prepare some work on nginx for api
This commit is contained in:
parent
4ddbee05de
commit
c7e61f33a1
12 changed files with 218 additions and 0 deletions
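--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,9 @@
+---
+api_domain: api2.gempir.com
+email: !vault |
+$ANSIBLE_VAULT;1.1;AES256
+65373739353434323038366266343639376262633166356330336339396664326264343334633864
+6164633261343062623666613536343265663038343330360a313637663739343464396133366565
+35666538386231343533333231646131383734663834663039636235313237636366343535376366
+3438353430666537630a323338663565366439353163646435633738653563393330613064363163
+66356363623063373532626262343361663933623132653162633034396131623038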
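--- a/ansible/hosts
+++ b/ansible/hosts
@@ -0,0 +1,2 @@
+[main]
+apollo.gempir.com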
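--- a/ansible/playbook.retry
+++ b/ansible/playbook.retry
@@ -0,0 +1 @@
+eros.logs.tv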
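--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -0,0 +1,18 @@
+---
+- name: Provision hosts for logstv
+hosts: all
+remote_user: root
+
+roles:
+- {role: 'common', tags: ['common']}
+- {role: 'geerlingguy.docker', tags: ['docker']}
+- {role: 'traefik', tags: ['traefik']}
+- {role: 'portainer', tags: ['portainer']}
+- {role: 'bot', tags: ['bot']}
+
+handlers:
+- name: restart ufw
+service: name=ufw state=restarted
+
+- name: Reload systemd daemon
+command: systemctl daemon-reload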
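Review bot: The two handlers at the end of the play use a key=value module string (`service: name=ufw state=restarted`) and shell out with `command: systemctl daemon-reload`; the `systemd` module covers both in native YAML — `systemd: {name: ufw, state: restarted}` for the first and `systemd: {daemon_reload: true}` for the second — and, unlike `command`, reports changed/unchanged state correctly. `remote_user: root` makes every task an interactive root SSH login; an unprivileged deploy user with `become: true` on the tasks that need it (the `common` role already sets `become: true` on its apt task) keeps root SSH closable later. The `ansible/playbook.retry` file added in the same commit is a generated artifact that names a host not present in `ansible/hosts`; it belongs in `.gitignore` rather than the repository.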
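--- a/ansible/roles/bot/tasks/main.yml
+++ b/ansible/roles/bot/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: create directory
+file:
+path: /var/twitch_logs
+state: directory
+owner: root
+group: docker
+mode: 0740
+
+- name: create channels file
+template:
+src: templates/channels.j2
+dest: /var/logstv_channels
+owner: root
+group: docker
+mode: 0640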
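Review bot: `mode: 0740` and `mode: 0640` are unquoted leading-zero scalars, which the YAML 1.1 loader turns into the integers 480 and 416; Ansible happens to interpret those as the intended octal modes, but the same form without the leading zero silently sets a wrong mode, so quote them as `mode: "0740"` and `mode: "0640"` as the Ansible docs recommend. `/var/twitch_logs` ends up `root:docker` with no group write bit, so whatever writes logs into it has to run as root — presumably the container; a one-line comment on the task naming the writer would save the next reader from guessing. If the bot reads `/var/logstv_channels` only at startup, the template task needs a `notify` to a restart handler for a changed channel list to take effect — worth confirming against the bot's behaviour.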
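--- a/ansible/roles/bot/templates/channels.j2
+++ b/ansible/roles/bot/templates/channels.j2
@@ -0,0 +1,5 @@
+gempir
+pajlada
+forsen
+nymn
+nani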
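--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: update and upgrade apt packages
+become: true
+apt:
+upgrade: yes
+update_cache: yes
+cache_valid_time: 86400 #One day
+
+- name: install apt-transport-https
+apt: name=apt-transport-https state=present
+
+- name: install htop
+apt: name=htop state=present
+
+- name: install ufw firewall
+include: ufw.yml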
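Review bot: `upgrade: yes` and `update_cache: yes` depend on YAML 1.1 truthy parsing; write `upgrade: true` and `update_cache: true` (yamllint `truthy`), and the trailing comment needs a space after the hash, `cache_valid_time: 86400  # one day`. `upgrade: yes` performs an unattended package upgrade on every run whose cache has expired, so a routine playbook run can change package versions on the host; if that is intended, say so in a comment above the task. `include: ufw.yml` is the legacy generic include; depending on the Ansible version in use, `import_tasks: ufw.yml` is the current static form. The remaining apt tasks use key=value strings where the first one uses block YAML — pick one style for the role.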
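--- a/ansible/roles/common/tasks/ufw.yml
+++ b/ansible/roles/common/tasks/ufw.yml
@@ -0,0 +1,28 @@
+---
+- name: Install ufw
+apt: package=ufw state=present
+
+- name: Configure ufw defaults
+ufw: direction={{ item.direction }} policy={{ item.policy }}
+with_items:
+- { direction: 'incoming', policy: 'deny' }
+- { direction: 'outgoing', policy: 'allow' }
+notify:
+- restart ufw
+
+- name: Configure ufw rules
+ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
+with_items:
+- { rule: 'limit', port: '{{ ssh_port | default("22") }}', proto: 'tcp' }
+- { rule: 'allow', port: '80', proto: 'tcp' }
+- { rule: 'allow', port: '443', proto: 'tcp' }
+notify:
+- restart ufw
+
+- name: Enable ufw logging
+ufw: logging=on
+notify:
+- restart ufw
+
+- name: Enable ufw
+ufw: state=enabled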
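Review bot: The `ufw:` tasks pass Jinja values through key=value strings (`ufw: direction={{ item.direction }} policy={{ item.policy }}`), so any value containing a space or `=` is split into extra arguments at parse time; native YAML args are unambiguous — `ufw:` / `  direction: "{{ item.direction }}"` / `  policy: "{{ item.policy }}"` — and the rules task should follow the same form. `with_items` can become `loop` on current Ansible. The policy itself is the right shape: deny incoming, allow outgoing, `limit` on SSH, logging on, and `state=enabled` last so rules exist before the firewall comes up. The `restart ufw` notifications look unnecessary since the module applies each rule as it runs, though restarting is harmless.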
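--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Upgrade system
+apt: upgrade=dist update_cache=yes
+
+- name: Install nginx
+apt: name=nginx state=latest
+
+- name: install letsencrypt
+apt: name=letsencrypt state=latest
+
+- name: create letsencrypt directory
+file: name=/var/www/letsencrypt state=directory
+
+- name: Remove default nginx config
+file: name=/etc/nginx/sites-enabled/default state=absent
+
+- name: Install system nginx config
+template:
+src: templates/nginx.conf.j2
+dest: /etc/nginx/nginx.conf
+
+- name: Install nginx site for api
+template:
+src: templates/api.j2
+dest: /etc/nginx/sites-enabled/api
+
+- name: Reload nginx to activate letsencrypt site
+service: name=nginx state=restarted
+
+- name: Create letsencrypt certificate
+shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ api_domain }} --agree-tos -d {{ api_domain }}
+args:
+creates: /etc/letsencrypt/live/{{ api_domain }}
+
+- name: Generate dhparams
+shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+args:
+creates: /etc/nginx/dhparams.pem
+
+- name: Install nginx site for api
+template:
+src: templates/api.le.j2
+dest: /etc/nginx/sites-enabled/api_le
+
+- name: Reload nginx to activate specified site
+service: name=nginx state=restarted
+
+- name: Add letsencrypt cronjob for cert renewal
+cron:
+name: letsencrypt_renewal
+special_time: weekly
+job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ email }} --agree-tos -d {{ api_domain }} && service nginx reload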
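Review bot: The `Create letsencrypt certificate` task passes the domain as the account contact, `-m {{ api_domain }}`, while the renewal cronjob below passes `-m {{ email }}`; the initial issuance should also use `-m {{ email }}`, otherwise registration is attempted with an invalid (or at best unintended) address and expiry notices reach nobody. Both tasks named `Reload nginx ...` actually run `state=restarted`; `state=reloaded` matches the name and keeps open connections, and the `nginx.conf` template should carry `validate: nginx -t -c %s` so a bad render is rejected before it takes the server down. `state=latest` on `nginx` and `letsencrypt` upgrades those packages on every run; `present` is the reproducible choice. The two tasks both named `Install nginx site for api` need distinct names (the second installs the TLS site), and neither `shell:` task uses shell features, so `command:` is sufficient and avoids shell interpretation of the interpolated values.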
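--- a/ansible/roles/nginx/templates/api.j2
+++ b/ansible/roles/nginx/templates/api.j2
@@ -0,0 +1,15 @@
+server_tokens off;
+
+server {
+listen 80 default_server;
+server_name {{ api_domain }};
+
+location /.well-known/acme-challenge {
+root /var/www/letsencrypt;
+try_files $uri $uri/ =404;
+}
+
+location / {
+rewrite ^ https://$host$request_uri? permanent;
+}
+}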
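Review bot: The redirect `rewrite ^ https://$host$request_uri? permanent;` builds its target from the request's Host header, and because this block is the `default_server` on port 80 it answers for any Host value, so a request carrying an arbitrary Host is answered with a permanent redirect to that name — an open redirect. Redirect to the configured name instead: `return 301 https://{{ api_domain }}$request_uri;` (or `$server_name`). In the ACME location, `try_files $uri $uri/ =404;` serves directories too, which challenge responses never need; `try_files $uri =404;` is enough. The trailing `?` on the rewrite only suppresses appending the original query string, which `$request_uri` already includes, so it is harmless but worth a comment if kept.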
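--- a/ansible/roles/nginx/templates/api.le.j2
+++ b/ansible/roles/nginx/templates/api.le.j2
@@ -0,0 +1,21 @@
+server {
+listen 443 ssl default deferred;
+server_name {{ api_domain }};
+
+ssl on;
+ssl_certificate /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ api_domain }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ api_domain }}/fullchain.pem;
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_dhparam /etc/nginx/dhparams.pem;
+
+location / {
+proxy_pass http://127.0.0.1:8010;
+}
+}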
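Review bot: The `ssl_ciphers` list still offers the 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the non-forward-secret `AES*-SHA*`/`HIGH` groups; `!DES` does not exclude 3DES in OpenSSL's cipher syntax, so add `!3DES` and ideally trim the list to the ECDHE/DHE AEAD suites at its head. `ssl on;` is redundant with `listen 443 ssl` and is deprecated in newer nginx releases; drop it. Nothing forwards the client's identity to the upstream at `127.0.0.1:8010`, so the API sees every request as coming from localhost; add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto https;` inside the `location`. There is also no `add_header Strict-Transport-Security` yet, which the port-80 redirect in `api.j2` makes safe to introduce.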
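--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,35 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+worker_connections 2000;
+}
+
+http {
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+proxy_connect_timeout 600;
+proxy_send_timeout 600;
+proxy_read_timeout 600;
+send_timeout 600;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+gzip on;
+gzip_disable "msie6";
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}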
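Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` leaves TLS 1.0 and 1.1 enabled for the API; both are deprecated (RFC 8996) and nothing in the cipher list in `api.le.j2` needs them, so `ssl_protocols TLSv1.2;` (adding `TLSv1.3` if the installed nginx/OpenSSL support it) is the safer setting. `worker_processes 4;` is hard-coded to a host with four cores; `worker_processes auto;` follows the actual CPU count. The 600-second `proxy_*_timeout` and `send_timeout` values keep stalled clients and upstream calls open for ten minutes each; if the API genuinely has long-running requests, a comment naming them would justify the values, otherwise the defaults limit how long a slow peer can hold a worker connection. `server_tokens off;` currently lives in `api.j2`; setting it here in `http` makes the global intent visible in the main config.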