freifunk/ansible-config
8
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nginx-Setup WIP

Browse source
This commit is contained in:
baldo 2015-11-14 17:15:39 +01:00
parent 96fa7430e6
commit ed703884ec
33 changed files with 267 additions and 253 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
group_vars/ffhh
View file

@ -1,4 +0,0 @@
---
ffhh:
prefix4: 10.112.0.0/18
prefix6: 2a03:2267::/64

4
group_vars/ffhh.yml Normal file
View file

@ -0,0 +1,4 @@
---
ffhh:
prefix4: 10.112.0.0/18
prefix6: 2a03:2267::/64

12
group_vars/web.yml Normal file
View file

@ -0,0 +1,12 @@
---
web:
ssl:
hamburg_freifunk_net:
cert: /etc/ssl/certs/hamburg.freifunk.net.crt
key: /etc/ssl/private/hamburg.freifunk.net.key
dhparam: /etc/ssl/dhparam/hamburg.freifunk.net.dh
wildcard_hamburg_freifunk_net:
cert: /etc/ssl/certs/WILDCARD.hamburg.freifunk.net.crt
key: /etc/ssl/private/WILDCARD.hamburg.freifunk.net.key
dhparam: /etc/ssl/dhparam/WILDCARD.hamburg.freifunk.net.dh

5
roles/nginx/files/etc/nginx/include/listing.conf
View file

@ -1,5 +0,0 @@
location / {
autoindex on;
autoindex_exact_size on;
autoindex_localtime off;
}

1
roles/nginx/files/etc/nginx/include/no_symlinks.conf
View file

@ -1 +0,0 @@
disable_symlinks on from=$document_root;

84
roles/nginx/files/etc/nginx/nginx.conf
View file

@ -1,84 +0,0 @@
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
include /etc/nginx/include/no_logging.conf;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

36
roles/nginx/tasks/main.yml
View file

@ -1,36 +0,0 @@
---
- name: be sure nginx is installed
apt: name=nginx state=latest
tags: nginx
- name: copy includes
copy: >
src=etc/nginx/include
dest=/etc/nginx
mode=0644
owner=root
group=root
notify:
- restart nginx
tags: nginx
- name: remove default site
file: path={{ item }} state=absent
with_items:
- /etc/nginx/sites-available/default
- /etc/nginx/sites-enabled/default
- /var/www/html
notify:
- restart nginx
tags: nginx
- name: configure nginx
copy: >
src=etc/nginx/nginx.conf
dest=/etc/nginx/nginx.conf
mode=0644
owner=root
group=root
notify:
- restart nginx
tags: nginx

13
roles/web-server/base/files/etc/nginx/include/listing.conf Normal file
View file

@ -0,0 +1,13 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Directory-Listing für den Host aktivieren.
location / {
autoindex on;
autoindex_exact_size on;
autoindex_localtime off;
}

7
roles/nginx/files/etc/nginx/include/no_dotfiles.conf → roles/web-server/base/files/etc/nginx/include/no_dotfiles.conf
View file

@ -1,4 +1,11 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Do not serve dotfiles. # Do not serve dotfiles.
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; access_log off;

6
roles/nginx/files/etc/nginx/include/no_logging.conf → roles/web-server/base/files/etc/nginx/include/no_logging.conf
View file

@ -1,3 +1,9 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Deaktiviert Logging # Deaktiviert Logging
access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen. access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.

