path: root/pillar

Commit log (newest first). Each entry gives the commit message, followed by author, date, number of files changed and lines removed/added; commits merged from a pull request branch are indented under their merge commit.
* Merge pull request 'Repair boolean' (#84) from fix/nginx/boolean into production
  Pratyush Desai, 2023-07-31, 1 file, -1/+1
  Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/84
  Reviewed-by: Pratyush Desai <pratyush.desai@liberta.casa>

  * Repair boolean
    Georg Pfuetzenreuter, 2023-07-31, 1 file, -1/+1
    Follow up to b6e9f753521111919dfcf67e91e02b30fbc41b24, forgot to quote the string, causing it to still be converted to a boolean.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: exclude 949110
  Georg Pfuetzenreuter, 2023-07-31, 1 file, -1/+1
  ModSecurity rule blocked Bookstack from saving some pages while editing.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Repair boolean
  Georg Pfuetzenreuter, 2023-07-21, 1 file, -1/+1
  ```
  nginx: [emerg] invalid value "True" in "proxy_ssl_verify" directive, it must be "on" or "off" in /etc/nginx/vhosts.d/agola.conf:14
  ```
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add reverse proxy for Agola
  Georg Pfuetzenreuter, 2023-07-21, 1 file, -0/+11
  New service behind ci.lysergic.dev / ci.git.com.de.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Optimize minion
  Georg Pfuetzenreuter, 2023-07-16, 1 file, -0/+2
  Cache jobs for later reference, disable unused hardware grains.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add http(s) to thetrip public zone
  Georg Pfuetzenreuter, 2023-07-01, 1 file, -0/+6
  Forgotten in fffbaf46988d89b9f56578ba0d97c07ea056f513.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage firewall on thetrip
  Georg Pfuetzenreuter, 2023-07-01, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage firewall on derutil01
  Georg Pfuetzenreuter, 2023-06-28, 1 file, -0/+1
  Configuration should be imported already.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* remove backslash
  Pratyush Desai, 2023-06-28, 1 file, -3/+3
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

* update mediapath for matterbridge
  Pratyush Desai, 2023-06-27, 1 file, -2/+2
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

* Add chillnet matterbridge uploads
  Pratyush Desai, 2023-06-25, 2 files, -6/+8
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

* Used /RENAME for #fightclub
  Pratyush Desai, 2023-05-03, 1 file, -2/+2
* Init psyched.dev
  Georg Pfuetzenreuter, 2023-05-02, 3 files, -0/+3
  Add pillar IDs for theia/orpheus/selene to disable sshd management on them (machines use custom configurations for historic reasons, and we like to preserve history).
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Init dencpod01.lysergic.dev
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -0/+1
  Blank machine.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Move backup_mode to minion dict
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -1/+1
  It is a minion-specific option.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable minion file backup
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -0/+1
  https://docs.saltproject.io/en/latest/ref/states/backup_mode.html
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Import moni firewall configuration
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -0/+11
  Some ports not yet covered by a role.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Init phoebe.lysergic.dev
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -0/+1
  Blank machine.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Disable manage_sshd for philia
  Georg Pfuetzenreuter, 2023-05-02, 1 file, -0/+1
  Machine uses a custom sshd configuration for $reasons.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Set ping_on_rotate
  Georg Pfuetzenreuter, 2023-05-01, 1 file, -0/+1
  Enable option to ensure minions are immediately responsive after key rotations.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Set env_order
  Georg Pfuetzenreuter, 2023-05-01, 1 file, -0/+1
  Option was removed in d4f39e8e5f807169b790d5380c10872d1ba31710, but the default environment seems to not be set to "production" without it being present. Adding it back until a better way is found.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Repair BookStack httpd configuration
  Georg Pfuetzenreuter, 2023-05-01, 1 file, -9/+9
  - Replace wrong instances of RewriteCond with RewriteRule
  - Remove wrong quotes around rewrite conditions
  - Set correct options (seemingly our version of httpd does not set FollowSymLinks by default?)
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Adjust themis httpd directory options' (#50) from themis-httpd-fixup into production
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -1/+1
  Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/50

