diff --git a/.saltstack/master b/.saltstack/master
deleted file mode 100644
index a8f23a125c1472bb2c720d747947d4fdce6eedfa..0000000000000000000000000000000000000000
--- a/.saltstack/master
+++ /dev/null
@@ -1 +0,0 @@
-auto_accept: True
diff --git a/.saltstack/minion b/.saltstack/minion
deleted file mode 100644
index 2792fe4874655685a425f312d53bd87074cd8a08..0000000000000000000000000000000000000000
--- a/.saltstack/minion
+++ /dev/null
@@ -1 +0,0 @@
-master: 10.0.0.5
diff --git a/.saltstack/pillar/postgrest.sls b/.saltstack/pillar/postgrest.sls
deleted file mode 120000
index 837da91dd71cbc57b1d2a0a45e7613f778e3dc81..0000000000000000000000000000000000000000
--- a/.saltstack/pillar/postgrest.sls
+++ /dev/null
@@ -1 +0,0 @@
-../../pillar.example
\ No newline at end of file
diff --git a/.saltstack/pillar/sslcert/cert.pem b/.saltstack/pillar/sslcert/cert.pem
deleted file mode 100644
index 76afb154effad405769c028c5315586d42ee6568..0000000000000000000000000000000000000000
--- a/.saltstack/pillar/sslcert/cert.pem
+++ /dev/null
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFuTCCA6GgAwIBAgIUcUudURLszmTKTnF9Q3W009BYOsQwDQYJKoZIhvcNAQEL -BQAwdjELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hzZW4xETAPBgNV -BAcMCEhhbm5vdmVyMRwwGgYDVQQKDBNIb2Noc2NodWxlIEhhbm5vdmVyMR4wHAYD -VQQDDBVhcGl2Mi5wb3N0Z3Jlc3QubG9jYWwwHhcNMTkwNDA4MDkzNDMzWhcNMjkw -NDA1MDkzNDMzWjB2MQswCQYDVQQGEwJERTEWMBQGA1UECAwNTmllZGVyc2FjaHNl -bjERMA8GA1UEBwwISGFubm92ZXIxHDAaBgNVBAoME0hvY2hzY2h1bGUgSGFubm92 -ZXIxHjAcBgNVBAMMFWFwaXYyLnBvc3RncmVzdC5sb2NhbDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAObvehl12k5JFRDPZaHx8O4CiVXYfUbtg7m8Qq6+ -Ng4hINs0kUfOZxzd7NWCEZZw3OToRaPPEazoWkh852jD/tJ3iublpcTiZp9Kyg0S -o1J040sPyTZ+beic8kUEWtpKAyu9q0rln9+YsFfleZE1kt3RTXB6+xorLVxcUajw -IAAqBIISKyRIi9dGTJakir1QtyxPRWiKfNZ+Wwm4C7UBnGOUn2SjavxZPRP0wk57 -Eq7AwyyuDic9dMD5T/qaWiKUY0OzzP3OuM8evNyrAV8NarT9IiloG3TBh+qHKK5F -5p/DtgGOdW+Z+P4n1avdkfEdZETuLTcE8O6yUV+nGEGuWDPySpze4TWkf5DfFQCD -rtrtHXsDIDQhmCBhwK6Fxcby51rhtmd1FMOUx/T0GsngTCACJNJ8e8CKkNX387Jk -UcSHSUt/1wip4WCC1z7YuKMyMas12WRyN82NCeWT7lVbFGNVnGUjOulCJsMAYDZX -NLVs2SIBy6LDSOVeiCOvJWft5nkpnPtSEy7qaiufB2IMtv0TNzsmfJiGqzMCaQNt -sx0bgFQPA2dSF855/MIG01OszLdIs4W+sFxGQEWiJ28KiCgh0pr+0g7CWaac+0AE -U01iuaE7KaaV8NhzOtW9JQRo7SWhmiWF6VuN+YNgBlIePcg0fVxCIDg07tDT3l44 -2eY3AgMBAAGjPzA9MDsGA1UdEQQ0MDKCFWFwaXYyLnBvc3RncmVzdC5sb2NhbIIZ -aWNtc2NhY2hlLnBvc3RncmVzdC5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAgEApOJ4 -o0YwOvR534c9EvAKN4tiXgQKEmyjmdfS0741JH0t3gAhrEX6KVAX7Vf99x6CZcS1 -x+czf1my3EIZpwQolBEpf73Xtjppn1Y5GlEVb3S15pIW8Pglj262p3XtpzSlfq8v -mcYiC9JOaruseSIKc8xKuTmwgU8n6rQTKfMvg3wetTlgGji/GeD40+paGDSqtikP -E+pve0cgcQqDA3cYwT9LNvN2BGhi4KU9O0poSJYMqXR4ErzI+ZAxj82vkcsxmDba -T1tjvrmUscZ2LX2dIrgs/jbRSugQiPUmuhE0s4TJfLtJCPOnvPzDmiCf47oiOz+G -R6FJo/yDZr0tdS5RNoFZsngS/N6rbPkooQrfPfHVnlRHR3foUR2bJQp2PKxqqtLQ -ENjbdeLDQCqMDo0BMXvZvgGek4vA+W21FteqskTnOKU+Yv3sUTJVKHmxtTXciz6a -nmKCOYtTB+kHbNyz+ovGUZ/oRK4t8xwgpKL6c09OX7k/pvnb8VnYeUDLE1wfW+n4 -2o3fk+oiPkFU79g5u748ZGDE2U3Pl460hsAfV31QjERbSHr7DwVF7dpnE9jH+tu+ 
-/FWMLpovASWCdh9tDoR9XzonmF72E+gKcYww2M1GSGQQm/4oJYmNIlAZd8lEB4Wh -Gz30Lx+MReUNuzvChwap0oSq0axECnEsVPvRYUs= ------END CERTIFICATE----- diff --git a/.saltstack/pillar/sslcert/dhparam.pem b/.saltstack/pillar/sslcert/dhparam.pem deleted file mode 100644 index 1e0056f136cc5f7bb2476ed1dba68ef8fa74251f..0000000000000000000000000000000000000000 --- a/.saltstack/pillar/sslcert/dhparam.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA9b8X8Plp+vLeVpQf8Nz2u9+lt8eF6BYj517XzJX8MsgPI1XU7dA4 -j75yitn1kd3R8q/PyTQgmbRdh54EfNEfiCnbY/2X+0c4L1rZqXx+GeUdAAXgjuye -LjA/zd0RprK6TOpIOYQ7MO4P35T8Ora8jDXvf/Q386vCRQ5fiuVR5+nH9R4KBi7H -iqM9N5dyhRNJIZZMeQ0T+zmeywazeicYszKunJqjQ0jZ1D+J1UUTHjH6/Lp1lVqA -kJHCWa7GkBOfROmYFjeJ3v5Hfjkry/uXtvVoVfFIUGA4dPoCBRLzfNAGMhPzx0Gr -kaW8ir0Mykld8mdgoCThKuHPhUnJ3wWamwIBAg== ------END DH PARAMETERS----- diff --git a/.saltstack/pillar/sslcert/key.pem b/.saltstack/pillar/sslcert/key.pem deleted file mode 100644 index 1c8cde8cd3b545f8fefc3e5001126764380c246e..0000000000000000000000000000000000000000 --- a/.saltstack/pillar/sslcert/key.pem +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDm73oZddpOSRUQ -z2Wh8fDuAolV2H1G7YO5vEKuvjYOISDbNJFHzmcc3ezVghGWcNzk6EWjzxGs6FpI -fOdow/7Sd4rm5aXE4mafSsoNEqNSdONLD8k2fm3onPJFBFraSgMrvatK5Z/fmLBX -5XmRNZLd0U1wevsaKy1cXFGo8CAAKgSCEiskSIvXRkyWpIq9ULcsT0VoinzWflsJ -uAu1AZxjlJ9ko2r8WT0T9MJOexKuwMMsrg4nPXTA+U/6mloilGNDs8z9zrjPHrzc -qwFfDWq0/SIpaBt0wYfqhyiuReafw7YBjnVvmfj+J9Wr3ZHxHWRE7i03BPDuslFf -pxhBrlgz8kqc3uE1pH+Q3xUAg67a7R17AyA0IZggYcCuhcXG8uda4bZndRTDlMf0 -9BrJ4EwgAiTSfHvAipDV9/OyZFHEh0lLf9cIqeFggtc+2LijMjGrNdlkcjfNjQnl -k+5VWxRjVZxlIzrpQibDAGA2VzS1bNkiAcuiw0jlXogjryVn7eZ5KZz7UhMu6mor -nwdiDLb9Ezc7JnyYhqszAmkDbbMdG4BUDwNnUhfOefzCBtNTrMy3SLOFvrBcRkBF -oidvCogoIdKa/tIOwlmmnPtABFNNYrmhOymmlfDYczrVvSUEaO0loZolhelbjfmD -YAZSHj3INH1cQiA4NO7Q095eONnmNwIDAQABAoICAAJp7F/JwI9i6ipz0H8h1T/X -nPHdwml0YBUX56aF7HC3Xe2MnhwfByrhEvGkW2S0J0rpNpkgt/GTuCXb0Fti+Q3g -G/6P1ey55RKzKGt8j2J0QE/viU3dgm6U/V9FTWHMtj3FzL2KquIeaXFxv5SJ99AD -uQh88JT0cJPvjxbx85Os3MEzSWomq/eDD5fffme+KTv4VCRklitzxKXUW6L3slfE -HOpjXuHmWOIVg9ZoKOjUsPWNmC5G0SqXMIPRCzIjVOpHPdRFTd80VgsEao5AyKW9 -o5bFNMxCnZYQ9ZbkuiVfWU6o24dgF58ocW5LcZQQl5S03JofnhkQmhMi3vkIxnk3 -cNy5lOob4OcVH8Mlc/TmMaSOhQgp6BVee90CV+mQLvrvpNWFnv0hBsneKfQwHrWa -Z3crGYEOKcxwemdZKhQokjoLjwuklwnEO/BOH0rkSHgCZ6z+G/KILZSjUMI8Ke4z -T8Hlss600QfPsxjMLkj67qI+p7o9NQAsSfHydrdV2e9Lzk+3rTUSNvrMfhsZENp8 -pfbeskreu+IGxpUi1WBTU7GlqYAUMSTkv/XcrfdhZOq+tKlmBaufSHMpGDnB1QGz -R/oSjO40rhdltmFSM+7T7U2KarOvnbW29ogaB/pgKzZsQoRHZIo3RQtglxq/mc6G -NRNYHG8Gv5NaYApzupGJAoIBAQD07Q0SGxaVYg09llbjKT6I3zrA/5ZYMHyL0iAj -G0ccTezl0KTDS+zVzzPQ7iqR+3L4Xj+cQJiqFYAhxMcuVtI1Y0Db6Zeua5r7ACns -2G2lw6E6ntk+LuqJ3ySlNU5lFdQzY5OeeVWNEjvWQ5eGZt5hTdDaLfO6L9ZBlHJR -eZ4CFvV0GnYPmvqGE/h48DnxkUDXHL/q52EaS2aD7BXLvrbSi1gLAvA5inWRgInv -Ci9RQT7A3wywl7Gi+HeLlMJgU35/IR9LaYrJGa/LDi3SGcw3gH0d/bPsAdjF9S3B -IFiPTwtn14OUiwsUQ6NC6mAu+U9MPT97XwBtkOGeuIQsYKPLAoIBAQDxYH1SU+C5 -h0rQpE67ZDfNzdqLh+HTxtYTgl25ZiSdN3g3CBS+TNs5lWI6yRSgko36Db2kjs/N 
-ef0pNVZBx6A7VM6NGLfAh/NlkV4l9ALhgP1SbHlYTugylnRbs5bfgljae6MBsJuy -MFKSCn7yCNP5YEXVx/Qy3X6/eiURLwpc8pbdpRTGDEsIAhttgdIV7vcYbmAT6FhN -EubIQem9ay8Vv+zvBKxHjs9q+BD8kW9XUpzsNZoPkMOx1CizBLcbiC1zuZKsrh53 -dQD73bxlVGav2Iu9aHPaXp5B6/BGu6SxyHxWjzsz9XHO0mkIX9YD/Qtmt98K2vQR -I5iFuYlpJjHFAoIBAAFCasvKCd6wx2KmsEGwx5qKk1HEvrArZ6iMZw/nJwF1QR+Z -aA99B3W+AAU2BFAF2/x895TFHEPbonIKAgAyABi4LvAyjk4eTYi24oBOSJoOnHih -snpIYXpeBGE5GfMZHqM5AtxQwWjdTCN464GMa95SOR22GMe/UTm7Gq9ikbZvCcoU -DMFdyaYA2kk86v9cANpaUn5RvEUXWCqbfy0yCNyiTMyZskSJertJzuvEwKOJU1pI -i1cpIIe3AV5dYHaAV2kt8WxA2a7ZC/deVkv7R/qNFZee41r2U3gJH7gbg3kRLfzV -td6ArIjpJCDG9cGoFIlO01G+FlF56j8Xsc5MnOsCggEAWBds5VTzWQKFTWwJx94l -d5i/P9kRk+anTmtvpTAgALizyPHMED+gan2YYffs7UVPR4koQxxTvpvcxuNOXadr -VPv4fgodVcjIDbNl9tf9DSu0SBaKmq4BlCTQxn7eeyfpIaOps/4udHOqTt5Bwjdy -lTqLgh/9gWrQzTTYvlK6p31pje6njDgEUiHivK56a8LQrzvpGJrdTxOs4j0b/yNV -Bc0LvZepAFygWlu6Z1L0nZvq5VISrceZhBb3243G/edPH0MEwryxJcuv1jvwe9K3 -v0l6hl/OmE2b2FcxU787th6DMlwHsUjMhjzIVGQViVMajBxi7GVIWdDx4yv5eESW -OQKCAQEA5OYP+oCi5mmuLHqQJzYetbq9wIg01gpQpKkQK5n2B/6A13IVxoBppd8p -+xH3UekLrTw7TymqAYKWYORap2vD3vjcUqOJ3AxXsiXX49Ook6Q6qHlL5Ynhxuob -pf0vvP8eRR+SGdueVfbcMHb3NjaOAoJKDlpee6bxYmDVOWWyIoQ42IaniOn9ar37 -hzxz0Xa2XsBcIc9quXtFcR/u7gGqXs+EjZPzdFirTUXywc0d3rPXDRlQvHDuedhn -gEo51PZ0A8srnCglRqm1oV2++meng89A5O48MEjgWlvhAcD2ck4ToChEmhWoZAxR -tJE4tKgPbG4Vctz6vNkdEkG5oAVYQQ== ------END PRIVATE KEY----- diff --git a/.saltstack/pillar/sslcert/new_cert.sh b/.saltstack/pillar/sslcert/new_cert.sh deleted file mode 100755 index 65d2af7aa0510812f9dce201157eef796c1130aa..0000000000000000000000000000000000000000 --- a/.saltstack/pillar/sslcert/new_cert.sh +++ /dev/null 
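Review bot: Deleting `key.pem` does not retire the key, because the complete unencrypted RSA private key remains readable in the repository history. The same key text is embedded under `key:` in `.saltstack/pillar/sslcert/postgrest.sls`, which this commit also deletes. The key is presumably the pair for the deleted `cert.pem`, issued by `new_cert.sh` with `-days 3650` for `apiv2.postgrest.local` and `icmscache.postgrest.local`, so the certificate should be treated as compromised and never trusted or reused outside the removed Vagrant setup. I would record that in the commit message or README, e.g. `The removed test certificate and key are public; do not deploy or trust them.`, and have any future test fixture generate its key at provision time instead of committing it.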
@@ -1,3 +0,0 @@
-#!/bin/bash
-openssl req -newkey rsa:4096 -x509 -keyout key.pem -new -out cert.pem -reqexts SAN -extensions SAN -days 3650 -nodes -subj "/C=DE/ST=Niedersachsen/L=Hannover/O=Hochschule Hannover/CN=apiv2.postgrest.local" -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:apiv2.postgrest.local,DNS:icmscache.postgrest.local"))
-openssl dhparam -out dhparam.pem 2048
diff --git a/.saltstack/pillar/sslcert/postgrest.sls b/.saltstack/pillar/sslcert/postgrest.sls
deleted file mode 100644
index dde8eb4f0135da66b192a58def6cfd0b6d6fe278..0000000000000000000000000000000000000000
--- a/.saltstack/pillar/sslcert/postgrest.sls
+++ /dev/null
@@ -1,101 +0,0 @@ -sslcert: - postgrest: - fqdns: - - apiv2.postgrest.local - - icmscache.postgrest.local - key: | - -----BEGIN PRIVATE KEY----- - MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDm73oZddpOSRUQ - z2Wh8fDuAolV2H1G7YO5vEKuvjYOISDbNJFHzmcc3ezVghGWcNzk6EWjzxGs6FpI - fOdow/7Sd4rm5aXE4mafSsoNEqNSdONLD8k2fm3onPJFBFraSgMrvatK5Z/fmLBX - 5XmRNZLd0U1wevsaKy1cXFGo8CAAKgSCEiskSIvXRkyWpIq9ULcsT0VoinzWflsJ - uAu1AZxjlJ9ko2r8WT0T9MJOexKuwMMsrg4nPXTA+U/6mloilGNDs8z9zrjPHrzc - qwFfDWq0/SIpaBt0wYfqhyiuReafw7YBjnVvmfj+J9Wr3ZHxHWRE7i03BPDuslFf - pxhBrlgz8kqc3uE1pH+Q3xUAg67a7R17AyA0IZggYcCuhcXG8uda4bZndRTDlMf0 - 9BrJ4EwgAiTSfHvAipDV9/OyZFHEh0lLf9cIqeFggtc+2LijMjGrNdlkcjfNjQnl - k+5VWxRjVZxlIzrpQibDAGA2VzS1bNkiAcuiw0jlXogjryVn7eZ5KZz7UhMu6mor - nwdiDLb9Ezc7JnyYhqszAmkDbbMdG4BUDwNnUhfOefzCBtNTrMy3SLOFvrBcRkBF - oidvCogoIdKa/tIOwlmmnPtABFNNYrmhOymmlfDYczrVvSUEaO0loZolhelbjfmD - YAZSHj3INH1cQiA4NO7Q095eONnmNwIDAQABAoICAAJp7F/JwI9i6ipz0H8h1T/X - nPHdwml0YBUX56aF7HC3Xe2MnhwfByrhEvGkW2S0J0rpNpkgt/GTuCXb0Fti+Q3g - G/6P1ey55RKzKGt8j2J0QE/viU3dgm6U/V9FTWHMtj3FzL2KquIeaXFxv5SJ99AD - uQh88JT0cJPvjxbx85Os3MEzSWomq/eDD5fffme+KTv4VCRklitzxKXUW6L3slfE - HOpjXuHmWOIVg9ZoKOjUsPWNmC5G0SqXMIPRCzIjVOpHPdRFTd80VgsEao5AyKW9 - o5bFNMxCnZYQ9ZbkuiVfWU6o24dgF58ocW5LcZQQl5S03JofnhkQmhMi3vkIxnk3 - cNy5lOob4OcVH8Mlc/TmMaSOhQgp6BVee90CV+mQLvrvpNWFnv0hBsneKfQwHrWa - Z3crGYEOKcxwemdZKhQokjoLjwuklwnEO/BOH0rkSHgCZ6z+G/KILZSjUMI8Ke4z - T8Hlss600QfPsxjMLkj67qI+p7o9NQAsSfHydrdV2e9Lzk+3rTUSNvrMfhsZENp8 - pfbeskreu+IGxpUi1WBTU7GlqYAUMSTkv/XcrfdhZOq+tKlmBaufSHMpGDnB1QGz - R/oSjO40rhdltmFSM+7T7U2KarOvnbW29ogaB/pgKzZsQoRHZIo3RQtglxq/mc6G - NRNYHG8Gv5NaYApzupGJAoIBAQD07Q0SGxaVYg09llbjKT6I3zrA/5ZYMHyL0iAj - G0ccTezl0KTDS+zVzzPQ7iqR+3L4Xj+cQJiqFYAhxMcuVtI1Y0Db6Zeua5r7ACns - 2G2lw6E6ntk+LuqJ3ySlNU5lFdQzY5OeeVWNEjvWQ5eGZt5hTdDaLfO6L9ZBlHJR - eZ4CFvV0GnYPmvqGE/h48DnxkUDXHL/q52EaS2aD7BXLvrbSi1gLAvA5inWRgInv - Ci9RQT7A3wywl7Gi+HeLlMJgU35/IR9LaYrJGa/LDi3SGcw3gH0d/bPsAdjF9S3B - 
IFiPTwtn14OUiwsUQ6NC6mAu+U9MPT97XwBtkOGeuIQsYKPLAoIBAQDxYH1SU+C5 - h0rQpE67ZDfNzdqLh+HTxtYTgl25ZiSdN3g3CBS+TNs5lWI6yRSgko36Db2kjs/N - ef0pNVZBx6A7VM6NGLfAh/NlkV4l9ALhgP1SbHlYTugylnRbs5bfgljae6MBsJuy - MFKSCn7yCNP5YEXVx/Qy3X6/eiURLwpc8pbdpRTGDEsIAhttgdIV7vcYbmAT6FhN - EubIQem9ay8Vv+zvBKxHjs9q+BD8kW9XUpzsNZoPkMOx1CizBLcbiC1zuZKsrh53 - dQD73bxlVGav2Iu9aHPaXp5B6/BGu6SxyHxWjzsz9XHO0mkIX9YD/Qtmt98K2vQR - I5iFuYlpJjHFAoIBAAFCasvKCd6wx2KmsEGwx5qKk1HEvrArZ6iMZw/nJwF1QR+Z - aA99B3W+AAU2BFAF2/x895TFHEPbonIKAgAyABi4LvAyjk4eTYi24oBOSJoOnHih - snpIYXpeBGE5GfMZHqM5AtxQwWjdTCN464GMa95SOR22GMe/UTm7Gq9ikbZvCcoU - DMFdyaYA2kk86v9cANpaUn5RvEUXWCqbfy0yCNyiTMyZskSJertJzuvEwKOJU1pI - i1cpIIe3AV5dYHaAV2kt8WxA2a7ZC/deVkv7R/qNFZee41r2U3gJH7gbg3kRLfzV - td6ArIjpJCDG9cGoFIlO01G+FlF56j8Xsc5MnOsCggEAWBds5VTzWQKFTWwJx94l - d5i/P9kRk+anTmtvpTAgALizyPHMED+gan2YYffs7UVPR4koQxxTvpvcxuNOXadr - VPv4fgodVcjIDbNl9tf9DSu0SBaKmq4BlCTQxn7eeyfpIaOps/4udHOqTt5Bwjdy - lTqLgh/9gWrQzTTYvlK6p31pje6njDgEUiHivK56a8LQrzvpGJrdTxOs4j0b/yNV - Bc0LvZepAFygWlu6Z1L0nZvq5VISrceZhBb3243G/edPH0MEwryxJcuv1jvwe9K3 - v0l6hl/OmE2b2FcxU787th6DMlwHsUjMhjzIVGQViVMajBxi7GVIWdDx4yv5eESW - OQKCAQEA5OYP+oCi5mmuLHqQJzYetbq9wIg01gpQpKkQK5n2B/6A13IVxoBppd8p - +xH3UekLrTw7TymqAYKWYORap2vD3vjcUqOJ3AxXsiXX49Ook6Q6qHlL5Ynhxuob - pf0vvP8eRR+SGdueVfbcMHb3NjaOAoJKDlpee6bxYmDVOWWyIoQ42IaniOn9ar37 - hzxz0Xa2XsBcIc9quXtFcR/u7gGqXs+EjZPzdFirTUXywc0d3rPXDRlQvHDuedhn - gEo51PZ0A8srnCglRqm1oV2++meng89A5O48MEjgWlvhAcD2ck4ToChEmhWoZAxR - tJE4tKgPbG4Vctz6vNkdEkG5oAVYQQ== - -----END PRIVATE KEY----- - pem: | - -----BEGIN CERTIFICATE----- - MIIFuTCCA6GgAwIBAgIUcUudURLszmTKTnF9Q3W009BYOsQwDQYJKoZIhvcNAQEL - BQAwdjELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hzZW4xETAPBgNV - BAcMCEhhbm5vdmVyMRwwGgYDVQQKDBNIb2Noc2NodWxlIEhhbm5vdmVyMR4wHAYD - VQQDDBVhcGl2Mi5wb3N0Z3Jlc3QubG9jYWwwHhcNMTkwNDA4MDkzNDMzWhcNMjkw - NDA1MDkzNDMzWjB2MQswCQYDVQQGEwJERTEWMBQGA1UECAwNTmllZGVyc2FjaHNl - bjERMA8GA1UEBwwISGFubm92ZXIxHDAaBgNVBAoME0hvY2hzY2h1bGUgSGFubm92 - 
ZXIxHjAcBgNVBAMMFWFwaXYyLnBvc3RncmVzdC5sb2NhbDCCAiIwDQYJKoZIhvcN - AQEBBQADggIPADCCAgoCggIBAObvehl12k5JFRDPZaHx8O4CiVXYfUbtg7m8Qq6+ - Ng4hINs0kUfOZxzd7NWCEZZw3OToRaPPEazoWkh852jD/tJ3iublpcTiZp9Kyg0S - o1J040sPyTZ+beic8kUEWtpKAyu9q0rln9+YsFfleZE1kt3RTXB6+xorLVxcUajw - IAAqBIISKyRIi9dGTJakir1QtyxPRWiKfNZ+Wwm4C7UBnGOUn2SjavxZPRP0wk57 - Eq7AwyyuDic9dMD5T/qaWiKUY0OzzP3OuM8evNyrAV8NarT9IiloG3TBh+qHKK5F - 5p/DtgGOdW+Z+P4n1avdkfEdZETuLTcE8O6yUV+nGEGuWDPySpze4TWkf5DfFQCD - rtrtHXsDIDQhmCBhwK6Fxcby51rhtmd1FMOUx/T0GsngTCACJNJ8e8CKkNX387Jk - UcSHSUt/1wip4WCC1z7YuKMyMas12WRyN82NCeWT7lVbFGNVnGUjOulCJsMAYDZX - NLVs2SIBy6LDSOVeiCOvJWft5nkpnPtSEy7qaiufB2IMtv0TNzsmfJiGqzMCaQNt - sx0bgFQPA2dSF855/MIG01OszLdIs4W+sFxGQEWiJ28KiCgh0pr+0g7CWaac+0AE - U01iuaE7KaaV8NhzOtW9JQRo7SWhmiWF6VuN+YNgBlIePcg0fVxCIDg07tDT3l44 - 2eY3AgMBAAGjPzA9MDsGA1UdEQQ0MDKCFWFwaXYyLnBvc3RncmVzdC5sb2NhbIIZ - aWNtc2NhY2hlLnBvc3RncmVzdC5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAgEApOJ4 - o0YwOvR534c9EvAKN4tiXgQKEmyjmdfS0741JH0t3gAhrEX6KVAX7Vf99x6CZcS1 - x+czf1my3EIZpwQolBEpf73Xtjppn1Y5GlEVb3S15pIW8Pglj262p3XtpzSlfq8v - mcYiC9JOaruseSIKc8xKuTmwgU8n6rQTKfMvg3wetTlgGji/GeD40+paGDSqtikP - E+pve0cgcQqDA3cYwT9LNvN2BGhi4KU9O0poSJYMqXR4ErzI+ZAxj82vkcsxmDba - T1tjvrmUscZ2LX2dIrgs/jbRSugQiPUmuhE0s4TJfLtJCPOnvPzDmiCf47oiOz+G - R6FJo/yDZr0tdS5RNoFZsngS/N6rbPkooQrfPfHVnlRHR3foUR2bJQp2PKxqqtLQ - ENjbdeLDQCqMDo0BMXvZvgGek4vA+W21FteqskTnOKU+Yv3sUTJVKHmxtTXciz6a - nmKCOYtTB+kHbNyz+ovGUZ/oRK4t8xwgpKL6c09OX7k/pvnb8VnYeUDLE1wfW+n4 - 2o3fk+oiPkFU79g5u748ZGDE2U3Pl460hsAfV31QjERbSHr7DwVF7dpnE9jH+tu+ - /FWMLpovASWCdh9tDoR9XzonmF72E+gKcYww2M1GSGQQm/4oJYmNIlAZd8lEB4Wh - Gz30Lx+MReUNuzvChwap0oSq0axECnEsVPvRYUs= - -----END CERTIFICATE----- - dhparam: | - -----BEGIN DH PARAMETERS----- - MIIBCAKCAQEA9b8X8Plp+vLeVpQf8Nz2u9+lt8eF6BYj517XzJX8MsgPI1XU7dA4 - j75yitn1kd3R8q/PyTQgmbRdh54EfNEfiCnbY/2X+0c4L1rZqXx+GeUdAAXgjuye - LjA/zd0RprK6TOpIOYQ7MO4P35T8Ora8jDXvf/Q386vCRQ5fiuVR5+nH9R4KBi7H - iqM9N5dyhRNJIZZMeQ0T+zmeywazeicYszKunJqjQ0jZ1D+J1UUTHjH6/Lp1lVqA - 
kJHCWa7GkBOfROmYFjeJ3v5Hfjkry/uXtvVoVfFIUGA4dPoCBRLzfNAGMhPzx0Gr - kaW8ir0Mykld8mdgoCThKuHPhUnJ3wWamwIBAg== - -----END DH PARAMETERS----- diff --git a/.saltstack/pillar/top.sls b/.saltstack/pillar/top.sls deleted file mode 100644 index 0d06fcbf2268355b5f9e82edc9aae1d8c146aa27..0000000000000000000000000000000000000000 --- a/.saltstack/pillar/top.sls +++ /dev/null @@ -1,4 +0,0 @@ -base: - postgrest*: - - sslcert.postgrest - - postgrest diff --git a/.saltstack/salt/postgrest b/.saltstack/salt/postgrest deleted file mode 120000 index 80c3ce9694b7813db6ae0e4cee1c30591b0a0637..0000000000000000000000000000000000000000 --- a/.saltstack/salt/postgrest +++ /dev/null @@ -1 +0,0 @@ -../../postgrest \ No newline at end of file diff --git a/.saltstack/salt/sslcert.sls b/.saltstack/salt/sslcert.sls deleted file mode 100644 index adfa0fde1830f01e91889a9cc8ab9c80392bbbb8..0000000000000000000000000000000000000000 --- a/.saltstack/salt/sslcert.sls +++ /dev/null 
@@ -1,59 +0,0 @@ -{% if salt['pillar.get']('sslcert') %} - -sslcert_create_dir: - file.directory: - - name: /root/certs/ - - user: root - - group: root - -{% for app_name, cert in salt['pillar.get']('sslcert').iteritems() %} - -sslcert_{{ app_name }}_pem: - file.managed: - - name: /root/certs/{{ app_name }}.pem - - user: root - - group: root - - mode: 600 - - show_diff: False - - contents_pillar: sslcert:{{ app_name }}:pem - - requires: - - file: sslcert_create_dir - -sslcert_{{ app_name }}_key: - file.managed: - - name: /root/certs/{{ app_name }}.key - - user: root - - group: root - - mode: 600 - - show_diff: False - - contents_pillar: sslcert:{{ app_name }}:key - - requires: - - file: sslcert_create_dir - -{% if cert.dhparam is defined %} -sslcert_{{ app_name }}_dhparam: - file.managed: - - name: /root/certs/{{ app_name }}.dhparam.pem - - user: root - - group: root - - mode: 600 - - show_diff: False - - contents_pillar: sslcert:{{ app_name }}:dhparam - - requires: - - file: sslcert_create_dir -{% endif %} - -{% if cert.client_ca is defined %} -ssl_cert_{{ app_name }}_client_ca: - file.managed: - - name: /root/certs/{{ app_name }}.client_ca.pem - - user: root - - group: root - - mode: 600 - - show_diff: False - - contents_pillar: sslcert:{{ app_name }}:client_ca - - requires: - - file: sslcert_create_dir -{% endif %} -{% endfor %} -{% endif %} diff --git a/.saltstack/salt/top.sls b/.saltstack/salt/top.sls deleted file mode 100644 index 079c7595a9d93dda4965de2480cdd51fd8f1962e..0000000000000000000000000000000000000000 --- a/.saltstack/salt/top.sls +++ /dev/null @@ -1,4 +0,0 @@ -base: - 'postgrest*': - - postgrest - - sslcert diff --git a/README.md b/README.md index ce8ed22f61c2ce86a63a9bd545dbd951c72f2c0e..396e19f6f2d977196c51d117478ac2fb3f92d596 100644 --- a/README.md +++ b/README.md 
@@ -4,13 +4,13 @@ The postgrest-formula is used to deploy postgREST instances. Have a look at the pillar.example (which is used for testing as well) to get an idea of how it works. -**/srv/pillar/postgrest/your\_instance.sls:** +**/srv/pillar/postgrest/your_instance.sls:** ```yaml postgrest: your_instance: tag: v5.2.0 - hash: '5f564d1c6dfad2fd25d5394c2cae42ebe0d736342eba25742cd45d2cbf61cf38' + hash: "5f564d1c6dfad2fd25d5394c2cae42ebe0d736342eba25742cd45d2cbf61cf38" config: db-uri: "postgres://api_v2_authenticator@127.0.0.1/api_db" db-schema: "api_v2" @@ -23,7 +23,7 @@ postgrest: ```yaml base: - 'your_instance*': + "your_instance*": - postgrest.your_instance ``` @@ -40,6 +40,7 @@ base: `config`: This is postgREST specific configuration as explained [here](http://postgrest.org/en/stable/install.html#configuration) #### How do I know the `jwt-secret` though? + You don't. You generate it: `pwgen -sn 32` ## Development @@ -76,8 +77,4 @@ You can access your PostgREST instances at: ### nginx -This formula is capable of installing and configuring nginx. -Therefore you need to have an `nginx` block below your instance configuration as -you can see in `pillar.example`. -If you omit this block the formula does not care about nginx. -This is useful, if you want to use the nginx formula. +Use the nginx-formula to get an TLS terminating reverse proxy in front. diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index fcf48651a629e0c588f8b066df6b5707257ae94e..0000000000000000000000000000000000000000 --- a/Vagrantfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - # salt master - config.vm.define "saltmaster" do |saltmaster_cfg| - saltmaster_cfg.vm.box = "debian/jessie64" - - saltmaster_cfg.vm.synced_folder ".saltstack/salt/", "/srv/salt", type: "rsync" - saltmaster_cfg.vm.synced_folder ".saltstack/pillar/", "/srv/pillar", type: "rsync" - - saltmaster_cfg.vm.hostname = "saltmaster" - saltmaster_cfg.vm.network "private_network", ip: "10.0.0.5" - saltmaster_cfg.vm.provision :salt do |salt| - salt.install_master = true - salt.no_minion = true - salt.master_config = ".saltstack/master" - end - end - - # postgrest test minion - (1..2).each do |i| - config.vm.define "postgrest-0#{i}" do |postgrest| - postgrest.vm.box = "debian/jessie64" - postgrest.vm.hostname = "postgrest-0#{i}" - postgrest.vm.network "forwarded_port", guest: 80, host: "800#{i}".to_i, host_ip:"127.0.0.1" - postgrest.vm.network "forwarded_port", guest: 443, host: "443#{i}".to_i, host_ip:"127.0.0.1" - postgrest.vm.network "private_network", type: "dhcp" - postgrest.vm.provision :salt do |salt| - salt.install_master = false - salt.minion_config = ".saltstack/minion" - salt.run_highstate = false - end - # Ensure these states are run in the correct order, highstating does not work here - postgrest.vm.provision "shell", inline: "salt-call state.sls sslcert,postgrest" - postgrest.vm.provision "shell", inline: "systemctl start api_v2-postgrest.service" - postgrest.vm.provision "shell", inline: "systemctl start icmscache-postgrest.service" - end - end -end diff --git a/pillar.example b/pillar.example index 029ca4b9079501781afe6a599f668cd1d65d4a31..252151129bf38f661b58e355284c8a6fb43b9d71 100644 --- a/pillar.example +++ b/pillar.example 
@@ -9,14 +9,6 @@ postgrest: jwt-secret: "aimi6fiep2ohPahqu6Jithahphai1aJe" db-anon-role: "api_v2_anonymous" - nginx: - ssl_cert_name: postgrest - http: false - https: true - redirect_to_https: true - fqdn: apiv2.postgrest.local - - icmscache: tag: v5.2.0 hash: '5f564d1c6dfad2fd25d5394c2cae42ebe0d736342eba25742cd45d2cbf61cf38' @@ -26,10 +18,3 @@ postgrest: jwt-secret: "aimi6fiep2ohPahqu6Jithahphai1aJe" db-anon-role: "icmscache_anonymous" server-port: 3001 - - nginx: - ssl_cert_name: postgrest - http: false - https: true - redirect_to_https: true - fqdn: icmscache.postgrest.local diff --git a/postgrest/init.sls b/postgrest/init.sls index 5af9fa9985e2dd94bb3e6f0b6e9335f9f72fcd6d..a7577b4dea9e217a0b9ab879b1f6354d770bf2e2 100644 --- a/postgrest/init.sls +++ b/postgrest/init.sls @@ -1,4 +1,3 @@ include: - postgrest.common - - postgrest.nginx - postgrest.postgrest diff --git a/postgrest/nginx.sls b/postgrest/nginx.sls deleted file mode 100644 index a03710362e35c50a8fb659abdb003ee134da07bc..0000000000000000000000000000000000000000 --- a/postgrest/nginx.sls +++ /dev/null 
@@ -1,36 +0,0 @@ -{% for instance_name, instance_conf in salt['pillar.get']("postgrest:instances").items() %} -{% if instance_conf.nginx is defined %} - -postgrest_nginx_package: - pkg.installed: - - pkgs: - - nginx - -postgrest_{{ instance_name }}_nginx_conf: - file.managed: - - name: /etc/nginx/sites-available/{{ instance_name }}.conf - - source: salt://postgrest/tpl/nginx.conf - - template: jinja - - context: - nginx_conf: {{ instance_conf.nginx }} - postgrest_port: {{ instance_conf.config.get('server-port', '3000') }} - instance_name: {{ instance_name }} - - mode: 644 - - user: root - - group: root - - require: - - pkg: postgrest_packages - -postgrest_{{ instance_name }}_nginx_enable: - file.symlink: - - name: /etc/nginx/sites-enabled/{{ instance_name }}.conf - - target: /etc/nginx/sites-available/{{ instance_name }}.conf - -postgrest_{{ instance_name }}_nginx_running: - service.running: - - name: nginx - - reload: True - - watch: - - file: /etc/nginx/sites-enabled/* -{% endif %} -{% endfor %} diff --git a/postgrest/tpl/nginx.conf b/postgrest/tpl/nginx.conf deleted file mode 100644 index e7e8acc310367447b0c415283d4b1e7e6d4de896..0000000000000000000000000000000000000000 --- a/postgrest/tpl/nginx.conf +++ /dev/null 
@@ -1,97 +0,0 @@ -# This file is written by salt. Don't even think about it. -upstream postgrest_{{ instance_name }} { - server 127.0.0.1:{{ postgrest_port }}; - keepalive 64; -} - -{% if nginx_conf.http or nginx_conf.redirect_to_https %} -server { - listen {{ nginx_conf.get('http_port', '80') }}; - server_name {{ nginx_conf.fqdn }}; - {% if nginx_conf.redirect_to_https %} - return 301 https://$server_name$request_uri; - {% elif nginx_conf.http %} - location / { - default_type application/json; - proxy_hide_header Content-Location; - add_header Content-Location /$upstream_http_content_location; - proxy_pass http://postgrest_{{ instance_name }}; - proxy_set_header X-Real-IP $remote_addr; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - {% endif %} -} -{% endif %} - -{% if nginx_conf.https %} -server { - server_name {{ nginx_conf.fqdn }}; - listen {{ nginx_conf.get('https_port', '443') }}; - - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 5m; - - ssl on; - ssl_certificate /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.fullchain.pem; - ssl_certificate_key /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.key; - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - ssl_dhparam /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.dhparam.pem; - {% if nginx_conf.client_ca is defined %} - ssl_verify_client on; - ssl_client_certificate /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name'), instance_name }} - {% endif %} - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; - - # don't send the nginx version number in error pages and Server header - server_tokens off; - # config to don't allow the browser to render the page inside an frame or iframe - # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking - # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri - # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options - add_header X-Frame-Options SAMEORIGIN; - - # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, - # to disable content-type sniffing on some browsers. - # https://www.owasp.org/index.php/List_of_useful_HTTP_headers - # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx - # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx - # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 - add_header X-Content-Type-Options nosniff; - - # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. - # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for - # this particular website if it was disabled by the user. 
- # https://www.owasp.org/index.php/List_of_useful_HTTP_headers - add_header X-XSS-Protection "1; mode=block"; - - # be as restrictive as possible - add_header Content_Security_Policy "default-src 'none'"; - - # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security - # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; - - location / { - default_type application/json; - proxy_hide_header Content-Location; - add_header Content-Location /$upstream_http_content_location; - proxy_pass http://postgrest_{{ instance_name }}; - proxy_set_header X-Real-IP $remote_addr; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -{% endif %}