-490.295"/>
|
|
||||||
<polygon style="fill: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-294.829,-483.133 -296.632,-494.167 -292.601,-490.295 -287.084,-491.196 "/>
|
|
||||||
</g>
|
|
||||||
<g>
|
|
||||||
<line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="119.001" y1="-275.735" x2="-115.526" y2="-351.1"/>
|
|
||||||
<polygon style="fill: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
|
|
||||||
<polygon style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" points="-122.666,-353.395 -111.616,-355.096 -115.526,-351.1 -114.676,-345.575 "/>
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 24 KiB |
@ -1,133 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: status_planned
|
|
||||||
gather_facts: no
|
|
||||||
vars:
|
|
||||||
token: "{{ nb_token }}"
|
|
||||||
vm_name: "{{ inventory_hostname }}"
|
|
||||||
tag_merged: []
|
|
||||||
debug_merged: []
|
|
||||||
vars_files:
|
|
||||||
- ../variables/deploy-variables.yml
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Check lock
|
|
||||||
wait_for:
|
|
||||||
path: "{{ lockfile }}"
|
|
||||||
state: absent
|
|
||||||
timeout: 600
|
|
||||||
msg: Lock did not disappear in time
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Create lock
|
|
||||||
file:
|
|
||||||
path: "{{ lockfile }}"
|
|
||||||
state: touch
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Pipeline
|
|
||||||
block:
|
|
||||||
- name: Gather details
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_query_vm.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_query_cluster.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Assign variables
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_cluster.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_vm.yml"
|
|
||||||
|
|
||||||
- name: Verify compliance
|
|
||||||
block:
|
|
||||||
- name: Check status
|
|
||||||
fail:
|
|
||||||
msg: The object is not Planned.
|
|
||||||
when: status != 'planned'
|
|
||||||
|
|
||||||
- name: Check tag
|
|
||||||
fail:
|
|
||||||
msg: The object is marked as already being in deployment.
|
|
||||||
when: '"active-deployment" in tags'
|
|
||||||
|
|
||||||
- name: Check platform
|
|
||||||
fail:
|
|
||||||
msg: The object does not contain a valid platform attribute.
|
|
||||||
when: os != 'openSUSE-Leap-x86_64' #support more OS's later
|
|
||||||
|
|
||||||
- name: Write tag and journal
|
|
||||||
import_tasks: "../tasks/netbox_tags_pre.yml"
|
|
||||||
|
|
||||||
- name: Gather site configuration
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_query_site.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_site.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Gather prefix
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_query_prefix.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_prefix.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Gather IP address
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_query_ip.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_ip.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Provision virtual machine
|
|
||||||
import_tasks: "../tasks/configure_libvirt.yml"
|
|
||||||
|
|
||||||
- name: Configure DHCP
|
|
||||||
import_tasks: "../tasks/init_dhcp.yml"
|
|
||||||
|
|
||||||
- name: Configure DNS
|
|
||||||
import_tasks: "../tasks/init_dns.yml"
|
|
||||||
|
|
||||||
- name: Configure Deployment Servers
|
|
||||||
import_tasks: "../tasks/init_dps.yml"
|
|
||||||
|
|
||||||
- name: Create interface object in NetBox or use existing one
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_init_interface.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_query_interface.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_evaluate_interface.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Define IP address object in NetBox
|
|
||||||
block:
|
|
||||||
- import_tasks: "../tasks/netbox_init_ip.yml"
|
|
||||||
- import_tasks: "../tasks/netbox_primaryip.yml"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Start VM and attach console
|
|
||||||
import_tasks: "../tasks/init_vm_console.yml"
|
|
||||||
|
|
||||||
- name: Initialize SSH CA
|
|
||||||
import_tasks: "../tasks/init_ssh.yml"
|
|
||||||
|
|
||||||
- name: Assist guest OS installation
|
|
||||||
import_tasks: "../tasks/autoyast_assistant.yml"
|
|
||||||
|
|
||||||
- name: Wait for guest OS installation
|
|
||||||
import_tasks: "../tasks/wait.yml"
|
|
||||||
|
|
||||||
- name: Configure SSH
|
|
||||||
import_tasks: "../tasks/configure_ssh.yml"
|
|
||||||
|
|
||||||
|
|
||||||
always:
|
|
||||||
- name: Restore original tags
|
|
||||||
import_tasks: "../tasks/netbox_tags_post.yml"
|
|
||||||
|
|
||||||
- name: Remove lock
|
|
||||||
file:
|
|
||||||
path: "{{ lockfile }}"
|
|
||||||
state: absent
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Debug
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ status if status is defined}} - {{ tags if tags is defined }} - {{ host if host is defined }} - {{ host_status if host_status is defined }} - {{ namespace if namespace is defined }} - {{ os if os is defined }} - {{ vcpus if vcpus is defined }} - {{ memory if memory is defined }} - {{ disk if disk is defined }}"
|
|
||||||
|
|
@ -1,79 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
|
|
||||||
# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
|
|
||||||
#
|
|
||||||
# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
|
|
||||||
# Last edit: 13/02/2022
|
|
||||||
|
|
||||||
PUBKEY="$1"
|
|
||||||
|
|
||||||
|
|
||||||
get_ip_address () {
|
|
||||||
case $KERNEL in
|
|
||||||
"OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
|
|
||||||
;;
|
|
||||||
"Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
}
|
|
||||||
HOSTNAME=$(hostname -s)
|
|
||||||
KERNEL=$(uname)
|
|
||||||
IP_ADDRESS="$(get_ip_address)"
|
|
||||||
if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
|
|
||||||
if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
|
|
||||||
if [ ! -d /etc/ssh/old ]; then
|
|
||||||
mkdir /etc/ssh/old
|
|
||||||
fi
|
|
||||||
if [ -f /etc/ssh/ssh_known_hosts ]; then
|
|
||||||
mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
|
|
||||||
fi
|
|
||||||
#if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
|
|
||||||
#mv /etc/ssh/ssh_host_* /etc/ssh/old/
|
|
||||||
#fi
|
|
||||||
if [ -f /etc/ssh/ssh_host_rsa_key ]; then
|
|
||||||
mv /etc/ssh/ssh_host_* /etc/ssh/old/
|
|
||||||
fi
|
|
||||||
mv /etc/ssh/sshd_config /etc/ssh/old/
|
|
||||||
if [ -f /etc/ssh/ssh_config ]; then
|
|
||||||
mv /etc/ssh/ssh_config /etc/ssh/old/
|
|
||||||
fi
|
|
||||||
cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
|
|
||||||
ListenAddress %%IP_ADDRESS%%
|
|
||||||
Protocol 2
|
|
||||||
SyslogFacility AUTH
|
|
||||||
LogLevel FATAL
|
|
||||||
|
|
||||||
HostKey /etc/ssh/%%HOSTNAME%%
|
|
||||||
HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
|
|
||||||
TrustedUserCAKeys /etc/ssh/user_ca
|
|
||||||
PasswordAuthentication no
|
|
||||||
ChallengeResponseAuthentication no
|
|
||||||
AuthenticationMethods publickey
|
|
||||||
|
|
||||||
LoginGraceTime 1m
|
|
||||||
PermitRootLogin no
|
|
||||||
StrictModes yes
|
|
||||||
MaxAuthTries 1
|
|
||||||
MaxSessions 3
|
|
||||||
|
|
||||||
X11Forwarding no
|
|
||||||
PrintMotd yes
|
|
||||||
PrintLastLog yes
|
|
||||||
EOF_SSHD_CONFIG
|
|
||||||
sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
|
|
||||||
echo "$PUBKEY" > /etc/ssh/user_ca
|
|
||||||
case $KERNEL in
|
|
||||||
"OpenBSD" ) rcctl reload sshd
|
|
||||||
;;
|
|
||||||
"Linux" ) systemctl reload sshd
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
echo "OK"
|
|
||||||
else
|
|
||||||
echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "Unsupported operating system, please configure sshd manually."
|
|
||||||
fi
|
|
@ -1,38 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Monitor OS installation
|
|
||||||
block:
|
|
||||||
- name: Monitor first stage
|
|
||||||
ansible.builtin.expect:
|
|
||||||
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
|
|
||||||
responses:
|
|
||||||
"reboot: Restarting system":
|
|
||||||
- "\u001d"
|
|
||||||
timeout: 720
|
|
||||||
ignore_errors: true
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Destroy
|
|
||||||
community.libvirt.virt:
|
|
||||||
uri: "{{ libvirt_url }}"
|
|
||||||
command: destroy
|
|
||||||
name: "{{ vm_name }}"
|
|
||||||
state: destroyed
|
|
||||||
|
|
||||||
- name: Start
|
|
||||||
community.libvirt.virt:
|
|
||||||
uri: "{{ libvirt_url }}"
|
|
||||||
command: start
|
|
||||||
name: "{{ vm_name }}"
|
|
||||||
state: running
|
|
||||||
|
|
||||||
- name: Unlock
|
|
||||||
ansible.builtin.expect:
|
|
||||||
command: "/usr/bin/virsh -c {{ libvirt_url }} console {{ vm_name }} --force"
|
|
||||||
responses:
|
|
||||||
"Please enter passphrase for disk cr_root:":
|
|
||||||
- "{{ luks_passphrase }}"
|
|
||||||
- "\u001d"
|
|
||||||
ignore_errors: yes
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
delegate_to: localhost
|
|
@ -1,40 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Configure DHCP
|
|
||||||
block:
|
|
||||||
- name: Set DHCP host OS
|
|
||||||
set_fact:
|
|
||||||
dhcp_os: "{{ hostvars[dhcp_host]['platforms'][0] }}"
|
|
||||||
|
|
||||||
- name: Insert DHCP host block
|
|
||||||
ansible.builtin.blockinfile:
|
|
||||||
#backup: yes
|
|
||||||
block: "{{ lookup('template', '../templates/dhcpd.conf.j2') }}"
|
|
||||||
marker: "### {mark} Ansible managed block for {{ vm_name }} ###"
|
|
||||||
path: "/etc/dhcpd.conf"
|
|
||||||
#delegate_to: "{{ dhcp_host }}"
|
|
||||||
become: yes
|
|
||||||
become_method: doas
|
|
||||||
when: dhcp_os == 'openbsd-x86_64'
|
|
||||||
|
|
||||||
- name: Restart dhcpd
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/doas
|
|
||||||
- rcctl
|
|
||||||
- restart
|
|
||||||
- dhcpd
|
|
||||||
when: dhcp_os == 'openbsd-x86_64'
|
|
||||||
|
|
||||||
- name: Insert DHCP static mapping
|
|
||||||
vyos.vyos.vyos_config:
|
|
||||||
backup: yes
|
|
||||||
backup_options:
|
|
||||||
dir_path: "/tmp/"
|
|
||||||
comment: "Configured as part of {{ vm_name }} deployment"
|
|
||||||
lines:
|
|
||||||
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} mac-address {{ mac_address }}"
|
|
||||||
- "set service dhcp-server shared-network-name LAN subnet {{ prefix_display }} static-mapping {{ vm_name }} ip-address {{ ip_address }}"
|
|
||||||
save: no # CHANGE BEFORE ROLLOUT
|
|
||||||
when: dhcp_os == 'vyos-x86_64'
|
|
||||||
delegate_to: "{{ dhcp_host }}"
|
|
||||||
|
|
@ -1,56 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Configure DNS
|
|
||||||
block:
|
|
||||||
- name: Set FQDNs
|
|
||||||
set_fact:
|
|
||||||
dns_fqdn: "{{ lookup('community.general.dig', dns_ip + '/PTR') }}"
|
|
||||||
vm_fqdn: "{{ vm_name + '.' + namespace }}"
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
- name: Gather DNS hostname and zonename
|
|
||||||
set_fact:
|
|
||||||
dns_host: "{{ dns_fqdn.split('.')[0] }}"
|
|
||||||
zone: "{{ namespace.split('.')[1] + '.' + namespace.split('.')[2] }}"
|
|
||||||
|
|
||||||
- name: Set DNS host OS
|
|
||||||
set_fact:
|
|
||||||
dns_os: "{{ hostvars[dns_host]['platforms'][0] }}"
|
|
||||||
|
|
||||||
- name: Insert DNS record
|
|
||||||
ansible.builtin.blockinfile:
|
|
||||||
#backup: yes
|
|
||||||
block: "{{ lookup('template', '../templates/nsd_zone.j2') }}"
|
|
||||||
marker: "; {mark} Ansible managed block for {{ vm_name }}"
|
|
||||||
path: "/var/nsd/zones/master/{{ zone }}.zone"
|
|
||||||
when: dns_os == 'openbsd-x86_64'
|
|
||||||
delegate_to: "{{ dns_host }}"
|
|
||||||
|
|
||||||
- name: Reload DNS zone
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/doas
|
|
||||||
- nsd-control
|
|
||||||
- reload
|
|
||||||
- "{{ zone }}"
|
|
||||||
when: dhcp_os == 'openbsd-x86_64'
|
|
||||||
delegate_to: "{{ dns_host }}"
|
|
||||||
|
|
||||||
- name: Insert DNS static host mapping
|
|
||||||
vyos.vyos.vyos_config:
|
|
||||||
backup: yes
|
|
||||||
backup_options:
|
|
||||||
dir_path: "/tmp/"
|
|
||||||
comment: "Configured as part of {{ vm_name }} deployment"
|
|
||||||
lines:
|
|
||||||
- "set system static-host-mapping host-name {{ vm_fqdn }} inet {{ ip_address }}"
|
|
||||||
- "set system static-host-mapping host-name {{ vm_fqdn }} alias {{ vm_name }}"
|
|
||||||
save: no # CHANGE BEFORE ROLLOUT
|
|
||||||
when: dns_os == 'vyos-x86_64'
|
|
||||||
delegate_to: "{{ dns_host }}"
|
|
||||||
|
|
||||||
always:
|
|
||||||
- name: Debug
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ dns_ip if dns_ip is defined }} - {{ dns_host if dns_host is defined }} - {{ dns_fqdn if dns_fqdn is defined }} - {{ dns_os if dns_os is defined }} - {{ vm_fqdn if vm_fqdn is defined }} - {{ zone if zone is defined }}"
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Configure Deployment Server
|
|
||||||
block:
|
|
||||||
- name: Set DP host OS
|
|
||||||
set_fact:
|
|
||||||
dp_os: "{{ hostvars[deployment_host]['platforms'][0] }}"
|
|
||||||
|
|
||||||
- name: Prepare Grub host file
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: ../templates/grub.j2
|
|
||||||
dest: "/srv/www/boot/hosts/{{ ip_address }}.cfg"
|
|
||||||
group: wheel
|
|
||||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
|
||||||
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
|
|
||||||
|
|
||||||
- name: Prepare unattended installation
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: "../templates/autoinst_{{ namespace }}.xml.j2"
|
|
||||||
dest: "/srv/www/autoinst_{{ vm_name }}.xml"
|
|
||||||
group: wheel
|
|
||||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
|
||||||
when: dp_os == 'fedora-x86_64' or dp_os == 'openSUSE-Leap-x86_64'
|
|
||||||
|
|
||||||
- name: Prepare Grub host file for http
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: ../templates/grub.j2
|
|
||||||
dest: "/var/www/htdocs/www/boot/hosts/{{ ip_address }}.cfg"
|
|
||||||
group: wheel
|
|
||||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
|
||||||
when: dp_os == 'openbsd-x86_64'
|
|
||||||
|
|
||||||
- name: Prepare Grub host file for tftp
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: ../templates/grub.j2
|
|
||||||
dest: "/tftpboot/boot/hosts/{{ ip_address }}.cfg"
|
|
||||||
group: wheel
|
|
||||||
mode: '0444'
|
|
||||||
when: dp_os == 'openbsd-x86_64'
|
|
||||||
|
|
||||||
- name: Generate LUKS passphrase #does not quite belong here
|
|
||||||
set_fact:
|
|
||||||
luks_passphrase: "{{ lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname) }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Prepare unattended installation
