D3908.diff
diff --git a/pillar/paas/docker/docker-002/main.sls b/pillar/paas/docker/docker-002/main.sls
--- a/pillar/paas/docker/docker-002/main.sls
+++ b/pillar/paas/docker/docker-002/main.sls
@@ -156,6 +156,7 @@
mysql_link: acquisitariat
skip_container: True
config_managed: True
+ anubis_instance: devcentral
# Private instance for Dereckson
river_sector:
@@ -307,3 +308,12 @@
app:
title: Nasqueron Photos
max_album_length: 16
+
+ anubis_instances:
+ devcentral:
+ socket: /run/anubis/devcentral.sock
+ metrics_socket: /run/anubis/devcentral-metrics.sock
+ policies_file: /usr/local/etc/anubis/devcentral.yaml
+ target:
+ service: phabricator
+ container: devcentral
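Review bot: The `socket` and `policies_file` values added under `anubis_instances.devcentral` are not what the consumers in this diff read: init.sls builds the policy path as `/usr/local/etc/anubis/{{ instance }}.yaml` and phabricator.conf builds the socket path as `/run/anubis/{{ args['anubis_instance'] }}.sock`, both from the instance name, so editing these pillar values would not move the deployed paths and the two copies can silently drift. Either have init.sls use `- name: {{ config.policies_file }}` and the vhost read the socket from pillar (it only has `args` in scope today), or drop the unused keys and add `# paths are derived from the instance name, see roles/paas-docker/anubis` above the mapping. `metrics_socket` and `target` are consumed by instance.env and are fine.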
diff --git a/roles/paas-docker/anubis/files/instance.env b/roles/paas-docker/anubis/files/instance.env
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/instance.env
@@ -0,0 +1,17 @@
+{%- set docker_containers = salt['pillar.get']('docker_containers', {}) -%}
+{%- set target_service = config.target.service -%}
+{%- set target_container = config.target.container -%}
+{%- set app_port = docker_containers[target_service][target_container]['app_port'] -%}
+{%- set host = docker_containers[target_service][target_container]['host'] -%}
+
+ANUBIS_LISTEN_ADDR=unix:{{ config.socket }}
+ANUBIS_TARGET_URL=http://localhost:{{ app_port }}
+ANUBIS_HOST={{ host }}
+
+# Metrics on UNIX socket as requested
+ANUBIS_METRICS_ADDR=unix:{{ config.metrics_socket }}
+
+# Credentials from Vault
+# We use the salt['vault.read_secret'] logic expected in the infra
+ANUBIS_API_KEY={{ salt['vault.read_secret']('secret/nasqueron/anubis/' ~ instance, 'api_key') }}
+ANUBIS_DASHBOARD_KEY={{ salt['vault.read_secret']('secret/nasqueron/anubis/' ~ instance, 'dashboard_key') }}
diff --git a/roles/paas-docker/anubis/files/policies.yaml b/roles/paas-docker/anubis/files/policies.yaml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/policies.yaml
@@ -0,0 +1,21 @@
+# -------------------------------------------------------------
+# Anubis — Bot policies for {{ instance }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+policies:
+ - name: "Block aggressive AI Scrapers"
+ rules:
+ - condition: "header.user_agent contains 'GPTBot' or header.user_agent contains 'CCBot'"
+ action: "block"
+
+ - name: "Challenge suspicious automated traffic"
+ rules:
+ - condition: "header.user_agent matches '(?i).*(bot|crawler|spider).*' and not (header.user_agent contains 'Googlebot')"
+ action: "challenge"
+
+ - name: "Rate limit API access"
+ rules:
+ - condition: "path starts_with '/api/'"
+ action: "ratelimit"
+ limit: 100
+ period: 60
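Review bot: The "Challenge suspicious automated traffic" rule exempts any client whose User-Agent contains `Googlebot`, and that header is chosen by the client, so the `not (header.user_agent contains 'Googlebot')` clause is a bypass for anything claiming to be Googlebot rather than a verification; if the deployed Anubis version offers a stronger allow condition, prefer it, otherwise document the trade-off above the rule, e.g. `# UA-only exemption: any client claiming Googlebot skips the challenge`. The schema used here (`policies` / `rules` / `condition` / `action: ratelimit` with `limit`/`period`) should be checked against the policy format the pinned Anubis release accepts — the upstream policy file I am aware of is a `bots` list with regex or expression fields and upper-case actions, and an unrecognised file would surface as a failed `anubis@devcentral` start after the `watch` in init.sls fires. The `{{ instance }}` placeholder appears only in the header comment, so the rendered policies are identical for every instance; say so in the header if that is intended.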
diff --git a/roles/paas-docker/anubis/init.sls b/roles/paas-docker/anubis/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/init.sls
@@ -0,0 +1,43 @@
+# -------------------------------------------------------------
+# Salt — Anubis (WAF/Reverse Proxy)
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% for instance, config in salt['pillar.get']('anubis_instances', {}).items() %}
+
+anubis_{{ instance }}_config:
+ file.managed:
+ - name: /usr/local/etc/anubis/{{ instance }}.yaml
+ - source: salt://roles/paas-docker/anubis/files/policies.yaml
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ - user: root
+ - group: anubis
+ - mode: 640
+ - makedirs: True
+
+anubis_{{ instance }}_env:
+ file.managed:
+ - name: /usr/local/etc/anubis/{{ instance }}.env
+ - source: salt://roles/paas-docker/anubis/files/instance.env
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+ - user: root
+ - group: anubis
+ - mode: 640
+ - makedirs: True
+
+anubis_{{ instance }}_service:
+ service.running:
+ - name: anubis@{{ instance }}
+ - enable: True
+ - watch:
+ - file: anubis_{{ instance }}_config
+ - file: anubis_{{ instance }}_env
+
+{% endfor %}
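Review bot: `anubis_{{ instance }}_env` renders the Vault API and dashboard keys into the file, and `file.managed` includes the content diff in the state return by default, so every key change would be echoed into Salt job output and master logs; add `- show_changes: False` to that state. In the same state, `config: {{ config }}` injects the pillar mapping as its Python repr, which happens to parse as YAML for plain strings but turns booleans and nulls into `True`/`None`; use `config: {{ config | json }}`. `mode: 640` is a bare integer in both states and is safer quoted as `mode: "0640"` so no YAML loader retypes it. The `service.running` state assumes an `anubis@.service` template unit is already present on the host; nothing in this diff installs it, so presumably it comes from another role — worth confirming.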
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -43,7 +43,11 @@
proxy_redirect off;
location / {
+{%- if args.get('anubis_instance') %}
+ proxy_pass http://unix:/run/anubis/{{ args['anubis_instance'] }}.sock;
+{%- else %}
proxy_pass http://localhost:{{ app_port }};
+{%- endif %}
}
location ~ ^/maniphest/task/create {
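Review bot: Only `location /` is routed through the Anubis socket; `location ~ ^/maniphest/task/create` immediately below, and any other `location` blocks in this vhost (their bodies are outside the hunk), still proxy straight to `localhost:{{ app_port }}`, so the bot policy is bypassed for those paths — if that is deliberate, mark it with `# intentionally bypasses Anubis` there, otherwise they need the same `{%- if args.get('anubis_instance') %}` branch. The socket path is hard-coded rather than taken from the pillar `socket` key of the same instance, so a mismatch shows up as a 502 at runtime instead of a render-time error. nginx also needs read/write access to `/run/anubis/<instance>.sock`, which depends on the owner and mode the Anubis unit gives the socket and is not visible in this diff.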
diff --git a/scripts/fix_anubis_devcentral.sh b/scripts/fix_anubis_devcentral.sh
new file mode 100644
--- /dev/null
+++ b/scripts/fix_anubis_devcentral.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# Anubis — Provisioning keys to Vault
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+INSTANCE="devcentral"
+VAULT_PATH="secret/nasqueron/anubis/$INSTANCE"
+
+echo "Generating keys for Anubis $INSTANCE..."
+
+API_KEY=$(openssl rand -base64 32)
+DASHBOARD_KEY=$(openssl rand -base64 32)
+
+echo "Writing keys to Vault at $VAULT_PATH..."
+
+vault kv put "$VAULT_PATH" \
+ api_key="$API_KEY" \
+ dashboard_key="$DASHBOARD_KEY"
+
+echo "Done. You can now run Salt to deploy the configuration."
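Review bot: With `#!/bin/sh` and no `set -eu`, a failing `openssl rand` (missing binary, entropy or permission error) leaves `API_KEY` or `DASHBOARD_KEY` empty and `vault kv put` still succeeds, so empty credentials get stored and then deployed by instance.env; add `set -eu` after the shebang and guard the values before writing with `: "${API_KEY:?empty}" "${DASHBOARD_KEY:?empty}"`. The key material is also passed as `vault` command-line arguments, so it is visible in the process table for the duration of the call; feeding the pair as JSON on stdin via vault's `-` data argument avoids that. Since `VAULT_PATH` matches the `secret/nasqueron/anubis/' ~ instance` lookup in the template, `INSTANCE="${1:-devcentral}"` would let the same script provision any instance instead of hard-coding devcentral in the filename and body.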
