bitlair/ansible
6
0
Fork 1
Code Issues Pull requests Releases Activity

Compare commits

base: bitlair:44a122575d51a375218de69cea18be3956c08bae
Branches Tags
bitlair:main
bitlair:linting
..
compare: bitlair:0ab35571b92ecc21e4698031b6ad0f5d3144a389
Branches Tags
bitlair:main
bitlair:linting

No commits in common. "44a122575d51a375218de69cea18be3956c08bae" and "0ab35571b92ecc21e4698031b6ad0f5d3144a389" have entirely different histories.
44a122575d ... 0ab35571b9

46 changed files with 232 additions and 631 deletions
Show stats Expand all files Collapse all files

4
authorized_keys/foobar.keys
View file

@ -1,2 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C

6
bank.yaml
View file

@ -1,8 +1,8 @@
--- ---
- hosts: bank - hosts: bank
roles:
- common
- bank
vars: vars:
bank_revbank_git: https://github.com/bitlair/revbank.git bank_revbank_git: https://github.com/bitlair/revbank.git
roles:
- { role: "common", tags: [ "common" ] }
- { role: "bank", tags: [ "bank" ] }

6
bar.yaml
View file

@ -4,6 +4,6 @@
vars: vars:
raspi_rotate_display: "2" raspi_rotate_display: "2"
roles: roles:
- { role: "raspi", tags: [ "raspi" ] } - raspi
- { role: "common", tags: [ "common" ] } - common
- { role: "bank-terminal", tags: [ "bank-terminal" ] } - bank-terminal

4
bitlair.yaml
View file

@ -26,13 +26,11 @@
- hosts: git - hosts: git
roles: roles:
- { role: "acme", tags: [ "acme" ] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "git-server", tags: [ "git-server" ] } - { role: "git-server", tags: [ "git-server" ] }
- hosts: monitoring - hosts: monitoring
roles: roles:
- { role: "acme", tags: [ "acme" ] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "monitoring", tags: [ "monitoring" ] } - { role: "monitoring", tags: [ "monitoring" ] }
- hosts: mqtt - hosts: mqtt
@ -48,7 +46,6 @@
- hosts: pad - hosts: pad
roles: roles:
- { role: "acme", tags: [ "acme" ] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "etherpad", tags: [ "etherpad" ] } - { role: "etherpad", tags: [ "etherpad" ] }
- hosts: services - hosts: services
@ -58,5 +55,4 @@
- hosts: wiki - hosts: wiki
roles: roles:
- { role: "acme", tags: [ "acme" ] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "www", tags: [ "www" ] } - { role: "www", tags: [ "www" ] }

2
common.yaml
View file

@ -3,4 +3,4 @@
- hosts: debian - hosts: debian
gather_facts: true gather_facts: true
roles: roles:
- { role: "common", tags: [ "common" ] } - common

4
fotos.yaml
View file

@ -2,5 +2,5 @@
- hosts: fotos - hosts: fotos
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "photos", tags: [ "photos" ] } - photos

4
git-ci.yaml
View file

@ -2,5 +2,5 @@
- hosts: git-ci - hosts: git-ci
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "git-ci", tags: [ "git-ci" ] } - git-ci

7
git.yaml
View file

@ -2,7 +2,6 @@
- hosts: git - hosts: git
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "nginx", tags: [ "nginx" ] } - git-server
- { role: "git-server", tags: [ "git-server" ] }