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: "../templates/autoinst_{{ namespace }}.xml.j2"
|
|
||||||
dest: "/var/www/htdocs/www/autoinst_{{ vm_name }}.xml"
|
|
||||||
group: wheel
|
|
||||||
mode: '0444' #consider 0440 if group is changed to one shared by admins and webserver service user
|
|
||||||
when: dp_os == 'openbsd-x86_64'
|
|
||||||
|
|
||||||
delegate_to: "{{ deployment_host }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
@ -1,79 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Provision VM
|
|
||||||
block:
|
|
||||||
- name: Query volumes
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/virsh
|
|
||||||
- -c
|
|
||||||
- "{{ libvirt_url }}"
|
|
||||||
- vol-list
|
|
||||||
- "{{ storage.name }}"
|
|
||||||
register: volumes
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Create storage template
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: "../templates/libvirt-storage-template.xml.j2"
|
|
||||||
dest: "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
|
|
||||||
group: lysergic
|
|
||||||
mode: '0660'
|
|
||||||
when: vm_name not in volumes.stdout
|
|
||||||
|
|
||||||
- name: Define volume
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/virsh
|
|
||||||
- -c
|
|
||||||
- "{{ libvirt_url }}"
|
|
||||||
- vol-create
|
|
||||||
- "{{ storage.name }}"
|
|
||||||
- "../templates/generated/libvirt-storage-{{ inventory_hostname }}.xml"
|
|
||||||
when: vm_name not in volumes.stdout
|
|
||||||
|
|
||||||
# https://gitlab.com/libvirt/libvirt/-/issues/135
|
|
||||||
- name: Fetch volume path
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/virsh
|
|
||||||
- -c
|
|
||||||
- "{{ libvirt_url }}"
|
|
||||||
- vol-path
|
|
||||||
- --pool
|
|
||||||
- "{{ storage.name }}"
|
|
||||||
- "{{ inventory_hostname }}_root_disk.qcow2"
|
|
||||||
register: volpath
|
|
||||||
|
|
||||||
- name: Store volume path
|
|
||||||
set_fact:
|
|
||||||
volume_path: "{{ volpath.stdout }}"
|
|
||||||
|
|
||||||
- name: Create domain template
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: "../templates/libvirt-template.xml.j2"
|
|
||||||
dest: "../templates/generated/libvirt-{{ inventory_hostname }}.xml"
|
|
||||||
group: lysergic
|
|
||||||
mode: '0660'
|
|
||||||
|
|
||||||
- name: Define domain
|
|
||||||
community.libvirt.virt:
|
|
||||||
uri: "{{ libvirt_url }}"
|
|
||||||
command: define
|
|
||||||
xml: "{{ lookup('template', '../templates/libvirt-template.xml.j2') }}"
|
|
||||||
autostart: no
|
|
||||||
# delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Fetch MAC address
|
|
||||||
ansible.builtin.shell: "/usr/bin/virsh -c {{ libvirt_url }} domiflist {{ vm_name }} | awk '{print $5}' | cut -d/ -f 1 | tail -n 2 | head -n 1" # ewww :-(
|
|
||||||
register: domiflist_mac
|
|
||||||
|
|
||||||
- name: Store MAC address
|
|
||||||
set_fact:
|
|
||||||
mac_address: "{{ domiflist_mac.stdout }}"
|
|
||||||
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
always:
|
|
||||||
- name: Debug
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ libvirt_url if libvirt_url is defined }} - {{ storage.name if storage is defined }} - {{ mac_address if mac_address is defined }}"
|
|
@ -1,65 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Configure SSH server
|
|
||||||
block:
|
|
||||||
- name: Switch user
|
|
||||||
set_fact:
|
|
||||||
ansible_user_original: "{{ lookup('env', 'USER') }}"
|
|
||||||
ansible_ssh_private_key_file_original: "{{ ansible_ssh_private_key_file }}"
|
|
||||||
ansible_user: install
|
|
||||||
ansible_ssh_private_key_file: "{{ installkey }}"
|
|
||||||
|
|
||||||
- name: Test 1
|
|
||||||
ansible.builtin.raw: whoami
|
|
||||||
vars:
|
|
||||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
|
||||||
|
|
||||||
- name: Install SSH host certificate
|
|
||||||
ansible.builtin.copy:
|
|
||||||
checksum: "{{ stat_ssh_cert.stat.checksum }}"
|
|
||||||
dest: "/etc/ssh/{{ vm_name }}"
|
|
||||||
group: root
|
|
||||||
local_follow: no
|
|
||||||
mode: 0400
|
|
||||||
owner: root
|
|
||||||
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
|
||||||
become: yes
|
|
||||||
become_method: sudo
|
|
||||||
become_user: root
|
|
||||||
vars:
|
|
||||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
|
||||||
|
|
||||||
- name: Install SSH host key
|
|
||||||
ansible.builtin.copy:
|
|
||||||
checksum: "{{ stat_ssh_spk.stat.checksum }}"
|
|
||||||
dest: "/etc/ssh/{{ vm_name }}-cert.pub"
|
|
||||||
group: root
|
|
||||||
local_follow: no
|
|
||||||
mode: 0444
|
|
||||||
owner: root
|
|
||||||
src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
|
||||||
become: yes
|
|
||||||
become_method: sudo
|
|
||||||
become_user: root
|
|
||||||
vars:
|
|
||||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
|
||||||
|
|
||||||
- name: Install sshd configuration
|
|
||||||
ansible.builtin.script:
|
|
||||||
cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"
|
|
||||||
become: yes
|
|
||||||
become_method: sudo
|
|
||||||
become_user: root
|
|
||||||
vars:
|
|
||||||
- ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
|
|
||||||
|
|
||||||
- name: Switch user
|
|
||||||
set_fact:
|
|
||||||
ansible_user: "{{ ansible_user_original }}"
|
|
||||||
ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file_original }}"
|
|
||||||
|
|
||||||
- name: Test 2
|
|
||||||
ansible.builtin.raw: whoami
|
|
||||||
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Initialize DHCP configurator
|
|
||||||
include_tasks: "../tasks/configure_dhcp.yml"
|
|
||||||
vars:
|
|
||||||
dhcp_host: "{{ item }}"
|
|
||||||
with_items: "{{ dhcp_servers }}"
|
|
||||||
|
|
@ -1,9 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Initialize DNS configurator
|
|
||||||
include_tasks: "../tasks/configure_dns.yml"
|
|
||||||
vars:
|
|
||||||
dns_ip: "{{ item }}"
|
|
||||||
with_items: "{{ dns_servers }}"
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Initialize Deployment Server configurator
|
|
||||||
include_tasks: "../tasks/configure_dps.yml"
|
|
||||||
vars:
|
|
||||||
deployment_host: "{{ item }}"
|
|
||||||
with_items: "{{ deployment_servers }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Initialize SSH host keys
|
|
||||||
block:
|
|
||||||
- name: Generate SSH host keypair
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- ssh-keygen
|
|
||||||
- -f
|
|
||||||
- "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
|
||||||
- -t
|
|
||||||
- ed25519
|
|
||||||
- -C
|
|
||||||
- "{{ vm_fqdn }}"
|
|
||||||
- -N
|
|
||||||
- ""
|
|
||||||
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
|
||||||
|
|
||||||
- name: Evaluate certificate
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
|
|
||||||
get_attributes: no
|
|
||||||
register: stat_ssh_cert
|
|
||||||
|
|
||||||
# - name: Sign SSH host key
|
|
||||||
# ansible.builtin.command:
|
|
||||||
# argv:
|
|
||||||
# - ssh-keygen
|
|
||||||
# - -s
|
|
||||||
# - "{{ ssh_ca_path }}/{{ tenant }}"
|
|
||||||
# - -I
|
|
||||||
# - "{{ ssh_ca_prefix }} - {{ vm_fqdn }}"
|
|
||||||
# - -hn
|
|
||||||
# - "{{ vm_fqdn }}"
|
|
||||||
# - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
|
|
||||||
# creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
|
||||||
|
|
||||||
- name: Sign SSH host key
|
|
||||||
ansible.builtin.expect:
|
|
||||||
command: ssh-keygen -s "{{ ssh_ca_path }}/{{ tenant }}" -I "{{ ssh_ca_prefix }} - {{ vm_fqdn }}" -hn "{{ vm_fqdn }}" "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
|
|
||||||
responses:
|
|
||||||
Enter passphrase: "{{ ca_pp }}"
|
|
||||||
timeout: 3
|
|
||||||
creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
|
||||||
|
|
||||||
- name: Evaluate public key
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
|
|
||||||
get_attributes: no
|
|
||||||
register: stat_ssh_spk
|
|
||||||
|
|
||||||
no_log: true
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
@ -1,42 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Start VM and attach console inside tmux
|
|
||||||
block:
|
|
||||||
- name: Start VM
|
|
||||||
community.libvirt.virt:
|
|
||||||
uri: "{{ libvirt_url }}"
|
|
||||||
command: start
|
|
||||||
name: "{{ vm_name }}"
|
|
||||||
state: running
|
|
||||||
|
|
||||||
- name: Spawn tmux session
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/tmux
|
|
||||||
- -S
|
|
||||||
- /tmp/ansible
|
|
||||||
- new-session
|
|
||||||
- -d
|
|
||||||
- -s
|
|
||||||
- "{{ vm_name }}"
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Attach console inside tmux
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- /usr/bin/tmux
|
|
||||||
- -S
|
|
||||||
- /tmp/ansible
|
|
||||||
- new-window
|
|
||||||
- -t
|
|
||||||
- "{{ vm_name }}"
|
|
||||||
- /usr/bin/virsh
|
|
||||||
- -c
|
|
||||||
- "{{ libvirt_url }}"
|
|
||||||
- console
|
|
||||||
- "{{ vm_name }}"
|
|
||||||
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Evaluate cluster
|
|
||||||
block:
|
|
||||||
- name: Increment counters
|
|
||||||
set_fact:
|
|
||||||
retry_count: "{{ 0 if retry_count is undefined else retry_count | int +1 }}"
|
|
||||||
host_count: "{{ 0 if retry_count is undefined else host_count | int +1 }}"
|
|
||||||
|
|
||||||
- name: Pick cluster host
|
|
||||||
set_fact:
|
|
||||||
#host_choice: "{{ nb_hosts.json.results[nb_hosts.json.count | random | int] }}" #PICK RANDOM
|
|
||||||
#host_choice: "{{ nb_hosts.json.results[1] }}" #FAIL TEST
|
|
||||||
host_choice: "{{ nb_hosts.json.results[host_count | int] }}" #INCREMENT
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Evaluate cluster host status
|
|
||||||
set_fact:
|
|
||||||
host_status: "{{ host_choice.status.value }}"
|
|
||||||
#register: host_status
|
|
||||||
|
|
||||||
- name: Evaluate cluster host name
|
|
||||||
set_fact:
|
|
||||||
host: "{{ host_choice.name }}"
|
|
||||||
|
|
||||||
- name: Evaluate cluster host status
|
|
||||||
fail:
|
|
||||||
msg: Host is not ready.
|
|
||||||
when: host_status != 'active'
|
|
||||||
|
|
||||||
- name: Evaluate cluster host configuration
|
|
||||||
block:
|
|
||||||
- name: Cluster derived variables 1/2
|
|
||||||
set_fact:
|
|
||||||
storage: "{{ host_choice.config_context.storage[0] }}"
|
|
||||||
deployment_servers: "{{ host_choice.config_context.deployment_servers }}"
|
|
||||||
dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}"
|
|
||||||
dns_servers: "{{ host_choice.config_context.dns_servers }}"
|
|
||||||
namespace: "{{ host_choice.config_context.namespace }}"
|
|
||||||
gateway: "{{ host_choice.config_context.gateway }}"
|
|
||||||
- name: Cluster derived variables 2/2
|
|
||||||
set_fact:
|
|
||||||
namespace_short: "{{ namespace.split('.')[0] }}"
|
|
||||||
when: host_status == 'active'
|
|
||||||
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
rescue:
|
|
||||||
- name: Check retry counter
|
|
||||||
fail:
|
|
||||||
msg: "Too many retries - no host is ready"
|
|
||||||
when: retry_count | int == 3 and host_status != 'active'
|
|
||||||
|
|
||||||
- debug:
|
|
||||||
msg: "{{ host if host is defined }} - {{ host_status if host_status is defined }}"
|
|
||||||
|
|
||||||
- name: Re-evaluate cluster
|
|
||||||
include_tasks: "../tasks/netbox_evaluate_cluster.yml"
|
|
||||||
when: host_status != 'active'
|
|
||||||
|
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Register interface ID
|
|
||||||
set_fact:
|
|
||||||
ifid: '{{ nb_interface_2.json.results[0].id }}'
|
|
||||||
when: "nb_interface_1.status|int == 400"
|
|
||||||
|
|
||||||
- name: Register interface ID
|
|
||||||
set_fact:
|
|
||||||
ifid: '{{ nb_interface_1.json.id }}'
|
|
||||||
when: "nb_interface_1.status|int == 201"
|
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Define existing IP address
|
|
||||||
set_fact:
|
|
||||||
ip_address: "{{ nb_ip_1.json.results[0].address | ansible.netcommon.ipaddr('address') }}"
|
|
||||||
ip_address_cidr: "{{ nb_ip_1.json.results[0].address }}"
|
|
||||||
ip_address_type: "existing"
|
|
||||||
ipid: "{{ nb_ip_1.json.results[0].id }}"
|
|
||||||
when: "nb_ip_1.status|int == 200 and nb_ip_1.json.count|int != 0 and (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value == 'active')"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
- name: Define new IP address
|
|
||||||
set_fact:
|
|
||||||
ip_address: "{{ nb_ip_2.json[0].address | ansible.netcommon.ipaddr('address') }}"
|
|
||||||
ip_address_cidr: "{{ nb_ip_2.json[0].address }}"
|
|
||||||
ip_address_type: "new"
|
|
||||||
when: "nb_ip_2.status is defined and nb_ip_2.status|int == 200"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
@ -1,9 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Evaluate prefix options
|
|
||||||
set_fact:
|
|
||||||
prefix_id: "{{ nb_prefix.json.results[0].id }}"
|
|
||||||
prefix_display: "{{ nb_prefix.json.results[0].display }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,8 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Gather site configuration
|
|
||||||
set_fact:
|
|
||||||
site_id: "{{ nb_site.json.results[0].id }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Pick hard- and software
|
|
||||||
# not needed, can be pulled from hostvars
|
|
||||||
set_fact:
|
|
||||||
vcpus: "{{ nb_vm.json.results[0].vcpus | int }}"
|
|
||||||
os: "{{ nb_vm.json.results[0].platform.name }}"
|
|
||||||
|
|
||||||
# - name: Pick virtual hardware specifications
|
|
||||||
# # not needed, part of hostvars
|
|
||||||
# set_fact:
|
|
||||||
# memory: "{{ nb_vm.json.results[0].memory }}"
|
|
||||||
# disk: "{{ nb_vm.json.results[0].disk }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
- name: Pick metadata
|
|
||||||
set_fact:
|
|
||||||
id: "{{ nb_vm.json.results[0].id }}"
|
|
||||||
site: "{{ hostvars[inventory_hostname]['sites'][0] }}"
|
|
||||||
status: "{{ nb_vm.json.results[0].status.value }}"
|
|
||||||
|
|
||||||
# # not needed, part of hostvars
|
|
||||||
# #tags: "{{ nb_vm.json.results[0].tags[0].slug }}"
|
|
||||||
# #tags: "{{ nb_vm.json.results[0].tags | sum(start=[]) | map(attribute='slug') }}"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Create VM interface objects
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/interfaces/"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: POST
|
|
||||||
return_content: yes
|
|
||||||
status_code:
|
|
||||||
- 201
|
|
||||||
- 400 #interface name already exists. is there an elegant way to limit 400 to this particular case? regex parsing the response text for "The fields virtual_machine, name must make a unique set." would be ugly.
