From af0dda2f9d96327fdf1e2dfeb6742013ef3f4df2 Mon Sep 17 00:00:00 2001 From: les Date: Sat, 21 Nov 2020 23:42:08 +0100 Subject: [PATCH] nginx + certbot yo --- README.md | 11 +++-- infra.yml | 41 +++++++++++-------- inventory.yml | 8 ++++ roles/nginx/tasks/main.ml | 32 --------------- roles/stable/common/tasks/main.yml | 8 +++- roles/stable/etherpad/meta/main.yml | 10 ++--- roles/stable/etherpad/tasks/postgresql.yml | 2 +- roles/stable/gancio/meta/main.yml | 4 +- roles/stable/gancio/tasks/main.yml | 4 +- roles/stable/nginx/tasks/certbot.yml | 22 ++++++++++ roles/stable/nginx/tasks/main.yml | 31 ++++++++++++++ roles/stable/nginx/templates/default.j2 | 19 +++++++++ .../nginx/templates/reverse_proxy.conf.j2 | 33 +++++++++++++++ vars/frontend.yml | 14 +++++++ 14 files changed, 170 insertions(+), 69 deletions(-) delete mode 100644 roles/nginx/tasks/main.ml create mode 100644 roles/stable/nginx/tasks/certbot.yml create mode 100644 roles/stable/nginx/tasks/main.yml create mode 100644 roles/stable/nginx/templates/default.j2 create mode 100644 roles/stable/nginx/templates/reverse_proxy.conf.j2 create mode 100644 vars/frontend.yml diff --git a/README.md b/README.md index 9162e37..ca676b8 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,14 @@ -# silicone +## Silicone Un angolo ragionato per facilitare la messa in opera di servizi autogestiti di prossimità -## Come si usa -Si imposta il proprio inventory (inventory.yml) e il proprio playbook -(infra.yml) +#### Come si usa +Si imposta il proprio inventory (inventory.yml) e il proprio playbook (infra.yml) -## Password +#### Password Per le password si usa pass, il path usato e' specificato nell'inventory -## Creare nuovi ruoli: +#### Creare nuovi ruoli: Ci sono varie possibilità, si può usare docker o vagrant, sono dentro `dev/`, per docker c'e' un README.md diff --git a/infra.yml b/infra.yml index e73c3c9..01af316 100644 --- a/infra.yml +++ b/infra.yml 
@@ -1,31 +1,36 @@ --- +## FRONTEND +- name: Frontend + hosts: frontend + roles: ['stable/common', 'stable/nginx'] + vars_files: vars/frontend.yml + tags: frontend -## ETHERPAD +# ETHERPAD - name: Etherpad hosts: paddone - roles: - - role: stable/common - - role: stable/etherpad - vars_files: - - vars/etherpad.yml + tags: etherpad + roles: ['stable/common', 'stable/etherpad'] + vars_files: vars/etherpad.yml -## CICLES +# CICLES - name: Cicles hosts: cicles - roles: - - role: stable/common - - role: stable/goploader + tags: cicles + roles: ['stable/common', 'stable/goploader'] -## GANCIO +# GANCIO - name: Gancio hosts: gancio - roles: - - role: stable/common - - role: stable/gancio - vars_files: - - vars/gancio.yml + tags: gancio + roles: ['stable/common', 'stable/gancio'] + vars_files: vars/gancio.yml - -## MASTODON +# TEST +- name: Test + hosts: test + roles: ['stable/common', 'stable/nginx'] + tags: test + vars_files: vars/frontend.yml diff --git a/inventory.yml b/inventory.yml index ac7f75a..97f7b95 100644 --- a/inventory.yml +++ b/inventory.yml @@ -7,6 +7,14 @@ cicles: gancio: hosts: 192.168.199.106 +frontend: + hosts: 172.172.0.3 + +test: + hosts: jolly.roger + vars: + ansible_user: debian + all: vars: passwordstore_path: cisti.org/ansible diff --git a/roles/nginx/tasks/main.ml b/roles/nginx/tasks/main.ml deleted file mode 100644 index 50b5b34..0000000 --- a/roles/nginx/tasks/main.ml +++ /dev/null 
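Review bot: The Test play at the end of the hunk loads the same `vars/frontend.yml` as the Frontend play, so on `jolly.roger` it inherits `with_certbot: true` and the production `servers` list; unless DNS for those names resolves to the test host, the certbot task would attempt and fail real ACME issuance for them on every run, and each attempt counts toward Let's Encrypt's issuance rate limits. Because `vars_files` take precedence over play `vars` and inventory vars, the override has to come from the same level or higher: give the Test play its own vars file with `with_certbot: false`, or run it with `-e with_certbot=false`. A smaller style point: the Frontend play puts `tags:` after `vars_files:` while the other plays put it before `roles:`, and its section header is `## FRONTEND` where the others were changed to a single `#`.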
@@ -1,32 +0,0 @@ ---- -- name: Install NGINX - become: yes - apt: - name: nginx - -- name: Disable NGINX Default Virtual Host - become: yes - file: - src: /etc/nginx/sites-enabled/default - state: unlink - -- name: Configure Reverse Proxies - become: yes - template: - src: reverse_proxy.conf - dest: /etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf - with_dict: "{{ proxies }}" - -- name: Link NGINX Reverse Proxies - file: - src: "/etc/nginx/sites-available/reverse_proxy_{{item.key}}.conf" - dest: "/etc/nginx/sites-enabled/reverse_proxy_{{item.key}}.conf" - state: link - with_dict: "{{ proxies }}" - -- name: Make sure NGINX Service is running - become: yes - service: - name: nginx - state: restarted - enabled: yes diff --git a/roles/stable/common/tasks/main.yml b/roles/stable/common/tasks/main.yml index f5abe3b..4df2d8f 100644 --- a/roles/stable/common/tasks/main.yml +++ b/roles/stable/common/tasks/main.yml @@ -2,10 +2,11 @@ - name: Update apt cache if needed become: yes apt: - update_cache=yes - cache_valid_time=3600 + update_cache: yes + cache_valid_time: 3600 - name: Install generic deps + become: yes apt: pkg: - git @@ -13,17 +14,20 @@ - acl - name: Add Backports Repository + become: yes apt_repository: repo: deb http://deb.debian.org/debian buster-backports main contrib non-free state: present update_cache: yes - name: Install Unattended Upgrades + become: yes apt: pkg: - unattended-upgrades - name: Activate Unattented Upgrades + become: yes copy: src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades diff --git a/roles/stable/etherpad/meta/main.yml b/roles/stable/etherpad/meta/main.yml index 09c58df..2b11771 100644 --- a/roles/stable/etherpad/meta/main.yml +++ b/roles/stable/etherpad/meta/main.yml 
@@ -12,11 +12,9 @@ dependencies: password: "{{ database_password }}" database: etherpad - # install caddy and configure it as reverse proxy - # - role: caddy + # install certbot nginx and configure it as reverse proxy + # - role: stable/nginx # when: with_nginx | bool # vars: - # caddy_config: | - # {{hostname}} - # encode gzip - # reverse_proxy localhost:31337 \ No newline at end of file + # with_certbot: true + # proxy_pass: http:// \ No newline at end of file diff --git a/roles/stable/etherpad/tasks/postgresql.yml b/roles/stable/etherpad/tasks/postgresql.yml index 8e1f34c..c34246a 100644 --- a/roles/stable/etherpad/tasks/postgresql.yml +++ b/roles/stable/etherpad/tasks/postgresql.yml @@ -1,7 +1,7 @@ --- - name: Install postgresql apt: - pkg: + pkg: - postgresql - python3-psycopg2 diff --git a/roles/stable/gancio/meta/main.yml b/roles/stable/gancio/meta/main.yml index d263422..a7704fd 100644 --- a/roles/stable/gancio/meta/main.yml +++ b/roles/stable/gancio/meta/main.yml @@ -2,11 +2,11 @@ dependencies: # install nodejs - - role: nodejs + - role: stable/nodejs # install postgres # and create an gancio user and db - - role: postgresql + - role: stable/postgresql vars: username: gancio password: "{{ database_password }}" diff --git a/roles/stable/gancio/tasks/main.yml b/roles/stable/gancio/tasks/main.yml index 33f3ffe..739f285 100644 --- a/roles/stable/gancio/tasks/main.yml +++ b/roles/stable/gancio/tasks/main.yml @@ -21,7 +21,7 @@ global: yes production: yes state: present - + - name: Copy settings template: src: config.json.j2 @@ -36,4 +36,4 @@ shell: pm2 start gancio -- start --config config.json args: chdir: /srv/gancio - ignore_errors: yes \ No newline at end of file + ignore_errors: yes diff --git a/roles/stable/nginx/tasks/certbot.yml b/roles/stable/nginx/tasks/certbot.yml new file mode 100644 index 0000000..f0d938f --- /dev/null +++ b/roles/stable/nginx/tasks/certbot.yml 
@@ -0,0 +1,22 @@
+---
+- name: Install snapd
+ become: yes
+ apt:
+ pkg: ['snapd']
+
+- name: Install snap core
+ become: yes
+ snap:
+ name: core
+
+- name: Install cerbot via snap
+ become: yes
+ snap:
+ name: certbot
+ classic: yes
+
+- name: Generate certificate if needed
+ become: yes
+ command: certbot-auto --nginx --non-interactive --agree-tos
+ --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
+ --email {{certbot_email}}
diff --git a/roles/stable/nginx/tasks/main.yml b/roles/stable/nginx/tasks/main.yml
new file mode 100644
index 0000000..60b7d0d
--- /dev/null
+++ b/roles/stable/nginx/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Install NGINX
+ become: yes
+ apt:
+ name: nginx
+
+- name: Configure Reverse Proxies
+ become: yes
+ template:
+ src: reverse_proxy.conf.j2
+ dest: /etc/nginx/sites-available/{{item.server_name}}.conf
+ loop: "{{ servers }}"
+
+- name: Link NGINX Reverse Proxies
+ become: yes
+ file:
+ src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
+ dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
+ state: link
+ loop: "{{ servers }}"
+
+- name: Make sure NGINX Service is running
+ become: yes
+ service:
+ name: nginx
+ state: restarted
+ enabled: yes
+
+- name: Run Certbot if needed
+ include: certbot.yml
+ when: with_certbot | bool
diff --git a/roles/stable/nginx/templates/default.j2 b/roles/stable/nginx/templates/default.j2
new file mode 100644
index 0000000..77e496a
--- /dev/null
+++ b/roles/stable/nginx/templates/default.j2
@@ -0,0 +1,19 @@
+
+ # cache
+ # proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+ keepalive 30;
+
+ # redirect all http traffic to https
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ # enable proxy websocket
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
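Review bot: The last task runs `certbot-auto`, but the task before it installs certbot from snap, which provides a `certbot` binary only; `certbot-auto` is the deprecated standalone script and will not be on the PATH, so the task fails as soon as `with_certbot` is true. The `--domains` expression (and `item.server_name` in `roles/stable/nginx/tasks/main.yml`) also expects each `servers` entry to carry `server_name` at top level, while `vars/frontend.yml` nests it under a `cicles:`/`gancio:` key, so `items2dict` raises on the first entry; flattening the entries to `- server_name: …` is the simplest fix and `map(attribute='server_name')` then reads better than the `items2dict` detour. The `command` has no `creates:`, so it re-runs on every play, and with the `--nginx` installer certbot rewrites the sites-available file that the template task regenerates on the next run, so the TLS server block is never persistent. Issuing with `certonly` and templating the 443 block in `reverse_proxy.conf.j2` from the `/etc/letsencrypt/live/<domain>/` paths keeps the config under Ansible control; the task would become (assuming the flattened `servers` entries):
```yaml
- name: Generate certificate if needed
  become: yes
  command: >-
    certbot certonly --nginx --non-interactive --agree-tos
    --domains {{ servers | map(attribute='server_name') | join(',') }}
    --email {{ certbot_email }}
  args:
    # certbot names the lineage after the first requested domain
    creates: /etc/letsencrypt/live/{{ servers[0].server_name }}/fullchain.pem
```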
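Review bot: The new role no longer unlinks `/etc/nginx/sites-enabled/default` (the deleted `roles/nginx/tasks/main.ml` did), and no task renders `templates/default.j2`, so the package's default server stays the catch-all for unmatched `Host` headers and the http-to-https redirect and the `$connection_upgrade` map in that template are never installed; add `file: { path: /etc/nginx/sites-enabled/default, state: absent }` after the install task, plus a template task rendering `default.j2` into `/etc/nginx/conf.d/`. `state: restarted` in the service task restarts nginx on every run, before certbot has run; `state: started` together with a `Reload nginx` handler notified by the template and link tasks avoids dropping connections on no-op runs. `include:` in the last task is a deprecated keyword in current Ansible; `import_tasks: certbot.yml` keeps the same static `when:` behaviour.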
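Review bot: `keepalive 30;` on the fourth line of the template is the upstream-block directive (idle connections kept to upstream servers) and is not allowed in the `http` context, so once this file is rendered into nginx's config the service fails its config check with a "not allowed here" error; drop it or use `keepalive_timeout 30;`, which is valid there. No task in this commit renders the template yet, so the error only surfaces when one is added. The `map $http_upgrade $connection_upgrade` defined here is the value that `reverse_proxy.conf.j2` should pass as the `Connection` header instead of the literal `"upgrade"`, so the two files are meant to be installed together.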
diff --git a/roles/stable/nginx/templates/reverse_proxy.conf.j2 b/roles/stable/nginx/templates/reverse_proxy.conf.j2
new file mode 100644
index 0000000..6bfcf6b
--- /dev/null
+++ b/roles/stable/nginx/templates/reverse_proxy.conf.j2
@@ -0,0 +1,33 @@
+# nginx ssl file
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{item.server_name}};
+
+ keepalive_timeout 200;
+ {{item.custom_config | default('') | indent(2)}}
+
+ location / {
+ proxy_pass {{item.proxy_pass}};
+ proxy_http_version 1.1;
+
+ # hide client ip to backend
+ proxy_set_header X-Real-IP 42.42.42.42;
+
+ # set host
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # upgrade websocket
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # cache
+ # proxy_cache {{item.server_name}}
+ }
+}
+
diff --git a/vars/frontend.yml b/vars/frontend.yml
new file mode 100644
index 0000000..6f05c2b
--- /dev/null
+++ b/vars/frontend.yml
@@ -0,0 +1,14 @@
+---
+with_certbot: true
+certbot_email: info@cisti.org
+servers:
+ - cicles:
+ server_name: antani.cisti.org
+ proxy_pass: http://192.168.199.105:8080
+ custom_config: |
+ sendfile on;
+ client_max_body_size 80m;
+
+ - gancio:
+ server_name: sblinda.cisti.org
+ proxy_pass: http://192.168.199.104:8000
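Review bot: The `X-Real-IP 42.42.42.42` line is commented as hiding the client IP from the backend, but `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` a few lines below appends `$remote_addr` to the incoming header, so the backend still receives the real client address, along with any client-supplied `X-Forwarded-For` values, which are appended rather than replaced. If anonymity is the intent, clear that header too with `proxy_set_header X-Forwarded-For "";`; if it is not, pass `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $remote_addr;` so the backend gets a value it can trust rather than a forgeable chain. `proxy_set_header Connection "upgrade";` sends `Connection: upgrade` on every proxied request even when `$http_upgrade` is empty; the usual form is `proxy_set_header Connection $connection_upgrade;` with the `map` from `default.j2`. The file only listens on port 80 although its header comment calls it an ssl file, so `X-Forwarded-Proto $scheme` is always `http` unless certbot's installer rewrites the file outside Ansible.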