From eed4945a9f6981041260a593fde7bc54150c0740 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 00:10:17 +0100
Subject: nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/cluster/denc/web-proxy.sls | 149 ++++++++++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
create mode 100644 pillar/cluster/denc/web-proxy.sls
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
new file mode 100644
index 0000000..4cf84ab
--- /dev/null
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -0,0 +1,149 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
+
+nginx:
+ snippets:
+ listen_ha:
+ - listen:
+ - 81.16.19.62:443 ssl http2
+ - '[2a03:4000:20:21f::]:443 ssl http2'
+ proxy:
+ - proxy_set_header:
+ - Host $host
+ - X-Real-IP $remote_addr
+ - X-Forwarded-For $proxy_add_x_forwarded_for
+ - X-Forwarded-Host $host
+ - X-Forwarded-Server $host
+ - X-Forwarded-Port $server_port
+ - X-Forwarded-Proto $scheme
+ - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+ tls:
+ - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+ {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
+ {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+ - include: snippets/tls
+ tls_syscidsso:
+ - ssl_trusted_certificate: {{ trustcrt }}
+ - ssl_client_certificate: {{ trustcrt }}
+ - ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
+ - ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
+ - ssl_ocsp: 'on'
+ - ssl_ocsp_responder: {{ stapler }}
+ - ssl_stapling: 'on'
+ - ssl_stapling_responder: {{ stapler }}
+ - ssl_stapling_verify: 'on'
+ - ssl_verify_client: 'on'
+ - resolver: {{ resolver }} ipv6=off
+ - include: snippets.d/tls
+
+ servers:
+ managed:
+ jboss-cluster.conf:
+ available_dir: /etc/nginx/conf.d
+ config:
+ - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+ - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+ - upstream jboss:
+ - ip: hash
+ - server:
+ - theia.backend.syscid.com:8443
+ - orpheus.backend.syscid.com:8443
+ - selene.backend.syscid.com:8443
+
+ bookstack.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libertacasa
+ - server_name: libertacasa.info libcasa.info
+ - location /:
+ - proxy_pass: https://bookstack.themis.backend.syscid.com
+ - proxy_http_version: 1.1
+ - client_max_body_size: 20M
+
+ http.conf:
+ config:
+ - server:
+ - listen:
+ - 81.16.19.62:80 default_server
+ - '[2a03:4000:20:21f::]:80 default_server'
+ - include: snippets/robots
+ - location /:
+ - return: 301 https://$host$request_uri
+
+ privatebin.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - server_name: pasta.lysergic.dev
+ - location /:
+ - proxy_pass: https://privatebin.themis.backend.syscid.com
+ - proxy_http_version: 1.1
+ - client_max_body_size: 50M
+
+ sso_private.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_syscidsso
+ - server_name: sso.syscid.com
+ - root: /srv/www/sso.syscid.com
+ - location = /: []
+ - location /index.html: []
+ - location /:
+ - proxy_pass: https://jboss
+ - proxy_cache: cache_sso_private
+ - include: snippets/proxy
+ - proxy_buffer_size: 256k
+ - proxy_buffers: 4 512k
+ - proxy_busy_buffers_size: 512k
+ - error_log: /var/log/nginx/sso_private.error.log
+ - access_log: /var/log/nginx/sso_private.access.log combined
+
+ sso_public.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libsso
+ - server_name: sso.casa www.sso.casa
+ - location /:
+ - root: /srv/www/sso.casa
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libsso
+ - server_name: libsso.net www.libsso.net
+ - location /:
+ - root: /srv/www/libsso.net
+ - location /auth: {#- compat, consider removing #}
+ - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+ {%- for path in ['realms', 'resources', 'js'] %}
+ - location /{{ path }}:
+ - proxy_pass: https://jboss/{{ path }}
+ - proxy_cache: cache_sso_public
+ {#- - proxy_ssl_verify: on #to-do: enable this #}
+ - include: snippets/proxy
+ {%- endfor %}
+ {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+ - location /{{ path }}:
+ - return: https://liberta.casa/
+ {%- endfor %}
+ - proxy_buffer_size: 256k
+ - proxy_buffers: 4 512k
+ - proxy_busy_buffers_size: 512k
+ - error_log: /var/log/nginx/libsso_public.error.log
+ - access_log: /var/log/nginx/libsso_public.access.log combined
--
cgit v1.2.3
From a0a21a17dbde293b3f665a99998cf88c38b8d07b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 00:11:36 +0100
