bank.yaml

@@ -1,8 +1,8 @@
 ---
 
 - hosts: bank
+  roles:
+    - common
+    - bank
   vars:
     bank_revbank_git: https://github.com/bitlair/revbank.git
-  roles:
-    - { role: "common", tags: [ "common" ] }
-    - { role: "bank", tags: [ "bank" ] }

bar.yaml

@@ -4,6 +4,6 @@
   vars:
     raspi_rotate_display: "2"
   roles:
-    - { role: "raspi", tags: [ "raspi" ] }
+    - raspi
-    - { role: "common", tags: [ "common" ] }
+    - common
-    - { role: "bank-terminal", tags: [ "bank-terminal" ] }
+    - bank-terminal

bitlair.yaml

@@ -31,7 +31,6 @@
 - hosts: monitoring
   roles:
     - { role: "acme", tags: [ "acme" ] }
-    - { role: "nginx", tags: [ "nginx" ] }
     - { role: "monitoring", tags: [ "monitoring" ] }
 
 - hosts: mqtt
@@ -56,5 +55,4 @@
 - hosts: wiki
   roles:
     - { role: "acme", tags: [ "acme" ] }
-    - { role: "nginx", tags: [ "nginx" ] }
     - { role: "www", tags: [ "www" ] }

group_vars/pad.yaml

@@ -1,7 +1 @@
----
-
 etherpad_domain: pad.bitlair.nl
-
-nginx_sites:
-  - server_name: "pad.bitlair.nl"
-    localproxy: "9001"

group_vars/wiki.yaml

@@ -1,21 +0,0 @@
-acme_bootstrap_certs: yes
-acme_san_domains:
-  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
-  - [ bitair.nl ]
-  - [ ravespace.nl ]
-
-nginx_sites:
-  - server_name: "bitlair.nl"
-    server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
-    snippets:
-      - "mqtt2web-nginx.j2"
-      - "spaceapi-nginx.j2"
-      - "www-nginx.j2"
-  - server_name: "bitair.nl"
-    server_alias: "www.bitair.nl"
-    snippets:
-      - "bitair-nginx.j2"
-  - server_name: "ravespace.nl"
-    server_alias: "www.ravespace.nl"
-    snippets:
-      - "ravespace-nginx.j2"

group_vars/www.yaml

@@ -0,0 +1,5 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
+  - [ bitair.nl ]
+  - [ ravespace.nl ]

mqtt-internal.yaml

@@ -2,5 +2,5 @@
 
 - hosts: mqtt
   roles:
-    - { role: "common", tags: [ "common" ] }
+    - common
-    - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] }
+    - mqtt-internal

music.yaml

@@ -2,8 +2,7 @@
 
 - hosts: music
   roles:
-    - { role: "common", tags: [ "common" ] }
+    - common
-    - { role: "acme", tags: [ "acme" ] }
+    - acme
-    - { role: "go", tags: [ "go" ] }
+    - go
-#    - { role: "nginx", tags: [ "nginx" ] }
+    - music
-    - { role: "music", tags: [ "music" ] }

pad.yaml

@@ -5,7 +5,6 @@
     acme_san_domains:
       - [ pad.bitlair.nl ]
   roles:
-    - { role: "common", tags: [ "common" ] }
+    - common
-    - { role: "acme", tags: [ "acme" ] }
+    - acme
-    - { role: "nginx", tags: [ "nginx" ] }
+    - etherpad
-    - { role: "etherpad", tags: [ "etherpad" ] }

roles/etherpad/tasks/main.yaml

@@ -1,6 +1,9 @@
 ---
 - tags: etherpad
   block:
+    - ansible.builtin.import_tasks:
+        file: ../../../snippets/common-nginx.yaml
+
     - name: Install dependencies
       ansible.builtin.apt:
         name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]

roles/git-server/tasks/main.yaml

@@ -1,4 +1,6 @@
 ---
+- ansible.builtin.import_tasks:
+    file: ../../../snippets/common-nginx.yaml
 
 - name: Install dependencies
   ansible.builtin.apt:

roles/monitoring/tasks/main.yaml

@@ -2,6 +2,9 @@
 - name: monitoring
   tags: monitoring
   block:
+    - ansible.builtin.import_tasks:
+        file: ../../../snippets/common-nginx.yaml
+
     - name: Install nginx site
       ansible.builtin.template:
         src: nginx-site.conf

roles/music/tasks/main.yaml

@@ -17,6 +17,8 @@
 
 - tags: music
   block:
+    - ansible.builtin.import_tasks:
+        file: ../../../snippets/common-nginx.yaml
 
     - name: Install nginx config
       ansible.builtin.template:

roles/www/tasks/mediawiki.yaml

@@ -4,6 +4,9 @@
     name: php-fpm
     state: present
 
+- ansible.builtin.import_tasks:
+    file: ../../../snippets/common-nginx.yaml
+
 - name: Install security.txt
   ansible.builtin.template:
     src: security.txt

snippets/bitair-nginx.j2

@@ -1,2 +0,0 @@
-root /opt/bitair.nl/;
-index index.html;

snippets/common-nginx.yaml

@@ -0,0 +1,18 @@
+---
+- name: Install nginx
+  apt:
+    name: nginx
+    state: present
+
+- name: Disable nginx server_tokens
+  lineinfile:
+    path: /etc/nginx/nginx.conf
+    line: "\tserver_tokens off;"
+    regexp: "server_tokens"
+  notify: reload nginx
+
+- name: Clear default nginx site
+  file:
+    state: absent
+    path: /etc/nginx/sites-enabled/default
+  notify: reload nginx

snippets/mqtt2web-nginx.j2

@@ -1,11 +0,0 @@
-# mqtt2web nginx config snippet
-
-location /mqtt/ {
-        proxy_pass http://localhost:8080/mqtt;
-        include proxy_params;
-        proxy_buffering off;
-        proxy_cache off;
-        proxy_http_version 1.1;
-        proxy_set_header Connection '';
-        chunked_transfer_encoding off;
-}

snippets/ravespace-nginx.j2

@@ -1,2 +0,0 @@
-root /opt/ravespace.nl/;
-index index.html;

snippets/spaceapi-nginx.j2

@@ -1,8 +0,0 @@
-# spaceapi nginx config snippet
-
-location = /statejson {
-    proxy_pass http://localhost:8888;
-    include proxy_params;
-    add_header 'Access-Control-Allow-Origin' '*';
-}
-

snippets/www-nginx.j2

@@ -1,89 +0,0 @@
-root /opt/mediawiki-1.41.1/;
-
-# Photo gallery
-location = /fotos {
-    return 302 $scheme://bitlair.nl/fotos/;
-}
-
-location ~* ^/fotos/(.*)$ {
-    proxy_pass http://204.2.68.2:4567/$1$is_args$args;
-}
-
-location ~ ^/state/(.+)$ {
-    alias /opt/spaceapi/assets/$1;
-}
-
-location = /events.ics {
-    alias /var/lib/bitlair-calendar/events.ics;
-}
-
-location ~ ^/(cache|maintenance|vendor|extensions)/ {
-    deny all;
-}
-
-# Legacy space API stuff.
-location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
-    root "/opt/legacy/";
-    fastcgi_pass unix:/run/php/php-fpm.sock;
-    include fastcgi.conf;
-}
-
-location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
-    root "/opt/legacy/";
-}
-
-location ~ ^/wp-content {
-    root "/opt/legacy/";
-}
-
-location = /statejson.php {
-    rewrite ^.+$ /statejson;
-}
-
-# Mediawiki
-location / {
-    try_files $uri $uri/ @rewrite;
-}
-
-location ~ \.php$ {
-    try_files $uri @rewrite;
-    fastcgi_pass unix:/run/php/php-fpm.sock;
-    fastcgi_index index.php;
-    include fastcgi.conf;
-}
-
-location @rewrite {
-#    rewrite ^/(.*)$ /index.php;
-    rewrite ^/(.*)$ /index.php?title=$1$args;
-}
-
-location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
-    try_files $uri @rewrite;
-    expires 1M;
-}
-
-location = /_.gif {
-    expires max;
-    empty_gif;
-}
-
-#location /dumps {
-#    root /opt/bitlair-wiki/local;
-#    autoindex on;
-#}
-
-# Legacy: redirect old prefix.
-location /Pages/ {
-    rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
-}
-
-# Matrix realm delegation
-location = /.well-known/matrix/server {
-    add_header "Content-Type" "application/json";
-    add_header "Access-Control-Allow-Origin" "*";
-    alias /opt/matrix-delegation.json;
-}
-
-location = /.well-known/security.txt {
-    alias /opt/security.txt;
-}

wiki.yaml

@@ -1,8 +0,0 @@
----
-
-- hosts: wiki
-  roles:
-    - { role: "common", tags: [ "common" ] }
-    - { role: "acme", tags: [ "acme" ] }
-    - { role: "nginx", tags: [ "nginx" ] }
-    - { role: "www", tags: [ "www" ] }

www.yaml

@@ -0,0 +1,7 @@
+---
+
+- hosts: wiki
+  roles:
+    - common
+    - acme
+    - www