21
group_vars/all.yaml
View file

@ -6,25 +6,22 @@ notify_email: bestuur@bitlair.nl
acme_bootstrap_certs: no acme_bootstrap_certs: no
trusted_ranges: trusted_ranges:
# localhost # localhost
- { v: ipv4, cidr: "127.0.0.1/8" } - { v: ipv4, cidr: 127.0.0.1/8 }
- { v: ipv6, cidr: "::1" } - { v: ipv6, cidr: "::1" }
# rf1928 # rf1928
- { v: ipv4, cidr: "10.0.0.0/8" } - { v: ipv4, cidr: 10.0.0.0/8 }
- { v: ipv4, cidr: "172.16.0.0/12" } - { v: ipv4, cidr: 172.16.0.0/12 }
- { v: ipv4, cidr: "192.168.0.0/16" } - { v: ipv4, cidr: 192.168.0.0/16 }
# v6 local # v6 local
- { v: ipv6, cidr: "fe80::/10" } - { v: ipv6, cidr: "fe80::/10" }
# vihamij # vihamij
- { v: ipv4, cidr: "45.88.49.140" } - { v: ipv4, cidr: 45.88.49.140 }
# eventinfra # eventinfra
- { v: ipv4, cidr: "204.2.64.0/20" } - { v: ipv4, cidr: 204.2.64.0/20 }
# bitlair
- { v: ipv4, cidr: "100.64.0.0/10" } - { v: ipv4, cidr: 100.64.0.0/10 }
- { v: ipv4, cidr: "185.205.52.194/32" } - { v: ipv4, cidr: 185.205.52.194/32 }
- { v: ipv6, cidr: "2a02:166b:92::/48" } - { v: ipv6, cidr: "2a02:166b:92::/48" }
# foobar
- { v: ipv4, cidr: "31.187.251.213/32" }
- { v: ipv6, cidr: "2a0e:5700:4:2::/64" }
root_access: root_access:
- ak - ak

10
group_vars/git.yaml
View file

@ -1,15 +1,5 @@
---
acme_domains: acme_domains:
- "{{ git_server_domain }}" - "{{ git_server_domain }}"
git_server_domain: git.bitlair.nl git_server_domain: git.bitlair.nl
git_server_title: Gitlair git_server_title: Gitlair
git_server_bootstrap_cert: no git_server_bootstrap_cert: no
nginx_client_max_body_size: 4G
nginx_sites:
- server_name: "git.bitlair.nl"
localproxy: "9001"
snippets:
- "forgejo-nginx.j2"

6
group_vars/monitoring.yaml
View file

@ -40,9 +40,3 @@ prometheus_scrape_configs:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: "{{ blackbox_exporter_web_listen_address }}" replacement: "{{ blackbox_exporter_web_listen_address }}"
nginx_sites:
- server_name: "dashboard.bitlair.nl"
localproxy: "9000"
snippets:
- "prometheus-nginx.j2"

2
group_vars/music.yaml
View file

@ -5,8 +5,6 @@ root_access:
- foobar - foobar
- polyfloyd - polyfloyd
nginx_client_max_body_size: 512M
music_domain: music.bitlair.nl music_domain: music.bitlair.nl
acme_san_domains: acme_san_domains:
- [ music.bitlair.nl ] - [ music.bitlair.nl ]

6
group_vars/pad.yaml
View file

@ -1,7 +1 @@
---
etherpad_domain: pad.bitlair.nl etherpad_domain: pad.bitlair.nl
nginx_sites:
- server_name: "pad.bitlair.nl"
localproxy: "9001"

21
group_vars/wiki.yaml
View file

@ -1,21 +0,0 @@
acme_bootstrap_certs: yes
acme_san_domains:
- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- [ bitair.nl ]
- [ ravespace.nl ]
nginx_sites:
- server_name: "bitlair.nl"
server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
snippets:
- "mqtt2web-nginx.j2"
- "spaceapi-nginx.j2"
- "www-nginx.j2"
- server_name: "bitair.nl"
server_alias: "www.bitair.nl"
snippets:
- "bitair-nginx.j2"
- server_name: "ravespace.nl"
server_alias: "www.ravespace.nl"
snippets:
- "ravespace-nginx.j2"

5
group_vars/www.yaml Normal file
View file

@ -0,0 +1,5 @@
acme_bootstrap_certs: yes
acme_san_domains:
- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- [ bitair.nl ]
- [ ravespace.nl ]

7
monitoring.yaml
View file

@ -2,7 +2,6 @@
- hosts: monitoring - hosts: monitoring
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "nginx", tags: [ "nginx" ] } - monitoring
- { role: "monitoring", tags: [ "monitoring" ] }

4
mqtt-internal.yaml
View file

@ -2,5 +2,5 @@
- hosts: mqtt - hosts: mqtt
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } - mqtt-internal

9
music.yaml
View file

@ -2,8 +2,7 @@
- hosts: music - hosts: music
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "go", tags: [ "go" ] } - go
# - { role: "nginx", tags: [ "nginx" ] } - music
- { role: "music", tags: [ "music" ] }

7
pad.yaml
View file

@ -5,7 +5,6 @@
acme_san_domains: acme_san_domains:
- [ pad.bitlair.nl ] - [ pad.bitlair.nl ]
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "nginx", tags: [ "nginx" ] } - etherpad
- { role: "etherpad", tags: [ "etherpad" ] }