Subject: nemesis/hubris: include denc.web-proxy
Add shared nginx configuration to nemesis/hubris HA pair nodes.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/id/hubris_lysergic_dev.sls | 2 ++
pillar/id/nemesis_lysergic_dev.sls | 2 ++
2 files changed, 4 insertions(+)
create mode 100644 pillar/id/hubris_lysergic_dev.sls
create mode 100644 pillar/id/nemesis_lysergic_dev.sls
diff --git a/pillar/id/hubris_lysergic_dev.sls b/pillar/id/hubris_lysergic_dev.sls
new file mode 100644
index 0000000..5794a34
--- /dev/null
+++ b/pillar/id/hubris_lysergic_dev.sls
@@ -0,0 +1,2 @@
+include:
+ - cluster.denc.web-proxy
diff --git a/pillar/id/nemesis_lysergic_dev.sls b/pillar/id/nemesis_lysergic_dev.sls
new file mode 100644
index 0000000..5794a34
--- /dev/null
+++ b/pillar/id/nemesis_lysergic_dev.sls
@@ -0,0 +1,2 @@
+include:
+ - cluster.denc.web-proxy
--
cgit v1.2.3
From 303b06ae8cae4167bca6bafca71d226b32379941 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 20:52:57 +0100
Subject: nemesis/hubris: import keepalived configuration
Add shared configuration to cluster.denc.web-proxy.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/cluster/denc/web-proxy.sls | 65 ++++++++++++++++++++++++++++++++++++---
1 file changed, 61 insertions(+), 4 deletions(-)
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 4cf84ab..923369e 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -2,13 +2,70 @@
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+ config:
+ global_defs:
+ notification_email:
+ - system@lysergic.dev
+ notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+ smtp_server: {{ mailer }}
+ smtp_connect_timeout: 30
+ router_id: SSO_FO
+ vrrp_script:
+ check_nginx_port:
+ script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+ weight: 5
+ interval: 3
+ timeout: 3
+ check_nginx_process:
+ {#- this is not a good check but better than nothing #}
+ script: '"/usr/bin/pgrep nginx"'
+ weight: 4
+ interval: 2
+ timeout: 10
+ check_useless_process:
+ {#- this is only used for debugging #}
+ script: '"/usr/bin/pgrep useless.sh"'
+ weight: 4
+ interval: 2
+ timeout: 3
+ vrrp_instance:
+ DENCWC:
+ state: MASTER
+ interface: eth1
+ priority: 100
+ virtual_router_id: 100
+ advert_int: 5
+ smtp_alert: true
+ notify_master: '"/usr/local/bin/failover --all"'
+ promote_secondaries: true
+ mcast_src_ip: 192.168.0.50
+ authentication:
+ auth_type: PASS
+ auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+ virtual_ipaddress:
+ - {{ ha4 }}/32 dev eth0 label failover
+ virtual_ipaddress_excluded:
+ - {{ ha6 }}/64 dev eth0
+ {%- for i in [1, 2, 3] %}
+ - {{ ha6 }}{{ i }}/64 dev eth0
+ {%- endfor %}
+ track_script:
+ {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+ - check_nginx_process
+ track_interface:
+ - eth0
nginx:
snippets:
listen_ha:
- listen:
- - 81.16.19.62:443 ssl http2
- - '[2a03:4000:20:21f::]:443 ssl http2'
+ - {{ ha4 }}:443 ssl http2
+ - '[{{ ha6 }}]:443 ssl http2'
proxy:
- proxy_set_header:
- Host $host
@@ -75,8 +132,8 @@ nginx:
config:
- server:
- listen:
- - 81.16.19.62:80 default_server
- - '[2a03:4000:20:21f::]:80 default_server'
+ - {{ ha4 }}:80 default_server
+ - '[{{ ha6 }}]:80 default_server'
- include: snippets/robots
- location /:
- return: 301 https://$host$request_uri
--
cgit v1.2.3
From f08bda4256f7c71899c45ea8b5ad73c67f77ae9a Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 21:19:37 +0100
Subject: Add netcup_failover profile
Profile managing a Netcup IP address failover script for use with
keepalived.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
salt/profile/netcup_failover/README.md | 14 +++
salt/profile/netcup_failover/files/failover.sh.j2 | 109 ++++++++++++++++++++++
salt/profile/netcup_failover/init.sls | 10 ++
3 files changed, 133 insertions(+)
create mode 100644 salt/profile/netcup_failover/README.md
create mode 100755 salt/profile/netcup_failover/files/failover.sh.j2
create mode 100644 salt/profile/netcup_failover/init.sls
diff --git a/salt/profile/netcup_failover/README.md b/salt/profile/netcup_failover/README.md
new file mode 100644
index 0000000..fc01bfb
--- /dev/null
+++ b/salt/profile/netcup_failover/README.md
@@ -0,0 +1,14 @@
+This profile installs a script switching failover IP addresses between Netcup hosted VM's.