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
body_format: json
|
|
||||||
body: ' {"virtual_machine": {{ id }}, "name": "eth0", "enabled": true, "mac_address": "{{ mac_address }}", "mode": "access"}'
|
|
||||||
register: nb_interface_1
|
|
||||||
delegate_to: localhost
|
|
||||||
#no_log: true
|
|
||||||
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Create IP address object
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/ipam/ip-addresses/"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: POST
|
|
||||||
return_content: yes
|
|
||||||
status_code:
|
|
||||||
- 201
|
|
||||||
- 400
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
body_format: json
|
|
||||||
body: ' {"address": "{{ ip_address_cidr }}", "tenant": 1, "status": "active", "assigned_object_type": "virtualization.vminterface", "assigned_object_id": {{ ifid }}, "dns_name": "{{ vm_fqdn }}"}'
|
|
||||||
register: nb_ip_3
|
|
||||||
when: "ip_address_type|string == 'new'"
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Register IP address object ID #only for new addresses, existing ones have ipid set in _evaluate_ip.yml
|
|
||||||
set_fact:
|
|
||||||
ipid: "{{ nb_ip_3.json.id }}"
|
|
||||||
when: "ip_address_type|string == 'new'"
|
|
||||||
|
|
||||||
- name: Set primary IPv4 address
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: PATCH
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
body_format: json
|
|
||||||
body: ' {"primary_ip4": {{ ipid }}}'
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Locate cluster hosts
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/dcim/devices/?cluster_id={{ nb_vm.json.results[0].cluster.id }}"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_hosts
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Query existing interface
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/interfaces/?name=eth0&virtual_machine_id={{ id }}"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_interface_2
|
|
||||||
delegate_to: localhost
|
|
||||||
when: "nb_interface_1.status|int == 400"
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Query existing address
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/ipam/ip-addresses?virtual_machine_id={{ id }}"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_ip_1
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
||||||
- name: Query available address
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/ipam/prefixes/{{ prefix_id }}/available-ips/?limit=1"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_ip_2
|
|
||||||
delegate_to: localhost
|
|
||||||
when: "nb_ip_1.json.count|int == 0 or (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value != 'active')"
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Query prefix
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/ipam/prefixes/?site_id={{ site_id }}&tenant={{ tenant }}&limit=1"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_prefix
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Query site
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/dcim/sites/?slug={{ site }}"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_site
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
# consider ditching this block, would need to work around missing cluster ID in hostvars
|
|
||||||
- name: Query VM
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/virtual-machines/?name={{ inventory_hostname }}"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: GET
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
register: nb_vm
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_dp
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Post-deployment tagging
|
|
||||||
block:
|
|
||||||
- name: Construct body for tagging
|
|
||||||
set_fact:
|
|
||||||
body2: ' {% for tag in tag_exist %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
|
|
||||||
when: tag_exist is defined
|
|
||||||
|
|
||||||
- name: Set post-deployment tags
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: PATCH
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
body_format: json
|
|
||||||
body: ' {"tags": [ {{ body2 }}]}'
|
|
||||||
delegate_to: localhost
|
|
||||||
when: body2 is defined
|
|
||||||
no_log: true
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Pre-deployment tagging
|
|
||||||
block:
|
|
||||||
- name: Gather tags
|
|
||||||
set_fact:
|
|
||||||
tag_exist: "{{ tags }}"
|
|
||||||
tag_append: "['active-deployment']"
|
|
||||||
|
|
||||||
- name: Merge tags
|
|
||||||
set_fact:
|
|
||||||
tag_merged: "{{ tag_merged + [item] }}"
|
|
||||||
with_items:
|
|
||||||
- "{{ tag_exist }}"
|
|
||||||
- "{{ tag_append }}"
|
|
||||||
|
|
||||||
- name: Construct body for tagging
|
|
||||||
set_fact:
|
|
||||||
body1: ' {% for tag in tag_merged %}{% if loop.last %}{"slug": "{{ tag }}"}{% else %}{"slug": "{{ tag }}"},{% endif %}{% endfor %}'
|
|
||||||
|
|
||||||
- name: Set pre-deployment tags
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ endpoint }}/virtualization/virtual-machines/{{ id }}/"
|
|
||||||
client_cert: "{{ cert }}"
|
|
||||||
client_key: "{{ key }}"
|
|
||||||
method: PATCH
|
|
||||||
return_content: yes
|
|
||||||
headers:
|
|
||||||
Accept: application/json
|
|
||||||
Authorization: "Token {{ token }}"
|
|
||||||
body_format: json
|
|
||||||
body: ' {"tags": [ {{ body1 }}]}'
|
|
||||||
delegate_to: localhost
|
|
||||||
no_log: true
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Sit patiently
|
|
||||||
block:
|
|
||||||
- name: Wait for guest to become alive
|
|
||||||
wait_for:
|
|
||||||
delay: 240
|
|
||||||
connect_timeout: 3
|
|
||||||
sleep: 15
|
|
||||||
port: 22
|
|
||||||
host: '{{ ip_address }}'
|
|
||||||
search_regex: OpenSSH
|
|
||||||
timeout: 600
|
|
||||||
|
|
||||||
# rescue:
|
|
||||||
# - name: Destroy
|
|
||||||
# community.libvirt.virt:
|
|
||||||
# uri: "{{ libvirt_url }}"
|
|
||||||
# command: destroy
|
|
||||||
# name: "{{ vm_name }}"
|
|
||||||
# state: destroyed
|
|
||||||
#
|
|
||||||
# - name: Start
|
|
||||||
# community.libvirt.virt:
|
|
||||||
# uri: "{{ libvirt_url }}"
|
|
||||||
# command: start
|
|
||||||
# name: "{{ vm_name }}"
|
|
||||||
# state: running
|
|
||||||
#
|
|
||||||
# - name: Wait for guest to become alive
|
|
||||||
# wait_for:
|
|
||||||
# delay: 120
|
|
||||||
# connect_timeout: 3
|
|
||||||
# sleep: 15
|
|
||||||
# port: 22
|
|
||||||
# host: '{{ ip_address }}'
|
|
||||||
# search_regex: OpenSSH
|
|
||||||
# timeout: 600
|
|
||||||
|
|
||||||
delegate_to: localhost
|
|
||||||
tags:
|
|
||||||
- init_ssh
|
|
||||||
|
|
@ -1,5 +0,0 @@
|
|||||||
host {{ vm_name }} {
|
|
||||||
hardware ethernet {{ mac_address }};
|
|
||||||
fixed-address {{ ip_address }};
|
|
||||||
filename "shim.efi";
|
|
||||||
}
|
|
@ -1,3 +0,0 @@
|
|||||||
default={% if os == 'openSUSE-Leap-x86_64' %}install-suse{% endif %}{% if os == 'OpenBSD-x86_64' %}install-openbsd{% endif %}
|
|
||||||
|
|
||||||
{% if os == 'openSUSE-Leap-x86_64' %}installfile=autoinst_{{ vm_name }}.xml{% endif %}
|
|
@ -1,16 +0,0 @@
|
|||||||
<volume type='file'>
|
|
||||||
<name>{{ inventory_hostname }}_root_disk.qcow2</name>
|
|
||||||
<source>
|
|
||||||
</source>
|
|
||||||
<capacity unit='GB'>{{ disk }}</capacity>
|
|
||||||
<target>
|
|
||||||
<path>{{ storage.name }}</path>
|
|
||||||
<format type='qcow2'/>
|
|
||||||
<permissions>
|
|
||||||
<mode>0660</mode>
|
|
||||||
<owner>455</owner>
|
|
||||||
<group>453</group>
|
|
||||||
</permissions>
|
|
||||||
</target>
|
|
||||||
</volume>
|
|
||||||
|
|
@ -1,177 +0,0 @@
|
|||||||
<domain type='kvm'>
|
|
||||||
<name>{{ inventory_hostname }}</name>
|
|
||||||
<metadata>
|
|
||||||
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
|
|
||||||
</libosinfo:libosinfo>
|
|
||||||
</metadata>
|
|
||||||
<memory unit='MB'>{{ memory }}</memory>
|
|
||||||
<currentMemory unit='GB'>{{ memory }}</currentMemory>
|
|
||||||
<vcpu placement='static'>{{ vcpus }}</vcpu>
|
|
||||||
<resource>
|
|
||||||
<partition>/machine</partition>
|
|
||||||
</resource>
|
|
||||||
<os>
|
|
||||||
<type arch='x86_64' machine='pc-q35-5.2'>hvm</type>
|
|
||||||
<!--loader readonly='yes' type='pflash'>/opt/firmware/OVMF_09012022_RELEASE_HTTPBOOT.fd</loader-->
|
|
||||||
<loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x86_64-code.bin</loader>
|
|
||||||
<nvram>/var/lib/libvirt/qemu/nvram/{{ inventory_hostname }}_VARS.fd</nvram>
|
|
||||||
<boot dev='hd'/>
|
|
||||||
<boot dev='network'/>
|
|
||||||
<bootmenu enable='no'/>
|
|
||||||
</os>
|
|
||||||
<features>
|
|
||||||
<acpi/>
|
|
||||||
<apic/>
|
|
||||||
<vmport state='off'/>
|
|
||||||
</features>
|
|
||||||
<cpu mode='custom' match='exact' check='full'>
|
|
||||||
<model fallback='forbid'>Broadwell-IBRS</model>
|
|
||||||
<vendor>Intel</vendor>
|
|
||||||
<feature policy='require' name='vme'/>
|
|
||||||
<feature policy='require' name='ss'/>
|
|
||||||
<feature policy='require' name='vmx'/>
|
|
||||||
<feature policy='require' name='f16c'/>
|
|
||||||
<feature policy='require' name='rdrand'/>
|
|
||||||
<feature policy='require' name='hypervisor'/>
|
|
||||||
<feature policy='require' name='arat'/>
|
|
||||||
<feature policy='require' name='tsc_adjust'/>
|
|
||||||
<feature policy='require' name='umip'/>
|
|
||||||
<feature policy='require' name='md-clear'/>
|
|
||||||
<feature policy='require' name='stibp'/>
|
|
||||||
<feature policy='require' name='arch-capabilities'/>
|
|
||||||
<feature policy='require' name='ssbd'/>
|
|
||||||
<feature policy='require' name='xsaveopt'/>
|
|
||||||
<feature policy='require' name='pdpe1gb'/>
|
|
||||||
<feature policy='require' name='abm'/>
|
|
||||||
<feature policy='require' name='skip-l1dfl-vmentry'/>
|
|
||||||
<feature policy='require' name='pschange-mc-no'/>
|
|
||||||
</cpu>
|
|
||||||
<clock offset='utc'>
|
|
||||||
<timer name='rtc' tickpolicy='catchup'/>
|
|
||||||
<timer name='pit' tickpolicy='delay'/>
|
|
||||||
<timer name='hpet' present='no'/>
|
|
||||||
</clock>
|
|
||||||
<on_poweroff>destroy</on_poweroff>
|
|
||||||
<on_reboot>restart</on_reboot>
|
|
||||||
<on_crash>destroy</on_crash>
|
|
||||||
<pm>
|
|
||||||
<suspend-to-mem enabled='no'/>
|
|
||||||
<suspend-to-disk enabled='no'/>
|
|
||||||
</pm>
|
|
||||||
<devices>
|
|
||||||
<emulator>/usr/bin/qemu-system-x86_64</emulator>
|
|
||||||
<disk type='file' device='disk'>
|
|
||||||
<driver name='qemu' type='qcow2'/>
|
|
||||||
<!--source pool='{{ storage.name }}' volume='{{ inventory_hostname }}_root_disk.qcow2' index='1'/-->
|
|
||||||
<source file='{{ volume_path }}'/>
|
|
||||||
<backingStore/>
|
|
||||||
<target dev='vda' bus='virtio'/>
|
|
||||||
<alias name='virtio-disk0'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
|
|
||||||
</disk>
|
|
||||||
<!--disk type='file' device='cdrom'>
|
|
||||||
<driver name='qemu'/>
|
|
||||||
<source file='/mnt/iso/openSUSE-Leap-15.3-NET-x86_64.iso'/>
|
|
||||||
<target dev='sda' bus='sata'/>
|
|
||||||
<readonly/>
|
|
||||||
<boot order='2'/>
|
|
||||||
<alias name='sata0-0-0'/>
|
|
||||||
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
|
|
||||||
</disk-->
|
|
||||||
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
|
|
||||||
<alias name='usb'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='sata' index='0'>
|
|
||||||
<alias name='ide'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='0' model='pcie-root'>
|
|
||||||
<alias name='pcie.0'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='1' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='1' port='0x8'/>
|
|
||||||
<alias name='pci.1'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='2' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='2' port='0x9'/>
|
|
||||||
<alias name='pci.2'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='3' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='3' port='0xa'/>
|
|
||||||
<alias name='pci.3'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='4' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='4' port='0xb'/>
|
|
||||||
<alias name='pci.4'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='5' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='5' port='0xc'/>
|
|
||||||
<alias name='pci.5'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='6' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='6' port='0xd'/>
|
|
||||||
<alias name='pci.6'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='pci' index='7' model='pcie-root-port'>
|
|
||||||
<model name='pcie-root-port'/>
|
|
||||||
<target chassis='7' port='0xe'/>
|
|
||||||
<alias name='pci.7'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
|
|
||||||
</controller>
|
|
||||||
<controller type='virtio-serial' index='0'>
|
|
||||||
<alias name='virtio-serial0'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
|
|
||||||
</controller>
|
|
||||||
<interface type='network'>
|
|
||||||
<source network='LAN01'/>
|
|
||||||
<model type='virtio'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
|
|
||||||
</interface>
|
|
||||||
<serial type='pty'>
|
|
||||||
<source path='/dev/pts/4'/>
|
|
||||||
<target type='isa-serial' port='0'>
|
|
||||||
<model name='isa-serial'/>
|
|
||||||
</target>
|
|
||||||
<alias name='serial0'/>
|
|
||||||
</serial>
|
|
||||||
<console type='pty' tty='/dev/pts/4'>
|
|
||||||
<source path='/dev/pts/4'/>
|
|
||||||
<target type='serial' port='0'/>
|
|
||||||
<alias name='serial0'/>
|
|
||||||
</console>
|
|
||||||
<channel type='unix'>
|
|
||||||
<target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
|
|
||||||
<alias name='channel0'/>
|
|
||||||
<address type='virtio-serial' controller='0' bus='0' port='1'/>
|
|
||||||
</channel>
|
|
||||||
<input type='mouse' bus='ps2'>
|
|
||||||
<alias name='input0'/>
|
|
||||||
</input>
|
|
||||||
<input type='keyboard' bus='ps2'>
|
|
||||||
<alias name='input1'/>
|
|
||||||
</input>
|
|
||||||
<memballoon model='virtio'>
|
|
||||||
<alias name='balloon0'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
|
|
||||||
</memballoon>
|
|
||||||
<rng model='virtio'>
|
|
||||||
<backend model='random'>/dev/urandom</backend>
|
|
||||||
<alias name='rng0'/>
|
|
||||||
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
|
|
||||||
</rng>
|
|
||||||
</devices>
|
|
||||||
</domain>
|
|
||||||
|
|
@ -1,2 +0,0 @@
|
|||||||
{{ vm_name }} IN A {{ ip_address }}
|
|
||||||
{{ vm_name }}.{{ namespace_short }} IN A {{ ip_address }}
|
|
@ -1,14 +0,0 @@
|
|||||||
[v3_ca]
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
nsCertType = server
|
|
||||||
nsComment = "Web Server Certificate"
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
authorityKeyIdentifier = keyid,issuer:always
|
|
||||||
keyUsage = critical, digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage = serverAuth
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
[ alt_names ]
|
|
||||||
DNS.1 = orpheus.syscid.com
|
|
||||||
DNS.2 = auth.syscid.com
|
|
||||||
DNS.3 = www.syscid.com
|
|
||||||
DNS.4 = sso.syscid.com
|
|
@ -1,15 +0,0 @@
|
|||||||
[v3_ca]
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
nsCertType = server
|
|
||||||
nsComment = "LDAP01 Server Certificate"
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
authorityKeyIdentifier = keyid,issuer:always
|
|
||||||
keyUsage = critical, digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage = serverAuth
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
[ alt_names ]
|
|
||||||
DNS.1 = ldap.syscid.com
|
|
||||||
DNS.2 = ldap01.syscid.com
|
|
||||||
DNS.3 = dir.syscid.com
|
|
||||||
DNS.4 = dir01.syscid.com
|
|
||||||
DNS.5 = gaia.syscid.com
|
|
@ -1,13 +0,0 @@
|
|||||||
[v3_ca]
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
nsCertType = server
|
|
||||||
nsComment = "LDAP01 Server Certificate"
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
authorityKeyIdentifier = keyid,issuer:always
|
|
||||||
keyUsage = critical, digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage = serverAuth
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
[ alt_names ]
|
|
||||||
DNS.1 = web.sun.lysergic.dev
|
|
||||||
DNS.2 = web.syscid.com
|
|
||||||
DNS.3 = web
|
|
@ -1,734 +0,0 @@
|
|||||||
# Coturn TURN SERVER configuration file
|
|
||||||
#
|
|
||||||
# Boolean values note: where a boolean value is supposed to be used,
|
|
||||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
|
||||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
|
||||||
# If the value is missing, then it means 'true' by default.
|
|
||||||
#
|
|
||||||
|
|
||||||
# Listener interface device (optional, Linux only).
|
|
||||||
# NOT RECOMMENDED.
|
|
||||||
#
|
|
||||||
#listening-device=eth0
|
|
||||||
|
|
||||||
# TURN listener port for UDP and TCP (Default: 3478).
|
|
||||||
# Note: actually, TLS & DTLS sessions can connect to the
|
|
||||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
|
||||||
#
|
|
||||||
#listening-port=3478
|
|
||||||
|
|
||||||
# TURN listener port for TLS (Default: 5349).
|
|
||||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
|
||||||
# port(s), too - if allowed by configuration. The TURN server
|
|
||||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
|
||||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
|
||||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
|
||||||
# For secure TCP connections, Coturn currently supports
|
|
||||||
# TLS version 1.0, 1.1 and 1.2.
|
|
||||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
|
||||||
#
|
|
||||||
#tls-listening-port=5349
|
|
||||||
|
|
||||||
# Alternative listening port for UDP and TCP listeners;
|
|
||||||
# default (or zero) value means "listening port plus one".
|
|
||||||
# This is needed for RFC 5780 support
|
|
||||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
|
||||||
# supports RFC 5780 only if it is started with more than one
|
|
||||||
# listening IP address of the same family (IPv4 or IPv6).
|
|
||||||
# RFC 5780 is supported only by UDP protocol, other protocols
|
|
||||||
# are listening to that endpoint only for "symmetry".
|
|
||||||
#
|
|
||||||
#alt-listening-port=0
|
|
||||||
|
|
||||||
# Alternative listening port for TLS and DTLS protocols.
|
|
||||||
# Default (or zero) value means "TLS listening port plus one".
|
|
||||||
#
|
|
||||||
#alt-tls-listening-port=0
|
|
||||||
|
|
||||||
# Some network setups will require using a TCP reverse proxy in front
|
|
||||||
# of the STUN server. If the proxy port option is set a single listener
|
|
||||||
# is started on the given port that accepts connections using the
|
|
||||||
# haproxy proxy protocol v2.
|
|
||||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
|
||||||
#
|
|
||||||
#tcp-proxy-port=5555
|
|
||||||
|
|
||||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
|
||||||
# If no IP(s) specified in the config file or in the command line options,
|
|
||||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
|
||||||
#
|
|
||||||
#listening-ip=172.17.19.101
|
|
||||||
#listening-ip=10.207.21.238
|
|
||||||
#listening-ip=2607:f0d0:1002:51::4
|
|
||||||
listening-ip=192.168.0.115
|
|
||||||
listening-ip=202.61.255.116
|
|
||||||
listening-ip=2a03:4000:55:d20::
