finish up migration of bugs to be behind loadbalancer (#479)

- No longer need to pull a Lets Encrypt cert on the host - Disable 80/443 nginx hosts - Remove dummy nginx host for fetching mail.roundup-tracker.org lets encrypt certificate - Turn down the public facing ports - Use internal TLS certificate for postfix Along the way: - also closes firewall for 80/443 on planet
python · Aug 26, 2024 · 87e9f09 · 87e9f09
1 parent a91106b
commit 87e9f09
Show file tree

Hide file tree

Showing 9 changed files with 3 additions and 161 deletions.
diff --git a/pillar/base/firewall/bugs.sls b/pillar/base/firewall/bugs.sls
@@ -1,12 +1,6 @@
 {% include "networking.sls" %}
 
 firewall:
-  http:
-    port: 80
-  https:
-    port: 443
-  smtp:
-    port: 25
   frontend-bugs:
     port: 9000:9002
     source: *psf_internal_network

diff --git a/pillar/dev/top.sls b/pillar/dev/top.sls
@@ -67,7 +67,6 @@ base:
   'planet':
     - match: nodegroup
     - planet
-    - firewall.http
     - firewall.planet
 
   'salt-master':

diff --git a/pillar/prod/top.sls b/pillar/prod/top.sls
@@ -101,7 +101,6 @@ base:
   'planet':
     - match: nodegroup
     - planet
-    - firewall.http
     - firewall.planet
 
   'pythontest':

diff --git a/salt/bugs/config/nginx.conf.jinja b/salt/bugs/config/nginx.conf.jinja
@@ -12,72 +12,6 @@ upstream tracker-{{ tracker }} {
 
 include conf.d/tracker-extras/upstreams-{{ tracker }}*.conf;
 
-server {
-  listen 80;
-  server_name {{ server_name }};
-
-  location /.well-known/acme-challenge/ {
-      alias /etc/lego/.well-known/acme-challenge/;
-      try_files $uri =404;
-  }
-
-  location / {
-    return 301 https://$http_host$request_uri;
-  }
-}
-
-server {
-  listen 443 ssl;
-  server_name {{ server_name }};
-  include mime.types;
-
-  # By default use the snakeoil certificate...
-  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-
-  # If lego has done it's thing ang pulled a certificate from LetsEncrypt,
-  # we'll use that! This will take precedence over the above ssl_certificate
-  # and ssl_certificate_key directives.
-  include conf.d/lego.conf*;
-
-  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-  add_header X-Frame-Options "sameorigin";
-  add_header X-Xss-Protection "1; mode=block";
-  add_header X-Content-Type-Options "nosniff";
-  add_header X-Permitted-Cross-Domain-Policies "none";
-
-  error_log /var/log/nginx/roundup-{{ tracker }}.error.log;
-  access_log /var/log/nginx/roundup-{{ tracker }}.access.log timed_combined_{{ tracker }};
-
-  root /srv/roundup/trackers/{{ tracker }}/;
-
-  include conf.d/tracker-extras/{{ tracker }}*.conf;
-
-  gzip              on;
-  gzip_http_version 1.1;
-  gzip_proxied      any;
-  gzip_min_length   500;
-  gzip_comp_level   6;  # default comp_level is 1
-  gzip_disable      msie6;
-  gzip_types        text/plain text/css
-                    text/xml application/xml
-                    text/javascript application/javascript
-                    text/json application/json;
-
-  location /@@file/ {
-    rewrite ^/@@file/(.*) /html/$1 break;
-    expires 1h;
-  }
-
-  location / {
-    limit_req zone=limit-{{ tracker }} burst=5 nodelay;
-    proxy_pass http://tracker-{{ tracker }}/;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  }
-}
-
 server {
   listen {{ port }} ssl;
   server_name {{ server_name }};

diff --git a/salt/bugs/config/postfix/main.cf b/salt/bugs/config/postfix/main.cf
@@ -24,8 +24,8 @@ compatibility_level = 3.6
 
 
 # TLS parameters
-smtpd_tls_cert_file=/etc/lego/certificates/{{ grains['fqdn'] }}.crt
-smtpd_tls_key_file=/etc/lego/certificates/{{ grains['fqdn'] }}.key
+smtpd_tls_cert_file=ssl_certificate /etc/ssl/private/bugs.psf.io.pem;
+smtpd_tls_key_file=etc/ssl/private/bugs.psf.io.pem;
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs

diff --git a/salt/bugs/config/roundup/tracker-upstreams.conf b/salt/bugs/config/roundup/tracker-upstreams.conf
diff --git a/salt/bugs/init.sls b/salt/bugs/init.sls
@@ -1,34 +1,8 @@
 
 include:
   - bugs.postgresql
-  - tls.lego
   - nginx
 
-lego_bootstrap:
-  cmd.run:
-    - name: /usr/local/bin/lego -a --email="infrastructure-staff@python.org" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['bugs']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --path /etc/lego --key-type ec256 run
-    - creates: /etc/lego/certificates/{{ grains['fqdn'] }}.json
-    - require:
-      - archive: lego_extract
-
-lego_renew:
-  cron.present:
-    - name: /usr/bin/sudo -u nginx /usr/local/bin/lego -a --email="infrastructure-staff@python.org" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['bugs']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --http.webroot /etc/lego --path /etc/lego --key-type ec256  renew --days 30 && /usr/sbin/service nginx reload && /usr/sbin/service postfix reload
-    - identifier: roundup_lego_renew
-    - hour: 0
-    - minute: random
-
-lego_config:
-  file.managed:
-    - name: /etc/nginx/conf.d/lego.conf
-    - source: salt://tls/config/lego.conf.jinja
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: "0644"
-    - require:
-      - cmd: lego_bootstrap
-
 roundup-deps:
   pkg.installed:
     - pkgs:
@@ -163,7 +137,6 @@ tracker-nginx-extras:
     - template: jinja
     - require:
       - pkg: roundup-deps
-      - cmd: lego_bootstrap
 
 /etc/postfix/master.cf:
   file.managed:
@@ -174,7 +147,6 @@ tracker-nginx-extras:
     - template: jinja
     - require:
       - pkg: roundup-deps
-      - cmd: lego_bootstrap
 
 /etc/postfix/virtual:
   file.managed:
@@ -222,6 +194,7 @@ postfix:
       - file: /etc/postfix/master.cf
       - file: /etc/postfix/virtual
       - file: /etc/postfix/reject_recipients
+      - file: /etc/ssl/private/*.pem
 
 {# We can extend this for smtps/submission later #}
 {% for (port, service) in [(20025, "smtp")] %}

diff --git a/salt/bugs/jython.sls b/salt/bugs/jython.sls
@@ -1,8 +0,0 @@
-#tracker-jython-summary:
-#   cron.present:
-#     - name: /srv/roundup/env/bin/python2.7 /srv/roundup/trackers/cpython/scripts/roundup-summary /srv/roundup/trackers/jython --mail jython-dev@lists.sourceforge.net
-#     - identifier: roundup_tracker_jython_summary
-#     - user: roundup
-#     - dayweek: 5
-#     - hour: 18
-#     - minute: 5

diff --git a/salt/bugs/roundup.sls b/salt/bugs/roundup.sls
@@ -1,8 +0,0 @@
-tracker-roundup-nginx-extras-upstreams:
-  file.managed:
-    - name: /etc/nginx/conf.d/tracker-extras/upstreams-roundup.conf
-    - source: salt://bugs/config/roundup/tracker-upstreams.conf
-    - user: root
-    - group: root
-    - require:
-      - file: tracker-nginx-extras