Add www role

group_vars/www.yaml

@@ -0,0 +1,3 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]

roles/www/handlers/main.yaml

@@ -0,0 +1,14 @@
+---
+- import_tasks: ../../common/handlers/main.yaml
+
+- name: restart spaceapi
+  systemd:
+    name: spaceapi
+    state: restarted
+    daemon_reload: true
+
+- name: restart mqtt2web
+  systemd:
+    name: mqtt2web
+    state: restarted
+    daemon_reload: true

roles/www/tasks/calendar.yaml

@@ -0,0 +1,24 @@
+---
+- name: Install dependencies
+  apt:
+    name: [ python3-requests, python3-icalendar ]
+
+- name: Clone source
+  git:
+    repo: https://github.com/bitlair/calendar-parser.git
+    version: main
+    dest: /usr/local/src/bitlair-calendar
+    accept_hostkey: yes
+
+- name: Create user
+  user:
+    name: bitlair-calendar
+    home: /var/lib/bitlair-calendar
+
+- name: Install cronjob
+  template:
+    src: calendar.cron
+    dest: /etc/cron.d/bitlair-calendar
+    owner: root
+    group: root
+    mode: 0644

roles/www/tasks/main.yaml

@@ -0,0 +1,12 @@
+---
+- tags: www_calendar
+  import_tasks: calendar.yaml
+
+- tags: www_mediawiki
+  include_tasks: mediawiki.yaml
+
+- tags: www_mqtt
+  include_tasks: mqtt.yaml
+
+- tags: www_spaceapi
+  include_tasks: spaceapi.yaml

roles/www/tasks/mediawiki.yaml

@@ -0,0 +1,21 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - php-fpm
+
+- name: Allow HTTP/HTTPS
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item.port }}"
+    ctstate: NEW
+    jump: ACCEPT
+    ip_version: "{{ item.ip }}"
+    action: insert
+  with_items:
+    - { ip: ipv4, port: 80 }
+    - { ip: ipv4, port: 443 }
+    - { ip: ipv6, port: 80 }
+    - { ip: ipv6, port: 443 }
+  notify: persist iptables

roles/www/tasks/mqtt.yaml

@@ -0,0 +1,45 @@
+---
+- name: Install Mosquitto
+  apt:
+    name: mosquitto
+
+- name: Allow MQTT
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ item.port }}"
+    ctstate: NEW
+    jump: ACCEPT
+    ip_version: "{{ item.ip }}"
+    action: insert
+  with_items:
+    - { ip: ipv4, port: 1883 }
+    - { ip: ipv6, port: 1883 }
+  notify: persist iptables
+
+- name: Install mqtt-simple
+  command: cpan Net::MQTT::Simple
+
+- name: Clone mqtt2web source
+  git:
+    repo: https://github.com/bitlair/mqtt2web.git
+    version: master
+    dest: /opt/mqtt2web
+    accept_hostkey: yes
+  notify: restart mqtt2web
+
+- name: Install mqtt2web service file
+  template:
+    src: mqtt2web.service
+    dest: /etc/systemd/system/mqtt2web.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart mqtt2web
+
+- name: Enable mqtt2web
+  systemd:
+    name: mqtt2web
+    state: started
+    enabled: true
+    daemon_reload: true

roles/www/tasks/spaceapi.yaml

@@ -0,0 +1,24 @@
+---
+- name: Clone spaceapi source
+  git:
+    repo: https://github.com/bitlair/spaceapi.git
+    version: master
+    dest: /opt/spaceapi
+    accept_hostkey: yes
+  notify: restart spaceapi
+
+- name: Install spaceapi service file
+  template:
+    src: spaceapi.service
+    dest: /etc/systemd/system/spaceapi.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart spaceapi
+
+- name: Enable spaceapi
+  systemd:
+    name: spaceapi
+    state: started
+    enabled: true
+    daemon_reload: true

