diff --git a/fotos.yaml b/fotos.yaml new file mode 100644 index 0000000..e141485 --- /dev/null +++ b/fotos.yaml @@ -0,0 +1,5 @@ +--- +- hosts: fotos + roles: + - common + - photos diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 8f535da..99ceadd 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -13,3 +13,6 @@ trusted_ranges: - { v: ipv6, cidr: "fe80::/10" } - { v: ipv6, cidr: "2a02:166b:92::/64" } node_exporter: no + +mqtt_internal_host: mqtt.bitlair.nl +mqtt_public_host: bitlair.nl diff --git a/group_vars/mqtt_internal.yaml b/group_vars/mqtt_internal.yaml deleted file mode 100644 index 3ce5308..0000000 --- a/group_vars/mqtt_internal.yaml +++ /dev/null @@ -1 +0,0 @@ -mqtt_internal_public_host: bitlair.nl diff --git a/group_vars/www.yaml b/group_vars/www.yaml new file mode 100644 index 0000000..c98d077 --- /dev/null +++ b/group_vars/www.yaml @@ -0,0 +1,3 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] diff --git a/hosts.yaml b/hosts.yaml index f1e919b..b7b9930 100644 --- a/hosts.yaml +++ b/hosts.yaml @@ -3,6 +3,9 @@ all: raspi: hosts: bank-pi.bitlair.nl: + kvm: + hosts: + kvm3.bitlair.nl: debian: children: bank: diff --git a/roles/common/tasks/apt-minimal.yaml b/roles/common/tasks/apt-minimal.yaml new file mode 100644 index 0000000..bc74ff6 --- /dev/null +++ b/roles/common/tasks/apt-minimal.yaml @@ -0,0 +1,8 @@ +--- +- name: Configure auto-upgrades + template: + src: apt-minimal + dest: /etc/apt/apt.conf.d/20minimal + owner: root + group: root + mode: 0644 diff --git a/roles/common/tasks/debian-upgrade.yaml b/roles/common/tasks/debian-upgrade.yaml new file mode 100644 index 0000000..241c60a --- /dev/null +++ b/roles/common/tasks/debian-upgrade.yaml @@ -0,0 +1,28 @@ +--- +- name: Install source list + template: + src: stable-sources.list + dest: /etc/apt/sources.list + owner: root + group: root + mode: 0644 + +- name: Remove backports + file: + path: /etc/apt/sources.list.d/backports.list + state: absent + +- name: update + apt: + update_cache: yes + +- name: full-upgrade + apt: + upgrade: full + +- name: Reboot + reboot: + +- name: autoremove + apt: + autoremove: yes diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 531894c..c504d3d 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -1,4 +1,8 @@ --- +- tags: [ debian-upgrade, never ] + import_tasks: debian-upgrade.yaml + when: ansible_facts['distribution_release'] != "bookworm" + - tags: debian_backports import_tasks: debian-backports.yaml diff --git a/roles/common/templates/apt-minimal b/roles/common/templates/apt-minimal new file mode 100644 index 0000000..452a6e6 --- /dev/null +++ b/roles/common/templates/apt-minimal @@ -0,0 +1,4 @@ +# Managed by Ansible + +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; diff --git a/roles/common/templates/stable-sources.list b/roles/common/templates/stable-sources.list new file mode 100644 index 0000000..95c2f9a --- /dev/null +++ b/roles/common/templates/stable-sources.list @@ -0,0 +1,8 @@ +deb http://deb.debian.org/debian bookworm main non-free-firmware +deb-src http://deb.debian.org/debian bookworm main non-free-firmware + +deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware +deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware + +deb http://deb.debian.org/debian bookworm-updates main non-free-firmware +deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware diff --git a/roles/mqtt-internal/templates/public-bridge.conf b/roles/mqtt-internal/templates/public-bridge.conf index 7b0494a..a30bcab 100644 --- a/roles/mqtt-internal/templates/public-bridge.conf +++ b/roles/mqtt-internal/templates/public-bridge.conf @@ -1,7 +1,7 @@ # Managed by Ansible connection public-bridge -address {{ mqtt_internal_public_host }} +address {{ mqtt_public_host }} topic bitlair/state out topic bitlair/state/djo out @@ -11,3 +11,4 @@ topic bitlair/wifi/+/online out topic bitlair/climate/# out topic bitlair/humidity/+ out topic bitlair/lasercutter/+ out +topic bitlair/photos out diff --git a/roles/music/templates/soundboard.yaml b/roles/music/templates/soundboard.yaml index 5ef917f..b253086 100644 --- a/roles/music/templates/soundboard.yaml +++ b/roles/music/templates/soundboard.yaml @@ -1,7 +1,7 @@ loglevel: INFO mqtt: - host: mqtt.bitlair.nl + host: {{ mqtt_internal_host }} sounds: directory: /opt/sounds diff --git a/roles/photos/defaults/main.yaml b/roles/photos/defaults/main.yaml new file mode 100644 index 0000000..88f66d6 --- /dev/null +++ b/roles/photos/defaults/main.yaml @@ -0,0 +1,3 @@ +photos_mqtt_host: "{{ mqtt_internal_host }}" +photos_mqtt_topic: bitlair/photos +photos_path: /opt/wip diff --git a/roles/photos/handlers/main.yaml b/roles/photos/handlers/main.yaml new file mode 100644 index 0000000..0d76217 --- /dev/null +++ b/roles/photos/handlers/main.yaml @@ -0,0 +1,12 @@ +--- +- name: restart photo-gallery + systemd: + name: photo-gallery + state: restarted + daemon_reload: true + +- name: restart photos2mqtt + systemd: + name: photos2mqtt + state: restarted + daemon_reload: true diff --git a/roles/photos/tasks/main.yaml b/roles/photos/tasks/main.yaml new file mode 100644 index 0000000..0450d03 --- /dev/null +++ b/roles/photos/tasks/main.yaml @@ -0,0 +1,6 @@ +--- +- tags: photos_gallery + import_tasks: photo-gallery.yaml + +- tags: photos_mqtt + import_tasks: photos2mqtt.yaml diff --git a/roles/photos/tasks/photo-gallery.yaml b/roles/photos/tasks/photo-gallery.yaml new file mode 100644 index 0000000..946b400 --- /dev/null +++ b/roles/photos/tasks/photo-gallery.yaml @@ -0,0 +1,24 @@ +--- +- name: Clone source + git: + repo: https://github.com/bitlair/photo-gallery.git + version: master + dest: /opt/photo-gallery + accept_hostkey: yes + notify: restart photo-gallery + +- name: Install photo-gallery service file + template: + src: photo-gallery.service + dest: /etc/systemd/system/photo-gallery.service + owner: root + group: root + mode: 0644 + notify: restart photo-gallery + +- name: Start photo-gallery + systemd: + name: photo-gallery + state: started + enabled: yes + daemon_reload: true diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml new file mode 100644 index 0000000..9b9b453 --- /dev/null +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -0,0 +1,34 @@ +--- +- name: Install dependencies + apt: + name: + - make + - liblinux-inotify2-perl + +- name: Install mqtt-simple + command: cpan Net::MQTT::Simple + +- name: Install photos2mqtt + template: + src: photos2mqtt.pl + dest: /opt/photos2mqtt.pl + owner: root + group: root + mode: 0755 + notify: restart photos2mqtt + +- name: Install photos2mqtt service file + template: + src: photos2mqtt.service + dest: /etc/systemd/system/photos2mqtt.service + owner: root + group: root + mode: 0644 + notify: restart photos2mqtt + +- name: Start photos2mqtt + systemd: + name: photos2mqtt + state: started + enabled: yes + daemon_reload: true diff --git a/roles/photos/templates/photo-gallery.service b/roles/photos/templates/photo-gallery.service new file mode 100644 index 0000000..df38be5 --- /dev/null +++ b/roles/photos/templates/photo-gallery.service @@ -0,0 +1,13 @@ +# Managed by Ansible + +[Unit] +Description=Gallery service +After=network.target + +[Service] +ExecStart=/usr/bin/node /opt/photo-gallery/server.js +Restart=always +RestartSec=3 + +[Install] +WantedBy=multi-user.target diff --git a/roles/photos/templates/photos2mqtt.pl b/roles/photos/templates/photos2mqtt.pl new file mode 100644 index 0000000..87a42f5 --- /dev/null +++ b/roles/photos/templates/photos2mqtt.pl @@ -0,0 +1,55 @@ +#!