Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3746492
D2381.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
19 KB
Referenced Files
None
Subscribers
None
D2381.diff
View Options
diff --git a/PORTS b/PORTS
--- a/PORTS
+++ b/PORTS
@@ -37,4 +37,5 @@
39080 Cachet HTTP
41080 ACME DNS server HTTP
42080 Jenkins HTTP - CI
+ 43080 Hauk
50000 Jenkins master's port for JNLP-based Jenkins agents - CD
diff --git a/pillar/paas/docker.sls b/pillar/paas/docker.sls
--- a/pillar/paas/docker.sls
+++ b/pillar/paas/docker.sls
@@ -66,6 +66,9 @@
- library/sentry
- tianon/exim4
+ # Hauk
+ - bilde2910/hauk
+
# -------------------------------------------------------------
# Networks
#
@@ -430,6 +433,13 @@
title: Nasqueron Photos
max_album_length: 16
+ # Hauk
+ hauk:
+ hauk:
+ app_port: 43080
+ host: geo.nasqueron.org
+ api_entry_point: /hauk
+
# Sentry
# The Sentry instance uses a Redis and a PostgreSQL instance,
# declared above.
diff --git a/roles/paas-docker/containers/files/hauk/config.php.jinja b/roles/paas-docker/containers/files/hauk/config.php.jinja
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/hauk/config.php.jinja
@@ -0,0 +1,282 @@
+<?php
+
+const CONFIG = [
+
+// The type of storage backend Hauk will use. Valid values include:
+// MEMCACHED, REDIS
+//
+// For MEMCACHED, you need either the `memcached` or `memcache` extensions
+// enabled in PHP.
+//
+// For REDIS, you need `redis` extension enabled. Note that `redis` depends on
+// `igbinary`, so if you get an error that a redis extension was not found, even
+// though you enabled `redis`, you may have to also install and enable
+// `igbinary` in PHP.
+"storage_backend" => MEMCACHED,
+
+/*----------------------------------------------------------------------------*\
+| MEMCACHED SPECIFIC SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Connection to memcached for data storage. To connect via UNIX socket instead
+// of TCP, set host to 'unix:///path/to/memcached.sock' and port to 0.
+"memcached_host" => 'localhost',
+"memcached_port" => 11211,
+
+// If you use SASL authentication, change both `memcached_binary` and
+// `memcached_use_sasl` to true, and enter your SASL username and password.
+// Note: SASL authentication is only supported in the PHP `memcached` extension!
+// If you are using `memcache` and need SASL, consider switching to `memcached`.
+"memcached_binary" => false,
+"memcached_use_sasl" => false,
+"memcached_sasl_user" => "",
+"memcached_sasl_pass" => "",
+
+// A prefix to use for all variables sent to memcached. Useful if you have a
+// shared memcached instance or run multiple instances of Hauk.
+"memcached_prefix" => 'hauk',
+
+/*----------------------------------------------------------------------------*\
+| REDIS SPECIFIC SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Connection to Redis for data storage. To connect via UNIX socket instead of
+// TCP, set host to '/path/to/redis.sock'.
+"redis_host" => 'localhost',
+"redis_port" => 6379,
+
+// If you use password authentication in Redis, set `redis_use_auth` to true and
+// enter the password in `redis_auth`.
+"redis_use_auth" => false,
+"redis_auth" => '',
+
+// A prefix to use for all variables sent to Redis. Useful if you have a shared
+// Redis instance or run multiple instances of Hauk.
+"redis_prefix" => 'hauk',
+
+/*----------------------------------------------------------------------------*\
+| AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// Users must be authenticated to use the Hauk server. The default
+// authentication method is using a static server password that is shared by all
+// users, without the need for a username. You can, however, use other
+// authentication methods. Valid values here include:
+//
+// - PASSWORD: Use a static, shared server password for everyone
+// - HTPASSWD: Require a username and separate password for each user
+// - LDAP: Authenticate users against an LDAP server
+"auth_method" => PASSWORD,
+
+/*----------------------------------------------------------------------------*\
+| PASSWORD AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// A hashed password that is required for creating sessions and posting location
+// data to Hauk. To generate this value on the terminal:
+// - MD5 (insecure!): openssl passwd -1
+// - bcrypt (secure): htpasswd -nBC 10 "" | tail -c +2
+"password_hash" => '$2y$10$4ZP1iY8A3dZygXoPgsXYV.S3gHzBbiT9nSfONjhWrvMxVPkcFq1Ka',
+// Default value above is empty string (no password) and is VERY INSECURE.