roles/www/templates/calendar.cron

@@ -0,0 +1,6 @@
+# Managed by Ansible
+
+SHELL=/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
+42 * * * * bitlair-calendar /usr/local/src/bitlair-calendar/calendarparser.py /var/lib/bitlair-calendar/events.ics

roles/www/templates/matrix-delegation.json

@@ -0,0 +1,3 @@
+{
+    "m.server": "matrix.bitlair.nl"
+}

roles/www/templates/mqtt2web.service

@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+[Unit]
+Description=MQTT to Web
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10s
+ExecStart=/usr/bin/perl /opt/mqtt2web/mqtt2web.pl
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target

roles/www/templates/nginx-site.conf

@@ -0,0 +1,131 @@
+# Managed by Ansible
+
+server {
+    listen 80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:80 default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name bitlair.nl wiki.bitlair.nl www.bitlair.nl;
+    root /opt/bitlair-wiki/;
+
+    {% if acme_bootstrap_certs %}
+    include "snippets/snakeoil.conf";
+    {% else %}
+    ssl_certificate     "/var/lib/dehydrated/certs/{{ www_domain }}/fullchain.pem";
+    ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
+    {% endif %}
+
+    # SSL settings from https://cipherli.st/ - AK47 15 jan 2017
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+
+    client_max_body_size 32m;
+    client_body_timeout 60;
+
+    index index.php;
+
+    # mqtt2web
+    location = /mqtt {
+        proxy_pass http://localhost:8080/mqtt;
+        include proxy_params;
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_http_version 1.1;
+        proxy_set_header Connection '';
+        chunked_transfer_encoding off;
+    }
+
+    # Space API
+    location = /statejson {
+        proxy_pass http://localhost:8888;
+        include proxy_params;
+        add_header 'Access-Control-Allow-Origin' '*';
+    }
+
+    # Photo gallery
+    location = /fotos {
+        return 302 $scheme://bitlair.nl/fotos/;
+    }
+
+    location ~* ^/fotos/(.*)$ {
+        proxy_pass http://192.168.88.22:4567/$1$is_args$args;
+    }
+
+    location ~ ^/state/(.+)$ {
+        alias /opt/spaceapi/assets/$1;
+    }
+
+    location = /events.ics {
+        alias /var/lib/bitlair-calendar/events.ics;
+    }
+
+    location ~ ^/(cache|maintenance|vendor|extensions)/ {
+        deny all;
+    }
+
+    location = /api.php {
+        deny all;
+    }
+
+    # Legacy space API stuff.
+    location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
+        root "/opt/legacy/";
+        fastcgi_pass unix:/run/php/php-fpm.sock;
+        include fastcgi.conf;
+    }
+
+    location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
+        root "/opt/legacy/";
+    }
+
+    location ~ ^/wp-content {
+        root "/opt/legacy/";
+    }
+
+    location = /statejson.php {
+        rewrite ^.+$ /statejson;
+    }
+
+
+    # Mediawiki
+    location / {
+        try_files $uri $uri/ @rewrite;
+    }
+
+    location ~ \.php$ {
+        try_files $uri @rewrite;
+        fastcgi_pass unix:/run/php/php-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    location @rewrite {
+        rewrite ^/(.*)$ /index.php?title=$1$args;
+    }
+
+    location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
+        try_files $uri @rewrite;
+        expires 1M;
+    }
+
+    location = /_.gif {
+        expires max;
+        empty_gif;
+    }
+
+    # Legacy: redirect old prefix.
+    location /Pages/ {
+        rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
+    }
+
+    # Matrix realm delegation
+    location = /.well-known/matrix/server {
+        add_header "Content-Type" "application/json";
+        add_header "Access-Control-Allow-Origin" "*";
+        alias /opt/matrix-delegation.json;
+    }
+
+    include "snippets/acme.conf";
+}

roles/www/templates/spaceapi.service

@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+[Unit]
+Description=Space API
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10s
+ExecStart=/usr/bin/python3 /opt/spaceapi/server.py
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target