/usr/bin/perl -w + +# Managed by Ansible + +use strict; +use Net::MQTT::Simple; +use Linux::Inotify2; +use POSIX qw(strftime); +use Time::HiRes qw(sleep time); + +my $path = "{{ photos_path }}"; +my $mqtt = Net::MQTT::Simple->new('{{ photos_mqtt_host }}'); + +my $inotify = new Linux::Inotify2 or die $!; +$inotify->blocking(0); + +sub today { + return strftime "%Y%m%d", localtime; +} + +sub watch_daydir { + my ($dn) = @_; + + print "Watching $dn\n"; + + $inotify->watch($dn, IN_CREATE, sub { + my $event = shift; + $inotify->watch($event->fullname, IN_CLOSE_WRITE, sub { + my $event = shift; + my $fn = $event->fullname; + unless ($fn =~ m[^\.|/\.]) { # skip hidden files + print "New file written: $fn\n"; + $mqtt->retain("{{ photos_mqtt_topic }}", $fn =~ s[^$path/][]r); + } + $event->w->cancel; + }); + }); +} + +print "Watching $path\n"; +$inotify->watch($path, IN_CREATE, sub { + my $event = shift; + my $dn = $event->fullname; + -d $dn or next; + + watch_daydir($dn); +}); + +watch_daydir("$path/" . today()); + +while (1) { + $mqtt->tick(.05); + $inotify->poll; + sleep .1; +} diff --git a/roles/photos/templates/photos2mqtt.service b/roles/photos/templates/photos2mqtt.service new file mode 100644 index 0000000..dbdb130 --- /dev/null +++ b/roles/photos/templates/photos2mqtt.service @@ -0,0 +1,16 @@ +# Managed by Ansible + +[Unit] +Description=Photos to MQTT +After=network.target + +[Service] +Type=simple +Restart=on-failure +RestartSec=10s +ExecStart=/usr/bin/perl /opt/photos2mqtt.pl +User=wip + +[Install] +WantedBy=multi-user.target + diff --git a/roles/services/handlers/main.yaml b/roles/services/handlers/main.yaml index ccb98cb..67870bf 100644 --- a/roles/services/handlers/main.yaml +++ b/roles/services/handlers/main.yaml @@ -13,6 +13,12 @@ state: restarted daemon_reload: true +- name: restart irc-photos + systemd: + name: irc-photos + state: restarted + daemon_reload: true + - name: restart discord-bot systemd: name: discord-bot diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 1f159bb..de74de0 100644 --- a/roles/services/tasks/discord_bot.yaml +++ b/roles/services/tasks/discord_bot.yaml @@ -4,7 +4,17 @@ name: - python3-paho-mqtt - python3-tz - # Not in apt, install manually: discord.py, discord_webhook + - virtualenv + +- name: Create virtualenv + command: virtualenv /opt/miflora_exporter/.venv + args: + creates: /var/lib/discord-bot/.venv + +- name: Install Python dependencies + shell: . .venv/bin/activate && pip install -r requirements.txt + args: + chdir: /var/lib/discord-bot - name: Clone source git: diff --git a/roles/services/tasks/ircbot.yaml b/roles/services/tasks/ircbot.yaml index d936c66..3a75eb4 100644 --- a/roles/services/tasks/ircbot.yaml +++ b/roles/services/tasks/ircbot.yaml @@ -28,3 +28,33 @@ state: started enabled: yes daemon_reload: true + +- name: Create helpers dir + file: + path: /var/lib/irc-helpers + state: directory + +- name: Install photos notification + template: + src: irc-photos.sh + dest: /var/lib/irc-helpers/photos.sh + owner: root + group: root + mode: 0755 + notify: restart irc-photos + +- name: Install photos notification