9
roles/web-server/base/files/etc/nginx/include/no_symlinks.conf Normal file
View file

@ -0,0 +1,9 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Keine Symlinks erlauben.
disable_symlinks on from=$document_root;

8
roles/web-server/base/files/etc/nginx/include/ssl.rewrite Normal file
View file

@ -0,0 +1,8 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Generischer Rewrite von HTTP nach HTTPS
rewrite ^ https://$server_name$request_uri? permanent;

15
roles/web-server/base/files/etc/nginx/include/ssl_common.conf Normal file
View file

@ -0,0 +1,15 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Basis Konfiguration für SSL. Wird von allen vhosts includet.
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Only strong ciphers in PFS mode
ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

67
roles/web-server/base/files/etc/nginx/nginx.conf Normal file
View file

@ -0,0 +1,67 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
include /etc/nginx/include/no_logging.conf;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

3
roles/web-server/base/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
- name: restart nginx
service: name=nginx state=restarted

84
roles/web-server/base/tasks/main.yml Normal file
View file

@ -0,0 +1,84 @@
---
#- name: be sure nginx is installed
# apt: name=nginx state=latest
# tags: nginx
- name: check ssl directories exist an have correct permissions
file: >
path="{{ item.path }}"
mode="{{ item.mode }}"
state=directory
with_items:
- { path: "/etc/ssl", mode: "0755" }
- { path: "/etc/ssl/certs", mode: "0755" }
- { path: "/etc/ssl/dhparam", mode: "0755" }
- { path: "/etc/ssl/private", mode: "0700" }
tags:
- nginx
- ssl
- name: generate dhparams if those do not exist yet (can take a while)
command: "openssl dhparam -out {{ item }} 2048 creates={{ item }}"
with_items: "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}"
tags:
- nginx
- ssl
- name: check certificates exist and have correct permissions
file: >
path="{{ item }}"
mode="0400"
state=file
with_flattened:
- "{{ web.ssl.values() | map(attribute = 'cert') | list }}"
- "{{ web.ssl.values() | map(attribute = 'key') | list }}"
- "{{ web.ssl.values() | map(attribute = 'dhparam') | list }}"
tags:
- nginx
- ssl
#- name: copy includes
# copy: >
# src=etc/nginx/include
# dest=/etc/nginx
# mode=0644
# owner=root
# group=root
# notify:
# - restart nginx
# tags: nginx
#
#- name: apply templates
# template: >
# src="etc/nginx/{{ item }}.j2"
# dest="/etc/nginx/{{ item }}"
# mode=0644
# owner=root
# group=root
# items:
# - include/ssl_wildcard.conf
# - include/ssl_hamburg.freifunk.net.conf
# notify:
# - restart nginx
# tags: nginx
#
#- name: remove default site
# file: path={{ item }} state=absent
# with_items:
# - /etc/nginx/sites-available/default
# - /etc/nginx/sites-enabled/default
# - /var/www/html
# notify:
# - restart nginx
# tags: nginx
#
#- name: configure nginx
# copy: >
# src=etc/nginx/nginx.conf
# dest=/etc/nginx/nginx.conf
# mode=0644
# owner=root
# group=root
# notify:
# - restart nginx
# tags: nginx

13
roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 Normal file
View file

@ -0,0 +1,13 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
ssl_certificate {{ web.ssl.hamburg_freifunk_net.cert }};
ssl_certificate_key {{ web.ssl.hamburg_freifunk_net.key }};
ssl_dhparam {{ web.ssl.hamburg_freifunk_net.dhparam }};
include /etc/nginx/include/ssl_common.conf;

13
roles/web-server/base/templates/etc/nginx/include/ssl_wildcard.conf.j2 Normal file
View file

@ -0,0 +1,13 @@
#
# ACTHUNG:
#
# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
#
# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
ssl_certificate {{ web.ssl.wildcard_hamburg_freifunk_net.cert }};
ssl_certificate_key {{ web.ssl.wildcard_hamburg_freifunk_net.key }};
ssl_dhparam {{ web.ssl.wildcard_hamburg_freifunk_net.dhparam }};
include /etc/nginx/include/ssl_common.conf;

0
roles/nginx/handlers/main.yml → roles/web-server/updates/handlers/main.yml
View file

2
roles/website/ffnord/handlers/main.yml
View file

@ -1,2 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml"

