From eed4945a9f6981041260a593fde7bc54150c0740 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 00:10:17 +0100 Subject: nemesis/hubris: import nginx configuration Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter --- pillar/cluster/denc/web-proxy.sls | 149 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 pillar/cluster/denc/web-proxy.sls diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls new file mode 100644 index 0000000..4cf84ab --- /dev/null +++ b/pillar/cluster/denc/web-proxy.sls @@ -0,0 +1,149 @@ +{%- from 'map.jinja' import nginx_crtkeypair -%} +{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%} +{%- set stapler = 'http://gaia.syscid.com:8900/' -%} +{%- set resolver = '192.168.0.115' -%} + +nginx: + snippets: + listen_ha: + - listen: + - 81.16.19.62:443 ssl http2 + - '[2a03:4000:20:21f::]:443 ssl http2' + proxy: + - proxy_set_header: + - Host $host + - X-Real-IP $remote_addr + - X-Forwarded-For $proxy_add_x_forwarded_for + - X-Forwarded-Host $host + - X-Forwarded-Server $host + - X-Forwarded-Port $server_port + - X-Forwarded-Proto $scheme + - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt + tls: + - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + + {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #} + {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }} + - include: snippets/tls + {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }} + - include: snippets/tls + {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }} + - include: snippets/tls + {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }} + - include: snippets/tls + tls_syscidsso: + - ssl_trusted_certificate: {{ trustcrt }} + - ssl_client_certificate: {{ trustcrt }} + - ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt + - ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key + - ssl_ocsp: 'on' + - ssl_ocsp_responder: {{ stapler }} + - ssl_stapling: 'on' + - ssl_stapling_responder: {{ stapler }} + - ssl_stapling_verify: 'on' + - ssl_verify_client: 'on' + - resolver: {{ resolver }} ipv6=off + - include: snippets.d/tls + + servers: + managed: + jboss-cluster.conf: + available_dir: /etc/nginx/conf.d + config: + - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m + - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m + - upstream jboss: + - ip: hash + - server: + - theia.backend.syscid.com:8443 + - orpheus.backend.syscid.com:8443 + - selene.backend.syscid.com:8443 + + bookstack.conf: + config: + - server: + - include: + - snippets/listen + - snippets/tls_libertacasa + - server_name: libertacasa.info libcasa.info + - location /: + - proxy_pass: https://bookstack.themis.backend.syscid.com + - proxy_http_version: 1.1 + - client_max_body_size: 20M + + http.conf: + config: + - server: + - listen: + - 81.16.19.62:80 default_server + - '[2a03:4000:20:21f::]:80 default_server' + - include: snippets/robots + - location /: + - return: 301 https://$host$request_uri + + privatebin.conf: + config: + - server: + - include: + - snippets/listen + - snippets/tls_lysergic + - server_name: pasta.lysergic.dev + - location /: + - proxy_pass: https://privatebin.themis.backend.syscid.com + - proxy_http_version: 1.1 + - client_max_body_size: 50M + + sso_private.conf: + config: + - server: + - include: + - snippets/listen + - snippets/tls_syscidsso + - server_name: sso.syscid.com + - root: /srv/www/sso.syscid.com + - location = /: [] + - location /index.html: [] + - location /: + - proxy_pass: https://jboss + - proxy_cache: cache_sso_private + - include: snippets/proxy + - proxy_buffer_size: 256k + - proxy_buffers: 4 512k + - proxy_busy_buffers_size: 512k + - error_log: /var/log/nginx/sso_private.error.log + - access_log: /var/log/nginx/sso_private.access.log combined + + sso_public.conf: + config: + - server: + - include: + - snippets/listen + - snippets/tls_libsso + - server_name: sso.casa www.sso.casa + - location /: + - root: /srv/www/sso.casa + - server: + - include: + - snippets/listen + - snippets/tls_libsso + - server_name: libsso.net www.libsso.net + - location /: + - root: /srv/www/libsso.net + - location /auth: {#- compat, consider removing #} + - rewrite: '^/auth(.