  * Adjust themis httpd directory options
    Georg Pfuetzenreuter, 2023-04-30, 1 file, -1/+1
    Some directory options are not needed and were listed with syntax issues. Set to false to prevent "Options" from being added, which equals "Options +FollowSymLinks".
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Correct SAML realm capitalization
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -3/+3
  The Keycloak realm is named "LibertaCasa", not "libertacasa".
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Merge pull request 'Add empty role.privatebin pillar' (#49) from privatebin-role into production
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -0/+1
  Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/49

  * Add empty role.privatebin pillar
    Georg Pfuetzenreuter, 2023-04-30, 1 file, -0/+1
    For some reason Salt complains about the file missing, albeit us using "ignore_missing" in the top file.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add manage_firewall conditional
  Georg Pfuetzenreuter, 2023-04-30, 6 files, -0/+8
  Allow us to enroll machines in Salt which do not yet have their firewall configuration imported without having their rules overwritten.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add empty role.bookstack pillar
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -0/+1
  For some reason Salt complains about the file missing (albeit us having "ignore_missing" enabled in the pillar top).
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Allow saltenv/pillarenv override
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -2/+2
  To ease development, allow saltenv=<branch>/pillarenv=<branch> instead of enforcing the production branch.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Merge pull request 'Import themis / PrivateBin' (#40) from privatebin into production
  Georg Pfuetzenreuter, 2023-04-30, 1 file, -13/+85
  Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/40

  * id.themis: import backend firewall rules (branch: privatebin)
    Georg Pfuetzenreuter, 2023-04-29, 1 file, -0/+6
    Allow HTTPS traffic.
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

  * id.themis: import PrivateBin httpd vhost
    Georg Pfuetzenreuter, 2023-03-12, 1 file, -13/+37
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

  * id.themis: import PrivateBin configuration
    Georg Pfuetzenreuter, 2023-03-12, 1 file, -0/+42
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add tg lucy channel mapping
  Pratyush Desai, 2023-04-14, 1 file, -0/+1
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

* Add Chillnet to matterbridge
  Pratyush Desai, 2023-04-10, 2 files, -0/+34
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>

