Commit message (Author, Age, Files, Lines)
* id.themis: import backend firewall rules [privatebin] (Georg Pfuetzenreuter, 2023-04-29, 1, -0/+6)
    Allow HTTPS traffic.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* id.themis: import PrivateBin httpd vhost (Georg Pfuetzenreuter, 2023-03-12, 1, -13/+37)
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* id.themis: import PrivateBin configuration (Georg Pfuetzenreuter, 2023-03-12, 1, -0/+42)
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add privatebin profile+role (Georg Pfuetzenreuter, 2023-03-12, 2, -0/+59)
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import themis / BookStack' (#35) from bookstack into production (Pratyush Desai, 2023-03-11, 11, -0/+212)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/35
    Reviewed-by: Pratyush Desai <pratyush.desai@liberta.casa>
| * profile.bookstack: quote keys [bookstack] (Georg Pfuetzenreuter, 2023-03-11, 1, -2/+6)
      Some keys needed quoting to pass the YAML parser.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable php-formula (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * role.bookstack: include php-fpm (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add php-fpm role (Georg Pfuetzenreuter, 2023-02-26, 2, -0/+3)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable memcached-formula (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * role.bookstack: include memcached (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add memcached role (Georg Pfuetzenreuter, 2023-02-26, 2, -0/+4)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * profile.apache-httpd: manage snippets (Georg Pfuetzenreuter, 2023-02-26, 3, -1/+42)
      - add apache-httpd profile with snippets configuration
      - add TLS snippet to apache-httpd role pillar
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * id.themis: add BookStack configuration (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+41)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * id.themis: add BookStack httpd configuration (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+36)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add bookstack profile+role (Georg Pfuetzenreuter, 2023-02-26, 2, -0/+73)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add web.apache-httpd role (Georg Pfuetzenreuter, 2023-02-26, 2, -0/+5)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Enable apache-formula (Georg Pfuetzenreuter, 2023-02-26, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import moni Prometheus configuration' (#32) from prometheus-moni into production (Georg Pfuetzenreuter, 2023-02-25, 11, -10/+223)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/32
| * Disable commit linting (Georg Pfuetzenreuter, 2023-02-21, 1, -9/+9)
      Temporary change until imports with existing messages are finished.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Manage Prometheus firewall rules (Georg Pfuetzenreuter, 2023-02-21, 2, -0/+15)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Moni: Read Blackbox targets as JSON (Georg Pfuetzenreuter, 2023-02-21, 1, -2/+2)
      Use uniform JSON target files instead of a JSON/YAML mix.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * p.node_exporter->p.prometheus.node_exporter (Georg Pfuetzenreuter, 2023-02-21, 2, -1/+1)
      Since the last commit introduced a new Prometheus targets profile, it makes sense to move node_exporter underneath the Prometheus tree as well.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Manage Prometheus targets (Georg Pfuetzenreuter, 2023-02-21, 4, -2/+21)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Import Prometheus server configuration (Georg Pfuetzenreuter, 2023-02-21, 7, -0/+179)
      * add new roles:
        - monitoring.prometheus
        - monitoring.prometheus-alertmanager
        - monitoring.prometheus-exporter-blackbox
      * add common Prometheus and Prometheus Alertmanager pillar data
      * add moni.lysergic.dev specific Prometheus pillar data
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | Merge pull request 'pipeline.gommit: allow more characters in prefix' (#38) from commit-lint into production (Pratyush Desai, 2023-02-22, 1, -1/+1)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/38
    Reviewed-by: Pratyush Desai <pratyush.desai@liberta.casa>
| * pipeline.gommit: allow more characters in prefix (Georg Pfuetzenreuter, 2023-02-20, 1, -1/+1)
      - For profiles/roles with - or _ in their name
      - In the future we should rename all - to _ and adjust the regex to forbid all -
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Commmit lint: allow pipeline + more characters' (#37) from commit-lint into production (Pratyush Desai, 2023-02-20, 1, -1/+1)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/37
| * pipeline.gommit: allow pipeline + more characters (Georg Pfuetzenreuter, 2023-02-19, 1, -1/+1)
      - allow pipeline.* prefix
      - allow some special characters in summary
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Enable commit message linting' (#36) from commit-lint into production (Pratyush Desai, 2023-02-19, 3, -1/+73)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/36
    Reviewed-by: Pratyush Desai <pratyush.desai@liberta.casa>
| * Enable commit linting (Georg Pfuetzenreuter, 2023-02-19, 1, -1/+11)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add commit linting (Georg Pfuetzenreuter, 2023-02-19, 2, -0/+62)
      - add gommit configuration
      - add wrapper script
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Linting' (#33) from linting into production (Georg Pfuetzenreuter, 2023-02-15, 8, -12/+28)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/33
| * Address salt-lint errors/warnings (Georg Pfuetzenreuter, 2023-02-15, 6, -10/+12)
      - remove trailing whitespaces
      - format octal modes correctly
