From 30e39eca310e74bd8bb5c6f70fb5054b8f575e4a Mon Sep 17 00:00:00 2001
From: baldo
Date: Sat, 29 Aug 2015 23:44:14 +0200
Subject: [PATCH] nginx und ffnord.net-Webseite
---
.../files/etc/nginx/include/no_dotfiles.conf | 7 ++
.../files/etc/nginx/include/no_logging.conf | 7 ++
.../files/etc/nginx/include/no_symlinks.conf | 1 +
roles/nginx/files/etc/nginx/nginx.conf | 84 +++++++++++++++++++
roles/nginx/handlers/main.yml | 3 +
roles/nginx/tasks/main.yml | 36 ++++++++
.../etc/nginx/sites-available/ffnord.net | 13 +++
roles/website/ffnord/handlers/main.yml | 3 +
roles/website/ffnord/meta/main.yml | 3 +
roles/website/ffnord/tasks/main.yml | 26 ++++++
services.yml | 1 +
11 files changed, 184 insertions(+)
create mode 100644 roles/nginx/files/etc/nginx/include/no_dotfiles.conf
create mode 100644 roles/nginx/files/etc/nginx/include/no_logging.conf
create mode 100644 roles/nginx/files/etc/nginx/include/no_symlinks.conf
create mode 100644 roles/nginx/files/etc/nginx/nginx.conf
create mode 100644 roles/nginx/handlers/main.yml
create mode 100644 roles/nginx/tasks/main.yml
create mode 100644 roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net
create mode 100644 roles/website/ffnord/handlers/main.yml
create mode 100644 roles/website/ffnord/meta/main.yml
create mode 100644 roles/website/ffnord/tasks/main.yml
diff --git a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf b/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
new file mode 100644
index 0000000..4c26b8c
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
@@ -0,0 +1,7 @@
+# Do not serve dotfiles.
+location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+
diff --git a/roles/nginx/files/etc/nginx/include/no_logging.conf b/roles/nginx/files/etc/nginx/include/no_logging.conf
new file mode 100644
index 0000000..ed0e771
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/include/no_logging.conf
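Review bot: The `location ~ /\.` rule in no_dotfiles.conf also matches `/.well-known/`, so every URI under that prefix is answered with 403 along with real dotfiles. If a certificate for this host is ever issued through an ACME HTTP-01 challenge, validation would fail; a prefix exception such as `location ^~ /.well-known/ { allow all; }` in the same include keeps the deny for everything else. A one-line comment on why `access_log off;` is repeated here would also help, since no_logging.conf already switches the access log off.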
@@ -0,0 +1,7 @@
+# Deaktiviert Logging
+
+access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
+
+# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+# So stellen wir sicher, dass keine IPs geloggt werden.
+error_log /dev/null crit;
diff --git a/roles/nginx/files/etc/nginx/include/no_symlinks.conf b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
new file mode 100644
index 0000000..12a2b2a
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
@@ -0,0 +1 @@
+disable_symlinks on from=$document_root;
diff --git a/roles/nginx/files/etc/nginx/nginx.conf b/roles/nginx/files/etc/nginx/nginx.conf
new file mode 100644
index 0000000..c24c023
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/nginx.conf
@@ -0,0 +1,84 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ include /etc/nginx/include/no_logging.conf;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..92971d2
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nginx
+ service: name=nginx state=restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..290e42c
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
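Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx.conf still offers TLS 1.0 and 1.1, both deprecated by RFC 8996; unless legacy clients must be served, reduce it to `ssl_protocols TLSv1.2;` and add TLSv1.3 where the installed nginx and OpenSSL support it. `ssl_prefer_server_ciphers on;` is set without an `ssl_ciphers` list, so the server's preference applies only to the built-in default order; an explicit list would make the intent reviewable. In the basic settings `# server_tokens off;` is left commented out, which means the nginx version is sent in the Server header and on error pages; enabling it fits the rest of this hardening.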
@@ -0,0 +1,36 @@
+---
+- name: be sure nginx is installed
+ apt: name=nginx state=latest
+ tags: nginx
+
+- name: copy includes
+ copy: >
+ src=etc/nginx/include
+ dest=/etc/nginx
+ mode=0644
+ owner=root
+ group=root
+ notify:
+ - restart nginx
+ tags: nginx
+
+- name: remove default site
+ file: path={{ item }} state=absent
+ with_items:
+ - /etc/nginx/sites-available/default
+ - /etc/nginx/sites-enabled/default
+ - /var/www/html
+ notify:
+ - restart nginx
+ tags: nginx
+
+- name: configure nginx
+ copy: >
+ src=etc/nginx/nginx.conf
+ dest=/etc/nginx/nginx.conf
+ mode=0644
+ owner=root
+ group=root
+ notify:
+ - restart nginx
+ tags: nginx
diff --git a/roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net b/roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net
new file mode 100644
index 0000000..69793f2
--- /dev/null
+++ b/roles/website/ffnord/files/etc/nginx/sites-available/ffnord.net
@@ -0,0 +1,13 @@
+server {
+ include /etc/nginx/include/no_logging.conf;
+ include /etc/nginx/include/no_dotfiles.conf;
+ include /etc/nginx/include/no_symlinks.conf;
+
+ listen 80;
+ listen [::]:80;
+
+ server_name ffnord.net www.ffnord.net nord.freifunk.net;
+
+ root /var/www/ffnord.net/site;
+}
+
diff --git a/roles/website/ffnord/handlers/main.yml b/roles/website/ffnord/handlers/main.yml
new file mode 100644
index 0000000..934dccb
--- /dev/null
+++ b/roles/website/ffnord/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: reload ffnord
+ service: name=nginx state=reloaded
diff --git a/roles/website/ffnord/meta/main.yml b/roles/website/ffnord/meta/main.yml
new file mode 100644
index 0000000..e3d1763
--- /dev/null
+++ b/roles/website/ffnord/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: nginx }
diff --git a/roles/website/ffnord/tasks/main.yml b/roles/website/ffnord/tasks/main.yml
new file mode 100644
index 0000000..9c517c8
--- /dev/null
+++ b/roles/website/ffnord/tasks/main.yml
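Review bot: The `configure nginx` task in roles/nginx/tasks/main.yml installs nginx.conf and notifies `restart nginx` without checking the file first, so a syntax error takes the web server down at the next restart. The `copy` module accepts a `validate` argument, e.g. `validate='nginx -t -c %s'`, which refuses to install a file nginx rejects; it depends on the include files already being present, which the earlier `copy includes` task provides. Separately, `apt: name=nginx state=latest` upgrades the package on any playbook run; a comment saying whether that is the intended patch policy would help the next maintainer.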
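Review bot: The ffnord.net server block listens only on port 80 (`listen 80;` and `listen [::]:80;`), so the site is served in cleartext even though nginx.conf sets `ssl_protocols`. For a setup that deliberately avoids logging visitor IPs, every request is still readable by anyone on the network path. Once a certificate is available, a `listen 443 ssl;` server with `ssl_certificate` and `ssl_certificate_key` plus a redirect from port 80 would close that gap. As the only server defined in this patch it also answers requests for any Host header; a separate `default_server` block returning 444 would restrict it to the three names in `server_name`.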
@@ -0,0 +1,26 @@
+---
+- name: configure ffnord.net site
+ copy: >
+ src=etc/nginx/sites-available/ffnord.net
+ dest=/etc/nginx/sites-available/ffnord.net
+ owner=root
+ group=root
+ mode=0644
+ notify: reload ffnord
+ tags: nginx
+
+- name: enable ffnord.net site
+ file: >
+ src=/etc/nginx/sites-available/ffnord.net
+ dest=/etc/nginx/sites-enabled/ffnord.net
+ owner=root
+ group=root
+ mode=0644
+ state=link
+ notify: reload ffnord
+ tags: nginx
+
+- name: clone ffnord.net repository
+ git: repo=https://github.com/ffnord/ffnord.net.git dest=/var/www/ffnord.net
+ tags: nginx
+
diff --git a/services.yml b/services.yml
index fa24abc..78ebf29 100644
--- a/services.yml
+++ b/services.yml
@@ -2,4 +2,5 @@ - hosts: services roles: - ntp-server + - website/ffnord
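Review bot: The `git:` task in `clone ffnord.net repository` sets no `version`, so each playbook run checks out whatever the repository's default branch head is at that moment and publishes it directly. Pinning it, e.g. `git: repo=https://github.com/ffnord/ffnord.net.git dest=/var/www/ffnord.net version=<tag-or-commit>`, makes deployments reproducible and keeps an unreviewed push from going live. Nothing in the visible tasks installs the `git` package, so the role presumably relies on it being present already. In `enable ffnord.net site`, `mode=0644` on a `state=link` task has no useful effect on the symlink and can be dropped.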