Commit log (graph marker and subject [branch ref], then author, date, files changed, lines removed/added; commit body indented below)
* Update nsd pillar role config [nsd]    Pratyush Desai, 2023-02-20, 1 file, -2/+2
    - add database disable switch under `config_data`
    - remove `ip4-only` switch under `config_data` (it is host dependent)
    Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
* Add pillar ids for nsd    Pratyush Desai, 2023-02-20, 4 files, -0/+22
    - add config data for nsd.
    Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
* add nsd pillar    Pratyush Desai, 2023-02-19, 3 files, -0/+38
* Address salt-lint errors/warnings    Georg Pfuetzenreuter, 2023-02-15, 6 files, -10/+12
    - remove trailing whitespaces
    - format octal modes correctly
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Address yamllint errors/warnings    Georg Pfuetzenreuter, 2023-02-15, 2 files, -2/+5
    - remove spaces, add headers
    - add ignore for line-lengths in .pipeline.yml
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add linting pipeline    Georg Pfuetzenreuter, 2023-02-15, 1 file, -0/+11
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Enable prometheus-formula' (#31) from prometheus-formula into production    Georg Pfuetzenreuter, 2023-02-15, 1 file, -0/+1
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/31
| * Enable prometheus-formula    Georg Pfuetzenreuter, 2023-02-15, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: add ModSecurity adjustments' (#30) from import-denc-webcluster-nginx-modsec into production    Georg Pfuetzenreuter, 2023-02-13, 1 file, -0/+9
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/30
| * denc-webcluster: add ModSecurity adjustments    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+9
    With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: nginx listen on HA addresses' (#29) from import-denc-webcluster-nginx-listen-fixup into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+5
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/29
| * denc-webcluster: nginx listen on HA addresses    Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+5
    Accidentally configured to listen only internally.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'AppArmor: reload on drop-in changes' (#28) from reload-apparmor into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+13
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/28
| * AppArmor: reload on drop-in changes    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+13
    Self-explanatory.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Manage AppArmor on web-proxies' (#27) from import-denc-webcluster-apparmor into production    Georg Pfuetzenreuter, 2023-02-12, 3 files, -0/+17
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/27
| * denc-webcluster: nginx AppArmor rules    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+7
    Allow access to client trust certificate and to static content.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * web-proxy: include apparmor.local    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+1
    Some web proxy servers need additional AppArmor drop-ins, for example for serving static content.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add AppArmor profile    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+9
    Simple profile to allow for management of local profile drop-ins using pillar values.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: nginx config fixup' (#26) from import-denc-webcluster-iphash into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+2
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/26
| * denc-webcluster: nginx config fixup    Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+2
    - remove keys duplicated by include
    - repair wrong snippets include directory
    - repair wrong ip_hash option syntax
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'ha-node: vrrp is a protocol' (#25) from vrrp-fixup into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/25
| * ha-node: vrrp is a protocol    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    Accidentally added as a service.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: allow http(s) publicly' (#24) from import-denc-webcluster-fw into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+8
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/24
| * denc-webcluster: enable keepalived script security    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+1
    Prevent script tampering.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * denc-webcluster: allow http(s) publicly    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+7
    Public firewall rules were missing from initial import.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import denc webcluster (nemesis/hubris)' (#12) from import-denc-webcluster into production    Georg Pfuetzenreuter, 2023-02-12, 11 files, -0/+367
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/12
| * Manage backend firewall zone [import-denc-webcluster]    Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+7
    Configure backend firewall zones if applicable. Allow all UDP for cluster traffic.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * ha-node: allow vrrp in firewall    Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+7
    Needed for keepalived operation.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add ha-netcup role    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+3
    Role managing the Netcup IP failover script plus keepalived. Requires ha-node role introduced via a8bbe056f1.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add keepalived_script_user profile    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+7
    Short profile source from other profiles requiring the keepalived_script user to be present.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add netcup_failover profile    Georg Pfuetzenreuter, 2023-02-12, 3 files, -0/+133
    Profile managing a Netcup IP address failover script for use with keepalived.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * nemesis/hubris: import keepalived configuration    Georg Pfuetzenreuter, 2023-02-12, 1 file, -4/+61
    Add shared configuration to cluster.denc.web-proxy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * nemesis/hubris: include denc.web-proxy    Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+4
    Add shared nginx configuration to nemesis/hubris HA pair nodes.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * nemesis/hubris: import nginx configuration    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+149
    Add shared configuration to cluster.denc.web-proxy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'common-suse: add qemu-guest-agent + remove AutoYaST' (#23) from common-suse into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+22
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/23
| * common.suse: manage qemu-guest-agent    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+9
    Ensure qemu-guest-agent is active on all KVM guests.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * common.suse: remove AutoYaST    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+13
    We only use AutoYaST for the OS deployment and don't need the packages afterwards.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | Merge pull request 'dericom02: manage web firewall zone' (#22) from dericom02-webfw into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+8
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/22
| * dericom02: manage web firewall zone    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+8
    Import locally configured web zone into Salt. This zone allows the web proxy to reach http for serving Matterbridge media.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'lighttpd: improve dependencies' (#21) from lighttpd-watch into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+5
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/21
| * lighttpd: improve dependencies    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+5
    - add more explicit Salt ID dependencies
    - reload service on configuration changes
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'dericom02: disable matterbridge XMPP debug' (#20) from matterbridge-xmpp-debug into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/20
| * dericom02: disable matterbridge XMPP debug    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    It's very noisy - one can enable it on demand if needed.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'matterbridge: restart on changes' (#19) from matterbridge-watch into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+4
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/19
| * matterbridge: restart on changes    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+4
    Matterbridge does detect file changes, but seems to only apply them on a service restart.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'matterbridge: quote numbers' (#18) from matterbridge-booleans into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/18
| * matterbridge: quote numbers    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
    Needed to make the TOML configuration format happy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | Merge pull request 'Disable "aithunder" Discord bridge' (#17) from matterbridge-aithunder into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+3
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/17
| * Disable "aithunder" Discord bridge    Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+3
    Discord room does not exist.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'dericom02: quote matterbridge booleans' (#16) from matterbridge-booleans into production    Georg Pfuetzenreuter, 2023-02-12, 1 file, -31/+31
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/16
| * dericom02: quote matterbridge booleans    Georg Pfuetzenreuter, 2023-02-12, 1 file, -31/+31
    TOML configuration format needs lowercase boolean values.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Matterbridge media' (#15) from matterbridge-media into production    Pratyush Desai, 2023-02-12, 2 files, -2/+24
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/15
| * dericom02: manage matterbridge media    Georg Pfuetzenreuter, 2023-02-12, 1 file, -2/+13
    - move base media directory to variable
    - add lighttpd vhosts to pillar
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * matterbridge: manage media directories    Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+11
    Create media directories if defined in the pillar.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'matterbridge: add role pillar' (#14) from matterbridge-pillar-fixup into production    Pratyush Desai, 2023-02-09, 1 file, -0/+1
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/14
| * matterbridge: add role pillar    Georg Pfuetzenreuter, 2023-02-09, 1 file, -0/+1
    Empty for now, adding for future reference and because we enforce role pillars to exist.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import Matterbridge configuration' (#10) from import-dericom02 into production    Pratyush Desai, 2023-02-09, 1 file, -0/+221
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/10
| * dericom02: import Matterbridge configuration    Georg Pfuetzenreuter, 2023-02-07, 1 file, -0/+221
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | Merge pull request 'Refactor Matterbridge profile' (#11) from matterbridge-refactor into production    Pratyush Desai, 2023-02-09, 2 files, -23/+26
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/11
| * | Refactor matterbridge profile    Georg Pfuetzenreuter, 2023-02-07, 2 files, -23/+26
    - reduce pillar calls
    - no longer define possible configuration options, apply settings from pillar 1:1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | Merge pull request 'Add ha-node role + enable keepalived formula' (#13) from keepalived-formula into production    Georg Pfuetzenreuter, 2023-02-08, 2 files, -0/+3
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/13
| * Add ha-node role    Georg Pfuetzenreuter, 2023-02-08, 1 file, -0/+2
    Add ha-node role for machines in a HA pair using keepalived.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable keepalived-formula    Georg Pfuetzenreuter, 2023-02-08, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* derimisc01: import Tor configuration    Georg Pfuetzenreuter, 2023-02-07, 1 file, -0/+14
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add onion-router role    Georg Pfuetzenreuter, 2023-02-07, 2 files, -0/+7
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable tor-formula    Georg Pfuetzenreuter, 2023-02-06, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set webirc backend to https    Georg Pfuetzenreuter, 2023-02-06, 1 file, -1/+1
    Ergo rightfully does not accept plain text websocket connections.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Include libertacasa for liberta.casa    Georg Pfuetzenreuter, 2023-02-06, 1 file, -0/+1
    Fallout from 77fa39e59c15a2235f210128dab821d2e2fd6ae5 - libertacasa nginx snippet needs to be included in liberta.casa server for main website to operate on the clearnet.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Repair liberta.casa TLS include    Georg Pfuetzenreuter, 2023-02-06, 1 file, -1/+2
    Accidentally mixed up the libertacasa with the libertacasa2 nginx TLS snippet.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* web-proxy: include mime.types    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+1
    Always include mime.types on web-proxies.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* web-proxy: common includes    Georg Pfuetzenreuter, 2023-02-05, 1 file, -1/+4
    Always include files in conf.d and vhosts.d on web-proxies.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'web-proxy: common nginx.conf' (#9) from nginxconf into production    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+25
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/9
| * web-proxy: common nginx.conf    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+25
    Import default nginx.conf contents from our custom packaged file into Salt.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* web-proxy: IPv6 listener brackets    Georg Pfuetzenreuter, 2023-02-05, 2 files, -3/+12
    Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx from failing to start.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Increase LC repository priority    Georg Pfuetzenreuter, 2023-02-05, 1 file, -1/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'deriweb01: import nginx configuration' (#8) from import-deriweb01 into production    Georg Pfuetzenreuter, 2023-02-05, 3 files, -1/+450
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/8
| * web-proxy: add firewall configuration    Georg Pfuetzenreuter, 2023-02-05, 1 file, -1/+6
    Allow internal http and https to pass on web proxies. To-do: logic for web proxies directly attached to the internet.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable syntax highlighting    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+3
    Initially for .sls and .jinja/.j2 files - we can add others later on if needed.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * deriweb01: import nginx configuration    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+441
    Transfer local/manual nginx configuration structure into pillar.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* web-proxy: add common TLS configuration    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+10
    Add TLS configuration snippet shared between all web-proxies.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add nginx crtkeypair macro    Georg Pfuetzenreuter, 2023-02-05, 2 files, -0/+9
    For use in nginx pillars.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add cluster pillar    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Refresh LC repository    Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+1
    Configure repository to be refreshed automatically.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add web-proxy role    Georg Pfuetzenreuter, 2023-02-04, 2 files, -0/+26
    - web-proxy role to configure nginx
    - pillar with common nginx configuration
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set default saltenv    Georg Pfuetzenreuter, 2023-02-01, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Refactor map/macro sourcing    Georg Pfuetzenreuter, 2023-01-30, 4 files, -3/+25
    - move pillar macros and map to base directory
    - move listener logic from macro to map
    - update includes respectively
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable nginx-formula    Georg Pfuetzenreuter, 2023-01-30, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: add salt-keydiff package    Georg Pfuetzenreuter, 2023-01-30, 1 file, -0/+1
    Useful to accept new minions.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage Salt roleproxy    Georg Pfuetzenreuter, 2023-01-30, 3 files, -0/+48
    Add role, profile and pillar for roleproxy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.minion: no longer manage grains    Georg Pfuetzenreuter, 2023-01-29, 3 files, -22/+0
    Grains have only been managed to track roles, however those have since been moved to the Role API. Hence the managed /etc/salt/grains file can safely be removed from management. Existing installations will be cleaned up by me.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set firewalld short zone names    Georg Pfuetzenreuter, 2023-01-29, 1 file, -2/+2
    To match the SUSE defaults deployed by our AutoYaST configuration.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Allow IPv6-only interfaces + fixup    Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+3
    - interfaces with no IPv4 address would cause a render failure
    - repair if-clause needed for interfaces with only IPv4 addresses
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Firewall interface mapping logic    Georg Pfuetzenreuter, 2023-01-29, 3 files, -0/+84
    Detect which interfaces belong to which zones, and configure firewalld accordingly. Backend zone is currently only prepared and yet to be tested and enabled.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine interfaces    Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
    Needed for firewall interface-zone mapping logic.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: extra quotes around API listener    Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+1
    State would print the colons unquoted into the file, causing the YAML to not parse.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: add firewalld rules    Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+10
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage common firewalld rules    Georg Pfuetzenreuter, 2023-01-29, 2 files, -0/+13
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage firewalld    Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge lists on test minions    Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+1
    Reflect production setting, allow pillar to merge from different roles.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable firewalld-formula    Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+2
    ... and sort list entries alphabetically.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: enable API IPv6 listener    Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
    No individual listeners can be configured, hence global dual stack listener it is.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable SSH banner    Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.minion: allow minions without roles    Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+1
    If-clause to check for Syndic roles caused regression on minions without any assigned roles.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Listeners macro: skip on empty mine    Georg Pfuetzenreuter, 2023-01-28, 1 file, -4/+6
    Don't fail if mine does not contain information about the queried minion. In the future it would be nice to add another conditional to allow such minions to fall-back to the locally executed network module for masterless setups.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: set rootgroup    Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+1
    Needed for formula to not nuke Syndic key permissions. Little bit ugly.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Listeners macro: use mined addresses    Georg Pfuetzenreuter, 2023-01-28, 1 file, -2/+3
    The network module runs on the Salt master, but the macro should fetch minion addresses.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine IPv6 addresses    Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine IP addresses    Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+3
    Add Salt mine configuration to collect minion IP addresses.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: increase LDAP scope    Georg Pfuetzenreuter, 2023-01-28, 1 file, -1/+1
    Likely needed as it does not support searching a more fine grained base DN.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: switch to CherryPy    Georg Pfuetzenreuter, 2023-01-28, 1 file, -3/+3
    Tornado does not support all the features.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: add ldap + completion packages    Georg Pfuetzenreuter, 2023-01-27, 1 file, -0/+3
    - python-ldap is needed for authenticating with the API
    - shell completions are useful :-)
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: add LDAP configuration    Georg Pfuetzenreuter, 2023-01-27, 1 file, -0/+11
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: add Salt API configuration    Georg Pfuetzenreuter, 2023-01-27, 2 files, -0/+5
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Relay via static zz0.email host    Georg Pfuetzenreuter, 2023-01-27, 3 files, -0/+11
    Split horizon for the complete .email zone is not feasible for all sites, and TLS certificate currently does not cover any of the internal hostnames.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Manage common SSH server' (#6) from ssh into production    Georg Pfuetzenreuter, 2023-01-27, 6 files, -1/+63
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/6
| * Manage common SSH server    Georg Pfuetzenreuter, 2023-01-26, 6 files, -1/+63
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* mta.postfix->global.mta pillar; remove mta profile    Georg Pfuetzenreuter, 2023-01-26, 4 files, -5/+3
    This is more of an MTA configuration for system email on all hosts than a dedicated email server role.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Move common to global pillar    Georg Pfuetzenreuter, 2023-01-26, 2 files, -1/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Read formulas from central file    Georg Pfuetzenreuter, 2023-01-26, 4 files, -11/+19
    - add formulas.yaml file containing list of all enabled formulas
    - read formulas from said file in role.salt.master and prepare_minion.py
    - add symlink for easier tracking of the file
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Postfix: configure alias_database    Georg Pfuetzenreuter, 2023-01-25, 1 file, -0/+1
    Not needed, but the formula writes a hash:/ entry default, which might cause confusion in the future, since our alias_maps is using lmdb:/.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Repository: remove comment, add priority    Georg Pfuetzenreuter, 2023-01-25, 1 file, -2/+1
    LibertaCasa RPM repository:
    - comment was not added by Salt, it attempted to re-add it every time
    - set lower priority
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Allow local system mail in Postfix    Georg Pfuetzenreuter, 2023-01-25, 1 file, -1/+2
    - correct mydestination to allow lysergic.dev to be sent through the relay
    - correct relayhost to use SMTPS port
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Revert OS pillar split' (#4) from revert-ospillarsplit into production    Georg Pfuetzenreuter, 2023-01-24, 5 files, -8/+7
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/4
| * Include Postfix pillar via role    Georg Pfuetzenreuter, 2023-01-24, 4 files, -1/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Revert "Split to OS specific common pillar"    Georg Pfuetzenreuter, 2023-01-24, 3 files, -7/+5
    This reverts commit 4863396938c7c638517cbefc3a2773c9eb29bc69.
* Merge pull request 'Include role.salt.common in master' (#3) from master-include-common into production    Georg Pfuetzenreuter, 2023-01-24, 1 file, -0/+3
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/3
| * Include role.salt.common in master    Georg Pfuetzenreuter, 2023-01-24, 1 file, -0/+3
    Needed to allow individual apply's of salt.master without breaking common configuration options.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Manage global Postfix'es + make common pillar OS based' (#2) from postfix into production    Georg Pfuetzenreuter, 2023-01-24, 7 files, -6/+39
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/2
| * Manage aliases    Georg Pfuetzenreuter, 2023-01-24, 1 file, -1/+8
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable postfix-formula    Georg Pfuetzenreuter, 2023-01-24, 2 files, -1/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Manage common Postfix    Georg Pfuetzenreuter, 2023-01-24, 4 files, -0/+26
    Add configuration for global client MTAs.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
    Enable Postfix management
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Split to OS specific common pillar    Georg Pfuetzenreuter, 2023-01-24, 2 files, -5/+4
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Include users in pipeline    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Include users in common.suse    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enforce ID and roles in top    Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+7
    Adapt to current private pillar top:
    - match ID grain for inclusion of ID files
    - move roles under conditional
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable users-formula    Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Wrap zypper pillar in OS check    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+2
    Zypper pillar data is not needed on non-SUSE systems.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add common_packages to common.suse    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+6
    Add ID and initialize with fish and system-group wheel packages. More packages to be added later on.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Disable refreshdb_force    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+3
    Speed up state.apply's.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Remove release from RPM key check    Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
    Release tag can be different from machine to machine. Checking for the version tag should be good enough.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage LC repository + ca-certificates    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+34
    manage
    - home:crameleon:LibertaCasa repository
    - ca-certificates-syscid
    in common SUSE state.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Connect syndic minions to syndic master    Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+11
    Syndics are generally the masters assigned to their region. We want the minions on syndics to connect to their upstream master ("master of masters") instead of to themselves.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add admins to redis group on masters    Georg Pfuetzenreuter, 2023-01-22, 1 file, -10/+13
    Avoid permissions errors if Salt attempts to write to Redis during non-root state.apply calls.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Use central machine-roles endpoint    Georg Pfuetzenreuter, 2023-01-22, 2 files, -2/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Use http.query instead of nbroles module    Georg Pfuetzenreuter, 2023-01-22, 3 files, -4/+4
    This is an attempt to remove the need for the custom nbroles module. If it works out, the localhost reference should be replaced with a global roles API endpoint.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: configure publisher_acl    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+12
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Update symlink to nbroles.py    Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
    Fallout from b112ee3131f82cf8b8bc09726b9088950f9dc6dc.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: manage formulas    Georg Pfuetzenreuter, 2023-01-22, 2 files, -1/+12
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Move extmods to salt/    Georg Pfuetzenreuter, 2023-01-22, 2 files, -0/+0
    Allow for extension modules to be delivered using the Salt file server.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: move file_roots to production    Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: move gpg_keydir to master    Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
    'gpg_keydir' is a master specific setting, it does not work under the top level 'salt' key.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* salt.master: manage extension modules    Georg Pfuetzenreuter, 2023-01-22, 2 files, -2/+34
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Configure Redis for Salt master    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+65
    Add Redis configuration to salt.master profile for caching on Salt masters. To-Do: move configuration to a formula based approach.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Update salt.master role pillar    Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+5
    - add missing settings needed for use in production
    - correct existing settings with new advancements
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set Salt log level to info    Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+1
    Globally setting log level for easier initial setup. Later on we should consider removing it again, or moving it to the salt:master pillar.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add salt.syndic role + pillar    Georg Pfuetzenreuter, 2023-01-22, 2 files, -0/+6
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* roles.py: exclude salt.commonGeorg Pfuetzenreuter2023-01-221-1/+1
| | | | | | Role is targetted globally. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Sync roles in pipelineGeorg Pfuetzenreuter2023-01-221-0/+15
| | | | | | Call rolesyncer on new commits to production. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add rolesyncer scriptGeorg Pfuetzenreuter2023-01-211-0/+77
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* roles.py: remove exclusionsGeorg Pfuetzenreuter2023-01-211-1/+1
| | | | | | | These were only relevant during testing. Leaving the empty list in case exclusions need to be added in the future. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Init pipeline configGeorg Pfuetzenreuter2023-01-211-0/+18
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add empty salt.common SLSGeorg Pfuetzenreuter2023-01-211-0/+1
| | | | | | | Roles under salt/ are enforced to be existent - adding "empty" file to match pillar/role/salt/. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Configure formulas in prepare_minion.pyGeorg Pfuetzenreuter2023-01-211-0/+9
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add clone_formulas scriptGeorg Pfuetzenreuter2023-01-211-0/+12
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* roles.py: repair role walkingGeorg Pfuetzenreuter2023-01-211-3/+10
| | | | | | | | Improve nested role support introduced with 442ff683d1e5b3c15a7ef90b27c4be2b3e70ff30 by correctly converting subdirectories into nested state references. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Remove test-webserver roleGeorg Pfuetzenreuter2023-01-211-2/+0
| | | | | | | No longer used, referenced profile removed in a1782581bb5124ecee97baa86ef8a312ad4828d0. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Update mocking baseGeorg Pfuetzenreuter2023-01-213-3/+46
| | | | | | | - adapt preparation script to new environment - add sample mocking pillar including README Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add nbroles_to_grains script + add noteGeorg Pfuetzenreuter2023-01-212-0/+5
| | | | | | | Script allows for testing and pipeline minions to work without access to the roles API. Additionally added a note about this in prepare_minion.py. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add id/role pillar README'sGeorg Pfuetzenreuter2023-01-212-0/+2
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* roles.py: support nested roles + cli invocationGeorg Pfuetzenreuter2023-01-211-4/+9
| | | | | | | | - walk both pillar and salt roles - support nested roles / state files in subdirectories - allow test invocation of the script from the command line Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Target roles without grains in topsGeorg Pfuetzenreuter2023-01-212-8/+7
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Link nbroles module to extmodsGeorg Pfuetzenreuter2023-01-211-0/+1
| | | | | | Module is needed by masters as well. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Init lookup.pyGeorg Pfuetzenreuter2023-01-211-0/+113
| | | | | | | | Importing local lookup.py script into Git - this file is loaded as an external pillar module by Salt masters to allow for external pillars to be referenced inside external pillars. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Use nbroles instead of grainsGeorg Pfuetzenreuter2023-01-213-4/+16
| | | | Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Remove common secret includeGeorg Pfuetzenreuter2023-01-201-1/+0
| | | | | | File was only used for testing secrets and is no longer in use. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add secret variablesGeorg Pfuetzenreuter2023-01-201-0/+16
| | | | | | | Module should now replace ${...} variables during rendering. Pillar references need to be quoted. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
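The two commits "Init lookup.py" and "Add secret variables" describe an external pillar module that resolves references inside pillar data and substitutes `${...}` variables while rendering. The following is an added example, not the repository's lookup.py and not Salt code: a recursive resolver over a pillar-shaped dict that replaces `${name}` tokens (dotted names looking up a nested secrets mapping) and fails closed, raising instead of leaving a literal `${...}` placeholder that would otherwise be written into a config file as the "password". The token syntax, the sample pillar and the secrets mapping are constructed assumptions; in a real master the secrets would come from the master-side secret store, never from the minion.

```python
import re

# Token syntax assumed for this illustration: ${name}, name = [A-Za-z0-9_.]+
# (a dotted name walks nested keys of the secrets mapping).
_VAR = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


class UnresolvedSecret(KeyError):
    """Raised when a pillar value references a secret that does not exist."""


def _lookup(secrets: dict, dotted: str):
    """Resolve 'redis.password' -> secrets['redis']['password'] or raise."""
    cur = secrets
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise UnresolvedSecret(dotted)
        cur = cur[part]
    return cur


def resolve_secret_vars(value, secrets: dict):
    """Recursively replace ${name} tokens in strings inside dicts and lists.

    A string that is exactly one token keeps the secret's native type
    (an int stays an int); a token embedded in a longer string is
    stringified in place. Unknown names raise rather than pass through.
    """
    if isinstance(value, dict):
        return {k: resolve_secret_vars(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_secret_vars(v, secrets) for v in value]
    if isinstance(value, str):
        whole = _VAR.fullmatch(value)
        if whole:
            return _lookup(secrets, whole.group(1))
        return _VAR.sub(lambda m: str(_lookup(secrets, m.group(1))), value)
    return value  # ints, bools, None are returned untouched


# Constructed sample input: the references are quoted strings in the pillar,
# as the commit message requires, so the renderer sees them verbatim.
SAMPLE_PILLAR = {
    "redis": {
        "requirepass": "${redis.password}",
        "url": "redis://:${redis.password}@127.0.0.1:6379/0",
        "port": 6379,
    }
}
SAMPLE_SECRETS = {"redis": {"password": "s3cr3t-example"}}


def render_sample() -> dict:
    """Resolve the constructed sample pillar against the constructed secrets."""
    return resolve_secret_vars(SAMPLE_PILLAR, SAMPLE_SECRETS)


if __name__ == "__main__":
    print(render_sample())
    try:
        resolve_secret_vars({"db": {"password": "${db.password}"}}, SAMPLE_SECRETS)
    except UnresolvedSecret as exc:
        print("refusing to render, missing secret:", exc)
```

The fail-closed behaviour is the point worth keeping: a rendering error on the master is loud and stops state.apply, whereas a silently unreplaced `${db.password}` ends up in a service config and is only noticed when the service is found running with a placeholder credential.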
* Init master role w/ pillar (Georg Pfuetzenreuter, 2023-01-15; 3 files, -0/+40)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Re-order minion profile (Georg Pfuetzenreuter, 2023-01-15; 2 files, -4/+5)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Use custom minion master configuration (Georg Pfuetzenreuter, 2023-01-15; 2 files, -1/+9)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Use traditional grains management (Georg Pfuetzenreuter, 2023-01-15; 4 files, -14/+8)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Move managed grains to minion pillar (Georg Pfuetzenreuter, 2023-01-15; 2 files, -2/+7)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Init salted salt + minion pillar (Georg Pfuetzenreuter, 2023-01-15; 5 files, -1/+11)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Cleanup after devel import (Georg Pfuetzenreuter, 2023-01-15; 2 files, -9/+0)
  - remove RPM public key import
  - remove test-webserver profile
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Refactor common tree (Georg Pfuetzenreuter, 2023-01-15; 3 files, -3/+3)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Ignore missing IDs (Georg Pfuetzenreuter, 2023-01-15; 1 file, -0/+1)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Include common secret pillar (Georg Pfuetzenreuter, 2023-01-15; 1 file, -0/+3)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Init pillar (Georg Pfuetzenreuter, 2023-01-15; 2 files, -0/+16)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Import profiles/roles from salt-devel (Georg Pfuetzenreuter, 2023-01-15; 21 files, -1/+731)
  + renaming baseline to common
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Init (Georg Pfuetzenreuter, 2023-01-15; 4 files, -0/+59)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>