|
|
||||||
|
|
||||||
# Auxiliary STUN/TURN server listening endpoint.
|
|
||||||
# Aux servers have almost full TURN and STUN functionality.
|
|
||||||
# The (minor) limitations are:
|
|
||||||
#
|
|
||||||
# 1) Auxiliary servers do not have alternative ports and
|
|
||||||
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
|
||||||
#
|
|
||||||
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
|
||||||
#
|
|
||||||
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
|
||||||
#
|
|
||||||
# There may be multiple aux-server options, each will be used for listening
|
|
||||||
# to client requests.
|
|
||||||
#
|
|
||||||
#aux-server=172.17.19.110:33478
|
|
||||||
#aux-server=[2607:f0d0:1002:51::4]:33478
|
|
||||||
|
|
||||||
# (recommended for older Linuxes only)
|
|
||||||
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
|
||||||
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
|
||||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
|
||||||
# functionality.
|
|
||||||
#
|
|
||||||
#udp-self-balance
|
|
||||||
|
|
||||||
# Relay interface device for relay sockets (optional, Linux only).
|
|
||||||
# NOT RECOMMENDED.
|
|
||||||
#
|
|
||||||
#relay-device=eth1
|
|
||||||
|
|
||||||
# Relay address (the local IP address that will be used to relay the
|
|
||||||
# packets to the peer).
|
|
||||||
# Multiple relay addresses may be used.
|
|
||||||
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
|
||||||
#
|
|
||||||
# If no relay IP(s) specified, then the turnserver will apply the default
|
|
||||||
# policy: it will decide itself which relay addresses to be used, and it
|
|
||||||
# will always be using the client socket IP address as the relay IP address
|
|
||||||
# of the TURN session (if the requested relay address family is the same
|
|
||||||
# as the family of the client socket).
|
|
||||||
#
|
|
||||||
#relay-ip=172.17.19.105
|
|
||||||
#relay-ip=2607:f0d0:1002:51::5
|
|
||||||
|
|
||||||
# For Amazon EC2 users:
|
|
||||||
#
|
|
||||||
# TURN Server public/private address mapping, if the server is behind NAT.
|
|
||||||
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
|
|
||||||
# as relay IP address of all allocations. This scenario works only in a simple case
|
|
||||||
# when one single relay address is be used, and no RFC5780 functionality is required.
|
|
||||||
# That single relay address must be mapped by NAT to the 'external' IP.
|
|
||||||
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
|
|
||||||
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
|
|
||||||
# must be always mapped to the same 'external' port 12345).
|
|
||||||
#
|
|
||||||
# In more complex case when more than one IP address is involved,
|
|
||||||
# that option must be used several times, each entry must
|
|
||||||
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
|
||||||
# RFC5780 NAT discovery STUN functionality will work correctly,
|
|
||||||
# if the addresses are mapped properly, even when the TURN server itself
|
|
||||||
# is behind A NAT.
|
|
||||||
#
|
|
||||||
# By default, this value is empty, and no address mapping is used.
|
|
||||||
#
|
|
||||||
#external-ip=60.70.80.91
|
|
||||||
#
|
|
||||||
#OR:
|
|
||||||
#
|
|
||||||
#external-ip=60.70.80.91/172.17.19.101
|
|
||||||
#external-ip=60.70.80.92/172.17.19.102
|
|
||||||
|
|
||||||
|
|
||||||
# Number of the relay threads to handle the established connections
|
|
||||||
# (in addition to authentication thread and the listener thread).
|
|
||||||
# If explicitly set to 0 then application runs relay process in a
|
|
||||||
# single thread, in the same thread with the listener process
|
|
||||||
# (the authentication thread will still be a separate thread).
|
|
||||||
#
|
|
||||||
# If this parameter is not set, then the default OS-dependent
|
|
||||||
# thread pattern algorithm will be employed. Usually the default
|
|
||||||
# algorithm is optimal, so you have to change this option
|
|
||||||
# if you want to make some fine tweaks.
|
|
||||||
#
|
|
||||||
# In the older systems (Linux kernel before 3.9),
|
|
||||||
# the number of UDP threads is always one thread per network listening
|
|
||||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
|
||||||
# 1 (one) value is set.
|
|
||||||
#
|
|
||||||
#relay-threads=0
|
|
||||||
|
|
||||||
# Lower and upper bounds of the UDP relay endpoints:
|
|
||||||
# (default values are 49152 and 65535)
|
|
||||||
#
|
|
||||||
#min-port=49152
|
|
||||||
#max-port=65535
|
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
|
||||||
# By default the verbose mode is off.
|
|
||||||
#verbose
|
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
|
||||||
# This mode is very annoying and produces lots of output.
|
|
||||||
# Not recommended under normal circumstances.
|
|
||||||
#
|
|
||||||
#Verbose
|
|
||||||
|
|
||||||
# Uncomment to use fingerprints in the TURN messages.
|
|
||||||
# By default the fingerprints are off.
|
|
||||||
#
|
|
||||||
fingerprint
|
|
||||||
|
|
||||||
# Uncomment to use long-term credential mechanism.
|
|
||||||
# By default no credentials mechanism is used (any user allowed).
|
|
||||||
#
|
|
||||||
#lt-cred-mech
|
|
||||||
|
|
||||||
# This option is the opposite of lt-cred-mech.
|
|
||||||
# (TURN Server with no-auth option allows anonymous access).
|
|
||||||
# If neither option is defined, and no users are defined,
|
|
||||||
# then no-auth is default. If at least one user is defined,
|
|
||||||
# in this file, in command line or in usersdb file, then
|
|
||||||
# lt-cred-mech is default.
|
|
||||||
#
|
|
||||||
#no-auth
|
|
||||||
|
|
||||||
# TURN REST API flag.
|
|
||||||
# (Time Limited Long Term Credential)
|
|
||||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
|
||||||
#
|
|
||||||
# This feature's purpose is to support "TURN Server REST API", see
|
|
||||||
# "TURN REST API" link in the project's page
|
|
||||||
# https://github.com/coturn/coturn/
|
|
||||||
#
|
|
||||||
# This option is used with timestamp:
|
|
||||||
#
|
|
||||||
# usercombo -> "timestamp:userid"
|
|
||||||
# turn user -> usercombo
|
|
||||||
# turn password -> base64(hmac(secret key, usercombo))
|
|
||||||
#
|
|
||||||
# This allows TURN credentials to be accounted for a specific user id.
|
|
||||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
|
||||||
# This option is enabled by turning on secret-based authentication.
|
|
||||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
|
||||||
# or can be found in the turn_secret table in the database (see below).
|
|
||||||
#
|
|
||||||
# Read more about it:
|
|
||||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
|
||||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
|
||||||
#
|
|
||||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
|
||||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
|
||||||
# this option then it automatically enables lt-cred-mech internally
|
|
||||||
# as if you had enabled both.
|
|
||||||
#
|
|
||||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
|
||||||
# both mechanisms conduct username and password validation in different ways.
|
|
||||||
#
|
|
||||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
|
||||||
# to avoid any confusion.
|
|
||||||
#
|
|
||||||
use-auth-secret
|
|
||||||
|
|
||||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
|
||||||
# If not set, then the turn server
|
|
||||||
# will try to use the 'dynamic' value in the turn_secret table
|
|
||||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
|
||||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
|
||||||
#
|
|
||||||
static-auth-secret=$authsec
|
|
||||||
|
|
||||||
# Server name used for
|
|
||||||
# the oAuth authentication purposes.
|
|
||||||
# The default value is the realm name.
|
|
||||||
#
|
|
||||||
#server-name=blackdow.carleon.gov
|
|
||||||
#server-name=orpheus.syscid.com
|
|
||||||
|
|
||||||
# Flag that allows oAuth authentication.
|
|
||||||
#
|
|
||||||
#oauth
|
|
||||||
|
|
||||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
|
||||||
# This option cannot be used with TURN REST API.
|
|
||||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
|
||||||
# so they can NOT be changed while the turnserver is running.
|
|
||||||
#
|
|
||||||
#user=username1:key1
|
|
||||||
#user=username2:key2
|
|
||||||
# OR:
|
|
||||||
#user=username1:password1
|
|
||||||
#user=username2:password2
|
|
||||||
#
|
|
||||||
# Keys must be generated by turnadmin utility. The key value depends
|
|
||||||
# on user name, realm, and password:
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
|
|
||||||
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
|
|
||||||
# ('0x' in the beginning of the key is what differentiates the key from
|
|
||||||
# password. If it has 0x then it is a key, otherwise it is a password).
|
|
||||||
#
|
|
||||||
# The corresponding user account entry in the config file will be:
|
|
||||||
#
|
|
||||||
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
|
||||||
# Or, equivalently, with open clear password (less secure):
|
|
||||||
#user=ninefingers:youhavetoberealistic
|
|
||||||
#
|
|
||||||
|
|
||||||
# SQLite database file name.
|
|
||||||
#
|
|
||||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
|
||||||
# /var/lib/turn/turndb.
|
|
||||||
#
|
|
||||||
#userdb=/var/db/turndb
|
|
||||||
|
|
||||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
|
||||||
# as the user database.
|
|
||||||
# This database can be used for the long-term credential mechanism
|
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
|
||||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
|
||||||
# versions connection string format, see
|
|
||||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
|
||||||
# for 9.x and newer connection string formats.
|
|
||||||
#
|
|
||||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
|
||||||
psql-userdb="host=$dbhost dbname=$db user=$dbuser password=$dbpass connect_timeout=30"
|
|
||||||
|
|
||||||
# MySQL database connection string in the case that you are using MySQL
|
|
||||||
# as the user database.
|
|
||||||
# This database can be used for the long-term credential mechanism
|
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
|
||||||
#
|
|
||||||
# Optional connection string parameters for the secure communications (SSL):
|
|
||||||
# ca, capath, cert, key, cipher
|
|
||||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
|
||||||
# command options description).
|
|
||||||
#
|
|
||||||
# Use the string format below (space separated parameters, all optional):
|
|
||||||
#
|
|
||||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
|
||||||
|
|
||||||
# If you want to use an encrypted password in the MySQL connection string,
|
|
||||||
# then set the MySQL password encryption secret key file with this option.
|
|
||||||
#
|
|
||||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
|
||||||
# If you want to use a cleartext password then do not set this option!
|
|
||||||
#
|
|
||||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
|
||||||
#
|
|
||||||
#secret-key-file=/path/
|
|
||||||
|
|
||||||
# MongoDB database connection string in the case that you are using MongoDB
|
|
||||||
# as the user database.
|
|
||||||
# This database can be used for long-term credential mechanism
|
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
|
||||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
|
||||||
#
|
|
||||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
|
||||||
|
|
||||||
# Redis database connection string in the case that you are using Redis
|
|
||||||
# as the user database.
|
|
||||||
# This database can be used for long-term credential mechanism
|
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
|
||||||
# Use the string format below (space separated parameters, all optional):
|
|
||||||
#
|
|
||||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
|
||||||
|
|
||||||
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
|
||||||
# This database keeps allocations status information, and it can be also used for publishing
|
|
||||||
# and delivering traffic and allocation event notifications.
|
|
||||||
# The connection string has the same parameters as redis-userdb connection string.
|
|
||||||
# Use the string format below (space separated parameters, all optional):
|
|
||||||
#
|
|
||||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
|
||||||
|
|
||||||
# The default realm to be used for the users when no explicit
|
|
||||||
# origin/realm relationship is found in the database, or if the TURN
|
|
||||||
# server is not using any database (just the commands-line settings
|
|
||||||
# and the userdb file). Must be used with long-term credentials
|
|
||||||
# mechanism or with TURN REST API.
|
|
||||||
#
|
|
||||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
|
||||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
|
||||||
#
|
|
||||||
realm=turn.lysergic.dev
|
|
||||||
|
|
||||||
# This flag sets the origin consistency
|
|
||||||
# check. Across the session, all requests must have the same
|
|
||||||
# main ORIGIN attribute value (if the ORIGIN was
|
|
||||||
# initially used by the session).
|
|
||||||
#
|
|
||||||
#check-origin-consistency
|
|
||||||
|
|
||||||
# Per-user allocation quota.
|
|
||||||
# default value is 0 (no quota, unlimited number of sessions per user).
|
|
||||||
# This option can also be set through the database, for a particular realm.
|
|
||||||
#
|
|
||||||
#user-quota=0
|
|
||||||
|
|
||||||
# Total allocation quota.
|
|
||||||
# default value is 0 (no quota).
|
|
||||||
# This option can also be set through the database, for a particular realm.
|
|
||||||
#
|
|
||||||
total-quota=100
|
|
||||||
|
|
||||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
|
||||||
# (input and output network streams are treated separately). Anything above
|
|
||||||
# that limit will be dropped or temporarily suppressed (within
|
|
||||||
# the available buffer limits).
|
|
||||||
# This option can also be set through the database, for a particular realm.
|
|
||||||
#
|
|
||||||
#max-bps=0
|
|
||||||
|
|
||||||
#
|
|
||||||
# Maximum server capacity.
|
|
||||||
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
|
|
||||||
# for the sessions, combined (input and output network streams are treated separately).
|
|
||||||
#
|
|
||||||
# bps-capacity=0
|
|
||||||
|
|
||||||
# Uncomment if no UDP client listener is desired.
|
|
||||||
# By default UDP client listener is always started.
|
|
||||||
#
|
|
||||||
#no-udp
|
|
||||||
|
|
||||||
# Uncomment if no TCP client listener is desired.
|
|
||||||
# By default TCP client listener is always started.
|
|
||||||
#
|
|
||||||
#no-tcp
|
|
||||||
|
|
||||||
# Uncomment if no TLS client listener is desired.
|
|
||||||
# By default TLS client listener is always started.
|
|
||||||
#
|
|
||||||
#no-tls
|
|
||||||
|
|
||||||
# Uncomment if no DTLS client listener is desired.
|
|
||||||
# By default DTLS client listener is always started.
|
|
||||||
#
|
|
||||||
#no-dtls
|
|
||||||
|
|
||||||
# Uncomment if no UDP relay endpoints are allowed.
|
|
||||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
|
||||||
#
|
|
||||||
#no-udp-relay
|
|
||||||
|
|
||||||
# Uncomment if no TCP relay endpoints are allowed.
|
|
||||||
# By default TCP relay endpoints are enabled (like in RFC 6062).
|
|
||||||
#
|
|
||||||
#no-tcp-relay
|
|
||||||
|
|
||||||
# Uncomment if extra security is desired,
|
|
||||||
# with nonce value having a limited lifetime.
|
|
||||||
# By default, the nonce value is unique for a session,
|
|
||||||
# and has an unlimited lifetime.
|
|
||||||
# Set this option to limit the nonce lifetime.
|
|
||||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
|
||||||
# the client will get 438 error and will have to re-authenticate itself.
|
|
||||||
#
|
|
||||||
stale-nonce=600
|
|
||||||
|
|
||||||
# Uncomment if you want to set the maximum allocation
|
|
||||||
# time before it has to be refreshed.
|
|
||||||
# Default is 3600s.
|
|
||||||
#
|
|
||||||
#max-allocate-lifetime=3600
|
|
||||||
|
|
||||||
|
|
||||||
# Uncomment to set the lifetime for the channel.
|
|
||||||
# Default value is 600 secs (10 minutes).
|
|
||||||
# This value MUST not be changed for production purposes.
|
|
||||||
#
|
|
||||||
#channel-lifetime=600
|
|
||||||
|
|
||||||
# Uncomment to set the permission lifetime.
|
|
||||||
# Default to 300 secs (5 minutes).
|
|
||||||
# In production this value MUST not be changed,
|
|
||||||
# however it can be useful for test purposes.
|
|
||||||
#
|
|
||||||
#permission-lifetime=300
|
|
||||||
|
|
||||||
# Certificate file.
|
|
||||||
# Use an absolute path or path relative to the
|
|
||||||
# configuration file.
|
|
||||||
# Use PEM file format.
|
|
||||||
#
|
|
||||||
#cert=/etc/pki/coturn/public/turn_server_cert.pem
|
|
||||||
cert=/etc/ssl/lysergic/fullchain.pem
|
|
||||||
|
|
||||||
# Private key file.
|
|
||||||
# Use an absolute path or path relative to the
|
|
||||||
# configuration file.
|
|
||||||
# Use PEM file format.
|
|
||||||
#
|
|
||||||
#pkey=/etc/pki/coturn/private/turn_server_pkey.pem
|
|
||||||
pkey=/etc/ssl/lysergic/private/privkey.pem
|
|
||||||
|
|
||||||
# Private key file password, if it is in encoded format.
|
|
||||||
# This option has no default value.
|
|
||||||
#
|
|
||||||
#pkey-pwd=...
