From 1b619358a8ffcec0385428275167220be4f8c02b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 11:56:27 +0100
Subject: deriweb01: import nginx configuration
Transfer local/manual nginx configuration structure into pillar.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/id/deriweb01_rigel_lysergic_dev.sls | 441 +++++++++++++++++++++++++++++
1 file changed, 441 insertions(+)
create mode 100644 pillar/id/deriweb01_rigel_lysergic_dev.sls
diff --git a/pillar/id/deriweb01_rigel_lysergic_dev.sls b/pillar/id/deriweb01_rigel_lysergic_dev.sls
new file mode 100644
index 0000000..5188a25
--- /dev/null
+++ b/pillar/id/deriweb01_rigel_lysergic_dev.sls
@@ -0,0 +1,441 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set resolver = '[2a01:4f8:11e:2200::2]' -%}
+
+{#- to-do: move other service hosts to backend dict #}
+{%- set backend = {'takahe': 'http://takahe.rigel.lysergic.dev:8000'} %}
+
+{#- generic macros #}
+{%- macro proxyheaders(ForRemAdd=False) -%}
+- proxy_set_header:
+ - 'Host $host'
+ - 'X-Real-IP $remote_addr'
+ - 'X-Forwarded-For {{ '$remote_addr' if ForRemAdd else '$proxy_add_x_forwarded_for' }}'
+ - 'X-Forwarded-Proto $scheme'
+{%- endmacro -%}
+{%- macro proxyheaders2(ForRemAdd=False) -%}
+{{ proxyheaders(ForRemAdd) | indent(16) }}
+{%- endmacro -%}
+{%- macro jf_proxyheaders() -%}
+{{ proxyheaders() | indent(16) }}
+ - 'X-Forwarded-Protocol $scheme'
+ - 'X-Forwarded-Host $http_host'
+{%- endmacro -%}
+{%- macro proxyheaders_upgrade() -%}
+- proxy_set_header: Upgrade $http_upgrade
+- proxy_set_header: Connection $connection_upgrade
+{%- endmacro -%}
+{%- macro proxyheaders2_upgrade() -%}
+{{ proxyheaders_upgrade() | indent(16) }}
+{%- endmacro -%}
+
+{#- application specific macros #}
+{%- macro lcwebirc(port, indentinner) -%}
+ - location /webirc:
+ - proxy_pass: http://[2a01:4f8:11e:2200::cafe]:{{ port }}
+ - proxy_http_version: 1.1
+ {{ proxyheaders_upgrade() | indent(16) }}
+ - proxy_set_header: X-Forwarded-For $remote_addr
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_read_timeout: 600s
+{%- endmacro -%}
+{%- macro lcactivitypub(wkpath) -%}
+ - location /.well-known/{{ wkpath }}:
+ - proxy_pass: {{ backend.takahe }}
+ - proxy_set_header: Host $http_host
+ - resolver: '{{ resolver }} ipv4=off valid=24h'
+{%- endmacro -%}
+{%- macro matterbridge_media(name) -%}
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_load
+ - snippets/tls
+ - server_name: {% if name == 'general' %}load.casa{%- else %}{{ name ~ '.load.casa' }}{%- endif %}
+ - location /:
+ - proxy_pass: http://libertacasa-{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
+{%- endmacro -%}
+
+nginx:
+ snippets:
+ tls:
+ - resolver: '{{ resolver }}'
+
+ {#- certificate snippets #}
+ {{ nginx_crtkeypair('exhaustedlife', 'exhausted.life') | indent }}
+ {{ nginx_crtkeypair('georg', 'georg.systems') | indent }}
+ {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+ {{ nginx_crtkeypair('libertacasa2', 'libertacasa.net') | indent }}
+ {{ nginx_crtkeypair('load', 'load.casa') | indent }}
+ {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+ {{ nginx_crtkeypair('lysergic_media', 'lysergic.media') | indent }}
+ {{ nginx_crtkeypair('meet', 'meet.com.de') | indent }}
+ {{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }}
+ {{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }}
+
+ {#- locations shared between clearnet and Tor LibertaCasa servers #}
+ libertacasa:
+ - location /:
+ - root: /srv/www/liberta.casa/static/website
+ - index: index.html
+ - location /register:
+ - proxy_pass: http://[2a01:4f8:11e:2200::11]:8965
+ - location /kiwi:
+ - root: /srv/www/liberta.casa
+ - index: index.html
+ - try_files: $uri $uri/ =404
+ - location /gamja:
+ - root: /srv/www/liberta.casa
