nginx + certbot yo
This commit is contained in:
parent
6b3c732ec2
commit
af0dda2f9d
14 changed files with 170 additions and 69 deletions
11
README.md
11
README.md
|
@ -1,15 +1,14 @@
|
|||
# silicone
|
||||
## Silicone
|
||||
Un angolo ragionato per facilitare la messa in opera di servizi autogestiti di prossimità
|
||||
|
||||
## Come si usa
|
||||
Si imposta il proprio inventory (inventory.yml) e il proprio playbook
|
||||
(infra.yml)
|
||||
#### Come si usa
|
||||
Si imposta il proprio inventory (inventory.yml) e il proprio playbook (infra.yml)
|
||||
|
||||
|
||||
## Password
|
||||
#### Password
|
||||
Per le password si usa pass, il path usato e' specificato nell'inventory
|
||||
|
||||
|
||||
## Creare nuovi ruoli:
|
||||
#### Creare nuovi ruoli:
|
||||
Ci sono varie possibilità, si può usare docker o vagrant, sono dentro
|
||||
`dev/`, per docker c'e' un README.md
|
||||
|
|
41
infra.yml
41
infra.yml
|
@ -1,31 +1,36 @@
|
|||
---
|
||||
## FRONTEND
|
||||
- name: Frontend
|
||||
hosts: frontend
|
||||
roles: ['stable/common', 'stable/nginx']
|
||||
vars_files: vars/frontend.yml
|
||||
tags: frontend
|
||||
|
||||
## ETHERPAD
|
||||
# ETHERPAD
|
||||
- name: Etherpad
|
||||
hosts: paddone
|
||||
roles:
|
||||
- role: stable/common
|
||||
- role: stable/etherpad
|
||||
vars_files:
|
||||
- vars/etherpad.yml
|
||||
tags: etherpad
|
||||
roles: ['stable/common', 'stable/etherpad']
|
||||
vars_files: vars/etherpad.yml
|
||||
|
||||
|
||||
## CICLES
|
||||
# CICLES
|
||||
- name: Cicles
|
||||
hosts: cicles
|
||||
roles:
|
||||
- role: stable/common
|
||||
- role: stable/goploader
|
||||
tags: cicles
|
||||
roles: ['stable/common', 'stable/goploader']
|
||||
|
||||
|
||||
## GANCIO
|
||||
# GANCIO
|
||||
- name: Gancio
|
||||
hosts: gancio
|
||||
roles:
|
||||
- role: stable/common
|
||||
- role: stable/gancio
|
||||
vars_files:
|
||||
- vars/gancio.yml
|
||||
tags: gancio
|
||||
roles: ['stable/common', 'stable/gancio']
|
||||
vars_files: vars/gancio.yml
|
||||
|
||||
|
||||
## MASTODON
|
||||
# TEST
|
||||
- name: Test
|
||||
hosts: test
|
||||
roles: ['stable/common', 'stable/nginx']
|
||||
tags: test
|
||||
vars_files: vars/frontend.yml
|
||||
|
|
|
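Review bot: The new Test play (`- name: Test`, `hosts: test`) loads `vars/frontend.yml`, which this commit introduces with `with_certbot: true`, `certbot_email` and the production `server_name`/`proxy_pass` entries, so a run against the test host would also reach the certbot include and request real certificates for the production hostnames while pointing its vhosts at the production backends. Unless that is intended, override it on the play, `vars: {with_certbot: false}`, or give the test play its own vars file. The old/new side of the `roles:` lines in this hunk is not recoverable from the rendered page; the point above rests only on `vars/frontend.yml` being new in the same commit.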
@ -7,6 +7,14 @@ cicles:
|
|||
gancio:
|
||||
hosts: 192.168.199.106
|
||||
|
||||
frontend:
|
||||
hosts: 172.172.0.3
|
||||
|
||||
test:
|
||||
hosts: jolly.roger
|
||||
vars:
|
||||
ansible_user: debian
|
||||
|
||||
all:
|
||||
vars:
|
||||
passwordstore_path: cisti.org/ansible
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
- name: Install NGINX
|
||||
become: yes
|
||||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: Disable NGINX Default Virtual Host
|
||||
become: yes
|
||||
file:
|
||||
src: /etc/nginx/sites-enabled/default
|
||||
state: unlink
|
||||
|
||||
- name: Configure Reverse Proxies
|
||||
become: yes
|
||||
template:
|
||||
src: reverse_proxy.conf
|
||||
dest: /etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf
|
||||
with_dict: "{{ proxies }}"
|
||||
|
||||
- name: Link NGINX Reverse Proxies
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/reverse_proxy_{{item.key}}.conf"
|
||||
state: link
|
||||
with_dict: "{{ proxies }}"
|
||||
|
||||
- name: Make sure NGINX Service is running
|
||||
become: yes
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
enabled: yes
|
|
@ -2,10 +2,11 @@
|
|||
- name: Update apt cache if needed
|
||||
become: yes
|
||||
apt:
|
||||
update_cache=yes
|
||||
cache_valid_time=3600
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
|
||||
- name: Install generic deps
|
||||
become: yes
|
||||
apt:
|
||||
pkg:
|
||||
- git
|
||||
|
@ -13,17 +14,20 @@
|
|||
- acl
|
||||
|
||||
- name: Add Backports Repository
|
||||
become: yes
|
||||
apt_repository:
|
||||
repo: deb http://deb.debian.org/debian buster-backports main contrib non-free
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: Install Unattended Upgrades
|
||||
become: yes
|
||||
apt:
|
||||
pkg:
|
||||
- unattended-upgrades
|
||||
|
||||
- name: Activate Unattented Upgrades
|
||||
become: yes
|
||||
copy:
|
||||
src: 20auto-upgrades
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
|
|
|
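Review bot: `repo: deb http://deb.debian.org/debian buster-backports main contrib non-free` pins the suite to buster, so on any other Debian release the task adds a backports list for the wrong distribution; `repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free` follows the host. The `20auto-upgrades` copy only enables the periodic runs; which origins unattended-upgrades actually applies is left to the package default unless it is configured elsewhere, which deserves a comment on the task. The task name `Activate Unattented Upgrades` has a typo (`Unattended`), and `become: yes` would read as `become: true` under yamllint's truthy rule.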
@ -12,11 +12,9 @@ dependencies:
|
|||
password: "{{ database_password }}"
|
||||
database: etherpad
|
||||
|
||||
# install caddy and configure it as reverse proxy
|
||||
# - role: caddy
|
||||
# install certbot nginx and configure it as reverse proxy
|
||||
# - role: stable/nginx
|
||||
# when: with_nginx | bool
|
||||
# vars:
|
||||
# caddy_config: |
|
||||
# {{hostname}}
|
||||
# encode gzip
|
||||
# reverse_proxy localhost:31337
|
||||
# with_certbot: true
|
||||
# proxy_pass: http://
|
|
@ -2,11 +2,11 @@
|
|||
dependencies:
|
||||
|
||||
# install nodejs
|
||||
- role: nodejs
|
||||
- role: stable/nodejs
|
||||
|
||||
# install postgres
|
||||
# and create an gancio user and db
|
||||
- role: postgresql
|
||||
- role: stable/postgresql
|
||||
vars:
|
||||
username: gancio
|
||||
password: "{{ database_password }}"
|
||||
|
|
22
roles/stable/nginx/tasks/certbot.yml
Normal file
22
roles/stable/nginx/tasks/certbot.yml
Normal file
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
- name: Install snapd
|
||||
become: yes
|
||||
apt:
|
||||
pkg: ['snapd']
|
||||
|
||||
- name: Install snap core
|
||||
become: yes
|
||||
snap:
|
||||
name: core
|
||||
|
||||
- name: Install cerbot via snap
|
||||
become: yes
|
||||
snap:
|
||||
name: certbot
|
||||
classic: yes
|
||||
|
||||
- name: Generate certificate if needed
|
||||
become: yes
|
||||
command: certbot-auto --nginx --non-interactive --agree-tos
|
||||
--domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
|
||||
--email {{certbot_email}}
|
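Review bot: `command: certbot-auto --nginx ...` calls the legacy wrapper script, but the preceding task installs certbot through snap, which provides the `certbot` command and not `certbot-auto`, so the task fails with command-not-found on a fresh host; `command: certbot --nginx --non-interactive --agree-tos` is the matching invocation. The `--domains` value goes through `items2dict(key_name='server_name', value_name='server_name') | join(',')`, which joins the keys of an intermediate dict; `servers | map(attribute='server_name') | join(',')` states the intent directly. The task also runs on every play; a `creates:` argument or a `stat` guard on the issued certificate directory would make it idempotent. Minor: the task name reads `Install cerbot via snap` (`certbot`), and `become: yes`/`classic: yes` would be `true` under yamllint's truthy rule.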
31
roles/stable/nginx/tasks/main.yml
Normal file
31
roles/stable/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
- name: Install NGINX
|
||||
become: yes
|
||||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: Configure Reverse Proxies
|
||||
become: yes
|
||||
template:
|
||||
src: reverse_proxy.conf.j2
|
||||
dest: /etc/nginx/sites-available/{{item.server_name}}.conf
|
||||
loop: "{{ servers }}"
|
||||
|
||||
- name: Link NGINX Reverse Proxies
|
||||
become: yes
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
|
||||
state: link
|
||||
loop: "{{ servers }}"
|
||||
|
||||
- name: Make sure NGINX Service is running
|
||||
become: yes
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
enabled: yes
|
||||
|
||||
- name: Run Certbot if needed
|
||||
include: certbot.yml
|
||||
when: with_certbot | bool
|
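Review bot: No task in this file disables the stock `/etc/nginx/sites-enabled/default` vhost (the `Disable NGINX Default Virtual Host` task from the removed role file is not carried over) and nothing deploys the new `templates/default.j2`, so after this change the distribution default server, not the template, answers requests that match no `server_name`. Either restore the unlink task or add a `template` task rendering `default.j2` to `/etc/nginx/sites-enabled/default`. `service: state: restarted` restarts nginx on every play regardless of changes; `state: started` plus a `notify: restart nginx` handler on the template and link tasks is the idempotent form. Note also that `certbot --nginx` edits the generated `{{item.server_name}}.conf` to add the TLS listeners, and the `template` task re-renders that file on the next run, so TLS is lost until the certbot include runs again; templating the TLS server block directly, or rendering the template only when the file is absent, avoids the round trip.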
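--- a/roles/stable/nginx/templates/default.j2
+++ b/roles/stable/nginx/templates/default.j2
@@ -0,0 +1,19 @@
+
+# cache
+# proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+keepalive 30;
+
+# redirect all http traffic to https
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name _;
+return 301 https://$host$request_uri;
+}
+
+# enable proxy websocket
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+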
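Review bot: `keepalive 30;` is an upstream-block directive, so with this file included at the http level (as files under `sites-enabled` presumably are) nginx rejects the configuration with "directive is not allowed here" and the role's restart task fails; `keepalive_timeout 30;` is likely what was meant. The `$connection_upgrade` map defined here is not referenced by `reverse_proxy.conf.j2`, which hardcodes `Connection "upgrade"`. No task in this commit appears to deploy this template, so as written it has no effect until one does.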
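--- a/roles/stable/nginx/templates/reverse_proxy.conf.j2
+++ b/roles/stable/nginx/templates/reverse_proxy.conf.j2
@@ -0,0 +1,33 @@
+# nginx ssl file
+
+server {
+listen 80;
+listen [::]:80;
+server_name {{item.server_name}};
+
+keepalive_timeout 200;
+{{item.custom_config | default('') | indent(2)}}
+
+location / {
+proxy_pass {{item.proxy_pass}};
+proxy_http_version 1.1;
+
+# hide client ip to backend
+proxy_set_header X-Real-IP 42.42.42.42;
+
+# set host
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# upgrade websocket
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+
+# cache
+# proxy_cache {{item.server_name}}
+}
+}
+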
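Review bot: The `# hide client ip to backend` stanza sets `X-Real-IP` to a fixed address, but the following `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` still forwards the real client address, so the backend sees it anyway and the comment does not hold. Decide on one policy: forward it consistently (`proxy_set_header X-Real-IP $remote_addr;`) or withhold it in both headers. `proxy_set_header Connection "upgrade";` forces the upgrade handshake on every proxied request; `proxy_set_header Connection $connection_upgrade;` uses the map from `default.j2` so plain requests keep `Connection: close`. The header comment `# nginx ssl file` is misleading for a server block that only listens on port 80 until certbot rewrites it.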
14
vars/frontend.yml
Normal file
14
vars/frontend.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
with_certbot: true
|
||||
certbot_email: info@cisti.org
|
||||
servers:
|
||||
- cicles:
|
||||
server_name: antani.cisti.org
|
||||
proxy_pass: http://192.168.199.105:8080
|
||||
custom_config: |
|
||||
sendfile on;
|
||||
client_max_body_size 80m;
|
||||
|
||||
- gancio:
|
||||
server_name: sblinda.cisti.org
|
||||
proxy_pass: http://192.168.199.104:8000
|
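Review bot: Each `servers` entry is written as `- cicles:` / `- gancio:` with `server_name` and `proxy_pass` on the following lines, which does not match how the role reads the list: `roles/stable/nginx` templates `{{item.server_name}}` and `certbot.yml` calls `items2dict(key_name='server_name', ...)`, both of which expect `server_name` as a top-level key of each item. If those keys are nested under `cicles`, `item.server_name` is undefined; if they are siblings (indentation is not visible on the rendered page), `cicles` is a stray null-valued key. `- name: cicles` followed by `server_name: antani.cisti.org` at the same level keeps the label and satisfies both consumers.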