diff --git a/pillar/paas/docker/docker-002/main.sls b/pillar/paas/docker/docker-002/main.sls
--- a/pillar/paas/docker/docker-002/main.sls
+++ b/pillar/paas/docker/docker-002/main.sls
@@ -156,6 +156,7 @@
mysql_link: acquisitariat
skip_container: True
config_managed: True
+ anubis_instance: devcentral
# Private instance for Dereckson
river_sector:
@@ -307,3 +308,12 @@
app:
title: Nasqueron Photos
max_album_length: 16
+
+ anubis_instances:
+ devcentral:
+ socket: /run/anubis/devcentral.sock
+ metrics_socket: /run/anubis/devcentral-metrics.sock
+ policies_file: /usr/local/etc/anubis/devcentral.yaml
+ target:
+ service: phabricator
+ container: devcentral
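Review bot: The per-instance `policies_file: /usr/local/etc/anubis/devcentral.yaml` added here has no consumer: the new init.sls deploys only the shared `/usr/local/etc/anubis/policies.yaml`, and instance.env hardcodes `POLICY_FNAME=/usr/local/etc/anubis/policies.yaml`, so this key is dead and the path it names is never created by any state in the diff. Either drop the key, or make the template honour it (`POLICY_FNAME={{ config.policies_file }}`) and add a state that manages that file, otherwise the service will point at a policy file that does not exist. The same applies to the `anubis_instances` block in pillar/paas/docker/dwellers/orbeon.sls. The enclosing container mapping starts outside the hunk.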
diff --git a/pillar/paas/docker/dwellers/orbeon.sls b/pillar/paas/docker/dwellers/orbeon.sls
--- a/pillar/paas/docker/dwellers/orbeon.sls
+++ b/pillar/paas/docker/dwellers/orbeon.sls
@@ -41,3 +41,12 @@
apps:
- nasqueron-join
- nasqueron-requests
+
+ anubis_instances:
+ orbeon:
+ socket: /run/anubis/orbeon.sock
+ metrics_socket: /run/anubis/orbeon-metrics.sock
+ policies_file: /usr/local/etc/anubis/orbeon.yaml
+ target:
+ service: orbeon
+ container: nasqueron_forms
diff --git a/roles/paas-docker/anubis/files/instance.env b/roles/paas-docker/anubis/files/instance.env
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/instance.env
@@ -0,0 +1,21 @@
+# -------------------------------------------------------------
+# Anubis — Instance configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/instance.env
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+TARGET={{ config.target }}
+BIND={{ config.bind }}
+POLICY_FNAME=/usr/local/etc/anubis/policies.yaml
+METRICS_BIND={{ config.metrics_bind }}
+ED25519_PRIVATE_KEY_HEX_FILE=/usr/local/etc/anubis/{{ instance }}/private.key
+ANUBIS_DASHBOARD_KEY={{ salt['vault.read_secret']('secret/nasqueron/anubis/' ~ instance, 'dashboard_key') }}
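Review bot: The template reads `config.bind`, `config.metrics_bind` and a scalar `config.target`, but the `anubis_instances` pillar entries added in this same diff define `socket`, `metrics_socket` and a `target` mapping (`service`/`container`), so `BIND=` and `METRICS_BIND=` render empty (or fail outright under Salt's strict-undefined Jinja) and `TARGET=` renders a Python dict repr rather than an address. The two sides need to agree on one key set; e.g. `BIND={{ config.socket }}` and `METRICS_BIND={{ config.metrics_socket }}`, with `TARGET` rendered from a single string the pillar provides. A header comment listing the pillar keys this template expects, `# Expects anubis_instances.<instance>: socket, metrics_socket, target`, would keep the pillar and template from drifting again. Consider also documenting in a comment that `ANUBIS_DASHBOARD_KEY` is resolved from Vault at render time, which is why the file must stay at mode 640.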
diff --git a/roles/paas-docker/anubis/files/policies.yaml b/roles/paas-docker/anubis/files/policies.yaml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/policies.yaml
@@ -0,0 +1,133 @@
+# -------------------------------------------------------------
+# Anubis — Bot policies
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/policies.yaml
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# Anubis botPolicies.yaml
+# Reconiciliated with P390
+
+bots:
+ - import: (data)/bots/_deny-pathological.yaml
+ - import: (data)/bots/aggressive-brazilian-scrapers.yaml
+ - import: (data)/meta/ai-block-aggressive.yaml
+ - import: (data)/crawlers/_allow-good.yaml
+ - import: (data)/clients/x-firefox-ai.yaml
+ - import: (data)/common/keep-internet-working.yaml
+
+ - name: low-load-average
+ action: WEIGH
+ expression: load_15m <= 2.0
+ weight:
+ adjust: -10
+
+ - name: realistic-browser-catchall
+ expression:
+ all:
+ - '"User-Agent" in headers'
+ - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+ - '"Accept" in headers'
+ - '"Sec-Fetch-Dest" in headers'
+ - '"Sec-Fetch-Mode" in headers'
+ - '"Sec-Fetch-Site" in headers'
+ - '"Accept-Encoding" in headers'
+ - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+ - '"Accept-Language" in headers'
+ action: WEIGH
+ weight:
+ adjust: -10
+
+ - name: upgrade-insecure-requests
+ expression: '"Upgrade-Insecure-Requests" in headers'
+ action: WEIGH
+ weight:
+ adjust: -2
+
+ - name: chrome-is-proper
+ expression:
+ all:
+ - userAgent.contains("Chrome")
+ - '"Sec-Ch-Ua" in headers'
+ - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+ - '"Sec-Ch-Ua-Mobile" in headers'
+ - '"Sec-Ch-Ua-Platform" in headers'
+ action: WEIGH
+ weight:
+ adjust: -5
+
+ - name: should-have-accept
+ expression: '!("Accept" in headers)'
+ action: WEIGH
+ weight:
+ adjust: 5
+
+ - name: generic-browser
+ user_agent_regex: >-
+ Mozilla|Opera
+ action: WEIGH
+ weight:
+ adjust: 10
+
+dnsbl: false
+
+status_codes:
+ CHALLENGE: 200
+ DENY: 200
+
+store:
+ backend: memory
+ parameters: {}
+
+thresholds:
+ - name: minimal-suspicion
+ expression: weight <= 0
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: mild-suspicion
+ expression:
+ all:
+ - weight > 0
+ - weight < 10
+ action: CHALLENGE
+ challenge:
+ algorithm: metarefresh
+ difficulty: 1
+
+ - name: moderate-suspicion
+ expression:
+ all:
+ - weight >= 10
+ - weight < 20
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 2
+
+ - name: mild-proof-of-work
+ expression:
+ all:
+ - weight >= 20
+ - weight < 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: extreme-suspicion
+ expression: weight >= 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 6
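Review bot: The `minimal-suspicion` threshold (`weight <= 0`, the least suspicious tier) challenges with `algorithm: fast` at `difficulty: 4`, while the more suspicious `mild-suspicion` tier (`0 < weight < 10`) gets the far lighter `metarefresh` at `difficulty: 1`, so the best-scoring clients receive a harder challenge than clients scoring worse. If the intent is to challenge every tier, difficulty should rise monotonically with weight; if the intent is the usual one, `minimal-suspicion` is the tier that would take `action: ALLOW`. Since `generic-browser` adds +10 to any `Mozilla|Opera` user agent and `realistic-browser-catchall` subtracts 10, a well-formed browser lands near 0 while a client missing the `Sec-Fetch-*` headers lands near +10, so a short comment above `thresholds:` stating the intended score bands would make the tiers reviewable. The header comment `# Reconiciliated with P390` also has a typo (`Reconciled`).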
diff --git a/roles/paas-docker/anubis/init.sls b/roles/paas-docker/anubis/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/init.sls
@@ -0,0 +1,39 @@
+# -------------------------------------------------------------
+# Salt — Anubis (WAF/Reverse Proxy)
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+/usr/local/etc/anubis/policies.yaml:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/policies.yaml
+ - user: root
+ - group: anubis
+ - mode: 644
+ - makedirs: True
+
+{% for instance, config in salt["pillar.get"]("anubis_instances", {}).items() %}
+
+anubis_{{ instance }}_config:
+ file.managed:
+ - name: /usr/local/etc/anubis/{{ instance }}/instance.env
+ - source: salt://roles/paas-docker/anubis/files/instance.env
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+ - user: root
+ - group: anubis
+ - mode: 640
+ - makedirs: True
+
+anubis_{{ instance }}_service:
+ service.running:
+ - name: anubis@{{ instance }}
+ - enable: True
+ - watch:
+ - file: anubis_{{ instance }}_config
+ - file: /usr/local/etc/anubis/policies.yaml
+
+{% endfor %}
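Review bot: `config: {{ config }}` under `context:` inlines the pillar mapping as its Python repr, which only parses because that repr happens to be valid YAML flow syntax; use Salt's serializer filter, `config: {{ config | json }}`, so the rendered state stays well-formed whatever the values contain. The rendered instance.env points the service at `/usr/local/etc/anubis/{{ instance }}/private.key`, but no state in this diff manages that file, so `anubis@{{ instance }}` will presumably fail to start unless the key is provisioned elsewhere; a `file.managed` (mode 600, sourced from Vault like the dashboard key) or a comment naming where the key comes from would close that gap. Quoting the modes (`- mode: "0644"`, `- mode: "0640"`) avoids the integer/octal ambiguity Salt's documentation warns about. A comment on the policies state that it is world-readable because it intentionally holds no secrets, in contrast to the 640 instance env, would document the permission split.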
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -43,7 +43,11 @@
proxy_redirect off;
location / {
+{%- if args.get('anubis_instance') %}
+ proxy_pass http://127.0.0.1:{{ args["anubis_port"] }};
+{%- else %}
proxy_pass http://localhost:{{ app_port }};
+{%- endif %}
}
location ~ ^/maniphest/task/create {
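Review bot: The new branch dereferences `args["anubis_port"]`, but nothing in this diff defines `anubis_port`: the docker-002 pillar adds only `anubis_instance: devcentral`, and its `anubis_instances` entry describes unix sockets (`socket`, `metrics_socket`) rather than a TCP port, so the vhost render will fail on the undefined key (or proxy to an empty port) unless `anubis_port` is set elsewhere in the container's pillar. Either add `anubis_port` next to `anubis_instance`, or have nginx use the `unix:` socket form of `proxy_pass` pointing at the socket the instance configuration already declares, so the two files cannot drift apart. Using `127.0.0.1` here while the else branch uses `localhost` is a small inconsistency worth unifying. The enclosing `server` block starts and ends outside the hunk.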