+ - index: index.html
+
+ servers:
+ managed:
+ general.conf:
+ available_dir: /etc/nginx/conf.d
+ config:
+ - server_names_hash_bucket_size: 128
+ - port_in_redirect: 'off'
+ - server_tokens: 'off'
+ - limit_conn_zone: $binary_remote_addr zone=georg_conn:15m
+ - limit_req_zone: $binary_remote_addr zone=georg_req:15m rate=30r/s
+
+ default-http.conf:
+ config:
+ - server:
+ - server_name: localhost
+ - listen:
+ - '80'
+ - location /:
+ - root: /srv/www/htdocs
+ - index: index.html
+
+ cytube.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - snippets/tls
+ - server_name: party.lysergic.dev
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::11]:8250
+ - proxy_set_header:
+ - X-Forwarded-For $proxy_add_x_forwarded_for
+ - X-Forwarded-Proto $scheme
+ - Host $http_host
+
+ default-https.conf:
+ config:
+ - server:
+ - listen:
+ - '[2a01:4f8:11e:2200::dead]:443 ssl http2 default_server'
+ - 10.0.10.7:443 ssl http2 default_server
+ - include: snippets/tls_lysergic
+ - root: /srv/www/htdocs
+
+ georg.conf:
+ config:
+ {%- macro georg_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_georg
+ - snippets/tls
+ {%- endmacro %}
+ - server:
+ {{ georg_includes() }}
+ - server_name: www.georg-pfuetzenreuter.net www.georg-pfuetzenreuter.de www.georg-pfuetzenreuter.at 240600.xyz
+ - return: 302 https://georg-pfuetzenreuter.net
+ - server:
+ {{ georg_includes() }}
+ - server_name: gippy.at
+ - return: 302 https://georg-pfuetzenreuter.net
+ - server:
+ {{ georg_includes() }}
+ - snippets/robots
+ - server_name: georg.systems georg-pfuetzenreuter.de
+ - location /:
+ - proxy_pass: https://georg-public01.rigel.lysergic.dev:8989
+ {{ proxyheaders_upgrade() | indent(18) }}
+ - limit_conn: georg_conn 10
+ - limit_req: zone=georg_req burst=5 delay=3
+ - client_body_buffer_size: 2M
+ - resolver: '{{ resolver }} ipv6=on valid=60m'
+ - server:
+ {{ georg_includes() }}
+ - server_name: georg-pfuetzenreuter.net pfuetzenreuter.at
+ - location /:
+ - proxy_pass: https://georg-public01.rigel.lysergic.dev:8989
+ {{ proxyheaders_upgrade() | indent(18) }}
+ - limit_conn: georg_conn 10
+ - limit_req: zone=georg_req burst=10 delay=5
+ - client_body_buffer_size: 2M
+ - resolver: '{{ resolver }} ipv6=on valid=60m'
+ - location /plain:
+ - root: /srv/www/georg
+ - autoindex: 'on'
+
+ hedgedoc.conf:
+ config:
+ {%- macro lysergic_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - snippets/tls
+ {%- endmacro %}
+ - map $http_upgrade $connection_upgrade:
+ - default: upgrade
+ - "''": close
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: hd.lysergic.dev hedge.lysergic.dev
+ - return: 302 https://hedgedoc.lysergic.dev
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: hedgedoc.lysergic.dev
+ - location /:
+ - proxy_pass: 'http://[2a01:4f8:11e:2200::11]:3000'
+ {{ proxyheaders2() }}
+ - location /socket.io/:
+ - proxy_pass: 'http://[2a01:4f8:11e:2200::11]:3000'
+ {{ proxyheaders2() }}
+ {{ proxyheaders2_upgrade() }}
+ - location /build:
+ - root: /srv/www/hedgedoc
+
+ hidden.conf:
+ config:
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ {#- source the same LibertaCasa locations used on the clearnet #}
+ - include: snippets/libertacasa
+ {#- this proxies to an ergo tor=true + websocket=true listener #}
+ {{ lcwebirc(6663) }}
+ {#- we rewrite the Kiwi configuration with one using our onion websocket #}
+ - location /kiwi/static/config.json:
+ - root: /srv/www/liberta.casa
+ - rewrite: ^/kiwi/static/config.json$ /kiwi/static/config_onion.json
+ {#- we rewrite Gamja configuration with one using our onion websocket #}
+ - location /gamja/config.json:
+ - root: /srv/www/liberta.casa
+ - rewrite: ^/gamja/config.json$ /gamja/config_onion.json
