From 0eca62f4ce29c4b986b24b4d5e0bc7980cdc6784 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:20:44 +0100
Subject: Add AppArmor profile

Simple profile to allow for management of local profile drop-ins using
pillar values.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 salt/profile/apparmor/local.sls | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 salt/profile/apparmor/local.sls

diff --git a/salt/profile/apparmor/local.sls b/salt/profile/apparmor/local.sls
new file mode 100644
index 0000000..6dbdff3
--- /dev/null
+++ b/salt/profile/apparmor/local.sls
@@ -0,0 +1,9 @@
+{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
+
+{%- if 'local' in aapillar %}
+{%- for profile, lines in aapillar['local'].items() %}
+/etc/apparmor.d/local/{{ profile }}:
+  file.managed:
+    - contents: {{ lines }}
+{%- endfor %}
+{%- endif %}
-- 
cgit v1.2.3


From 7e73f6b1a4524c39a4020a7e4a682341e50c6a7b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:21:23 +0100
Subject: web-proxy: include apparmor.local

Some web proxy servers need additional AppArmor drop-ins, for example
for serving static content.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 salt/role/web-proxy.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/role/web-proxy.sls b/salt/role/web-proxy.sls
index 81f2293..649c69e 100644
--- a/salt/role/web-proxy.sls
+++ b/salt/role/web-proxy.sls
@@ -1,5 +1,6 @@
 include:
   - nginx.pkg
+  - profile.apparmor.local
   - nginx.config
   - nginx.snippets
   - nginx.servers
-- 
cgit v1.2.3


From 2d5da24ce5d695b3f934ec06c654f7ae754b3fbf Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:28:19 +0100
Subject: denc-webcluster: nginx AppArmor rules

Allow access to client trust certificate and to static content.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/cluster/denc/web-proxy.sls | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 7b5cebd..7748768 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -209,3 +209,10 @@ firewalld:
       services:
         - http
         - https
+
+profile:
+  apparmor:
+    local:
+      usr.sbin.nginx:
+        - '{{ trustcrt }} r,'
+        - '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'
-- 
cgit v1.2.3