Add www role

This commit is contained in:
polyfloyd 2023-09-10 14:11:21 +02:00
parent 1bab3d478d
commit 03780abf01
12 changed files with 313 additions and 0 deletions

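--- a/group_vars/www.yaml
+++ b/group_vars/www.yaml
@@ -0,0 +1,3 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]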
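Review bot: `acme_bootstrap_certs: yes` relies on YAML 1.1 truthiness; Ansible accepts it, but yamllint's `truthy` rule flags it and a stricter consumer of this group_vars file would read the string "yes", so write `acme_bootstrap_certs: true`. `acme_san_domains` is a list whose only element is itself a flow list, which is fine if the acme role iterates one certificate per inner list, but that is worth confirming against the role that consumes it. The nginx template in this commit also reads `www_domain` for the dehydrated certificate path and I do not see it defined in this file; if it is not set elsewhere, the template fails to render as soon as `acme_bootstrap_certs` is switched off.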


@ -0,0 +1,14 @@
---
- import_tasks: ../../common/handlers/main.yaml
- name: restart spaceapi
systemd:
name: spaceapi
state: restarted
daemon_reload: true
- name: restart mqtt2web
systemd:
name: mqtt2web
state: restarted
daemon_reload: true


@ -0,0 +1,24 @@
---
- name: Install dependencies
apt:
name: [ python3-requests, python3-icalendar ]
- name: Clone source
git:
repo: https://github.com/bitlair/calendar-parser.git
version: main
dest: /usr/local/src/bitlair-calendar
accept_hostkey: yes
- name: Create user
user:
name: bitlair-calendar
home: /var/lib/bitlair-calendar
- name: Install cronjob
template:
src: calendar.cron
dest: /etc/cron.d/bitlair-calendar
owner: root
group: root
mode: 0644
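Review bot: `version: main` in the Clone source task tracks a moving branch, so every playbook run can pull new upstream commits that the cron job added in this commit then executes unattended; pin it to a tag or commit, e.g. `version: "<pinned-tag-or-sha>"`, so the deployed code only changes through a deliberate edit here. The same unpinned `master` is used for the mqtt2web and spaceapi clones, which run as system services. `accept_hostkey: yes` has no effect on an https remote and, if kept, should be `true`; `mode: 0644` is accepted by Ansible because of the leading zero, but `mode: "0644"` survives yamllint and reformatters without changing type. The rendered view has dropped this file's header, so the calendar.yaml name is inferred from roles/www/tasks/main.yaml.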

12
roles/www/tasks/main.yaml Normal file

@ -0,0 +1,12 @@
---
- tags: www_calendar
import_tasks: calendar.yaml
- tags: www_mediawiki
include_tasks: mediawiki.yaml
- tags: www_mqtt
include_tasks: mqtt.yaml
- tags: www_spaceapi
include_tasks: spaceapi.yaml
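Review bot: Tags on an `include_tasks` statement do not propagate to the tasks inside the included file, so `ansible-playbook --tags www_mqtt` would run the include itself and then skip every task in mqtt.yaml because none of them carries the tag; the calendar entry already uses `import_tasks`, which propagates tags statically. Make the four entries consistent, e.g. `- tags: www_mqtt` / `  import_tasks: mqtt.yaml`, or keep `include_tasks` and add `apply: { tags: [www_mqtt] }` to each (the tag must stay on the include as well, or the include itself is skipped).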


@ -0,0 +1,21 @@
---
- name: Install dependencies
apt:
name:
- php-fpm
- name: Allow HTTP/HTTPS
iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
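Review bot: This file, pulled in by main.yaml as mediawiki.yaml (its header is missing from the rendered view), installs php-fpm and opens 80/443, but nothing in this commit renders the nginx site template or places the /opt/matrix-delegation.json that the template aliases; if a common role does that it is fine, otherwise the vhost is never deployed while the `persist iptables` handler exposes ports nothing listens on. `with_items` is the legacy loop form; `loop:` with the same list is the current idiom, and mqtt.yaml has the same pattern.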

45
roles/www/tasks/mqtt.yaml Normal file

@ -0,0 +1,45 @@
---
- name: Install Mosquitto
apt:
name: mosquitto
- name: Allow MQTT
iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 1883 }
- { ip: ipv6, port: 1883 }
notify: persist iptables
- name: Install mqtt-simple
command: cpan Net::MQTT::Simple
- name: Clone mqtt2web source
git:
repo: https://github.com/bitlair/mqtt2web.git
version: master
dest: /opt/mqtt2web
accept_hostkey: yes
notify: restart mqtt2web
- name: Install mqtt2web service file
template:
src: mqtt2web.service
dest: /etc/systemd/system/mqtt2web.service
owner: root
group: root
mode: 0644
notify: restart mqtt2web
- name: Enable mqtt2web
systemd:
name: mqtt2web
state: started
enabled: true
daemon_reload: true
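Review bot: `command: cpan Net::MQTT::Simple` has no `creates:` or `changed_when`, so it reports changed and re-runs cpan on every play, each time fetching and building code from a CPAN mirror as root with no version pin. Debian ships the module as `libnet-mqtt-simple-perl`, so it can go into the existing apt task, `name: [mosquitto, libnet-mqtt-simple-perl]`, which is idempotent and receives security updates with the rest of the system. The Allow MQTT task opens 1883 on IPv4 and IPv6 to any source while the visible tasks configure no Mosquitto listener, so confirm that the broker configuration (presumably managed elsewhere) requires authentication, or restrict the rule's source addresses.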


@ -0,0 +1,24 @@
---
- name: Clone spaceapi source
git:
repo: https://github.com/bitlair/spaceapi.git
version: master
dest: /opt/spaceapi
accept_hostkey: yes
notify: restart spaceapi
- name: Install spaceapi service file
template:
src: spaceapi.service
dest: /etc/systemd/system/spaceapi.service
owner: root
group: root
mode: 0644
notify: restart spaceapi
- name: Enable spaceapi
systemd:
name: spaceapi
state: started
enabled: true
daemon_reload: true


@ -0,0 +1,6 @@
# Managed by Ansible
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
42 * * * * bitlair-calendar /usr/local/src/bitlair-calendar/calendarparser.py /var/lib/bitlair-calendar/events.ics
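Review bot: The job writes /var/lib/bitlair-calendar/events.ics as `bitlair-calendar`, and the nginx template in this commit serves that file with `alias`, so the nginx worker needs read access to the file and traversal through the home directory; the `user` task that creates the home sets no mode, so whether this works depends on the system's default home-directory permissions. Either set an explicit mode on the home directory or have the script write to a dedicated directory readable by nginx. A `MAILTO=root` line above the job makes parser failures visible instead of leaving silently stale calendar data.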


@ -0,0 +1,3 @@
{
"m.server": "matrix.bitlair.nl"
}


@ -0,0 +1,15 @@
# Managed by Ansible
[Unit]
Description=MQTT to Web
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10s
ExecStart=/usr/bin/perl /opt/mqtt2web/mqtt2web.pl
DynamicUser=true
[Install]
WantedBy=multi-user.target


@ -0,0 +1,131 @@
# Managed by Ansible
server {
listen 80 default_server;
listen 443 ssl default_server;
listen [::]:80 default_server;
listen [::]:443 ssl default_server;
server_name bitlair.nl wiki.bitlair.nl www.bitlair.nl;
root /opt/bitlair-wiki/;
{% if acme_bootstrap_certs %}
include "snippets/snakeoil.conf";
{% else %}
ssl_certificate "/var/lib/dehydrated/certs/{{ www_domain }}/fullchain.pem";
ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
{% endif %}
# SSL settings from https://cipherli.st/ - AK47 15 jan 2017
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
client_max_body_size 32m;
client_body_timeout 60;
index index.php;
# mqtt2web
location = /mqtt {
proxy_pass http://localhost:8080/mqtt;
include proxy_params;
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_set_header Connection '';
chunked_transfer_encoding off;
}
# Space API
location = /statejson {
proxy_pass http://localhost:8888;
include proxy_params;
add_header 'Access-Control-Allow-Origin' '*';
}
# Photo gallery
location = /fotos {
return 302 $scheme://bitlair.nl/fotos/;
}
location ~* ^/fotos/(.*)$ {
proxy_pass http://192.168.88.22:4567/$1$is_args$args;
}
location ~ ^/state/(.+)$ {
alias /opt/spaceapi/assets/$1;
}
location = /events.ics {
alias /var/lib/bitlair-calendar/events.ics;
}
location ~ ^/(cache|maintenance|vendor|extensions)/ {
deny all;
}
location = /api.php {
deny all;
}
# Legacy space API stuff.
location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
root "/opt/legacy/";
fastcgi_pass unix:/run/php/php-fpm.sock;
include fastcgi.conf;
}
location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
root "/opt/legacy/";
}
location ~ ^/wp-content {
root "/opt/legacy/";
}
location = /statejson.php {
rewrite ^.+$ /statejson;
}
# Mediawiki
location / {
try_files $uri $uri/ @rewrite;
}
location ~ \.php$ {
try_files $uri @rewrite;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location @rewrite {
rewrite ^/(.*)$ /index.php?title=$1$args;
}
location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
try_files $uri @rewrite;
expires 1M;
}
location = /_.gif {
expires max;
empty_gif;
}
# Legacy: redirect old prefix.
location /Pages/ {
rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
}
# Matrix realm delegation
location = /.well-known/matrix/server {
add_header "Content-Type" "application/json";
add_header "Access-Control-Allow-Origin" "*";
alias /opt/matrix-delegation.json;
}
include "snippets/acme.conf";
}
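Review bot: `add_header` is not inherited into a location that declares its own `add_header`, so the `/statejson` and `/.well-known/matrix/server` locations lose the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers set at server level; put the three headers in a snippet and `include` it in the server block and in every location that adds a header, or repeat them there. In the MediaWiki `@rewrite` block, `/index.php?title=$1$args` glues the query string onto the title and nginx then appends the original arguments again because the replacement contains a `?`; the usual form is `rewrite ^/(.*)$ /index.php?title=$1&$args;` (the same `$1$args` appears in the /Pages/ redirect, where, as far as I can tell, nginx carries the arguments over on its own). The template reads `www_domain`, which the group_vars added by this commit do not define, so confirm it is set elsewhere before bootstrap is switched off. MediaWiki's upload directory is not excluded from the `\.php$` location, so a `location ~ ^/images/.*\.php$ { deny all; }` placed before it is a cheap guard against uploaded files being executed.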


@ -0,0 +1,15 @@
# Managed by Ansible
[Unit]
Description=Space API
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10s
ExecStart=/usr/bin/python3 /opt/spaceapi/server.py
DynamicUser=true
[Install]
WantedBy=multi-user.target