2
roles/acme/tasks/main.yaml
View file

@ -23,7 +23,7 @@
owner: "{{ item.owner | default('root') }}" owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}" group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
notify: "{{ item.notify | default([]) }}" notify: "{{ item.notify | default([]) }}"
with_items: with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }

3
roles/common/tasks/main.yaml
View file

@ -18,7 +18,6 @@
- { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
- { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
- { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
register: aptconfig
when: when:
- ansible_os_family == "Debian" - ansible_os_family == "Debian"
tags: tags:
@ -57,8 +56,6 @@
- name: Install standard packages - name: Install standard packages
ansible.builtin.apt: ansible.builtin.apt:
cache_valid_time: 3600
update_cache: "{{ aptconfig.changed | bool | default(false) }}"
pkg: pkg:
- curl - curl
- fzf - fzf

245
roles/etherpad/tasks/main.yaml
View file

@ -1,141 +1,140 @@
--- ---
- tags: etherpad
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies - name: Install dependencies
ansible.builtin.apt: ansible.builtin.apt:
state: present name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
pkg:
- gpg
- postgresql
- python3-psycopg2
- apt-transport-https
- name: Import nodesource signing key - name: Import nodesource signing key
ansible.builtin.shell: ansible.builtin.shell:
cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-o /usr/share/keyrings/nodesource.gpg -o /usr/share/keyrings/nodesource.gpg
args: args:
creates: /usr/share/keyrings/nodesource.gpg creates: /usr/share/keyrings/nodesource.gpg
notify: apt update notify: apt update
- name: Install nodesource source list - name: Install nodesource source list
ansible.builtin.template: ansible.builtin.template:
src: nodesource.list src: nodesource.list
dest: /etc/apt/sources.list.d/nodesource.list dest: /etc/apt/sources.list.d/nodesource.list
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: apt update notify: apt update
- name: Install nodejs apt preference - name: Install nodejs apt preference
ansible.builtin.template: ansible.builtin.template:
src: nodejs-apt-pref src: nodejs-apt-pref
dest: /etc/apt/preferences.d/nodejs dest: /etc/apt/preferences.d/nodejs
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: apt update notify: apt update
- ansible.builtin.meta: flush_handlers - ansible.builtin.meta: flush_handlers
- name: Install nodejs - name: Install nodejs
ansible.builtin.apt: ansible.builtin.apt:
name: nodejs name: nodejs
- name: Add database user - name: Add database user
become: true become: true
become_method: su become_method: su
become_user: postgres become_user: postgres
no_log: yes no_log: yes
community.postgresql.postgresql_user: community.postgresql.postgresql_user:
name: etherpad name: etherpad
password: "{{ etherpad_db_password }}" password: "{{ etherpad_db_password }}"
- name: Add database - name: Add database
become: true become: true
become_method: su become_method: su
become_user: postgres become_user: postgres
community.postgresql.postgresql_db: community.postgresql.postgresql_db:
name: "{{ etherpad_db_name }}" name: "{{ etherpad_db_name }}"
owner: "{{ etherpad_db_user }}" owner: "{{ etherpad_db_user }}"
- name: Add etherpad user - name: Add etherpad user
ansible.builtin.user: ansible.builtin.user:
name: etherpad name: etherpad
home: /var/lib/etherpad home: /var/lib/etherpad
- name: Create log file - name: Create log file
ansible.builtin.file: ansible.builtin.file:
path: /var/log/etherpad.log path: /var/log/etherpad.log
state: touch state: touch
owner: etherpad owner: etherpad
group: etherpad group: etherpad
mode: 0644 mode: 0644
- name: Create source directory - name: Create source directory
ansible.builtin.file: ansible.builtin.file:
path: /opt/etherpad path: /opt/etherpad
state: directory state: directory
owner: etherpad owner: etherpad
group: etherpad group: etherpad
mode: 0755 mode: 0755
- name: Clone etherpad source - name: Clone etherpad source
become: yes become: yes
become_method: su become_method: su
become_user: etherpad become_user: etherpad
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/ether/etherpad-lite.git repo: https://github.com/ether/etherpad-lite.git
version: master version: master
dest: /opt/etherpad dest: /opt/etherpad
accept_hostkey: yes accept_hostkey: yes
notify: restart etherpad notify: restart etherpad
- name: Install etherpad config - name: Install etherpad config
ansible.builtin.template: ansible.builtin.template:
src: settings.json src: settings.json
dest: /opt/etherpad/settings.json dest: /opt/etherpad/settings.json
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: restart etherpad notify: restart etherpad
- name: Install etherpad service - name: Install etherpad service
ansible.builtin.template: ansible.builtin.template:
src: etherpad.service src: etherpad.service
dest: /etc/systemd/system/etherpad.service dest: /etc/systemd/system/etherpad.service
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: restart etherpad notify: restart etherpad
- name: Start etherpad - name: Start etherpad
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
name: etherpad name: etherpad
state: started state: started
enabled: yes enabled: yes
- name: Install nginx config - name: Install nginx config
ansible.builtin.template: ansible.builtin.template:
src: nginx-site.conf src: nginx-site.conf
dest: /etc/nginx/sites-enabled/etherpad dest: /etc/nginx/sites-enabled/etherpad
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: reload nginx notify: reload nginx
- name: Allow HTTP and HTTPS - name: Allow HTTP and HTTPS
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
destination_port: "{{ item.port }}" destination_port: "{{ item.port }}"
ctstate: NEW ctstate: NEW
jump: ACCEPT jump: ACCEPT
ip_version: "{{ item.ip }}" ip_version: "{{ item.ip }}"
action: insert action: insert
with_items: with_items:
- { ip: ipv4, port: 80 } - { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 } - { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 } - { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 } - { ip: ipv6, port: 443 }
notify: persist iptables notify: persist iptables

2
roles/git-server/tasks/main.yaml
View file

@ -1,4 +1,6 @@
--- ---
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies - name: Install dependencies
ansible.builtin.apt: ansible.builtin.apt:

3
roles/monitoring/tasks/main.yaml
View file

@ -2,6 +2,9 @@
- name: monitoring - name: monitoring
tags: monitoring tags: monitoring
block: block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install nginx site - name: Install nginx site
ansible.builtin.template: ansible.builtin.template:
src: nginx-site.conf src: nginx-site.conf

58
roles/mqtt-internal/tasks/main.yaml
View file

@ -1,32 +1,34 @@
--- ---
- name: mqtt-internal
tags: mqtt_internal
block:
- name: Install dependencies
ansible.builtin.apt:
name:
- mosquitto
- avahi-daemon
- name: Install dependencies - name: Install bambulab cafile
ansible.builtin.apt: # openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
name: ansible.builtin.copy:
- mosquitto dest: "{{ mqtt_bambulab_cafile }}"
- avahi-daemon content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
- name: Install bambulab cafile - name: Configure Mosquitto
# openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' ansible.builtin.template:
ansible.builtin.copy: src: "{{ item }}"
dest: "{{ mqtt_bambulab_cafile }}" dest: "/etc/mosquitto/conf.d/{{ item }}"
content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}" owner: root
group: root
mode: 0644
notify: restart mosquitto
with_items:
- bambulab.conf
- internal.conf
- public-bridge.conf
- name: Configure Mosquitto - name: Start mosquitto
ansible.builtin.template: ansible.builtin.systemd:
src: "{{ item }}" name: mosquitto
dest: "/etc/mosquitto/conf.d/{{ item }}" state: started
owner: root enabled: yes
group: root
mode: 0644
notify: restart mosquitto
with_items:
- bambulab.conf
- internal.conf
- public-bridge.conf
- name: Start mosquitto
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: yes

2
roles/music/tasks/main.yaml
View file

@ -17,6 +17,8 @@
- tags: music - tags: music
block: block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install nginx config - name: Install nginx config
ansible.builtin.template: ansible.builtin.template:

17
roles/nginx/defaults/main.yaml
View file

@ -1,17 +0,0 @@
---
nginx_package: "nginx-light"
nginx_user: "www-data"
nginx_modules_dir: "/etc/nginx/modules-enabled"
nginx_tls_version: "TLSv1.2 TLSv1.3"
nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
nginx_tls_curve: "prime256v1:secp384r1"
nginx_tls_cache_size: "10m"
nginx_tls_session_timeout: "1h"
nginx_ssl_stapling: "on"
nginx_ssl_stapling_verify: "on"
nginx_wk_acme: "/var/lib/dehydrated/acme-challenges"
nginx_client_max_body_size: "32m"

