
D3908.id10583.diff
No OneTemporary

D3908.id10583.diff

diff --git a/GIDs b/GIDs
--- a/GIDs
+++ b/GIDs
@@ -16,3 +16,4 @@
9002 deploy
9003 web
9018 rhyne-wyse
+9019 anubis
diff --git a/UIDs b/UIDs
--- a/UIDs
+++ b/UIDs
@@ -13,6 +13,7 @@
9001 salt
9002 deploy
9018 rhyne-wyse
+9019 anubis
8900 zr LEGACY
# Web app
diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -7,6 +7,7 @@
'lib': '/usr/lib',
'libexec': '/usr/libexec',
'man': '/usr/share/man',
+ 'run': '/run',
'sbin': '/usr/sbin',
'share': '/usr/share',
},
@@ -18,6 +19,7 @@
'lib': '/usr/local/lib',
'libexec': '/usr/local/libexec',
'man': '/usr/local/share/man',
+ 'run': '/var/run',
'sbin': '/usr/local/sbin',
'share': '/usr/local/share',
},
diff --git a/pillar/paas/docker/docker-002/main.sls b/pillar/paas/docker/docker-002/main.sls
--- a/pillar/paas/docker/docker-002/main.sls
+++ b/pillar/paas/docker/docker-002/main.sls
@@ -156,6 +156,7 @@
mysql_link: acquisitariat
skip_container: True
config_managed: True
+ anubis_instance: devcentral
# Private instance for Dereckson
river_sector:
@@ -307,3 +308,11 @@
app:
title: Nasqueron Photos
max_album_length: 16
+
+anubis_instances:
+ devcentral:
+ socket: /run/anubis/devcentral.sock
+ metrics_socket: /run/anubis/devcentral-metrics.sock
+ target:
+ service: phabricator
+ container: devcentral
diff --git a/pillar/paas/docker/dwellers/orbeon.sls b/pillar/paas/docker/dwellers/orbeon.sls
--- a/pillar/paas/docker/dwellers/orbeon.sls
+++ b/pillar/paas/docker/dwellers/orbeon.sls
@@ -41,3 +41,11 @@
apps:
- nasqueron-join
- nasqueron-requests
+
+anubis_instances:
+ orbeon:
+ socket: /run/anubis/orbeon.sock
+ metrics_socket: /run/anubis/orbeon-metrics.sock
+ target:
+ service: orbeon
+ container: nasqueron_forms
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/anubis/account.sls
copy from roles/paas-docker/init.sls
copy to roles/paas-docker/anubis/account.sls
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/anubis/account.sls
@@ -1,25 +1,28 @@
# -------------------------------------------------------------
-# Salt — Provision Docker engine
+# Salt — Anubis
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2018-09-13
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
-include:
- - .kernel
- - .salt
- - .docker
- - .containers
- - .systemd-unit
- - .systemd-timers
- - .wwwroot-502
- - .wwwroot-content
- - .nginx
- - .monitoring
- - .wrappers
-{% if salt['node.has']('flags:install_docker_devel_tools') %}
- - .devel
-{% endif %}
+anubis_group:
+ group.present:
+ - name: anubis
+ - gid: 9019
+
+anubis_user:
+ user.present:
+ - name: anubis
+ - uid: 9019
+ - shell: /sbin/nologin
+ - groups:
+ - anubis
+ - system: True
+ - require:
+ - group: anubis_group
+
+{{ dirs.run }}/anubis:
+ file.directory:
+ - user: anubis
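Review bot: The `{{ dirs.run }}/anubis` file.directory at the end of the hunk sets only `user: anubis` — no `group`, no `mode` and no `require` on `anubis_user` — so the permissions of the socket directory and its ordering relative to the account are left to Salt defaults, while the nginx worker will have to traverse it to reach the instance sockets declared in pillar. Suggest adding `- group: anubis`, `- mode: "0750"` (with nginx's user placed in the anubis group, or "0755" if access control is left to the socket files) and `- require: - user: anubis_user`. `shell: /sbin/nologin` is also hardcoded while the rest of the file goes through map.jinja; `{{ dirs.sbin }}/nologin` would cover the Debian location (/usr/sbin/nologin) as well.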
diff --git a/roles/paas-docker/anubis/config.sls b/roles/paas-docker/anubis/config.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/config.sls
@@ -0,0 +1,68 @@
+# -------------------------------------------------------------
+# Salt — Anubis (WAF/Reverse Proxy)
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# Global configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/anubis/private.key:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/private.key
+ - template: jinja
+ - context:
+ key: {{ salt["credentials.get_password"]("anubis/" + grains["id"]) }}
+ - user: anubis
+ - group: anubis
+ - mode: 400
+ - makedirs: True
+
+{{ dirs.etc }}/anubis/policies.yaml:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/policies.yaml
+ - user: root
+ - group: anubis
+ - mode: 644
+ - makedirs: True
+
+# -------------------------------------------------------------
+# Per-instance configuration and service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for instance, config in salt["pillar.get"]("anubis_instances", {}).items() %}
+
+{{ dirs.etc }}/anubis/{{ instance }}/instance.env:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/instance.env
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+ - user: root
+ - group: anubis
+ - mode: 644
+ - makedirs: True
+
+# e.g. systemctl status anubis@devcentral
+
+/etc/systemd/system/anubis@{{ instance }}.service:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/anubis.service
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+
+anubis@{{ instance }}:
+ service.running:
+ - enable: True
+ - watch:
+ - file: anubis_{{ instance }}_config
+ - file: {{ dirs.etc }}/anubis/policies.yaml
+ - file: {{ dirs.etc }}/anubis/private.key
+
+{% endfor %}
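Review bot: The `watch` on `anubis@{{ instance }}` (service.running at the end of the loop) references `file: anubis_{{ instance }}_config`, but no state in this file carries that ID — the env file's state ID is its path — so the highstate fails on an unmatched requisite; it should read `- file: {{ dirs.etc }}/anubis/{{ instance }}/instance.env`, or the file.managed block should be given that ID with an explicit `- name:`. The unit `/etc/systemd/system/anubis@{{ instance }}.service` is written but neither watched nor followed by a daemon-reload, so template changes never reach a running instance until something else reloads systemd; a `module.run` with `service.systemctl_reload` (or `onchanges` on the unit file) before the service state would close that gap. Because `{{ dirs.etc }}/anubis/private.key` is a managed secret, add `- show_changes: False` to that state so the key never surfaces in highstate output or master logs. Passing `config: {{ config }}` relies on the Python dict repr parsing as YAML; `{{ config | tojson }}` makes that explicit and robust to quotes in values.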
diff --git a/roles/paas-docker/anubis/files/anubis.service b/roles/paas-docker/anubis/files/anubis.service
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/anubis.service
@@ -0,0 +1,29 @@
+# -------------------------------------------------------------
+# Anubis — {{ instance }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/anubis.service
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+[Unit]
+Description=Anubis Web AI Firewall - {{ instance }}
+After=network.target
+
+[Service]
+Type=simple
+User=anubis
+Group=anubis
+ExecStart=/usr/bin/anubis
+Restart=always
+EnvironmentFile=/etc/anubis/{{ instance }}/instance.env
+
+[Install]
+WantedBy=multi-user.target
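Review bot: The socket directory `/run/anubis` is created by Salt in account.sls, but /run is a tmpfs on typical systemd hosts, so it vanishes at reboot and every `anubis@*` instance fails to bind until the next highstate; the unit should own it with `RuntimeDirectory=anubis` and `RuntimeDirectoryPreserve=yes` (the latter because all instances share the directory and stopping one must not remove the others' sockets). `EnvironmentFile=/etc/anubis/...` is hardcoded while config.sls writes under `{{ dirs.etc }}`; that only lines up on the Linux branch of map.jinja, which is acceptable for a systemd unit but deserves a comment. Since this is a network-facing proxy running as a dedicated user, a small hardening block costs nothing and limits what a compromised instance can touch; `RuntimeDirectory` stays writable under `ProtectSystem=strict`.

```ini
[Service]
# … unchanged: Type, User, Group, ExecStart, Restart, EnvironmentFile …
# /run is tmpfs: let systemd (re)create the shared socket directory on each boot
RuntimeDirectory=anubis
RuntimeDirectoryPreserve=yes
# Minimal sandboxing for a network-facing proxy; it only reads /etc/anubis and
# writes its sockets under RuntimeDirectory.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```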
diff --git a/roles/paas-docker/anubis/files/instance.env b/roles/paas-docker/anubis/files/instance.env
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/instance.env
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------
+# Anubis — Instance configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/instance.env
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+TARGET={{ config.target }}
+BIND={{ config.socket }}
+POLICY_FNAME={{ config.policies_file | default("/usr/local/etc/anubis/policies.yaml") }}
+METRICS_BIND={{ config.metrics_socket }}
+ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key
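Review bot: `TARGET={{ config.target }}` renders the pillar's `target` mapping (`service`/`container`, see the docker-002 and orbeon pillar hunks) as a Python dict literal rather than the upstream URL Anubis expects, so no instance can start until that mapping is resolved to an address — either the pillar carries a URL string or config.sls computes one and passes it in the context. `POLICY_FNAME` defaults to `/usr/local/etc/anubis/policies.yaml`, while config.sls manages the policy file at `{{ dirs.etc }}/anubis/policies.yaml` and neither pillar sets `policies_file`; on the Linux branch of map.jinja that looks like `/etc/anubis/policies.yaml`, so the default should match the managed path (or `dirs.etc` should be passed into the template). `BIND` and `METRICS_BIND` are Unix socket paths, but Anubis binds TCP unless the address family is switched, so `BIND_NETWORK=unix` and `METRICS_BIND_NETWORK=unix` belong here, and the resulting socket mode must let the nginx worker connect.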
diff --git a/roles/paas-docker/anubis/files/policies.yaml b/roles/paas-docker/anubis/files/policies.yaml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/policies.yaml
@@ -0,0 +1,133 @@
+# -------------------------------------------------------------
+# Anubis — Bot policies
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/policies.yaml
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# Anubis botPolicies.yaml
+# Reconiciliated with P390
+
+bots:
+ - import: (data)/bots/_deny-pathological.yaml
+ - import: (data)/bots/aggressive-brazilian-scrapers.yaml
+ - import: (data)/meta/ai-block-aggressive.yaml
+ - import: (data)/crawlers/_allow-good.yaml
+ - import: (data)/clients/x-firefox-ai.yaml
+ - import: (data)/common/keep-internet-working.yaml
+
+ - name: low-load-average
+ action: WEIGH
+ expression: load_15m <= 2.0
+ weight:
+ adjust: -10
+
+ - name: realistic-browser-catchall
+ expression:
+ all:
+ - '"User-Agent" in headers'
+ - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+ - '"Accept" in headers'
+ - '"Sec-Fetch-Dest" in headers'
+ - '"Sec-Fetch-Mode" in headers'
+ - '"Sec-Fetch-Site" in headers'
+ - '"Accept-Encoding" in headers'
+ - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+ - '"Accept-Language" in headers'
+ action: WEIGH
+ weight:
+ adjust: -10
+
+ - name: upgrade-insecure-requests
+ expression: '"Upgrade-Insecure-Requests" in headers'
+ action: WEIGH
+ weight:
+ adjust: -2
+
+ - name: chrome-is-proper
+ expression:
+ all:
+ - userAgent.contains("Chrome")
+ - '"Sec-Ch-Ua" in headers'
+ - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+ - '"Sec-Ch-Ua-Mobile" in headers'
+ - '"Sec-Ch-Ua-Platform" in headers'
+ action: WEIGH
+ weight:
+ adjust: -5
+
+ - name: should-have-accept
+ expression: '!("Accept" in headers)'
+ action: WEIGH
+ weight:
+ adjust: 5
+
+ - name: generic-browser
+ user_agent_regex: >-
+ Mozilla|Opera
+ action: WEIGH
+ weight:
+ adjust: 10
+
+dnsbl: false
+
+status_codes:
+ CHALLENGE: 200
+ DENY: 200
+
+store:
+ backend: memory
+ parameters: {}
+
+thresholds:
+ - name: minimal-suspicion
+ expression: weight <= 0
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: mild-suspicion
+ expression:
+ all:
+ - weight > 0
+ - weight < 10
+ action: CHALLENGE
+ challenge:
+ algorithm: metarefresh
+ difficulty: 1
+
+ - name: moderate-suspicion
+ expression:
+ all:
+ - weight >= 10
+ - weight < 20
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 2
+
+ - name: mild-proof-of-work
+ expression:
+ all:
+ - weight >= 20
+ - weight < 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: extreme-suspicion
+ expression: weight >= 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 6
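Review bot: `status_codes` returns 200 for both CHALLENGE and DENY, so in nginx access logs and upstream-status metrics a denied request is indistinguishable from a served page, which weakens alerting on blocked traffic unless the metrics socket is scraped. If the 200 is deliberate (not revealing to scrapers that they are blocked), say so in place, e.g. `# 200 on purpose: denied clients must not learn they are blocked; count denials via the metrics socket`; otherwise leave the defaults. The strictest tier, `extreme-suspicion` (`weight >= 30`), still only challenges at difficulty 6 rather than denying, which is fine if intended but worth a one-line comment on that threshold. The header comment "Reconiciliated with P390" has a typo ("Reconciled") that could be fixed while touching the file.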
diff --git a/roles/paas-docker/anubis/files/private.key b/roles/paas-docker/anubis/files/private.key
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/private.key
@@ -0,0 +1 @@
+{{ key }}
diff --git a/roles/paas-docker/anubis/init.sls b/roles/paas-docker/anubis/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/init.sls
@@ -0,0 +1,11 @@
+# -------------------------------------------------------------
+# Salt — Anubis
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .account
+ - .software
+ - .config
diff --git a/roles/paas-docker/anubis/software.sls b/roles/paas-docker/anubis/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/software.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# Salt — Anubis
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+anubis:
+ pkg.installed
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/init.sls
@@ -17,6 +17,7 @@
- .systemd-timers
- .wwwroot-502
- .wwwroot-content
+ - .anubis
- .nginx
- .monitoring
- .wrappers
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -50,7 +50,11 @@
}
location / {
+{%- if args.get('anubis_instance') %}
+ proxy_pass http://127.0.0.1:{{ args["anubis_port"] }};
+{%- else %}
proxy_pass http://localhost:{{ app_port }};
+{%- endif %}
}
location ~ ^/maniphest/task/create {
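Review bot: The new branch reads `args["anubis_port"]`, but the docker-002 pillar hunk sets only `anubis_instance: devcentral` and declares the instance listener as a Unix socket (`/run/anubis/devcentral.sock`), so the template either fails on the missing key or emits an empty port; the directive should target the socket, `proxy_pass http://unix:/run/anubis/devcentral.sock:;`, ideally derived from the `anubis_instances` pillar rather than a separate port key. Anubis scores requests by client address, so unless `proxy_set_header X-Real-IP`/`X-Forwarded-For`/`Host` are set at server level (not visible here), every request will appear to originate from 127.0.0.1 and all per-client weighting collapses onto one client. The enclosing server block continues outside the hunk.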
