| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
- remove trailing whitespaces
- format octal modes correctly
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- remove spaces, add headers
- add ignore for line-lengths in .pipeline.yml
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
With the rollout of our Salted configuration, ModSecurity came enforced.
This adds necessary rules to PrivateBin and BookStack for correct
operation.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Accidentally configured to listen only internally.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Allow access to client trust certificate and to static content.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
- remove keys duplicated by include
- repair wrong snippets include directory
- repair wrong ip_hash option syntax
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Accidentally added as a service.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Prevent script tampering.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Public firewall rules were missing from initial import.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Configure backend firewall zones if applicable. Allow all UDP for
cluster traffic.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Needed for keepalived operation.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add shared configuration to cluster.denc.web-proxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add shared nginx configuration to nemesis/hubris HA pair nodes.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add shared configuration to cluster.denc.web-proxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Import locally configured web zone into Salt. This zone allows the web
proxy to reach http for serving Matterbridge media.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
It's very noisy - one can enable it on demand if needed.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Discord room does not exist.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
TOML configuration format needs lowercase boolean values.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- move base media directory to variable
- add lighttpd vhosts to pillar
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Empty for now, adding for future reference and because we enforce role
pillars to exist.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|\
| |
| |
| |
| |
| | |
import-dericom02 into production
Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/10
|
| |
| |
| |
| | |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|/
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Ergo rightfully does not accept plain text websocket connections.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
Fallout from 77fa39e59c15a2235f210128dab821d2e2fd6ae5 - libertacasa
nginx snippet needs to be included in liberta.casa server for main
website to operate on the clearnet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Accidentally mixed up the libertacasa with the libertacasa2 nginx
TLS snippet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Always include mime.types on web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Always include files in conf.d and vhosts.d on web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Import default nginx.conf contents from our custom packaged file into
Salt.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx
from failing to start.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Allow internal http and https to pass on web proxies.
To-do: logic for web proxies directly attached to the internet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Transfer local/manual nginx configuration structure into pillar.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add TLS configuration snippet shared between all web-proxies.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
For use in nginx pillars.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- web-proxy role to configure nginx
- pillar with common nginx configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
- move pillar macros and map to base directory
- move listener logic from macro to map
- update includes respectively
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add role, profile and pillar for roleproxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
To match the SUSE defaults deployed by our AutoYaST configuration.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- interfaces with no IPv4 address would cause a render failure
- repair if-clause needed for interfaces with only IPv4 addresses
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
|
| |
Detect which interfaces belong to which zones, and configure firewalld
accordingly.
Backend zone is currently only prepared and yet to be tested and
enabled.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Needed for firewall interface-zone mapping logic.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
State would print the colons unquoted into the file, causing the YAML to
not parse.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
... and sort list entries alphabetically.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
No individual listeners can be configured, hence global dual stack
listener it is.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
|
|
| |
Don't fail if mine does not contain information about the queried
minion.
In the future it would be nice to add another conditional to allow such
minions to fall-back to the locally executed network module for
masterless setups.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Needed for formula to not nuke Syndic key permissions. Little bit ugly.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
The network module run on the Salt master, but the macro should fetch
minion addresses.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Add Salt mine configuration to collect minion IP addresses.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Likely needed as it does not support searching a more fine grained base
DN.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Tornado does not support all the features.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
Split horizon for the complete .email zone is not feasible for all
sites, and TLS certificate currently does not cover any of the internal
hostnames.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
This is more a MTA configuration for system email on all hosts instead of
a dedicated email server role.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
- add formulas.yaml file containing list of all enabled formulas
- read formulas from said file in role.salt.master and prepare_minion.py
- add symlink for easier tracking of the file
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Not needed, but the formula writes a hash:/ entry default, which might
cause confusion in the future, since our alias_maps is using lmdb:/.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
- correct mydestination to allow lysergic.dev to be sent through the
relay
- correct relayhost to use SMTPS port
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
This reverts commit 4863396938c7c638517cbefc3a2773c9eb29bc69.
|
|
|
|
|
|
|
| |
Needed to allow individual apply's of salt.master without breaking
common configuration options.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
|
|
| |
Add configuration for global client MTA's.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Enable Postfix management
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
Adapt to current private pillar top:
- match ID grain for inclusion of ID files
- move roles under conditional
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Zypper pillar data is not needed on non-SUSE systems.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
Speed up state.apply's.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
|
| |
This is an attempt to remove the need for the custom nbroles module. If
it works out, the localhost reference should be replaced with a global
roles API endpoint.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
'gpg_keydir' is a master specific setting, it does not work under the
top level 'salt' key.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- add missing settings needed for use in production
- correct existing settings with new advancements
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Globally setting log level for easier initial setup. Later on we should
consider removing it again, or moving it to the salt:master pillar.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
- adapt preparation script to new environment
- add sample mocking pillar including README
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
| |
File was only used for testing secrets and is no longer in use.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
|
|
|
| |
Module should now replace ${...} variables during rendering. Pillar
references need to be quoted.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
|
|
| |
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|
|
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
|