+// Trust me, you really should change this unless you intentionally want a
+// public instance that anyone in the world can use freely.
+//
+// Also note that users have the option to save the server password locally on
+// their devices using a "Remember password" checkbox. If they choose to do so,
+// the password will be stored in plain text (unhashed) on their devices. You
+// are encouraged to generate a random password to prevent risks associated with
+// credential reuse, should the password somehow be leaked from their devices.
+
+/*----------------------------------------------------------------------------*\
+| HTPASSWD AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// A file that contains a pairing between users and hashed passwords. To
+// generate this file on the terminal:
+// - htpasswd -cBC 10 /etc/hauk/users.htpasswd <username>
+// To add additional users to an existing file:
+// - htpasswd -BC 10 /etc/hauk/users.htpasswd <username>
+"htpasswd_path" => '/etc/hauk/users.htpasswd',
+
+/*----------------------------------------------------------------------------*\
+| LDAP AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// URI that points to the LDAP server. Use "ldap://" for unencrypted LDAP as
+// well as when using StartTLS, use "ldaps://" for regular LDAP over TLS. Port
+// number is typically 389 (ldap) or 636 (ldaps).
+"ldap_uri" => 'ldaps://ldap.example.com:636',
+
+// Whether or not you wish to use StartTLS. StartTLS cannot be used in
+// combination with `ldaps`.
+"ldap_start_tls" => false,
+
+// Base DN to search for users.
+"ldap_base_dn" => 'ou=People,dc=example,dc=com',
+
+// DN to bind to to perform user search. This should ideally be a read-only
+// account as the password is stored in plain-text in this config file.
+"ldap_bind_dn" => 'cn=admin,dc=example,dc=com',
+"ldap_bind_pass" => 'Adm1nP4ssw0rd',
+
+// A filter that finds the user trying to authenticate. %s is substituted with
+// the username provided by the user in the app.
+//
+// You can also use this to restrict access to Hauk to only authorized users if
+// you do not wish to grant all LDAP users permission to use your Hauk instance.
+// For example, (&(uid=%s)(memberOf=cn=HaukUsers,ou=Groups,dc=example,dc=com))
+// will only let the user connect if they are part of the "HaukUsers" group in
+// the "Groups" OU.
+"ldap_user_filter" => '(uid=%s)',
+
+/*----------------------------------------------------------------------------*\
+| GENERAL SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Hauk v1.4 and on allows you to request a custom link ID instead of having the
+// server randomly generate one. Custom links can use characters A-Z, a-z, 0-9,
+// - (dash), and _ (underscore). If you want to disallow the option to request
+// custom links, set this to false.
+//
+// If a user requests particular custom link that is already in use, that user
+// will not have their request honored and will get a randomly generated link
+// instead.
+"allow_link_req" => true,
+
+// If you want certain links to only be usable by some users, you can reserve
+// them here. The following example reserves https://example.com/?WheresAlice
+// for user "alice" only, and reserves https://example.com/?TheRealBob
+// for use by both "bob" and "charlie".
+//
+// If you use Tasker or another automation platform to automatically start
+// sharing to a specific link ID, it's a good idea to specify it here so that
+// others cannot use it while you are inactive.
+//
+// Note that for this setting to have any effect, you have to specify an
+// auth_method that requires both a username and a password, such as HTPASSWD.
+"reserved_links" => [
+ 'WheresAlice' => ['alice'],
+ 'TheRealBob' => ['bob', 'charlie'],
+],
+
+// If you want to enable pre-approved custom links only, you can choose to
+// enable reservation whitelist mode. If this setting is set to true, custom
+// link IDs will only be accepted if they are present in the reserved_links
+// array above - requests to share to other links than those in the array will
+// not be honored.