|
|
||||||
|
|
||||||
# Allowed OpenSSL cipher list for TLS/DTLS connections.
|
|
||||||
# Default value is "DEFAULT".
|
|
||||||
#
|
|
||||||
#cipher-list="DEFAULT"
|
|
||||||
|
|
||||||
# CA file in OpenSSL format.
|
|
||||||
# Forces TURN server to verify the client SSL certificates.
|
|
||||||
# By default this is not set: there is no default value and the client
|
|
||||||
# certificate is not checked.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
#CA-file=/etc/ssh/id_rsa.cert
|
|
||||||
|
|
||||||
# Curve name for EC ciphers, if supported by OpenSSL
|
|
||||||
# library (TLS and DTLS). The default value is prime256v1,
|
|
||||||
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
|
||||||
# an optimal curve will be automatically calculated, if not defined
|
|
||||||
# by this option.
|
|
||||||
#
|
|
||||||
#ec-curve-name=prime256v1
|
|
||||||
|
|
||||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
|
||||||
#
|
|
||||||
#dh566
|
|
||||||
|
|
||||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
|
||||||
#
|
|
||||||
#dh1066
|
|
||||||
|
|
||||||
# Use custom DH TLS key, stored in PEM format in the file.
|
|
||||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
|
||||||
#
|
|
||||||
#dh-file=<DH-PEM-file-name>
|
|
||||||
|
|
||||||
# Flag to prevent stdout log messages.
|
|
||||||
# By default, all log messages go to both stdout and to
|
|
||||||
# the configured log file. With this option everything will
|
|
||||||
# go to the configured log only (unless the log file itself is stdout).
|
|
||||||
#
|
|
||||||
no-stdout-log
|
|
||||||
|
|
||||||
# Option to set the log file name.
|
|
||||||
# By default, the turnserver tries to open a log file in
|
|
||||||
# /var/log, /var/tmp, /tmp and the current directory
|
|
||||||
# (Whichever file open operation succeeds first will be used).
|
|
||||||
# With this option you can set the definite log file name.
|
|
||||||
# The special names are "stdout" and "-" - they will force everything
|
|
||||||
# to the stdout. Also, the "syslog" name will force everything to
|
|
||||||
# the system log (syslog).
|
|
||||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
|
||||||
# to the turnserver process.
|
|
||||||
#
|
|
||||||
log-file=/var/log/coturn/turnserver.log
|
|
||||||
|
|
||||||
# Option to redirect all log output into system log (syslog).
|
|
||||||
#
|
|
||||||
#syslog
|
|
||||||
|
|
||||||
# This flag means that no log file rollover will be used, and the log file
|
|
||||||
# name will be constructed as-is, without PID and date appendage.
|
|
||||||
# This option can be used, for example, together with the logrotate tool.
|
|
||||||
#
|
|
||||||
simple-log
|
|
||||||
|
|
||||||
# Option to set the "redirection" mode. The value of this option
|
|
||||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
|
||||||
# <ip>[:<port>]. The server will send this value in the attribute
|
|
||||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
|
||||||
# Client will receive only values with the same address family
|
|
||||||
# as the client network endpoint address family.
|
|
||||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
|
||||||
# The client must use the obtained value for subsequent TURN communications.
|
|
||||||
# If more than one --alternate-server option is provided, then the functionality
|
|
||||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
|
||||||
# If the port number is omitted, then the default port
|
|
||||||
# number 3478 for the UDP/TCP protocols will be used.
|
|
||||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
|
||||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
|
||||||
# in square brackets in such resource identifiers, for example:
|
|
||||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
|
||||||
# Multiple alternate servers can be set. They will be used in the
|
|
||||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
|
||||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
|
||||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
|
||||||
# address can be used more than one time with the alternate-server option, so this
|
|
||||||
# can emulate "weighting" of the servers.
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
#alternate-server=1.2.3.4:5678
|
|
||||||
#alternate-server=11.22.33.44:56789
|
|
||||||
#alternate-server=5.6.7.8
|
|
||||||
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
|
||||||
|
|
||||||
# Option to set alternative server for TLS & DTLS services in form of
|
|
||||||
# <ip>:<port>. If the port number is omitted, then the default port
|
|
||||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
|
||||||
# option for the functionality description.
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
#tls-alternate-server=1.2.3.4:5678
|
|
||||||
#tls-alternate-server=11.22.33.44:56789
|
|
||||||
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
|
||||||
|
|
||||||
# Option to suppress TURN functionality, only STUN requests will be processed.
|
|
||||||
# Run as STUN server only, all TURN requests will be ignored.
|
|
||||||
# By default, this option is NOT set.
|
|
||||||
#
|
|
||||||
#stun-only
|
|
||||||
|
|
||||||
# Option to hide software version. Enhance security when used in production.
|
|
||||||
# Revealing the specific software version of the agent through the
|
|
||||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
|
||||||
# attacks against software that is known to contain security holes.
|
|
||||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
|
||||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
|
||||||
#
|
|
||||||
#no-software-attribute
|
|
||||||
|
|
||||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
|
||||||
# Run as TURN server only, all STUN requests will be ignored.
|
|
||||||
# By default, this option is NOT set.
|
|
||||||
#
|
|
||||||
#no-stun
|
|
||||||
|
|
||||||
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
|
||||||
# The default value is ':'.
|
|
||||||
# rest-api-separator=:
|
|
||||||
|
|
||||||
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
|
||||||
# This is an extra security measure.
|
|
||||||
#
|
|
||||||
# (To avoid any security issue that allowing loopback access may raise,
|
|
||||||
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
|
||||||
#
|
|
||||||
# Allow it only for testing in a development environment!
|
|
||||||
# In production it adds a possible security vulnerability, so for security reasons
|
|
||||||
# it is not allowed using it together with empty cli-password.
|
|
||||||
#
|
|
||||||
#allow-loopback-peers
|
|
||||||
|
|
||||||
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
|
|
||||||
# This is an extra security measure.
|
|
||||||
#
|
|
||||||
no-multicast-peers
|
|
||||||
|
|
||||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
|
||||||
# Default is 60 seconds.
|
|
||||||
#
|
|
||||||
#max-allocate-timeout=60
|
|
||||||
|
|
||||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
|
||||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
|
||||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
|
||||||
# addresses, except for a few specific ips within that range.
|
|
||||||
#
|
|
||||||
# This can be used when you do not want users of the turn server to be able to access
|
|
||||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
|
||||||
# internet (e.g. when the turn server is sitting behind a NAT)
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
# denied-peer-ip=83.166.64.0-83.166.95.255
|
|
||||||
# allowed-peer-ip=83.166.68.45
|
|
||||||
allowed-peer-ip=192.168.0.1-192.168.0.254
|
|
||||||
|
|
||||||
# File name to store the pid of the process.
|
|
||||||
# Default is /var/run/turnserver.pid (if superuser account is used) or
|
|
||||||
# /var/tmp/turnserver.pid .
|
|
||||||
#
|
|
||||||
#pidfile="/var/run/turnserver.pid"
|
|
||||||
|
|
||||||
# Require authentication of the STUN Binding request.
|
|
||||||
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
|
|
||||||
#
|
|
||||||
#secure-stun
|
|
||||||
|
|
||||||
# Mobility with ICE (MICE) specs support.
|
|
||||||
#
|
|
||||||
#mobility
|
|
||||||
|
|
||||||
# Allocate Address Family according
|
|
||||||
# If enabled then TURN server allocates address family according the TURN
|
|
||||||
# Client <=> Server communication address family.
|
|
||||||
# (By default Coturn works according RFC 6156.)
|
|
||||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
|
||||||
#
|
|
||||||
#keep-address-family
|
|
||||||
|
|
||||||
|
|
||||||
# User name to run the process. After the initialization, the turnserver process
|
|
||||||
# will attempt to change the current user ID to that user.
|
|
||||||
#
|
|
||||||
#proc-user=<user-name>
|
|
||||||
|
|
||||||
# Group name to run the process. After the initialization, the turnserver process
|
|
||||||
# will attempt to change the current group ID to that group.
|
|
||||||
#
|
|
||||||
#proc-group=<group-name>
|
|
||||||
|
|
||||||
# Turn OFF the CLI support.
|
|
||||||
# By default it is always ON.
|
|
||||||
# See also options cli-ip and cli-port.
|
|
||||||
#
|
|
||||||
no-cli
|
|
||||||
|
|
||||||
#Local system IP address to be used for CLI server endpoint. Default value
|
|
||||||
# is 127.0.0.1.
|
|
||||||
#
|
|
||||||
#cli-ip=127.0.0.1
|
|
||||||
|
|
||||||
# CLI server port. Default is 5766.
|
|
||||||
#
|
|
||||||
#cli-port=5766
|
|
||||||
|
|
||||||
# CLI access password. Default is empty (no password).
|
|
||||||
# For the security reasons, it is recommended that you use the encrypted
|
|
||||||
# form of the password (see the -P command in the turnadmin utility).
|
|
||||||
#
|
|
||||||
# Secure form for password 'qwerty':
|
|
||||||
#
|
|
||||||
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
|
|
||||||
#
|
|
||||||
# Or unsecure form for the same password:
|
|
||||||
#
|
|
||||||
#cli-password=qwerty
|
|
||||||
|
|
||||||
# Enable Web-admin support on https. By default it is Disabled.
|
|
||||||
# If it is enabled it also enables a http a simple static banner page
|
|
||||||
# with a small reminder that the admin page is available only on https.
|
|
||||||
#
|
|
||||||
#web-admin
|
|
||||||
|
|
||||||
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
|
|
||||||
#
|
|
||||||
#web-admin-ip=127.0.0.1
|
|
||||||
|
|
||||||
# Web-admin server port. Default is 8080.
|
|
||||||
#
|
|
||||||
#web-admin-port=8080
|
|
||||||
|
|
||||||
# Web-admin server listen on STUN/TURN worker threads
|
|
||||||
# By default it is disabled for security resons! (Not recommended in any production environment!)
|
|
||||||
#
|
|
||||||
#web-admin-listen-on-workers
|
|
||||||
|
|
||||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
|
||||||
# Only for those applications when you want to run
|
|
||||||
# server applications on the relay endpoints.
|
|
||||||
# This option eliminates the IP permissions check on
|
|
||||||
# the packets incoming to the relay endpoints.
|
|
||||||
#
|
|
||||||
#server-relay
|
|
||||||
|
|
||||||
# Maximum number of output sessions in ps CLI command.
|
|
||||||
# This value can be changed on-the-fly in CLI. The default value is 256.
|
|
||||||
#
|
|
||||||
#cli-max-output-sessions
|
|
||||||
|
|
||||||
# Set network engine type for the process (for internal purposes).
|
|
||||||
#
|
|
||||||
#ne=[1|2|3]
|
|
||||||
|
|
||||||
# Do not allow an TLS/DTLS version of protocol
|
|
||||||
#
|
|
||||||
no-sslv3
|
|
||||||
no-tlsv1
|
|
||||||
no-tlsv1_1
|
|
||||||
no-tlsv1_2
|
|
@ -1,11 +1,9 @@
|
|||||||
# Cronjob for Restic Backup to Wasabi S3
|
# Cronjob for Restic Backup to S3
|
||||||
# Created and last modified: 20/07/2021
|
# Created and last modified: 20/07/2021
|
||||||
# georg@lysergic.dev
|
# georg@lysergic.dev
|
||||||
|
|
||||||
MAILTO=system
|
MAILTO=system
|
||||||
SHELL=/bin/sh
|
SHELL=/bin/sh
|
||||||
|
|
||||||
#This will make a deduplicating (is that the right word?) backup every day at 23:00 and send an email to system@lysergic.dev as well as #universe
|
#This will make a deduplicating backup every day at 22:00 and send an email to system@lysergic.dev as well as #universe
|
||||||
0 22 * * * restic /opt/restic/run.sh |& mail -s "[S3 Backup] - $(hostname -f) - $(date)" ircsystem
|
0 22 * * * restic /opt/restic/run.sh |& mail -s "S3 Backup - $(hostname -f) - $(date)" ircsystem
|
||||||
#This will remove everything except the last 30 days worth of snapshots every two days at 22:30
|
|
||||||
0 4 */2 * * restic /opt/restic/cleanup.sh |& mail -s "[S3 Cleanup] - $(date)" ircsystem
|
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
OUTPUT="nc -N 127.0.0.2 2424"
|
|
||||||
maximumSecondsBehind=20
|
|
||||||
/opt/mysql/bin/mysql -u repl-status -p'$dbmonpass' -e 'SHOW REPLICA STATUS \G' > /tmp/replicationstatus.txt
|
|
||||||
|
|
||||||
slaveRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_IO_Running: Yes" | wc -l)"
|
|
||||||
slaveSQLRunning="$(cat /tmp/replicationstatus.txt | grep "Replica_SQL_Running: Yes" | wc -l)"
|
|
||||||
secondsBehind="$(cat /tmp/replicationstatus.txt | grep "Seconds_Behind_Source" | tr -dc '0-9')"
|
|
||||||
|
|
||||||
echo $slaveRunning | $OUTPUT
|
|
||||||
echo $slaveSQLRunning | $OUTPUT
|
|
||||||
echo $secondsBehind | $OUTPUT
|
|
||||||
|
|
||||||
if [[ $slaveRunning != 1 || $slaveSQLRunning != 1 || $secondsBehind -gt $maximumSecondsBehind ]]; then
|
|
||||||
echo
|
|
||||||
echo "Replikacja wydaje się być popieprzona. Sending logs via email. @cranberry" | $OUTPUT
|
|
||||||
/usr/bin/mail -s "[MySQL Replication Monitor] Issue on $(hostname) at $(date)" system@lysergic.dev < /tmp/replicationstatus.txt
|
|
||||||
else
|
|
||||||
echo
|
|
||||||
echo "Replikacja wydaje się być zdrowa." | $OUTPUT
|
|
||||||
fi
|
|
@ -1,13 +0,0 @@
|
|||||||
[general]
|
|
||||||
config_version = 2
|
|
||||||
|
|
||||||
[slapd]
|
|
||||||
instance_name = syscid
|
|
||||||
root_password = $dirmgrpass
|
|
||||||
|
|
||||||
[backend-userroot]
|
|
||||||
create_suffix_entry = yes
|
|
||||||
sample_entries = yes
|
|
||||||
suffix = dc=syscid,dc=com
|
|
||||||
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
[general]
|
|
||||||
config_version = 2
|
|
||||||
|
|
||||||
[slapd]
|
|
||||||
instance_name = syscid
|
|
||||||
root_password = $dirmgrpass
|
|
||||||
|
|
||||||
[backend-userroot]
|
|
||||||
create_suffix_entry = True
|
|
||||||
sample_entries = no
|
|
||||||
suffix = dc=syscid,dc=com
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
dn: cn=defaults,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
|
|
||||||
objectClass: top
|
|
||||||
objectClass: sudoRole
|
|
||||||
cn: defaults
|
|
||||||
description: Default sudoOption's go here
|
|
||||||
sudoOption: always_set_home
|
|
||||||
sudoOption: secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
|
||||||
sudoOption: env_reset
|
|
||||||
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
||||||
sudoOption: insults
|
|
||||||
sudoOption: mail_badpass
|
|
||||||
sudoOption: log_output
|
|
||||||
sudoOption: timestamp_timeout=15
|
|
||||||
sudoOrder: 1
|
|
||||||
|
|
||||||
dn: cn=root,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
|
|
||||||
objectClass: top
|
|
||||||
objectClass: sudoRole
|
|
||||||
cn: root
|
|
||||||
sudoUser: root
|
|
||||||
sudoHost: ALL
|
|
||||||
sudoRunAsUser: ALL
|
|
||||||
sudoCommand: ALL
|
|
||||||
sudoOrder: 2
|
|
||||||
|
|
||||||
dn: cn=%wheel,ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
|
|
||||||
objectClass: top
|
|
||||||
objectClass: sudoRole
|
|
||||||
cn: %wheel
|
|
||||||
sudoUser: %wheel
|
|
||||||
sudoHost: ALL
|
|
||||||
sudoRunAsUser: ALL
|
|
||||||
sudoCommand: ALL
|
|
||||||
sudoOrder: 3
|
|
||||||
|
|
@ -1,153 +0,0 @@
|
|||||||
#!/usr/bin/env perl
|
|
||||||
#
|
|
||||||
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
|
||||||
#
|
|
||||||
# Permission to use, copy, modify, and distribute this software for any
|
|
||||||
# purpose with or without fee is hereby granted, provided that the above
|
|
||||||
# copyright notice and this permission notice appear in all copies.
|
|
||||||
#
|
|
||||||
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
||||||
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
||||||
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
||||||
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
||||||
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#
|
|
||||||
|
|
||||||
use strict;
