authorjaseg <code@jaseg.net>2019-06-26 16:41:45 +0900
committerjaseg <git@jaseg.net>2019-06-26 16:41:45 +0900
commit297cfc071e2d3e68dd137139db2c0a2c48611443 (patch)
treeecf4b7b8f00fe06d4ba4b87ed6deb5e49dba909b
parenta2d4afc7dfe278dacc64b5177ff993267c909685 (diff)
Misc changes. Move up to fedora 30, add gerbolyze, secure download
-rw-r--r--inventory.yml1
-rw-r--r--nginx.conf80
-rw-r--r--nginx_nossl.conf7
-rw-r--r--playbook.yml15
-rw-r--r--secure_download.cfg.j21
-rw-r--r--setup_secure_download.yml57
-rw-r--r--setup_webserver.yml15
-rw-r--r--tmpfiles-secure-download.conf.j21
-rw-r--r--uwsgi-secure-download.ini10
9 files changed, 161 insertions, 26 deletions
diff --git a/inventory.yml b/inventory.yml
index 34e2e99..ea577e3 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -5,3 +5,4 @@ all:
ansible_host: wendelstein.jaseg.net
ansible_ssh_identity_file: ~/.ssh/id_ed25519
ansible_user: root
+ ansible_python_interpreter: /usr/bin/python3
diff --git a/nginx.conf b/nginx.conf
index 6344904..1f44981 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -51,36 +51,86 @@ http {
ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_stapling on;
- ssl_stapling_verify on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
- add_header Strict-Transport-Security "max-age=86400";
+ add_header Strict-Transport-Security "max-age=86400";
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
- location ^~ /static/ {
- root /var/lib/gerboweb;
- }
+ location ^~ /static/ {
+ root /var/lib/gerboweb;
+ }
+
+ location / {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name blog.jaseg.net blog.jaseg.net;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name blog.jaseg.net blog.jaseg.net;
+ root /usr/share/nginx/html;
+
+ ssl_certificate "/etc/letsencrypt/live/blog.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
+ root /var/www/blog.jaseg.net;
+ }
+
+ location /d/ {
+ rewrite ^/d/(.*)$ /$1 break;
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi/secure-download.socket;
}
error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
+ location = /40x.html {
+ root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
}
}
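Review bot: `server_name blog.jaseg.net blog.jaseg.net;` in both new blog server blocks repeats the same name, which reads like a copy-paste slip where a second host (a `www.` variant, presumably) was intended; nginx tolerates it but the duplicate has no effect, so it should become `server_name blog.jaseg.net;` or the intended second name. The gerbolyze block moved here also keeps `error_page 404 /404.html;` next to `location = /40x.html`, so the location never matches the page nginx actually redirects to; `error_page 404 /40x.html;` aligns the two, and the same mismatch is copied into the blog server at the bottom of the hunk. The new blog server sends `Strict-Transport-Security "max-age=86400"`, a one-day policy; once the certificate setup is stable a longer max-age gives clients durable protection against downgrade.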
diff --git a/nginx_nossl.conf b/nginx_nossl.conf
index 0ecd1cb..8d5a5a5 100644
--- a/nginx_nossl.conf
+++ b/nginx_nossl.conf
@@ -41,5 +41,12 @@ http {
server_name gerbolyze.jaseg.net;
return 301 https://$host$request_uri;
}
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name blog.jaseg.net;
+ return 301 https://$host$request_uri;
+ }
}
diff --git a/playbook.yml b/playbook.yml
index 1c694d5..afea884 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -12,7 +12,7 @@
- name: Install host requisites
dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services
+ name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex
state: latest
- name: Disable password-based root login
@@ -28,18 +28,10 @@
state: restarted
when: disable_root_pw_ssh is changed
- - name: Create iptables firewall config dir
- file:
- path: /etc/iptables
- state: directory
- owner: root
- group: root
- mode: 0775
-
- name: Configure iptables firewall service
copy:
src: iptables.rules
- dest: /etc/iptables/iptables.rules
+ dest: /etc/sysconfig/iptables
owner: root
group: root
mode: 0664
@@ -65,3 +57,6 @@
- name: Setup clippy
include_tasks: setup_clippy.yml
+
+ - name: Setup secure download
+ include_tasks: setup_secure_download.yml
diff --git a/secure_download.cfg.j2 b/secure_download.cfg.j2
new file mode 100644
index 0000000..36d86c1
--- /dev/null
+++ b/secure_download.cfg.j2
@@ -0,0 +1 @@
+SERVE_PATH="{{secure_download_dir}}"
diff --git a/setup_secure_download.yml b/setup_secure_download.yml
new file mode 100644
index 0000000..aa94a53
--- /dev/null
+++ b/setup_secure_download.yml
@@ -0,0 +1,57 @@
+---
+- name: Set local facts
+ set_fact:
+ secure_download_dir: /var/cache/secure_download
+
+- name: Copy webapp sources
+ synchronize:
+ # FIXME: make this path configurable
+ src: ~/secure_download/
+ dest: /var/lib/secure_download/
+ group: no
+ owner: no
+
+- name: Create secure download worker user and group
+ user:
+ name: uwsgi-secure-download
+ create_home: no
+ group: uwsgi
+ password: '!'
+ shell: /sbin/nologin
+ system: yes
+
+- name: Template webapp config
+ template:
+ src: secure_download.cfg.j2
+ dest: /var/lib/secure_download/secure_download_prod.cfg
+ owner: uwsgi-secure-download
+ group: root
+ mode: 0660
+
+- name: Copy uwsgi config
+ copy:
+ src: uwsgi-secure-download.ini
+ dest: /etc/uwsgi.d/secure-download.ini
+ owner: uwsgi-secure-download
+ group: uwsgi
+ mode: 440
+
+- name: Enable uwsgi systemd socket
+ systemd:
+ daemon-reload: yes
+ name: uwsgi-app@secure-download.socket
+ enabled: yes
+
+- name: Copy server dir tmpfiles.d config
+ template:
+ src: tmpfiles-secure-download.conf.j2
+ dest: /etc/tmpfiles.d/secure-download.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: sec_dl_tmpfiles_config
+
+- name: Kick systemd tmpfiles service to create serve dir
+ command: systemd-tmpfiles --create
+ when: sec_dl_tmpfiles_config is changed
+
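Review bot: `mode: 440` on the "Copy uwsgi config" task lacks the leading zero, so YAML yields decimal 440 and Ansible applies that as the numeric mode, which is octal 0670 (group-writable, not the intended 0440); write `mode: "0440"`, and quoting `"0660"`/`"0644"` in the same file keeps them out of YAML octal handling too. The templated webapp config is installed `0660` owned by `uwsgi-secure-download`, which lets the worker rewrite its own settings file; `"0640"` is enough for a config the service only reads. The trailing empty `+` line at the end of the file is stray whitespace.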
diff --git a/setup_webserver.yml b/setup_webserver.yml
index 7dc65c5..ea821d8 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -9,6 +9,14 @@
groups: uwsgi
append: yes
+- name: Create blog.jaseg.net content dir
+ file:
+ path: /var/www/blog.jaseg.net
+ state: directory
+ owner: nginx
+ group: nginx
+ mode: 0550
+
- name: Copy uwsgi systemd socket config
copy:
src: uwsgi-app@.socket
@@ -30,11 +38,16 @@
enabled: yes
state: restarted
-- name: Create letsencrypt certificate
+- name: Create letsencrypt certificate for gerbolyze.jaseg.net
command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
args:
creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
+- name: Create letsencrypt certificate for blog.jaseg.net
+ command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
+ args:
+ creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem
+
- name: Copy final nginx config
copy:
src: nginx.conf
diff --git a/tmpfiles-secure-download.conf.j2 b/tmpfiles-secure-download.conf.j2
new file mode 100644
index 0000000..84d7add
--- /dev/null
+++ b/tmpfiles-secure-download.conf.j2
@@ -0,0 +1 @@
+d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d
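Review bot: The tmpfiles entry names `uwsgi-download` as the owner, but the user created in setup_secure_download.yml is `uwsgi-secure-download`; systemd-tmpfiles cannot resolve the former and will refuse to create the serve directory, so the "Kick systemd tmpfiles service" task succeeds without producing the path. The line should read `d {{secure_download_dir}} 770 uwsgi-secure-download uwsgi 45d`. The `45d` age field means systemd-tmpfiles prunes entries older than 45 days from the serve directory; that retention deserves a comment on the task that installs this template.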
diff --git a/uwsgi-secure-download.ini b/uwsgi-secure-download.ini
new file mode 100644
index 0000000..5f999fc
--- /dev/null
+++ b/uwsgi-secure-download.ini
@@ -0,0 +1,10 @@
+[uwsgi]
+master = True
+cheap = True
+die-on-idle = False
+manage-script-name = True
+plugins = python3
+chdir = /var/lib/secure_download
+mount = /=server:app
+env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg
+