
D3908.id10126.diff

D3908.id10126.diff

diff --git a/pillar/paas/docker/docker-002/main.sls b/pillar/paas/docker/docker-002/main.sls
--- a/pillar/paas/docker/docker-002/main.sls
+++ b/pillar/paas/docker/docker-002/main.sls
@@ -156,6 +156,7 @@
mysql_link: acquisitariat
skip_container: True
config_managed: True
+ anubis_instance: devcentral
# Private instance for Dereckson
river_sector:
@@ -307,3 +308,8 @@
app:
title: Nasqueron Photos
max_album_length: 16
+
+ anubis:
+ devcentral:
+ socket: /run/anubis/devcentral.sock
+ policies_file: /usr/local/etc/anubis/devcentral.yaml
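Review bot: The pillar block added here is keyed `anubis:` and carries only `socket` and `policies_file`, but the new state in roles/paas-docker/anubis.sls iterates `pillar.get('anubis_instances', {})`, and its templates read `config.target`, `config.difficulty`, `config.domain`, `config.metrics_port`, `config.cookie_hmac_key` and `config.jwt_hmac_key`. Unless `anubis_instances` is defined in a pillar file outside this diff, the loop renders nothing and no instance is configured, while `anubis_instance: devcentral` in the first hunk already points nginx at the socket. `policies_file: /usr/local/etc/anubis/devcentral.yaml` also disagrees with the `/etc/anubis/{{ instance }}.botPolicies.yaml` path the state writes. Indentation is lost in this view, so the nesting of `anubis:` should be checked too.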
diff --git a/roles/paas-docker/anubis.sls b/roles/paas-docker/anubis.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis.sls
@@ -0,0 +1,42 @@
+# Doba Gui
+# Salt — Anubis AI Firewall
+
+/etc/anubis:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 755
+ - makedirs: True
+
+{% for instance, config in pillar.get('anubis_instances', {}).items() %}
+anubis_config_{{ instance }}:
+ file.managed:
+ - name: /etc/anubis/{{ instance }}.env
+ - source: salt://roles/paas-docker/anubis/files/env.j2
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 600
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+
+anubis_policy_{{ instance }}:
+ file.managed:
+ - name: /etc/anubis/{{ instance }}.botPolicies.yaml
+ - source: salt://roles/paas-docker/anubis/files/policies.yaml.j2
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+
+anubis@{{ instance }}:
+ service.running:
+ - enable: True
+ - watch:
+ - file: anubis_config_{{ instance }}
+ - file: anubis_policy_{{ instance }}
+{% endfor %}
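Review bot: `config: {{ config }}` in both `context:` blocks pastes the Python repr of the pillar dict into the state's YAML, which only parses while every value happens to be a flow-safe scalar, and it carries the two HMAC keys into the rendered state data, where they may show up in state output or logs. Serialising explicitly with `config: {{ config | json }}`, or letting the templates read the pillar themselves, avoids both; `instance: {{ instance }}` is better quoted as `instance: "{{ instance }}"`. The `anubis@{{ instance }}` service is started without this file managing the unit or `/run/anubis`, so it presumably relies on something outside the diff; a `require` on whatever provides them would make the ordering explicit.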
diff --git a/roles/paas-docker/anubis/files/env.j2 b/roles/paas-docker/anubis/files/env.j2
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/env.j2
@@ -0,0 +1,19 @@
+# Doba Gui
+# Anubis Configuration Template
+
+BIND=/run/anubis/{{ instance }}.sock
+BIND_NETWORK=unix
+SOCKET_MODE=0666
+TARGET={{ config.target }}
+POLICY_FNAME=/etc/anubis/{{ instance }}.botPolicies.yaml
+DIFFICULTY={{ config.difficulty }}
+COOKIE_DOMAIN={{ config.domain }}
+REDIRECT_DOMAINS={{ config.domain }}
+
+COOKIE_HMAC_KEY={{ config.cookie_hmac_key }}
+JWT_HMAC_KEY={{ config.jwt_hmac_key }}
+
+WORKERS=4
+LOG_LEVEL=info
+METRICS_BIND=127.0.0.1:{{ config.metrics_port }}
+SERVE_ROBOTS_TXT=0
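Review bot: `SOCKET_MODE=0666` makes the Anubis socket connectable by every local account, although the only intended client visible in this diff is nginx. A group-restricted mode such as `SOCKET_MODE=0660`, with the Anubis service and nginx sharing a group, keeps the same path working with less exposure; the same value is repeated in scripts/fix_anubis_devcentral.sh. Separately, `{{ config.cookie_hmac_key }}` and `{{ config.jwt_hmac_key }}` have no guard, so a pillar without them would likely render empty key lines rather than fail the state; an explicit check that aborts rendering when either is missing is safer.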
diff --git a/roles/paas-docker/anubis/files/policies.yaml.j2 b/roles/paas-docker/anubis/files/policies.yaml.j2
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/policies.yaml.j2
@@ -0,0 +1,27 @@
+# Doba Gui
+# Anubis Bot Policies Template
+
+bots:
+ - name: allow-internal
+ action: ALLOW
+ remote_addresses:
+ - "127.0.0.1/32"
+ - "::1/128"
+ - "172.27.27.0/24"
+ - name: allow-phabricator-files
+ action: ALLOW
+ path_regex: "^/file/(data|info|download|proxy|xform|transform)/"
+ - name: allow-diffusion
+ action: ALLOW
+ path_regex: "^/diffusion/"
+ - name: allow-static-assets
+ action: ALLOW
+ path_regex: "\\.(css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot|map|webp|webm)$"
+ - name: challenge-llm-scrapers
+ action: CHALLENGE
+ user_agent_regex: "(?i)(gpt|claude|anthropic|openai|chatgpt|bard|gemini|perplexity|cohere|ai2bot|ccbot|omgili)"
+ difficulty: 5
+ - name: default
+ action: CHALLENGE
+ user_agent_regex: ".*"
+ difficulty: {{ config.difficulty }}
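Review bot: The `allow-diffusion` rule exempts everything under `^/diffusion/` from the challenge, and repository browsing is typically the most expensive area for a crawler to walk, so the scrapers this policy targets stay unchallenged exactly there. If the intent is to keep Git-over-HTTP clients working, the regex should be narrowed to those endpoints and carry a comment saying so; the same question applies to `allow-phabricator-files`. The `allow-internal` rule matches on `remote_addresses`, and with nginx reaching Anubis over a unix socket the address Anubis evaluates presumably comes from a forwarded header set in the vhost, which this diff does not show; worth confirming that external clients cannot end up matching `172.27.27.0/24`. The `default` rule challenges every user agent, so non-browser API clients would need their own ALLOW rule if they pass through `location /`.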
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -43,7 +43,11 @@
proxy_redirect off;
location / {
+{%- if args.get('anubis_instance') %}
+ proxy_pass http://unix:/run/anubis/{{ args['anubis_instance'] }}.sock;
+{%- else %}
proxy_pass http://localhost:{{ app_port }};
+{%- endif %}
}
location ~ ^/maniphest/task/create {
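Review bot: Only `location /` is routed through Anubis, while the regex location `^/maniphest/task/create` that follows (its body is outside the hunk) takes precedence over the `/` prefix in nginx; if it and any other regex locations still proxy to `localhost:{{ app_port }}`, those paths are served without a challenge. Either route them through the same conditional or add a comment stating that the bypass is intended. The socket path is also rebuilt here as `/run/anubis/{{ args['anubis_instance'] }}.sock` independently of `BIND` in env.j2 and of the `socket:` value in the pillar, so the three can drift; reading it from one place would avoid that.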
diff --git a/scripts/fix_anubis_devcentral.sh b/scripts/fix_anubis_devcentral.sh
new file mode 100644
--- /dev/null
+++ b/scripts/fix_anubis_devcentral.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# Doba Gui
+# Correction et déploiement Anubis pour DevCentral
+
+echo "=========================================="
+echo "CORRECTION ANUBIS DEVCENTRAL"
+echo "=========================================="
+
+echo "[1] Arrêt de l'instance Anubis devcentral..."
+sudo systemctl stop anubis@devcentral
+echo "✓ Arrêtée"
+
+echo "[2] Génération des clés HMAC..."
+COOKIE_KEY=$(openssl rand -base64 32)
+JWT_KEY=$(openssl rand -base64 32)
+echo "✓ Clés générées"
+
+echo "[3] Création de la configuration corrigée..."
+sudo tee /etc/anubis/devcentral.env > /dev/null << EOF
+BIND=/run/anubis/devcentral.sock
+BIND_NETWORK=unix
+SOCKET_MODE=0666
+TARGET=http://localhost:48080
+POLICY_FNAME=/etc/anubis/devcentral.botPolicies.yaml
+DIFFICULTY=3
+COOKIE_DOMAIN=devcentral.nasqueron.org
+REDIRECT_DOMAINS=devcentral.nasqueron.org
+COOKIE_HMAC_KEY=$COOKIE_KEY
+JWT_HMAC_KEY=$JWT_KEY
+WORKERS=4
+LOG_LEVEL=info
+METRICS_BIND=127.0.0.1:9096
+SERVE_ROBOTS_TXT=0
+EOF
+echo "✓ Configuration créée"
+
+echo "[4] Création des politiques bot..."
+sudo tee /etc/anubis/devcentral.botPolicies.yaml > /dev/null << 'EOF_POLICY'
+bots:
+ - name: allow-internal
+ action: ALLOW
+ remote_addresses:
+ - "127.0.0.1/32"
+ - "::1/128"
+ - "172.27.27.0/24"
+ - name: allow-phabricator-files
+ action: ALLOW
+ path_regex: "^/file/(data|info|download|proxy|xform|transform)/"
+ - name: allow-diffusion
+ action: ALLOW
+ path_regex: "^/diffusion/"
+ - name: allow-static-assets
+ action: ALLOW
+ path_regex: "\\.(css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot|map|webp|webm)$"
+ - name: challenge-llm-scrapers
+ action: CHALLENGE
+ user_agent_regex: "(?i)(gpt|claude|anthropic|openai|chatgpt|bard|gemini|perplexity|cohere|ai2bot|ccbot|omgili)"
+ difficulty: 5
+ - name: default
+ action: CHALLENGE
+ user_agent_regex: ".*"
+ difficulty: 3
+EOF_POLICY
+echo "✓ Politiques créées"
+
+echo "[5] Vérification des répertoires..."
+sudo mkdir -p /run/anubis /var/lib/anubis
+sudo chown nginx:nginx /run/anubis /var/lib/anubis 2>/dev/null || sudo chown www-data:www-data /run/anubis /var/lib/anubis
+sudo chmod 755 /run/anubis /var/lib/anubis
+echo "✓ Répertoires OK"
+
+echo "[6] Démarrage d'Anubis..."
+sudo systemctl daemon-reload
+sudo systemctl start anubis@devcentral
+sleep 2
+echo "✓ Démarré"
+
+echo "[9] Vérification du socket..."
+if [ -S /run/anubis/devcentral.sock ]; then
+ ls -la /run/anubis/devcentral.sock
+ echo "✓ Socket créé avec succès"
+else
+ echo "✗ Socket non trouvé"
+ exit 1
+fi
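Review bot: Step [3] writes the freshly generated `COOKIE_HMAC_KEY` and `JWT_HMAC_KEY` through `sudo tee /etc/anubis/devcentral.env`, which creates the file with the default umask when it does not exist yet, so the keys can end up world-readable, whereas the Salt state in this same diff manages that file as mode 600. Creating it first with `sudo install -o root -g root -m 600 /dev/null /etc/anubis/devcentral.env` closes that gap. The script has no `set -euo pipefail`, so every `✓` line prints even when the preceding command failed. Each run also rotates both keys, and the next Salt run would replace these hand-written files with the pillar-rendered ones, so the script and the state should not both own them. Step numbering jumps from [6] to [9].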
