diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index aaab1ab..6699a2c 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -51,5 +51,14 @@ pve_targets: - pve01.ffrgb - pve02.ffrgb +rev_proxy: +- domain: tiles.regensburg.freifunk.net + aliases: + - 1.omt.regensburg.freifunk.net + - 2.omt.regensburg.freifunk.net + - 3.omt.regensburg.freifunk.net + - 4.omt.regensburg.freifunk.net + target: "http://10.90.224.104:8080" + site: ffrgb site_domain: regensburg.freifunk.net diff --git a/hosts b/hosts index 3f51b9c..43f6285 100644 --- a/hosts +++ b/hosts @@ -2,6 +2,7 @@ gw11.regensburg.freifunk.net gw21.regensburg.freifunk.net gw31.regensburg.freifunk.net +web.regensburg.freifunk.net stats.ffrgb ansible_host=10.90.224.100 unms.ffrgb ansible_host=10.90.224.101 unifi.ffrgb ansible_host=10.90.224.102 diff --git a/roles/web-svc/handlers/main.yml b/roles/web-svc/handlers/main.yml new file mode 100644 index 0000000..ff936dd --- /dev/null +++ b/roles/web-svc/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: Restart nginx + service: name=nginx state=restarted + +- name: Run acertmgr + command: /usr/bin/acertmgr diff --git a/roles/web-svc/meta/main.yml b/roles/web-svc/meta/main.yml new file mode 100644 index 0000000..8fcf724 --- /dev/null +++ b/roles/web-svc/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: +- { role: acertmgr } +- { role: nginx, nginx_ssl: True } diff --git a/roles/web-svc/tasks/main.yml b/roles/web-svc/tasks/main.yml new file mode 100644 index 0000000..d777177 --- /dev/null +++ b/roles/web-svc/tasks/main.yml @@ -0,0 +1,9 @@ +--- + +- name: Setup reverse proxy + include_tasks: reverse.yml + with_items: "{{ rev_proxy }}" + vars: + rev_domain: "{{ item.domain }}" + rev_aliases: "{{ item.aliases }}" + rev_target: "{{ item.target }}" diff --git a/roles/web-svc/tasks/reverse.yml b/roles/web-svc/tasks/reverse.yml new file mode 100644 index 0000000..9d6fef0 --- /dev/null +++ b/roles/web-svc/tasks/reverse.yml 
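Review bot: `target: "http://10.90.224.104:8080"` in the new `rev_proxy` entry means TLS is terminated on the proxy and the tile backend is reached in clear text, which is acceptable only if 10.90.224.104 sits on a trusted internal segment (the stats/unms/unifi hosts in `hosts` share that range, which suggests a management network, but the diff does not show it). Record the assumption above the entry: `# plain-HTTP backend: TLS ends at the proxy, keep this target reachable from the internal network only`. Given the acme-challenge location in rev_vhost.j2, the four `N.omt.*` aliases also have to resolve to the web host before acertmgr's validation can succeed, so a second comment listing that prerequisite would save a failed first run.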
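Review bot: `service: name=nginx state=restarted` in the `Restart nginx` handler takes the proxy down if a freshly templated vhost has a syntax error, because a restart stops the old master before the new configuration is ever validated; `service: name=nginx state=reloaded` lets the running master test the new config and keep serving the old one on failure, and a reload is also sufficient for nginx to pick up new certificates. A `validate:` argument on the template tasks cannot cover a sites-enabled fragment (nginx needs the whole config tree), so the reload is the practical safety net here. The handler name can stay as-is to keep the `notify:` references in reverse.yml working.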
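Review bot: `rev_aliases: "{{ item.aliases }}"` in tasks/main.yml raises an undefined-variable error for any `rev_proxy` entry that has no `aliases` key, even though rev_certs.j2 and rev_vhost.j2 both guard on `{% if rev_aliases %}` and would handle an empty list; use `rev_aliases: "{{ item.aliases | default([]) }}"` so an alias-less domain works. Likewise `loop: "{{ rev_proxy }}"` is the current form of `with_items` for `include_tasks` and avoids the bare-`{{` quoting pitfalls of the older syntax.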
@@ -0,0 +1,17 @@
+---
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ rev_domain }}.key -out /etc/nginx/ssl/{{ rev_domain }}.crt -days 730 -subj "/CN={{ rev_domain }}" creates=/etc/nginx/ssl/{{ rev_domain }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager
+ template: src=rev_certs.j2 dest=/etc/acertmgr/{{ rev_domain }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhosts
+ template: src=rev_vhost.j2 dest=/etc/nginx/sites-available/{{ rev_domain }}
+ notify: Restart nginx
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/{{ rev_domain }} dest=/etc/nginx/sites-enabled/{{ rev_domain }} state=link
+ notify: Restart nginx
diff --git a/roles/web-svc/templates/rev_certs.j2 b/roles/web-svc/templates/rev_certs.j2
new file mode 100644
index 0000000..a7d0067
--- /dev/null
+++ b/roles/web-svc/templates/rev_certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}:
+- path: /etc/nginx/ssl/{{ rev_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ rev_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/web-svc/templates/rev_vhost.j2 b/roles/web-svc/templates/rev_vhost.j2
new file mode 100644
index 0000000..d88b7d2
--- /dev/null
+++ b/roles/web-svc/templates/rev_vhost.j2
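Review bot: The bootstrap key written by `openssl req ... -keyout /etc/nginx/ssl/{{ rev_domain }}.key` gets whatever mode OpenSSL and the current umask produce (0600 on recent OpenSSL releases, umask-dependent on older ones) and nothing in the task chain enforces it; the `perm: '400'` in rev_certs.j2 only applies to files acertmgr itself writes. Add an explicit permission task right after it: `- name: Restrict bootstrap key permissions` / `file: path=/etc/nginx/ssl/{{ rev_domain }}.key owner=root group=root mode=0600`. Note also that `creates=...crt` together with `-nodes -days 730` means the self-signed pair is generated once and never rotated, so if acertmgr never replaces it the vhost silently serves a self-signed certificate; a comment on the task should say so: `# bootstrap only: acertmgr is expected to overwrite this key/cert pair`.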
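Review bot: Both `action: '/usr/sbin/service nginx restart'` entries trigger a full restart on every certificate renewal, which drops in-flight connections and, if the configuration happens to be invalid at that moment, leaves nginx down; `action: '/usr/sbin/service nginx reload'` is enough for nginx to pick up a renewed key and certificate and keeps the old workers serving if the reload fails. Since the action is attached to both the .crt and the .key entry, acertmgr presumably runs it once per file it replaces, so it fires twice per renewal; that is harmless but worth a one-line comment above the block so nobody "fixes" it later.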
@@ -0,0 +1,30 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}; + + ssl_certificate_key /etc/nginx/ssl/{{ rev_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ rev_domain }}.crt; + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass {{ rev_target }}; + } +} diff --git a/site.yml b/site.yml index 7313015..7994a70 100644 --- a/site.yml +++ b/site.yml @@ -26,6 +26,11 @@ - yanic - web-gw +- name: Setup web service proxy + hosts: web.regensburg.freifunk.net + roles: + - web-svc + - name: Setup stats server hosts: stats.ffrgb roles:
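Review bot: The 443 server block sets only `ssl_certificate` and `ssl_certificate_key`, so protocol and cipher hardening depends entirely on what the nginx role's `nginx_ssl: True` path configures globally (outside this diff), and no HSTS header is sent, so a client that once followed the 80→443 redirect can still be downgraded on its next visit. Add `add_header Strict-Transport-Security "max-age=63072000" always;` next to the ssl_* lines — but only once acertmgr has issued a real certificate, because browsers refuse to connect at all to an HSTS host that presents the self-signed bootstrap cert. The backend also receives `Host: 10.90.224.104:8080` by default and cannot tell the request arrived over TLS; `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto https;` in `location /` fix that if the tile server builds absolute URLs. Keep `X-Forwarded-For $remote_addr` as written: overwriting rather than appending is the right trust boundary when this proxy is the only hop.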