nginx + certbot yo

README.md

@@ -1,15 +1,14 @@
-# silicone
+## Silicone
 Un angolo ragionato per facilitare la messa in opera di servizi autogestiti di prossimità
 
-## Come si usa
+#### Come si usa
-Si imposta il proprio inventory (inventory.yml) e il proprio playbook
+Si imposta il proprio inventory (inventory.yml) e il proprio playbook (infra.yml) 
-(infra.yml) 
 
   
-## Password
+#### Password
 Per le password si usa pass, il path usato e' specificato nell'inventory 
 
 
-## Creare nuovi ruoli:
+#### Creare nuovi ruoli:
 Ci sono varie possibilità, si può usare docker o vagrant, sono dentro
 `dev/`, per docker c'e' un README.md

infra.yml

@@ -1,31 +1,36 @@
 ---
+## FRONTEND
+- name: Frontend
+  hosts: frontend
+  roles: ['stable/common', 'stable/nginx']
+  vars_files: vars/frontend.yml
+  tags: frontend
 
-## ETHERPAD
+# ETHERPAD
 - name: Etherpad
   hosts: paddone
-  roles:
+  tags: etherpad
-    - role: stable/common
+  roles: ['stable/common', 'stable/etherpad']
-    - role: stable/etherpad
+  vars_files: vars/etherpad.yml
-  vars_files:
-    - vars/etherpad.yml
 
 
-## CICLES
+# CICLES
 - name: Cicles
   hosts: cicles
-  roles:
+  tags: cicles
-    - role: stable/common
+  roles: ['stable/common', 'stable/goploader']
-    - role: stable/goploader
 
 
-## GANCIO
+# GANCIO
 - name: Gancio
   hosts: gancio
-  roles:
+  tags: gancio
-    - role: stable/common
+  roles: ['stable/common', 'stable/gancio']
-    - role: stable/gancio
+  vars_files: vars/gancio.yml
-  vars_files:
-    - vars/gancio.yml
 
-
+# TEST
-## MASTODON
+- name: Test
+  hosts: test
+  roles: ['stable/common', 'stable/nginx']
+  tags: test
+  vars_files: vars/frontend.yml

inventory.yml

@@ -7,6 +7,14 @@ cicles:
 gancio:
   hosts: 192.168.199.106
 
+frontend:
+  hosts: 172.172.0.3
+
+test:
+  hosts: jolly.roger
+  vars:
+    ansible_user: debian
+
 all:
   vars:
     passwordstore_path: cisti.org/ansible

roles/nginx/tasks/main.ml

@@ -1,32 +0,0 @@
----
-- name: Install NGINX
-  become: yes
-  apt:
-    name: nginx
-
-- name: Disable NGINX Default Virtual Host
-  become: yes
-  file:
-    src: /etc/nginx/sites-enabled/default
-    state: unlink
-
-- name: Configure Reverse Proxies
-  become: yes
-  template:
-    src: reverse_proxy.conf
-    dest: /etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf
-  with_dict: "{{ proxies }}"
-
-- name: Link NGINX Reverse Proxies
-  file:
-    src: "/etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf"
-    dest: "/etc/nginx/sites-enabled/reverse_proxy_{{item.key}}.conf"
-    state: link
-  with_dict: "{{ proxies }}"
-
-- name: Make sure NGINX Service is running
-  become: yes
-  service:
-    name: nginx
-    state: restarted
-    enabled: yes

roles/stable/common/tasks/main.yml

@@ -2,10 +2,11 @@
 - name: Update apt cache if needed
   become: yes
   apt:
-    update_cache=yes
+    update_cache: yes
-    cache_valid_time=3600
+    cache_valid_time: 3600
 
 - name: Install generic deps
+  become: yes
   apt:
     pkg:
       - git
@@ -13,17 +14,20 @@
       - acl
 
 - name: Add Backports Repository
+  become: yes
   apt_repository:
     repo: deb http://deb.debian.org/debian buster-backports main contrib non-free
     state: present
     update_cache: yes
 
 - name: Install Unattended Upgrades
+  become: yes
   apt:
     pkg:
       - unattended-upgrades
 
 - name: Activate Unattented Upgrades
+  become: yes
   copy:
     src: 20auto-upgrades
     dest: /etc/apt/apt.conf.d/20auto-upgrades

roles/stable/etherpad/meta/main.yml

@@ -12,11 +12,9 @@ dependencies:
       password: "{{ database_password }}"
       database: etherpad
 