+
+Required pillar:
+
+```
+profile:
+ netcup_failover:
+ scp_user: 12345
+ scp_pass: xxxx
+ scp_server: v9876
+ mac_address: ff:ff:ff:ff:ff
+ ip4_address: xx.xx.xx.xx/32
+ ip6_address: 'foo:bar::/64'
+```
diff --git a/salt/profile/netcup_failover/files/failover.sh.j2 b/salt/profile/netcup_failover/files/failover.sh.j2
new file mode 100755
index 0000000..92ebd31
--- /dev/null
+++ b/salt/profile/netcup_failover/files/failover.sh.j2
@@ -0,0 +1,109 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set mypillar = salt['pillar.get']('profile:netcup_failover') -%}
+#!/bin/sh
+# Floating IP switching script utilizing the Netcup API
+
+{{ header }}
+
+SCP_USER='{{ mypillar['scp_user'] }}'
+SCP_PASS='{{ mypillar['scp_pass'] }}'
+SCP_SERVER='{{ mypillar['scp_server'] }}'
+MAC='{{ mypillar['mac_address'] }}'
+IP_v4='{{ mypillar['ip4_address'] }}'
+IP_v6='{{ mypillar['ip6_address'] }}'
+
+URL="https://www.servercontrolpanel.de/WSEndUser?xsd=1" ### ?xsd=1 ?wsdl
+
+usage () {
+ echo "$0 [--ipv4 | --ipv6 | --all] [--debug]"
+ exit 2
+}
+
+init () {
+ construct "$1"
+ run
+ parse
+}
+
+construct () {
+ if [ "$1" = "ip4" ];
+ then
+ local IP="$IP_v4"
+ fi
+ if [ "$1" = "ip6" ];
+ then
+ local IP="$IP_v6"
+ fi
+ local CIDR="${IP#*/}"
+ local IP="`echo $IP | sed "s?/$CIDR??"`"
+ if [ "$DEBUG" = "true" ];
+ then
+ echo "[DEBUG] Initiating: $1"
+ echo "[DEBUG] IP Address: $IP"
+ echo "[DEBUG] CIDR Mask: $CIDR"
+ fi
+ XML_BODY="<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:ns1='http://enduser.service.web.vcp.netcup.de/'><SOAP-ENV:Body><ns1:changeIPRouting><loginName>$SCP_USER</loginName><password>$SCP_PASS</password><routedIP>$IP</routedIP><routedMask>$CIDR</routedMask><destinationVserverName>$SCP_SERVER</destinationVserverName><destinationInterfaceMAC>$MAC</destinationInterfaceMAC></ns1:changeIPRouting></SOAP-ENV:Body></SOAP-ENV:Envelope>"
+ if [ "$DEBUG" = "true" ];
+ then
+ echo "[DEBUG] Payload: $XML_BODY"
+ fi
+}
+
+request () {
+ curl -s -H 'Content-Type: text/xml' -H 'SOAPAction:' -d "$XML_BODY" -X POST "$URL"
+}
+
+run () {
+ RESPONSE=`request`
+ if [ "$DEBUG" = "true" ];
+ then
+ echo "[DEBUG] Response: $RESPONSE"
+ fi
+
+}
+
+parse () {
+ local IFS='&'
+ local check_invalid="validation error&IP already assigned&true"
+ for check in $check_invalid;
+ do
+ if [ "$DEBUG" = "true" ];
+ then
+ echo "[DEBUG] Parsing: $check"
+ fi
+ if [ "${RESPONSE#*$check}" = "$RESPONSE" ];
+ then
+ result="Not found"
+ fi
+ if [ "${RESPONSE#*$check}" != "$RESPONSE" ];
+ then
+ result="Found"
+ fi
+ echo "Check for \"$check\": $result"
+ done
+}
+
+MODE="$1"
+
+if [ "$2" = "--debug" ];
+then
+ DEBUG="true"
+ echo "[DEBUG] Script invoked at `date`"
+fi
+
+case "$MODE" in
+ "--ipv4" )
+ init ip4
+ ;;
+ "--ipv6" )
+ init ip6
+ ;;
+ "--all" )
+ init ip6
+ init ip4
+ ;;
+ * )
+ usage
+ ;;
+esac
+
diff --git a/salt/profile/netcup_failover/init.sls b/salt/profile/netcup_failover/init.sls
new file mode 100644
index 0000000..c4d5679
--- /dev/null
+++ b/salt/profile/netcup_failover/init.sls
@@ -0,0 +1,10 @@
+include:
+ - profile.keepalived_script_user
+
+/usr/local/bin/failover:
+ file.managed:
+ - user: keepalived_script
+ - group: wheel
+ - mode: 750
+ - template: jinja
+ - source: salt://{{ slspath }}/files/failover.sh.j2
--
cgit v1.2.3