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: gitea.qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ - location /:
+ - proxy_pass: https://git.com.de
+ - proxy_ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: cgit.qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ - location /:
+ - proxy_pass: https://git.casa
+ - proxy_ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
+
+ http.conf:
+ config:
+ - server:
+ - listen:
+ - 10.0.10.7:80 default_server
+ - '[2a01:4f8:11e:2200::dead]:80 default_server'
+ - include: snippets/robots
+ - location /:
+ - return: 301 https://$host$request_uri
+
+ jellyfin.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic_media
+ - snippets/tls
+ - server_name: lysergic.media www.lysergic.media
+ - set: '$jellyfin [2a01:4f8:11e:2200::abc]:8096'
+ - client_max_body_size: 20M
+ - add_header: X-Frame-Options "SAMEORIGIN"
+ - add_header: X-XSS-Protection "1; mode=block"
+ - add_header: X-Content-Type-Options "nosniff"
+ - location /:
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - location = /web/:
+ - proxy_pass: http://$jellyfin/web/index.html
+ {{ jf_proxyheaders() }}
+ - location /socket:
+ - proxy_pass: http://$jellyfin
+ - proxy_http_version: 1.1
+ {{ proxyheaders_upgrade() | indent(16) }}
+ {{ jf_proxyheaders() }}
+ - location @force_get:
+ - proxy_method: GET
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - location /Items:
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - error_page: 550 = @force_get
+ - if ($request_method = HEAD):
+ - return: 550
+ - access_log: /var/log/nginx/jellyfin.access.log
+ - error_log: /var/log/nginx/jellyfin.error.log
+
+ libertacasa.conf:
+ config:
+ {%- macro lc_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_libertacasa2
+ - snippets/tls
+ - snippets/robots
+ {%- endmacro %}
+ - server:
+ {{ lc_includes() }}
+ - server_name: libertacasa.net libsh.net libsh.com libsso.net libsso.com
+ - return: 302 https://liberta.casa
+ - server:
+ {{ lc_includes() }}
+ - snippets/error
+ - server_name: liberta.casa lib.casa www.liberta.casa www.lib.casa
+ - add_header: Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri
+ {#- this proxies to an ergo websocket=true listener #}
+ {{ lcwebirc(6661) }}
+ {#- we still receive a lot of attempted requests to this, let's reject it properly #}
+ - location /.well-known/matrix:
+ - return: 410
+ {#- IRC channel statistics/graphs #}
+ - location /stats:
+ - proxy_pass: https://stats.theia.psyched.dev/
+ {#- ActivityPub for @liberta.casa domain #}
+ {{ lcactivitypub('webfinger') }}
+ {{ lcactivitypub('host-meta') }}
+ {{ lcactivitypub('nodeinfo') }}
+
+ matterbridge.conf:
+ config:
+ {{ matterbridge_media('general') }}
+ {{ matterbridge_media('irc') }}
+
+ meet.conf:
+ config:
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: meet.lysergic.dev meet.liberta.casa
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443/
+ - proxy_http_version: 1.1
+ {{ proxyheaders2(True) }}
+ {{ proxyheaders2_upgrade() }}
+ - tcp_nodelay: 'on'
+ - modsecurity_rules: "'SecRuleRemoveById 949110'"
+
+ openmeetings.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_meet
+ - snippets/tls
+ - server_name: meet.com.de www.meet.com.de
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443
+ - proxy_buffering: 'off'
+ - proxy_pass_header: Server
+ {{ proxyheaders2(True) }}
+ - location /openmeetings/wicket/websocket:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443/openmeetings/wicket/websocket
+ - proxy_buffering: 'off'
+ - proxy_pass_header: Server
+ {{ proxyheaders2(True) }}
+ {{ proxyheaders2_upgrade() }}
+
+ plantuml.conf:
+ config:
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: pu.lysergic.dev uml.lysergic.dev
+ - return: 302 https://plantuml.lysergic.dev
