jaseg/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Misc changes. Move up to fedora 30, add gerbolyze, secure download

Browse source
This commit is contained in:
jaseg 2019-06-26 16:41:45 +09:00 committed by jaseg
parent a2d4afc7df
commit 297cfc071e
9 changed files with 161 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

1
inventory.yml
View file

@ -5,3 +5,4 @@ all:
ansible_host: wendelstein.jaseg.net ansible_host: wendelstein.jaseg.net
ansible_ssh_identity_file: ~/.ssh/id_ed25519 ansible_ssh_identity_file: ~/.ssh/id_ed25519
ansible_user: root ansible_user: root
ansible_python_interpreter: /usr/bin/python3

80
nginx.conf
View file

@ -51,36 +51,86 @@ http {
ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem"; ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem"; ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf; include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver 67.207.67.2 67.207.67.3 valid=300s; resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s; resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=86400"; add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block. # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf; include /etc/nginx/default.d/*.conf;
location ^~ /static/ { location ^~ /static/ {
root /var/lib/gerboweb; root /var/lib/gerboweb;
} }
location / { location / {
include uwsgi_params; include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/gerboweb.socket; uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
} }
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
}
}
server {
listen 80;
listen [::]:80;
server_name blog.jaseg.net blog.jaseg.net;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.jaseg.net blog.jaseg.net;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/blog.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_stapling on;
ssl_stapling_verify on;
resolver 67.207.67.2 67.207.67.3 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
root /var/www/blog.jaseg.net;
}
location /d/ {
rewrite ^/d/(.*)$ /$1 break;
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/secure-download.socket;
}
error_page 404 /404.html;
location = /40x.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
} }
} }

7
nginx_nossl.conf
View file

@ -41,5 +41,12 @@ http {
server_name gerbolyze.jaseg.net; server_name gerbolyze.jaseg.net;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server {
listen 80;
listen [::]:80;
server_name blog.jaseg.net;
return 301 https://$host$request_uri;
}
} }

15
playbook.yml
View file

@ -12,7 +12,7 @@
- name: Install host requisites - name: Install host requisites
dnf: dnf:
name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex
state: latest state: latest
- name: Disable password-based root login - name: Disable password-based root login
@ -28,18 +28,10 @@
state: restarted state: restarted
when: disable_root_pw_ssh is changed when: disable_root_pw_ssh is changed
- name: Create iptables firewall config dir
file:
path: /etc/iptables
state: directory
owner: root
group: root
mode: 0775
- name: Configure iptables firewall service - name: Configure iptables firewall service
copy: copy:
src: iptables.rules src: iptables.rules
dest: /etc/iptables/iptables.rules dest: /etc/sysconfig/iptables
owner: root owner: root
group: root group: root
mode: 0664 mode: 0664
@ -65,3 +57,6 @@
- name: Setup clippy - name: Setup clippy
include_tasks: setup_clippy.yml include_tasks: setup_clippy.yml
- name: Setup secure download
include_tasks: setup_secure_download.yml

1
secure_download.cfg.j2 Normal file
View file

@ -0,0 +1 @@
SERVE_PATH="{{secure_download_dir}}"

57
setup_secure_download.yml Normal file
View file

@ -0,0 +1,57 @@
---
- name: Set local facts
set_fact:
secure_download_dir: /var/cache/secure_download
- name: Copy webapp sources
synchronize:
# FIXME: make this path configurable
src: ~/secure_download/
dest: /var/lib/secure_download/
group: no
owner: no
- name: Create secure download worker user and group
user:
name: uwsgi-secure-download
create_home: no
group: uwsgi
password: '!'
shell: /sbin/nologin
system: yes
- name: Template webapp config
template:
src: secure_download.cfg.j2
dest: /var/lib/secure_download/secure_download_prod.cfg
owner: uwsgi-secure-download
group: root
mode: 0660
- name: Copy uwsgi config
copy:
src: uwsgi-secure-download.ini
dest: /etc/uwsgi.d/secure-download.ini
owner: uwsgi-secure-download
group: uwsgi
mode: 440
- name: Enable uwsgi systemd socket
systemd:
daemon-reload: yes
name: uwsgi-app@secure-download.socket
enabled: yes
- name: Copy server dir tmpfiles.d config
template:
src: tmpfiles-secure-download.conf.j2
dest: /etc/tmpfiles.d/secure-download.conf
owner: root
group: root
mode: 0644
register: sec_dl_tmpfiles_config
- name: Kick systemd tmpfiles service to create serve dir
command: systemd-tmpfiles --create
when: sec_dl_tmpfiles_config is changed

15
setup_webserver.yml
View file

@ -9,6 +9,14 @@
groups: uwsgi groups: uwsgi
append: yes append: yes
- name: Create blog.jaseg.net content dir
file:
path: /var/www/blog.jaseg.net
state: directory
owner: nginx
group: nginx
mode: 0550
- name: Copy uwsgi systemd socket config - name: Copy uwsgi systemd socket config
copy: copy:
src: uwsgi-app@.socket src: uwsgi-app@.socket
@ -30,11 +38,16 @@
enabled: yes enabled: yes
state: restarted state: restarted
- name: Create letsencrypt certificate - name: Create letsencrypt certificate for gerbolyze.jaseg.net
command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
args: args:
creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
- name: Create letsencrypt certificate for blog.jaseg.net
command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
args:
creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem
- name: Copy final nginx config - name: Copy final nginx config
copy: copy:
src: nginx.conf src: nginx.conf

1
tmpfiles-secure-download.conf.j2 Normal file
View file

@ -0,0 +1 @@
d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d

10
uwsgi-secure-download.ini Normal file
View file

@ -0,0 +1,10 @@
[uwsgi]
master = True
cheap = True
die-on-idle = False
manage-script-name = True
plugins = python3
chdir = /var/lib/secure_download
mount = /=server:app
env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg