authorGeorg Pfuetzenreuter2023-02-12 17:14:41 +0100
committerGeorg Pfuetzenreuter2023-02-12 17:14:41 +0100
commit0a00f3ea9367386847162a10d7548b2d0433ce93 (patch)
treefafacca2b764a7f30013ba5d41e3c841e6f72ea8
parent91089d5d98d1a8833698d719beb7211988a52cb2 (diff)
parent2d5da24ce5d695b3f934ec06c654f7ae754b3fbf (diff)
Merge pull request 'Manage AppArmor on web-proxie's' (#27) from import-denc-webcluster-apparmor into production
Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/27
-rw-r--r--pillar/cluster/denc/web-proxy.sls7
-rw-r--r--salt/profile/apparmor/local.sls9
-rw-r--r--salt/role/web-proxy.sls1
3 files changed, 17 insertions, 0 deletions
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 7b5cebd..7748768 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -209,3 +209,10 @@ firewalld:
services:
- http
- https
+
+profile:
+ apparmor:
+ local:
+ usr.sbin.nginx:
+ - '{{ trustcrt }} r,'
+ - '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'
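Review bot: The first rule, `'{{ trustcrt }} r,'`, depends on a variable defined outside this hunk, and the pillar gives no hint that these strings are written verbatim into an AppArmor include. If `trustcrt` ever renders empty the entry becomes ` r,`, which is not a valid rule and would presumably make the whole nginx profile fail to parse on the next load. A comment above `usr.sbin.nginx:` would make the contract explicit, for example `# written verbatim to /etc/apparmor.d/local/usr.sbin.nginx; each entry must be a complete rule ending in ','`. The `firewalld:` block these lines follow starts outside the hunk.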
diff --git a/salt/profile/apparmor/local.sls b/salt/profile/apparmor/local.sls
new file mode 100644
index 0000000..6dbdff3
--- /dev/null
+++ b/salt/profile/apparmor/local.sls
@@ -0,0 +1,9 @@
+{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
+
+{%- if 'local' in aapillar %}
+{%- for profile, lines in aapillar['local'].items() %}
+/etc/apparmor.d/local/{{ profile }}:
+ file.managed:
+ - contents: {{ lines }}
+{%- endfor %}
+{%- endif %}
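Review bot: Nothing in this new state reloads the AppArmor profile after `/etc/apparmor.d/local/{{ profile }}` changes, so unless a reload is wired up elsewhere the added rules stay inactive and nginx keeps running under the previously loaded policy. An `onchanges` reload per profile would close that gap; the sketch below assumes the parent profile lives at `/etc/apparmor.d/{{ profile }}`, which the page does not show. Separately, `- contents: {{ lines }}` emits the Python list repr and relies on it parsing as a YAML flow sequence, which can break or alter rules containing quotes or backslashes, so it is rendered through the `json` filter here. The pillar key is also used verbatim as a file name written by root, so a key containing `/` would land outside `local/`.

```yaml
# … unchanged: pillar lookup and the if/for wrappers …
/etc/apparmor.d/local/{{ profile }}:
  file.managed:
    - contents: {{ lines | json }}

apparmor_reload_{{ profile }}:
  cmd.run:
    - name: apparmor_parser -r /etc/apparmor.d/{{ profile }}
    - onchanges:
      - file: /etc/apparmor.d/local/{{ profile }}
```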
diff --git a/salt/role/web-proxy.sls b/salt/role/web-proxy.sls
index 81f2293..649c69e 100644
--- a/salt/role/web-proxy.sls
+++ b/salt/role/web-proxy.sls
@@ -1,5 +1,6 @@
include:
- nginx.pkg
+ - profile.apparmor.local
- nginx.config
- nginx.snippets
- nginx.servers