Automate light server

Co-authored-by: J <j@jsts.xyz>

playbooks/roles/add_apt_repository/meta/argument_specs.yml

@@ -0,0 +1,25 @@
+---
+argument_specs:
+  main:
+    short_description: Add a 3rd party apt repository to the system
+    options:
+      add_apt_repository__https_repo:
+        description: The repository URL uses HTTPS
+        required: true
+        type: bool
+      add_apt_repository__keyring_url:
+        description: URL to the repository's keyring
+        required: true
+        type: str
+      add_apt_repository__keyring_path:
+        description: Path where to store the keyring
+        required: true
+        type: str
+      add_apt_repository__repo:
+        description: The apt source line
+        required: true
+        type: str
+      add_apt_repository__filename:
+        description: Filename in /etc/apt/sources.list.d/
+        required: true
+        type: str

playbooks/roles/add_apt_repository/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Check OS family
+  ansible.builtin.fail:
+    msg: "Can only add apt repositories on Debian-based systems!"
+  when: ansible_facts.os_family != "Debian"
+- name: Install required apt packages for adding an apt repository
+  ansible.builtin.apt:
+    name:
+      - ca-certificates
+      - gnupg
+- name: Install apt-transport-https if https repository
+  ansible.builtin.apt:
+    name: apt-transport-https
+  when: add_apt_repository__https_repo
+- name: Add repository signing key to keychain
+  ansible.builtin.apt_key:
+    url: "{{ add_apt_repository__keyring_url }}"
+    keyring: "{{ add_apt_repository__keyring_path }}"
+    state: present
+- name: Add repository and update cache
+  ansible.builtin.apt_repository:
+    repo: "{{ add_apt_repository__repo }}"
+    filename: "{{ add_apt_repository__filename }}"

playbooks/roles/nginx/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Reload nginx
+  ansible.builtin.systemd:
+    service: nginx
+    state: reloaded

playbooks/roles/nginx/meta/argument_specs.yml

@@ -0,0 +1,20 @@
+---
+argument_specs:
+  main:
+    options:
+      nginx__enable_https_redirect:
+        description: Redirect HTTP traffic to HTTPS
+        type: bool
+        required: false
+      nginx__configs:
+        description: Configuration files to add to /etc/nginx/conf.d/
+        type: list
+        elements: dict
+        required: false
+        options:
+          name:
+            description: Name of the config file without file extension
+            type: str
+          content:
+            description: Content of the config file
+            type: str

playbooks/roles/nginx/meta/main.yml

@@ -0,0 +1,16 @@
+dependencies:
+  - role: distribution_check
+    vars:
+      distribution_check__supported_distributions:
+        - name: Debian
+          versions:
+            - "10"
+            - "11"
+  - role: add_apt_repository
+    vars:
+      add_apt_repository__https_repo: false
+      add_apt_repository__keyring_url: https://nginx.org/keys/nginx_signing.key
+      add_apt_repository__keyring_path: /usr/share/keyrings/nginx-archive-keyring.gpg
+      add_apt_repository__repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg]
+         http://nginx.org/packages/{{ ansible_facts.distribution | lower }} {{ ansible_facts.lsb.codename }} nginx
+      add_apt_repository__filename: nginx.list

playbooks/roles/nginx/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Setup up repository pinning
+  ansible.builtin.template:
+    src: 99nginx.j2
+    dest: /etc/apt/preferences.d/99nginx
+    mode: "0644"
+- name: Install nginx
+  ansible.builtin.apt:
+    update_cache: true
+    name: nginx
+    state: present
+- name: Delete default.conf
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
+  when: nginx__configs
+- name: Create nginx redirect.conf
+  ansible.builtin.template:
+    src: redirect.conf.j2
+    dest: /etc/nginx/conf.d/redirect.conf
+    mode: "0644"
+  when: nginx__enable_https_redirect is defined and nginx__enable_https_redirect
+- name: Create nginx tls.conf
+  ansible.builtin.template:
+    src: tls.conf.j2
+    dest: /etc/nginx/conf.d/tls.conf
+    mode: "0644"
+- name: Download dhparam file
+  ansible.builtin.get_url:
+    url: https://ssl-config.mozilla.org/ffdhe2048.txt
+    dest: /etc/nginx/dhparam.pem
+    mode: "0644"
+- name: Add user specified configs
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: /etc/nginx/conf.d/{{ item.name }}.conf
+    mode: "0644"
+  loop: "{{ nginx__configs }}"
+  notify: Reload nginx
+- name: Enable and start systemd service
+  ansible.builtin.systemd:
+    name: nginx.service
+    daemon_reload: true
+    enabled: true
+    state: started

playbooks/roles/nginx/templates/99nginx.j2

@@ -0,0 +1,4 @@
+Package: *
+Pin: origin nginx.org
+Pin: release o=nginx
+Pin-Priority: 900

playbooks/roles/nginx/templates/redirect.conf.j2

@@ -0,0 +1,9 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}

playbooks/roles/nginx/templates/tls.conf.j2

@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

playbooks/roles/ola/meta/argument_specs.yml

@@ -2,7 +2,21 @@
 argument_specs:
   main:
     options:
-      ola__enable_ftdi:
-        description: Enable FTDI USB DMX support
-        type: bool
+      ola__configs:
+        description: A list of ola configurations.
+        type: list
+        elements: dict
         required: true
+        options:
+          name:
+            description: >-
+              The name of the configuration file, where the configuration should
+              be deployed to. The file will be placed under `/etc/ola/` and
+              `.conf` will be appended to the given name. So in the end the path
+              will be like this: `/etc/ola/\{\ name \}\}.conf`.
+            type: str
+            required: true
+          content:
+            description: The content of the configuration.
+            type: str
+            required: true

playbooks/roles/ola/tasks/main.yml

@@ -1,13 +1,15 @@
 - name: Install ola
   ansible.builtin.apt:
     name: ola
-- name: Generate ola-ftdidmx.conf
-  ansible.builtin.template:
-    src: ola-ftdidmx.conf.j2
-    dest: /etc/ola/ola-ftdidmx.conf
-    mode: "0664"
+- name: Ensure all given configuraton files are deployed
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: /etc/ola/{{ item.name }}.conf
+    mode: 0644
     owner: olad
     group: olad
+  loop: "{{ ola__configs }}"
+  notify: Restart olad
 - name: Enable and start ola service
   ansible.builtin.systemd:
     name: olad.service