service + template: + src: irc-photos.service + dest: /etc/systemd/system/irc-photos.service + owner: root + group: root + mode: 0644 + notify: restart irc-photos + +- name: Start irc-photos + systemd: + name: irc-photos + state: started + enabled: yes + daemon_reload: true diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index 7cf0146..ca948f9 100644 --- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml @@ -1,10 +1,14 @@ --- -- name: Install mqtt-simple - command: cpan Net::MQTT::Simple - name: Install dependencies apt: - name: [ php-cli, php-snmp ] + name: + - php-cli + - php-snmp + - make + +- name: Install mqtt-simple + command: cpan Net::MQTT::Simple - name: Add user user: diff --git a/roles/services/templates/discord-bot.service b/roles/services/templates/discord-bot.service index e022601..f93dbc7 100644 --- a/roles/services/templates/discord-bot.service +++ b/roles/services/templates/discord-bot.service @@ -8,8 +8,10 @@ After=network.target Type=simple Restart=on-failure RestartSec=10s -ExecStart=/var/lib/discord-bot/main.py +ExecStart=/var/lib/discord-bot/.venv/bin/python /var/lib/discord-bot/main.py DynamicUser=true +Environment="MQTT_HOST={{ mqtt_internal_host }}" +Environment="DISCORD_WEBHOOK_URL={{ discord_webhook_url }}" Environment="DISCORD_TOKEN={{ discord_token }}" [Install] diff --git a/roles/services/templates/irc-photos.service b/roles/services/templates/irc-photos.service new file mode 100644 index 0000000..2a6c73f --- /dev/null +++ b/roles/services/templates/irc-photos.service @@ -0,0 +1,16 @@ +# Managed by Ansible + +[Unit] +Description=Bitlair IRC photos notification +After=network.target +Requires=irc-bot.service + +[Service] +Type=simple +ExecStart=/bin/bash /var/lib/irc-helpers/photos.sh +Restart=on-failure +RestartSec=10s +DynamicUser=true + +[Install] +WantedBy=multi-user.target diff --git a/roles/services/templates/irc-photos.sh b/roles/services/templates/irc-photos.sh new file mode 100644 index 0000000..a8d0911 --- /dev/null +++ b/roles/services/templates/irc-photos.sh @@ -0,0 +1,13 @@ +#!/bin/basho + +# Managed by Ansible + +set -eu +set -o pipefail + +mqtt-simple -h {{ mqtt_internal_host }} -s "bitlair/photos" | + while read event; do + path=$(echo $event | cut -d ' ' -f 2) + url="https://bitlair.nl/fotos/view/$path" + irc-say "WIP: $url" + done diff --git a/roles/services/templates/mastodon-spacestate-config.py b/roles/services/templates/mastodon-spacestate-config.py index fe30c15..1af7626 100644 --- a/roles/services/templates/mastodon-spacestate-config.py +++ b/roles/services/templates/mastodon-spacestate-config.py @@ -1,4 +1,4 @@ -mqtt_server = 'mqtt.bitlair.nl' +mqtt_server = '{{ mqtt_internal_host }}' mqtt_port = 1883 spacestate_topic = 'bitlair/state' diff --git a/roles/www/handlers/main.yaml b/roles/www/handlers/main.yaml new file mode 100644 index 0000000..745e9d7 --- /dev/null +++ b/roles/www/handlers/main.yaml @@ -0,0 +1,14 @@ +--- +- import_tasks: ../../common/handlers/main.yaml + +- name: restart spaceapi + systemd: + name: spaceapi + state: restarted + daemon_reload: true + +- name: restart mqtt2web + systemd: + name: mqtt2web + state: restarted + daemon_reload: true diff --git a/roles/www/tasks/calendar.yaml b/roles/www/tasks/calendar.yaml new file mode 100644 index 0000000..ea1a1f2 --- /dev/null +++ b/roles/www/tasks/calendar.yaml @@ -0,0 +1,24 @@ +--- +- name: Install dependencies + apt: + name: [ python3-requests, python3-icalendar ] + +- name: Clone source + git: + repo: https://github.com/bitlair/calendar-parser.git + version: main + dest: /usr/local/src/bitlair-calendar + accept_hostkey: yes + +- name: Create user + user: + name: bitlair-calendar + home: /var/lib/bitlair-calendar + +- name: Install cronjob + template: + src: calendar.cron + dest: /etc/cron.d/bitlair-calendar + owner: root + group: root + mode: 0644 diff --git a/roles/www/tasks/main.yaml b/roles/www/tasks/main.yaml new file mode 100644 index 0000000..32b52d1 --- /dev/null +++ b/roles/www/tasks/main.yaml @@ -0,0 +1,12 @@ +--- +- tags: www_calendar + import_tasks: calendar.yaml + +- tags: www_mediawiki + include_tasks: mediawiki.yaml + +- tags: www_mqtt + include_tasks: mqtt.yaml + +- tags: www_spaceapi + include_tasks: spaceapi.yaml diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml new file mode 100644 index 0000000..a0db277 --- /dev/null +++ b/roles/www/tasks/mediawiki.yaml @@ -0,0 +1,21 @@ +--- +- name: Install dependencies + apt: + name: + - php-fpm + +- name: Allow HTTP/HTTPS + iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml new file mode 100644 index 0000000..1c9ed2a --- /dev/null +++ b/roles/www/tasks/mqtt.yaml @@ -0,0 +1,45 @@ +--- +- name: Install Mosquitto + apt: + name: mosquitto + +- name: Allow MQTT + iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 1883 } + - { ip: ipv6, port: 1883 } + notify: persist iptables + +- name: Install mqtt-simple + command: cpan Net::MQTT::Simple + +- name: Clone mqtt2web source + git: + repo: https://github.com/bitlair/mqtt2web.git + version: master + dest: /opt/mqtt2web + accept_hostkey: yes + notify: restart mqtt2web + +- name: Install mqtt2web service file + template: + src: mqtt2web.service + dest: /etc/systemd/system/mqtt2web.service + owner: root + group: root + mode: 0644 + notify: restart mqtt2web + +- name: Enable mqtt2web + systemd: + name: mqtt2web + state: started + enabled: true + daemon_reload: true diff --git a/roles/www/tasks/spaceapi.yaml b/roles/www/tasks/spaceapi.yaml new file mode 100644 index 0000000..85fa72f --- /dev/null +++ b/roles/www/tasks/spaceapi.yaml @@ -0,0 +1,24 @@ +--- +- name: Clone spaceapi source + git: + repo: https://github.com/bitlair/spaceapi.git + version: master + dest: /opt/spaceapi + accept_hostkey: yes + notify: restart spaceapi + +- name: Install spaceapi service file + template: + src: spaceapi.service + dest: /etc/systemd/system/spaceapi.service + owner: root + group: root + mode: 0644 + notify: restart spaceapi + +- name: Enable spaceapi + systemd: + name: spaceapi + state: started + enabled: true + daemon_reload: true diff --git a/roles/www/templates/calendar.cron b/roles/www/templates/calendar.cron new file mode 100644 index 0000000..2f9d1da --- /dev/null +++ b/roles/www/templates/calendar.cron @@ -0,0 +1,6 @@ +# Managed by Ansible + +SHELL=/bin/sh +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin + +42 * * * * bitlair-calendar /usr/local/src/bitlair-calendar/calendarparser.py /var/lib/bitlair-calendar/events.ics diff --git a/roles/www/templates/matrix-delegation.json b/roles/www/templates/matrix-delegation.json new file mode 100644 index 0000000..9a49cc7 --- /dev/null +++ b/roles/www/templates/matrix-delegation.json @@ -0,0 +1,3 @@ +{ + "m.server": "matrix.bitlair.nl" +} diff --git a/roles/www/templates/mqtt2web.service b/roles/www/templates/mqtt2web.service new file mode 100644 index 0000000..ff0a989 --- /dev/null +++ b/roles/www/templates/mqtt2web.service @@ -0,0 +1,15 @@ +# Managed by Ansible + +[Unit] +Description=MQTT to Web +After=network.target + +[Service] +Type=simple +Restart=on-failure +RestartSec=10s +ExecStart=/usr/bin/perl /opt/mqtt2web/mqtt2web.pl +DynamicUser=true + +[Install] +WantedBy=multi-user.target diff --git a/roles/www/templates/nginx-site.conf b/roles/www/templates/nginx-site.conf new file mode 100644 index 0000000..1076138 --- /dev/null +++ b/roles/www/templates/nginx-site.conf @@ -0,0 +1,131 @@ +# Managed by Ansible + +server { + listen 80 default_server; + listen 443 ssl default_server; + listen [::]:80 default_server; + listen [::]:443 ssl default_server; + + server_name bitlair.nl wiki.bitlair.nl www.bitlair.nl; + root /opt/bitlair-wiki/; + + {% if acme_bootstrap_certs %} + include "snippets/snakeoil.conf"; + {% else %} + ssl_certificate "/var/lib/dehydrated/certs/{{ www_domain }}/fullchain.pem"; + ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem"; + {% endif %} + + # SSL settings from https://cipherli.st/ - AK47 15 jan 2017 + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + + client_max_body_size 32m; + client_body_timeout 60; + + index index.php; + + # mqtt2web + location = /mqtt { + proxy_pass http://localhost:8080/mqtt; + include proxy_params; + proxy_buffering off; + proxy_cache off; + proxy_http_version 1.1; + proxy_set_header Connection ''; + chunked_transfer_encoding off; + } + + # Space API + location = /statejson { + proxy_pass http://localhost:8888; + include proxy_params; + add_header 'Access-Control-Allow-Origin' '*'; + } + + # Photo gallery + location = /fotos { + return 302 $scheme://bitlair.nl/fotos/; + } + + location ~* ^/fotos/(.*)$ { + proxy_pass http://192.168.88.22:4567/$1$is_args$args; + } + + location ~ ^/state/(.+)$ { + alias /opt/spaceapi/assets/$1; + } + + location = /events.ics { + alias /var/lib/bitlair-calendar/events.ics; + } + + location ~ ^/(cache|maintenance|vendor|extensions)/ { + deny all; + } + + location = /api.php { + deny all; + } + + # Legacy space API stuff. + location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ { + root "/opt/legacy/"; + fastcgi_pass unix:/run/php/php-fpm.sock; + include fastcgi.conf; + } + + location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ { + root "/opt/legacy/"; + } + + location ~ ^/wp-content { + root "/opt/legacy/"; + } + + location = /statejson.php { + rewrite ^.+$ /statejson; + } + + + # Mediawiki + location / { + try_files $uri $uri/ @rewrite; + } + + location ~ \.php$ { + try_files $uri @rewrite; + fastcgi_pass unix:/run/php/php-fpm.sock; + fastcgi_index index.php; + include fastcgi.conf; + } + + location @rewrite { + rewrite ^/(.*)$ /index.php?title=$1$args; + } + + location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ { + try_files $uri @rewrite; + expires 1M; + } + + location = /_.gif { + expires max; + empty_gif; + } + + # Legacy: redirect old prefix. + location /Pages/ { + rewrite ^/Pages/(.*) https://$server_name/$1$args redirect; + } + + # Matrix realm delegation + location = /.well-known/matrix/server { + add_header "Content-Type" "application/json"; + add_header "Access-Control-Allow-Origin" "*"; + alias /opt/matrix-delegation.json; + } + + include "snippets/acme.conf"; +} diff --git a/roles/www/templates/spaceapi.service b/roles/www/templates/spaceapi.service new file mode 100644 index 0000000..ebb503b --- /dev/null +++ b/roles/www/templates/spaceapi.service @@ -0,0 +1,15 @@ +# Managed by Ansible + +[Unit] +Description=Space API +After=network.target + +[Service] +Type=simple +Restart=on-failure +RestartSec=10s +ExecStart=/usr/bin/python3 /opt/spaceapi/server.py +DynamicUser=true + +[Install] +WantedBy=multi-user.target