forked from FF-RGB/ansible
searxng: new role
This commit is contained in:
parent
132b9651f2
commit
ca8470c12d
@ -75,6 +75,9 @@ pve_targets:
|
||||
- pve01.ffrgb
|
||||
- pve02.ffrgb
|
||||
|
||||
searxng_domain: sx.regensburg.freifunk.net
|
||||
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
|
||||
|
||||
site: ffrgb
|
||||
site_domain: regensburg.freifunk.net
|
||||
|
||||
|
1
hosts
1
hosts
@ -6,6 +6,7 @@ netbox.regensburg.freifunk.net
|
||||
ns1.regensburg.freifunk.net
|
||||
resolver.regensburg.freifunk.net
|
||||
stats.regensburg.freifunk.net
|
||||
sx.regensburg.freifunk.net
|
||||
tiles.regensburg.freifunk.net
|
||||
web.regensburg.freifunk.net
|
||||
unms.ffrgb ansible_host=10.90.224.101
|
||||
|
16
roles/searxng/handlers/main.yml
Normal file
16
roles/searxng/handlers/main.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart searxng
|
||||
service: name=searxng state=restarted
|
||||
|
||||
- name: Restart searxng-reload
|
||||
service: name=searxng-reload state=restarted
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
5
roles/searxng/meta/main.yml
Normal file
5
roles/searxng/meta/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
||||
- { role: nginx, nginx_ssl: True }
|
61
roles/searxng/tasks/main.yml
Normal file
61
roles/searxng/tasks/main.yml
Normal file
@ -0,0 +1,61 @@
|
||||
---
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name:
|
||||
- docker.io
|
||||
- docker-compose
|
||||
|
||||
- name: Create searxng group
|
||||
group: name=searxng
|
||||
|
||||
- name: Create searxng user
|
||||
user:
|
||||
name: searxng
|
||||
home: /opt/searxng
|
||||
shell: /bin/bash
|
||||
group: searxng
|
||||
groups: docker
|
||||
|
||||
- name: Configure searxng container
|
||||
template: src=docker-compose.yml.j2 dest=/opt/searxng/docker-compose.yml
|
||||
notify: Restart searxng
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ searxng_domain }}.key -out /etc/nginx/ssl/{{ searxng_domain }}.crt -days 730 -subj "/CN={{ searxng_domain }}" creates=/etc/nginx/ssl/{{ searxng_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for searxng
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ searxng_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/searxng
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/searxng dest=/etc/nginx/sites-enabled/searxng state=link
|
||||
notify: Restart nginx
|
||||
|
||||
# TODO config files inside /opt/searxng/searxng
|
||||
|
||||
- name: Systemd unit for searxng
|
||||
template: src=searxng.service.j2 dest=/etc/systemd/system/searxng.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart searxng
|
||||
|
||||
- name: Systemd unit for searxng-reload
|
||||
template: src=searxng-reload.{{ item }}.j2 dest=/etc/systemd/system/searxng-reload.{{ item }}
|
||||
with_items:
|
||||
- "service"
|
||||
- "timer"
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart searxng-reload
|
||||
|
||||
- name: Start the searxng service
|
||||
service: name=searxng state=started enabled=yes
|
||||
|
||||
- name: Enable auto update timer
|
||||
service: name=searxng-reload.timer state=started enabled=yes
|
15
roles/searxng/templates/certs.j2
Normal file
15
roles/searxng/templates/certs.j2
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
|
||||
{{ searxng_domains }}:
|
||||
- path: /etc/nginx/ssl/{{ searxng_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ searxng_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
34
roles/searxng/templates/docker-compose.yml.j2
Normal file
34
roles/searxng/templates/docker-compose.yml.j2
Normal file
@ -0,0 +1,34 @@
|
||||
---
|
||||
version: "3.4"
|
||||
services:
|
||||
redis:
|
||||
image: redis:alpine
|
||||
tmpfs:
|
||||
- /var/lib/redis
|
||||
cap_drop:
|
||||
- ALL
|
||||
cap_add:
|
||||
- SETGID
|
||||
- SETUID
|
||||
- DAC_OVERRIDE
|
||||
|
||||
searxng:
|
||||
image: searxng/searxng:latest
|
||||
ports:
|
||||
- "127.0.0.1:8000:8080"
|
||||
volumes:
|
||||
- ./searxng:/etc/searxng:rw
|
||||
environment:
|
||||
- SEARXNG_BASE_URL=https://{{ searxng_domain }}/
|
||||
cap_drop:
|
||||
- ALL
|
||||
cap_add:
|
||||
- CHOWN
|
||||
- SETGID
|
||||
- SETUID
|
||||
- DAC_OVERRIDE
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "1m"
|
||||
max-file: "1"
|
7
roles/searxng/templates/searxng-reload.service.j2
Normal file
7
roles/searxng/templates/searxng-reload.service.j2
Normal file
@ -0,0 +1,7 @@
|
||||
[Unit]
|
||||
Description=Refresh searxng images
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
ExecStart=/bin/systemctl reload-or-restart searxng.service
|
10
roles/searxng/templates/searxng-reload.timer.j2
Normal file
10
roles/searxng/templates/searxng-reload.timer.j2
Normal file
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description=Refresh searxng images
|
||||
Requires=searxng.service
|
||||
After=searxng.service
|
||||
|
||||
[Timer]
|
||||
OnCalendar=*:0/15
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
34
roles/searxng/templates/searxng.service.j2
Normal file
34
roles/searxng/templates/searxng.service.j2
Normal file
@ -0,0 +1,34 @@
|
||||
[Unit]
|
||||
Description=searxng service using docker compose
|
||||
Requires=docker.service
|
||||
After=docker.service
|
||||
Before=nginx.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User=searxng
|
||||
Group=searxng
|
||||
|
||||
Restart=always
|
||||
TimeoutStartSec=1200
|
||||
|
||||
WorkingDirectory=/opt/searxng
|
||||
|
||||
# Make sure no old containers are running
|
||||
ExecStartPre=/usr/bin/docker-compose down -v
|
||||
# Update images
|
||||
ExecStartPre=-/usr/bin/docker-compose pull --quiet
|
||||
|
||||
# Compose up
|
||||
ExecStart=/usr/bin/docker-compose up
|
||||
|
||||
# Compose down, remove containers and volumes
|
||||
ExecStop=/usr/bin/docker-compose down -v
|
||||
|
||||
# Refresh on reload
|
||||
ExecReload=-/usr/bin/docker-compose pull --quiet
|
||||
ExecReload=/usr/bin/docker-compose up -d
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
37
roles/searxng/templates/vhost.j2
Normal file
37
roles/searxng/templates/vhost.j2
Normal file
@ -0,0 +1,37 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ searxng_domains }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ searxng_domains }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ searxng_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ searxng_domain }}.crt;
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 8M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:8000;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user