|
|
||||||
|
|
||||||
#
|
|
||||||
# Converts a sudoers file to LDIF format in prepration for loading into
|
|
||||||
# the LDAP server.
|
|
||||||
#
|
|
||||||
|
|
||||||
# BUGS:
|
|
||||||
# Does not yet handle multiple lines with : in them
|
|
||||||
# Does not yet remove quotation marks from options
|
|
||||||
# Does not yet escape + at the beginning of a dn
|
|
||||||
# Does not yet handle line wraps correctly
|
|
||||||
# Does not yet handle multiple roles with same name (needs tiebreaker)
|
|
||||||
#
|
|
||||||
# CAVEATS:
|
|
||||||
# Sudoers entries can have multiple RunAs entries that override former ones,
|
|
||||||
# with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
|
|
||||||
|
|
||||||
my %RA;
|
|
||||||
my %UA;
|
|
||||||
my %HA;
|
|
||||||
my %CA;
|
|
||||||
my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
|
|
||||||
my @options=();
|
|
||||||
|
|
||||||
my $did_defaults=0;
|
|
||||||
my $order = 0;
|
|
||||||
|
|
||||||
# parse sudoers one line at a time
|
|
||||||
while (<>){
|
|
||||||
|
|
||||||
# remove comment
|
|
||||||
s/#.*//;
|
|
||||||
|
|
||||||
# line continuation
|
|
||||||
$_.=<> while s/\\\s*$//s;
|
|
||||||
|
|
||||||
# cleanup newline
|
|
||||||
chomp;
|
|
||||||
|
|
||||||
# ignore blank lines
|
|
||||||
next if /^\s*$/;
|
|
||||||
|
|
||||||
if (/^Defaults\s+/i) {
|
|
||||||
my $opt=$';
|
|
||||||
$opt=~s/\s+$//; # remove trailing whitespace
|
|
||||||
push @options,$opt;
|
|
||||||
} elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
|
|
||||||
|
|
||||||
# Aliases or Definitions
|
|
||||||
my ($p1,$p2,$p3)=($1,$2,$3);
|
|
||||||
$p2=~s/\s+$//; # remove trailing whitespace
|
|
||||||
$p3=~s/\s+$//; # remove trailing whitespace
|
|
||||||
|
|
||||||
if ($p1 eq "User_Alias") {
|
|
||||||
$UA{$p2}=$p3;
|
|
||||||
} elsif ($p1 eq "Runas_Alias") {
|
|
||||||
$RA{$p2}=$p3;
|
|
||||||
} elsif ($p1 eq "Host_Alias") {
|
|
||||||
$HA{$p2}=$p3;
|
|
||||||
} elsif ($p1 eq "Cmnd_Alias") {
|
|
||||||
$CA{$p2}=$p3;
|
|
||||||
} else {
|
|
||||||
if (!$did_defaults++){
|
|
||||||
# do this once
|
|
||||||
print "dn: cn=defaults,$base\n";
|
|
||||||
print "objectClass: top\n";
|
|
||||||
print "objectClass: sudoRole\n";
|
|
||||||
print "cn: defaults\n";
|
|
||||||
print "description: Default sudoOption's go here\n";
|
|
||||||
print "sudoOption: $_\n" foreach @options;
|
|
||||||
printf "sudoOrder: %d\n", ++$order;
|
|
||||||
print "\n";
|
|
||||||
}
|
|
||||||
# Definition
|
|
||||||
my @users=split /\s*,\s*/,$p1;
|
|
||||||
my @hosts=split /\s*,\s*/,$p2;
|
|
||||||
my @cmds= split /\s*,\s*/,$p3;
|
|
||||||
@options=();
|
|
||||||
print "dn: cn=$users[0],$base\n";
|
|
||||||
print "objectClass: top\n";
|
|
||||||
print "objectClass: sudoRole\n";
|
|
||||||
print "cn: $users[0]\n";
|
|
||||||
# will clobber options
|
|
||||||
print "sudoUser: $_\n" foreach expand(\%UA,@users);
|
|
||||||
print "sudoHost: $_\n" foreach expand(\%HA,@hosts);
|
|
||||||
foreach (@cmds) {
|
|
||||||
if (s/^\(([^\)]+)\)\s*//) {
|
|
||||||
my @runas = split(/:\s*/, $1);
|
|
||||||
if (defined($runas[0])) {
|
|
||||||
print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
|
|
||||||
}
|
|
||||||
if (defined($runas[1])) {
|
|
||||||
print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
|
|
||||||
print "sudoOption: $_\n" foreach @options;
|
|
||||||
printf "sudoOrder: %d\n", ++$order;
|
|
||||||
print "\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
} else {
|
|
||||||
print "parse error: $_\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# recursively expand hash elements
|
|
||||||
sub expand{
|
|
||||||
my $ref=shift;
|
|
||||||
my @a=();
|
|
||||||
|
|
||||||
# preen the line a little
|
|
||||||
foreach (@_){
|
|
||||||
# if NOPASSWD: directive found, mark entire entry as not requiring
|
|
||||||
s/NOPASSWD:\s*// && push @options,"!authenticate";
|
|
||||||
s/PASSWD:\s*// && push @options,"authenticate";
|
|
||||||
s/NOEXEC:\s*// && push @options,"noexec";
|
|
||||||
s/EXEC:\s*// && push @options,"!noexec";
|
|
||||||
s/SETENV:\s*// && push @options,"setenv";
|
|
||||||
s/NOSETENV:\s*// && push @options,"!setenv";
|
|
||||||
s/LOG_INPUT:\s*// && push @options,"log_input";
|
|
||||||
s/NOLOG_INPUT:\s*// && push @options,"!log_input";
|
|
||||||
s/LOG_OUTPUT:\s*// && push @options,"log_output";
|
|
||||||
s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
|
|
||||||
s/[[:upper:]]+://; # silently remove other tags
|
|
||||||
s/\s+$//; # right trim
|
|
||||||
}
|
|
||||||
|
|
||||||
# do the expanding
|
|
||||||
push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
|
|
||||||
@a;
|
|
||||||
}
|
|
@ -1,32 +0,0 @@
|
|||||||
###
|
|
||||||
##
|
|
||||||
## Prototype Name Service Switch configuration for GNU/Linux systems in the namespaces lysergic.dev / syscid.com / liberta.casa
|
|
||||||
#ä
|
|
||||||
## Unless otherwise stated, system/scripts/sh/deploy_directory_client.sh should be run instead of manually setting this file.
|
|
||||||
## georg@lysergic.dev
|
|
||||||
##
|
|
||||||
###
|
|
||||||
|
|
||||||
passwd: sss files
|
|
||||||
group: sss files
|
|
||||||
shadow: sss compat
|
|
||||||
# initgroups: compat
|
|
||||||
|
|
||||||
hosts: files dns
|
|
||||||
networks: files dns
|
|
||||||
|
|
||||||
aliases: files usrfiles
|
|
||||||
ethers: files usrfiles
|
|
||||||
gshadow: files usrfiles
|
|
||||||
netgroup: files nis
|
|
||||||
protocols: files usrfiles
|
|
||||||
publickey: files
|
|
||||||
rpc: files usrfiles
|
|
||||||
services: files usrfiles
|
|
||||||
|
|
||||||
automount: files nis
|
|
||||||
bootparams: files
|
|
||||||
netmasks: files
|
|
||||||
|
|
||||||
sudoers: sss
|
|
||||||
|
|
@ -1,7 +0,0 @@
|
|||||||
[client]
|
|
||||||
socket=/run/mysql/mysql.sock
|
|
||||||
[mysqld]
|
|
||||||
log-error=/var/log/mysql/mysqld.log
|
|
||||||
port=3306
|
|
||||||
bind-address = 127.0.0.1,10.0.0.31
|
|
||||||
datadir = /var/lib/mysql
|
|
@ -1,15 +0,0 @@
|
|||||||
#include php-fpm;
|
|
||||||
server {
|
|
||||||
listen 192.168.0.110:8084 ssl;
|
|
||||||
server_name adminer-local.one.secure.squirrelcube.xyz;
|
|
||||||
root /mnt/gluster01/web/adminer1;
|
|
||||||
index adminer.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
}
|
|
||||||
|
|
||||||
include php;
|
|
||||||
}
|
|
@ -1,41 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.110:8084 ssl;
|
|
||||||
server_name dnsui-local.one.secure.squirrelcube.xyz;
|
|
||||||
root /mnt/gluster01/web/dnsui1/public_html;
|
|
||||||
index init.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
# auth_basic "NS1 Intranet";
|
|
||||||
# auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ @php;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location @php {
|
|
||||||
rewrite ^/(.*)$ /init.php/$1 last;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location /init.php {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /info.php {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
error_log /var/log/nginx/dnsui1.log;
|
|
||||||
}
|
|
@ -1,123 +0,0 @@
|
|||||||
server {
|
|
||||||
# server_name localhost;
|
|
||||||
listen 127.0.0.1:9191;
|
|
||||||
root /mnt/gluster01/web/liberta.casa;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
server_name qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion;
|
|
||||||
listen 127.0.0.1:9191;
|
|
||||||
|
|
||||||
autoindex off;
|
|
||||||
port_in_redirect off;
|
|
||||||
|
|
||||||
location /kiwi/static/config.json {
|
|
||||||
root /mnt/gluster01/web/liberta.casa;
|
|
||||||
rewrite ^/kiwi/static/config.json$ /kiwi_onion/static/config.json;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kiwi {
|
|
||||||
root /mnt/gluster01/web/liberta.casa;
|
|
||||||
index index.html;
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /srv/www/liberta.casa/static/website;
|
|
||||||
index index.html;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
location /register {
|
|
||||||
proxy_pass http://127.0.0.1:8965;
|
|
||||||
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /libcasa {
|
|
||||||
root /srv/www/superseriousstats/libertacasa;
|
|
||||||
index index.html;
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
location /libcasa.info {
|
|
||||||
root /srv/www/superseriousstats/libertacasa;
|
|
||||||
index index.html;
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
location /gamja {
|
|
||||||
root /srv/www/gamja;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /socket {
|
|
||||||
proxy_pass http://192.168.0.110:8068;
|
|
||||||
proxy_read_timeout 600s;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /convos {
|
|
||||||
rewrite ^/convos/?(.*)$ /$1 break;
|
|
||||||
proxy_pass http://[::1]:8089;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Request-Base "$scheme://$host/convos";
|
|
||||||
}
|
|
||||||
|
|
||||||
location /candy {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
index index.html;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
location /candy-source {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
error_log /var/log/nginx/liberta.casa.err;
|
|
||||||
|
|
||||||
|
|
||||||
#location / {
|
|
||||||
# root /srv/www/liberta.casa;
|
|
||||||
# try_files $uri $uri/ =404;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location /webirc {
|
|
||||||
proxy_pass http://127.0.0.2:6669;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
#server {
|
|
||||||
# server_name cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion;
|
|
||||||
# listen 9191;
|
|
||||||
#
|
|
||||||
# location /webirc {
|
|
||||||
# proxy_pass http://127.0.0.2:6668;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# }
|
|
||||||
#}
|
|
@ -1,11 +0,0 @@
|
|||||||
#server {
|
|
||||||
# listen 81.16.19.64:80 default_server;
|
|
||||||
# listen 45.129.182.13:80 default_server;
|
|
||||||
# listen [2a03:4000:47:58a::]:80 default_server;
|
|
||||||
# return 302 https://$host$request_uri;
|
|
||||||
#}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80 default_server;
|
|
||||||
return 302 https://$host$request_uri;
|
|
||||||
}
|
|
@ -1,79 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
server_name wildfly-keycloak-prod-theia.two.secure.squirrelcube.xyz;
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.5:10090;
|
|
||||||
proxy_set_header Host $host:10090;
|
|
||||||
proxy_set_header Origin http://$host:10090;
|
|
||||||
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass_request_headers on;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
|
|
||||||
server_name keycloak-prod-theia.two.secure.squirrelcube.xyz;
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://192.168.0.110:8180;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
##
|
|
||||||
## PRODUCTION CONFIG
|
|
||||||
## Keycloak Frontend Load Balancer
|
|
||||||
## Instance: theia
|
|
||||||
##
|
|
||||||
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
|
|
||||||
|
|
||||||
upstream jboss {
|
|
||||||
ip_hash;
|
|
||||||
server 192.168.0.110:8843;
|
|
||||||
server 192.168.0.115:8843;
|
|
||||||
server 192.168.0.120:8843;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
server_name sso.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#location = / {
|
|
||||||
# return 302 /auth/;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://jboss;
|
|
||||||
proxy_cache backcache;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
|
||||||
}
|
|
||||||
proxy_buffer_size 256k;
|
|
||||||
proxy_buffers 4 512k;
|
|
||||||
proxy_busy_buffers_size 512k;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
@ -1,5 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 127.0.0.2:80;
|
|
||||||
server_name theia.local;
|
|
||||||
root /srv/www/lan;
|
|
||||||
}
|
|
@ -1,209 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name libertacasa.xyz libertacasa.info libcasa.info www.libertacasa.xyz www.libertacasa.info www.libcasa.info www.lib.casa www.liberta.casa;
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
#listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
root /srv/www/liberta.casa/static/website;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
return 302 https://liberta.casa;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
server_name libertacasa.net libsh.net libsh.com libsso.net libsso.com;
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
|
|
||||||
root /srv/www/liberta.casa/static/website;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/libertacasa.net.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/libertacasa.net.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
return 302 https://liberta.casa;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
server_name liberta.casa lib.casa;
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
#listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
root /srv/www/liberta.casa/static/website;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/liberta.casa.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/liberta.casa.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /srv/www/liberta.casa/static/website;
|
|
||||||
index index.html;
|
|
||||||
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /kiwi {
|
|
||||||
root /mnt/gluster01/web/liberta.casa;
|
|
||||||
index index.html;
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /register {
|
|
||||||
proxy_pass http://127.0.0.1:8965;
|
|
||||||
add_header Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /webirc {
|
|
||||||
proxy_pass http://192.168.0.110:8068;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /libcasa {
|
|
||||||
root /srv/www/superseriousstats/libertacasa;
|
|
||||||
index index.html;
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
location /libcasa.info {
|
|
||||||
root /srv/www/superseriousstats/libertacasa;
|
|
||||||
index index.html;
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_pass 172.168.100.1:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
location /gamja {
|
|
||||||
root /srv/www/gamja;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /socket {
|
|
||||||
proxy_pass http://192.168.0.110:8068;
|
|
||||||
proxy_read_timeout 600s;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
# location /convos {
|
|
||||||
# proxy_pass http://[::1]:8089;
|
|
||||||
# proxy_read_timeout 600s;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# location ~ ^/(asset|convos-api.yaml|emoji|font|images|themes) {
|
|
||||||
# root /srv/www/convos/convos/public;
|
|
||||||
# }
|
|
||||||
|
|
||||||
location /convos {
|
|
||||||
rewrite ^/convos/?(.*)$ /$1 break;
|
|
||||||
proxy_pass http://[::1]:8089;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Request-Base "$scheme://$host/convos";
|
|
||||||
}
|
|
||||||
|
|
||||||
location /candy {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
index index.html;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
location /candy-source {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
}
|
|
||||||
|
|
||||||
## https://xmpp.org/extensions/xep-0156.html#http
|
|
||||||
## Provides an alternative to SRV lookups, needed for compliance
|
|
||||||
location /.well-known/host-meta {
|
|
||||||
root /srv/www/xmpp;
|
|
||||||
default_type 'application/xrd+xml';
|
|
||||||
add_header Access-Control-Allow-Origin '*' always;
|
|
||||||
}
|
|
||||||
location /.well-known/host-meta.json {
|
|
||||||
root /srv/www/xmpp;
|
|
||||||
default_type 'application/jrd+json';
|
|
||||||
add_header Access-Control-Allow-Origin '*' always;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_log /var/log/nginx/liberta.casa.err;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name katyusha.liberta.casa;
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/irc.casa.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/irc.casa.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://[::1]:8086;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5014,tag=nginx_access_katyusha graylog_old;
|
|
||||||
error_log syslog:server=192.168.0.115:5014,tag=nginx_error_katyusha debug;
|
|
||||||
}
|
|
@ -1,240 +0,0 @@
|
|||||||
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LIBERTA.CASA
|
|
||||||
|
|
||||||
##SYNAPSE
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
|
|
||||||
# For the federation port
|
|
||||||
listen 81.16.19.64:8448 ssl default_server;
|
|
||||||
listen 192.168.0.110:8448 ssl;
|
|
||||||
|
|
||||||
# For bridge
|
|
||||||
listen 127.0.0.2:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
server_name matrix.liberta.casa;
|
|
||||||
|
|
||||||
location ~* ^(\/_matrix|\/_synapse\/client) {
|
|
||||||
proxy_pass http://[::1]:8077;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
client_max_body_size 50M;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/client {
|
|
||||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/server {
|
|
||||||
return 200 '{"m.server": "matrix.liberta.casa:8448"}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://[::1]:8077/;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
# Nginx by default only allows file uploads up to 1M in size
|
|
||||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
||||||
client_max_body_size 50M;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_synapse graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_synapse debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#ELEMENT
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
server_name element.liberta.casa;
|
|
||||||
|
|
||||||
root /mnt/gluster01/web/matrix/element-libertacasa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
server_name m.liberta.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
return 301 https://element.liberta.casa$request_uri;
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_element graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_element debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#SYDENT
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
server_name ident.matrix.liberta.casa;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.4:8074/;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# Nginx by default only allows file uploads up to 1M in size
|
|
||||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
||||||
client_max_body_size 20M;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_sydent graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_sydent debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#DIMENSION
|
|
||||||
server {
|
|
||||||
server_name integrations.matrix.liberta.casa;
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_pass http://127.0.0.1:8184;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_dimension graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_dimension debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#KEYS
|
|
||||||
server {
|
|
||||||
server_name keys.matrix.liberta.casa;
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_pass http://127.0.0.2:8076;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/client {
|
|
||||||
return 200 '{"m.homeserver": {"base_url": "https://keys.matrix.liberta.casa"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/server {
|
|
||||||
return 200 '{"m.server": "keys.matrix.liberta.casa:443"}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_keys graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_keys debug;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#MAUBOT
|
|
||||||
server {
|
|
||||||
server_name maubot.matrix.liberta.casa;
|
|
||||||
listen 81.16.19.64:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/liberta.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
# location /_matrix/maubot/v1/logs {
|
|
||||||
# proxy_pass http://127.0.0.2:29419;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# }
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:29419;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
}
|
|
||||||
|
|
||||||
access_log syslog:server=192.168.0.115:5013,tag=nginx_access_lc_matrix_maubot graylog;
|
|
||||||
error_log syslog:server=192.168.0.115:5013,tag=nginx_error_lc_matrix_maubot debug;
|
|
||||||
|
|
||||||
}
|
|
@ -1,74 +0,0 @@
|
|||||||
upstream mattermost {
|
|
||||||
server 127.0.0.2:8065;
|
|
||||||
keepalive 32;
|
|
||||||
}
|
|
||||||
|
|
||||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen 192.168.0.110:443 ssl http2;
|
|
||||||
server_name mattermost.casa;
|
|
||||||
|
|
||||||
http2_push_preload on;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/mattermost.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/mattermost.casa/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_early_data on;
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
#ssl_session_cache shared:SSL:50m;
|
|
||||||
add_header Strict-Transport-Security max-age=15768000;
|
|
||||||
#add_header X-Early-Data $tls1_3_early_data;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location /libcasa/channels/town-square {
|
|
||||||
return https://mattermost.casa/libcasa/channels/libcasa;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
|
||||||
client_max_body_size 50M;
|
|
||||||
proxy_buffers 256 16k;
|
|
||||||
proxy_buffer_size 16k;
|
|
||||||
client_body_timeout 60;
|
|
||||||
send_timeout 300;
|
|
||||||
lingering_timeout 5;
|
|
||||||
proxy_connect_timeout 90;
|
|
||||||
proxy_send_timeout 300;
|
|
||||||
proxy_read_timeout 90s;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_pass http://mattermost;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_set_header Connection "";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
|
||||||
client_max_body_size 50M;
|
|
||||||
proxy_buffers 256 16k;
|
|
||||||
proxy_buffer_size 16k;
|
|
||||||
proxy_read_timeout 600s;
|
|
||||||
proxy_cache mattermost_cache;
|
|
||||||
proxy_cache_revalidate on;
|
|
||||||
proxy_cache_min_uses 2;
|
|
||||||
proxy_cache_use_stale timeout;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_pass http://mattermost;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,18 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 45.129.182.13:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name 3zy.de;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/3zy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/3zy.de/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /mnt/gluster01/mirror;
|
|
||||||
# fancyindex on;
|
|
||||||
# fancyindex_exact_size on;
|
|
||||||
autoindex on;
|
|
||||||
autoindex_exact_size on;
|
|
||||||
autoindex_localtime on;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,16 +0,0 @@
|
|||||||
include php-fpm;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 192.168.0.110:8083 ssl;
|
|
||||||
server_name nsedit1-local.secure.squirrelcube.xyz;
|
|
||||||
root /mnt/gluster01/web/nsedit1;
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
}
|
|
||||||
|
|
||||||
include php;
|
|
||||||
}
|
|
@ -1,41 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 127.0.0.2:8085 ssl;
|
|
||||||
server_name omnidb-local.one.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:8086;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Ssl https;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
|
||||||
proxy_set_header X-Forwarded-Port 443;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 45.129.182.13:25483 ssl;
|
|
||||||
listen [2a03:4000:47:58a::]:25483 ssl;
|
|
||||||
server_name omnidb1.one.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://omnidb-backend.one.secure.squirrelcube.xyz:25482;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Ssl https;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
|
||||||
proxy_set_header X-Forwarded-Port 25483;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,28 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name tp.3gy.de one.tp.3gy.de *.one.secure.squirrelcube.xyz;
|
|
||||||
listen 45.129.182.13:443 ssl;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/tp.3gy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/tp.3gy.de/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
#ssl_ciphers
|
|
||||||
#ssl_prefer_server_ciphers
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://[::1]:3080/;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_read_timeout 3600;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,301 +0,0 @@
|
|||||||
#Prosody (DEPRECATED!)