*)$ https://libsso.net$1 break' + {%- for path in ['realms', 'resources', 'js'] %} + - location /{{ path }}: + - proxy_pass: https://jboss/{{ path }} + - proxy_cache: cache_sso_public + {#- - proxy_ssl_verify: on #to-do: enable this #} + - include: snippets/proxy + {%- endfor %} + {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %} + - location /{{ path }}: + - return: https://liberta.casa/ + {%- endfor %} + - proxy_buffer_size: 256k + - proxy_buffers: 4 512k + - proxy_busy_buffers_size: 512k + - error_log: /var/log/nginx/libsso_public.error.log + - access_log: /var/log/nginx/libsso_public.access.log combined -- cgit v1.2.3 From a0a21a17dbde293b3f665a99998cf88c38b8d07b Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 00:11:36 +0100 Subject: nemesis/hubris: include denc.web-proxy Add shared nginx configuration to nemesis/hubris HA pair nodes. Signed-off-by: Georg Pfuetzenreuter --- pillar/id/hubris_lysergic_dev.sls | 2 ++ pillar/id/nemesis_lysergic_dev.sls | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 pillar/id/hubris_lysergic_dev.sls create mode 100644 pillar/id/nemesis_lysergic_dev.sls diff --git a/pillar/id/hubris_lysergic_dev.sls b/pillar/id/hubris_lysergic_dev.sls new file mode 100644 index 0000000..5794a34 --- /dev/null +++ b/pillar/id/hubris_lysergic_dev.sls @@ -0,0 +1,2 @@ +include: + - cluster.denc.web-proxy diff --git a/pillar/id/nemesis_lysergic_dev.sls b/pillar/id/nemesis_lysergic_dev.sls new file mode 100644 index 0000000..5794a34 --- /dev/null +++ b/pillar/id/nemesis_lysergic_dev.sls @@ -0,0 +1,2 @@ +include: + - cluster.denc.web-proxy -- cgit v1.2.3 From 303b06ae8cae4167bca6bafca71d226b32379941 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 20:52:57 +0100 Subject: nemesis/hubris: import keepalived configuration Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter --- pillar/cluster/denc/web-proxy.sls | 65 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 61 insertions(+), 4 deletions(-) diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls index 4cf84ab..923369e 100644 --- a/pillar/cluster/denc/web-proxy.sls +++ b/pillar/cluster/denc/web-proxy.sls @@ -2,13 +2,70 @@ {%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%} {%- set stapler = 'http://gaia.syscid.com:8900/' -%} {%- set resolver = '192.168.0.115' -%} +{%- set mailer = '192.168.0.120' -%} +{%- set ha4 = '81.16.19.62' -%} +{%- set ha6 = '2a03:4000:20:21f::' -%} + +keepalived: + config: + global_defs: + notification_email: + - system@lysergic.dev + notification_email_from: failover@{{ grains['host'] }}.lysergic.dev + smtp_server: {{ mailer }} + smtp_connect_timeout: 30 + router_id: SSO_FO + vrrp_script: + check_nginx_port: + script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"' + weight: 5 + interval: 3 + timeout: 3 + check_nginx_process: + {#- this is not a good check but better than nothing #} + script: '"/usr/bin/pgrep nginx"' + weight: 4 + interval: 2 + timeout: 10 + check_useless_process: + {#- this is only used for debugging #} + script: '"/usr/bin/pgrep useless.sh"' + weight: 4 + interval: 2 + timeout: 3 + vrrp_instance: + DENCWC: + state: MASTER + interface: eth1 + priority: 100 + virtual_router_id: 100 + advert_int: 5 + smtp_alert: true + notify_master: '"/usr/local/bin/failover --all"' + promote_secondaries: true + mcast_src_ip: 192.168.0.50 + authentication: + auth_type: PASS + auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'} + virtual_ipaddress: + - {{ ha4 }}/32 dev eth0 label failover + virtual_ipaddress_excluded: + - {{ ha6 }}/64 dev eth0 + {%- for i in [1, 2, 3] %} + - {{ ha6 }}{{ i }}/64 dev eth0 + {%- endfor %} + track_script: + {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #} + - check_nginx_process + track_interface: + - eth0 nginx: snippets: listen_ha: - listen: - - 81.16.19.62:443 ssl http2 - - '[2a03:4000:20:21f::]:443 ssl http2' + - {{ ha4 }}:443 ssl http2 + - '[{{ ha6 }}]:443 ssl http2' proxy: - proxy_set_header: - Host $host @@ -75,8 +132,8 @@ nginx: config: - server: - listen: - - 81.16.19.62:80 default_server - - '[2a03:4000:20:21f::]:80 default_server' + - {{ ha4 }}:80 default_server + - '[{{ ha6 }}]:80 default_server' - include: snippets/robots - location /: - return: 301 https://$host$request_uri -- cgit v1.2.3 From f08bda4256f7c71899c45ea8b5ad73c67f77ae9a Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 21:19:37 +0100 Subject: Add netcup_failover profile Profile managing a Netcup IP address failover script for use with keepalived. Signed-off-by: Georg Pfuetzenreuter --- salt/profile/netcup_failover/README.md | 14 +++ salt/profile/netcup_failover/files/failover.sh.j2 | 109 ++++++++++++++++++++++ salt/profile/netcup_failover/init.sls | 10 ++ 3 files changed, 133 insertions(+) create mode 100644 salt/profile/netcup_failover/README.md create mode 100755 salt/profile/netcup_failover/files/failover.sh.j2 create mode 100644 salt/profile/netcup_failover/init.sls diff --git a/salt/profile/netcup_failover/README.md b/salt/profile/netcup_failover/README.md new file mode 100644 index 0000000..fc01bfb --- /dev/null +++ b/salt/profile/netcup_failover/README.md @@ -0,0 +1,14 @@ +This profile installs a script switching failover IP addresses between Netcup hosted VM's. + +Required pillar: + +``` +profile: + netcup_failover: + scp_user: 12345 + scp_pass: xxxx + scp_server: v9876 + mac_address: ff:ff:ff:ff:ff + ip4_address: xx.xx.xx.xx/32 + ip6_address: 'foo:bar::/64' +``` diff --git a/salt/profile/netcup_failover/files/failover.sh.j2 b/salt/profile/netcup_failover/files/failover.sh.j2 new file mode 100755 index 0000000..92ebd31 --- /dev/null +++ b/salt/profile/netcup_failover/files/failover.sh.j2 @@ -0,0 +1,109 @@ +{%- set header = salt['pillar.get']('managed_header_pound') -%} +{%- set mypillar = salt['pillar.get']('profile:netcup_failover') -%} +#!/bin/sh +# Floating IP switching script utilizing the Netcup API + +{{ header }} + +SCP_USER='{{ mypillar['scp_user'] }}' +SCP_PASS='{{ mypillar['scp_pass'] }}' +SCP_SERVER='{{ mypillar['scp_server'] }}' +MAC='{{ mypillar['mac_address'] }}' +IP_v4='{{ mypillar['ip4_address'] }}' +IP_v6='{{ mypillar['ip6_address'] }}' + +URL="https://www.servercontrolpanel.de/WSEndUser?xsd=1" ### ?xsd=1 ?wsdl + +usage () { + echo "$0 [--ipv4 | --ipv6 | --all] [--debug]" + exit 2 +} + +init () { + construct "$1" + run + parse +} + +construct () { + if [ "$1" = "ip4" ]; + then + local IP="$IP_v4" + fi + if [ "$1" = "ip6" ]; + then + local IP="$IP_v6" + fi + local CIDR="${IP#*/}" + local IP="`echo $IP | sed "s?/$CIDR??"`" + if [ "$DEBUG" = "true" ]; + then + echo "[DEBUG] Initiating: $1" + echo "[DEBUG] IP Address: $IP" + echo "[DEBUG] CIDR Mask: $CIDR" + fi + XML_BODY="$SCP_USER$SCP_PASS$IP$CIDR$SCP_SERVER$MAC" + if [ "$DEBUG" = "true" ]; + then + echo "[DEBUG] Payload: $XML_BODY" + fi +} + +request () { + curl -s -H 'Content-Type: text/xml' -H 'SOAPAction:' -d "$XML_BODY" -X POST "$URL" +} + +run () { + RESPONSE=`request` + if [ "$DEBUG" = "true" ]; + then + echo "[DEBUG] Response: $RESPONSE" + fi + +} + +parse () { + local IFS='&' + local check_invalid="validation error&IP already assigned&true" + for check in $check_invalid; + do + if [ "$DEBUG" = "true" ]; + then + echo "[DEBUG] Parsing: $check" + fi + if [ "${RESPONSE#*$check}" = "$RESPONSE" ]; + then + result="Not found" + fi + if [ "${RESPONSE#*$check}" != "$RESPONSE" ]; + then + result="Found" + fi + echo "Check for \"$check\": $result" + done +} + +MODE="$1" + +if [ "$2" = "--debug" ]; +then + DEBUG="true" + echo "[DEBUG] Script invoked at `date`" +fi + +case "$MODE" in + "--ipv4" ) + init ip4 + ;; + "--ipv6" ) + init ip6 + ;; + "--all" ) + init ip6 + init ip4 + ;; + * ) + usage + ;; +esac + diff --git a/salt/profile/netcup_failover/init.sls b/salt/profile/netcup_failover/init.sls new file mode 100644 index 0000000..c4d5679 --- /dev/null +++ b/salt/profile/netcup_failover/init.sls @@ -0,0 +1,10 @@ +include: + - profile.keepalived_script_user + +/usr/local/bin/failover: + file.managed: + - user: keepalived_script + - group: wheel + - mode: 750 + - template: jinja + - source: salt://{{ slspath }}/files/failover.sh.j2 -- cgit v1.2.3 From af2c5b00611388e8580f42f984a97eba943b0c1f Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 21:20:56 +0100 Subject: Add keepalived_script_user profile Short profile source from other profiles requiring the keepalived_script user to be present. Signed-off-by: Georg Pfuetzenreuter --- salt/profile/keepalived_script_user/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/profile/keepalived_script_user/init.sls diff --git a/salt/profile/keepalived_script_user/init.sls b/salt/profile/keepalived_script_user/init.sls new file mode 100644 index 0000000..6f7e13c --- /dev/null +++ b/salt/profile/keepalived_script_user/init.sls @@ -0,0 +1,7 @@ +keepalived_script_user: + user.present: + - name: keepalived_script + - createhome: False + - home: /var/lib/keepalived + - shell: /usr/sbin/nologin + - system: True -- cgit v1.2.3 From 0581510c1065a30e0fe8722181f862676e6cd9a2 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 8 Feb 2023 21:21:46 +0100 Subject: Add ha-netcup role Role managing the Netcup IP failover script plus keepalived. Requires ha-node role introduced via a8bbe056f1. Signed-off-by: Georg Pfuetzenreuter --- salt/role/ha-netcup.sls | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 salt/role/ha-netcup.sls diff --git a/salt/role/ha-netcup.sls b/salt/role/ha-netcup.sls new file mode 100644 index 0000000..e963c0a --- /dev/null +++ b/salt/role/ha-netcup.sls @@ -0,0 +1,3 @@ +include: + - profile.netcup_failover + - role.ha-node -- cgit v1.2.3 From bef66c1f8a5500a24ae41286c3f377c07f47cd30 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 12 Feb 2023 05:54:20 +0100 Subject: ha-node: allow vrrp in firewall Needed for keepalived operation. Signed-off-by: Georg Pfuetzenreuter --- pillar/role/ha-netcup.sls | 2 ++ pillar/role/ha-node.sls | 5 +++++ 2 files changed, 7 insertions(+) create mode 100644 pillar/role/ha-netcup.sls create mode 100644 pillar/role/ha-node.sls diff --git a/pillar/role/ha-netcup.sls b/pillar/role/ha-netcup.sls new file mode 100644 index 0000000..6c2e9a8 --- /dev/null +++ b/pillar/role/ha-netcup.sls @@ -0,0 +1,2 @@ +include: + - role.ha-node diff --git a/pillar/role/ha-node.sls b/pillar/role/ha-node.sls new file mode 100644 index 0000000..d52076a --- /dev/null +++ b/pillar/role/ha-node.sls @@ -0,0 +1,5 @@ +firewalld: + zones: + internal: + services: + - vrrp -- cgit v1.2.3 From c5ce94d7b5217265cc50b6aa98a2074f4885d5eb Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 12 Feb 2023 06:04:16 +0100 Subject: Manage backend firewall zone Configure backend firewall zones if applicable. Allow all UDP for cluster traffic. Signed-off-by: Georg Pfuetzenreuter --- pillar/global/init.sls | 4 ++++ pillar/role/ha-node.sls | 3 +++ 2 files changed, 7 insertions(+) diff --git a/pillar/global/init.sls b/pillar/global/init.sls index 5b174bf..c35306c 100644 --- a/pillar/global/init.sls +++ b/pillar/global/init.sls @@ -26,6 +26,10 @@ firewalld: public: short: Public {{ firewall_interfaces(public) }} + {%- if backend | length %} + backend: + {{ firewall_interfaces(backend) }} + {%- endif %} {%- endif %} mine_functions: diff --git a/pillar/role/ha-node.sls b/pillar/role/ha-node.sls index d52076a..137e1af 100644 --- a/pillar/role/ha-node.sls +++ b/pillar/role/ha-node.sls @@ -3,3 +3,6 @@ firewalld: internal: services: - vrrp + backend: + protocols: + - udp -- cgit v1.2.3