-  # install caddy and configure it as reverse proxy
+  # install certbot nginx and configure it as reverse proxy
-  # - role: caddy
+  # - role: stable/nginx
   #   when: with_nginx | bool
   #   vars:
-  #     caddy_config: |
+  #     with_certbot: true
-  #       {{hostname}}
+  #     proxy_pass: http://
-  #       encode gzip
-  #       reverse_proxy localhost:31337

roles/stable/etherpad/tasks/postgresql.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install postgresql
   apt:
-    pkg: 
+    pkg:
       - postgresql
       - python3-psycopg2
 

roles/stable/gancio/meta/main.yml

@@ -2,11 +2,11 @@
 dependencies:
 
   # install nodejs
-  - role: nodejs
+  - role: stable/nodejs
 
   # install postgres
   # and create an gancio user and db
-  - role: postgresql
+  - role: stable/postgresql
     vars:
       username: gancio
       password: "{{ database_password }}"

roles/stable/gancio/tasks/main.yml

@@ -21,7 +21,7 @@
     global: yes
     production: yes
     state: present
-  
+
 - name: Copy settings
   template:
     src: config.json.j2
@@ -36,4 +36,4 @@
   shell: pm2 start gancio -- start --config config.json
   args:
     chdir: /srv/gancio
-  ignore_errors: yes
+  ignore_errors: yes

roles/stable/nginx/tasks/certbot.yml

@@ -0,0 +1,22 @@
+---
+- name: Install snapd
+  become: yes
+  apt:
+    pkg: ['snapd']
+  
+- name: Install snap core
+  become: yes
+  snap:
+    name: core
+
+- name: Install cerbot via snap
+  become: yes
+  snap:
+    name: certbot
+    classic: yes
+
+- name: Generate certificate if needed
+  become: yes
+  command: certbot-auto --nginx --non-interactive --agree-tos
+      --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
+      --email {{certbot_email}}

roles/stable/nginx/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install NGINX
+  become: yes
+  apt:
+    name: nginx
+
+- name: Configure Reverse Proxies
+  become: yes
+  template:
+    src: reverse_proxy.conf.j2
+    dest: /etc/nginx/sites-available/{{item.server_name}}.conf
+  loop: "{{ servers }}"
+
+- name: Link NGINX Reverse Proxies
+  become: yes
+  file:
+    src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
+    dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
+    state: link
+  loop: "{{ servers }}"
+  
+- name: Make sure NGINX Service is running
+  become: yes
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+
+- name: Run Certbot if needed
+  include: certbot.yml
+  when: with_certbot | bool

roles/stable/nginx/templates/default.j2

@@ -0,0 +1,19 @@
+
+	# cache
+	# proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=1g;
+  keepalive 30;
+
+	# redirect all http traffic to https
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+		server_name _;
+		return 301 https://$host$request_uri;
+	}
+
+	# enable proxy websocket
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      close;
+	}
+

roles/stable/nginx/templates/reverse_proxy.conf.j2

@@ -0,0 +1,33 @@
+# nginx ssl file
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{item.server_name}};
+
+  keepalive_timeout 200;
+  {{item.custom_config | default('') | indent(2)}}
+
+  location / {
+    proxy_pass {{item.proxy_pass}};
+    proxy_http_version 1.1;
+
+    # hide client ip to backend
+    proxy_set_header X-Real-IP         42.42.42.42;
+
+    # set host 
+    proxy_set_header Host              $host;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host  $host;
+    proxy_set_header X-Forwarded-Port  $server_port;
+
+    # upgrade websocket
+    proxy_set_header Upgrade           $http_upgrade;
+    proxy_set_header Connection        "upgrade";
+
+    # cache
+    # proxy_cache {{item.server_name}}
+  }
+}
+

vars/frontend.yml

@@ -0,0 +1,14 @@
+---
+with_certbot: true
+certbot_email: info@cisti.org
+servers:
+  - cicles:
+    server_name: antani.cisti.org
+    proxy_pass: http://192.168.199.105:8080
+    custom_config: |
+      sendfile             on;
+      client_max_body_size 80m;
+
+  - gancio:
+    server_name: sblinda.cisti.org
+    proxy_pass: http://192.168.199.104:8000