+"reserve_whitelist" => false,
+
+// The type of links to generate when making new links for shares. Can be any
+// of the following:
+//
+// | Link style | Example | No. of combinations | Avg. bruteforce time |
+// +----------------------------+---------------------------------------+-----------------------+-------------------------------+
+// | LINK_4_PLUS_4_UPPER_CASE | V8LQ-H2UM | 1.79 * 10^12 (34^8) | 28.3 years |
+// | LINK_4_PLUS_4_LOWER_CASE | qae3-ulna | 2.82 * 10^12 (36^8) | 44.7 years |
+// | LINK_4_PLUS_4_MIXED_CASE | HEq3-tgJ1 | 1.28 * 10^14 (58^8) | 2030 years |
+// | LINK_UUID_V4 | 09c8a3b1-e78f-48b1-a604-0da49e99cb5d | 5.32 * 10^36 (2^122) | 84.2 septillion years |
+// | LINK_16_HEX | 6cde14c4c6551b41 | 1.84 * 10^19 (2^64) | 292 million years |
+// | LINK_16_UPPER_CASE | WVHA2FNMRT9HSKJK | 3.19 * 10^24 (34^16) | 50.6 trillion years |
+// | LINK_16_LOWER_CASE | bdyslxszs14cj359 | 7.95 * 10^24 (36^16) | 126 trillion years |
+// | LINK_16_MIXED_CASE | 1Ayh2yUXDe3sdF3S | 1.64 * 10^28 (58^16) | 260 quadrillion years |
+// | LINK_32_HEX | 22adf21f11491ae8f3ae128e23a6782f | 3.40 * 10^38 (2^128) | 5.39 octillion years |
+// | LINK_32_UPPER_CASE | R88M1Z2KPL27XN8MF73KCRYPHJD4QQMT | 1.02 * 10^49 (34^32) | 161 undecillion years |
+// | LINK_32_LOWER_CASE | itgbolrbq1c02eot5o46c5wixhdrdb5m | 6.33 * 10^49 (36^32) | 1 duodecillion years |
+// | LINK_32_MIXED_CASE | qf5pqr2UKTUT6vREPPSTuqSKkCMojF17 | 2.69 * 10^56 (58^32) | 4.26 quattuordecillion years |
+//
+// For any MIXED_CASE variants, upper-case I and lower-case L will not appear
+// because they are visually very similar and are easily confused. For the same
+// reason, MIXED_CASE and UPPER_CASE variants will not generate 0 and O.
+//
+// The default value is LINK_4_PLUS_4_UPPER_CASE, which is still considered very
+// secure. The bruteforce times in the table below are the average time it would
+// take to find a valid sharing link, when there is one link active, at 1000
+// guesses per second. For the default setting, this means it would take almost
+// 45 years to find the link.
+//
+// This is assuming that the link is active 24/7 for that entire time. If you
+// only have a link active 2% of the time, it would take over 2200 years.
+//
+// At 1000 guesses per second, you will likely notice that your server is
+// noticeably slower and rapidly filling up with access logs.
+//
+// Very long links are also time-consuming to type, should you find yourself
+// in need of typing in a link manually on another computer. This is the reason
+// that short links are default.
+//
+// ---- PLEASE NOTE ----
+// This option is provided to you only because several people have requested it
+// as a convenience. You are free to change it, but you should know that
+// changing the default here gives you, for all intents and purposes, no
+// security advantage in practice.
+//
+"link_style" => LINK_4_PLUS_4_UPPER_CASE,
+
+// Leaflet tile URI template for the map frontend. Here are some examples:
+//
+// - OpenStreetMap directly:
+// https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
+// - Mapbox:
+// https://api.tiles.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}.png?access_token=YOUR_ACCESS_TOKEN
+// - Thunderforest:
+// https://{s}.tile.thunderforest.com/neighbourhood/{z}/{x}/{y}.png?apikey=YOUR_API_KEY
+// - Esri:
+// https://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/{z}/{y}/{x}
+// - OpenMapSurfer:
+// https://maps.heigit.org/openmapsurfer/tiles/roads/webmercator/{z}/{x}/{y}.png
+// - Hydda (OSM Sweden):
+// https://{s}.tile.openstreetmap.se/hydda/full/{z}/{x}/{y}.png
+//
+// Make sure you have permission to use the source you choose, and also use a
+// proper attribution for that provider.
+"map_tile_uri" => 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png',
+
+// Attribution HTML code to be displayed in the bottom right corner of the map.
