nginx und ffnord.net-Webseite

2015-08-29 23:44:14 +02:00 · 2015-08-29 23:44:14 +02:00 · 30e39eca31
parent 3df8b2a1ea
commit 30e39eca31
11 changed files with 184 additions and 0 deletions
--- a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
+++ b/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
@ -0,0 +1,7 @@
+# Do not serve dotfiles.
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
--- a/roles/nginx/files/etc/nginx/include/no_logging.conf
+++ b/roles/nginx/files/etc/nginx/include/no_logging.conf
@ -0,0 +1,7 @@
+# Deaktiviert Logging
+
+access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
+
+# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+# So stellen wir sicher, dass keine IPs geloggt werden.
+error_log /dev/null crit;
--- a/roles/nginx/files/etc/nginx/include/no_symlinks.conf
+++ b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
@ -0,0 +1 @@
+disable_symlinks on from=$document_root;
--- a/roles/nginx/files/etc/nginx/nginx.conf
+++ b/roles/nginx/files/etc/nginx/nginx.conf
@ -0,0 +1,84 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        include /etc/nginx/include/no_logging.conf;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+        gzip_disable "msie6";
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#       # See sample authentication script at:
+#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#       # auth_http localhost/auth.php;
+#       # pop3_capabilities "TOP" "USER";
+#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#       server {
+#               listen     localhost:110;
+#               protocol   pop3;
+#               proxy      on;
+#       }
+# 
+#       server {
+#               listen     localhost:143;
+#               protocol   imap;
+#               proxy      on;
+#       }
+#}
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: restart nginx
+  service: name=nginx state=restarted
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,36 @@
+---
+- name: be sure nginx is installed
+  apt: name=nginx state=latest
+  tags: nginx
+
+- name: copy includes
+  copy: >
+    src=etc/nginx/include
+    dest=/etc/nginx
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: remove default site
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/nginx/sites-available/default
+    - /etc/nginx/sites-enabled/default
+    - /var/www/html
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: configure nginx
+  copy: >
+    src=etc/nginx/nginx.conf
+    dest=/etc/nginx/nginx.conf
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
--- a/roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net
+++ b/roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net
@ -0,0 +1,13 @@
+server {
+    include /etc/nginx/include/no_logging.conf;
+    include /etc/nginx/include/no_dotfiles.conf;
+    include /etc/nginx/include/no_symlinks.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name ffnord.net www.ffnord.net nord.freifunk.net;
+
+    root /var/www/ffnord.net/site;
+}
+
--- a/roles/website/ffnord/handlers/main.yml
+++ b/roles/website/ffnord/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: reload ffnord
+  service: name=nginx state=reloaded
--- a/roles/website/ffnord/meta/main.yml
+++ b/roles/website/ffnord/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: nginx }
--- a/roles/website/ffnord/tasks/main.yml
+++ b/roles/website/ffnord/tasks/main.yml
@ -0,0 +1,26 @@
+---
+- name: configure ffnord.net site
+  copy: >
+    src=etc/nginx/sites-available/ffnord.net
+    dest=/etc/nginx/sites-available/ffnord.net
+    owner=root
+    group=root
+    mode=0644
+  notify: reload ffnord
+  tags: nginx
+
+- name: enable ffnord.net site
+  file: >
+    src=/etc/nginx/sites-available/ffnord.net
+    dest=/etc/nginx/sites-enabled/ffnord.net
+    owner=root
+    group=root
+    mode=0644
+    state=link
+  notify: reload ffnord
+  tags: nginx
+
+- name: clone ffnord.net repository
+  git: repo=https://github.com/ffnord/ffnord.net.git dest=/var/www/ffnord.net
+  tags: nginx
+
--- a/services.yml
+++ b/services.yml
@ -2,4 +2,5 @@
 - hosts: services
  roles:
    - ntp-server
+    - website/ffnord