|
|
||||||
#server {
|
|
||||||
# listen 81.16.19.64:443 ssl http2;
|
|
||||||
# listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
# server_name xmpp.liberta.casa;
|
|
||||||
#
|
|
||||||
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
|
|
||||||
# ssl_session_timeout 1d;
|
|
||||||
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
# ssl_session_tickets off;
|
|
||||||
#
|
|
||||||
# ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
# ssl_prefer_server_ciphers off;
|
|
||||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
# ssl_stapling on;
|
|
||||||
# ssl_stapling_verify on;
|
|
||||||
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
# resolver 127.0.0.4;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# proxy_pass http://[::1]:5280;
|
|
||||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
#
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# location /xmpp-websocket {
|
|
||||||
# proxy_pass http://[::1]:5280/xmpp-websocket;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_read_timeout 900s;
|
|
||||||
# }
|
|
||||||
# location /candy/http-bind {
|
|
||||||
# proxy_pass https://127.0.0.2:5443/http-bind;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_read_timeout 900s;
|
|
||||||
# }
|
|
||||||
# location /candy {
|
|
||||||
# root /srv/www/candy/;
|
|
||||||
# index index.html;
|
|
||||||
# }
|
|
||||||
# location /candy-source {
|
|
||||||
# root /srv/www/candy/;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
#mod_http_upload_external
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 81.16.19.64:443 ssl http2;
|
|
||||||
# listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
#
|
|
||||||
# server_name up.xmpp.liberta.casa;
|
|
||||||
#
|
|
||||||
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
|
|
||||||
# ssl_session_timeout 1d;
|
|
||||||
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
# ssl_session_tickets off;
|
|
||||||
#
|
|
||||||
# ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
# ssl_prefer_server_ciphers off;
|
|
||||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
# ssl_stapling on;
|
|
||||||
# ssl_stapling_verify on;
|
|
||||||
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
# resolver 127.0.0.4;
|
|
||||||
#
|
|
||||||
## client_max_body_size 50m;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# if ( $request_method = OPTIONS ) {
|
|
||||||
# add_header Access-Control-Allow-Origin '*';
|
|
||||||
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
|
|
||||||
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
|
|
||||||
# add_header Access-Control-Allow-Credentials 'true';
|
|
||||||
# add_header Content-Length 0;
|
|
||||||
# add_header Content-Type text/plain;
|
|
||||||
# return 200;
|
|
||||||
# }
|
|
||||||
# proxy_pass http://[::1]:5050/upload/;
|
|
||||||
# proxy_request_buffering off;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 81.16.19.64:443 ssl http2;
|
|
||||||
# listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
# server_name xmpp.lib.casa;
|
|
||||||
#
|
|
||||||
# ssl_certificate /etc/letsencrypt/live/xmpp.liberta.casa/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/letsencrypt/live/xmpp.liberta.casa/privkey.pem;
|
|
||||||
# ssl_session_timeout 1d;
|
|
||||||
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
# ssl_session_tickets off;
|
|
||||||
#
|
|
||||||
# ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
# ssl_prefer_server_ciphers off;
|
|
||||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
# ssl_stapling on;
|
|
||||||
# ssl_stapling_verify on;
|
|
||||||
# #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
# resolver 127.0.0.4;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# root /srv/www/jappix;
|
|
||||||
# index index.php;
|
|
||||||
# location ~ \.php$ {
|
|
||||||
# fastcgi_pass 172.168.100.1:9100;
|
|
||||||
# include fastcgi_params;
|
|
||||||
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# error_log /var/log/nginx/xmpp.lib.casa.err;
|
|
||||||
#}
|
|
||||||
|
|
||||||
|
|
||||||
####
|
|
||||||
## ejabberd
|
|
||||||
####
|
|
||||||
|
|
||||||
## mod_http_upload
|
|
||||||
|
|
||||||
perl_modules /usr/local/lib/perl;
|
|
||||||
perl_require upload.pm;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
listen 127.0.0.2:443 ssl http2;
|
|
||||||
server_name up.xmpp.lib.casa up.xmpp.liberta.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
root /opt/ejabberd/upload;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
perl upload::handle;
|
|
||||||
}
|
|
||||||
|
|
||||||
client_max_body_size 40m;
|
|
||||||
|
|
||||||
# location / {
|
|
||||||
# if ( $request_method = OPTIONS ) {
|
|
||||||
# add_header Access-Control-Allow-Origin '*';
|
|
||||||
# add_header Access-Control-Allow-Methods 'PUT, GET, OPTIONS, HEAD';
|
|
||||||
# add_header Access-Control-Allow-Headers 'Authorization, Content-Type';
|
|
||||||
# add_header Access-Control-Allow-Credentials 'true';
|
|
||||||
# add_header Content-Length 0;
|
|
||||||
# add_header Content-Type text/plain;
|
|
||||||
# return 200;
|
|
||||||
# }
|
|
||||||
# proxy_pass http://127.0.0.2:5443;
|
|
||||||
# proxy_request_buffering off;
|
|
||||||
# }
|
|
||||||
|
|
||||||
error_log /var/log/nginx/up.xmpp.lib.casa.err;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## Everything
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 81.16.19.64:443 ssl http2;
|
|
||||||
listen [2a03:4000:47:58a::]:443 ssl http2;
|
|
||||||
server_name xmpp.liberta.casa xmpp.lib.casa jabber.liberta.casa jabber.lib.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lego/certificates/xmpp.liberta.casa.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/lego/certificates/xmpp.liberta.casa.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
#location / {
|
|
||||||
# proxy_pass https://127.0.0.2:5443;
|
|
||||||
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
#
|
|
||||||
#}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /srv/www/xmpp;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /upload {
|
|
||||||
return https://up.xmpp.lib.casa;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /bosh {
|
|
||||||
proxy_pass https://127.0.0.2:5443;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /ws {
|
|
||||||
proxy_pass https://127.0.0.2:5443;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
}
|
|
||||||
|
|
||||||
# location /xmpp-websocket {
|
|
||||||
# proxy_pass http://[::1]:5280/xmpp-websocket;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# proxy_set_header Upgrade $http_upgrade;
|
|
||||||
# proxy_set_header Connection "Upgrade";
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_read_timeout 900s;
|
|
||||||
# }
|
|
||||||
location /candy/http-bind {
|
|
||||||
proxy_pass https://127.0.0.2:5443/http-bind;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_read_timeout 900s;
|
|
||||||
}
|
|
||||||
location /candy {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
location /candy-source {
|
|
||||||
root /srv/www/candy/;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_log /var/log/nginx/xmpp.lib.casa.err;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## ejabberd_web_admin
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 127.0.0.2:443 ssl http2;
|
|
||||||
server_name ejabberd-local.one.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:5280;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name www.lysergic.dev lysergic.dev;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSLS:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
root /srv/www/htdocs/bastelstube;
|
|
||||||
index index.html;
|
|
||||||
|
|
||||||
|
|
||||||
location /.well-known/matrix/client {
|
|
||||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/server {
|
|
||||||
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,17 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name status.liberta.casa status.lib.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://cachet.local:8033;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,30 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl;
|
|
||||||
server_name confluence.psyched.dev;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/psyched/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/psyched/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 5m;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
#ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
client_max_body_size 100m;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_pass http://localhost:8090;
|
|
||||||
}
|
|
||||||
location /synchrony {
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_pass http://localhost:8091/synchrony;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,17 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2 default_server;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2 default_server;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
root /srv/www/htdocs/default;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:80 default_server;
|
|
||||||
listen [2a03:4000:55:d20::]:80 default_server;
|
|
||||||
|
|
||||||
root /srv/www/htdocs/default;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
@ -1,27 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.115:8084 ssl;
|
|
||||||
server_name dnsui-local.two.secure.squirrelcube.xyz;
|
|
||||||
root /mnt/gluster01/web/dnsui2/public_html;
|
|
||||||
index init.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ @php;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location @php {
|
|
||||||
rewrite ^/(.*)$ /init.php/$1 last;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location /init.php {
|
|
||||||
fastcgi_pass 172.168.100.2:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,38 +0,0 @@
|
|||||||
#Drone (only for RPC access from other nodes - UI access is proxied directly through Teleport)
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:443 ssl http2;
|
|
||||||
server_name drone.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://drone-local.two.secure.squirrelcube.xyz;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#Runner Exec
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:443 ssl http2;
|
|
||||||
server_name drone-runner-exec-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.3:3000;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#Runner SSH
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:443 ssl http2;
|
|
||||||
server_name drone-runner-ssh-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.3:3001;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,39 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name pad.hugz.io pad.lsd25.dev pad.lysergic.dev;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:9001;
|
|
||||||
proxy_buffering off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_pass_header Server;
|
|
||||||
|
|
||||||
# Note you might want to pass these headers etc too.
|
|
||||||
proxy_set_header X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
|
||||||
proxy_http_version 1.1; # recommended with keepalive connections
|
|
||||||
|
|
||||||
# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,23 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name georg-pfuetzenreuter.net pfuetzenreuter.at gippy.at;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/georg/533088712.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/georg/my.key;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSLS:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/georg/533088712.ca-bundle;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
root /srv/www/htdocs/georg;
|
|
||||||
index index.html;
|
|
||||||
|
|
||||||
}
|
|
@ -1,65 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
server_name git.lysergic.dev git.de.com;
|
|
||||||
|
|
||||||
return 302 https://git.com.de;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/liberta.casa/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/liberta.casa/private/privkey.pem;
|
|
||||||
|
|
||||||
server_name git.casa;
|
|
||||||
|
|
||||||
# return 302 https://git.com.de/libertacasa;
|
|
||||||
|
|
||||||
|
|
||||||
root /srv/www/htdocs;
|
|
||||||
|
|
||||||
try_files $uri @cgit;
|
|
||||||
|
|
||||||
location @cgit {
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME /srv/www/cgi-bin/cgit/cgit.cgi;
|
|
||||||
fastcgi_param PATH_INFO $uri;
|
|
||||||
fastcgi_param QUERY_STRING $args;
|
|
||||||
fastcgi_param HTTP_HOST $server_name;
|
|
||||||
fastcgi_pass unix:/run/fcgiwrap.sock;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
listen 192.168.0.115:443 ssl http2;
|
|
||||||
|
|
||||||
server_name git.com.de;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:3501;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
server_name grafana.lysergic.dev;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 5m;
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://[::1]:3000/;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,42 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.115:8087 ssl;
|
|
||||||
server_name graylog-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:9000;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 202.61.255.116:443 ssl http2;
|
|
||||||
# listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
# server_name glpub.two.secure.squirrelcube.xyz;
|
|
||||||
#
|
|
||||||
# ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
# ssl_session_timeout 1d;
|
|
||||||
# ssl_session_cache shared:MozSSLS:10m;
|
|
||||||
# ssl_session_tickets off;
|
|
||||||
# ssl_protocols TLSv1.3;
|
|
||||||
# ssl_prefer_server_ciphers off;
|
|
||||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
# ssl_stapling on;
|
|
||||||
# ssl_stapling_verify on;
|
|
||||||
# ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
# resolver 127.0.0.4;
|
|
||||||
#
|
|
||||||
# location /streams {
|
|
||||||
# proxy_pass http://127.0.0.1:9000/;
|
|
||||||
# proxy_set_header X-Forwarded-Host $host;
|
|
||||||
# proxy_set_header X-Forwarded-Server $host;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_http_version 1.1;
|
|
||||||
# }
|
|
||||||
#}
|
|
@ -1,57 +0,0 @@
|
|||||||
#server_names_hash_bucket_size 64;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
# tls configuration that is not covered in this guide
|
|
||||||
# we recommend the use of https://certbot.eff.org/
|
|
||||||
server_name meet.lysergic.dev meet.liberta.casa meet.lib.casa;
|
|
||||||
# set the root
|
|
||||||
root /srv/jitsi-meet;
|
|
||||||
index index.html;
|
|
||||||
location ~ ^/([a-zA-Z0-9=_\-\?]+)$ {
|
|
||||||
rewrite ^/(.*)$ / break;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
ssi on;
|
|
||||||
}
|
|
||||||
# BOSH, Bidirectional-streams Over Synchronous HTTP
|
|
||||||
# https://en.wikipedia.org/wiki/BOSH_(protocol)
|
|
||||||
location = /http-bind {
|
|
||||||
proxy_pass http://127.0.0.1:5280/http-bind;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_method POST;
|
|
||||||
proxy_buffering off;
|
|
||||||
tcp_nodelay on;
|
|
||||||
}
|
|
||||||
# external_api.js must be accessible from the root of the
|
|
||||||
# installation for the electron version of Jitsi Meet to work
|
|
||||||
# https://github.com/jitsi/jitsi-meet-electron
|
|
||||||
location /external_api.js {
|
|
||||||
alias /srv/jitsi-meet/libs/external_api.min.js;
|
|
||||||
}
|
|
||||||
# xmpp websockets
|
|
||||||
location /xmpp-websocket {
|
|
||||||
proxy_pass http://127.0.0.1:5280/xmpp-websocket;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
tcp_nodelay on;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
server_name meet-auth.sso.casa;
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:3002;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,219 +0,0 @@
|
|||||||
#########################################
|
|
||||||
## SECTION 1 ##
|
|
||||||
## DEVELOPMENT / STAGING CONFIGURATION ##
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name auth.syscid.com sso.syscid.com;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
|
||||||
|
|
||||||
# location /auth {
|
|
||||||
# return 302 https://auth.syscid.com/auth/realms/master/account/;
|
|
||||||
# }
|
|
||||||
# location /auth/realms/master/account/ {
|
|
||||||
# proxy_pass https://10.0.0.10;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header X-Forwarded-Host $host;
|
|
||||||
# proxy_set_header X-Forwarded-Server $host;
|
|
||||||
# proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# }
|
|
||||||
location / {
|
|
||||||
proxy_pass https://10.0.0.10;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
|
|
||||||
server_name keycloak-internal.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
|
||||||
|
|
||||||
return 302 https://keycloak.two.secure.squirrelcube.xyz/admin/master/console/;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://10.0.0.10;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#########################################
|
|
||||||
## SECTION 2 ##
|
|
||||||
## Everything below here is PRODUCTION ##
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
##
|
|
||||||
## WildFly Management UI access through Teleport
|
|
||||||
##
|
|
||||||
server {
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
server_name wildfly-keycloak-prod-orpheus.two.secure.squirrelcube.xyz;
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.5:9990;
|
|
||||||
|
|
||||||
## This bit does not look production worthy, I think we can remove the commented out lines, but am not sure yet. should check whether the correct IP address is passed through to WildFly on failed authentication attempts.