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: plantuml.lysergic.dev
+ - location /:
+ - proxy_pass: http://[2a01:4f8:11e:2200::11]:8086
+ {#- PlantUML needs a very specific proxy configuration, hence not using the macros #}
+ - proxy_set_header: HOST $host
+ - proxy_set_header: X-Forwarded-Host $host
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_redirect: http://$host/ https://$host/
+
+ pub.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_pub_sectigo
+ - snippets/tls
+ - server_name: pub.syscid.com
+ - root: /srv/www/pub
+ - autoindex: 'on'
+
+ takahe.conf:
+ config:
+ {%- macro takahe_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_takahe
+ - snippets/tls
+ - snippets/robots
+ - snippets/error
+ {%- endmacro %}
+ {%- macro takahe_gohome() %}
+ - location = /:
+ - return: 302 https://social.liberta.casa
+ {%- endmacro %}
+ {%- set takaheresolver = '- resolver: ' ~ '\'' ~ resolver ~ ' ipv4=off ipv6=on valid=24h\'' -%}
+ {#- Main #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: social.liberta.casa
+ - location /:
+ - proxy_pass: {{ backend.takahe }}
+ {#- does not need X-Real-IP, to-do: add conditional to macro #}
+ {{ proxyheaders2() }}
+ {{ takaheresolver }}
+ {#- Media #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: social.load.casa
+ {{ takahe_gohome() }}
+ - location /:
+ - proxy_pass: http://media.takahe.rigel.lysergic.dev:8001
+ {{ takaheresolver }}
+ {#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: despair.life
+ {{ takahe_gohome() }}
+ {#- if someone clicks "Log in" on despair.life, the SAML IDP (Keycloak) would redirect back to despair.life, which breaks the session cookie originating from social.liberta.casa (Django only allows a single "cookie domain" - hence we rewrite the login endpoints to handle sessions exclusively via social.liberta.casa #}
+ {%- for talopath in ['auth', 'saml2'] %}
+ - location /{{ talopath }}:
+ - rewrite: ^/(.*) https://social.liberta.casa/$1 redirect
+ {%- endfor %}
+ - location /:
+ - proxy_pass: {{ backend.takahe }}
+ {{ proxyheaders2() }}
+ {{ takaheresolver }}
+ {#- exhausted.life (secondary domain in Takahe) #}
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_exhaustedlife
+ - snippets/tls
+ - snippets/robots
+ - snippets/error
+ - server_name: exhausted.life
+ {{ takahe_gohome() }}
+ - location /.well-known/:
+ - proxy_pass: {{ backend.takahe }}
+ - sub_filter_types: application/xml
+ - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life
+
--
cgit v1.2.3
From 785986d2acc45ddb5451dffc1840b13accdd871c Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 12:07:13 +0100
Subject: Enable syntax highlighting
Initially for .sls and .jinja/.j2 files - we can add others later on if
needed.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
.gitattributes | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .gitattributes
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f086e49
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+*.sls gitlab-language=jinja?parent=yaml
+*.jinja gitlab-language=jinja
+*.j2 gitlab-language=jinja
--
cgit v1.2.3
From 5e02090bc6037ac2e30190d97c3717c3fee01f96 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 14:29:25 +0100
Subject: web-proxy: add firewall configuration
Allow internal http and https to pass on web proxies.
To-do: logic for web proxies directly attached to the internet.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/role/web-proxy.sls | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pillar/role/web-proxy.sls b/pillar/role/web-proxy.sls
index 1b7497c..2adc81c 100644
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@@ -28,4 +28,9 @@ nginx:
{%- endfor %}
{%- endif %}
-
+firewalld:
+ zones:
+ internal:
+ services:
+ - http
+ - https
--
cgit v1.2.3