
nginx + certbot yo

les 3 years ago
parent
commit
af0dda2f9d

+ 5 - 6
README.md

@@ -1,15 +1,14 @@
-# silicone
+## Silicone
 Un angolo ragionato per facilitare la messa in opera di servizi autogestiti di prossimità
 
-## Come si usa
-Si imposta il proprio inventory (inventory.yml) e il proprio playbook
-(infra.yml) 
+#### Come si usa
+Si imposta il proprio inventory (inventory.yml) e il proprio playbook (infra.yml) 
 
   
-## Password
+#### Password
 Per le password si usa pass, il path usato e' specificato nell'inventory 
 
 
-## Creare nuovi ruoli:
+#### Creare nuovi ruoli:
 Ci sono varie possibilità, si può usare docker o vagrant, sono dentro
 `dev/`, per docker c'e' un README.md

+ 23 - 18
infra.yml

@@ -1,31 +1,36 @@
 ---
+## FRONTEND
+- name: Frontend
+  hosts: frontend
+  roles: ['stable/common', 'stable/nginx']
+  vars_files: vars/frontend.yml
+  tags: frontend
 
-## ETHERPAD
+# ETHERPAD
 - name: Etherpad
   hosts: paddone
-  roles:
-    - role: stable/common
-    - role: stable/etherpad
-  vars_files:
-    - vars/etherpad.yml
+  tags: etherpad
+  roles: ['stable/common', 'stable/etherpad']
+  vars_files: vars/etherpad.yml
 
 
-## CICLES
+# CICLES
 - name: Cicles
   hosts: cicles
-  roles:
-    - role: stable/common
-    - role: stable/goploader
+  tags: cicles
+  roles: ['stable/common', 'stable/goploader']
 
 
-## GANCIO
+# GANCIO
 - name: Gancio
   hosts: gancio
-  roles:
-    - role: stable/common
-    - role: stable/gancio
-  vars_files:
-    - vars/gancio.yml
+  tags: gancio
+  roles: ['stable/common', 'stable/gancio']
+  vars_files: vars/gancio.yml
 
-
-## MASTODON
+# TEST
+- name: Test
+  hosts: test
+  roles: ['stable/common', 'stable/nginx']
+  tags: test
+  vars_files: vars/frontend.yml
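Review bot: The Test play at the bottom of the hunk loads the same `vars/frontend.yml` as the Frontend play, so a run limited to the `test` tag also picks up `with_certbot: true` and asks for real certificates for the production server names from `jolly.roger`; presumably that host is not the one those names resolve to, so issuance would fail or needlessly consume the CA's rate limits. Give the Test play its own vars file, or override in the play with `vars: {with_certbot: false}`. Minor style point: `tags` sits before `roles` in the Etherpad, Cicles and Gancio plays and after it in the Frontend and Test plays; pick one order so the plays diff cleanly.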

+ 8 - 0
inventory.yml

@@ -7,6 +7,14 @@ cicles:
 gancio:
   hosts: 192.168.199.106
 
+frontend:
+  hosts: 172.172.0.3
+
+test:
+  hosts: jolly.roger
+  vars:
+    ansible_user: debian
+
 all:
   vars:
     passwordstore_path: cisti.org/ansible
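Review bot: The new `frontend` and `test` groups give `hosts` a plain scalar (`hosts: 172.172.0.3`, `hosts: jolly.roger`), copying the shape of the existing `gancio` group above; the YAML inventory plugin expects `hosts` to be a mapping of host names and, on the Ansible versions I know, skips a non-mapping value with a warning, which would leave the group empty. If the existing groups do resolve hosts today this may be a plugin difference worth confirming; otherwise write each host as a mapping key with no value, `hosts:` followed by `    172.172.0.3:` on the next line.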

+ 0 - 32
roles/nginx/tasks/main.ml

@@ -1,32 +0,0 @@
----
-- name: Install NGINX
-  become: yes
-  apt:
-    name: nginx
-
-- name: Disable NGINX Default Virtual Host
-  become: yes
-  file:
-    src: /etc/nginx/sites-enabled/default
-    state: unlink
-
-- name: Configure Reverse Proxies
-  become: yes
-  template:
-    src: reverse_proxy.conf
-    dest: /etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf
-  with_dict: "{{ proxies }}"
-
-- name: Link NGINX Reverse Proxies
-  file:
-    src: "/etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf"
-    dest: "/etc/nginx/sites-enabled/reverse_proxy_{{item.key}}.conf"
-    state: link
-  with_dict: "{{ proxies }}"
-
-- name: Make sure NGINX Service is running
-  become: yes
-  service:
-    name: nginx
-    state: restarted
-    enabled: yes

+ 6 - 2
roles/stable/common/tasks/main.yml

@@ -2,10 +2,11 @@
 - name: Update apt cache if needed
   become: yes
   apt:
-    update_cache=yes
-    cache_valid_time=3600
+    update_cache: yes
+    cache_valid_time: 3600
 
 - name: Install generic deps
+  become: yes
   apt:
     pkg:
       - git
@@ -13,17 +14,20 @@
       - acl
 
 - name: Add Backports Repository
+  become: yes
   apt_repository:
     repo: deb http://deb.debian.org/debian buster-backports main contrib non-free
     state: present
     update_cache: yes
 
 - name: Install Unattended Upgrades
+  become: yes
   apt:
     pkg:
       - unattended-upgrades
 
 - name: Activate Unattented Upgrades
+  become: yes
   copy:
     src: 20auto-upgrades
     dest: /etc/apt/apt.conf.d/20auto-upgrades
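Review bot: The four `become: yes` lines added in this section and the `update_cache: yes` fix in the first hunk use the YAML 1.1 truthy spelling, which ansible-lint and yamllint both flag; `become: true` / `update_cache: true` reads the same on every parser. While these tasks are being touched, the backports line they now run as root keeps the release hard-coded (`buster-backports`), so the role adds a wrong repository on any newer Debian host; `repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free` follows the target instead. The file's first line and any tasks after "Activate Unattented Upgrades" lie outside the hunks.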

+ 4 - 6
roles/stable/etherpad/meta/main.yml

@@ -12,11 +12,9 @@ dependencies:
       password: "{{ database_password }}"
       database: etherpad
 
-  # install caddy and configure it as reverse proxy
-  # - role: caddy
+  # install certbot nginx and configure it as reverse proxy
+  # - role: stable/nginx
   #   when: with_nginx | bool
   #   vars:
-  #     caddy_config: |
-  #       {{hostname}}
-  #       encode gzip
-  #       reverse_proxy localhost:31337
+  #     with_certbot: true
+  #     proxy_pass: http://
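Review bot: The rewritten example dependency does not match how the new `stable/nginx` role is driven: that role loops over a `servers` list and reads `item.server_name` / `item.proxy_pass` per entry, whereas the commented block passes a bare `proxy_pass` var, and its value `http://` is left unfinished. Since the commit moves the reverse proxy to the separate Frontend play, a pointer is more useful than a half-written dependency, e.g. `# reverse proxy for this host is configured by the Frontend play (see infra.yml and vars/frontend.yml)`. The `dependencies:` list starts above the hunk.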

+ 1 - 1
roles/stable/etherpad/tasks/postgresql.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install postgresql
   apt:
-    pkg: 
+    pkg:
       - postgresql
       - python3-psycopg2
 

+ 2 - 2
roles/stable/gancio/meta/main.yml

@@ -2,11 +2,11 @@
 dependencies:
 
   # install nodejs
-  - role: nodejs
+  - role: stable/nodejs
 
   # install postgres
   # and create an gancio user and db
-  - role: postgresql
+  - role: stable/postgresql
     vars:
       username: gancio
       password: "{{ database_password }}"

+ 2 - 2
roles/stable/gancio/tasks/main.yml

@@ -21,7 +21,7 @@
     global: yes
     production: yes
     state: present
-  
+
 - name: Copy settings
   template:
     src: config.json.j2
@@ -36,4 +36,4 @@
   shell: pm2 start gancio -- start --config config.json
   args:
     chdir: /srv/gancio
-  ignore_errors: yes
+  ignore_errors: yes

+ 22 - 0
roles/stable/nginx/tasks/certbot.yml

@@ -0,0 +1,22 @@
+---
+- name: Install snapd
+  become: yes
+  apt:
+    pkg: ['snapd']
+  
+- name: Install snap core
+  become: yes
+  snap:
+    name: core
+
+- name: Install cerbot via snap
+  become: yes
+  snap:
+    name: certbot
+    classic: yes
+
+- name: Generate certificate if needed
+  become: yes
+  command: certbot-auto --nginx --non-interactive --agree-tos
+      --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
+      --email {{certbot_email}}
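Review bot: The last task runs `certbot-auto`, but the snap installed two tasks earlier provides the `certbot` command; `certbot-auto` is the retired standalone wrapper and is not shipped by the snap, so on a fresh host this task should fail with a command-not-found error. The `--domains` expression goes through `items2dict`/`join` to obtain a comma list of names, which `map(attribute='server_name')` expresses directly, and the three-line plain scalar is clearer as a folded block. The task is also not idempotent as far as Ansible can tell (no `changed_when` or `creates`), so every run reports a change; whether certbot itself reissues on each run I cannot tell from here. The task name has a typo, `cerbot` → `certbot`.
```yaml
# … unchanged: snapd, snap core and certbot snap install tasks …
- name: Generate certificate if needed
  become: true
  command: >-
    certbot --nginx --non-interactive --agree-tos
    --domains {{ servers | map(attribute='server_name') | join(',') }}
    --email {{ certbot_email }}
```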

+ 31 - 0
roles/stable/nginx/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install NGINX
+  become: yes
+  apt:
+    name: nginx
+
+- name: Configure Reverse Proxies
+  become: yes
+  template:
+    src: reverse_proxy.conf.j2
+    dest: /etc/nginx/sites-available/{{item.server_name}}.conf
+  loop: "{{ servers }}"
+
+- name: Link NGINX Reverse Proxies
+  become: yes
+  file:
+    src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
+    dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
+    state: link
+  loop: "{{ servers }}"
+  
+- name: Make sure NGINX Service is running
+  become: yes
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+
+- name: Run Certbot if needed
+  include: certbot.yml
+  when: with_certbot | bool
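Review bot: Nothing in this task list deploys the `templates/default.j2` file added in the same commit, so the http-to-https redirect and the `$connection_upgrade` map it defines never reach the host; the old role's task that unlinked `/etc/nginx/sites-enabled/default` was dropped as well, leaving Debian's stock default site in place. "Make sure NGINX Service is running" uses `state: restarted`, which restarts nginx on every run and does so before certbot gets to touch the vhosts; `state: started` plus a `reload nginx` handler notified by the template and link tasks is the usual shape. The `include:` keyword on the last task has been deprecated since Ansible 2.4; `import_tasks: certbot.yml` with the same `when:` keeps the behaviour. Presumably a later run of the template task also overwrites whatever `certbot --nginx` wrote into `sites-available/<name>.conf`; worth confirming after a second run.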

+ 19 - 0
roles/stable/nginx/templates/default.j2

@@ -0,0 +1,19 @@
+
+	# cache
+	# proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=1g;
+  keepalive 30;
+
+	# redirect all http traffic to https
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+		server_name _;
+		return 301 https://$host$request_uri;
+	}
+
+	# enable proxy websocket
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      close;
+	}
+
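Review bot: `keepalive 30;` on the fourth line is an `upstream`-context directive; in the `http` context this snippet is evidently written for (it holds a `server` and a `map`), `nginx -t` should reject it with "directive is not allowed here", so the whole configuration fails to load once the file is installed. `keepalive_timeout 30;` is the http-level setting, or drop the line since the per-vhost template already sets `keepalive_timeout`. The file also mixes tab and space indentation (that same line uses spaces); pick one. `listen 80 default_server` here will clash with Debian's stock `sites-enabled/default` if that stays enabled, as the new role no longer removes it.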

+ 33 - 0
roles/stable/nginx/templates/reverse_proxy.conf.j2

@@ -0,0 +1,33 @@
+# nginx ssl file
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{item.server_name}};
+
+  keepalive_timeout 200;
+  {{item.custom_config | default('') | indent(2)}}
+
+  location / {
+    proxy_pass {{item.proxy_pass}};
+    proxy_http_version 1.1;
+
+    # hide client ip to backend
+    proxy_set_header X-Real-IP         42.42.42.42;
+
+    # set host 
+    proxy_set_header Host              $host;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host  $host;
+    proxy_set_header X-Forwarded-Port  $server_port;
+
+    # upgrade websocket
+    proxy_set_header Upgrade           $http_upgrade;
+    proxy_set_header Connection        "upgrade";
+
+    # cache
+    # proxy_cache {{item.server_name}}
+  }
+}
+
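Review bot: The `X-Real-IP 42.42.42.42` line is commented as hiding the client IP from the backend, but three lines later `X-Forwarded-For $proxy_add_x_forwarded_for` appends the real client address, so the backend still receives it and the fixed value only confuses log analysis. Decide which contract the backends get: to withhold the address, drop the `X-Forwarded-For` line as well; to pass it through, use `proxy_set_header X-Real-IP $remote_addr;`. `Connection "upgrade"` is sent unconditionally, so every proxied request carries `Connection: upgrade` even with no `Upgrade` header; the `$connection_upgrade` map in `default.j2` exists for exactly this (`proxy_set_header Connection $connection_upgrade;`), provided that file is actually installed. The vhost listens on 80 only, which is fine if the certbot nginx plugin is expected to add the TLS server block.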

+ 14 - 0
vars/frontend.yml

@@ -0,0 +1,14 @@
+---
+with_certbot: true
+certbot_email: info@cisti.org
+servers:
+  - cicles:
+    server_name: antani.cisti.org
+    proxy_pass: http://192.168.199.105:8080
+    custom_config: |
+      sendfile             on;
+      client_max_body_size 80m;
+
+  - gancio:
+    server_name: sblinda.cisti.org
+    proxy_pass: http://192.168.199.104:8000
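Review bot: The `- cicles:` and `- gancio:` lines leave a bare key with a null value inside each `servers` entry (the keys that follow sit at the same column, so they are siblings of that key, not its children), so every item carries a stray `cicles: null` / `gancio: null` next to `server_name`; the nginx role only reads `server_name`, `proxy_pass` and `custom_config`, so it works by accident. Make the label a comment and start the item on the first real key: `  # cicles` followed by `  - server_name: antani.cisti.org`. Bare `key:` values are also what yamllint's `empty-values` rule exists to catch.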