From eed4945a9f6981041260a593fde7bc54150c0740 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 00:10:17 +0100
Subject: nemesis/hubris: import nginx configuration

Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/cluster/denc/web-proxy.sls | 149 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 pillar/cluster/denc/web-proxy.sls

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
new file mode 100644
index 0000000..4cf84ab
--- /dev/null
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -0,0 +1,149 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
+
+nginx:
+  snippets:
+    listen_ha:
+      - listen:
+        - 81.16.19.62:443 ssl http2
+        - '[2a03:4000:20:21f::]:443 ssl http2'
+    proxy:
+      - proxy_set_header:
+        - Host                $host
+        - X-Real-IP           $remote_addr
+        - X-Forwarded-For     $proxy_add_x_forwarded_for
+        - X-Forwarded-Host    $host
+        - X-Forwarded-Server  $host
+        - X-Forwarded-Port    $server_port
+        - X-Forwarded-Proto   $scheme
+      - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+    tls:
+      - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+    {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
+    {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+      - include: snippets/tls
+    {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+      - include: snippets/tls
+    tls_syscidsso:
+      - ssl_trusted_certificate: {{ trustcrt }}
+      - ssl_client_certificate:  {{ trustcrt }}
+      - ssl_certificate:         /etc/ssl/syscid/sso.syscid.com.crt
+      - ssl_certificate_key:     /etc/ssl/syscid/sso.syscid.com.key
+      - ssl_ocsp:                'on'
+      - ssl_ocsp_responder:      {{ stapler }}
+      - ssl_stapling:            'on'
+      - ssl_stapling_responder:  {{ stapler }}
+      - ssl_stapling_verify:     'on'
+      - ssl_verify_client:       'on'
+      - resolver:                {{ resolver }} ipv6=off
+      - include:                 snippets.d/tls
+
+  servers:
+    managed:
+      jboss-cluster.conf:
+        available_dir: /etc/nginx/conf.d
+        config:
+        - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+        - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+        - upstream jboss:
+          - ip: hash
+          - server:
+            - theia.backend.syscid.com:8443
+            - orpheus.backend.syscid.com:8443
+            - selene.backend.syscid.com:8443
+
+      bookstack.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_libertacasa
+            - server_name: libertacasa.info libcasa.info
+            - location /:
+              - proxy_pass: https://bookstack.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 20M
+
+      http.conf:
+        config:
+          - server:
+            - listen:
+              - 81.16.19.62:80 default_server
+              - '[2a03:4000:20:21f::]:80 default_server'
+              - include: snippets/robots
+              - location /:
+                - return: 301 https://$host$request_uri
+
+      privatebin.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_lysergic
+            - server_name: pasta.lysergic.dev
+            - location /:
+              - proxy_pass: https://privatebin.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 50M
+
+      sso_private.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_syscidsso
+            - server_name: sso.syscid.com
+            - root: /srv/www/sso.syscid.com
+            - location = /: []
+            - location /index.html: []
+            - location /:
+              - proxy_pass: https://jboss
+              - proxy_cache: cache_sso_private
+              - include: snippets/proxy
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/sso_private.error.log
+            - access_log: /var/log/nginx/sso_private.access.log combined
+
+      sso_public.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_libsso
+            - server_name: sso.casa www.sso.casa
+            - location /:
+              - root: /srv/www/sso.casa
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_libsso
+            - server_name: libsso.net www.libsso.net
+            - location /:
+              - root: /srv/www/libsso.net
+            - location /auth: {#- compat, consider removing #}
+              - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+            {%- for path in ['realms', 'resources', 'js'] %}
+            - location /{{ path }}:
+              - proxy_pass: https://jboss/{{ path }}
+              - proxy_cache: cache_sso_public
+              {#- - proxy_ssl_verify: on #to-do: enable this #}
+              - include: snippets/proxy
+            {%- endfor %}
+            {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+            - location /{{ path }}:
+              - return: https://liberta.casa/
+            {%- endfor %}
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/libsso_public.error.log
+            - access_log: /var/log/nginx/libsso_public.access.log combined
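Review bot: In http.conf the `- include: snippets/robots`, `- location /:` and `- return: 301 https://$host$request_uri` lines are indented one level deeper than `- listen:`, so they become entries of the listen value list instead of sibling directives of `server`; dedent those three lines by two spaces to the column of `- listen:` so they render as `include`/`location` inside the server block. Separately, `proxy_ssl_verify` is left as a to-do comment in the sso_public `/{{ path }}` locations while the shared `proxy` snippet sets `proxy_ssl_trusted_certificate`: nginx does not validate an upstream certificate unless `proxy_ssl_verify on` is set, so the trusted-CA line currently has no effect for any of the `proxy_pass https://…` targets in this file. When it is enabled for the `jboss` upstream the name checked defaults to the proxy_pass host, i.e. `jboss`, so `proxy_ssl_name`/`proxy_ssl_server_name` will need to be set alongside it. The `- ip: hash` entry under `upstream jboss` looks as if it would render as `ip hash;` rather than nginx's `ip_hash;` — worth confirming against the formula's directive rendering. The server blocks include `snippets/listen` while this file only defines `listen_ha`; presumably the former comes from elsewhere in the pillar tree, but it is not visible here.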