WIP: generiek nginx role
This commit is contained in:
parent
ea3b17ef2d
commit
8df1cba71c
14 changed files with 278 additions and 15 deletions
|
@ -1,2 +1,2 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519
|
||||
|
|
|
@ -6,22 +6,25 @@ notify_email: bestuur@bitlair.nl
|
|||
acme_bootstrap_certs: no
|
||||
trusted_ranges:
|
||||
# localhost
|
||||
- { v: ipv4, cidr: 127.0.0.1/8 }
|
||||
- { v: ipv4, cidr: "127.0.0.1/8" }
|
||||
- { v: ipv6, cidr: "::1" }
|
||||
# rf1928
|
||||
- { v: ipv4, cidr: 10.0.0.0/8 }
|
||||
- { v: ipv4, cidr: 172.16.0.0/12 }
|
||||
- { v: ipv4, cidr: 192.168.0.0/16 }
|
||||
- { v: ipv4, cidr: "10.0.0.0/8" }
|
||||
- { v: ipv4, cidr: "172.16.0.0/12" }
|
||||
- { v: ipv4, cidr: "192.168.0.0/16" }
|
||||
# v6 local
|
||||
- { v: ipv6, cidr: "fe80::/10" }
|
||||
# vihamij
|
||||
- { v: ipv4, cidr: 45.88.49.140 }
|
||||
- { v: ipv4, cidr: "45.88.49.140" }
|
||||
# eventinfra
|
||||
- { v: ipv4, cidr: 204.2.64.0/20 }
|
||||
|
||||
- { v: ipv4, cidr: 100.64.0.0/10 }
|
||||
- { v: ipv4, cidr: 185.205.52.194/32 }
|
||||
- { v: ipv4, cidr: "204.2.64.0/20" }
|
||||
# bitlair
|
||||
- { v: ipv4, cidr: "100.64.0.0/10" }
|
||||
- { v: ipv4, cidr: "185.205.52.194/32" }
|
||||
- { v: ipv6, cidr: "2a02:166b:92::/48" }
|
||||
# foobar
|
||||
- { v: ipv4, cidr: "31.187.251.213/32" }
|
||||
- { v: ipv6, cidr: "2a0e:5700:4:2::/64" }
|
||||
|
||||
root_access:
|
||||
- ak
|
||||
|
|
|
@ -40,3 +40,9 @@ prometheus_scrape_configs:
|
|||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: "{{ blackbox_exporter_web_listen_address }}"
|
||||
|
||||
nginx_sites:
|
||||
- server_name: "dashboard.bitlair.nl"
|
||||
localproxy: "9000"
|
||||
snippets:
|
||||
- "prometheus-nginx.j2"
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
- hosts: monitoring
|
||||
roles:
|
||||
- common
|
||||
- acme
|
||||
- monitoring
|
||||
- { role: "common", tags: [ "common" ] }
|
||||
- { role: "acme", tags: [ "acme" ] }
|
||||
- { role: "nginx", tags: [ "nginx" ] }
|
||||
- { role: "monitoring", tags: [ "monitoring" ] }
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
owner: "{{ item.owner | default('root') }}"
|
||||
group: "{{ item.group | default('root') }}"
|
||||
mode: "{{ item.mode | default('0640') }}"
|
||||
notify: "{{ item.notify | default([]) }}"
|
||||
notify: "{{ item.notify | default([]) }}"
|
||||
with_items:
|
||||
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
|
||||
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
- { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
|
||||
- { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
|
||||
- { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
|
||||
register: aptconfig
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
tags:
|
||||
|
@ -56,6 +57,8 @@
|
|||
|
||||
- name: Install standard packages
|
||||
ansible.builtin.apt:
|
||||
cache_valid_time: 3600
|
||||
update_cache: "{{ aptconfig.changed | bool | default(false) }}"
|
||||
pkg:
|
||||
- curl
|
||||
- fzf
|
||||
|
|
16
roles/nginx/defaults/main.yaml
Normal file
16
roles/nginx/defaults/main.yaml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
|
||||
nginx_package: "nginx-light"
|
||||
nginx_user: "www-data"
|
||||
nginx_modules_dir: "/etc/nginx/modules-enabled"
|
||||
|
||||
|
||||
nginx_tls_version: "TLSv1.2 TLSv1.3"
|
||||
nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
|
||||
nginx_tls_curve: "prime256v1:secp384r1"
|
||||
nginx_tls_cache_size: "10m"
|
||||
nginx_tls_session_timeout: "1h"
|
||||
nginx_ssl_stapling: "on"
|
||||
nginx_ssl_stapling_verify: "on"
|
||||
nginx_wk_acme: "/var/lib/dehydrated/acme-challenges"
|
||||
|
11
roles/nginx/handlers/main.yaml
Normal file
11
roles/nginx/handlers/main.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Reload nginx
|
||||
ansible.builtin.systemd:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
enabled: true
|
||||
listen: "Reload app-services"
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
|
80
roles/nginx/tasks/main.yaml
Normal file
80
roles/nginx/tasks/main.yaml
Normal file
|
@ -0,0 +1,80 @@
|
|||
---
|
||||
|
||||
- name: Install nginx base package
|
||||
ansible.builtin.apt:
|
||||
name: "{{ nginx_package }}"
|
||||
state: present
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
|
||||
- name: Create sites-available / sites-enabled directories
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: "{{ item.path }}"
|
||||
owner: "{{ item.owner | default('root') }}"
|
||||
group: "{{ item.group | default('root') }}"
|
||||
mode: "{{ item.mode | default('0755') }}"
|
||||
with_items:
|
||||
- { path: "/etc/nginx/sites-available" }
|
||||
- { path: "/etc/nginx/sites-enabled" }
|
||||
notify: Reload nginx
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
|
||||
- name: Template default nginx config files
|
||||
ansible.builtin.template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "{{ item.owner | default('root') }}"
|
||||
group: "{{ item.group | default('root') }}"
|
||||
mode: "{{ item.mode | default('0644') }}"
|
||||
force: "{{ item.force | default('yes') }}"
|
||||
backup: true
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" }
|
||||
- { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" }
|
||||
- { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" }
|
||||
# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" }
|
||||
# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' }
|
||||
# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" }
|
||||
notify: "{{ item.notify | default(omit) }}"
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
|
||||
- name: Template site-specific configs
|
||||
ansible.builtin.template:
|
||||
src: "site.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
|
||||
owner: "{{ site.owner | default('root') }}"
|
||||
group: "{{ site.group | default('root') }}"
|
||||
mode: "{{ site.mode | default('0644') }}"
|
||||
force: "{{ site.force | default('yes') }}"
|
||||
backup: true
|
||||
loop: "{{ nginx_sites }}"
|
||||
loop_control:
|
||||
loop_var: site
|
||||
label: "{{ site.server_name }}"
|
||||
notify: Reload nginx
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
tags:
|
||||
- nginxextra
|
||||
- nginx_site
|
||||
|
||||
- name: Enable nginx sites
|
||||
ansible.builtin.file:
|
||||
src: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
|
||||
path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf"
|
||||
state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}"
|
||||
mode: "0644"
|
||||
loop: "{{ nginx_sites }}"
|
||||
loop_control:
|
||||
loop_var: site
|
||||
label: "{{ site.server_name }}"
|
||||
notify: Reload nginx
|
||||
when:
|
||||
- nginx_sites is defined
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
|
37
roles/nginx/templates/default.j2
Normal file
37
roles/nginx/templates/default.j2
Normal file
|
@ -0,0 +1,37 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80
|
||||
|
||||
server_name {{ inventory_hostname }};
|
||||
|
||||
# Accept ACME-Challenges over http
|
||||
location ^~ /.well-known/acme-challenge/ {
|
||||
alias {{ nginx_wk_acme }}/;
|
||||
}
|
||||
|
||||
# Block .ht files
|
||||
location ~ /\.ht {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Redirect everything to https by default
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /server_status {
|
||||
# Enable Nginx stats
|
||||
stub_status on;
|
||||
# Only allow access from localhost
|
||||
allow 127.0.0.1;
|
||||
# Other request should be denied
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
|
||||
{% for line in nginx_default_extra | default([]) %}
|
||||
{{ line }}
|
||||
{% endfor %}
|
||||
|
35
roles/nginx/templates/etc-nginx.conf.j2
Normal file
35
roles/nginx/templates/etc-nginx.conf.j2
Normal file
|
@ -0,0 +1,35 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
user {{ nginx_user }};
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
worker_rlimit_nofile 16384;
|
||||
include {{ nginx_modules_dir }}/*.conf;
|
||||
|
||||
http {
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Default nginx log format with $request time added
|
||||
log_format bitlair '$remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $request_time';
|
||||
access_log /var/log/nginx/access.log bitlair;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
{% for line in nginx_http_extra | default([]) %}
|
||||
{{ line }}
|
||||
{% endfor %}
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
36
roles/nginx/templates/site.conf.j2
Normal file
36
roles/nginx/templates/site.conf.j2
Normal file
|
@ -0,0 +1,36 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
|
||||
|
||||
include /etc/nginx/tls_params;
|
||||
ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
|
||||
ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem;
|
||||
|
||||
location ~ /\.ht {
|
||||
deny all;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair;
|
||||
error_log /var/log/nginx/{{ site.server_name }}.error.log;
|
||||
|
||||
{% if site.localproxy is defined %}
|
||||
location / {
|
||||
proxy_pass http://localhost:{{ site.localproxy }}/;
|
||||
include proxy_params;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
# Include snippets
|
||||
{% for file in site.snippets | default([]) %}
|
||||
{% include "../../../snippets/" . file %}
|
||||
{% endif %}
|
||||
|
||||
# Per site configuration
|
||||
{% for line in site.config | default([]) %}
|
||||
{{ line }}
|
||||
{% endfor %}
|
||||
}
|
22
roles/nginx/templates/tls_params.j2
Normal file
22
roles/nginx/templates/tls_params.j2
Normal file
|
@ -0,0 +1,22 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
ssl_session_timeout {{ nginx_tls_session_timeout }};
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }};
|
||||
|
||||
ssl_protocols {{ nginx_tls_version }};
|
||||
ssl_ciphers {{ nginx_tls_cipherlist }};
|
||||
ssl_ecdh_curve {{ nginx_tls_curve }};
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
add_header X-Frame-Options "sameorigin";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-Robots-Tag noindex;
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling {{ nginx_ssl_stapling }};
|
||||
ssl_stapling_verify {{ nginx_ssl_stapling_verify }};
|
||||
|
13
snippets/prometheus-nginx.j2
Normal file
13
snippets/prometheus-nginx.j2
Normal file
|
@ -0,0 +1,13 @@
|
|||
# dashboard nginx config snippet
|
||||
|
||||
location /prometheus/ {
|
||||
proxy_pass http://localhost:9090/prometheus/;
|
||||
include proxy_params;
|
||||
|
||||
{% for host in bitlair_ip_whitelist %}
|
||||
allow {{ host }};
|
||||
{% endif %}
|
||||
allow "127.0.0.0/8"
|
||||
allow "::1";
|
||||
deny all;
|
||||
}
|
Loading…
Add table
Reference in a new issue