prepare some work on nginx for api

2018-11-28 21:58:00 +01:00 · 2018-11-28 21:58:00 +01:00 · c7e61f33a1
commit c7e61f33a1
parent 4ddbee05de
12 changed files with 218 additions and 0 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -0,0 +1,9 @@
+---
+api_domain: api2.gempir.com
+email: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65373739353434323038366266343639376262633166356330336339396664326264343334633864
+          6164633261343062623666613536343265663038343330360a313637663739343464396133366565
+          35666538386231343533333231646131383734663834663039636235313237636366343535376366
+          3438353430666537630a323338663565366439353163646435633738653563393330613064363163
+          66356363623063373532626262343361663933623132653162633034396131623038
--- a/ansible/hosts
+++ b/ansible/hosts
@ -0,0 +1,2 @@
+[main]
+apollo.gempir.com
--- a/ansible/playbook.retry
+++ b/ansible/playbook.retry
@ -0,0 +1 @@
+eros.logs.tv
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@ -0,0 +1,18 @@
+---
+- name: Provision hosts for logstv
+  hosts: all
+  remote_user: root
+  
+  roles:
+    - {role: 'common', tags: ['common']}
+    - {role: 'geerlingguy.docker', tags: ['docker']}
+    - {role: 'traefik', tags: ['traefik']}
+    - {role: 'portainer', tags: ['portainer']}
+    - {role: 'bot', tags: ['bot']}
+
+  handlers:
+    - name: restart ufw
+      service: name=ufw state=restarted
+
+    - name: Reload systemd daemon
+      command: systemctl daemon-reload
--- a/ansible/roles/bot/tasks/main.yml
+++ b/ansible/roles/bot/tasks/main.yml
@ -0,0 +1,16 @@
+---
+- name: create directory
+  file:
+    path: /var/twitch_logs
+    state: directory
+    owner: root
+    group: docker
+    mode: 0740
+
+- name: create channels file
+  template:
+    src: templates/channels.j2
+    dest: /var/logstv_channels
+    owner: root
+    group: docker
+    mode: 0640
--- a/ansible/roles/bot/templates/channels.j2
+++ b/ansible/roles/bot/templates/channels.j2
@ -0,0 +1,5 @@
+gempir
+pajlada
+forsen
+nymn
+nani
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@ -0,0 +1,16 @@
+---
+- name: update and upgrade apt packages
+  become: true
+  apt:
+    upgrade: yes
+    update_cache: yes
+    cache_valid_time: 86400 #One day
+
+- name: install apt-transport-https
+  apt: name=apt-transport-https state=present
+
+- name: install htop
+  apt: name=htop state=present
+
+- name: install ufw firewall
+  include: ufw.yml
--- a/ansible/roles/common/tasks/ufw.yml
+++ b/ansible/roles/common/tasks/ufw.yml
@ -0,0 +1,28 @@
+---
+- name: Install ufw
+  apt: package=ufw state=present
+
+- name: Configure ufw defaults
+  ufw: direction={{ item.direction }} policy={{ item.policy }}
+  with_items:
+    - { direction: 'incoming', policy: 'deny' }
+    - { direction: 'outgoing', policy: 'allow' }
+  notify:
+    - restart ufw
+
+- name: Configure ufw rules
+  ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
+  with_items:
+    - { rule: 'limit', port: '{{ ssh_port | default("22") }}', proto: 'tcp' }
+    - { rule: 'allow', port: '80', proto: 'tcp' }
+    - { rule: 'allow', port: '443', proto: 'tcp' }
+  notify:
+    - restart ufw
+
+- name: Enable ufw logging
+  ufw: logging=on
+  notify:
+    - restart ufw
+
+- name: Enable ufw
+  ufw: state=enabled
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@ -0,0 +1,52 @@
+---
+  - name: Upgrade system
+    apt: upgrade=dist update_cache=yes
+
+  - name: Install nginx
+    apt: name=nginx state=latest
+
+  - name: install letsencrypt
+    apt: name=letsencrypt state=latest
+
+  - name: create letsencrypt directory
+    file: name=/var/www/letsencrypt state=directory
+
+  - name: Remove default nginx config
+    file: name=/etc/nginx/sites-enabled/default state=absent
+
+  - name: Install system nginx config
+    template:
+      src: templates/nginx.conf.j2
+      dest: /etc/nginx/nginx.conf
+
+  - name: Install nginx site for api
+    template:
+      src: templates/api.j2
+      dest: /etc/nginx/sites-enabled/api
+
+  - name: Reload nginx to activate letsencrypt site
+    service: name=nginx state=restarted
+
+  - name: Create letsencrypt certificate
+    shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ api_domain }} --agree-tos -d {{ api_domain }}
+    args:
+      creates: /etc/letsencrypt/live/{{ api_domain }}
+
+  - name: Generate dhparams
+    shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+    args:
+      creates: /etc/nginx/dhparams.pem
+
+  - name: Install nginx site for api
+    template:
+      src: templates/api.le.j2
+      dest: /etc/nginx/sites-enabled/api_le
+
+  - name: Reload nginx to activate specified site
+    service: name=nginx state=restarted
+
+  - name: Add letsencrypt cronjob for cert renewal
+    cron:
+      name: letsencrypt_renewal
+      special_time: weekly
+      job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ email }} --agree-tos -d {{ api_domain }} && service nginx reload
--- a/ansible/roles/nginx/templates/api.j2
+++ b/ansible/roles/nginx/templates/api.j2
@ -0,0 +1,15 @@
+server_tokens off;
+
+server {
+    listen 80 default_server;
+    server_name {{ api_domain }};
+
+    location /.well-known/acme-challenge {
+        root /var/www/letsencrypt;
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+}
--- a/ansible/roles/nginx/templates/api.le.j2
+++ b/ansible/roles/nginx/templates/api.le.j2
@ -0,0 +1,21 @@
+server {
+    listen 443 ssl default deferred;
+    server_name {{ api_domain }};
+
+    ssl on;
+    ssl_certificate         /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/{{ api_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem;
+
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_dhparam /etc/nginx/dhparams.pem;
+
+    location / {
+		    proxy_pass http://127.0.0.1:8010;
+  	}
+}
--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@ -0,0 +1,35 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 2000;
+}
+
+http {
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    proxy_connect_timeout       600;
+    proxy_send_timeout          600;
+    proxy_read_timeout          600;
+    send_timeout                600;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    gzip on;
+    gzip_disable "msie6";
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}