diff --git a/group_vars/ffhh b/group_vars/ffhh deleted file mode 100644 index b9c8ee3..0000000 --- a/group_vars/ffhh +++ /dev/null @@ -1,4 +0,0 @@ ---- -ffhh: - prefix4: 10.112.0.0/18 - prefix6: 2a03:2267::/64 diff --git a/group_vars/ffhh.yml b/group_vars/ffhh.yml new file mode 100644 index 0000000..c83fe1c --- /dev/null +++ b/group_vars/ffhh.yml @@ -0,0 +1,4 @@ +--- +ffhh: + prefix4: 10.112.0.0/18 + prefix6: 2a03:2267::/64 diff --git a/group_vars/web.yml b/group_vars/web.yml new file mode 100644 index 0000000..a585282 --- /dev/null +++ b/group_vars/web.yml @@ -0,0 +1,12 @@ +--- +web: + ssl: + hamburg_freifunk_net: + cert: /etc/ssl/certs/hamburg.freifunk.net.crt + key: /etc/ssl/private/hamburg.freifunk.net.key + dhparam: /etc/ssl/dhparam/hamburg.freifunk.net.dh + + wildcard_hamburg_freifunk_net: + cert: /etc/ssl/certs/WILDCARD.hamburg.freifunk.net.crt + key: /etc/ssl/private/WILDCARD.hamburg.freifunk.net.key + dhparam: /etc/ssl/dhparam/WILDCARD.hamburg.freifunk.net.dh diff --git a/roles/nginx/files/etc/nginx/include/listing.conf b/roles/nginx/files/etc/nginx/include/listing.conf deleted file mode 100644 index d161622..0000000 --- a/roles/nginx/files/etc/nginx/include/listing.conf +++ /dev/null @@ -1,5 +0,0 @@ -location / { - autoindex on; - autoindex_exact_size on; - autoindex_localtime off; -} diff --git a/roles/nginx/files/etc/nginx/include/no_symlinks.conf b/roles/nginx/files/etc/nginx/include/no_symlinks.conf deleted file mode 100644 index 12a2b2a..0000000 --- a/roles/nginx/files/etc/nginx/include/no_symlinks.conf +++ /dev/null @@ -1 +0,0 @@ -disable_symlinks on from=$document_root; diff --git a/roles/nginx/files/etc/nginx/nginx.conf b/roles/nginx/files/etc/nginx/nginx.conf deleted file mode 100644 index c24c023..0000000 --- a/roles/nginx/files/etc/nginx/nginx.conf +++ /dev/null 
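Review bot: Nothing in `group_vars/web.yml` states that every entry under `web.ssl` must carry all three of `cert`, `key` and `dhparam`, yet the new `roles/web-server/base/tasks/main.yml` iterates `web.ssl.values() | map(attribute=...)` over exactly those keys, so a partial entry fails the loop rather than one vhost. A comment above `ssl:` such as `# Each entry needs cert, key and dhparam; web-server/base iterates over all entries.` would make the contract visible. It would also help to note that `cert`/`key` must be placed on the host by hand (the tasks only check them with `state=file`) while `dhparam` is generated by the role.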
@@ -1,84 +0,0 @@ -user www-data; -worker_processes 4; -pid /run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - ## - # Logging Settings - ## - - include /etc/nginx/include/no_logging.conf; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index 290e42c..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: be sure nginx is installed - apt: name=nginx state=latest - tags: nginx - -- name: copy includes - copy: > - src=etc/nginx/include - dest=/etc/nginx - mode=0644 - owner=root - group=root - notify: - - restart nginx - tags: nginx - -- name: remove default site - file: path={{ item }} state=absent - with_items: - - /etc/nginx/sites-available/default - - /etc/nginx/sites-enabled/default - - /var/www/html - notify: - - restart nginx - tags: nginx - -- name: configure nginx - copy: > - src=etc/nginx/nginx.conf - dest=/etc/nginx/nginx.conf - mode=0644 - owner=root - group=root - notify: - - restart nginx - tags: nginx diff --git a/roles/web-server/base/files/etc/nginx/include/listing.conf b/roles/web-server/base/files/etc/nginx/include/listing.conf new file mode 100644 index 0000000..7e9062c --- /dev/null +++ b/roles/web-server/base/files/etc/nginx/include/listing.conf @@ -0,0 +1,13 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Directory-Listing für den Host aktivieren. + +location / { + autoindex on; + autoindex_exact_size on; + autoindex_localtime off; +} diff --git a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf b/roles/web-server/base/files/etc/nginx/include/no_dotfiles.conf similarity index 55% rename from roles/nginx/files/etc/nginx/include/no_dotfiles.conf rename to roles/web-server/base/files/etc/nginx/include/no_dotfiles.conf index 4c26b8c..3e449d0 100644 --- a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf +++ b/roles/web-server/base/files/etc/nginx/include/no_dotfiles.conf @@ -1,4 +1,11 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + # Do not serve dotfiles. + location ~ /\. { deny all; access_log off; 
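Review bot: The managed-file banner misspells "ACHTUNG" as `# ACTHUNG:` on the second line of the new `listing.conf`, and the same header is copied verbatim into `no_dotfiles.conf`, `no_logging.conf`, `no_symlinks.conf`, `ssl.rewrite`, `ssl_common.conf`, `nginx.conf` and both `.j2` templates. Fix it once and re-copy, or better, keep the banner in a single snippet that the other files reference, so the next edit does not fan out over nine files again.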
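Review bot: `location ~ /\.` on the new side of `no_dotfiles.conf` matches every path segment that starts with a dot, which includes `/.well-known/`, so any later ACME/HTTP-01 validation or other `.well-known` use on these hosts would be answered with 403 by this include. If that is not wanted, an exception placed before it, e.g. `location ^~ /.well-known/ { }` with the document root, lets the prefix match win over the regex. The `location` block's closing brace lies outside the hunk.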
diff --git a/roles/nginx/files/etc/nginx/include/no_logging.conf b/roles/web-server/base/files/etc/nginx/include/no_logging.conf similarity index 79% rename from roles/nginx/files/etc/nginx/include/no_logging.conf rename to roles/web-server/base/files/etc/nginx/include/no_logging.conf index ed0e771..a16df03 100644 --- a/roles/nginx/files/etc/nginx/include/no_logging.conf +++ b/roles/web-server/base/files/etc/nginx/include/no_logging.conf @@ -1,3 +1,9 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + # Deaktiviert Logging access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen. diff --git a/roles/web-server/base/files/etc/nginx/include/no_symlinks.conf b/roles/web-server/base/files/etc/nginx/include/no_symlinks.conf new file mode 100644 index 0000000..fb62624 --- /dev/null +++ b/roles/web-server/base/files/etc/nginx/include/no_symlinks.conf @@ -0,0 +1,9 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Keine Symlinks erlauben. + +disable_symlinks on from=$document_root; diff --git a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite new file mode 100644 index 0000000..aef70f8 --- /dev/null +++ b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite @@ -0,0 +1,8 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Generischer Rewrite von HTTP nach HTTPS +rewrite ^ https://$server_name$request_uri? permanent; diff --git a/roles/web-server/base/files/etc/nginx/include/ssl_common.conf b/roles/web-server/base/files/etc/nginx/include/ssl_common.conf new file mode 100644 index 0000000..8f4f71c --- /dev/null +++ b/roles/web-server/base/files/etc/nginx/include/ssl_common.conf 
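Review bot: The last line of `ssl.rewrite`, `rewrite ^ https://$server_name$request_uri? permanent;`, relies on a subtlety that deserves a comment: `$request_uri` already contains the query string, and the trailing `?` is what stops nginx from appending the arguments a second time. A line such as `# $request_uri already carries the query string; the trailing ? prevents nginx from appending $args again` would keep someone from "fixing" it. The simpler idiom for a whole-site redirect is `return 301 https://$server_name$request_uri;`, which needs no regex or `?` trick; using `$server_name` rather than `$host` is the right choice here since the redirect target then cannot be steered by the request's Host header.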
@@ -0,0 +1,15 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Basis Konfiguration für SSL. Wird von allen vhosts includet. + +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; + +# Only strong ciphers in PFS mode +ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; diff --git a/roles/web-server/base/files/etc/nginx/nginx.conf b/roles/web-server/base/files/etc/nginx/nginx.conf new file mode 100644 index 0000000..503dd32 --- /dev/null +++ b/roles/web-server/base/files/etc/nginx/nginx.conf @@ -0,0 +1,67 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +user www-data; +worker_processes 4; +pid /run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + include /etc/nginx/include/no_logging.conf; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/web-server/base/handlers/main.yml b/roles/web-server/base/handlers/main.yml new file mode 100644 index 0000000..92971d2 
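Review bot: The comment `# Only strong ciphers in PFS mode` in `ssl_common.conf` does not match the list under it: all five suites are CBC/SHA-1 suites, no AEAD (GCM) suite is offered, and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled. For an include that "every vhost" pulls in, `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the target's nginx/OpenSSL support it) and an AEAD-first list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;` would make the comment true. `ssl_protocols` and `ssl_prefer_server_ciphers` are also set in the `http` block of the new `nginx.conf`; keeping them in one place avoids the two drifting apart.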
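Review bot: `# server_tokens off;` is carried over still commented out in the "Basic Settings" part of the new `nginx.conf`, so the server keeps announcing its nginx version in the `Server` header and on error pages. Since this file is now Ansible-managed and re-created here anyway, enabling it, `server_tokens off;`, is a one-line change. The `ssl_protocols`/`ssl_prefer_server_ciphers` pair in the "SSL Settings" section duplicates `ssl_common.conf` from the same commit; one of the two places should own those values.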
--- /dev/null +++ b/roles/web-server/base/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart nginx + service: name=nginx state=restarted diff --git a/roles/web-server/base/tasks/main.yml b/roles/web-server/base/tasks/main.yml new file mode 100644 index 0000000..71ebaad --- /dev/null +++ b/roles/web-server/base/tasks/main.yml 
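Review bot: The only handler in the new `roles/web-server/base/handlers/main.yml` is `restart nginx`, but no active task in `roles/web-server/base/tasks/main.yml` notifies it (every `notify:` there sits inside a commented-out task), and the `reload nginx config` handler the removed `base-static` tasks notified has no successor. For configuration changes a reload keeps connections open; consider adding `- name: reload nginx` with `service: name=nginx state=reloaded` alongside the restart handler and notifying that from the template/copy tasks. Block-style module arguments (`service:` with `name:` and `state:` keys) would also match the newer `file:` tasks in the same role.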
@@ -0,0 +1,84 @@ +--- +#- name: be sure nginx is installed +# apt: name=nginx state=latest +# tags: nginx + +- name: check ssl directories exist an have correct permissions + file: > + path="{{ item.path }}" + mode="{{ item.mode }}" + state=directory + with_items: + - { path: "/etc/ssl", mode: "0755" } + - { path: "/etc/ssl/certs", mode: "0755" } + - { path: "/etc/ssl/dhparam", mode: "0755" } + - { path: "/etc/ssl/private", mode: "0700" } + tags: + - nginx + - ssl + +- name: generate dhparams if those do not exist yet (can take a while) + command: "openssl dhparam -out {{ item }} 2048 creates={{ item }}" + with_items: "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}" + tags: + - nginx + - ssl + +- name: check certificates exist and have correct permissions + file: > + path="{{ item }}" + mode="0400" + state=file + with_flattened: + - "{{ web.ssl.values() | map(attribute = 'cert') | list }}" + - "{{ web.ssl.values() | map(attribute = 'key') | list }}" + - "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}" + tags: + - nginx + - ssl + +#- name: copy includes +# copy: > +# src=etc/nginx/include +# dest=/etc/nginx +# mode=0644 +# owner=root +# group=root +# notify: +# - restart nginx +# tags: nginx +# +#- name: apply templates +# template: > +# src="etc/nginx/{{ item }}.j2" +# dest="/etc/nginx/{{ item }}" +# mode=0644 +# owner=root +# group=root +# items: +# - include/ssl_wildcard.conf +# - include/ssl_hamburg.freifunk.net.conf +# notify: +# - restart nginx +# tags: nginx +# +#- name: remove default site +# file: path={{ item }} state=absent +# with_items: +# - /etc/nginx/sites-available/default +# - /etc/nginx/sites-enabled/default +# - /var/www/html +# notify: +# - restart nginx +# tags: nginx +# +#- name: configure nginx +# copy: > +# src=etc/nginx/nginx.conf +# dest=/etc/nginx/nginx.conf +# mode=0644 +# owner=root +# group=root +# notify: +# - restart nginx +# tags: nginx 
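Review bot: As committed, `roles/web-server/base/tasks/main.yml` installs none of the files this commit adds: the apt, "copy includes", "apply templates", "remove default site" and "configure nginx" tasks are all commented out, so `nginx.conf`, the includes and the two `.j2` templates never reach the host and nothing notifies `restart nginx`. The commented "apply templates" task also uses `items:` where the loop keyword is `with_items:`, so it will not iterate once it is re-enabled. In the dhparam task, `creates={{ item }}` inside the free-form `command:` string is the legacy form; `args: creates:` is the explicit one, and the `check certificates` task sets `mode="0400"` without `owner`/`group`, unlike the old role's tasks, so it is worth stating who is meant to own the key files. If the commented tasks are a deliberate staging step, the commit message should say so; otherwise the template task could read as below.

```yaml
# … unchanged: ssl directory, dhparam and certificate tasks …

- name: apply templates
  template:
    src: "etc/nginx/{{ item }}.j2"
    dest: "/etc/nginx/{{ item }}"
    mode: "0644"
    owner: root
    group: root
  with_items:
    - include/ssl_wildcard.conf
    - include/ssl_hamburg.freifunk.net.conf
  notify:
    - restart nginx
  tags: nginx
```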
diff --git a/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 b/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 new file mode 100644 index 0000000..f6070e5 --- /dev/null +++ b/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 @@ -0,0 +1,13 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat. + +ssl_certificate {{ web.ssl.hamburg_freifunk_net.cert }}; +ssl_certificate_key {{ web.ssl.hamburg_freifunk_net.key }}; +ssl_dhparam {{ web.ssl.hamburg_freifunk_net.dhparam }}; + +include /etc/nginx/include/ssl_common.conf; diff --git a/roles/web-server/base/templates/etc/nginx/include/ssl_wildcard.conf.j2 b/roles/web-server/base/templates/etc/nginx/include/ssl_wildcard.conf.j2 new file mode 100644 index 0000000..fed0f64 --- /dev/null +++ b/roles/web-server/base/templates/etc/nginx/include/ssl_wildcard.conf.j2 @@ -0,0 +1,13 @@ +# +# ACTHUNG: +# +# Wird via Ansible konfiguriert. Bitte nicht manuell ändern! +# + +# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat. + +ssl_certificate {{ web.ssl.wildcard_hamburg_freifunk_net.cert }}; +ssl_certificate_key {{ web.ssl.wildcard_hamburg_freifunk_net.key }}; +ssl_dhparam {{ web.ssl.wildcard_hamburg_freifunk_net.dhparam }}; + +include /etc/nginx/include/ssl_common.conf; diff --git a/roles/nginx/handlers/main.yml b/roles/web-server/updates/handlers/main.yml similarity index 100% rename from roles/nginx/handlers/main.yml rename to roles/web-server/updates/handlers/main.yml diff --git a/roles/website/ffnord/handlers/main.yml b/roles/website/ffnord/handlers/main.yml deleted file mode 100644 index 811526f..0000000 --- a/roles/website/ffnord/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml" 
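Review bot: The description line in `ssl_wildcard.conf.j2` is copied unchanged from `ssl_hamburg.freifunk.net.conf.j2` and says the file configures SSL with the `hamburg.freifunk.net` certificate, while the directives below it reference `web.ssl.wildcard_hamburg_freifunk_net`. Replace it with a line naming the wildcard certificate, e.g. `# Base SSL configuration with the wildcard hamburg.freifunk.net certificate.`, so the two otherwise identical-looking includes can be told apart.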
diff --git a/roles/website/ffnord/meta/main.yml b/roles/website/ffnord/meta/main.yml deleted file mode 100644 index f6688f0..0000000 --- a/roles/website/ffnord/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - role: nginx - diff --git a/roles/website/ffnord/tasks/main.yml b/roles/website/ffnord/tasks/main.yml deleted file mode 100644 index a1aa3cb..0000000 --- a/roles/website/ffnord/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml" - vars: - site: ffnord_site - domains: - - ffnord.net - - www.ffnord.net - - nord.freifunk.net - ports: - - { number: 80, ssl: false } - document_root: { path: /var/www/ffnord/site/site, create: false } - listing: false - -- name: clone ffnord.net repository - git: repo=https://github.com/ffnord/ffnord.net.git dest=/var/www/ffnord/site - tags: - - nginx - - website - - ffnord - diff --git a/roles/website/includes/base-static/handlers/main.yml b/roles/website/includes/base-static/handlers/main.yml deleted file mode 100644 index 90b14cc..0000000 --- a/roles/website/includes/base-static/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/nginx/handlers/main.yml" diff --git a/roles/website/includes/base-static/tasks/main.yml b/roles/website/includes/base-static/tasks/main.yml deleted file mode 100644 index 9f98f5c..0000000 --- a/roles/website/includes/base-static/tasks/main.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: configure {{ site }} site - template: > - src=site.j2 - dest=/etc/nginx/sites-available/{{ site }} - owner=root - group=root - mode=0644 - notify: reload nginx config - tags: - - nginx - - website - - "{{ site }}" - -- name: create {{ site }} root - file: path={{ document_root.path }} state=directory owner=www-data group=www-data mode=0755 - when: document_root.create - tags: - - nginx - - website - - "{{ site }}" - -- name: enable {{ site }} site - file: > - src=/etc/nginx/sites-available/{{ site }} - dest=/etc/nginx/sites-enabled/{{ site }} - owner=root - group=root - mode=0644 - state=link - notify: reload nginx config - tags: - - nginx - - website - - "{{ site }}" - diff --git a/roles/website/includes/base-static/templates/site.j2 b/roles/website/includes/base-static/templates/site.j2 deleted file mode 100644 index fbff97a..0000000 --- a/roles/website/includes/base-static/templates/site.j2 +++ /dev/null @@ -1,19 +0,0 @@ -{% for port in ports %} -server { - include /etc/nginx/include/no_logging.conf; - include /etc/nginx/include/no_dotfiles.conf; - include /etc/nginx/include/no_symlinks.conf; - - {% if listing %} - include /etc/nginx/include/listing.conf; - {% endif %} - - listen {{port.number}}{% if port.ssl %} ssl{% endif %}; - listen [::]:{{port.number}}{% if port.ssl %} ssl{% endif %}; - - server_name {{ domains | join(" ") }}; - - root {{ document_root.path }}; -} - -{% endfor %} diff --git a/roles/website/media/handlers/main.yml b/roles/website/media/handlers/main.yml deleted file mode 100644 index 811526f..0000000 --- a/roles/website/media/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml" diff --git a/roles/website/media/meta/main.yml b/roles/website/media/meta/main.yml deleted file mode 100644 index f6688f0..0000000 --- a/roles/website/media/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - role: nginx - 
diff --git a/roles/website/media/tasks/main.yml b/roles/website/media/tasks/main.yml deleted file mode 100644 index 54d4c57..0000000 --- a/roles/website/media/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml" - vars: - site: ffhh_media - domains: - - media.services.ffhh - - media.hamburg.freifunk.net - ports: - - { number: 80, ssl: false } - - { number: 443, ssl: true } - document_root: { path: /var/www/ffhh/media, create: true } - listing: true - diff --git a/roles/website/meta/handlers/main.yml b/roles/website/meta/handlers/main.yml deleted file mode 100644 index 811526f..0000000 --- a/roles/website/meta/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml" diff --git a/roles/website/meta/meta/main.yml b/roles/website/meta/meta/main.yml deleted file mode 100644 index f6688f0..0000000 --- a/roles/website/meta/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - role: nginx - diff --git a/roles/website/meta/tasks/main.yml b/roles/website/meta/tasks/main.yml deleted file mode 100644 index 775d260..0000000 --- a/roles/website/meta/tasks/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml" - vars: - site: ffhh_meta - domains: - - meta.hamburg.freifunk.net - ports: - - { number: 80, ssl: false } - - { number: 443, ssl: true } - document_root: { path: /var/www/ffhh/meta, create: true } - listing: true - diff --git a/site.yml b/site.yml index 9e24286..681aa6b 100644 --- a/site.yml +++ b/site.yml @@ -6,3 +6,12 @@ - hosts: ntp roles: - ntp-server + +# Webhosts +- hosts: web + roles: + - web-server/base + +#- hosts: srv02 +# roles: +# - web-server/updates diff --git a/srv02.inventory b/srv02.inventory index c3001d0..e80b3d0 100644 --- a/srv02.inventory +++ b/srv02.inventory 
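Review bot: The new `site.yml` play for `hosts: web` applies only `web-server/base`, while this commit deletes the `website/ffnord`, `website/media` and `website/meta` roles (and `website/includes/base-static`) without adding replacements, so after this change no vhost for those sites is provisioned any more. If this is an intentional intermediate step it should be stated in the commit message, as the role names in the removed `meta/main.yml` dependencies (`role: nginx`) also no longer resolve. The commented `srv02` play for `web-server/updates` has the same status and would be clearer with a one-line comment saying why it is disabled.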
@@ -1,9 +1,10 @@ srv02 ansible_ssh_host=srv02.hamburg.freifunk.net -[ntp] -srv02 - [ffhh] srv02 +[ntp] +srv02 +[web] +srv02