* Refactor matterbridge_media macro
  Pratyush Desai, 2023-04-10, 1 file, -6/+5
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
* Enable php-formula
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add php-fpm role
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable memcached-formula
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add memcached role
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+2
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* profile.apache-httpd: manage snippets
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+10
  - add apache-httpd profile with snippets configuration
  - add TLS snippet to apache-httpd role pillar
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* id.themis: add BookStack configuration
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+41
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* id.themis: add BookStack httpd configuration
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+36
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add web.apache-httpd role
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+3
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable apache-formula
  Georg Pfuetzenreuter, 2023-02-26, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage Prometheus firewall rules
  Georg Pfuetzenreuter, 2023-02-21, 2 files, -0/+15
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Moni: Read Blackbox targets as JSON
  Georg Pfuetzenreuter, 2023-02-21, 1 file, -2/+2
  Use uniform JSON target files instead of a JSON/YAML mix.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Import Prometheus server configuration
  Georg Pfuetzenreuter, 2023-02-21, 4 files, -0/+173
  * add new roles:
    - monitoring.prometheus
    - monitoring.prometheus-alertmanager
    - monitoring.prometheus-exporter-blackbox
  * add common Prometheus and Prometheus Alertmanager pillar data
  * add moni.lysergic.dev specific Prometheus pillar data
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Address salt-lint errors/warnings
  Georg Pfuetzenreuter, 2023-02-15, 2 files, -3/+3
  - remove trailing whitespaces
  - format octal modes correctly
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Address yamllint errors/warnings
  Georg Pfuetzenreuter, 2023-02-15, 1 file, -0/+1
  - remove spaces, add headers
  - add ignore for line-lengths in .pipeline.yml
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable prometheus-formula
  Georg Pfuetzenreuter, 2023-02-15, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* denc-webcluster: add ModSecurity adjustments
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+9
  With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: nginx listen on HA addresses
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+5
  Accidentally configured to listen only internally.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: nginx AppArmor rules
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+7
  Allow access to client trust certificate and to static content.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: nginx config fixup
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -5/+2
  - remove keys duplicated by include
  - repair wrong snippets include directory
  - repair wrong ip_hash option syntax
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* ha-node: vrrp is a protocol
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
  Accidentally added as a service.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: enable keepalived script security
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+1
  Prevent script tampering.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* denc-webcluster: allow http(s) publicly
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+7
  Public firewall rules were missing from initial import.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage backend firewall zone (branch: import-denc-webcluster)
  Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+7
  Configure backend firewall zones if applicable. Allow all UDP for cluster traffic.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* ha-node: allow vrrp in firewall
  Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+7
  Needed for keepalived operation.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* nemesis/hubris: import keepalived configuration
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -4/+61
  Add shared configuration to cluster.denc.web-proxy.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* nemesis/hubris: include denc.web-proxy
  Georg Pfuetzenreuter, 2023-02-12, 2 files, -0/+4
  Add shared nginx configuration to nemesis/hubris HA pair nodes.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* nemesis/hubris: import nginx configuration
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+149
  Add shared configuration to cluster.denc.web-proxy.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* dericom02: manage web firewall zone
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -0/+8
  Import locally configured web zone into Salt. This zone allows the web proxy to reach http for serving Matterbridge media.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* dericom02: disable matterbridge XMPP debug
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+1
  It's very noisy - one can enable it on demand if needed.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Disable "aithunder" Discord bridge
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -1/+3
  Discord room does not exist.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* dericom02: quote matterbridge booleans
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -31/+31
  TOML configuration format needs lowercase boolean values.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* dericom02: manage matterbridge media
  Georg Pfuetzenreuter, 2023-02-12, 1 file, -2/+13
  - move base media directory to variable
  - add lighttpd vhosts to pillar
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* matterbridge: add role pillar
  Georg Pfuetzenreuter, 2023-02-09, 1 file, -0/+1
  Empty for now, adding for future reference and because we enforce role pillars to exist.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Merge pull request 'Import Matterbridge configuration' (#10) from import-dericom02 into production
  Pratyush Desai, 2023-02-09, 1 file, -0/+221
  Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/10

