diff --git a/pillars/roles/firewalld/ssh.sls b/pillars/roles/firewalld/ssh.sls index c489650..23d6bf9 100644 --- a/pillars/roles/firewalld/ssh.sls +++ b/pillars/roles/firewalld/ssh.sls @@ -2,3 +2,5 @@ firewalld: 70_internal: service: ssh: [] + port: + 23454/tcp: [] diff --git a/pillars/roles/nginx/authelia.sls b/pillars/roles/nginx/authelia.sls new file mode 100644 index 0000000..88e32be --- /dev/null +++ b/pillars/roles/nginx/authelia.sls @@ -0,0 +1,6 @@ +nginx: + authelia: + auth: none + https: + port: 8080 + prot: http diff --git a/pillars/roles/nginx/authtypes.txt b/pillars/roles/nginx/authtypes.txt index 4fd27bf..6e27c3a 100644 --- a/pillars/roles/nginx/authtypes.txt +++ b/pillars/roles/nginx/authtypes.txt @@ -1,4 +1,4 @@ blocked: can't access none: public access -simple: file-based auth -ldap: directory based auth - not implemented +ldap: standard directory based auth - not implemented +2fa: two-factor directory based auth diff --git a/pillars/roles/nginx/deluge.sls b/pillars/roles/nginx/deluge.sls index 53314c9..5a9b194 100644 --- a/pillars/roles/nginx/deluge.sls +++ b/pillars/roles/nginx/deluge.sls @@ -1,6 +1,6 @@ nginx: deluge: - auth: none + auth: 2fa https: port: 8112 prot: http diff --git a/pillars/roles/nginx/freeipa_server.sls b/pillars/roles/nginx/freeipa_server.sls index c1cb027..c0ee7c8 100644 --- a/pillars/roles/nginx/freeipa_server.sls +++ b/pillars/roles/nginx/freeipa_server.sls @@ -1,6 +1,6 @@ nginx: ipa: - auth: blocked + auth: 2fa https: port: 8443 prot: https diff --git a/pillars/roles/nginx/headphones.sls b/pillars/roles/nginx/headphones.sls index e9fc132..eae804b 100644 --- a/pillars/roles/nginx/headphones.sls +++ b/pillars/roles/nginx/headphones.sls @@ -1,6 +1,6 @@ nginx: headphones: - auth: blocked + auth: 2fa https: port: 8181 prot: http diff --git a/pillars/roles/nginx/icinga.sls b/pillars/roles/nginx/icinga.sls index 98c9045..7c58f5d 100644 --- a/pillars/roles/nginx/icinga.sls +++ b/pillars/roles/nginx/icinga.sls 
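Review bot: The new `23454/tcp` entry under `70_internal` in pillars/roles/firewalld/ssh.sls names no service, so a later audit of the zone cannot tell what listens there or why the ssh role opens it. A one-line pillar comment above it, `# 23454/tcp: <service name> — TODO confirm owner`, would keep the opened port reviewable alongside the `service: ssh:` entry it sits next to.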
@@ -1,6 +1,6 @@ nginx: icinga: - auth: blocked + auth: 2fa https: port: 8080 prot: http diff --git a/pillars/roles/nginx/jackett.sls b/pillars/roles/nginx/jackett.sls index 1b9eae4..c1b23cb 100644 --- a/pillars/roles/nginx/jackett.sls +++ b/pillars/roles/nginx/jackett.sls @@ -1,6 +1,6 @@ nginx: jackett: - auth: blocked + auth: 2fa https: port: 9117 prot: http diff --git a/pillars/roles/nginx/pass.sls b/pillars/roles/nginx/pass.sls index 2b680a2..7d19f88 100644 --- a/pillars/roles/nginx/pass.sls +++ b/pillars/roles/nginx/pass.sls @@ -1,6 +1,6 @@ nginx: pass: - auth: none + auth: 2fa https: port: 8080 prot: http diff --git a/pillars/roles/nginx/pkg-cache.sls b/pillars/roles/nginx/pkg-cache.sls index 4d5c7e3..fdb7898 100644 --- a/pillars/roles/nginx/pkg-cache.sls +++ b/pillars/roles/nginx/pkg-cache.sls @@ -1,6 +1,6 @@ nginx: pkg: - auth: blocked + auth: 2fa https: port: 8000 prot: http diff --git a/pillars/roles/nginx/plexmediaserver.sls b/pillars/roles/nginx/plexmediaserver.sls index 3cf49de..7599b71 100644 --- a/pillars/roles/nginx/plexmediaserver.sls +++ b/pillars/roles/nginx/plexmediaserver.sls @@ -1,6 +1,6 @@ nginx: plex: - auth: none + auth: 2fa https: port: 32400 prot: http diff --git a/pillars/roles/nginx/radarr.sls b/pillars/roles/nginx/radarr.sls index 1145f0b..05e2a60 100644 --- a/pillars/roles/nginx/radarr.sls +++ b/pillars/roles/nginx/radarr.sls @@ -1,6 +1,6 @@ nginx: radarr: - auth: blocked + auth: 2fa https: port: 7878 prot: http diff --git a/pillars/roles/nginx/sonarr.sls b/pillars/roles/nginx/sonarr.sls index facf534..ed48e87 100644 --- a/pillars/roles/nginx/sonarr.sls +++ b/pillars/roles/nginx/sonarr.sls @@ -1,6 +1,6 @@ nginx: sonarr: - auth: blocked + auth: 2fa https: port: 8989 prot: http diff --git a/pillars/roles/nginx/sync.sls b/pillars/roles/nginx/sync.sls index 071fd8a..bc2cd3b 100644 --- a/pillars/roles/nginx/sync.sls +++ b/pillars/roles/nginx/sync.sls @@ -1,6 +1,6 @@ nginx: sync: - auth: blocked + auth: 2fa https: port: 8080 prot: http 
diff --git a/pillars/servers/env/server/authelia.sls b/pillars/servers/env/server/authelia.sls
new file mode 100644
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/authelia.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/centipa.sls b/pillars/servers/env/server/centipa.sls
new file mode 100644
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/centipa.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/debianipa.sls b/pillars/servers/env/server/debianipa.sls
new file mode 100644
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/debianipa.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/maintainer/server/authelia.sls b/pillars/servers/maintainer/server/authelia.sls
new file mode 100644
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/authelia.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/centipa.sls b/pillars/servers/maintainer/server/centipa.sls
new file mode 100644
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/centipa.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/debianipa.sls b/pillars/servers/maintainer/server/debianipa.sls
new file mode 100644
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/debianipa.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/roles/server/authelia.sls b/pillars/servers/roles/server/authelia.sls
new file mode 100644
index 0000000..289ba0f
--- /dev/null
+++ b/pillars/servers/roles/server/authelia.sls
@@ -0,0 +1,7 @@
+grains:
+ roles:
+ - server
+ - ssh
+ - saltminion
+ - authelia
+ - nginx-proxy
diff --git a/pillars/servers/roles/server/centipa.sls b/pillars/servers/roles/server/centipa.sls
new file mode 100644
index 0000000..07c13df
--- /dev/null
+++ b/pillars/servers/roles/server/centipa.sls 
@@ -0,0 +1,5 @@ +grains: + roles: + - server + - ssh + - saltminion diff --git a/pillars/servers/roles/server/debianipa.sls b/pillars/servers/roles/server/debianipa.sls new file mode 100644 index 0000000..3148d3f --- /dev/null +++ b/pillars/servers/roles/server/debianipa.sls @@ -0,0 +1,6 @@ +grains: + roles: + - server + - ssh + - saltminion + - freeipa_server diff --git a/states/basepkgs/init.sls b/states/basepkgs/init.sls index a4780f0..904fac5 100644 --- a/states/basepkgs/init.sls +++ b/states/basepkgs/init.sls @@ -2,6 +2,7 @@ basepkgs: pkg.installed: - pkgs: + - sudo - nano - wget - openssh @@ -13,6 +14,7 @@ basepkgs: basepkgs: pkg.installed: - pkgs: + - sudo - nano - wget - openssh-server @@ -23,6 +25,7 @@ basepkgs: basepkgs: pkg.installed: - pkgs: + - sudo - nano - wget - openssh-server diff --git a/states/bashrc/init.sls b/states/bashrc/init.sls index 62af1e8..eea15a1 100644 --- a/states/bashrc/init.sls +++ b/states/bashrc/init.sls @@ -18,6 +18,12 @@ - force: true - makedirs: true +/root/.profile: + file.symlink: + - target: /etc/saltbashrc + - force: true + - makedirs: true + #change to local admin user and remove constraint when that's properly set up {% if grains['os_family'] == 'Debian' %} /home/masau/.bashrc: diff --git a/states/roles/maintain/authelia/authelia.service b/states/roles/maintain/authelia/authelia.service new file mode 100644 index 0000000..4968adf --- /dev/null +++ b/states/roles/maintain/authelia/authelia.service @@ -0,0 +1,11 @@ +[Unit] +Description=Runs authelia + +[Service] +ExecStart=/bin/authelia /etc/authelia/config.yml +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/authelia/config.yml b/states/roles/maintain/authelia/config.yml new file mode 100644 index 0000000..8f1b3ff --- /dev/null +++ b/states/roles/maintain/authelia/config.yml 
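Review bot: The unit in states/roles/maintain/authelia/authelia.service has no `User=`/`Group=`, so a network-facing service that holds the LDAP bind password, the session secret and the SMTP password from /etc/authelia/config.yml runs as root. Create a dedicated account and add `User=authelia` and `Group=authelia` under `[Service]`; the config file can then be restricted to that account instead of being readable by everyone. The `ExecStart=/bin/authelia` path also deserves a check on the target, since npm normally places global binaries under /usr/bin or /usr/local/bin — it only works where /bin is a symlink to /usr/bin.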
@@ -0,0 +1,174 @@ +############################################################### +# Authelia configuration # +############################################################### + +# The port to listen on +port: 8080 + +# Log level +# +# Level of verbosity for logs +logs_level: debug + +# LDAP configuration +# +# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com +ldap: + # The url of the ldap server + url: ldap://ipa.actcur.com + + # The base dn for every entries + base_dn: dc=actcur,dc=com + + # An additional dn to define the scope to all users + additional_users_dn: cn=users,cn=accounts + + # The users filter. + # {0} is the matcher replaced by username. + # 'cn={0}' by default. + users_filter: uid={0} + + # An additional dn to define the scope of groups + additional_groups_dn: cn=groups,cn=accounts + + # The groups filter. + # {0} is the matcher replaced by user dn. + # 'member={0}' by default. + groups_filter: (&(member={0})(objectclass=groupofnames)) + + # The attribute holding the name of the group + group_name_attribute: cn + + # The attribute holding the mail address of the user + mail_attribute: mail + + # The username and password of the admin user. + user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com + password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}" + + +# Access Control +# +# Access control is a set of rules you can use to restrict user access to certain +# resources. +# Any (apply to anyone), per-user or per-group rules can be defined. +# +# If 'access_control' is not defined, ACL rules are disabled and the `allow` default +# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow +# the rules defined. +# +# Note: One can use the wildcard * to match any subdomain. +# It must stand at the beginning of the pattern. (example: *.mydomain.com) +# +# Note: You must put the pattern in simple quotes when using the wildcard for the YAML +# to be syntaxically correct. 
+# +# Definition: A `rule` is an object with the following keys: `domain`, `policy` +# and `resources`. +# - `domain` defines which domain or set of domains the rule applies to. +# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`. +# - `resources` is a list of regular expressions that matches a set of resources to +# apply the policy to. +# +# Note: Rules follow an order of priority defined as follows: +# In each category (`any`, `groups`, `users`), the latest rules have the highest +# priority. In other words, it means that if a given resource matches two rules in the +# same category, the latest one overrides the first one. +# Each category has also its own priority. That is, `users` has the highest priority, then +# `groups` and `any` has the lowest priority. It means if two rules in different categories +# match a given resource, the one in the category with the highest priority overrides the +# other one. +# +access_control: + # Default policy can either be `allow` or `deny`. + # It is the policy applied to any resource if it has not been overriden + # in the `any`, `groups` or `users` category. + default_policy: deny + + # The rules that apply to anyone. + # The value is a list of rules. + any: + - domain: '*' + policy: allow + + # Group-based rules. The key is a group name and the value + # is a list of rules. + groups: + domain_admins: + # All resources in all domains + - domain: '*.actcur.com' + policy: allow + + +# Configuration of session cookies +# +# The session cookies identify the user once logged in. +session: + # The secret to encrypt the session cookie. + secret: "{%- include 'secure/passwords/authelia_secret_password.txt' -%}" + + # The time before the cookie expires. + expiration: 3600000 + + # The domain to protect. + # Note: the authenticator must also be in that domain. If empty, the cookie + # is restricted to the subdomain of the issuer. 
+ domain: actcur.com + + # The redis connection details + redis: + host: 127.0.0.1 + port: 6379 + +# Configuration of the authentication regulation mechanism. +# +# This mechanism prevents attackers from brute forcing the first factor. +# It bans the user if too many attempts are done in a short period of +# time. +regulation: + # The number of failed login attempts before user is banned. + # Set it to 0 for disabling regulation. + max_retries: 3 + + # The length of time between login attempts before user is banned. + find_time: 120 + + # The length of time before a banned user can login again. + ban_time: 300 + +# Configuration of the storage backend used to store data and secrets. +# +# You must use only an available configuration: local, mongo +storage: + # The directory where the DB files will be saved + #local: /var/lib/authelia/store + + # Settings to connect to mongo server + mongo: + url: mongodb://127.0.0.1/authelia + +# Configuration of the notification system. +# +# Notifications are sent to users when they require a password reset, a u2f +# registration or a TOTP registration. +# Use only an available configuration: filesystem, gmail +notifier: + # Use your gmail account to send the notifications. You can use an app password. + #gmail: + # username: username@gmail.com + # password: password + + # Use a SMTP server for sending notifications + #smtp: + # username: test + # password: test + # secure: false + # host: 'smtp.zoho.com' + # port: 1025 + smtp: + username: notifications@actcur.com + password: "{%- include 'secure/passwords/authelia_notifications_password.txt' -%}" + secure: true + host: 'smtp.zoho.com' + port: 465 + sender: 'Actcur Authelia ' diff --git a/states/roles/maintain/authelia/init.sls b/states/roles/maintain/authelia/init.sls new file mode 100644 index 0000000..bb4e1c8 --- /dev/null +++ b/states/roles/maintain/authelia/init.sls 
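Review bot: `ldap.url` in config.yml is `ldap://ipa.actcur.com`, so the `authelia_admin` bind password and every user password Authelia validates by binding cross the network without transport encryption unless the two services share a host; change it to `url: ldaps://ipa.actcur.com` (FreeIPA's directory server also listens with TLS, using the realm CA). `logs_level: debug` on a host whose env pillar is `prod` writes per-request detail of an authentication service to the journal indefinitely; `logs_level: info` is the safer setting once the deployment works. Under `access_control`, the `any:` rule `domain: '*'` / `policy: allow` grants every authenticated user every domain, which makes the `domain_admins` group rule below it redundant — if only domain admins should reach `*.actcur.com`, drop the `any` rule and let `default_policy: deny` do its job. The `sender: 'Actcur Authelia '` value appears to have lost its address part, possibly in rendering; confirm the file actually contains the `<address>` portion.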
@@ -0,0 +1,52 @@ +authelia_npm: + pkg.installed: + - name: npm + +install_authelia: + npm.installed: + - name: authelia + - force_reinstall: true + +authelia_mongodb: + pkg.installed: + - name: mongodb + service.running: + - name: mongodb + - enable: true + +authelia_redis: + pkg.installed: + - name: redis + service.running: + - name: redis + - enable: true + +#Note - authelia requires manual changes to handle from address atm +#edit /usr/lib/node_modules/authelia/dist/src/server/lib/notifiers/SmtpNotifier.js +#and change line 18 to: +#const transporter = nodemailer.createTransport(smtpOptions,{from: options.from}); +#and remove line 33 (from: "authelia@authelia.com", + +authelia_config: + file.managed: + - name: /etc/authelia/config.yml + - source: salt://roles/maintain/authelia/config.yml + - user: root + - group: root + - mode: 644 + - makedirs: true + - template: jinja + +"/lib/systemd/system/authelia.service": + file.managed: + - source: salt://roles/maintain/authelia/authelia.service + - user: root + - group: root + - mode: 644 + +authelia_service: + service.running: + - name: authelia + - enable: true + - watch: + - file: authelia_config diff --git a/states/roles/maintain/freeipa-server/init.sls b/states/roles/maintain/freeipa-server/init.sls index af0c195..a5bb67c 100644 --- a/states/roles/maintain/freeipa-server/init.sls +++ b/states/roles/maintain/freeipa-server/init.sls @@ -57,5 +57,6 @@ unset_dm_password: restart_apache: service.running: - name: httpd + - enable: false - watch: - cmd: install_cert diff --git a/states/roles/maintain/icinga/init.sls b/states/roles/maintain/icinga/init.sls index 127feb1..cade930 100644 --- a/states/roles/maintain/icinga/init.sls +++ b/states/roles/maintain/icinga/init.sls @@ -29,6 +29,7 @@ icinga-mysql-client: - user: root - group: root - mode: 644 + - makedirs: true /etc/php/php.ini: file.managed: - source: salt://roles/maintain/icinga/php.ini 
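Review bot: `authelia_config` in states/roles/maintain/authelia/init.sls writes /etc/authelia/config.yml with `- mode: 644`, and that rendered file contains the LDAP bind password, session secret and SMTP password pulled in by the `include` tags, so every local account can read them; change it to `- mode: 600` (the unit runs the service as root, so root-only is sufficient; use 640 with a service group if the unit gains a `User=`). `install_authelia` pins no version and sets `force_reinstall: true`, so each highstate fetches whatever `authelia` is current on the npm registry and reinstalls it — pin to a tested release, `- name: authelia@<tested version>`, and drop `force_reinstall` so the state is idempotent and reproducible. The comment block about hand-editing SmtpNotifier.js describes a change that the forced reinstall overwrites on every run; either manage that file with a state or record that the patch must be reapplied.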
diff --git a/states/roles/maintain/icinga/php.ini b/states/roles/maintain/icinga/php.ini index 723f838..0b977f7 100644 --- a/states/roles/maintain/icinga/php.ini +++ b/states/roles/maintain/icinga/php.ini @@ -897,7 +897,7 @@ extension=gettext.so ;extension=iconv.so ;extension=imap.so ;extension=intl.so -;extension=ldap.so +extension=ldap.so ;extension=mcrypt.so ;extension=mysqli.so ;extension=odbc.so diff --git a/states/roles/maintain/nginx-proxy/auth.conf b/states/roles/maintain/nginx-proxy/auth.conf index 82da9c6..a7b7171 100644 --- a/states/roles/maintain/nginx-proxy/auth.conf +++ b/states/roles/maintain/nginx-proxy/auth.conf @@ -3,11 +3,36 @@ {%- if auth == "none" %} #No authentication -{%- elif auth == "simple" %} - -auth_basic "Restricted Content"; -auth_basic_user_file /etc/nginx/.htpasswd; {%- elif auth == "ldap" %} #Not Implemented +{%- elif auth == "2fa" -%} +#{{location}} + {%- if location == "1" %} + location /auth_verify { + internal; + proxy_pass_request_body off; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header Content-Length ""; + + proxy_pass https://authelia.actcur.com/verify; + } + + {% elif location == "2" %} + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + proxy_set_header Redirect $redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header X-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-Groups $groups; + + error_page 401 =302 https://authelia.actcur.com?redirect=$redirect; + error_page 403 = https://authelia.actcur.com/error/403; + {%- endif -%} {%- endif -%} diff --git a/states/roles/maintain/nginx-proxy/local.conf b/states/roles/maintain/nginx-proxy/local.conf index 0fefb1c..6b65ece 100644 --- a/states/roles/maintain/nginx-proxy/local.conf +++ b/states/roles/maintain/nginx-proxy/local.conf 
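Review bot: The Jinja chain in states/roles/maintain/nginx-proxy/auth.conf has no `else`, so any `auth` value it does not list — the `simple` value this commit removes, the unimplemented `ldap`, or a typo in a pillar — renders nothing and the `location /` that includes it is proxied with no authentication at all. Fail closed instead: between the inner `{%- endif -%}` and the outer one add `{%- elif auth != "blocked" and location == "2" %}` / `deny all;` so an unrecognised type blocks the location rather than opening it (`blocked` is already handled by the caller's `{%- if auth != "blocked" %}` guard in remote.conf). The `ldap` branch today is equivalent to `none` and would fall under the same rule until it is implemented.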
@@ -13,27 +13,32 @@ {%- set prot = "https" -%} {%- endif -%} server { - listen 443; - server_name {{server}}.actcur.com; + listen 443; + server_name {{server}}.actcur.com; - resolver {{ resolver }}; - set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; + resolver {{ resolver }}; + set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; - ssl on; - ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; - ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; - ssl_session_cache shared:SSL:10m; - client_max_body_size 1024m; - location / { - proxy_pass $backend; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Protocol https; - proxy_set_header X-Forwarded-Ssl on; + ssl on; + ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; + location / { + proxy_pass $backend; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Ssl on; - # re-write redirects to http as to https, example: /home - proxy_redirect http:// https://; - } + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } + + error_log /var/log/nginx/{{server}}_error.log; + access_log /var/log/nginx/{{server}}_access.log; } {%- endif -%} 
@@ -48,25 +53,28 @@ server { [%- set prot = "http" -%} {%- endif -%} server { - listen 80; - server_name {{server}}.actcur.com; + listen 80; + server_name {{server}}.actcur.com; - resolver {{resolver}}; - set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; + resolver {{resolver}}; + set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; - location / { - proxy_pass $backend; - proxy_set_header Host $host; + location / { + proxy_pass $backend; + proxy_set_header Host $host; - # re-write redirects to https as to http, example: /home - proxy_redirect https:// http://; + # re-write redirects to https as to http, example: /home + proxy_redirect https:// http://; - } + } + + error_log /var/log/nginx/{{server}}_error.log; + access_log /var/log/nginx/{{server}}_access.log; } {% elif default == "yes" %} server { - listen 80 default_server; - server_name _; - rewrite ^ https://$host$request_uri? permanent; + listen 80 default_server; + server_name _; + rewrite ^ https://$host$request_uri? permanent; } {%- endif -%} diff --git a/states/roles/maintain/nginx-proxy/portal.conf b/states/roles/maintain/nginx-proxy/portal.conf index 07ab7b6..7be1b54 100644 --- a/states/roles/maintain/nginx-proxy/portal.conf +++ b/states/roles/maintain/nginx-proxy/portal.conf 
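Review bot: The context line `[%- set prot = "http" -%}` just above the port-80 `server {` in states/roles/maintain/nginx-proxy/local.conf opens with `[%-` instead of `{%-`; if that is really in the file and not a rendering artefact, Jinja does not treat it as a tag, the text is emitted literally into the generated nginx config (which nginx rejects), and `prot` is undefined for that branch. It is unchanged by this commit, but the re-indent touches every line around it, so this is the moment to correct it to `{%- set prot = "http" -%}`. The enclosing `if` starts above the hunk.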
@@ -1,41 +1,45 @@ server { - listen 443 default_server; - server_name portal.actcur.com; + listen 443 default_server; + server_name portal.actcur.com; - resolver {{resolver}}; - set $certbot "https://salt.actcur.com"; + resolver {{resolver}}; + set $certbot "https://salt.actcur.com"; - ssl on; - ssl_certificate /etc/nginx/certs/portal.actcur.com/fullchain.pem; - ssl_certificate_key /etc/nginx/certs/portal.actcur.com/privkey.pem; - ssl_session_cache shared:SSL:10m; + ssl on; + ssl_certificate /etc/nginx/certs/portal.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/portal.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; - location /.well-known/acme-challenge/ { - proxy_pass $certbot; - proxy_set_header Host $host; - } + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } - location / { - root /srv/http; - } + location / { + root /srv/http; + } + + error_log /var/log/nginx/portal_error.log; + access_log /var/log/nginx/portal_access.log; } server { - listen 80 default_server; - server_name portal.actcur.com; + listen 80 default_server; + server_name portal.actcur.com; - resolver {{resolver}}; - set $certbot "http://salt.actcur.com"; + resolver {{resolver}}; + set $certbot "http://salt.actcur.com"; - location /.well-known/acme-challenge/ { - proxy_pass $certbot; - proxy_set_header Host $host; - } + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } - location / { - rewrite ^ https://$host$request_uri? permanent; - } + location / { + rewrite ^ https://$host$request_uri? permanent; + } + + error_log /var/log/nginx/portal_error.log; + access_log /var/log/nginx/portal_access.log; } - - diff --git a/states/roles/maintain/nginx-proxy/remote.conf b/states/roles/maintain/nginx-proxy/remote.conf index 08979ca..951d33f 100644 --- a/states/roles/maintain/nginx-proxy/remote.conf +++ b/states/roles/maintain/nginx-proxy/remote.conf 
@@ -6,35 +6,41 @@ {%- endif -%} server { - listen 443; - server_name {{server}}.actcur.com; + listen 443; + server_name {{server}}.actcur.com; - resolver {{resolver}}; - set $backend "https://{{server}}.actcur.com"; - set $certbot "https://salt.actcur.com"; + resolver {{resolver}}; + set $backend "https://{{server}}.actcur.com"; + set $certbot "https://salt.actcur.com"; - ssl on; - ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; - ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; - ssl_session_cache shared:SSL:10m; - client_max_body_size 1024m; - {% include 'roles/maintain/nginx-proxy/auth.conf' %} + ssl on; + ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; - location /.well-known/acme-challenge/ { - proxy_pass $certbot; - proxy_set_header Host $host; - } + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + {% set location="1" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %} {%- if auth != "blocked" %} - location / { - proxy_pass $backend; - proxy_set_header Host $host; + location / { + {% set location="2" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %} + proxy_pass $backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; - # re-write redirects to http as to https, example: /home - proxy_redirect http:// https://; - } + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } {%- endif %} + error_log /var/log/nginx/{{server}}_error.log; + access_log /var/log/nginx/{{server}}_access.log; } {%- if pillar['nginx'][server]['http'] is defined-%} 
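Review bot: In the 443 vhost of states/roles/maintain/nginx-proxy/remote.conf, `X-Forwarded-User` and `Remote-Groups` are only set by the `2fa` branch of auth.conf, so for a service whose pillar says `auth: none` nginx forwards whatever the client sends in those headers, and a backend that trusts them because the 2fa-protected services populate them can be handed an arbitrary identity. Clear them for that case by adding `proxy_set_header X-Forwarded-User "";` and `proxy_set_header Remote-Groups "";` to the `none` branch of auth.conf, so only the auth_request path populates them. This block also no longer sets `X-Forwarded-Proto https` and `X-Forwarded-Ssl on` the way local.conf does; adding the same two lines keeps backends' redirect handling consistent between the two templates. The `{%- if pillar['nginx'][server]['http'] is defined-%}` line at the end opens a block that continues past the hunk.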
@@ -44,24 +50,27 @@ server { {%- set auth = "blocked" -%} {%- endif -%} server { - listen 80; - server_name {{server}}.actcur.com; + listen 80; + server_name {{server}}.actcur.com; - resolver {{resolver}}; - set $backend "http://{{server}}.actcur.com"; - set $certbot "http://salt.actcur.com"; - client_max_body_size 1024m; - location /.well-known/acme-challenge/ { - proxy_pass $certbot; - proxy_set_header Host $host; - } + resolver {{resolver}}; + set $backend "http://{{server}}.actcur.com"; + set $certbot "http://salt.actcur.com"; + client_max_body_size 1024m; + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } - location / { - proxy_pass $backend; - proxy_set_header Host $host; + location / { + proxy_pass $backend; + proxy_set_header Host $host; - # re-write redirects to https as to http, example: /home - proxy_redirect https:// http://; - } + # re-write redirects to https as to http, example: /home + proxy_redirect https:// http://; + } + + error_log /var/log/nginx/{{server}}_error.log; + access_log /var/log/nginx/{{server}}_access.log; } {%- endif -%} diff --git a/states/productionize/freeipa/auto/init.sls b/states/systems/core/freeipa/auto/init.sls similarity index 100% rename from states/productionize/freeipa/auto/init.sls rename to states/systems/core/freeipa/auto/init.sls diff --git a/states/systems/core/freeipa/enable.sls b/states/systems/core/freeipa/enable.sls new file mode 100644 index 0000000..4ce08f8 --- /dev/null +++ b/states/systems/core/freeipa/enable.sls @@ -0,0 +1,14 @@ +enable_freeipa: + grains.present: + - name: freeipa_enabled + - value: true + - force: true + +{% if grains['os_family'] == 'Arch' %} +include: + - systems.core.freeipa + - systems.core.freeipa.manual +{% else %} +include: + - systems.core.freeipa.auto +{% endif %} diff --git a/states/systems/core/freeipa/init.sls b/states/systems/core/freeipa/init.sls new file mode 100644 index 0000000..a120dbd --- /dev/null 
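Review bot: The port-80 `server {}` in remote.conf proxies `location /` to `$backend` with no auth include and no `{%- if auth != "blocked" %}` guard, even though the Jinja `if` this hunk starts inside (its head is above the hunk) sets `auth = "blocked"`, so any service whose nginx pillar defines an `http` key is reachable over plaintext with none of the 2FA gating this commit adds to the 443 vhost. None of the pillar files in this commit define `http`, so this may be latent, but the template should not depend on that: either rewrite everything except `/.well-known/acme-challenge/` to https as the `default` block in local.conf does (`rewrite ^ https://$host$request_uri? permanent;`), or wrap `location /` in the same `auth` guard the 443 block uses.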
+++ b/states/systems/core/freeipa/init.sls @@ -0,0 +1,78 @@ +{##only run if freeipa is enabled##} +{%- if grains['freeipa_enabled'] is defined -%} + {%- if grains['freeipa_enabled'] == true %} +{% set hostname=grains['host'] %} +{% set ip=grains['fqdn_ip4'][0] %} +install_sssd: + pkg.installed: + - name: sssd + +/etc/sssd/sssd.conf: + file.managed: + - source: salt://systems/core/freeipa/manual/sssd.conf + - user: root + - group: root + - mode: 600 + - template: jinja + - context: + hostname: {{hostname}} + +/etc/nsswitch.conf: + file.managed: + - source: salt://systems/core/freeipa/manual/nsswitch.conf + - user: root + - group: root + - mode: 644 + +/etc/nscd.conf: + file.managed: + - source: salt://systems/core/freeipa/manual/nscd.conf + - user: root + - group: root + - mode: 644 + +/etc/krb5.conf: + file.managed: + - source: salt://systems/core/freeipa/manual/krb5.conf + - user: root + - group: root + - mode: 644 + +/etc/pam.d: + file.recurse: + - source: salt://systems/core/freeipa/manual/pam.d/ + - user: root + - group: root + - dir_mode: 755 + - file_mode: 644 + +/etc/sudoers.d/freeipa: + file.managed: + - source: salt://systems/core/freeipa/manual/sudoers + - user: root + - group: root + - mode: 644 + +freeipa_sssd_service: + service.running: + - name: sssd + - enable: true + - watch: + - file: /etc/sssd/sssd.conf + - file: /etc/nsswitch.conf + - file: /etc/nscd.conf + - file: /etc/krb5.conf + - file: /etc/pam.d + +freeipa_nscd_service: + service.running: + - name: nscd + - enable: true + - watch: + - file: /etc/sssd/sssd.conf + - file: /etc/nsswitch.conf + - file: /etc/nscd.conf + - file: /etc/krb5.conf + - file: /etc/pam.d + {% endif %} +{% endif %} diff --git a/states/productionize/freeipa/manual/init.sls b/states/systems/core/freeipa/manual/init.sls similarity index 50% rename from states/productionize/freeipa/manual/init.sls rename to states/systems/core/freeipa/manual/init.sls index be52a03..8954e33 100644 
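Review bot: `/etc/sudoers.d/freeipa` in states/systems/core/freeipa/init.sls is written with `- mode: 644`, but sudo refuses sudoers fragments that are not mode 0440 (it reports that the file should be 0440 and, depending on the build, either skips the fragment or fails to parse the policy at all), so the `%domain_admins`/`%server_admins` grants may never take effect or may break sudo on the host; set `- mode: 440` and add `- check_cmd: visudo -cf` so a malformed fragment is rejected before it is installed. The `ip` variable set at the top of the file is not used by any state in it and can be removed.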
--- a/states/productionize/freeipa/manual/init.sls +++ b/states/systems/core/freeipa/manual/init.sls @@ -1,48 +1,5 @@ {% set hostname=grains['host'] %} {% set ip=grains['fqdn_ip4'][0] %} -install_sssd: - pkg.installed: - - name: sssd - -/etc/sssd/sssd.conf: - file.managed: - - source: salt://productionize/freeipa/manual/sssd.conf - - user: root - - group: root - - mode: 600 - - template: jinja - - context: - hostname: {{hostname}} - -/etc/nsswitch.conf: - file.managed: - - source: salt://productionize/freeipa/manual/nsswitch.conf - - user: root - - group: root - - mode: 644 - -/etc/nscd.conf: - file.managed: - - source: salt://productionize/freeipa/manual/nscd.conf - - user: root - - group: root - - mode: 644 - -/etc/krb5.conf: - file.managed: - - source: salt://productionize/freeipa/manual/krb5.conf - - user: root - - group: root - - mode: 644 - -/etc/pam.d: - file.recurse: - - source: salt://productionize/freeipa/manual/pam.d/ - - user: root - - group: root - - dir_mode: 755 - - file_mode: 644 - freeipa_sshpass: pkg.installed: - name: sshpass @@ -70,24 +27,20 @@ unset_salt_ipa_password: - value: "False" - false_unsets: true -freeipa_sssd_service: +freeipa_setup_sssd_service_down: + service.dead: + - name: sssd + +freeipa_setup_sssd_service: service.running: - name: sssd - enable: true - - watch: - - file: /etc/sssd/sssd.conf - - file: /etc/nsswitch.conf - - file: /etc/nscd.conf - - file: /etc/krb5.conf - - file: /etc/pam.d -freeipa_nscd_service: +freeipa_setup_nscd_service_down: + service.dead: + - name: nscd + +freeipa_setup_nscd_service: service.running: - name: nscd - enable: true - - watch: - - file: /etc/sssd/sssd.conf - - file: /etc/nsswitch.conf - - file: /etc/nscd.conf - - file: /etc/krb5.conf - - file: /etc/pam.d diff --git a/states/productionize/freeipa/manual/krb5.conf b/states/systems/core/freeipa/manual/krb5.conf similarity index 100% rename from states/productionize/freeipa/manual/krb5.conf rename to states/systems/core/freeipa/manual/krb5.conf 
diff --git a/states/productionize/freeipa/manual/nscd.conf b/states/systems/core/freeipa/manual/nscd.conf
similarity index 100%
rename from states/productionize/freeipa/manual/nscd.conf
rename to states/systems/core/freeipa/manual/nscd.conf
diff --git a/states/productionize/freeipa/manual/nsswitch.conf b/states/systems/core/freeipa/manual/nsswitch.conf
similarity index 100%
rename from states/productionize/freeipa/manual/nsswitch.conf
rename to states/systems/core/freeipa/manual/nsswitch.conf
diff --git a/states/productionize/freeipa/manual/pam.d/passwd b/states/systems/core/freeipa/manual/pam.d/passwd
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/passwd
rename to states/systems/core/freeipa/manual/pam.d/passwd
diff --git a/states/productionize/freeipa/manual/pam.d/sss b/states/systems/core/freeipa/manual/pam.d/sss
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/sss
rename to states/systems/core/freeipa/manual/pam.d/sss
diff --git a/states/productionize/freeipa/manual/pam.d/su b/states/systems/core/freeipa/manual/pam.d/su
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/su
rename to states/systems/core/freeipa/manual/pam.d/su
diff --git a/states/productionize/freeipa/manual/pam.d/su-l b/states/systems/core/freeipa/manual/pam.d/su-l
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/su-l
rename to states/systems/core/freeipa/manual/pam.d/su-l
diff --git a/states/productionize/freeipa/manual/pam.d/sudo b/states/systems/core/freeipa/manual/pam.d/sudo
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/sudo
rename to states/systems/core/freeipa/manual/pam.d/sudo
diff --git a/states/productionize/freeipa/manual/pam.d/system-auth b/states/systems/core/freeipa/manual/pam.d/system-auth
similarity index 100%
rename from states/productionize/freeipa/manual/pam.d/system-auth
rename to states/systems/core/freeipa/manual/pam.d/system-auth
diff --git a/states/productionize/freeipa/manual/sssd.conf b/states/systems/core/freeipa/manual/sssd.conf similarity index 100% rename from states/productionize/freeipa/manual/sssd.conf rename to states/systems/core/freeipa/manual/sssd.conf diff --git a/states/systems/core/freeipa/manual/sudoers b/states/systems/core/freeipa/manual/sudoers new file mode 100644 index 0000000..eafdd8f --- /dev/null +++ b/states/systems/core/freeipa/manual/sudoers @@ -0,0 +1,2 @@ +%domain_admins ALL=(ALL) ALL +%server_admins ALL=(ALL) ALL diff --git a/states/top.sls b/states/top.sls index 09c48bc..96cdcb9 100644 --- a/states/top.sls +++ b/states/top.sls @@ -10,6 +10,7 @@ - match: grain_pcre - repos.aur - systems.arch.mirrors + - systems.core.freeipa '*': - update - basepkgs