authorGeorg Pfuetzenreuter2023-04-30 14:37:12 +0200
committerGeorg Pfuetzenreuter2023-04-30 14:37:12 +0200
commitb1249e69eb51b619dde5a3b0ffc162c86ffff16f (patch)
tree1b593d83d7c4982d6579641bef14371d1c1d699f
parent87bb69fa376ffd78b6e619732c5c921e131b49f8 (diff)
parentf32d814658a3005654b10e28c0827fb2a9302678 (diff)
downloadsalt-b1249e69eb51b619dde5a3b0ffc162c86ffff16f.tar.gz
salt-b1249e69eb51b619dde5a3b0ffc162c86ffff16f.tar.bz2
salt-b1249e69eb51b619dde5a3b0ffc162c86ffff16f.zip
Merge pull request 'Import themis / PrivateBin' (#40) from privatebin into production
Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/40
-rw-r--r--pillar/id/themis_lysergic_dev.sls98
-rw-r--r--salt/profile/privatebin/init.sls55
-rw-r--r--salt/role/privatebin.sls4
3 files changed, 144 insertions, 13 deletions
diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 0773f4f..67a7757 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -1,9 +1,26 @@
+{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
+
+{%- macro httpdformulaexcess() -%}
+ LogLevel: False
+ ErrorLog: False
+ LogFormat: False
+ CustomLog: False
+ ServerAdmin: False
+ ServerAlias: False
+{%- endmacro -%}
+{%- macro httpdcommon(app) -%}
+ Include {{ common['snippetsdir'] }}ssl_themis.conf
+ <FilesMatch '\.php$'>
+ SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
+ </FilesMatch>
+{%- endmacro -%}
+
apache:
sites:
BookStack:
- interface: '[fd29:8e45:f292:ff80::1]'
- port: 443
- ServerName: bookstack.themis.backend.syscid.com
+ interface: '{{ common['address'] }}'
+ port: {{ common['port'] }}
+ ServerName: bookstack{{ common['domain'] }}
DocumentRoot: /srv/www/BookStack/
DirectoryIndex: index.php
Directory:
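Review bot: The two macros added at the top of this hunk emit multi-line YAML and Apache text whose indentation is fixed inside the macro body, but nothing documents which nesting level they are meant to be expanded at. Only the first emitted line inherits the call site's indentation, so a call from a different depth would presumably render mis-nested keys or a broken block scalar without any template error. I would add a Jinja comment above each macro, for example `{#- expands under apache:sites:<site>; keep body indentation in sync with that level -#}`. The `apache:sites` mapping continues outside this hunk, so the rendered result cannot be checked from here.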
@@ -21,19 +38,26 @@ apache:
RewriteCond '%{REQUEST_FILENAME} !-d'
RewriteCond '%{REQUEST_FILENAME} !-f'
RewriteCond '^ index.php [L]'
- LogLevel: False
- ErrorLog: False
- LogFormat: False
- CustomLog: False
- ServerAdmin: False
- ServerAlias: False
+ {{ httpdformulaexcess() }}
Formula_Append: |
- Include /etc/apache2/snippets.d/ssl_themis.conf
+ {{ httpdcommon('BookStack') }}
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
SetOutputFilter DEFLATE
- <FilesMatch '\.php$'>
- SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
- </FilesMatch>
+
+ PrivateBin:
+ interface: '{{ common['address'] }}'
+ port: {{ common['port'] }}
+ ServerName: privatebin{{ common['domain'] }}
+ DocumentRoot: /srv/www/PrivateBin/public
+ DirectoryIndex: index.php
+ Directory:
+ /srv/www/PrivateBin/:
+ Options: false
+ AllowOverride: None
+ Require: all granted
+ {{ httpdformulaexcess() }}
+ Formula_Append: |
+ {{ httpdcommon('PrivateBin') }}
profile:
bookstack:
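Review bot: The new PrivateBin site sets `DocumentRoot` to `/srv/www/PrivateBin/public` but places `Require: all granted` on the parent `/srv/www/PrivateBin/`, which is wider than the vhost needs. With the document root at `public` the sibling directories are not mapped into URL space today, but a later `Alias` or a document-root change would inherit the grant for configuration and library files. Scoping the block to the served tree keeps the access rule aligned with what is published: `/srv/www/PrivateBin/public/:` in place of `/srv/www/PrivateBin/:`.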
@@ -75,3 +99,51 @@ profile:
saml2_group_attribute: groups
saml2_remove_from_groups: true
queue_connection: database
+
+ privatebin:
+ main:
+ name: Bin
+ fileupload: true
+ syntaxhighlightingtheme: sons-of-obsidian
+ sizelimit: 310485760
+ notice: 'Note: Kittens will die if you abuse this service.'
+ languageselection: true
+ urlshortener: ${'secret_privatebin:main:urlshortener'}
+ qrcode: true
+ expire:
+ default: 1week
+ expire_options:
+ 5min: 300
+ 10min: 600
+ 1hour: 3600
+ 1day: 86400
+ 1week: 604800
+ 1month: 2592000
+ 1year: 31536000
+ never: 0
+ formatter_options:
+ plaintext: Plain Text
+ syntaxhighlighting: Source Code
+ markdown: Markdown
+ traffic:
+ limit: 10
+ header: X_FORWARDED_FOR
+ dir: /var/lib/PrivateBin/limits
+ purge:
+ limit: 300
+ batchsize: 10
+ dir: /var/lib/PrivateBin/limits
+ model:
+ class: Database
+ model_options:
+ dsn: ${'secret_privatebin:model_options:dsn'}
+ tbl: privatebin_
+ usr: ${'secret_privatebin:model_options:usr'}
+ pwd: ${'secret_privatebin:model_options:pwd'}
+ opt[12]: true
+
+firewalld:
+ zones:
+ backend:
+ services:
+ - https
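Review bot: In the `traffic` section, `header: X_FORWARDED_FOR` makes the rate limiter key on a request header, which is only trustworthy if every request reaches this vhost through a proxy that overwrites that header. The ULA listen address and the `backend` firewalld zone suggest that is the case, but the pillar does not say so, and any host allowed to reach port 443 in that zone directly could presumably vary the header to sidestep `limit: 10`. I would record the dependency next to the setting, for example `# relies on the fronting proxy overwriting X-Forwarded-For; do not expose this vhost directly`. Separately, `sizelimit: 310485760` is roughly 296 MiB and differs from PrivateBin's stock 10485760 only by a leading digit, so it is worth confirming that the value is intended.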
diff --git a/salt/profile/privatebin/init.sls b/salt/profile/privatebin/init.sls
new file mode 100644
index 0000000..7b9c036
--- /dev/null
+++ b/salt/profile/privatebin/init.sls
@@ -0,0 +1,55 @@
+{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
+{%- set confdir = '/etc/PrivateBin' -%}
+{%- set configfile = confdir ~ '/conf.php' -%}
+
+privatebin_packages:
+ pkg.installed:
+ - names:
+ - PrivateBin-config-httpd
+
+privatebin_clean:
+ file.directory:
+ - name: {{ confdir }}
+ - clean: True
+ - onchanges:
+ - pkg: privatebin_packages
+ - require:
+ - pkg: privatebin_packages
+
+{%- if mypillar | length %}
+{{ configfile }}:
+ ini.options_present:
+ - separator: '='
+ - strict: True
+ - sections:
+ {%- macro conf(section, options) %}
+ {%- for option in options.keys() -%}
+ {%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
+ {%- set value = mypillar[section][option] -%}
+ {%- else %}
+ {%- set value = mypillar[section][option] | quote -%}
+ {%- endif %}
+ {{ option }}: {{ value }}
+ {%- endfor -%}
+ {%- endmacro %}
+ {%- for section, options in mypillar.items() %}
+ {{ section }}:
+ {{ conf(section, options) }}
+ {%- endfor %}
+ - require:
+ - pkg: privatebin_packages
+ - watch:
+ - file: privatebin_clean
+ - watch_in:
+ - file: privatebin_permissions
+{%- endif %}
+
+privatebin_permissions:
+ file.managed:
+ - mode: '0640'
+ - user: wwwrun
+ - group: privatebin
+ - names:
+ - {{ configfile }}
+ - require:
+ - pkg: privatebin_packages
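Review bot: `privatebin_permissions` makes `wwwrun` the owner of `conf.php` with mode `0640`, so the web server account can rewrite the file that holds the database DSN, user and password. If the PHP-FPM pool reads the file through the `privatebin` group, as the `group:` line suggests, the owner does not need to be the web user and `- user: root` would keep the file read-only to the service. There is also an ordering gap: `privatebin_clean` empties the directory and `ini.options_present` then creates the file, and the mode is only applied afterwards through `watch_in`, so the secrets may briefly sit in a file with default permissions. Creating the file first with a `file.managed` state that sets owner and mode and uses `replace: False`, and having the ini state require it, would close that window.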
diff --git a/salt/role/privatebin.sls b/salt/role/privatebin.sls
new file mode 100644
index 0000000..ec8581d
--- /dev/null
+++ b/salt/role/privatebin.sls
@@ -0,0 +1,4 @@
+include:
+ - role.web.apache-httpd
+ - profile.privatebin
+ - php.fpm