From 5edd9764628e863ffb4309233aa5a5beb4c5485e Mon Sep 17 00:00:00 2001
From: Bernhard M. Wiedemann
Date: Dec 03 2021 05:57:39 +0000
Subject: Pagure: refactor ssl config and saltify what is deployed atm

reduce code duplication => SPOT/DRY
---
diff --git a/pillar/role/pagure.sls b/pillar/role/pagure.sls
index 96cda96..a51af8a 100644
--- a/pillar/role/pagure.sls
+++ b/pillar/role/pagure.sls
@@ -35,6 +35,9 @@ profile:
 database_user: pagure
 database_host: 192.168.47.4
+{% set listenhttps4=['443', 'ssl'] %}
+{% set listenhttps6=['[::]:443', 'ssl'] %}
+
 nginx:
 ng:
 servers:
@@ -54,14 +57,9 @@ nginx:
 config:
 - server:
 - server_name: code.opensuse.org
- - listen:
- - 443
- - ssl
- - listen:
- - '[::]:443'
- - ssl
- - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
- - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
+ - listen: {{ listenhttps4 }}
+ - listen: {{ listenhttps6 }}
+ - include: ssl-config
 - location @pagure:
 - client_max_body_size: 0
 - proxy_set_header: Host $http_host
@@ -79,14 +77,9 @@ nginx:
 config:
 - server:
 - server_name: releases.opensuse.org
- - listen:
- - 443
- - ssl
- - listen:
- - '[::]:443'
- - ssl
- - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
- - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
+ - listen: {{ listenhttps4 }}
+ - listen: {{ listenhttps6 }}
+ - include: ssl-config
 - location /:
 - alias: /srv/www/pagure-releases/
 - autoindex: 'on'
@@ -95,14 +88,9 @@ nginx:
 config:
 - server:
 - server_name: ev.opensuse.org
- - listen:
- - 443
- - ssl
- - listen:
- - '[::]:443'
- - ssl
- - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
- - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
+ - listen: {{ listenhttps4 }}
+ - listen: {{ listenhttps6 }}
+ - include: ssl-config
 - location @pagure_ev:
 - proxy_set_header: Host $http_host
 - proxy_set_header: X-Real-IP $remote_addr
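Review bot: `- include: ssl-config` in the code.opensuse.org server block is a relative nginx include, so it only resolves to the `/etc/nginx/ssl-config` written by the new state if nginx's configured prefix happens to be `/etc/nginx`; `- include: /etc/nginx/ssl-config` removes that dependency on the build prefix. The same relative include is repeated in the releases.opensuse.org, ev.opensuse.org and pages.opensuse.org hunks. The included file also sets `add_header Strict-Transport-Security` at server level, and nginx does not inherit server-level add_header directives into any location that declares an add_header of its own, so HSTS would silently vanish from such a location; as far as the locations visible in these hunks go they only use proxy_set_header, so this holds for now but is worth a comment next to the include. The listen refactor itself is fine, since `{{ listenhttps4 }}` renders as the quoted flow sequence `['443', 'ssl']`.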
@@ -116,14 +104,9 @@ nginx:
 config:
 - server:
 - server_name: pages.opensuse.org
- - listen:
- - 443
- - ssl
- - listen:
- - '[::]:443'
- - ssl
- - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
- - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
+ - listen: {{ listenhttps4 }}
+ - listen: {{ listenhttps6 }}
+ - include: ssl-config
 - location @pagure_docs:
 - proxy_set_header: Host $http_host
 - proxy_set_header: X-Real-IP $remote_addr
diff --git a/salt/profile/pagure/files/ssl-config b/salt/profile/pagure/files/ssl-config
new file mode 100644
index 0000000..1876074
--- /dev/null
+++ b/salt/profile/pagure/files/ssl-config
@@ -0,0 +1,19 @@
+# This file is managed by infra/salt
+ ssl_certificate /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem;
+ ssl_certificate_key /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem;
+ ssl_dhparam /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_rsa.pem;
+
+ ssl_certificate /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_ecdsa.pem;
+ ssl_certificate_key /etc/ssl/services/letsencrypt/code.opensuse.org.with.chain_ecdsa.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls
index e23945c..c91d13c 100644
--- a/salt/profile/pagure/init.sls
+++ b/salt/profile/pagure/init.sls
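Review bot: `ssl_dhparam` in the new ssl-config points at the same `code.opensuse.org.with.chain_rsa.pem` bundle as `ssl_certificate`; as far as I know nginx fails at config load unless that file contains a `DH PARAMETERS` block, and with an ECDHE-only cipher list no DHE suite would ever use the parameters, so the line should be dropped or pointed at a real ffdhe parameter file. `ssl_certificate_key` likewise references the `*.with.chain_*.pem` bundles, which only works if those files carry the private key next to the chain; a file named like a public chain that actually holds a key is easy to copy or hand out as if it were public, so a separate mode-0600 key file (the layout the removed `privkey.key` entries used) is the safer shape, and if the combined layout is deliberate it deserves a comment here. The header comment could also record the provenance and the dead directive, e.g. `# TLS settings follow the Mozilla 'intermediate' profile; ssl_dhparam is unused with this ECDHE-only cipher list`.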
@@ -26,6 +26,15 @@ pagure_conf:
 - watch_in:
 - module: pagure_web_restart
+pagure_ssl_conf:
+ file.managed:
+ - name: /etc/nginx/ssl-config
+ - source: salt://profile/pagure/files/ssl-config
+ - require_in:
+ - service: pagure_web_service
+ - watch_in:
+ - module: pagure_web_restart
+
 pagure_alembic_conf:
 file.managed:
 - name: /etc/pagure/alembic.ini
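Review bot: `pagure_ssl_conf` restarts the web service through `watch_in` whenever `/etc/nginx/ssl-config` changes, but nothing in the state requires the certificate bundles that file references under `/etc/ssl/services/letsencrypt/`, so on a host where they are missing the restart fails and a highstate takes the service down; a `require` on whatever state delivers those PEMs, or a config test gating the restart, would make the ordering explicit. The absolute `/etc/nginx/ssl-config` name is also duplicated by the relative `include: ssl-config` entries in the pillar, so a comment tying the two together, e.g. `# path must match the 'include: ssl-config' entries in pillar/role/pagure.sls`, would help the next editor. The neighbouring pagure_conf state starts outside the hunk.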