From 03780abf01643e586e0083927f402c219198f55b Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Sun, 10 Sep 2023 14:11:21 +0200
Subject: [PATCH] Add www role
---
 group_vars/www.yaml | 3 +
 roles/www/handlers/main.yaml | 14 +++
 roles/www/tasks/calendar.yaml | 24 ++++
 roles/www/tasks/main.yaml | 12 ++
 roles/www/tasks/mediawiki.yaml | 21 ++++
 roles/www/tasks/mqtt.yaml | 45 +++++++
 roles/www/tasks/spaceapi.yaml | 24 ++++
 roles/www/templates/calendar.cron | 6 +
 roles/www/templates/matrix-delegation.json | 3 +
 roles/www/templates/mqtt2web.service | 15 +++
 roles/www/templates/nginx-site.conf | 131 +++++++++++++++++++++
 roles/www/templates/spaceapi.service | 15 +++
 12 files changed, 313 insertions(+)
 create mode 100644 group_vars/www.yaml
 create mode 100644 roles/www/handlers/main.yaml
 create mode 100644 roles/www/tasks/calendar.yaml
 create mode 100644 roles/www/tasks/main.yaml
 create mode 100644 roles/www/tasks/mediawiki.yaml
 create mode 100644 roles/www/tasks/mqtt.yaml
 create mode 100644 roles/www/tasks/spaceapi.yaml
 create mode 100644 roles/www/templates/calendar.cron
 create mode 100644 roles/www/templates/matrix-delegation.json
 create mode 100644 roles/www/templates/mqtt2web.service
 create mode 100644 roles/www/templates/nginx-site.conf
 create mode 100644 roles/www/templates/spaceapi.service
diff --git a/group_vars/www.yaml b/group_vars/www.yaml
new file mode 100644
index 0000000..c98d077
--- /dev/null
+++ b/group_vars/www.yaml
@@ -0,0 +1,3 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+ - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
diff --git a/roles/www/handlers/main.yaml b/roles/www/handlers/main.yaml
new file mode 100644
index 0000000..745e9d7
--- /dev/null
+++ b/roles/www/handlers/main.yaml
@@ -0,0 +1,14 @@
+---
+- import_tasks: ../../common/handlers/main.yaml
+
+- name: restart spaceapi
+ systemd:
+ name: spaceapi
+ state: restarted
+ daemon_reload: true
+
+- name: restart mqtt2web
+ systemd:
+ name: mqtt2web
+ state: restarted
+ daemon_reload: true
diff --git a/roles/www/tasks/calendar.yaml b/roles/www/tasks/calendar.yaml
new file mode 100644
index 0000000..ea1a1f2
--- /dev/null
+++ b/roles/www/tasks/calendar.yaml
@@ -0,0 +1,24 @@
+---
+- name: Install dependencies
+ apt:
+ name: [ python3-requests, python3-icalendar ]
+
+- name: Clone source
+ git:
+ repo: https://github.com/bitlair/calendar-parser.git
+ version: main
+ dest: /usr/local/src/bitlair-calendar
+ accept_hostkey: yes
+
+- name: Create user
+ user:
+ name: bitlair-calendar
+ home: /var/lib/bitlair-calendar
+
+- name: Install cronjob
+ template:
+ src: calendar.cron
+ dest: /etc/cron.d/bitlair-calendar
+ owner: root
+ group: root
+ mode: 0644
diff --git a/roles/www/tasks/main.yaml b/roles/www/tasks/main.yaml
new file mode 100644
index 0000000..32b52d1
--- /dev/null
+++ b/roles/www/tasks/main.yaml
@@ -0,0 +1,12 @@
+---
+- tags: www_calendar
+ import_tasks: calendar.yaml
+
+- tags: www_mediawiki
+ include_tasks: mediawiki.yaml
+
+- tags: www_mqtt
+ include_tasks: mqtt.yaml
+
+- tags: www_spaceapi
+ include_tasks: spaceapi.yaml
diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml
new file mode 100644
index 0000000..a0db277
--- /dev/null
+++ b/roles/www/tasks/mediawiki.yaml
@@ -0,0 +1,21 @@
+---
+- name: Install dependencies
+ apt:
+ name:
+ - php-fpm
+
+- name: Allow HTTP/HTTPS
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item.port }}"
+ ctstate: NEW
+ jump: ACCEPT
+ ip_version: "{{ item.ip }}"
+ action: insert
+ with_items:
+ - { ip: ipv4, port: 80 }
+ - { ip: ipv4, port: 443 }
+ - { ip: ipv6, port: 80 }
+ - { ip: ipv6, port: 443 }
+ notify: persist iptables
diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml
new file mode 100644
index 0000000..1c9ed2a
--- /dev/null
+++ b/roles/www/tasks/mqtt.yaml
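Review bot: The `Clone source` task tracks a moving branch (`version: main`), so every playbook run checks out whatever upstream currently has and the cron entry then executes it on the host; pinning `version:` to a tag or commit hash keeps the deployed code reviewable. The same applies to `version: master` in mqtt.yaml and spaceapi.yaml, where a new checkout additionally restarts the service through the notify handlers. In `Create user`, the account is created with the distribution's default login shell; `system: yes` and `shell: /usr/sbin/nologin` would keep it a non-interactive service account. Depending on the target's login.defs the home directory may also be created mode 0700, in which case nginx cannot read `/var/lib/bitlair-calendar/events.ics` through the alias in nginx-site.conf — worth verifying on the host.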
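Review bot: Tags on `include_tasks` apply only to the include statement itself, not to the tasks it loads, so `ansible-playbook --tags www_mqtt` would run the include and then skip every task in mqtt.yaml; the same holds for `www_mediawiki` and `www_spaceapi`. `import_tasks`, as already used for calendar.yaml, propagates the tag to the imported tasks, so changing the other three entries to `import_tasks: mediawiki.yaml` (and likewise for mqtt.yaml and spaceapi.yaml) makes the tags usable. If dynamic inclusion is deliberate, `apply: { tags: [www_mqtt] }` on each include achieves the same effect.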
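Review bot: `Allow HTTP/HTTPS` opens 80 and 443 on both address families, but nothing in this patch installs nginx, deploys `templates/nginx-site.conf` or `templates/matrix-delegation.json`, or provisions the `/opt/bitlair-wiki/` document root the template points at; presumably a common role covers some of this, but if not, the firewall is opened for a service that is never configured. A `template` task for the site config with a `notify: reload nginx` handler, ordered before the iptables task, would close that gap. The php-fpm pool is left at the package default here, so confirm its socket matches the `unix:/run/php/php-fpm.sock` path hard-coded in the nginx template.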
@@ -0,0 +1,45 @@
+---
+- name: Install Mosquitto
+ apt:
+ name: mosquitto
+
+- name: Allow MQTT
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item.port }}"
+ ctstate: NEW
+ jump: ACCEPT
+ ip_version: "{{ item.ip }}"
+ action: insert
+ with_items:
+ - { ip: ipv4, port: 1883 }
+ - { ip: ipv6, port: 1883 }
+ notify: persist iptables
+
+- name: Install mqtt-simple
+ command: cpan Net::MQTT::Simple
+
+- name: Clone mqtt2web source
+ git:
+ repo: https://github.com/bitlair/mqtt2web.git
+ version: master
+ dest: /opt/mqtt2web
+ accept_hostkey: yes
+ notify: restart mqtt2web
+
+- name: Install mqtt2web service file
+ template:
+ src: mqtt2web.service
+ dest: /etc/systemd/system/mqtt2web.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart mqtt2web
+
+- name: Enable mqtt2web
+ systemd:
+ name: mqtt2web
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/roles/www/tasks/spaceapi.yaml b/roles/www/tasks/spaceapi.yaml
new file mode 100644
index 0000000..85fa72f
--- /dev/null
+++ b/roles/www/tasks/spaceapi.yaml
@@ -0,0 +1,24 @@
+---
+- name: Clone spaceapi source
+ git:
+ repo: https://github.com/bitlair/spaceapi.git
+ version: master
+ dest: /opt/spaceapi
+ accept_hostkey: yes
+ notify: restart spaceapi
+
+- name: Install spaceapi service file
+ template:
+ src: spaceapi.service
+ dest: /etc/systemd/system/spaceapi.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart spaceapi
+
+- name: Enable spaceapi
+ systemd:
+ name: spaceapi
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/roles/www/templates/calendar.cron b/roles/www/templates/calendar.cron
new file mode 100644
index 0000000..2f9d1da
--- /dev/null
+++ b/roles/www/templates/calendar.cron
@@ -0,0 +1,6 @@
+# Managed by Ansible
+
+SHELL=/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
+42 * * * * bitlair-calendar /usr/local/src/bitlair-calendar/calendarparser.py /var/lib/bitlair-calendar/events.ics
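Review bot: `Install mqtt-simple` runs `cpan Net::MQTT::Simple` via `command` with no `creates:` guard, so it reports changed and re-fetches from CPAN as root on every run, and the installed version is whatever CPAN serves at that moment. Installing the distribution package through `apt` (`libnet-mqtt-simple-perl` on Debian, if available for the target release) gives a pinned, signed artifact; failing that, add `args: { creates: <path of the installed Simple.pm — placeholder> }` so the task is idempotent. `Allow MQTT` also opens 1883 to the world while the play does not manage mosquitto's configuration at all; depending on the packaged default the broker either listens on localhost only (making the rule moot) or accepts unauthenticated connections on every interface, so a managed `mosquitto.conf` with an explicit listener and authentication should accompany this rule.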
diff --git a/roles/www/templates/matrix-delegation.json b/roles/www/templates/matrix-delegation.json
new file mode 100644
index 0000000..9a49cc7
--- /dev/null
+++ b/roles/www/templates/matrix-delegation.json
@@ -0,0 +1,3 @@
+{
+ "m.server": "matrix.bitlair.nl"
+}
diff --git a/roles/www/templates/mqtt2web.service b/roles/www/templates/mqtt2web.service
new file mode 100644
index 0000000..ff0a989
--- /dev/null
+++ b/roles/www/templates/mqtt2web.service
@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+[Unit]
+Description=MQTT to Web
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10s
+ExecStart=/usr/bin/perl /opt/mqtt2web/mqtt2web.pl
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/www/templates/nginx-site.conf b/roles/www/templates/nginx-site.conf
new file mode 100644
index 0000000..1076138
--- /dev/null
+++ b/roles/www/templates/nginx-site.conf
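Review bot: The unit orders itself only with `After=network.target`, yet mqtt2web.pl is, going by its name and by mqtt.yaml installing Mosquitto on the same host, a client of the local broker; adding `After=mosquitto.service` and `Wants=mosquitto.service` orders startup so the first connection does not depend on `Restart=on-failure` to recover. `DynamicUser=true` already implies `ProtectSystem=strict`, `PrivateTmp` and `NoNewPrivileges`, so the sandboxing as written is reasonable. The same ordering applies to spaceapi.service only if the Python service also talks to the broker, which the patch does not show.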
@@ -0,0 +1,131 @@
+# Managed by Ansible
+
+server {
+ listen 80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:80 default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name bitlair.nl wiki.bitlair.nl www.bitlair.nl;
+ root /opt/bitlair-wiki/;
+
+ {% if acme_bootstrap_certs %}
+ include "snippets/snakeoil.conf";
+ {% else %}
+ ssl_certificate "/var/lib/dehydrated/certs/{{ www_domain }}/fullchain.pem";
+ ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
+ {% endif %}
+
+ # SSL settings from https://cipherli.st/ - AK47 15 jan 2017
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+
+ client_max_body_size 32m;
+ client_body_timeout 60;
+
+ index index.php;
+
+ # mqtt2web
+ location = /mqtt {
+ proxy_pass http://localhost:8080/mqtt;
+ include proxy_params;
+ proxy_buffering off;
+ proxy_cache off;
+ proxy_http_version 1.1;
+ proxy_set_header Connection '';
+ chunked_transfer_encoding off;
+ }
+
+ # Space API
+ location = /statejson {
+ proxy_pass http://localhost:8888;
+ include proxy_params;
+ add_header 'Access-Control-Allow-Origin' '*';
+ }
+
+ # Photo gallery
+ location = /fotos {
+ return 302 $scheme://bitlair.nl/fotos/;
+ }
+
+ location ~* ^/fotos/(.*)$ {
+ proxy_pass http://192.168.88.22:4567/$1$is_args$args;
+ }
+
+ location ~ ^/state/(.+)$ {
+ alias /opt/spaceapi/assets/$1;
+ }
+
+ location = /events.ics {
+ alias /var/lib/bitlair-calendar/events.ics;
+ }
+
+ location ~ ^/(cache|maintenance|vendor|extensions)/ {
+ deny all;
+ }
+
+ location = /api.php {
+ deny all;
+ }
+
+ # Legacy space API stuff.
+ location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
+ root "/opt/legacy/";
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ include fastcgi.conf;
+ }
+
+ location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
+ root "/opt/legacy/";
+ }
+
+ location ~ ^/wp-content {
+ root "/opt/legacy/";
+ }
+
+ location = /statejson.php {
+ rewrite ^.+$ /statejson;
+ }
+
+
+ # Mediawiki
+ location / {
+ try_files $uri $uri/ @rewrite;
+ }
+
+ location ~ \.php$ {
+ try_files $uri @rewrite;
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+
+ location @rewrite {
+ rewrite ^/(.*)$ /index.php?title=$1$args;
+ }
+
+ location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
+ try_files $uri @rewrite;
+ expires 1M;
+ }
+
+ location = /_.gif {
+ expires max;
+ empty_gif;
+ }
+
+ # Legacy: redirect old prefix.
+ location /Pages/ {
+ rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
+ }
+
+ # Matrix realm delegation
+ location = /.well-known/matrix/server {
+ add_header "Content-Type" "application/json";
+ add_header "Access-Control-Allow-Origin" "*";
+ alias /opt/matrix-delegation.json;
+ }
+
+ include "snippets/acme.conf";
+}
diff --git a/roles/www/templates/spaceapi.service b/roles/www/templates/spaceapi.service
new file mode 100644
index 0000000..ebb503b
--- /dev/null
+++ b/roles/www/templates/spaceapi.service
@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+[Unit]
+Description=Space API
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10s
+ExecStart=/usr/bin/python3 /opt/spaceapi/server.py
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target
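Review bot: The `add_header` lines for HSTS, X-Frame-Options and X-Content-Type-Options sit at server level, but nginx does not inherit `add_header` into a location that sets its own, so `location = /statejson` (which adds Access-Control-Allow-Origin) and `location = /.well-known/matrix/server` respond without those three headers; moving them into a snippet and `include`-ing it both in the server block and in those two locations keeps the headers uniform. The `{% else %}` branch references `www_domain`, which group_vars/www.yaml in this patch does not define, so templating fails once `acme_bootstrap_certs` is switched off unless the variable is set elsewhere. `location ~ \.php$` executes any existing `.php` file under the document root apart from the denied prefixes, and MediaWiki's upload directory (`images/`) is not among them, so if uploads are enabled a location that refuses PHP execution there is worth adding. The cipherli.st comment suggests TLS protocol and cipher settings, yet none appear in this block; confirm they live in `snippets/acme.conf` or another include. Minor: the static-asset regex lists `css` twice.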