From af2c5b00611388e8580f42f984a97eba943b0c1f Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 21:20:56 +0100
Subject: Add keepalived_script_user profile
Short profile source from other profiles requiring the keepalived_script
user to be present.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
salt/profile/keepalived_script_user/init.sls | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 salt/profile/keepalived_script_user/init.sls
diff --git a/salt/profile/keepalived_script_user/init.sls b/salt/profile/keepalived_script_user/init.sls
new file mode 100644
index 0000000..6f7e13c
--- /dev/null
+++ b/salt/profile/keepalived_script_user/init.sls
@@ -0,0 +1,7 @@
+keepalived_script_user:
+ user.present:
+ - name: keepalived_script
+ - createhome: False
+ - home: /var/lib/keepalived
+ - shell: /usr/sbin/nologin
+ - system: True
--
cgit v1.2.3
From 0581510c1065a30e0fe8722181f862676e6cd9a2 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 21:21:46 +0100
Subject: Add ha-netcup role
Role managing the Netcup IP failover script plus keepalived.
Requires ha-node role introduced via a8bbe056f1.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
salt/role/ha-netcup.sls | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 salt/role/ha-netcup.sls
diff --git a/salt/role/ha-netcup.sls b/salt/role/ha-netcup.sls
new file mode 100644
index 0000000..e963c0a
--- /dev/null
+++ b/salt/role/ha-netcup.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.netcup_failover
+ - role.ha-node
--
cgit v1.2.3
From bef66c1f8a5500a24ae41286c3f377c07f47cd30 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 05:54:20 +0100
Subject: ha-node: allow vrrp in firewall
Needed for keepalived operation.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/role/ha-netcup.sls | 2 ++
pillar/role/ha-node.sls | 5 +++++
2 files changed, 7 insertions(+)
create mode 100644 pillar/role/ha-netcup.sls
create mode 100644 pillar/role/ha-node.sls
diff --git a/pillar/role/ha-netcup.sls b/pillar/role/ha-netcup.sls
new file mode 100644
index 0000000..6c2e9a8
--- /dev/null
+++ b/pillar/role/ha-netcup.sls
@@ -0,0 +1,2 @@
+include:
+ - role.ha-node
diff --git a/pillar/role/ha-node.sls b/pillar/role/ha-node.sls
new file mode 100644
index 0000000..d52076a
--- /dev/null
+++ b/pillar/role/ha-node.sls
@@ -0,0 +1,5 @@
+firewalld:
+ zones:
+ internal:
+ services:
+ - vrrp
--
cgit v1.2.3
From c5ce94d7b5217265cc50b6aa98a2074f4885d5eb Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 06:04:16 +0100
Subject: Manage backend firewall zone
Configure backend firewall zones if applicable. Allow all UDP for
cluster traffic.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
pillar/global/init.sls | 4 ++++
pillar/role/ha-node.sls | 3 +++
2 files changed, 7 insertions(+)
diff --git a/pillar/global/init.sls b/pillar/global/init.sls
index 5b174bf..c35306c 100644
--- a/pillar/global/init.sls
+++ b/pillar/global/init.sls
@@ -26,6 +26,10 @@ firewalld:
public:
short: Public
{{ firewall_interfaces(public) }}
+ {%- if backend | length %}
+ backend:
+ {{ firewall_interfaces(backend) }}
+ {%- endif %}
{%- endif %}
mine_functions:
diff --git a/pillar/role/ha-node.sls b/pillar/role/ha-node.sls
index d52076a..137e1af 100644
--- a/pillar/role/ha-node.sls
+++ b/pillar/role/ha-node.sls
@@ -3,3 +3,6 @@ firewalld:
internal:
services:
- vrrp
+ backend:
+ protocols:
+ - udp
--
cgit v1.2.3