From 96daffc9798c8afcae5de49b386cb8483909f071 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:01:00 +0100
Subject: Add privatebin profile+role
Signed-off-by: Georg Pfuetzenreuter
---
salt/profile/privatebin/init.sls | 55 ++++++++++++++++++++++++++++++++++++++++
salt/role/privatebin.sls | 4 +++
2 files changed, 59 insertions(+)
create mode 100644 salt/profile/privatebin/init.sls
create mode 100644 salt/role/privatebin.sls
diff --git a/salt/profile/privatebin/init.sls b/salt/profile/privatebin/init.sls
new file mode 100644
index 0000000..7b9c036
--- /dev/null
+++ b/salt/profile/privatebin/init.sls
@@ -0,0 +1,55 @@
+{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
+{%- set confdir = '/etc/PrivateBin' -%}
+{%- set configfile = confdir ~ '/conf.php' -%}
+
+privatebin_packages:
+ pkg.installed:
+ - names:
+ - PrivateBin-config-httpd
+
+privatebin_clean:
+ file.directory:
+ - name: {{ confdir }}
+ - clean: True
+ - onchanges:
+ - pkg: privatebin_packages
+ - require:
+ - pkg: privatebin_packages
+
+{%- if mypillar | length %}
+{{ configfile }}:
+ ini.options_present:
+ - separator: '='
+ - strict: True
+ - sections:
+ {%- macro conf(section, options) %}
+ {%- for option in options.keys() -%}
+ {%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
+ {%- set value = mypillar[section][option] -%}
+ {%- else %}
+ {%- set value = mypillar[section][option] | quote -%}
+ {%- endif %}
+ {{ option }}: {{ value }}
+ {%- endfor -%}
+ {%- endmacro %}
+ {%- for section, options in mypillar.items() %}
+ {{ section }}:
+ {{ conf(section, options) }}
+ {%- endfor %}
+ - require:
+ - pkg: privatebin_packages
+ - watch:
+ - file: privatebin_clean
+ - watch_in:
+ - file: privatebin_permissions
+{%- endif %}
+
+privatebin_permissions:
+ file.managed:
+ - mode: '0640'
+ - user: wwwrun
+ - group: privatebin
+ - names:
+ - {{ configfile }}
+ - require:
+ - pkg: privatebin_packages
diff --git a/salt/role/privatebin.sls b/salt/role/privatebin.sls
new file mode 100644
index 0000000..ec8581d
--- /dev/null
+++ b/salt/role/privatebin.sls
@@ -0,0 +1,4 @@
+include:
+ - role.web.apache-httpd
+ - profile.privatebin
+ - php.fpm
-- cgit v1.2.3
From bf3aaa5ff112840a0d89b7df7bd8b85a45842eb0 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:01:17 +0100
Subject: id.themis: import PrivateBin configuration
Signed-off-by: Georg Pfuetzenreuter
---
pillar/id/themis_lysergic_dev.sls | 42 +++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
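Review bot: The `conf` macro quotes pillar strings with Salt's `quote` filter, which is shell (shlex-style) quoting rather than INI quoting: a value containing a single quote (an apostrophe in `notice`, or a database password) comes out as `'It'"'"'s'` and will not parse in conf.php, while values made only of shell-safe characters are left bare, which is the only reason `true`/`Bin` currently work. The `startswith('$')` exemption additionally writes any secret that happens to begin with `$` unquoted, where PHP's default INI scanner may try to interpolate `${...}`; if the exemption exists to pass unresolved pillar references through raw, say so with `{# values starting with '$' are written raw (deferred references); numbers/booleans stay bare; everything else is quoted #}` and consider an explicit INI-style double-quoting that rejects values containing the quote character instead of relying on `quote`. Separately, when `profile:privatebin` is empty the `ini.options_present` state is skipped but `privatebin_permissions` still runs `file.managed` on `{{ configfile }}`, which on a fresh host creates an empty 0640 conf.php; gating it on the same `{%- if mypillar | length %}` or adding `- create: False` avoids that.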
diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 0773f4f..81538e9 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -75,3 +75,45 @@ profile:
 saml2_group_attribute: groups
 saml2_remove_from_groups: true
 queue_connection: database
+
+ privatebin:
+ main:
+ name: Bin
+ fileupload: true
+ syntaxhighlightingtheme: sons-of-obsidian
+ sizelimit: 310485760
+ notice: 'Note: Kittens will die if you abuse this service.'
+ languageselection: true
+ urlshortener: ${'secret_privatebin:main:urlshortener'}
+ qrcode: true
+ expire:
+ default: 1week
+ expire_options:
+ 5min: 300
+ 10min: 600
+ 1hour: 3600
+ 1day: 86400
+ 1week: 604800
+ 1month: 2592000
+ 1year: 31536000
+ never: 0
+ formatter_options:
+ plaintext: Plain Text
+ syntaxhighlighting: Source Code
+ markdown: Markdown
+ traffic:
+ limit: 10
+ header: X_FORWARDED_FOR
+ dir: /var/lib/PrivateBin/limits
+ purge:
+ limit: 300
+ batchsize: 10
+ dir: /var/lib/PrivateBin/limits
+ model:
+ class: Database
+ model_options:
+ dsn: ${'secret_privatebin:model_options:dsn'}
+ tbl: privatebin_
+ usr: ${'secret_privatebin:model_options:usr'}
+ pwd: ${'secret_privatebin:model_options:pwd'}
+ opt[12]: true
-- cgit v1.2.3
From 4ff7a39f0ed24cf279347937f5b96aedfa2e8cce Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:21:32 +0100
Subject: id.themis: import PrivateBin httpd vhost
Signed-off-by: Georg Pfuetzenreuter
---
pillar/id/themis_lysergic_dev.sls | 50 +++++++++++++++++++++++++++++----------
1 file changed, 37 insertions(+), 13 deletions(-)
diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 81538e9..5decac5 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
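Review bot: `traffic.header: X_FORWARDED_FOR` keys PrivateBin's rate limiter on a client-supplied header, so the limit is only as strong as the guarantee that every request reaches this vhost through a proxy that overwrites, rather than appends to, X-Forwarded-For; the ULA listener and backend zone elsewhere in this pillar suggest that is the case, but nothing in the hunk records it. I would add `# rate-limit key: valid only because this vhost is reached exclusively via the frontend proxy, which sets the header; direct clients could spoof it` above `header`. `sizelimit: 310485760` (~296 MiB) with `fileupload: true` is a large per-paste size for a database-backed `model`; confirm that the paste data column type and the php-fpm/httpd body limits actually allow it, otherwise the effective limit is whichever layer rejects first. The opaque `opt[12]: true` deserves `# opt[12] = PDO::ATTR_PERSISTENT` so the next reader does not have to look it up.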
@@ -1,9 +1,26 @@ +{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%} + +{%- macro httpdformulaexcess() -%} + LogLevel: False + ErrorLog: False + LogFormat: False + CustomLog: False + ServerAdmin: False + ServerAlias: False +{%- endmacro -%} +{%- macro httpdcommon(app) -%} + Include {{ common['snippetsdir'] }}ssl_themis.conf + + SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}' + +{%- endmacro -%} + apache: sites: BookStack: - interface: '[fd29:8e45:f292:ff80::1]' - port: 443 - ServerName: bookstack.themis.backend.syscid.com + interface: '{{ common['address'] }}' + port: {{ common['port'] }} + ServerName: bookstack{{ common['domain'] }} DocumentRoot: /srv/www/BookStack/ DirectoryIndex: index.php Directory: @@ -21,19 +38,26 @@ apache: RewriteCond '%{REQUEST_FILENAME} !-d' RewriteCond '%{REQUEST_FILENAME} !-f' RewriteCond '^ index.php [L]' - LogLevel: False - ErrorLog: False - LogFormat: False - CustomLog: False - ServerAdmin: False - ServerAlias: False + {{ httpdformulaexcess() }} Formula_Append: | - Include /etc/apache2/snippets.d/ssl_themis.conf + {{ httpdcommon('BookStack') }} AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript SetOutputFilter DEFLATE - - SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack' - + + PrivateBin: + interface: '{{ common['address'] }}' + port: {{ common['port'] }} + ServerName: privatebin{{ common['domain'] }} + DocumentRoot: /srv/www/PrivateBin/public + DirectoryIndex: index.php + Directory: + /srv/www/PrivateBin/: + Options: false + AllowOverride: None + Require: all granted + {{ httpdformulaexcess() }} + Formula_Append: | + {{ httpdcommon('PrivateBin') }} profile: bookstack: -- cgit v1.2.3 From f32d814658a3005654b10e28c0827fb2a9302678 Mon Sep 17 00:00:00 2001 
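Review bot: In the new `httpdcommon` macro the `SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'` line appears to have lost its enclosing `<FilesMatch \.php$>` wrapper in this rendering (the empty `+` lines around it, and the bare `-` lines in the BookStack hunk below, are where such tags would sit); if the macro really emits a bare SetHandler at vhost scope, every request including static assets is handed to php-fpm. Worth confirming in the committed file, and adding `{# SetHandler must stay inside <FilesMatch \.php$> so only PHP scripts reach php-fpm #}` at the macro head so the constraint survives the next edit. The socket path `/run/php-fpm/{{ app }}.sock` is an implicit contract with the `php.fpm` state; a one-line comment naming that dependency would help.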
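Review bot: The new PrivateBin site grants `Require: all granted` on `/srv/www/PrivateBin/` while `DocumentRoot` is the `public` subdirectory, so the grant is wider than what is meant to be served; scoping the `Directory` key to `/srv/www/PrivateBin/public/:` keeps the sibling library and template directories unreachable even if an Alias or symlink is added later. `AllowOverride: None` means any `.htaccess` shipped with the package is ignored, which is the safer choice but should be stated, e.g. `# AllowOverride None: package .htaccess is not consulted, access rules live here`. `Options: false` depends on what the apache formula renders for a false value (`Options None` versus dropping the directive), and the two differ for FollowSymLinks, so confirm the rendered vhost.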
From: Georg Pfuetzenreuter
Date: Sat, 29 Apr 2023 18:39:30 +0200
Subject: id.themis: import backend firewall rules
Allow HTTPS traffic.
Signed-off-by: Georg Pfuetzenreuter
---
pillar/id/themis_lysergic_dev.sls | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 5decac5..67a7757 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -141,3 +141,9 @@ profile:
 usr: ${'secret_privatebin:model_options:usr'}
 pwd: ${'secret_privatebin:model_options:pwd'}
 opt[12]: true
+
+firewalld:
+ zones:
+ backend:
+ services:
+ - https
-- cgit v1.2.3
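Review bot: Adding `https` to the `backend` zone opens port 443 for every interface and source assigned to that zone, not just the single ULA address the vhosts bind, and the PrivateBin rate limiter configured earlier in this pillar trusts X-Forwarded-For, so whoever can reach this port directly can bypass it. Either confirm the zone's sources are already restricted to the frontend proxy, or restrict it here with a rich rule limiting 443 to those addresses. At minimum record the assumption: `# 443 for the reverse proxy only; the backend zone's sources must stay limited to the frontend`.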