From 309105d948525aa57551f39c0a6855272004bb91 Mon Sep 17 00:00:00 2001 From: Mephisto Date: Tue, 24 Nov 2020 18:22:03 +0100 Subject: [PATCH] Add NGINX Role tailored for stateserver usage --- host_vars/stats.regensburg.freifunk.net | 2 ++ roles/web_stats/handlers/main.yml | 7 +++++ roles/web_stats/meta/main.yml | 5 ++++ roles/web_stats/tasks/main.yml | 26 ++++++++++++++++++ roles/web_stats/templates/certs.j2 | 15 +++++++++++ roles/web_stats/templates/vhost.j2 | 36 +++++++++++++++++++++++++ site.yml | 1 + 7 files changed, 92 insertions(+) create mode 100644 roles/web_stats/handlers/main.yml create mode 100644 roles/web_stats/meta/main.yml create mode 100644 roles/web_stats/tasks/main.yml create mode 100644 roles/web_stats/templates/certs.j2 create mode 100644 roles/web_stats/templates/vhost.j2 diff --git a/host_vars/stats.regensburg.freifunk.net b/host_vars/stats.regensburg.freifunk.net index 5132d99..8a16921 100644 --- a/host_vars/stats.regensburg.freifunk.net +++ b/host_vars/stats.regensburg.freifunk.net @@ -19,6 +19,8 @@ yanic_database_delete_after: 720d yanic_dbc_repondd_enable: false +nginx_ssl: true + yanic_influxdb: - enable: true host: http://127.0.0.1:8086 diff --git a/roles/web_stats/handlers/main.yml b/roles/web_stats/handlers/main.yml new file mode 100644 index 0000000..ff936dd --- /dev/null +++ b/roles/web_stats/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Restart nginx + service: name=nginx state=restarted + +- name: Run acertmgr + command: /usr/bin/acertmgr diff --git a/roles/web_stats/meta/main.yml b/roles/web_stats/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/web_stats/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/web_stats/tasks/main.yml b/roles/web_stats/tasks/main.yml new file mode 100644 index 0000000..fe734a8 --- /dev/null +++ b/roles/web_stats/tasks/main.yml 
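Review bot: The `Restart nginx` handler in roles/web_stats/handlers/main.yml uses `state=restarted`, which drops in-flight connections and, when the notifying template has rendered a broken vhost, leaves nginx down instead of running on the previous configuration; `state: reloaded` re-reads sites-enabled and the certificate files without either cost, and this one handler is notified by three of the tasks in tasks/main.yml including the certificate bootstrap. I would also move both handlers off the `key=value` shorthand to block YAML, e.g. `service:` / `name: nginx` / `state: reloaded`, matching how the openssl task in the same patch is written. If the handler is renamed to reflect the new state, the three `notify: Restart nginx` references in tasks/main.yml need the same change.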
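Review bot: The nginx dependency in roles/web_stats/meta/main.yml is written as a flow mapping with a capitalised boolean, `- { role: nginx, nginx_ssl: True }`, while host_vars/stats.regensburg.freifunk.net in the same patch sets the same variable as `nginx_ssl: true`; a role parameter outranks a host var, so the host_vars line is redundant for this host and the two spellings invite drift. I would write the dependency in block style with the canonical lowercase literal, `- role: nginx` followed by `  nginx_ssl: true`, and keep only one of the two definitions as the source of truth. The acertmgr dependency on the line above would read the same way, `- role: acertmgr`.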
@@ -0,0 +1,26 @@ +--- + +- name: Ensure certificates are available + command: + cmd: > + openssl req -x509 -nodes -newkey rsa:2048 + -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key + -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt + -days 730 -subj "/CN={{ ansible_fqdn }}" + creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt + notify: Restart nginx + +- name: Create web content directory + file: path=/var/www/html state=directory mode=0755 + +- name: Configure certificate manager + template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}.conf + notify: Run acertmgr + +- name: Configure vhosts + template: src=vhost.j2 dest=/etc/nginx/sites-available/www + notify: Restart nginx + +- name: Enable vhosts + file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link + notify: Restart nginx diff --git a/roles/web_stats/templates/certs.j2 b/roles/web_stats/templates/certs.j2 new file mode 100644 index 0000000..406db07 --- /dev/null +++ b/roles/web_stats/templates/certs.j2 @@ -0,0 +1,15 @@ +--- + +{{ ansible_fqdn }}: +- path: /etc/nginx/ssl/{{ ansible_fqdn }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ ansible_fqdn }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' diff --git a/roles/web_stats/templates/vhost.j2 b/roles/web_stats/templates/vhost.j2 new file mode 100644 index 0000000..3a5b5a0 --- /dev/null +++ b/roles/web_stats/templates/vhost.j2 
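Review bot: The `Ensure certificates are available` task writes the private key to `/etc/nginx/ssl/{{ ansible_fqdn }}.key` without fixing its owner or mode: whether `openssl req -keyout` creates the file 0600 depends on the OpenSSL build on the host, and nothing in the role restricts it until acertmgr later applies `perm: '400'` from certs.j2, which only happens once ACME issuance succeeds. I would add a follow-up task in the file's existing style, `- name: Restrict bootstrap key permissions` / `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root group=root mode=0400`, so the self-signed key is locked down from the first run. Two smaller points: `creates:` keys on the `.crt` only, so a missing `.key` with the certificate still present is never regenerated, and the task assumes `/etc/nginx/ssl` already exists — presumably the nginx role creates it, but a `file: state=directory` task here would make the role self-contained. The `/var/www/acme-challenge` directory aliased in vhost.j2 is likewise not created by this role.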
@@ -0,0 +1,36 @@ +server { + listen 80; + listen [::]:80; + + proxy_set_header X-Forwarded-For $remote_addr; + + server_name _; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + root /var/www/html; + +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + proxy_set_header X-Forwarded-For $remote_addr; + + server_name {{ ansible_fqdn }}; + + ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key; + ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt; + + root /var/www/html; + + location / { + proxy_pass http://localhost:3000/ + } + location /meshviewer { + alias /var/www/html/meshviewer; + } +} diff --git a/site.yml b/site.yml index 714bd40..6730ab0 100644 --- a/site.yml +++ b/site.yml @@ -37,6 +37,7 @@ - influxdb - grafana - yanic + - web_stats - name: Setup name servers hosts: ns1.regensburg.freifunk.net
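Review bot: The `proxy_pass http://localhost:3000/` directive in the 443 server block of roles/web_stats/templates/vhost.j2 has no terminating semicolon, so nginx rejects the rendered configuration and the `Restart nginx` handler notified by the vhost tasks would leave the service down; it needs to be `proxy_pass http://localhost:3000/;`. The port-80 server also serves `root /var/www/html` in the clear under `server_name _` instead of sending visitors to the TLS vhost, so anyone entering the bare hostname never reaches the certificate setup this patch builds; replacing that `root` line with `location / { return 301 https://$host$request_uri; }` keeps the acme-challenge location working and redirects everything else. The 443 block forwards only `X-Forwarded-For` to the upstream; if the service on port 3000 builds absolute URLs from the request, `proxy_set_header Host $host;` is presumably needed as well, which I cannot confirm from the patch. Using `$remote_addr` rather than a client-supplied forwarded header for `X-Forwarded-For` is the right choice for an edge proxy and should stay.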