11
roles/nginx/handlers/main.yaml
View file

@ -1,11 +0,0 @@
---
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
enabled: true
listen: "Reload app-services"
when:
- nginx_sites is defined

80
roles/nginx/tasks/main.yaml
View file

@ -1,80 +0,0 @@
---
- name: Install nginx base package
ansible.builtin.apt:
name: "{{ nginx_package }}"
state: present
when:
- nginx_sites is defined
- name: Create sites-available / sites-enabled directories
ansible.builtin.file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- { path: "/etc/nginx/sites-available" }
- { path: "/etc/nginx/sites-enabled" }
notify: Reload nginx
when:
- nginx_sites is defined
- name: Template default nginx config files
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0644') }}"
force: "{{ item.force | default('yes') }}"
backup: true
loop_control:
label: "{{ item.dest }}"
with_items:
- { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" }
- { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" }
- { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" }
# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" }
# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' }
# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" }
notify: "{{ item.notify | default(omit) }}"
when:
- nginx_sites is defined
- name: Template site-specific configs
ansible.builtin.template:
src: "site.conf.j2"
dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
owner: "{{ site.owner | default('root') }}"
group: "{{ site.group | default('root') }}"
mode: "{{ site.mode | default('0644') }}"
force: "{{ site.force | default('yes') }}"
backup: true
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
tags:
- nginxextra
- nginx_site
- name: Enable nginx sites
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf"
state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}"
mode: "0644"
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
ignore_errors: "{{ ansible_check_mode }}"

37
roles/nginx/templates/default.j2
View file

@ -1,37 +0,0 @@
# {{ ansible_managed }}
server {
listen 80 default_server;
listen [::]:80
server_name {{ inventory_hostname }};
# Accept ACME-Challenges over http
location ^~ /.well-known/acme-challenge/ {
alias {{ nginx_wk_acme }}/;
}
# Block .ht files
location ~ /\.ht {
deny all;
}
# Redirect everything to https by default
location / {
return 301 https://$host$request_uri;
}
location /server_status {
# Enable Nginx stats
stub_status on;
# Only allow access from localhost
allow 127.0.0.1;
# Other request should be denied
deny all;
}
}
{% for line in nginx_default_extra | default([]) %}
{{ line }}
{% endfor %}

39
roles/nginx/templates/etc-nginx.conf.j2
View file

@ -1,39 +0,0 @@
# {{ ansible_managed }}
user {{ nginx_user }};
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;
include {{ nginx_modules_dir }}/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Default nginx log format with $request time added
log_format bitlair '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access.log bitlair;
gzip on;
gzip_disable "msie6";
{% for line in nginx_http_extra | default([]) %}
{{ line }}
{% endfor %}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

38
roles/nginx/templates/site.conf.j2
View file

@ -1,38 +0,0 @@
# {{ ansible_managed }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
include /etc/nginx/tls_params;
ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
client_max_body_size {{ nginx_client_max_body_size }};
location ~ /\.ht {
deny all;
}
access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair;
error_log /var/log/nginx/{{ site.server_name }}.error.log;
{% if site.localproxy is defined %}
location / {
proxy_pass http://localhost:{{ site.localproxy }}/;
include proxy_params;
}
{% endif %}
# Include snippets
{% for file in site.snippets | default([]) %}
{% include "snippets/" ~ file %}
{% endfor %}
# Per site configuration
{% for line in site.config | default([]) %}
{{ line }}
{% endfor %}
}

1
roles/nginx/templates/snippets
View file

@ -1 +0,0 @@
../../../snippets/

22
roles/nginx/templates/tls_params.j2
View file

@ -1,22 +0,0 @@
# {{ ansible_managed }}
ssl_session_timeout {{ nginx_tls_session_timeout }};
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }};
ssl_protocols {{ nginx_tls_version }};
ssl_ciphers {{ nginx_tls_cipherlist }};
ssl_ecdh_curve {{ nginx_tls_curve }};
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "sameorigin";
add_header X-Content-Type-Options "nosniff";
add_header X-Robots-Tag noindex;
# OCSP stapling
ssl_stapling {{ nginx_ssl_stapling }};
ssl_stapling_verify {{ nginx_ssl_stapling_verify }};

3
roles/www/tasks/mediawiki.yaml
View file

@ -4,6 +4,9 @@
name: php-fpm name: php-fpm
state: present state: present
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install security.txt - name: Install security.txt
ansible.builtin.template: ansible.builtin.template:
src: security.txt src: security.txt

4
services.yaml
View file

@ -2,5 +2,5 @@
- hosts: services - hosts: services
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "services", tags: [ "services" ] } - services

2
snippets/bitair-nginx.j2
View file

@ -1,2 +0,0 @@
root /opt/bitair.nl/;
index index.html;

18
snippets/common-nginx.yaml Normal file
View file

@ -0,0 +1,18 @@
---
- name: Install nginx
apt:
name: nginx
state: present
- name: Disable nginx server_tokens
lineinfile:
path: /etc/nginx/nginx.conf
line: "\tserver_tokens off;"
regexp: "server_tokens"
notify: reload nginx
- name: Clear default nginx site
file:
state: absent
path: /etc/nginx/sites-enabled/default
notify: reload nginx

3
snippets/forgejo-nginx.j2
View file

@ -1,3 +0,0 @@
location ~* \.keys$ {
deny all;
}

11
snippets/mqtt2web-nginx.j2
View file

@ -1,11 +0,0 @@
# mqtt2web nginx config snippet
location /mqtt/ {
proxy_pass http://localhost:8080/mqtt;
include proxy_params;
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_set_header Connection '';
chunked_transfer_encoding off;
}

13
snippets/prometheus-nginx.j2
View file

@ -1,13 +0,0 @@
# dashboard nginx config snippet
location /prometheus/ {
proxy_pass http://localhost:9090/prometheus/;
include proxy_params;
{% for host in trusted_ranges | default([]) %}
allow {{ host.cidr }};
{% endfor %}
allow "127.0.0.0/8";
allow "::1";
deny all;
}

2
snippets/ravespace-nginx.j2
View file

@ -1,2 +0,0 @@
root /opt/ravespace.nl/;
index index.html;

8
snippets/spaceapi-nginx.j2
View file

@ -1,8 +0,0 @@
# spaceapi nginx config snippet
location = /statejson {
proxy_pass http://localhost:8888;
include proxy_params;
add_header 'Access-Control-Allow-Origin' '*';
}

89
snippets/www-nginx.j2
View file

@ -1,89 +0,0 @@
root /opt/mediawiki-1.41.1/;
# Photo gallery
location = /fotos {
return 302 $scheme://bitlair.nl/fotos/;
}
location ~* ^/fotos/(.*)$ {
proxy_pass http://204.2.68.2:4567/$1$is_args$args;
}
location ~ ^/state/(.+)$ {
alias /opt/spaceapi/assets/$1;
}
location = /events.ics {
alias /var/lib/bitlair-calendar/events.ics;
}
location ~ ^/(cache|maintenance|vendor|extensions)/ {
deny all;
}
# Legacy space API stuff.
location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
root "/opt/legacy/";
fastcgi_pass unix:/run/php/php-fpm.sock;
include fastcgi.conf;
}
location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
root "/opt/legacy/";
}
location ~ ^/wp-content {
root "/opt/legacy/";
}
location = /statejson.php {
rewrite ^.+$ /statejson;
}
# Mediawiki
location / {
try_files $uri $uri/ @rewrite;
}
location ~ \.php$ {
try_files $uri @rewrite;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location @rewrite {
# rewrite ^/(.*)$ /index.php;
rewrite ^/(.*)$ /index.php?title=$1$args;
}
location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
try_files $uri @rewrite;
expires 1M;
}
location = /_.gif {
expires max;
empty_gif;
}
#location /dumps {
# root /opt/bitlair-wiki/local;
# autoindex on;
#}
# Legacy: redirect old prefix.
location /Pages/ {
rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
}
# Matrix realm delegation
location = /.well-known/matrix/server {
add_header "Content-Type" "application/json";
add_header "Access-Control-Allow-Origin" "*";
alias /opt/matrix-delegation.json;
}
location = /.well-known/security.txt {
alias /opt/security.txt;
}

8
wiki.yaml
View file

@ -1,8 +0,0 @@
---
- hosts: wiki
roles:
- { role: "common", tags: [ "common" ] }
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "www", tags: [ "www" ] }

7
www.yaml Normal file
View file

@ -0,0 +1,7 @@
---
- hosts: wiki
roles:
- common
- acme
- www