+// The default value is suitable for OpenStreetMap tiles.
+"map_attribution" => 'Map data © <a href="https://www.openstreetmap.org/">OpenStreetMap</a> contributors, <a href="https://creativecommons.org/licenses/by-sa/2.0/">CC-BY-SA</a>',
+
+// Default and maximum zoom levels allowed on the map (0-20), higher value means
+// closer zooming.
+"default_zoom" => 14,
+"max_zoom" => 19,
+
+// Maximum duration of a single location share, in seconds.
+"max_duration" => 86400,
+
+// Minimum time between each location update, in seconds.
+"min_interval" => 1,
+
+// The time that should pass without any location updates received, in seconds,
+// before the user is marked "offline" on the map.
+"offline_timeout" => 30,
+
+// The timeout in seconds for map update requests from the map view. If a web
+// request takes this long without a response, the map viewer is considered
+// offline and will get a warning notifying them that they have lost their
+// network connection.
+"request_timeout" => 10,
+
+// Maximum number of data points stored for each share before old points are
+// deleted. Map clients will see up to this amount of data points when they load
+// the page.
+"max_cached_pts" => 3,
+
+// Maximum number of data points that may be visible on the map at any time.
+// This is used to draw trails behind the current location map marker. Higher
+// values will show longer trails, but may reduce performance.
+"max_shown_pts" => 100,
+
+// Number of seconds of data that should be used to calculate velocity.
+"v_data_points" => 2,
+
+// The color of the marker trails. HTML color name or #rrggbb hex color code.
+"trail_color" => '#d80037',
+
+// The unit of measurement of velocity. Valid are:
+// KILOMETERS_PER_HOUR, MILES_PER_HOUR, METERS_PER_SECOND
+"velocity_unit" => KILOMETERS_PER_HOUR,
+
+// The publicly accessible URL to reach Hauk, with trailing slash.
+"public_url" => '{{ url }}'
+
+];
diff --git a/roles/paas-docker/containers/hauk.sls b/roles/paas-docker/containers/hauk.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/hauk.sls
@@ -0,0 +1,57 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2021-07-30
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+{% set containers = pillar['docker_containers'][grains['id']] %}
+
+{% for instance, container in containers['hauk'].items() %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/hauk/{{ instance }}:
+ file.directory:
+ - user: 9001
+ - makedirs: True
+
+/srv/hauk/{{ instance }}/config.php:
+ file.managed:
+ - source: salt:///roles/paas-docker/containers/files/hauk/config.php.jinja
+ - template: jinja
+ - mode: 644
+ - context:
+ url: https://{{ container['host'] }}{{ container['api_entry_point'] }}/
+
+{% if has_selinux %}
+selinux_context_{{ instance }}_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/hauk/{{ instance }}
+ - sel_type: container_file_t
+
+selinux_context_{{ instance }}_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/hauk/{{ instance }}
+{% endif %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: bilde2910/hauk
+ - binds: /srv/hauk/{{ instance }}:/etc/hauk
+ - ports:
+ - 80
+ - port_bindings:
+ - {{ container['app_port'] }}:80
+
+{% endfor %}
diff --git a/roles/paas-docker/nginx/files/vhosts/hauk.conf b/roles/paas-docker/nginx/files/vhosts/hauk.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/hauk.conf
@@ -0,0 +1,56 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Author: Sébastien Santoro aka Dereckson
+# Created: 2021-07-30
+# Source file: roles/paas-docker/nginx/files/vhosts/hauk.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Application - {{ fqdn }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ add_header Referrer-Policy same-origin always;
+ add_header X-Frame-Options DENY always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+
+ include includes/letsencrypt;
+
+ location {{ args['api_entry_point'] }}/ {
+ rewrite ^{{ args['api_entry_point'] }}(/.*)$ $1 break;
+ proxy_redirect off;
+
+ proxy_pass http://localhost:{{ app_port }};
+ include includes/proxy_params;
+ }
+
+ root /var/wwwroot-502/_default;
+ error_page 502 /502.html;
+ location /502.html {}
+}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sat, Nov 16, 21:43 (21 h, 23 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2246274
Default Alt Text
D2381.diff (19 KB)
Attached To
Mode
D2381: Provision Hauk
Attached
Detach File
Event Timeline
Log In to Comment