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Address yamllint errors/warnings (Georg Pfuetzenreuter, 2023-02-15, 2, -2/+5)
      - remove spaces, add headers
      - add ignore for line-lengths in .pipeline.yml
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add linting pipeline (Georg Pfuetzenreuter, 2023-02-15, 1, -0/+11)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Enable prometheus-formula' (#31) from prometheus-formula into production (Georg Pfuetzenreuter, 2023-02-15, 1, -0/+1)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/31
| * Enable prometheus-formula (Georg Pfuetzenreuter, 2023-02-15, 1, -0/+1)
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: add ModSecurity adjustments' (#30) from import-denc-webcluster-nginx-modsec into production (Georg Pfuetzenreuter, 2023-02-13, 1, -0/+9)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/30
| * denc-webcluster: add ModSecurity adjustments (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+9)
      With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: nginx listen on HA addresses' (#29) from import-denc-webcluster-nginx-listen-fixup into production (Georg Pfuetzenreuter, 2023-02-12, 1, -5/+5)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/29
| * denc-webcluster: nginx listen on HA addresses (Georg Pfuetzenreuter, 2023-02-12, 1, -5/+5)
      Accidentally configured to listen only internally.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'AppArmor: reload on drop-in changes' (#28) from reload-apparmor into production (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+13)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/28
| * AppArmor: reload on drop-in changes (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+13)
      Self-explanatory.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Manage AppArmor on web-proxie's' (#27) from import-denc-webcluster-apparmor into production (Georg Pfuetzenreuter, 2023-02-12, 3, -0/+17)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/27
| * denc-webcluster: nginx AppArmor rules (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+7)
      Allow access to client trust certificate and to static content.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * web-proxy: include apparmor.local (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+1)
      Some web proxy servers need additional AppArmor drop-ins, for example for serving static content.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add AppArmor profile (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+9)
      Simple profile to allow for management of local profile drop-ins using pillar values.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: nginx config fixup' (#26) from import-denc-webcluster-iphash into production (Georg Pfuetzenreuter, 2023-02-12, 1, -5/+2)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/26
| * denc-webcluster: nginx config fixup (Georg Pfuetzenreuter, 2023-02-12, 1, -5/+2)
      - remove keys duplicated by include
      - repair wrong snippets include directory
      - repair wrong ip_hash option syntax
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'ha-node: vrrp is a protocol' (#25) from vrrp-fixup into production (Georg Pfuetzenreuter, 2023-02-12, 1, -1/+1)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/25
| * ha-node: vrrp is a protocol (Georg Pfuetzenreuter, 2023-02-12, 1, -1/+1)
      Accidentally added as a service.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'denc-webcluster: allow http(s) publicly' (#24) from import-denc-webcluster-fw into production (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+8)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/24
| * denc-webcluster: enable keepalived script security (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+1)
      Prevent script tampering.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * denc-webcluster: allow http(s) publicly (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+7)
      Public firewall rules were missing from initial import.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import denc webcluster (nemesis/hubris)' (#12) from import-denc-webcluster into production (Georg Pfuetzenreuter, 2023-02-12, 11, -0/+367)
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/12
| * Manage backend firewall zone [import-denc-webcluster] (Georg Pfuetzenreuter, 2023-02-12, 2, -0/+7)
      Configure backend firewall zones if applicable. Allow all UDP for cluster traffic.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * ha-node: allow vrrp in firewall (Georg Pfuetzenreuter, 2023-02-12, 2, -0/+7)
      Needed for keepalived operation.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add ha-netcup role (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+3)
      Role managing the Netcup IP failover script plus keepalived. Requires ha-node role introduced via a8bbe056f1.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add keepalived_script_user profile (Georg Pfuetzenreuter, 2023-02-12, 1, -0/+7)
      Short profile source from other profiles requiring the keepalived_script user to be present.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * Add netcup_failover profile (Georg Pfuetzenreuter, 2023-02-12, 3, -0/+133)
      Profile managing a Netcup IP address failover script for use with keepalived.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * nemesis/hubris: import keepalived configuration (Georg Pfuetzenreuter, 2023-02-12, 1, -4/+61)
      Add shared configuration to cluster.denc.web-proxy.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| * nemesis/hubris: include denc.web-proxy (Georg Pfuetzenreuter, 2023-02-12, 2, -0/+4)
      Add shared nginx configuration to nemesis/hubris HA pair nodes.
      Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| *