searxng: new role
parent
132b9651f2
commit
ca8470c12d
@ -75,6 +75,9 @@ pve_targets:
|
|||||||
- pve01.ffrgb
|
- pve01.ffrgb
|
||||||
- pve02.ffrgb
|
- pve02.ffrgb
|
||||||
|
|
||||||
|
searxng_domain: sx.regensburg.freifunk.net
|
||||||
|
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
|
||||||
|
|
||||||
site: ffrgb
|
site: ffrgb
|
||||||
site_domain: regensburg.freifunk.net
|
site_domain: regensburg.freifunk.net
|
||||||
|
|
||||||
|
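--- a/hosts
+++ b/hosts
@@ -6,6 +6,7 @@ netbox.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
 resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
+sx.regensburg.freifunk.net
 tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
 unms.ffrgb ansible_host=10.90.224.101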
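--- a/roles/searxng/handlers/main.yml
+++ b/roles/searxng/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart searxng
+  service: name=searxng state=restarted
+
+- name: Restart searxng-reload
+  service: name=searxng-reload state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr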
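Review bot: The handlers pass module arguments as `key=value` free-form strings (`systemd: daemon_reload=yes`, `service: name=searxng state=restarted`), which ansible-lint flags and which makes values like `yes` depend on Ansible's string-to-boolean coercion rather than a typed YAML value. Native block arguments are the current convention, e.g. `systemd:` / `  daemon_reload: true` and `service:` / `  name: searxng` / `  state: restarted`. The same style point applies to the `group:`, `template:`, `file:` and `service:` calls in roles/searxng/tasks/main.yml.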
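--- a/roles/searxng/meta/main.yml
+++ b/roles/searxng/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - { role: acertmgr }
+  - { role: nginx, nginx_ssl: True }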
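Review bot: `nginx_ssl: True` in the second dependency uses a capitalised boolean; lowercase `true` is the yamllint/ansible-lint convention and avoids the YAML 1.1/1.2 truthy divergence, so `- { role: nginx, nginx_ssl: true }`. Whether the nginx role with `nginx_ssl` set also creates `/etc/nginx/ssl/`, which the tasks file writes a key and certificate into, is not visible here and is worth confirming before the first run.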
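--- a/roles/searxng/tasks/main.yml
+++ b/roles/searxng/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+      - docker.io
+      - docker-compose
+
+- name: Create searxng group
+  group: name=searxng
+
+- name: Create searxng user
+  user:
+    name: searxng
+    home: /opt/searxng
+    shell: /bin/bash
+    group: searxng
+    groups: docker
+
+- name: Configure searxng container
+  template: src=docker-compose.yml.j2 dest=/opt/searxng/docker-compose.yml
+  notify: Restart searxng
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ searxng_domain }}.key -out /etc/nginx/ssl/{{ searxng_domain }}.crt -days 730 -subj "/CN={{ searxng_domain }}" creates=/etc/nginx/ssl/{{ searxng_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for searxng
+  template: src=certs.j2 dest=/etc/acertmgr/{{ searxng_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/searxng
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/searxng dest=/etc/nginx/sites-enabled/searxng state=link
+  notify: Restart nginx
+
+# TODO config files inside /opt/searxng/searxng
+
+- name: Systemd unit for searxng
+  template: src=searxng.service.j2 dest=/etc/systemd/system/searxng.service
+  notify:
+    - Reload systemd
+    - Restart searxng
+
+- name: Systemd unit for searxng-reload
+  template: src=searxng-reload.{{ item }}.j2 dest=/etc/systemd/system/searxng-reload.{{ item }}
+  with_items:
+    - "service"
+    - "timer"
+  notify:
+    - Reload systemd
+    - Restart searxng-reload
+
+- name: Start the searxng service
+  service: name=searxng state=started enabled=yes
+
+- name: Enable auto update timer
+  service: name=searxng-reload.timer state=started enabled=yes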
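Review bot: The `Create searxng user` task puts the service account in `groups: docker`, and searxng.service.j2 then runs docker-compose as that user; docker-group membership is equivalent to root on the host because the daemon runs as root and honours any bind-mount request from socket users, so the real privilege boundary of this deployment is the searxng account, not the `cap_drop` lists in the compose file. Consider dropping the `groups: docker` line and running the unit as root (the containers themselves already run without host capabilities), or using rootless Docker; either way a comment on that line should state the accepted trade-off. Separately, nothing creates `/opt/searxng/searxng`, which docker-compose.yml.j2 bind-mounts as `/etc/searxng:rw` — the TODO comment in this file presumably covers it, but until then the daemon will create the directory on first `up`, likely root-owned, so a `file: path=/opt/searxng/searxng state=directory owner=searxng group=searxng` task before `Configure searxng container` would make the first start deterministic.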
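--- a/roles/searxng/templates/certs.j2
+++ b/roles/searxng/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ searxng_domains }}:
+  - path: /etc/nginx/ssl/{{ searxng_domain }}.key
+    user: root
+    group: root
+    perm: '400'
+    format: key
+    action: '/usr/sbin/service nginx restart'
+  - path: /etc/nginx/ssl/{{ searxng_domain }}.crt
+    user: root
+    group: root
+    perm: '400'
+    format: crt,ca
+    action: '/usr/sbin/service nginx restart'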
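Review bot: Both `action:` entries run `/usr/sbin/service nginx restart` after a renewal, which drops in-flight connections; nginx re-reads certificate files on a reload, so `action: '/usr/sbin/service nginx reload'` gives the same result without the outage. The file paths are derived from `searxng_domain` while the top-level key lists every name in `searxng_domains`; that matches vhost.j2, but a one-line comment above the key such as `# one certificate covering all searxng_domains, stored under the primary searxng_domain` would save the next reader the cross-check.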
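--- a/roles/searxng/templates/docker-compose.yml.j2
+++ b/roles/searxng/templates/docker-compose.yml.j2
@@ -0,0 +1,34 @@
+---
+version: "3.4"
+services:
+  redis:
+    image: redis:alpine
+    tmpfs:
+      - /var/lib/redis
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+
+  searxng:
+    image: searxng/searxng:latest
+    ports:
+      - "127.0.0.1:8000:8080"
+    volumes:
+      - ./searxng:/etc/searxng:rw
+    environment:
+      - SEARXNG_BASE_URL=https://{{ searxng_domain }}/
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "1m"
+        max-file: "1"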
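Review bot: `image: searxng/searxng:latest` is an unpinned mutable tag, and the searxng-reload timer triggers a `reload-or-restart` every 15 minutes while searxng.service.j2's `ExecReload` runs `docker-compose pull` followed by `up -d`, so any upstream push — broken or compromised — goes live on this host unattended; `redis:alpine` has the same property. Pin both to a version tag or an `@sha256:` digest (a role variable, say `{{ searxng_image }}` with a pinned default, keeps it overridable) so the periodic pull becomes a deliberate bump, or at least record the accepted risk in a comment above the `image:` line. The `cap_drop: ALL` hardening is good; `security_opt: ["no-new-privileges:true"]` on both services is a cheap complement, and `version: "3.4"` is ignored by Compose v2 and can be dropped.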
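--- a/roles/searxng/templates/searxng-reload.service.j2
+++ b/roles/searxng/templates/searxng-reload.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Refresh searxng images
+
+[Service]
+Type=oneshot
+
+ExecStart=/bin/systemctl reload-or-restart searxng.service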
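--- a/roles/searxng/templates/searxng-reload.timer.j2
+++ b/roles/searxng/templates/searxng-reload.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Refresh searxng images
+Requires=searxng.service
+After=searxng.service
+
+[Timer]
+OnCalendar=*:0/15
+
+[Install]
+WantedBy=timers.target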
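--- a/roles/searxng/templates/searxng.service.j2
+++ b/roles/searxng/templates/searxng.service.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=searxng service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=searxng
+Group=searxng
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/searxng
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+# Update images
+ExecStartPre=-/usr/bin/docker-compose pull --quiet
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+# Refresh on reload
+ExecReload=-/usr/bin/docker-compose pull --quiet
+ExecReload=/usr/bin/docker-compose up -d
+
+[Install]
+WantedBy=multi-user.target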
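Review bot: `ExecReload` runs `docker-compose up -d` while the `ExecStart` process is a foreground `docker-compose up` attached to the same containers; I am not certain how that attached process behaves when the containers it follows are recreated underneath it, and if it exits, `Restart=always` turns every 15-minute refresh into a full stop/start including the `down -v` in `ExecStartPre`. Worth exercising one reload cycle and watching the unit's journal; a `Type=oneshot` / `RemainAfterExit=yes` unit whose start and reload both run `up -d` would sidestep the question entirely. `TimeoutStartSec=1200` presumably exists so a slow image pull in `ExecStartPre` does not time the unit out — a comment saying so (`# allow slow pulls in ExecStartPre`) would stop the next reader from removing it as redundant with Type=simple.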
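--- a/roles/searxng/templates/vhost.j2
+++ b/roles/searxng/templates/vhost.j2
@@ -0,0 +1,37 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ searxng_domains }};
+
+    location /.well-known/acme-challenge {
+        default_type "text/plain";
+        alias /var/www/acme-challenge;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ searxng_domains }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ searxng_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ searxng_domain }}.crt;
+
+    # set max upload size
+    client_max_body_size 8M;
+
+    location / {
+        proxy_pass http://localhost:8000;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}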
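Review bot: `proxy_pass http://localhost:8000;` is resolved once at config load, and on a host whose /etc/hosts maps localhost to `::1` as well as `127.0.0.1` nginx will try both, but docker-compose.yml.j2 publishes the port on `127.0.0.1:8000` only, so some requests will first log a refused connection to `::1` before falling back; `proxy_pass http://127.0.0.1:8000;` matches the binding exactly. Whether the nginx role sets `ssl_protocols`, `ssl_ciphers` and a `Strict-Transport-Security` header globally is not visible from this vhost; if it does not, the 443 block should carry `add_header Strict-Transport-Security "max-age=31536000" always;`, since the port-80 block already redirects everything to HTTPS. `proxy_set_header Connection $http_connection;` without `proxy_http_version 1.1;` forwards the client's Connection header over an HTTP/1.0 upstream connection, which is harmless here but reads like a half-finished WebSocket setup — a comment stating the intent, or removing the line, would clarify it.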
5
site.yml
5
site.yml
@ -56,6 +56,11 @@
|
|||||||
- speedtest
|
- speedtest
|
||||||
- web_svc
|
- web_svc
|
||||||
|
|
||||||
|
- name: Setup searxng server
|
||||||
|
hosts: sx.regensburg.freifunk.net
|
||||||
|
roles:
|
||||||
|
- searxng
|
||||||
|
|
||||||
- name: Setup resolver
|
- name: Setup resolver
|
||||||
hosts: resolver.regensburg.freifunk.net
|
hosts: resolver.regensburg.freifunk.net
|
||||||
roles:
|
roles:
|
||||||
|