|
|
||||||
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header X-Forwarded-Host $host;
|
|
||||||
# proxy_set_header X-Forwarded-Server $host;
|
|
||||||
# proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
# proxy_set_header Authorization $http_authorization;
|
|
||||||
# proxy_pass_header Authorization;
|
|
||||||
proxy_set_header Host $host:10090;
|
|
||||||
proxy_set_header Origin http://$host:10090;
|
|
||||||
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass_request_headers on;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
##
|
|
||||||
## Used for testing of the AdminUrl backend to rule out issues by the Teleport proxy
|
|
||||||
##
|
|
||||||
#server {
|
|
||||||
# listen 127.0.0.1:443 ssl http2;
|
|
||||||
# listen 192.168.0.115:443 ssl http2;
|
|
||||||
#
|
|
||||||
# server_name intra.sso.casa;
|
|
||||||
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# proxy_pass https://192.168.0.115:8843/;
|
|
||||||
# proxy_ssl_verify off;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# #proxy_set_header X-Forwarded-Host $host;
|
|
||||||
# #proxy_set_header X-Forwarded-Server $host;
|
|
||||||
# #proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
# proxy_set_header X-Forwarded-Proto https;
|
|
||||||
# }
|
|
||||||
# proxy_buffer_size 128k;
|
|
||||||
# proxy_buffers 4 256k;
|
|
||||||
# proxy_busy_buffers_size 256k;
|
|
||||||
#}
|
|
||||||
|
|
||||||
##
|
|
||||||
## Standalone Keycloak Frontend on Orpheus
|
|
||||||
##
|
|
||||||
|
|
||||||
#server {
|
|
||||||
# listen 202.61.255.116:443 ssl http2;
|
|
||||||
# listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
#
|
|
||||||
# server_name sso.casa;
|
|
||||||
#
|
|
||||||
# ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
|
||||||
# ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# proxy_pass https://192.168.0.115:8843/;
|
|
||||||
# proxy_ssl_verify off;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# #proxy_set_header X-Forwarded-Host $host;
|
|
||||||
# #proxy_set_header X-Forwarded-Server $host;
|
|
||||||
# #proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
# proxy_set_header X-Forwarded-Proto https;
|
|
||||||
# }
|
|
||||||
# proxy_buffer_size 128k;
|
|
||||||
# proxy_buffers 4 256k;
|
|
||||||
# proxy_busy_buffers_size 256k;
|
|
||||||
#
|
|
||||||
## location ~ /auth/admin {
|
|
||||||
## deny all;
|
|
||||||
## return 403;
|
|
||||||
## }
|
|
||||||
#
|
|
||||||
#}
|
|
||||||
|
|
||||||
##
|
|
||||||
## Keycloak Frontend Load Balancer
|
|
||||||
##
|
|
||||||
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
|
|
||||||
|
|
||||||
upstream jboss {
|
|
||||||
ip_hash;
|
|
||||||
server 192.168.0.110:8843;
|
|
||||||
server 192.168.0.115:8843;
|
|
||||||
server 192.168.0.120:8843;
|
|
||||||
|
|
||||||
# only available in NGINX Plus - very sad!!
|
|
||||||
# sticky learn
|
|
||||||
# create=$upstream_cookie_AUTH_SESSION_ID
|
|
||||||
# lookup=$cookie_AUTH_SESSION_ID
|
|
||||||
# zone=client_sessions:1m;
|
|
||||||
}
|
|
||||||
|
|
||||||
# same ordeal
|
|
||||||
#match jboss_check {
|
|
||||||
# status 200;
|
|
||||||
# header Content-Type = text/html;
|
|
||||||
# body ~ "WildFly is running";
|
|
||||||
#}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
listen 127.0.0.1:443 ssl http2;
|
|
||||||
server_name sso.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#location = / {
|
|
||||||
# return 302 /auth/;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://jboss;
|
|
||||||
proxy_cache backcache;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
|
||||||
|
|
||||||
# yup, nginx plus
|
|
||||||
#health_check match=jboss_check;
|
|
||||||
}
|
|
||||||
proxy_buffer_size 256k;
|
|
||||||
proxy_buffers 4 512k;
|
|
||||||
proxy_busy_buffers_size 512k;
|
|
||||||
|
|
||||||
}
|
|
@ -1,79 +0,0 @@
|
|||||||
##WEBSERVER DEFINITIONS FOR ALL MATRIX SERVICES ON LYSERGIC.DEV
|
|
||||||
|
|
||||||
##SYNAPSE
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl;
|
|
||||||
|
|
||||||
# For the federation port
|
|
||||||
listen 202.61.255.116:8448 ssl default_server;
|
|
||||||
listen [2a03:4000:55:d20::]:8448 ssl;
|
|
||||||
listen 192.168.0.115:8448 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
server_name matrix.lysergic.dev;
|
|
||||||
|
|
||||||
location ~* ^(\/_matrix|\/_synapse\/client) {
|
|
||||||
proxy_pass http://[::1]:8763;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
client_max_body_size 100M;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/client {
|
|
||||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.lysergic.dev"}, "m.identity_server": {"base_url": "https://ident.matrix.liberta.casa"}}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.well-known/matrix/server {
|
|
||||||
return 200 '{"m.server": "matrix.lysergic.dev:8448"}';
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://[::1]:8763/;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
client_max_body_size 100M;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#ELEMENT
|
|
||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl;
|
|
||||||
server_name element.lysergic.dev;
|
|
||||||
|
|
||||||
root /mnt/gluster01/web/matrix/element-lysergic;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
}
|
|
||||||
|
|
@ -1,15 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name 3zy.de;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/3zy.de/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/3zy.de/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /mnt/gluster01/mirror;
|
|
||||||
fancyindex on;
|
|
||||||
fancyindex_exact_size on;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,22 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.115:8084 ssl;
|
|
||||||
server_name phpldapadmin-local.two.secure.squirrelcube.xyz;
|
|
||||||
root /srv/www/phpLDAPadmin/phpLDAPadmin/htdocs;
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_pass 172.168.100.2:9100;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name pasta.lysergic.dev p.lsd25.dev p.lsd-25.dev;
|
|
||||||
listen 202.61.255.116:443;
|
|
||||||
listen [2a03:4000:55:d20::]:443;
|
|
||||||
root /mnt/gluster01/web/privatebin/PrivateBin;
|
|
||||||
index index.php;
|
|
||||||
charset utf-8;
|
|
||||||
disable_symlinks off;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
client_max_body_size 300M;
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_pass 172.168.100.2:9100;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,67 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.115:8092 ssl http2;
|
|
||||||
server_name prometheus-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://172.16.9.2:9090/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:8093 ssl http2;
|
|
||||||
server_name prometheus-alertmanager-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://172.16.9.2:9093/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:8094 ssl http2;
|
|
||||||
server_name prometheus-blackbox-exporter-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://172.16.9.2:9115/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:8095 ssl http2;
|
|
||||||
server_name prometheus-nginx-exporter-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://172.16.9.2:9113/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:8095 ssl http2;
|
|
||||||
server_name prometheus-wireguard-exporter-mercury.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://172.16.9.2:9586/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 192.168.0.115:8095 ssl http2;
|
|
||||||
server_name prometheus-wireguard-exporter-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:9586/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name scooper.irc.lsd.systems;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/irc/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/irc/private/privkey.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSLS:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
fastcgi_pass unix:/var/run/kfcgi/scooper.sock;
|
|
||||||
fastcgi_split_path_info (/)(.*);
|
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
||||||
include fastcgi_params;
|
|
||||||
auth_basic "I <3 Internet Relay Chat";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/scooper;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name lsd25.xyz;
|
|
||||||
listen 202.61.255.116:443;
|
|
||||||
listen [2a03:4000:55:d20::]:443;
|
|
||||||
root /mnt/gluster01/web/shlink-web;
|
|
||||||
index index.html;
|
|
||||||
charset utf-8;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
|
||||||
expires -1;
|
|
||||||
}
|
|
||||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
|
||||||
expires 1M;
|
|
||||||
add_header Cache-Control "public";
|
|
||||||
}
|
|
||||||
location ~* \.(?:css|js)$ {
|
|
||||||
expires 1y;
|
|
||||||
add_header Cache-Control "public";
|
|
||||||
}
|
|
||||||
location ~* .+\.(css|js|html|png|jpe?g|gif|bmp|ico|json|csv|otf|eot|svg|svgz|ttf|woff|woff2|ijmap|pdf|tif|map) {
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
auth_basic "Lysergic URL Shortening Service";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/shlink-web;
|
|
||||||
try_files $uri $uri/ /index.html$is_args$args;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,29 +0,0 @@
|
|||||||
include php-fpm;
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name lsd25.dev lsd-25.dev mcdonalds.pw;
|
|
||||||
listen 202.61.255.116:443;
|
|
||||||
listen [2a03:4000:55:d20::]:443;
|
|
||||||
root /mnt/gluster01/web/shlink/public;
|
|
||||||
index index.php;
|
|
||||||
charset utf-8;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_pass 172.168.100.2:9100;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ /\.ht {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.116:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name orpheus.syscid.com www.syscid.com;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/syscid/orpheus.psyched.dev.crt;
|
|
||||||
ssl_certificate_key /etc/ssl/syscid/orpheus.psyched.dev.key;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /srv/www/htdocs/syscid;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,28 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name tp.3gy.de two.tp.3gy.de *.two.secure.squirrelcube.xyz;
|
|
||||||
listen 202.61.255.116:443 ssl;
|
|
||||||
listen [2a03:4000:55:d20::]:443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
#ssl_ciphers
|
|
||||||
#ssl_prefer_server_ciphers
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://[::1]:3080/;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_read_timeout 3600;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,23 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.115:8086 ssl;
|
|
||||||
server_name xen-orchestra-local.two.secure.squirrelcube.xyz;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://127.0.0.2:8089;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_redirect default;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_read_timeout 1800;
|
|
||||||
client_max_body_size 4G;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,31 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name 3gy.de;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/mail/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
|
|
||||||
resolver 172.168.100.2;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
root /srv/www/htdocs/3gy/;
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,34 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name hugz.io up.hugz.io www.hugz.io;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/hugz/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/hugz/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
|
|
||||||
error_page 403 /beauties-ip.html;
|
|
||||||
location = /beauties-ip.html {
|
|
||||||
root /srv/www/error;
|
|
||||||
allow all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://192.168.0.120:8922;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
client_max_body_size 200M;
|
|
||||||
types {} default_type "text/plain; charset=utf-8";
|
|
||||||
deny 2a01:7e00::f03c:91ff:feae:d55;
|
|
||||||
deny 176.58.107.169;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,31 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2;
|
|
||||||
listen 192.168.0.120:443 ssl http2;
|
|
||||||
|
|
||||||
server_name party.lysergic.dev;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
resolver 127.0.0.4;
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:8250;
|
|
||||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /jsxc {
|
|
||||||
root /srv/www/jsxc.party;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,16 +0,0 @@
|
|||||||
#server {
|
|
||||||
# listen 202.61.255.100:80 default_server;
|
|
||||||
#
|
|
||||||
# root /srv/www/htdocs/default;
|
|
||||||
# index index.html;
|
|
||||||
#}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2 default_server;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2 default_server;
|
|
||||||
|
|
||||||
root /srv/www/htdocs/default;
|
|
||||||
index index.html;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/parking/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.100:80;
|
|
||||||
listen 192.168.0.120:80;
|
|
||||||
server_name deploy.squirrelcube.xyz;
|
|
||||||
root /srv/www/deploy;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
autoindex on;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /secret {
|
|
||||||
auth_basic "Lysergic Deployment Services";
|
|
||||||
auth_basic_user_file /etc/nginx/auth/deployment;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,27 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.120:8084 ssl;
|
|
||||||
server_name dnsui-local.secure.squirrelcube.xyz;
|
|
||||||
root /mnt/gluster01/web/dnsui3/public_html;
|
|
||||||
index init.php;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/tp/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/tp/private/privkey.pem;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ @php;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location @php {
|
|
||||||
rewrite ^/(.*)$ /init.php/$1 last;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
location /init.php {
|
|
||||||
fastcgi_pass 172.168.100.3:9100;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
auth_basic "NS1 Intranet";
|
|
||||||
auth_basic_user_file /mnt/gluster01/web/auth/dnsui;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,6 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 202.61.255.100:80 default_server;
|
|
||||||
listen [2a03:4000:55:d1d::]:80 default_server;
|
|
||||||
listen 81.16.18.137:80 default_server;
|
|
||||||
return 302 https://$host$request_uri;
|
|
||||||
}
|
|
@ -1,43 +0,0 @@
|
|||||||
##
|
|
||||||
## PRODUCTION CONFIG
|
|
||||||
## Keycloak Frontend Load Balancer
|
|
||||||
## Instance: selene
|
|
||||||
##
|
|
||||||
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;
|
|
||||||
|
|
||||||
upstream jboss {
|
|
||||||
ip_hash;
|
|
||||||
server 192.168.0.110:8843;
|
|
||||||
server 192.168.0.115:8843;
|
|
||||||
server 192.168.0.120:8843;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2;
|
|
||||||
server_name sso.casa;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/libertacasa.net/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/libertacasa.net/private/privkey.pem;
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
#location = / {
|
|
||||||
# return 302 /auth/;
|
|
||||||
#}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://jboss;
|
|
||||||
proxy_cache backcache;
|
|
||||||
proxy_ssl_verify off;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
|
||||||
}
|
|
||||||
proxy_buffer_size 256k;
|
|
||||||
proxy_buffers 4 512k;
|
|
||||||
proxy_busy_buffers_size 512k;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
@ -1,4 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.120:80;
|
|
||||||
root /srv/www/local;
|
|
||||||
}
|
|
@ -1,124 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 192.168.0.120:443 ssl http2;
|
|
||||||
|
|
||||||
server_name zz0.email;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/mail/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
|
|
||||||
resolver 172.168.100.2;
|
|
||||||
|
|
||||||
location /Microsoft-Server-ActiveSync {
|
|
||||||
proxy_pass http://127.0.0.2:8080/Microsoft-Server-ActiveSync;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_connect_timeout 75;
|
|
||||||
proxy_send_timeout 3650;
|
|
||||||
proxy_read_timeout 3650;
|
|
||||||
proxy_buffers 64 256k;
|
|
||||||
client_body_buffer_size 512k;
|
|
||||||
client_max_body_size 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.2:8080/;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
client_max_body_size 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 202.61.255.100:443 ssl http2;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name sogo.zz0.email zz0.email;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/mail/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/mail/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
ssl_trusted_certificate /etc/ssl/ca-bundle.pem;
|
|
||||||
|
|
||||||
resolver 172.168.100.2;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 302 /SOGo;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /SOGo {
|
|
||||||
proxy_pass http://127.0.0.2:20000;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
|
|
||||||
proxy_set_header x-webobjects-remote-host $remote_addr;
|
|
||||||
proxy_set_header x-webobjects-server-name $server_name;
|
|
||||||
proxy_set_header x-webobjects-server-url https://$http_host;
|
|
||||||
proxy_set_header x-webobjects-server-port $server_port;
|
|
||||||
proxy_send_timeout 3600;
|
|
||||||
proxy_read_timeout 3600;
|
|
||||||
client_body_buffer_size 128k;
|
|
||||||
client_max_body_size 0;
|
|
||||||
break;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
location /SOGo.woa/WebServerResources/ {
|
|
||||||
alias /opt/GNUstep/SOGo/WebServerResources/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /.woa/WebServerResources/ {
|
|
||||||
alias /opt/GNUstep/SOGo/WebServerResources/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /SOGo/WebServerResources/ {
|
|
||||||
alias /opt/GNUstep/SOGo/WebServerResources/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
|
|
||||||
alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
|
|
||||||
}
|
|
||||||
|
|
||||||
#trying to make / serve SOGo with no fuzz....
|
|
||||||
# location /WebServerResources/ {
|
|
||||||
# alias /opt/GNUstep/SOGo/WebServerResources/;
|
|
||||||
# }
|
|
||||||
|
|
||||||
# location (^/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
|
|
||||||
# alias /opt/GNUstep/SOGo/$1.SOGo/Resources/$2;
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
@ -1,71 +0,0 @@
|
|||||||
server {
|
|
||||||
server_name ts.lsd25.xyz;
|
|
||||||
listen 202.61.255.100:443 ssl;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl;
|
|
||||||
|
|
||||||
root /opt/matterbridge/tripsit/bridgemedia;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
|
|
||||||
#ssl_ciphers
|
|
||||||
#ssl_prefer_server_ciphers
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
#ssl_stapling on;
|
|
||||||
#ssl_stapling_verify on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
server_name lc.lsd25.xyz;
|
|
||||||
listen 202.61.255.100:443 ssl;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl;
|
|
||||||
|
|
||||||
root /opt/matterbridge/libertacasa/bridgemedia;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/lysergic/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/lysergic/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
|
|
||||||
#ssl_ciphers
|
|
||||||
#ssl_prefer_server_ciphers
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
#ssl_stapling on;
|
|
||||||
#ssl_stapling_verify on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name lsd.airforce;
|
|
||||||
listen 202.61.255.100:443 ssl;
|
|
||||||
listen [2a03:4000:55:d1d::]:443 ssl;
|
|
||||||
|
|
||||||
root /opt/matterbridge/tripsit/bridgemedia2;
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/parking/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/ssl/parking/private/privkey.pem;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
|
|
||||||
#ssl_ciphers
|
|
||||||
#ssl_prefer_server_ciphers
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
#ssl_stapling on;
|
|
||||||
#ssl_stapling_verify on;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user