diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 6db469a..c76c13f 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -75,6 +75,9 @@ pve_targets: - pve01.ffrgb - pve02.ffrgb +searxng_domain: sx.regensburg.freifunk.net +searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net + site: ffrgb site_domain: regensburg.freifunk.net diff --git a/hosts b/hosts index 5cba15d..c654495 100644 --- a/hosts +++ b/hosts @@ -6,6 +6,7 @@ netbox.regensburg.freifunk.net ns1.regensburg.freifunk.net resolver.regensburg.freifunk.net stats.regensburg.freifunk.net +sx.regensburg.freifunk.net tiles.regensburg.freifunk.net web.regensburg.freifunk.net unms.ffrgb ansible_host=10.90.224.101 diff --git a/roles/searxng/handlers/main.yml b/roles/searxng/handlers/main.yml new file mode 100644 index 0000000..c03eed0 --- /dev/null +++ b/roles/searxng/handlers/main.yml @@ -0,0 +1,16 @@ +--- + +- name: Reload systemd + systemd: daemon_reload=yes + +- name: Restart searxng + service: name=searxng state=restarted + +- name: Restart searxng-reload + service: name=searxng-reload state=restarted + +- name: Restart nginx + service: name=nginx state=restarted + +- name: Run acertmgr + command: /usr/bin/acertmgr diff --git a/roles/searxng/meta/main.yml b/roles/searxng/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/searxng/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/searxng/tasks/main.yml b/roles/searxng/tasks/main.yml new file mode 100644 index 0000000..32e118c --- /dev/null +++ b/roles/searxng/tasks/main.yml 
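Review bot: The new handlers in roles/searxng/handlers/main.yml use the `key=value` module-argument shorthand (`systemd: daemon_reload=yes`, `service: name=searxng state=restarted`) and a `yes` boolean, where the Ansible convention is native block YAML with `true`, e.g. `systemd:` followed by `  daemon_reload: true`. The same style point applies to the flow-mapped dependencies in roles/searxng/meta/main.yml (`- { role: nginx, nginx_ssl: True }` → block form with `nginx_ssl: true`) and to the `key=value` tasks in roles/searxng/tasks/main.yml. This is a readability and lint (`truthy`) point only; the handlers behave as written.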
@@ -0,0 +1,61 @@ +--- + +- name: Install packages + apt: + name: + - docker.io + - docker-compose + +- name: Create searxng group + group: name=searxng + +- name: Create searxng user + user: + name: searxng + home: /opt/searxng + shell: /bin/bash + group: searxng + groups: docker + +- name: Configure searxng container + template: src=docker-compose.yml.j2 dest=/opt/searxng/docker-compose.yml + notify: Restart searxng + +- name: Ensure certificates are available + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ searxng_domain }}.key -out /etc/nginx/ssl/{{ searxng_domain }}.crt -days 730 -subj "/CN={{ searxng_domain }}" creates=/etc/nginx/ssl/{{ searxng_domain }}.crt + notify: Restart nginx + +- name: Configure certificate manager for searxng + template: src=certs.j2 dest=/etc/acertmgr/{{ searxng_domain }}.conf + notify: Run acertmgr + +- name: Configure vhost + template: src=vhost.j2 dest=/etc/nginx/sites-available/searxng + notify: Restart nginx + +- name: Enable vhost + file: src=/etc/nginx/sites-available/searxng dest=/etc/nginx/sites-enabled/searxng state=link + notify: Restart nginx + +# TODO config files inside /opt/searxng/searxng + +- name: Systemd unit for searxng + template: src=searxng.service.j2 dest=/etc/systemd/system/searxng.service + notify: + - Reload systemd + - Restart searxng + +- name: Systemd unit for searxng-reload + template: src=searxng-reload.{{ item }}.j2 dest=/etc/systemd/system/searxng-reload.{{ item }} + with_items: + - "service" + - "timer" + notify: + - Reload systemd + - Restart searxng-reload + +- name: Start the searxng service + service: name=searxng state=started enabled=yes + +- name: Enable auto update timer + service: name=searxng-reload.timer state=started enabled=yes diff --git a/roles/searxng/templates/certs.j2 b/roles/searxng/templates/certs.j2 new file mode 100644 index 0000000..208e5ee --- /dev/null +++ b/roles/searxng/templates/certs.j2 
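Review bot: The "Create searxng user" task puts the service account in the `docker` group, which is root-equivalent on the host through the Docker socket, so the `User=searxng` drop in the systemd unit gives no real privilege separation; that is a defensible trade-off for a compose-managed service, but it deserves a comment on the task, e.g. `# NOTE: docker group membership is root-equivalent; this account exists for file ownership, not isolation`. Also, `groups: docker` without `append: true` replaces the user's supplementary groups on every run, which is harmless for a fresh account but will silently drop any group added later. The compose template bind-mounts `./searxng` from `/opt/searxng` and nothing here creates that directory; if Docker creates it root-owned on first start the container may be unable to write its settings there — the `# TODO config files inside /opt/searxng/searxng` line appears to acknowledge this, and a `file:` task with `state: directory` and `owner: searxng` would close it.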
@@ -0,0 +1,15 @@ +--- + +{{ searxng_domains }}: +- path: /etc/nginx/ssl/{{ searxng_domain }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ searxng_domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' diff --git a/roles/searxng/templates/docker-compose.yml.j2 b/roles/searxng/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..d2ef70f --- /dev/null +++ b/roles/searxng/templates/docker-compose.yml.j2 @@ -0,0 +1,34 @@ +--- +version: "3.4" +services: + redis: + image: redis:alpine + tmpfs: + - /var/lib/redis + cap_drop: + - ALL + cap_add: + - SETGID + - SETUID + - DAC_OVERRIDE + + searxng: + image: searxng/searxng:latest + ports: + - "127.0.0.1:8000:8080" + volumes: + - ./searxng:/etc/searxng:rw + environment: + - SEARXNG_BASE_URL=https://{{ searxng_domain }}/ + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + - DAC_OVERRIDE + logging: + driver: "json-file" + options: + max-size: "1m" + max-file: "1" diff --git a/roles/searxng/templates/searxng-reload.service.j2 b/roles/searxng/templates/searxng-reload.service.j2 new file mode 100644 index 0000000..49fdc72 --- /dev/null +++ b/roles/searxng/templates/searxng-reload.service.j2 @@ -0,0 +1,7 @@ +[Unit] +Description=Refresh searxng images + +[Service] +Type=oneshot + +ExecStart=/bin/systemctl reload-or-restart searxng.service diff --git a/roles/searxng/templates/searxng-reload.timer.j2 b/roles/searxng/templates/searxng-reload.timer.j2 new file mode 100644 index 0000000..83e7a22 --- /dev/null +++ b/roles/searxng/templates/searxng-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Refresh searxng images +Requires=searxng.service +After=searxng.service + +[Timer] +OnCalendar=*:0/15 + +[Install] +WantedBy=timers.target 
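Review bot: `image: searxng/searxng:latest` (and `redis:alpine`) in docker-compose.yml.j2 are unpinned, and the searxng-reload timer added in this same commit triggers `ExecReload=-/usr/bin/docker-compose pull --quiet` every 15 minutes, so whatever upstream publishes to those tags is deployed automatically with no review step or rollback point. Pinning by digest (`image: searxng/searxng@sha256:<DIGEST-PLACEHOLDER>`) or at least a version tag bumped through Ansible would make each image change a reviewable commit; if automatic updating is the intent, a comment saying so is the minimum, e.g. `# intentionally :latest — refreshed every 15 min by searxng-reload.timer`. The `cap_drop: ALL` with a minimal `cap_add`, the tmpfs for redis and the `127.0.0.1:8000:8080` binding are all good; `read_only: true` on the redis service would presumably fit the same approach, though I cannot tell from the diff whether the image writes outside `/var/lib/redis`.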
diff --git a/roles/searxng/templates/searxng.service.j2 b/roles/searxng/templates/searxng.service.j2 new file mode 100644 index 0000000..e7520d9 --- /dev/null +++ b/roles/searxng/templates/searxng.service.j2 @@ -0,0 +1,34 @@ +[Unit] +Description=searxng service using docker compose +Requires=docker.service +After=docker.service +Before=nginx.service + +[Service] +Type=simple + +User=searxng +Group=searxng + +Restart=always +TimeoutStartSec=1200 + +WorkingDirectory=/opt/searxng + +# Make sure no old containers are running +ExecStartPre=/usr/bin/docker-compose down -v +# Update images +ExecStartPre=-/usr/bin/docker-compose pull --quiet + +# Compose up +ExecStart=/usr/bin/docker-compose up + +# Compose down, remove containers and volumes +ExecStop=/usr/bin/docker-compose down -v + +# Refresh on reload +ExecReload=-/usr/bin/docker-compose pull --quiet +ExecReload=/usr/bin/docker-compose up -d + +[Install] +WantedBy=multi-user.target diff --git a/roles/searxng/templates/vhost.j2 b/roles/searxng/templates/vhost.j2 new file mode 100644 index 0000000..6dab040 --- /dev/null +++ b/roles/searxng/templates/vhost.j2 @@ -0,0 +1,37 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ searxng_domains }}; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ searxng_domains }}; + + ssl_certificate_key /etc/nginx/ssl/{{ searxng_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ searxng_domain }}.crt; + + # set max upload size + client_max_body_size 8M; + + location / { + proxy_pass http://localhost:8000; + proxy_set_header Connection $http_connection; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} 
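Review bot: `ExecStart=/usr/bin/docker-compose up` runs compose attached in the foreground, while `ExecReload=/usr/bin/docker-compose up -d` recreates the same project's containers from a second process; whether the foreground process follows the recreated containers or is left attached to stale ones depends on the compose version, so this should be verified rather than assumed. A comment on the ExecReload line recording the observed behaviour, e.g. `# up -d recreates the containers the foreground 'up' is attached to; verified with docker-compose <VERSION-PLACEHOLDER>`, would spare the next reader the same doubt. The `-` prefix on both `pull` lines is correct: an unreachable registry should not stop the service from starting or reloading.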
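Review bot: `proxy_pass http://localhost:8000;` in vhost.j2 resolves `localhost` at nginx start, and on hosts where it maps to both `::1` and `127.0.0.1` nginx uses both as upstreams, while the compose file binds only `127.0.0.1:8000`; `proxy_pass http://127.0.0.1:8000;` matches the binding exactly and avoids failed connections to `::1`. The TLS server block sets only the certificate and key paths; protocol and cipher settings are presumably inherited from the nginx role pulled in by `nginx_ssl: True` in meta/main.yml, which I cannot confirm from this diff — a comment such as `# ssl_protocols/ciphers come from the nginx role's global config` would make that dependency explicit. The `X-Forwarded-Proto $scheme` header together with the https `SEARXNG_BASE_URL` in the compose file lines up correctly.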
diff --git a/site.yml b/site.yml index 860e3d3..e7189fb 100644 --- a/site.yml +++ b/site.yml @@ -56,6 +56,11 @@ - speedtest - web_svc +- name: Setup searxng server + hosts: sx.regensburg.freifunk.net + roles: + - searxng + - name: Setup resolver hosts: resolver.regensburg.freifunk.net roles: