From cbcc0318f6fcaf8b41568c8f045243e92ee60bbb Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 2 Oct 2021 11:27:49 -0500
Subject: [PATCH 1/3] r/web/p-nextcloud: Set ProxyPreserveHost
The Internet-facing reverse proxy needs to pass the correct Host header value in order for Nextcloud to correctly determine its own name. https://github.com/nextcloud/desktop/issues/1284
---
 roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2 b/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
index b17ca14..6db1d97 100644
--- a/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
+++ b/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
@@ -8,6 +8,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
 SSLProxyEngine On
 ProxyRequests Off
+ProxyPreserveHost On
 ProxyPass / https://cloud0.pyrocufflink.blue/
 ProxyPassReverse / https://cloud0.pyrocufflink.blue/
From 347b5578c3d0cae85d1e773b36c23255ebbf8efe Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 16 Oct 2021 10:17:34 -0500
Subject: [PATCH 2/3] ci: lib: Skip remount if empty limit pattern
Some playbooks apply only to hosts that do not have read-only root filesystems. For these, the `rw_limit` pattern will be empty. The *Remount R/W* and *Remount R/O* stages should be skipped when this is the case.
---
 vars/applyConfigPolicy.groovy | 43 ++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index d134996..c16c15d 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -1,4 +1,5 @@
 import groovy.transform.Field
+import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
 @Field def DOCKER_ARGS = '''\
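Review bot: With `ProxyPreserveHost On` the backend now receives whatever `Host:` the client sent, so hostname validation moves to Nextcloud: `trusted_domains` on cloud0 must list the public name this vhost answers to, and if this vhost can be reached as the catch-all/default vhost it should carry an explicit `ServerName` so arbitrary Host values are not forwarded upstream. As far as I recall httpd also uses the preserved Host as the SNI/peer name for the TLS connection to `https://cloud0.pyrocufflink.blue/`, which matters if `SSLProxyCheckPeerName` is in effect and the cloud0 certificate does not cover the public name — neither setting is visible in this hunk. I would record the reason next to the directive: `# Forward the public Host so Nextcloud derives its own URL (nextcloud/desktop#1284); that name must be in trusted_domains on the backend.` The enclosing `<VirtualHost>` starts and ends outside the hunk.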
@@ -52,15 +53,20 @@ def stageKinit() {
 def stageRemountRW(limit) {
- stage('Remount R/W') {
- ansiblePlaybook \
- playbook: 'remount.yml',
- limit: limit,
- become: true,
- vaultCredentialsId: 'ansible-vault',
- extraVars: [
- remount_state: 'rw',
- ]
+ def STAGE_NAME = 'Remount R/W'
+ stage(STAGE_NAME) {
+ if (limit) {
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: limit,
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extraVars: [
+ remount_state: 'rw',
+ ]
+ } else {
+ Utils.markStageSkippedForConditional(STAGE_NAME)
+ }
 }
 }
@@ -80,13 +86,18 @@ def generateStages(stages) {
 }
 def stageRemountRO(limit) {
- stage('Remount R/O') {
- ansiblePlaybook \
- playbook: 'remount.yml',
- limit: limit + ':!rw-root',
- become: true,
- vaultCredentialsId: 'ansible-vault',
- extras: '--diff'
+ def STAGE_NAME = 'Remount R/W'
+ stage(STAGE_NAME) {
+ if (limit) {
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: limit + ':!rw-root',
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extras: '--diff'
+ } else {
+ Utils.markStageSkippedForConditional(STAGE_NAME)
+ }
 }
 }
From c861d2f70a8afc84f8404dc0dffb32870365981c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 16 Oct 2021 10:20:01 -0500
Subject: [PATCH 3/3] ci: homeassistant: Remove hassdb playbook
The `hassdb.yml` playbook is no longer used; the new Home Assistant deployment uses the built-in database again, since it is stored on NVMe instead of an SD card. Further, the current deployment is hosted by a machine with a single filesystem, which thus cannot be remounted read-only after applying policy.
---
 ci/homeassistant.jenkinsfile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/ci/homeassistant.jenkinsfile b/ci/homeassistant.jenkinsfile
index a9e03d0..65806e1 100644
--- a/ci/homeassistant.jenkinsfile
+++ b/ci/homeassistant.jenkinsfile
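Review bot: `Utils.markStageSkippedForConditional`, called in the new `else` branch of `stageRemountRW`, lives in `org.jenkinsci.plugins.pipeline.modeldefinition`, an internal class of the Declarative pipeline plugin rather than a documented step API; it works from a trusted shared library but may need script approval elsewhere and can change between plugin releases. A one-line comment at the call would save the next reader a search: `// Internal pipeline-model-definition API: marks the stage as skipped in the UI`. The `if (limit)` truthiness test skips on both `null` and an empty string, which matches the commit message; a comment saying so (`// null or empty rw_limit: no read-only hosts in this policy`) would make the contract explicit for callers.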
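Review bot: The new `def STAGE_NAME = 'Remount R/W'` in `stageRemountRO` carries the wrong label — the removed line was `stage('Remount R/O')` — so both remount stages now show as "Remount R/W" and the skip marker for the read-only remount is recorded under the R/W name; change it to `def STAGE_NAME = 'Remount R/O'`. This is the stage that returns the root filesystem to read-only, so a mislabelled or skipped run is worth being able to spot in the job history. Note also that a playbook failing between the R/W and R/O stages would leave the root writable unless the caller wraps them in a try/finally, which is not visible from here.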
@@ -2,11 +2,8 @@
 @Library('cfgpol')_
 applyConfigPolicy(
- 'home-assistant:hassdb',
+ null,
 [
- 'Home Assistant DB': [
- 'hassdb.yml'
- ],
 'Home Assistant': [
 'homeassistant.yml'
 ]
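Review bot: Passing `null` as the limit only behaves as intended together with the `if (limit)` guards added to the library in the preceding patch; if `@Library('cfgpol')` resolves to a library version that predates it, the old `stageRemountRO` would build `null + ':!rw-root'` and the R/W stage would pass `limit: null`, which, depending on how the ansiblePlaybook step treats a null limit, could run `remount.yml` with no `--limit` at all. Pinning the library version or landing the library change first closes that window. A comment beside the argument would record why there is no pattern: `// no rw_limit: the host has a single writable root filesystem, nothing to remount`. The `applyConfigPolicy(` call continues past the end of the hunk.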