Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>
arvados_controller_ssl.conf:
enabled: true
overwrite: true
arvados_controller_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: fixme.example.net
config:
- server:
- server_name: fixme.example.net
- proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
- proxy_set_header: 'X-External-Client $external_client'
- include: 'snippets/ssl_hardening_default.conf'
- proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
- proxy_set_header: 'X-External-Client $external_client'
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/fixme.example.net.access.log combined
- error_log: /var/log/nginx/fixme.example.net.error.log
- client_max_body_size: 128m
- access_log: /var/log/nginx/fixme.example.net.access.log combined
- error_log: /var/log/nginx/fixme.example.net.error.log
- client_max_body_size: 128m
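Review bot: Nothing in this vhost now says that the included certificate is a self-signed test certificate. The change appears to drop the commented `# - include: 'snippets/letsencrypt.conf'` line, which was the only hint that a CA-issued alternative exists, and leaves `- include: 'snippets/arvados-snakeoil.conf'` as the sole TLS source. I would add a comment above the new include, e.g. `# self-signed snakeoil cert, test installs only; swap this include for a CA-issued certificate snippet on real hosts`. The same applies to the keepproxy, collections/download, webshell, websocket, workbench2 and workbench sections below. The server block continues outside the lines shown.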
arvados_keepproxy_ssl.conf:
enabled: true
overwrite: true
arvados_keepproxy_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: keep.fixme.example.net
config:
- server:
- server_name: keep.fixme.example.net
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined
- error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log
- access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined
- error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log
arvados_collections_download_ssl.conf:
enabled: true
overwrite: true
arvados_collections_download_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: collections.fixme.example.net download.fixme.example.net
config:
- server:
- server_name: collections.fixme.example.net download.fixme.example.net
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/collections.fixme.example.net.access.log combined
- error_log: /var/log/nginx/collections.fixme.example.net.error.log
- access_log: /var/log/nginx/collections.fixme.example.net.access.log combined
- error_log: /var/log/nginx/collections.fixme.example.net.error.log
# replace with the IP address of your resolver
# - resolver: 127.0.0.1
# replace with the IP address of your resolver
# - resolver: 127.0.0.1
- ssl_snakeoil.conf:
- - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
+ arvados-snakeoil.conf:
+ - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
- ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
### SITES
- ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
### SITES
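Review bot: The certificate and key paths in `arvados-snakeoil.conf` are now literal strings in the pillar, while the state that generates the files keeps its own `arvados_cert_file` and `arvados_key_file` values. The removed `file.managed` snippet rendered both directives from those variables, so the two could not diverge. If one side is edited without the other, nginx may fail to load its configuration or keep pointing at a certificate that is no longer regenerated. A comment on the snippet such as `# must match arvados_cert_file / arvados_key_file in the snakeoil certs state` would at least record the coupling. The enclosing snippets mapping begins outside the lines shown.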
arvados_webshell_ssl.conf:
enabled: true
overwrite: true
arvados_webshell_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: webshell.fixme.example.net
config:
- server:
- server_name: webshell.fixme.example.net
- add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
{%- endfor %}
- include: 'snippets/ssl_hardening_default.conf'
- add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
{%- endfor %}
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
- error_log: /var/log/nginx/webshell.fixme.example.net.error.log
- access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
- error_log: /var/log/nginx/webshell.fixme.example.net.error.log
arvados_websocket_ssl.conf:
enabled: true
overwrite: true
arvados_websocket_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: ws.fixme.example.net
config:
- server:
- server_name: ws.fixme.example.net
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- proxy_http_version: '1.1'
- proxy_request_buffering: 'off'
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/ws.fixme.example.net.access.log combined
- error_log: /var/log/nginx/ws.fixme.example.net.error.log
- access_log: /var/log/nginx/ws.fixme.example.net.access.log combined
- error_log: /var/log/nginx/ws.fixme.example.net.error.log
arvados_workbench2_ssl.conf:
enabled: true
overwrite: true
arvados_workbench2_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: workbench2.fixme.example.net
config:
- server:
- server_name: workbench2.fixme.example.net
- location /config.json:
- return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }}
- include: 'snippets/ssl_hardening_default.conf'
- location /config.json:
- return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }}
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
- access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench2.fixme.example.net.error.log
- access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench2.fixme.example.net.error.log
arvados_workbench_ssl.conf:
enabled: true
overwrite: true
arvados_workbench_ssl.conf:
enabled: true
overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
config:
- server:
- server_name: workbench.fixme.example.net
config:
- server:
- server_name: workbench.fixme.example.net
- passenger_enabled: 'on'
- index: index.html index.htm
- include: 'snippets/ssl_hardening_default.conf'
- passenger_enabled: 'on'
- index: index.html index.htm
- include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
# yamllint disable-line rule:line-length
- access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench.fixme.example.net.error.log
# yamllint disable-line rule:line-length
- access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined
- error_log: /var/log/nginx/workbench.fixme.example.net.error.log
- nginx.config
- nginx.service
- nginx.config
- nginx.service
-{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+# Debian uses different dirs for certs and keys, but being a Snake Oil example,
+# we'll keep it simple here.
+{%- set arvados_ca_cert_file = '/etc/ssl/private/arvados-snakeoil-ca.pem' %}
{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
-{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_cert_file = '/etc/ssl/private/arvados-snakeoil-cert.pem' %}
{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
- require:
- pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
- cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
- require:
- pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
- cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+ # We need this before we can add the nginx's snippet
+ - require_in:
+ - file: nginx_snippet_arvados-snakeoil.conf
{%- if grains.get('os_family') == 'Debian' %}
arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
{%- if grains.get('os_family') == 'Debian' %}
arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
- require:
- cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
- pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
- require:
- cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
- pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
-{%- endif %}
-
-arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
- file.managed:
- - name: /etc/nginx/snippets/arvados-snakeoil.conf
- - contents: |
- ssl_certificate {{ arvados_cert_file }};
- ssl_certificate_key {{ arvados_key_file }};
- - watch_in:
- - service: nginx_service
- - require:
- - pkg: passenger_install
- - file: arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run
+ - file: nginx_snippet_arvados-snakeoil.conf
+{%- endif %}
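Review bot: Moving `arvados_ca_cert_file` and `arvados_cert_file` under `/etc/ssl/private`, at the top of this file's changes, puts public certificates in a directory that on Debian is normally accessible only to root and the ssl-cert group. nginx opens them as root, but an unprivileged process that has to verify these endpoints against the snakeoil CA would presumably no longer be able to read the CA file. The lines shown do not say whether the CA is also copied into a trust store. Either keep the CA at the public location, `{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}`, or extend the new comment to state that the certificates are intentionally unreadable to non-root users. Only the key and CSR need the restricted directory.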