path: root/pillar/cluster
Commit message | Author | Age | Files | Lines
* Merge pull request 'Repair boolean' (#84) from fix/nginx/boolean into production | Pratyush Desai | 2023-07-31 | 1 | -1/+1
|\
    Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/84
    Reviewed-by: Pratyush Desai <pratyush.desai@liberta.casa>
| * Repair boolean | Georg Pfuetzenreuter | 2023-07-31 | 1 | -1/+1
    Follow up to b6e9f753521111919dfcf67e91e02b30fbc41b24, forgot to quote the string causing it to still be converted to a boolean.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* | denc-webcluster: exclude 949110 | Georg Pfuetzenreuter | 2023-07-31 | 1 | -1/+1
|/
    ModSecurity rule blocked Bookstack from saving some pages while editing.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Repair boolean | Georg Pfuetzenreuter | 2023-07-21 | 1 | -1/+1
    ```
    nginx: [emerg] invalid value "True" in "proxy_ssl_verify" directive, it must be "on" or "off" in /etc/nginx/vhosts.d/agola.conf:14
    ```
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add reverse proxy for Agola | Georg Pfuetzenreuter | 2023-07-21 | 1 | -0/+11
    New service behind ci.lysergic.dev / ci.git.com.de.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add manage_firewall conditional | Georg Pfuetzenreuter | 2023-04-30 | 1 | -0/+1
    Allow us to enroll machines in Salt which do not yet have their firewall configuration imported without having their rules overwritten.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: add ModSecurity adjustments | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+9
    With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: nginx listen on HA addresses | Georg Pfuetzenreuter | 2023-02-12 | 1 | -5/+5
    Accidentally configured to listen only internally.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: nginx AppArmor rules | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+7
    Allow access to client trust certificate and to static content.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: nginx config fixup | Georg Pfuetzenreuter | 2023-02-12 | 1 | -5/+2
    - remove keys duplicated by include
    - repair wrong snippets include directory
    - repair wrong ip_hash option syntax
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: enable keepalived script security | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+1
    Prevent script tampering.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: allow http(s) publicly | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+7
    Public firewall rules were missing from initial import.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* nemesis/hubris: import keepalived configuration | Georg Pfuetzenreuter | 2023-02-12 | 1 | -4/+61
    Add shared configuration to cluster.denc.web-proxy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* nemesis/hubris: import nginx configuration | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+149
    Add shared configuration to cluster.denc.web-proxy.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Add cluster pillar | Georg Pfuetzenreuter | 2023-02-05 | 1 | -0/+2
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>