From 8df1cba71c4984f42a4657c31558090b6a92e2a7 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 21:43:53 +0200 Subject: [PATCH 1/7] WIP: generiek nginx role --- authorized_keys/foobar.keys | 4 +- group_vars/all.yaml | 21 ++++--- group_vars/monitoring.yaml | 6 ++ monitoring.yaml | 7 ++- roles/acme/tasks/main.yaml | 2 +- roles/common/tasks/main.yaml | 3 + roles/nginx/defaults/main.yaml | 16 +++++ roles/nginx/handlers/main.yaml | 11 ++++ roles/nginx/tasks/main.yaml | 80 +++++++++++++++++++++++++ roles/nginx/templates/default.j2 | 37 ++++++++++++ roles/nginx/templates/etc-nginx.conf.j2 | 35 +++++++++++ roles/nginx/templates/site.conf.j2 | 36 +++++++++++ roles/nginx/templates/tls_params.j2 | 22 +++++++ snippets/prometheus-nginx.j2 | 13 ++++ 14 files changed, 278 insertions(+), 15 deletions(-) create mode 100644 roles/nginx/defaults/main.yaml create mode 100644 roles/nginx/handlers/main.yaml create mode 100644 roles/nginx/tasks/main.yaml create mode 100644 roles/nginx/templates/default.j2 create mode 100644 roles/nginx/templates/etc-nginx.conf.j2 create mode 100644 roles/nginx/templates/site.conf.j2 create mode 100644 roles/nginx/templates/tls_params.j2 create mode 100644 snippets/prometheus-nginx.j2 diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys index 6493dc3..f7fac20 100644 --- a/authorized_keys/foobar.keys +++ b/authorized_keys/foobar.keys 
@@ -1,2 +1,2 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 diff --git a/group_vars/all.yaml b/group_vars/all.yaml index bdafa45..fd209d8 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
@@ -6,22 +6,25 @@ notify_email: bestuur@bitlair.nl acme_bootstrap_certs: no trusted_ranges: # localhost - - { v: ipv4, cidr: 127.0.0.1/8 } + - { v: ipv4, cidr: "127.0.0.1/8" } - { v: ipv6, cidr: "::1" } # rf1928 - - { v: ipv4, cidr: 10.0.0.0/8 } - - { v: ipv4, cidr: 172.16.0.0/12 } - - { v: ipv4, cidr: 192.168.0.0/16 } + - { v: ipv4, cidr: "10.0.0.0/8" } + - { v: ipv4, cidr: "172.16.0.0/12" } + - { v: ipv4, cidr: "192.168.0.0/16" } # v6 local - { v: ipv6, cidr: "fe80::/10" } # vihamij - - { v: ipv4, cidr: 45.88.49.140 } + - { v: ipv4, cidr: "45.88.49.140" } # eventinfra - - { v: ipv4, cidr: 204.2.64.0/20 } - - - { v: ipv4, cidr: 100.64.0.0/10 } - - { v: ipv4, cidr: 185.205.52.194/32 } + - { v: ipv4, cidr: "204.2.64.0/20" } + # bitlair + - { v: ipv4, cidr: "100.64.0.0/10" } + - { v: ipv4, cidr: "185.205.52.194/32" } - { v: ipv6, cidr: "2a02:166b:92::/48" } + # foobar + - { v: ipv4, cidr: "31.187.251.213/32" } + - { v: ipv6, cidr: "2a0e:5700:4:2::/64" } root_access: - ak diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index b692290..51d9b97 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -40,3 +40,9 @@ prometheus_scrape_configs: target_label: instance - target_label: __address__ replacement: "{{ blackbox_exporter_web_listen_address }}" + +nginx_sites: + - server_name: "dashboard.bitlair.nl" + localproxy: "9000" + snippets: + - "prometheus-nginx.j2" diff --git a/monitoring.yaml b/monitoring.yaml index 9ad8623..9e05df0 100644 --- a/monitoring.yaml +++ b/monitoring.yaml @@ -2,6 +2,7 @@ - hosts: monitoring roles: - - common - - acme - - monitoring + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "monitoring", tags: [ "monitoring" ] } diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 229f566..0be3133 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml 
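Review bot: `cidr: "45.88.49.140"` is the only trusted_ranges entry without a prefix length, so any consumer that parses `cidr` as CIDR (rather than handing it verbatim to nginx `allow`) treats that one entry differently; `- { v: ipv4, cidr: "45.88.49.140/32" }` keeps the list uniform. While the block is being relabelled (`# bitlair`, `# foobar`), the existing `# rf1928` comment presumably means RFC 1918 and could be corrected in the same pass.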
@@ -23,7 +23,7 @@ owner: "{{ item.owner | default('root') }}" group: "{{ item.group | default('root') }}" mode: "{{ item.mode | default('0640') }}" - notify: "{{ item.notify | default([]) }}" + notify: "{{ item.notify | default([]) }}" with_items: - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 10ce3a1..d20da44 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -18,6 +18,7 @@ - { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } + register: aptconfig when: - ansible_os_family == "Debian" tags: @@ -56,6 +57,8 @@ - name: Install standard packages ansible.builtin.apt: + cache_valid_time: 3600 + update_cache: "{{ aptconfig.changed | bool | default(false) }}" pkg: - curl - fzf diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml new file mode 100644 index 0000000..b9e4710 --- /dev/null +++ b/roles/nginx/defaults/main.yaml @@ -0,0 +1,16 @@ +--- + +nginx_package: "nginx-light" +nginx_user: "www-data" +nginx_modules_dir: "/etc/nginx/modules-enabled" + + +nginx_tls_version: "TLSv1.2 TLSv1.3" +nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" +nginx_tls_curve: "prime256v1:secp384r1" +nginx_tls_cache_size: "10m" +nginx_tls_session_timeout: "1h" +nginx_ssl_stapling: "on" +nginx_ssl_stapling_verify: "on" +nginx_wk_acme: "/var/lib/dehydrated/acme-challenges" + diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml new file mode 100644 index 0000000..e9738d0 --- /dev/null +++ b/roles/nginx/handlers/main.yaml 
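Review bot: In the second roles/common hunk, `update_cache: "{{ aptconfig.changed | bool | default(false) }}"` runs `bool` before `default`, so the fallback can never take effect: if `aptconfig.changed` is undefined the `bool` filter raises first. `update_cache: "{{ aptconfig.changed | default(false) | bool }}"` evaluates the fallback first. Given that `cache_valid_time: 3600` is set on the same task, plain `update_cache: true` would also work without coupling this task to the register from the first hunk, whose task starts outside the hunk.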
@@ -0,0 +1,11 @@ +--- + +- name: Reload nginx + ansible.builtin.systemd: + name: nginx + state: reloaded + enabled: true + listen: "Reload app-services" + when: + - nginx_sites is defined + diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml new file mode 100644 index 0000000..78f6f9b --- /dev/null +++ b/roles/nginx/tasks/main.yaml 
@@ -0,0 +1,80 @@ +--- + +- name: Install nginx base package + ansible.builtin.apt: + name: "{{ nginx_package }}" + state: present + when: + - nginx_sites is defined + +- name: Create sites-available / sites-enabled directories + ansible.builtin.file: + state: directory + path: "{{ item.path }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0755') }}" + with_items: + - { path: "/etc/nginx/sites-available" } + - { path: "/etc/nginx/sites-enabled" } + notify: Reload nginx + when: + - nginx_sites is defined + +- name: Template default nginx config files + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0644') }}" + force: "{{ item.force | default('yes') }}" + backup: true + loop_control: + label: "{{ item.dest }}" + with_items: + - { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" } + - { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" } + - { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" } +# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" } +# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' } +# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" } + notify: "{{ item.notify | default(omit) }}" + when: + - nginx_sites is defined + +- name: Template site-specific configs + ansible.builtin.template: + src: "site.conf.j2" + dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf" + owner: "{{ site.owner | default('root') }}" + group: "{{ site.group | default('root') }}" + mode: "{{ site.mode | default('0644') }}" + force: "{{ site.force | default('yes') }}" + backup: true + loop: "{{ nginx_sites }}" + loop_control: + 
loop_var: site + label: "{{ site.server_name }}" + notify: Reload nginx + when: + - nginx_sites is defined + tags: + - nginxextra + - nginx_site + +- name: Enable nginx sites + ansible.builtin.file: + src: "/etc/nginx/sites-available/{{ site.server_name }}.conf" + path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf" + state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}" + mode: "0644" + loop: "{{ nginx_sites }}" + loop_control: + loop_var: site + label: "{{ site.server_name }}" + notify: Reload nginx + when: + - nginx_sites is defined + ignore_errors: "{{ ansible_check_mode }}" + diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 new file mode 100644 index 0000000..b417134 --- /dev/null +++ b/roles/nginx/templates/default.j2 @@ -0,0 +1,37 @@ +# {{ ansible_managed }} + +server { + listen 80 default_server; + listen [::]:80 + + server_name {{ inventory_hostname }}; + + # Accept ACME-Challenges over http + location ^~ /.well-known/acme-challenge/ { + alias {{ nginx_wk_acme }}/; + } + + # Block .ht files + location ~ /\.ht { + deny all; + } + + # Redirect everything to https by default + location / { + return 301 https://$host$request_uri; + } + + location /server_status { + # Enable Nginx stats + stub_status on; + # Only allow access from localhost + allow 127.0.0.1; + # Other request should be denied + deny all; + } +} + +{% for line in nginx_default_extra | default([]) %} +{{ line }} +{% endfor %} + diff --git a/roles/nginx/templates/etc-nginx.conf.j2 b/roles/nginx/templates/etc-nginx.conf.j2 new file mode 100644 index 0000000..b4d4d7a --- /dev/null +++ b/roles/nginx/templates/etc-nginx.conf.j2 
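Review bot: The "Template default nginx config files" task writes `/etc/nginx/sites-available/default`, but nothing in the role links it into sites-enabled, so the port-80 server that serves ACME challenges and the https redirect only exists while the symlink the Debian package normally creates on first install survives; if it is removed or the role is used on a host where it was never created, the site is silently inactive. An explicit link task, parallel to "Enable nginx sites", removes that dependency. The `mode: "0644"` on the symlink task is ignored for `state: link` and could be dropped.

```yaml
# … unchanged: "Template default nginx config files" task …

- name: Enable default (port 80) site
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/default"
    path: "/etc/nginx/sites-enabled/default"
    state: link
  notify: Reload nginx
  when:
    - nginx_sites is defined
```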
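Review bot: `listen [::]:80` in the new default server is missing its terminating semicolon, so nginx reads the following `server_name` line as extra parameters of the listen directive and rejects the configuration; it also lacks `default_server` unlike the IPv4 listener, so IPv6 requests with an unknown Host land on whichever site sorts first instead of this redirect/ACME server. `listen [::]:80 default_server;` fixes both. None of the later patches visible on this page touch default.j2.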
@@ -0,0 +1,35 @@ +# {{ ansible_managed }} + +user {{ nginx_user }}; +worker_processes auto; +pid /run/nginx.pid; +worker_rlimit_nofile 16384; +include {{ nginx_modules_dir }}/*.conf; + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Default nginx log format with $request time added + log_format bitlair '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" $request_time'; + access_log /var/log/nginx/access.log bitlair; + + gzip on; + gzip_disable "msie6"; + +{% for line in nginx_http_extra | default([]) %} + {{ line }} +{% endfor %} + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 new file mode 100644 index 0000000..09e4e0c --- /dev/null +++ b/roles/nginx/templates/site.conf.j2 
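Review bot: `gzip on;` in the `http` block compresses the HTTPS responses of every site, and with nginx's default `gzip_types` that is exactly the dynamic `text/html` pages (MediaWiki, Grafana) rather than static assets; compressed responses that mix secrets such as session or CSRF tokens with attacker-influenced content are the precondition for BREACH-style attacks. Restricting compression to static types, e.g. `gzip_types text/css application/javascript image/svg+xml;` together with `gzip_proxied any;`, or leaving gzip off for the proxied sites, is the usual mitigation. `gzip_disable "msie6";` targets a browser that no longer exists and can go.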
@@ -0,0 +1,36 @@ +# {{ ansible_managed }} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; + + include /etc/nginx/tls_params; + ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem; + + location ~ /\.ht { + deny all; + } + + access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair; + error_log /var/log/nginx/{{ site.server_name }}.error.log; + +{% if site.localproxy is defined %} + location / { + proxy_pass http://localhost:{{ site.localproxy }}/; + include proxy_params; + } +{% endif %} + + # Include snippets +{% for file in site.snippets | default([]) %} +{% include "../../../snippets/" . file %} +{% endif %} + + # Per site configuration +{% for line in site.config | default([]) %} + {{ line }} +{% endfor %} +} diff --git a/roles/nginx/templates/tls_params.j2 b/roles/nginx/templates/tls_params.j2 new file mode 100644 index 0000000..7abe3b6 --- /dev/null +++ b/roles/nginx/templates/tls_params.j2 @@ -0,0 +1,22 @@ +# {{ ansible_managed }} + +ssl_session_timeout {{ nginx_tls_session_timeout }}; +ssl_session_tickets off; + +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }}; + +ssl_protocols {{ nginx_tls_version }}; +ssl_ciphers {{ nginx_tls_cipherlist }}; +ssl_ecdh_curve {{ nginx_tls_curve }}; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; +add_header X-Frame-Options "sameorigin"; +add_header X-Content-Type-Options "nosniff"; +add_header X-Robots-Tag noindex; + +# OCSP stapling +ssl_stapling {{ nginx_ssl_stapling }}; +ssl_stapling_verify {{ nginx_ssl_stapling_verify }}; + 
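Review bot: `server_name {{ site.server_name|default(inventory_hostname) }}` implies `server_name` is optional, but the two `ssl_certificate*` lines (and `dest`/`label` in roles/nginx/tasks/main.yaml) use `site.server_name` unconditionally, so a site entry without it fails templating with an undefined-variable error instead of falling back; either drop the `default` or apply one fallback everywhere, e.g. `{% set name = site.server_name | default(inventory_hostname) %}` at the top of the template. Separately, none of the 443 listeners declare `default_server`, so a TLS handshake for an unknown SNI name or a bare IP is answered by whichever file sorts first in sites-enabled, with that site's certificate; a catch-all `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4 or newer) closes that and could live in default.j2.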
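Review bot: The security headers set here with `add_header` at server level are dropped on any response served by a location that has its own `add_header`, because nginx inherits `add_header` from the enclosing level only when the current level defines none; in this series that applies to the Matrix delegation location in snippets/www-nginx.j2 and the `Access-Control-Allow-Origin` location in snippets/spaceapi-nginx.j2, whose responses go out without HSTS or `X-Content-Type-Options`. Moving the four `add_header` lines into a separate file (say `/etc/nginx/security_headers`) that both tls_params and each such location include avoids the gap. `add_header X-Robots-Tag noindex;` is also applied to every site, so the public bitlair.nl wiki from group_vars/wiki.yaml would be de-indexed — presumably only the dashboard and pad hosts should carry it, which the per-site `config` list can do. Finally, `ssl_stapling_verify on` needs the issuer chain configured via `ssl_trusted_certificate` for nginx to verify the OCSP response, and nothing in the series sets it — worth confirming in nginx's error log after deploy.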
diff --git a/snippets/prometheus-nginx.j2 b/snippets/prometheus-nginx.j2 new file mode 100644 index 0000000..a38e527 --- /dev/null +++ b/snippets/prometheus-nginx.j2 @@ -0,0 +1,13 @@ +# dashboard nginx config snippet + +location /prometheus/ { + proxy_pass http://localhost:9090/prometheus/; + include proxy_params; + +{% for host in bitlair_ip_whitelist %} + allow {{ host }}; +{% endif %} + allow "127.0.0.0/8" + allow "::1"; + deny all; +} From c783601fa94363b10cd2046be1cb954e9081abb1 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 21:58:41 +0200 Subject: [PATCH 2/7] Working config for dashboard / prometheus / grafana --- roles/nginx/templates/etc-nginx.conf.j2 | 4 ++++ roles/nginx/templates/site.conf.j2 | 6 +++--- roles/nginx/templates/snippets | 1 + snippets/prometheus-nginx.j2 | 8 ++++---- 4 files changed, 12 insertions(+), 7 deletions(-) create mode 120000 roles/nginx/templates/snippets diff --git a/roles/nginx/templates/etc-nginx.conf.j2 b/roles/nginx/templates/etc-nginx.conf.j2 index b4d4d7a..3ef2e52 100644 --- a/roles/nginx/templates/etc-nginx.conf.j2 +++ b/roles/nginx/templates/etc-nginx.conf.j2 @@ -6,6 +6,10 @@ pid /run/nginx.pid; worker_rlimit_nofile 16384; include {{ nginx_modules_dir }}/*.conf; +events { + worker_connections 768; +} + http { sendfile on; tcp_nopush on; diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 09e4e0c..f0fec0c 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 @@ -8,7 +8,7 @@ server { include /etc/nginx/tls_params; ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem; location ~ /\.ht { deny all; 
@@ -26,8 +26,8 @@ server { # Include snippets {% for file in site.snippets | default([]) %} -{% include "../../../snippets/" . file %} -{% endif %} +{% include "snippets/" ~ file %} +{% endfor %} # Per site configuration {% for line in site.config | default([]) %} diff --git a/roles/nginx/templates/snippets b/roles/nginx/templates/snippets new file mode 120000 index 0000000..ce62fd7 --- /dev/null +++ b/roles/nginx/templates/snippets @@ -0,0 +1 @@ +../../../snippets/ \ No newline at end of file diff --git a/snippets/prometheus-nginx.j2 b/snippets/prometheus-nginx.j2 index a38e527..ca8ed55 100644 --- a/snippets/prometheus-nginx.j2 +++ b/snippets/prometheus-nginx.j2 @@ -4,10 +4,10 @@ location /prometheus/ { proxy_pass http://localhost:9090/prometheus/; include proxy_params; -{% for host in bitlair_ip_whitelist %} - allow {{ host }}; -{% endif %} - allow "127.0.0.0/8" +{% for host in trusted_ranges | default([]) %} + allow {{ host.cidr }}; +{% endfor %} + allow "127.0.0.0/8"; allow "::1"; deny all; } From 792f2749b68e17654e1fe5734183b84d10f9839e Mon Sep 17 00:00:00 2001 
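Review bot: `{% include "snippets/" ~ file %}` only resolves because roles/nginx/templates/snippets is a symlink to ../../../snippets (added in this commit, presumably because Jinja's file loader rejects `..` segments in include paths); that relationship is invisible from the template and breaks as soon as the role is copied without symlinks (galaxy archives, Windows checkouts). A Jinja comment above the loop, `{# snippets/ is a symlink to the repo-level snippets/ dir; Jinja's loader rejects '..' in include paths #}`, records why the indirection exists.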
From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 20:55:48 +0200 Subject: [PATCH 3/7] Cleanup --- bank.yaml | 6 +-- bar.yaml | 6 +-- bitlair.yaml | 2 + group_vars/wiki.yaml | 21 ++++++++ group_vars/www.yaml | 5 -- mqtt-internal.yaml | 4 +- music.yaml | 9 ++-- pad.yaml | 7 +-- roles/etherpad/tasks/main.yaml | 3 -- roles/git-server/tasks/main.yaml | 2 - roles/monitoring/tasks/main.yaml | 3 -- roles/music/tasks/main.yaml | 2 - roles/www/tasks/mediawiki.yaml | 3 -- snippets/bitair-nginx.j2 | 2 + snippets/common-nginx.yaml | 18 ------- snippets/mqtt2web-nginx.j2 | 11 ++++ snippets/ravespace-nginx.j2 | 2 + snippets/spaceapi-nginx.j2 | 8 +++ snippets/www-nginx.j2 | 89 ++++++++++++++++++++++++++++++++ wiki.yaml | 8 +++ www.yaml | 7 --- 21 files changed, 160 insertions(+), 58 deletions(-) create mode 100644 group_vars/wiki.yaml delete mode 100644 group_vars/www.yaml create mode 100644 snippets/bitair-nginx.j2 delete mode 100644 snippets/common-nginx.yaml create mode 100644 snippets/mqtt2web-nginx.j2 create mode 100644 snippets/ravespace-nginx.j2 create mode 100644 snippets/spaceapi-nginx.j2 create mode 100644 snippets/www-nginx.j2 create mode 100644 wiki.yaml delete mode 100644 www.yaml diff --git a/bank.yaml b/bank.yaml index 43c92b7..837d27b 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,8 +1,8 @@ --- - hosts: bank - roles: - - common - - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git + roles: + - { role: "common", tags: [ "common" ] } + - { role: "bank", tags: [ "bank" ] } diff --git a/bar.yaml b/bar.yaml index 5752cc3..919a4d8 100644 --- a/bar.yaml +++ b/bar.yaml @@ -4,6 +4,6 @@ vars: raspi_rotate_display: "2" roles: - - raspi - - common - - bank-terminal + - { role: "raspi", tags: [ "raspi" ] } + - { role: "common", tags: [ "common" ] } + - { role: "bank-terminal", tags: [ "bank-terminal" ] } diff --git a/bitlair.yaml b/bitlair.yaml index ec019e7..71e06f0 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
@@ -31,6 +31,7 @@ - hosts: monitoring roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt @@ -55,4 +56,5 @@ - hosts: wiki roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "www", tags: [ "www" ] } diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml new file mode 100644 index 0000000..e9a1937 --- /dev/null +++ b/group_vars/wiki.yaml @@ -0,0 +1,21 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] + - [ bitair.nl ] + - [ ravespace.nl ] + +nginx_sites: + - server_name: "bitlair.nl" + server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" + snippets: + - "mqtt2web-nginx.j2" + - "spaceapi-nginx.j2" + - "www-nginx.j2" + - server_name: "bitair.nl" + server_alias: "www.bitair.nl" + snippets: + - "bitair-nginx.j2" + - server_name: "ravespace.nl" + server_alias: "www.ravespace.nl" + snippets: + - "ravespace-nginx.j2" diff --git a/group_vars/www.yaml b/group_vars/www.yaml deleted file mode 100644 index e1db9d5..0000000 --- a/group_vars/www.yaml +++ /dev/null @@ -1,5 +0,0 @@ -acme_bootstrap_certs: yes -acme_san_domains: - - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - - [ bitair.nl ] - - [ ravespace.nl ] diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index bdf76a8..4e106e0 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -2,5 +2,5 @@ - hosts: mqtt roles: - - common - - mqtt-internal + - { role: "common", tags: [ "common" ] } + - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } diff --git a/music.yaml b/music.yaml index d12226c..e4ea70b 100644 --- a/music.yaml +++ b/music.yaml 
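Review bot: In group_vars/wiki.yaml, `server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"` lists cyber.bitlair.nl, but the matching `acme_san_domains` entry is `[ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]`, so HTTPS requests for cyber.bitlair.nl are served from /var/lib/dehydrated/certs/bitlair.nl/ with a certificate that does not cover that name; add it to the SAN list or drop it from the alias. `acme_bootstrap_certs: yes` should be `acme_bootstrap_certs: true` — `yes` is a YAML 1.1 boolean that yamllint flags and YAML 1.2 parsers read as a string.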
@@ -2,7 +2,8 @@ - hosts: music roles: - - common - - acme - - go - - music + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "go", tags: [ "go" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "music", tags: [ "music" ] } diff --git a/pad.yaml b/pad.yaml index 90d227e..d9dc92f 100644 --- a/pad.yaml +++ b/pad.yaml @@ -5,6 +5,7 @@ acme_san_domains: - [ pad.bitlair.nl ] roles: - - common - - acme - - etherpad + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "etherpad", tags: [ "etherpad" ] } diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 2afe1f6..851cc02 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -1,9 +1,6 @@ --- - tags: etherpad block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install dependencies ansible.builtin.apt: name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 4a5bb3c..c5fb328 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,6 +1,4 @@ --- -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt: diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index a13313c..398bb5f 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -2,9 +2,6 @@ - name: monitoring tags: monitoring block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install nginx site ansible.builtin.template: src: nginx-site.conf diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index e91f146..cad6eb9 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml 
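Review bot: The roles/monitoring hunk keeps the role's own `Install nginx site` task (the `src: nginx-site.conf` context line under the removed import), while monitoring.yaml and bitlair.yaml now also apply the nginx role with an `nginx_sites` entry for dashboard.bitlair.nl; if nginx-site.conf declares the same server_name, nginx logs a conflicting-server-name warning and only the first file in sites-enabled wins, so the two definitions need reconciling — either drop the role-local site or move its content into a file under `snippets/`. The block containing this task continues outside the hunk.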
@@ -17,8 +17,6 @@ - tags: music block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install nginx config ansible.builtin.template: diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index 52dfccf..3835eeb 100644 --- a/roles/www/tasks/mediawiki.yaml +++ b/roles/www/tasks/mediawiki.yaml @@ -4,9 +4,6 @@ name: php-fpm state: present -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install security.txt ansible.builtin.template: src: security.txt diff --git a/snippets/bitair-nginx.j2 b/snippets/bitair-nginx.j2 new file mode 100644 index 0000000..bfb75d6 --- /dev/null +++ b/snippets/bitair-nginx.j2 @@ -0,0 +1,2 @@ +root /opt/bitair.nl/; +index index.html; diff --git a/snippets/common-nginx.yaml b/snippets/common-nginx.yaml deleted file mode 100644 index 98aa02b..0000000 --- a/snippets/common-nginx.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Install nginx - apt: - name: nginx - state: present - -- name: Disable nginx server_tokens - lineinfile: - path: /etc/nginx/nginx.conf - line: "\tserver_tokens off;" - regexp: "server_tokens" - notify: reload nginx - -- name: Clear default nginx site - file: - state: absent - path: /etc/nginx/sites-enabled/default - notify: reload nginx diff --git a/snippets/mqtt2web-nginx.j2 b/snippets/mqtt2web-nginx.j2 new file mode 100644 index 0000000..f719780 --- /dev/null +++ b/snippets/mqtt2web-nginx.j2 @@ -0,0 +1,11 @@ +# mqtt2web nginx config snippet + +location /mqtt/ { + proxy_pass http://localhost:8080/mqtt; + include proxy_params; + proxy_buffering off; + proxy_cache off; + proxy_http_version 1.1; + proxy_set_header Connection ''; + chunked_transfer_encoding off; +} diff --git a/snippets/ravespace-nginx.j2 b/snippets/ravespace-nginx.j2 new file mode 100644 index 0000000..492f366 --- /dev/null +++ b/snippets/ravespace-nginx.j2 @@ -0,0 +1,2 @@ +root /opt/ravespace.nl/; +index index.html; 
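Review bot: The roles/music hunk removes the only step that installed nginx for this role (the snippets/common-nginx.yaml import), but the `Install nginx config` task that follows stays and music.yaml leaves the nginx role commented out, so a fresh music host templates an nginx config for a package that is never installed. Either enable the nginx role in music.yaml with a matching `nginx_sites` entry, or put an explicit `ansible.builtin.apt: name: nginx` task back in the role. The roles/git-server hunk has the same shape — its import is gone and no play visible here adds the nginx role for that host — and deserves the same check, though git-server's remaining tasks are not on this page. Both task blocks continue outside their hunks.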
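Review bot: `location /mqtt/` combined with `proxy_pass http://localhost:8080/mqtt;` replaces the matched `/mqtt/` prefix with `/mqtt`, so `/mqtt/foo` reaches the backend as `/mqttfoo`; if mqtt2web only serves the bare `/mqtt` endpoint this is harmless, otherwise it should read `proxy_pass http://localhost:8080/mqtt/;`. A one-line comment stating which path mqtt2web actually listens on would settle that for the next reader.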
diff --git a/snippets/spaceapi-nginx.j2 b/snippets/spaceapi-nginx.j2 new file mode 100644 index 0000000..ba6829a --- /dev/null +++ b/snippets/spaceapi-nginx.j2 @@ -0,0 +1,8 @@ +# spaceapi nginx config snippet + +location = /statejson { + proxy_pass http://localhost:8888; + include proxy_params; + add_header 'Access-Control-Allow-Origin' '*'; +} + diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2 new file mode 100644 index 0000000..1ff42a9 --- /dev/null +++ b/snippets/www-nginx.j2 
@@ -0,0 +1,89 @@ +root /opt/mediawiki-1.41.1/; + +# Photo gallery +location = /fotos { + return 302 $scheme://bitlair.nl/fotos/; +} + +location ~* ^/fotos/(.*)$ { + proxy_pass http://204.2.68.2:4567/$1$is_args$args; +} + +location ~ ^/state/(.+)$ { + alias /opt/spaceapi/assets/$1; +} + +location = /events.ics { + alias /var/lib/bitlair-calendar/events.ics; +} + +location ~ ^/(cache|maintenance|vendor|extensions)/ { + deny all; +} + +# Legacy space API stuff. +location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ { + root "/opt/legacy/"; + fastcgi_pass unix:/run/php/php-fpm.sock; + include fastcgi.conf; +} + +location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ { + root "/opt/legacy/"; +} + +location ~ ^/wp-content { + root "/opt/legacy/"; +} + +location = /statejson.php { + rewrite ^.+$ /statejson; +} + +# Mediawiki +location / { + try_files $uri $uri/ @rewrite; +} + +location ~ \.php$ { + try_files $uri @rewrite; + fastcgi_pass unix:/run/php/php-fpm.sock; + fastcgi_index index.php; + include fastcgi.conf; +} + +location @rewrite { +# rewrite ^/(.*)$ /index.php; + rewrite ^/(.*)$ /index.php?title=$1$args; +} + +location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ { + try_files $uri @rewrite; + expires 1M; +} + +location = /_.gif { + expires max; + empty_gif; +} + +#location /dumps { +# root /opt/bitlair-wiki/local; +# autoindex on; +#} + +# Legacy: redirect old prefix. +location /Pages/ { + rewrite ^/Pages/(.*) https://$server_name/$1$args redirect; +} + +# Matrix realm delegation +location = /.well-known/matrix/server { + add_header "Content-Type" "application/json"; + add_header "Access-Control-Allow-Origin" "*"; + alias /opt/matrix-delegation.json; +} + +location = /.well-known/security.txt { + alias /opt/security.txt; +} diff --git a/wiki.yaml b/wiki.yaml new file mode 100644 index 0000000..0a7dc96 --- /dev/null +++ b/wiki.yaml 
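Review bot: `proxy_pass http://204.2.68.2:4567/$1$is_args$args;` builds the upstream URI from a regex capture of the already-decoded request path, and nginx forwards variable-built URIs without re-encoding, so the photo backend receives characters a normally proxied request would never carry; the prefix form `location ^~ /fotos/ { proxy_pass http://204.2.68.2:4567/; }` lets nginx substitute and encode the remainder (and pass the query string) itself, and the `^~` keeps the later `\.(png|css|…)$` regex from capturing gallery images. That upstream is plain HTTP to a non-local address, so photo traffic leaves the host unencrypted — acceptable only if that path is a private link, which this page cannot tell. The `\.php$` location executes any PHP file under `/opt/mediawiki-1.41.1/`, including MediaWiki's `images/` upload tree; `location ~ ^/images/.*\.php$ { deny all; }` placed before it is cheap defence in depth. Minor: the static-asset regex lists `css` twice.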
@@ -0,0 +1,8 @@ +--- + +- hosts: wiki + roles: + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "www", tags: [ "www" ] } diff --git a/www.yaml b/www.yaml deleted file mode 100644 index 6a66f2d..0000000 --- a/www.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- hosts: wiki - roles: - - common - - acme - - www From 980ec6c4f63653d707c2cb4977552b1506c9544b Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 21:06:43 +0200 Subject: [PATCH 4/7] pad to nginx role --- group_vars/pad.yaml | 6 ++++++ pad.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index b498398..1711b7d 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1 +1,7 @@ +--- + etherpad_domain: pad.bitlair.nl + +nginx_sites: + - server_name: "pad.bitlair.nl" + localproxy: "9001" diff --git a/pad.yaml b/pad.yaml index d9dc92f..74638bf 100644 --- a/pad.yaml +++ b/pad.yaml @@ -7,5 +7,5 @@ roles: - { role: "common", tags: [ "common" ] } - { role: "acme", tags: [ "acme" ] } -# - { role: "nginx", tags: [ "nginx" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } From d0c1e4519650d17b8778923fc3f744e411c9c929 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 21:30:05 +0200 Subject: [PATCH 5/7] pad --- bitlair.yaml | 1 + roles/etherpad/tasks/main.yaml | 244 +++++++++++++++++---------------- 2 files changed, 125 insertions(+), 120 deletions(-) diff --git a/bitlair.yaml b/bitlair.yaml index 71e06f0..be65660 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -47,6 +47,7 @@ - hosts: pad roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } - hosts: services diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 851cc02..cebeca2 100644 
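Review bot: In group_vars/pad.yaml, `server_name: "pad.bitlair.nl"` repeats the literal already held in `etherpad_domain` two lines up, so the two can drift apart; `server_name: "{{ etherpad_domain }}"` keeps one source of truth (the `acme_san_domains` entry in pad.yaml would benefit from the same). The site is proxied through site.conf.j2 with only `include proxy_params`, which sets no `Upgrade`/`Connection` headers, so Etherpad's socket.io will presumably fall back to polling rather than websockets; if that matters, a `config` list entry or snippet carrying `proxy_http_version 1.1;` and the upgrade headers is needed — confirm against the pad's behaviour after deploy.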
--- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml 
@@ -1,137 +1,141 @@ --- -- tags: etherpad - block: - - name: Install dependencies - ansible.builtin.apt: - name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] - - name: Import nodesource signing key - ansible.builtin.shell: - cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor - -o /usr/share/keyrings/nodesource.gpg - args: - creates: /usr/share/keyrings/nodesource.gpg - notify: apt update +- name: Install dependencies + ansible.builtin.apt: + state: present + pkg: + - gpg + - postgresql + - python3-psycopg2 + - apt-transport-https - - name: Install nodesource source list - ansible.builtin.template: - src: nodesource.list - dest: /etc/apt/sources.list.d/nodesource.list - owner: root - group: root - mode: 0644 - notify: apt update +- name: Import nodesource signing key + ansible.builtin.shell: + cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor + -o /usr/share/keyrings/nodesource.gpg + args: + creates: /usr/share/keyrings/nodesource.gpg + notify: apt update - - name: Install nodejs apt preference - ansible.builtin.template: - src: nodejs-apt-pref - dest: /etc/apt/preferences.d/nodejs - owner: root - group: root - mode: 0644 - notify: apt update +- name: Install nodesource source list + ansible.builtin.template: + src: nodesource.list + dest: /etc/apt/sources.list.d/nodesource.list + owner: root + group: root + mode: 0644 + notify: apt update - - ansible.builtin.meta: flush_handlers +- name: Install nodejs apt preference + ansible.builtin.template: + src: nodejs-apt-pref + dest: /etc/apt/preferences.d/nodejs + owner: root + group: root + mode: 0644 + notify: apt update - - name: Install nodejs - ansible.builtin.apt: - name: nodejs +- ansible.builtin.meta: flush_handlers - - name: Add database user - become: true - become_method: su - become_user: postgres - no_log: yes - community.postgresql.postgresql_user: - name: etherpad - password: "{{ etherpad_db_password }}" +- name: 
Install nodejs + ansible.builtin.apt: + name: nodejs - - name: Add database - become: true - become_method: su - become_user: postgres - community.postgresql.postgresql_db: - name: "{{ etherpad_db_name }}" - owner: "{{ etherpad_db_user }}" +- name: Add database user + become: true + become_method: su + become_user: postgres + no_log: yes + community.postgresql.postgresql_user: + name: etherpad + password: "{{ etherpad_db_password }}" - - name: Add etherpad user - ansible.builtin.user: - name: etherpad - home: /var/lib/etherpad +- name: Add database + become: true + become_method: su + become_user: postgres + community.postgresql.postgresql_db: + name: "{{ etherpad_db_name }}" + owner: "{{ etherpad_db_user }}" - - name: Create log file - ansible.builtin.file: - path: /var/log/etherpad.log - state: touch - owner: etherpad - group: etherpad - mode: 0644 +- name: Add etherpad user + ansible.builtin.user: + name: etherpad + home: /var/lib/etherpad - - name: Create source directory - ansible.builtin.file: - path: /opt/etherpad - state: directory - owner: etherpad - group: etherpad - mode: 0755 +- name: Create log file + ansible.builtin.file: + path: /var/log/etherpad.log + state: touch + owner: etherpad + group: etherpad + mode: 0644 - - name: Clone etherpad source - become: yes - become_method: su - become_user: etherpad - ansible.builtin.git: - repo: https://github.com/ether/etherpad-lite.git - version: master - dest: /opt/etherpad - accept_hostkey: yes - notify: restart etherpad +- name: Create source directory + ansible.builtin.file: + path: /opt/etherpad + state: directory + owner: etherpad + group: etherpad + mode: 0755 - - name: Install etherpad config - ansible.builtin.template: - src: settings.json - dest: /opt/etherpad/settings.json - owner: root - group: root - mode: 0644 - notify: restart etherpad +- name: Clone etherpad source + become: yes + become_method: su + become_user: etherpad + ansible.builtin.git: + repo: https://github.com/ether/etherpad-lite.git + 
version: master + dest: /opt/etherpad + accept_hostkey: yes + notify: restart etherpad - - name: Install etherpad service - ansible.builtin.template: - src: etherpad.service - dest: /etc/systemd/system/etherpad.service - owner: root - group: root - mode: 0644 - notify: restart etherpad +- name: Install etherpad config + ansible.builtin.template: + src: settings.json + dest: /opt/etherpad/settings.json + owner: root + group: root + mode: 0644 + notify: restart etherpad - - name: Start etherpad - ansible.builtin.systemd: - daemon_reload: true - name: etherpad - state: started - enabled: yes +- name: Install etherpad service + ansible.builtin.template: + src: etherpad.service + dest: /etc/systemd/system/etherpad.service + owner: root + group: root + mode: 0644 + notify: restart etherpad - - name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/etherpad - owner: root - group: root - mode: 0644 - notify: reload nginx +- name: Start etherpad + ansible.builtin.systemd: + daemon_reload: true + name: etherpad + state: started + enabled: yes - - name: Allow HTTP and HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables +- name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/etherpad + owner: root + group: root + mode: 0644 + notify: reload nginx + +- name: Allow HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist 
iptables
From ecf68bd0cf48e31b2ef409e0d747d621c9343fa8 Mon Sep 17 00:00:00 2001
From: Mark Janssen -- Sig-I/O Automatisering
Date: Thu, 18 Jul 2024 22:00:48 +0200
Subject: [PATCH 6/7] nginx role for git + music
---
 bitlair.yaml | 1 +
 git.yaml | 7 ++--
 group_vars/git.yaml | 10 +++++
 group_vars/music.yaml | 2 +
 roles/mqtt-internal/tasks/main.yaml | 58 ++++++++++++++---------------
 roles/nginx/defaults/main.yaml | 1 +
 roles/nginx/templates/site.conf.j2 | 2 +
 snippets/forgejo-nginx.j2 | 3 ++
 8 files changed, 51 insertions(+), 33 deletions(-)
 create mode 100644 snippets/forgejo-nginx.j2
diff --git a/bitlair.yaml b/bitlair.yaml
index be65660..1eed26c 100644
--- a/bitlair.yaml
+++ b/bitlair.yaml
@@ -26,6 +26,7 @@
 - hosts: git
 roles:
 - { role: "acme", tags: [ "acme" ] }
+ - { role: "nginx", tags: [ "nginx" ] }
 - { role: "git-server", tags: [ "git-server" ] }
 - hosts: monitoring
diff --git a/git.yaml b/git.yaml
index 2161a4c..0ae1811 100644
--- a/git.yaml
+++ b/git.yaml
@@ -2,6 +2,7 @@
 - hosts: git
 roles:
- - common
- - acme
- - git-server
+ - { role: "common", tags: [ "common" ] }
+ - { role: "acme", tags: [ "acme" ] }
+ - { role: "nginx", tags: [ "nginx" ] }
+ - { role: "git-server", tags: [ "git-server" ] }
diff --git a/group_vars/git.yaml b/group_vars/git.yaml
index ed549a9..dd039b3 100644
--- a/group_vars/git.yaml
+++ b/group_vars/git.yaml
@@ -1,5 +1,15 @@
+---
+
 acme_domains:
 - "{{ git_server_domain }}"
 git_server_domain: git.bitlair.nl
 git_server_title: Gitlair
 git_server_bootstrap_cert: no
+
+nginx_client_max_body_size: 4G
+
+nginx_sites:
+ - server_name: "git.bitlair.nl"
+ localproxy: "9001"
+ snippets:
+ - "forgejo-nginx.j2"
diff --git a/group_vars/music.yaml b/group_vars/music.yaml
index ee9235b..8acdf4e 100644
--- a/group_vars/music.yaml
+++ b/group_vars/music.yaml
@@ -5,6 +5,8 @@ root_access:
 - foobar
 - polyfloyd
+nginx_client_max_body_size: 512M
+
 music_domain: music.bitlair.nl
 acme_san_domains:
 - [ music.bitlair.nl ]
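Review bot: The `Install nginx config` task near the end of the hunk still renders its own server block into `/etc/nginx/sites-enabled/etherpad`, while the pad host now also runs the nginx role with an `nginx_sites` entry for `pad.bitlair.nl` (group_vars/pad.yaml in the previous patch), so two server definitions for the same name will presumably coexist and nginx will warn and silently use only one of them; this task looks like it should go once the role-rendered site is confirmed to cover it. `version: master` on the `Clone etherpad source` task means every run may pull whatever upstream currently has and restart the service; pinning to a release tag or commit makes deployments reproducible and the upgrade reviewable. The `mode: 0644`/`0755` values on the file and template tasks are unquoted octal, which works but sits on the YAML 1.1 integer trap — `mode: "0644"` is the safe spelling, and `become: yes`, `no_log: yes` and `accept_hostkey: yes` read better as `true`. The `Import nodesource signing key` shell task pipes curl into gpg without `set -o pipefail`, so a failed download may still leave a keyring file that `creates:` then treats as done on later runs; `ansible.builtin.get_url` with a `checksum` for the key, or at least `executable: /bin/bash` plus `set -o pipefail`, would make the failure visible.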
diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt-internal/tasks/main.yaml
index 371671c..89f9064 100644
--- a/roles/mqtt-internal/tasks/main.yaml
+++ b/roles/mqtt-internal/tasks/main.yaml
@@ -1,34 +1,32 @@ --- -- name: mqtt-internal - tags: mqtt_internal - block: - - name: Install dependencies - ansible.builtin.apt: - name: - - mosquitto - - avahi-daemon - - name: Install bambulab cafile - # openssl s_client -showcerts -connect :8883 :8883
Date: Thu, 18 Jul 2024 22:02:33 +0200
Subject: [PATCH 7/7] Role-tags for other playbooks
---
 common.yaml | 2 +-
 fotos.yaml | 4 ++--
 git-ci.yaml | 4 ++--
 services.yaml | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/common.yaml b/common.yaml
index 3e0cb27..0cbfe1b 100644
--- a/common.yaml
+++ b/common.yaml
@@ -3,4 +3,4 @@
 - hosts: debian
 gather_facts: true
 roles:
- - common
+ - { role: "common", tags: [ "common" ] }
diff --git a/fotos.yaml b/fotos.yaml
index f0edd7b..7357e31 100644
--- a/fotos.yaml
+++ b/fotos.yaml
@@ -2,5 +2,5 @@
 - hosts: fotos
 roles:
- - common
- - photos
+ - { role: "common", tags: [ "common" ] }
+ - { role: "photos", tags: [ "photos" ] }
diff --git a/git-ci.yaml b/git-ci.yaml
index fa9f7b7..711dac4 100644
--- a/git-ci.yaml
+++ b/git-ci.yaml
@@ -2,5 +2,5 @@
 - hosts: git-ci
 roles:
- - common
- - git-ci
+ - { role: "common", tags: [ "common" ] }
+ - { role: "git-ci", tags: [ "git-ci" ] }
diff --git a/services.yaml b/services.yaml
index 2a1bd65..e66fc11 100644
--- a/services.yaml
+++ b/services.yaml
@@ -2,5 +2,5 @@
 - hosts: services
 roles:
- - common
- - services
+ - { role: "common", tags: [ "common" ] }
+ - { role: "services", tags: [ "services" ] }