  * dericom02: import Matterbridge configuration
    Georg Pfuetzenreuter, 2023-02-07, 1 file, -0/+221
    Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable keepalived-formula
  Georg Pfuetzenreuter, 2023-02-08, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* derimisc01: import Tor configuration
  Georg Pfuetzenreuter, 2023-02-07, 1 file, -0/+14
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add onion-router role
  Georg Pfuetzenreuter, 2023-02-07, 1 file, -0/+5
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable tor-formula
  Georg Pfuetzenreuter, 2023-02-06, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Set webirc backend to https
  Georg Pfuetzenreuter, 2023-02-06, 1 file, -1/+1
  Ergo rightfully does not accept plain text websocket connections.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Include libertacasa for liberta.casa
  Georg Pfuetzenreuter, 2023-02-06, 1 file, -0/+1
  Fallout from 77fa39e59c15a2235f210128dab821d2e2fd6ae5 - libertacasa nginx snippet needs to be included in liberta.casa server for main website to operate on the clearnet.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Repair liberta.casa TLS include
  Georg Pfuetzenreuter, 2023-02-06, 1 file, -1/+2
  Accidentally mixed up the libertacasa with the libertacasa2 nginx TLS snippet.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: include mime.types
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+1
  Always include mime.types on web-proxies.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: common includes
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -1/+4
  Always include files in conf.d and vhosts.d on web-proxies.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: common nginx.conf
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+25
  Import default nginx.conf contents from our custom packaged file into Salt.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: IPv6 listener brackets
  Georg Pfuetzenreuter, 2023-02-05, 2 files, -3/+12
  Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx from failing to start.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: add firewall configuration
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -1/+6
  Allow internal http and https to pass on web proxies. To-do: logic for web proxies directly attached to the internet.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* deriweb01: import nginx configuration
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+441
  Transfer local/manual nginx configuration structure into pillar.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* web-proxy: add common TLS configuration
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+10
  Add TLS configuration snippet shared between all web-proxies.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add nginx crtkeypair macro
  Georg Pfuetzenreuter, 2023-02-05, 2 files, -0/+9
  For use in nginx pillars.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add cluster pillar
  Georg Pfuetzenreuter, 2023-02-05, 1 file, -0/+2
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add web-proxy role
  Georg Pfuetzenreuter, 2023-02-04, 1 file, -0/+21
  - web-proxy role to configure nginx
  - pillar with common nginx configuration
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set default saltenv
  Georg Pfuetzenreuter, 2023-02-01, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Refactor map/macro sourcing
  Georg Pfuetzenreuter, 2023-01-30, 4 files, -3/+25
  - move pillar macros and map to base directory
  - move listener logic from macro to map
  - update includes respectively
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable nginx-formula
  Georg Pfuetzenreuter, 2023-01-30, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage Salt roleproxy
  Georg Pfuetzenreuter, 2023-01-30, 1 file, -0/+12
  Add role, profile and pillar for roleproxy.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Set firewalld short zone names
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -2/+2
  To match the SUSE defaults deployed by our AutoYaST configuration.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Allow IPv6-only interfaces + fixup
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+3
  - interfaces with no IPv4 address would cause a render failure
  - repair if-clause needed for interfaces with only IPv4 addresses
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Firewall interface mapping logic
  Georg Pfuetzenreuter, 2023-01-29, 3 files, -0/+84
  Detect which interfaces belong to which zones, and configure firewalld accordingly. Backend zone is currently only prepared and yet to be tested and enabled.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Mine interfaces
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
  Needed for firewall interface-zone mapping logic.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: extra quotes around API listener
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+1
  State would print the colons unquoted into the file, causing the YAML to not parse.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: add firewalld rules
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+10
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage common firewalld rules
  Georg Pfuetzenreuter, 2023-01-29, 2 files, -0/+13
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable firewalld-formula
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -1/+2
  ... and sort list entries alphabetically.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: enable API IPv6 listener
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
  No individual listeners can be configured, hence global dual stack listener it is.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable SSH banner
  Georg Pfuetzenreuter, 2023-01-29, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Listeners macro: skip on empty mine
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -4/+6
  Don't fail if mine does not contain information about the queried minion. In the future it would be nice to add another conditional to allow such minions to fall back to the locally executed network module for masterless setups.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: set rootgroup
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+1
  Needed for formula to not nuke Syndic key permissions. Little bit ugly.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Listeners macro: use mined addresses
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -2/+3
  The network module runs on the Salt master, but the macro should fetch minion addresses.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Mine IPv6 addresses
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Mine IP addresses
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -0/+3
  Add Salt mine configuration to collect minion IP addresses.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: increase LDAP scope
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -1/+1
  Likely needed as it does not support searching a more fine grained base DN.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: switch to CherryPy
  Georg Pfuetzenreuter, 2023-01-28, 1 file, -3/+3
  Tornado does not support all the features.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: add LDAP configuration
  Georg Pfuetzenreuter, 2023-01-27, 1 file, -0/+11
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: add Salt API configuration
  Georg Pfuetzenreuter, 2023-01-27, 1 file, -0/+4
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Relay via static zz0.email host
  Georg Pfuetzenreuter, 2023-01-27, 1 file, -0/+1
  Split horizon for the complete .email zone is not feasible for all sites, and TLS certificate currently does not cover any of the internal hostnames.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage common SSH server
  Georg Pfuetzenreuter, 2023-01-26, 4 files, -0/+50
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* mta.postfix->global.mta pillar; remove mta profile
  Georg Pfuetzenreuter, 2023-01-26, 2 files, -1/+1
  This is more a MTA configuration for system email on all hosts instead of a dedicated email server role.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Move common to global pillar
  Georg Pfuetzenreuter, 2023-01-26, 2 files, -1/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Read formulas from central file
  Georg Pfuetzenreuter, 2023-01-26, 2 files, -1/+4
  - add formulas.yaml file containing list of all enabled formulas
  - read formulas from said file in role.salt.master and prepare_minion.py
  - add symlink for easier tracking of the file
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Postfix: configure alias_database
  Georg Pfuetzenreuter, 2023-01-25, 1 file, -0/+1
  Not needed, but the formula writes a hash:/ entry default, which might cause confusion in the future, since our alias_maps is using lmdb:/.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Allow local system mail in Postfix
  Georg Pfuetzenreuter, 2023-01-25, 1 file, -1/+2
  - correct mydestination to allow lysergic.dev to be sent through the relay
  - correct relayhost to use SMTPS port
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Include Postfix pillar via role
  Georg Pfuetzenreuter, 2023-01-24, 2 files, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Revert "Split to OS specific common pillar"
  Georg Pfuetzenreuter, 2023-01-24, 3 files, -7/+5
  This reverts commit 4863396938c7c638517cbefc3a2773c9eb29bc69.