4
roles/website/ffnord/meta/main.yml
View file

@ -1,4 +0,0 @@
---
dependencies:
- role: nginx

20
roles/website/ffnord/tasks/main.yml
View file

@ -1,20 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml"
vars:
site: ffnord_site
domains:
- ffnord.net
- www.ffnord.net
- nord.freifunk.net
ports:
- { number: 80, ssl: false }
document_root: { path: /var/www/ffnord/site/site, create: false }
listing: false
- name: clone ffnord.net repository
git: repo=https://github.com/ffnord/ffnord.net.git dest=/var/www/ffnord/site
tags:
- nginx
- website
- ffnord

2
roles/website/includes/base-static/handlers/main.yml
View file

@ -1,2 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/nginx/handlers/main.yml"

36
roles/website/includes/base-static/tasks/main.yml
View file

@ -1,36 +0,0 @@
---
- name: configure {{ site }} site
template: >
src=site.j2
dest=/etc/nginx/sites-available/{{ site }}
owner=root
group=root
mode=0644
notify: reload nginx config
tags:
- nginx
- website
- "{{ site }}"
- name: create {{ site }} root
file: path={{ document_root.path }} state=directory owner=www-data group=www-data mode=0755
when: document_root.create
tags:
- nginx
- website
- "{{ site }}"
- name: enable {{ site }} site
file: >
src=/etc/nginx/sites-available/{{ site }}
dest=/etc/nginx/sites-enabled/{{ site }}
owner=root
group=root
mode=0644
state=link
notify: reload nginx config
tags:
- nginx
- website
- "{{ site }}"

19
roles/website/includes/base-static/templates/site.j2
View file

@ -1,19 +0,0 @@
{% for port in ports %}
server {
include /etc/nginx/include/no_logging.conf;
include /etc/nginx/include/no_dotfiles.conf;
include /etc/nginx/include/no_symlinks.conf;
{% if listing %}
include /etc/nginx/include/listing.conf;
{% endif %}
listen {{port.number}}{% if port.ssl %} ssl{% endif %};
listen [::]:{{port.number}}{% if port.ssl %} ssl{% endif %};
server_name {{ domains | join(" ") }};
root {{ document_root.path }};
}
{% endfor %}

2
roles/website/media/handlers/main.yml
View file

@ -1,2 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml"

4
roles/website/media/meta/main.yml
View file

@ -1,4 +0,0 @@
---
dependencies:
- role: nginx

13
roles/website/media/tasks/main.yml
View file

@ -1,13 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml"
vars:
site: ffhh_media
domains:
- media.services.ffhh
- media.hamburg.freifunk.net
ports:
- { number: 80, ssl: false }
- { number: 443, ssl: true }
document_root: { path: /var/www/ffhh/media, create: true }
listing: true

2
roles/website/meta/handlers/main.yml
View file

@ -1,2 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml"

4
roles/website/meta/meta/main.yml
View file

@ -1,4 +0,0 @@
---
dependencies:
- role: nginx

12
roles/website/meta/tasks/main.yml
View file

@ -1,12 +0,0 @@
---
- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml"
vars:
site: ffhh_meta
domains:
- meta.hamburg.freifunk.net
ports:
- { number: 80, ssl: false }
- { number: 443, ssl: true }
document_root: { path: /var/www/ffhh/meta, create: true }
listing: true

9
site.yml
View file

@ -6,3 +6,12 @@
- hosts: ntp - hosts: ntp
roles: roles:
- ntp-server - ntp-server
# Webhosts
- hosts: web
roles:
- web-server/base
#- hosts: srv02
# roles:
# - web-server/updates

7
srv02.inventory
View file

@ -1,9 +1,10 @@
srv02 ansible_ssh_host=srv02.hamburg.freifunk.net srv02 ansible_ssh_host=srv02.hamburg.freifunk.net
[ntp]
srv02
[ffhh] [ffhh]
srv02 srv02
[ntp]
srv02
[web]
srv02