verglasz/soc-ops
0
0
Fork 0
forked from SUNET/soc-ops
Code Pull requests Activity

IntelMQ API.

Browse source
This commit is contained in:
Johan Björklund 2024-11-14 14:16:39 +01:00
parent 4fcd099e21
commit ff842b1989
Signed by untrusted user: bjorklund
GPG key ID: 5E8401339C7F5037
5 changed files with 172 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
global/overlay/etc/puppet/modules/soc/files/intelmq/api-config.json Normal file
View file

@ -0,0 +1,7 @@
{
"intelmq_ctl_cmd": ["sudo", "-u", "intelmq", "/opt/intelmq/venv/bin/intelmqctl"],
"allowed_path": "/opt/intelmq/var/lib/bots/",
"session_store": "/etc/intelmq/api-session.sqlite",
"session_duration": 86400,
"allow_origins": ["*"]
}

23
global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.service Normal file
View file

@ -0,0 +1,23 @@
[Unit]
Description=Gunicorn deamon to serve the IntelMQ API
Requires=intelmq-api.socket
After=network.target
[Service]
# To override settings path, use e.g.:
# Environment="INTELMQ_API_CONFIG=/etc/intelmq/api-config.json"
Environment="ROOT_PATH=/intelmq"
User=www-data
Group=www-data
RuntimeDirectory=gunicorn
WorkingDirectory=/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api
ExecStart=/opt/intelmq/venv/bin/gunicorn intelmq_api.main:app --workers 4 --worker-class uvicorn.workers.UvicornWorker --bind unix:intelmq_api.sock --log-level DEBUG
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=mixed
TimeoutStopSec=5
PrivateTmp=true
[Install]
WantedBy=multi-user.target

9
global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.socket Normal file
View file

@ -0,0 +1,9 @@
[Unit]
Description=The socket to handle IntelMQ API requests
[Socket]
ListenStream=/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock
SocketUser=www-data
[Install]
WantedBy=sockets.target

53
global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
View file

@ -1,5 +1,11 @@
class soc::intelmq( class soc::intelmq(
Optional[String] $tls_cert = undef,
Optional[String] $tls_chain = undef,
Optional[String] $tls_key = undef,
String $servername = $::fact['networking.fqdn'],
Boolean $use_snakeoil = false,
) { ) {
include sunet::systemd_reload
group { 'intelmq': group { 'intelmq':
ensure => present, ensure => present,
@ -88,4 +94,51 @@ class soc::intelmq(
notify => Service['apache2'], notify => Service['apache2'],
} }
file { '/etc/apache2/sites-available/intelmq-vhost.conf':
ensure => file,
template => 'soc/intelmq/intelmq-vhost.conf.erb'
}
file { '/etc/intelmq/api-config.json':
ensure => file,
owner => 'intelmq',
group => 'intelmq',
mode => '0444'
content => 'soc/intelmq/api-config.json',
}
file { 'api-session.sqlite':
ensure => 'present',
replace => 'no',
owner => 'intelmq',
group => 'www-data',
mode => '0660'
}
file { '/etc/systemd/system/intelmq-api.service':
ensure => file,
content => 'soc/intelmq/intelmq-api.service',
notify => [Class['sunet:systemd_reload'], Service['intelmq-api.service'],],
}
file { '/etc/systemd/system/intelmq-api.socket':
ensure => file,
content => 'soc/intelmq/intelmq-api.socket',
notify => [Class['sunet:systemd_reload'], Service['intelmq-api.socket'],],
}
service { 'intelmq-api.service':
ensure => running,
name => 'intelmq-api.service',
enabled => true,
hasrestart => true,
}
service { 'intelmq-api.socket':
ensure => running,
name => 'intelmq-api.socket',
enabled => true,
hasrestart => true,
}
} }

80
global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb Normal file
View file

@ -0,0 +1,80 @@
<VirtualHost *:80>
ServerName <%= @servername %>
ServerAdmin cert@cert.sunet.se
DocumentRoot /var/www/html
RewriteEngine On
RewriteRule ^(.*)$ https://<%= @servername %>/$1 [R,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName <%= @servername %>
ServerAdmin cert@cert.sunet.se
SSLEngine on
<% if @use_snakeoil -%>
SSLCertificateFile /etc/letsencrypt/live/intelmq-test.cert.sunet.se/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intelmq-test.cert.sunet.se/privkey.pem
<% else -%>
SSLCertificateFile <%= @tls_cert %>
SSLCertificateKeyFile <%= @tls_key %>
SSLCertificateChainFile <%= @tls_chain %>
<% end -%>
SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
Protocols h2 http/1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000"
<IfModule mod_proxy.c>
ProxyRequests Off
<Location "/api">
ProxyPass "http://127.0.0.1:8666/api"
ProxyPassReverse "http://127.0.0.1:8666/api"
Header always set X-DEBUG-PATH "/api"
</Location>
</IfModule>
# RewriteEngine on
# RewriteCond %{REQUEST_URI} !^/(index.html|static|api|intelmq-webinput)
# RewriteRule .* /index.html [PT]
DocumentRoot /opt/intelmq/www-fody
<Directory /opt/intelmq/www-fody>
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'"
Header set X-Content-Security-Policy "script-src 'self'"
</IfModule>
Require all granted
Options FollowSymLinks
</Directory>
Alias /intelmq-manager /usr/share/intelmq_manager/html/
<Directory /usr/share/intelmq_manager/html>
# AuthType Basic
# AuthName "IntelMQ"
# AuthBasicProvider file
# AuthUserFile /etc/apache2/htpasswd
# Require user sunetcert
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'"
Header set X-Content-Security-Policy "script-src 'self'"
</IfModule>
</Directory>
<Location /intelmq/>
ProxyPass unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
ProxyPassReverse unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>