* Include role.salt.common in master
  Georg Pfuetzenreuter, 2023-01-24, 1 file, -0/+3
  Needed to allow individual apply's of salt.master without breaking common configuration options.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage aliases
  Georg Pfuetzenreuter, 2023-01-24, 1 file, -1/+8
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable postfix-formula
  Georg Pfuetzenreuter, 2023-01-24, 1 file, -1/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Manage common Postfix
  Georg Pfuetzenreuter, 2023-01-24, 2 files, -0/+22
  Add configuration for global client MTA's.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

  Enable Postfix management
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Split to OS specific common pillar
  Georg Pfuetzenreuter, 2023-01-24, 2 files, -5/+4
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enforce ID and roles in top
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+7
  Adapt to current private pillar top:
  - match ID grain for inclusion of ID files
  - move roles under conditional
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Enable users-formula
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+2
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Wrap zypper pillar in OS check
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+2
  Zypper pillar data is not needed on non-SUSE systems.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Disable refreshdb_force
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+3
  Speed up state.apply's.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Use central machine-roles endpoint
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Use http.query instead of nbroles module
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+2
  This is an attempt to remove the need for the custom nbroles module. If it works out, the localhost reference should be replaced with a global roles API endpoint.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: manage formulas
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+5
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: move file_roots to production
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: move gpg_keydir to master
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+1
  'gpg_keydir' is a master specific setting, it does not work under the top level 'salt' key.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* salt.master: manage extension modules
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -1/+4
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Update salt.master role pillar
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -2/+5
  - add missing settings needed for use in production
  - correct existing settings with new advancements
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Set Salt log level to info
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+1
  Globally setting log level for easier initial setup. Later on we should consider removing it again, or moving it to the salt:master pillar.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add salt.syndic role + pillar
  Georg Pfuetzenreuter, 2023-01-22, 1 file, -0/+4
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Update mocking base
  Georg Pfuetzenreuter, 2023-01-21, 2 files, -0/+42
  - adapt preparation script to new environment
  - add sample mocking pillar including README
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add id/role pillar READMEs
  Georg Pfuetzenreuter, 2023-01-21, 2 files, -0/+2
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Target roles without grains in tops
  Georg Pfuetzenreuter, 2023-01-21, 1 file, -5/+3
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Use nbroles instead of grains
  Georg Pfuetzenreuter, 2023-01-21, 1 file, -2/+2
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Remove common secret include
  Georg Pfuetzenreuter, 2023-01-20, 1 file, -1/+0
  File was only used for testing secrets and is no longer in use.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Add secret variables
  Georg Pfuetzenreuter, 2023-01-20, 1 file, -0/+16
  Module should now replace ${...} variables during rendering. Pillar references need to be quoted.
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Init master role w/ pillar
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -0/+36
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Re-order minion profile
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Use custom minion master configuration
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -1/+0
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Use traditional grains management
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -6/+0
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Move managed grains to minion pillar
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -1/+7
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Init salted salt + minion pillar
  Georg Pfuetzenreuter, 2023-01-15, 3 files, -0/+9
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Ignore missing IDs
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Include common secret pillar
  Georg Pfuetzenreuter, 2023-01-15, 1 file, -0/+3
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

* Init pillar
  Georg Pfuetzenreuter, 2023-01-15, 2 files, -0/+16
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>