-rw-r--r-- | nginx_nossl.conf | 45 | ||||
-rw-r--r-- | playbook.yml | 93 | ||||
-rw-r--r-- | tmpfiles-gerboweb.conf | 2 |
3 files changed, 115 insertions, 25 deletions
diff --git a/nginx_nossl.conf b/nginx_nossl.conf
new file mode 100644
index 0000000..0ecd1cb
--- /dev/null
+++ b/nginx_nossl.conf
@@ -0,0 +1,45 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+worker_connections 1024;
+}
+
+http {
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 4096;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+# Load modular configuration files from the /etc/nginx/conf.d directory.
+# See http://nginx.org/en/docs/ngx_core_module.html#include
+# for more information.
+include /etc/nginx/conf.d/*.conf;
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name gerbolyze.jaseg.net;
+return 301 https://$host$request_uri;
+}
+}
+
diff --git a/playbook.yml b/playbook.yml
index 9753df6..a0ff505 100644
--- a/playbook.yml
+++ b/playbook.yml
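Review bot: The redirect in the new `server` block is built from `$host`, which nginx takes from the client's Host header, and because the block is `default_server` on both listeners it answers for any name the client sends, so the 301 points wherever the Host header says rather than at the site. With a single served name the target can be pinned: `return 301 https://gerbolyze.jaseg.net$request_uri;` (or `https://$server_name$request_uri;`). This first-stage file is only meant to live until the final config is copied over it, but the same redirect is likely to be carried into that config, so it is worth fixing here.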
@@ -1,6 +1,33 @@
 - name: Gerbolyze container setup playbook
- hosts: all
+ hosts: wendelstein
 tasks:
+ - name: Set hostname
+ hostname:
+ name: wendelstein.jaseg.net
+
+ - name: Install common admin tools
+ dnf:
+ name: htop,tmux,fish,mosh,neovim
+ state: latest
+
+ - name: Install host requisites
+ dnf:
+ name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python
+ state: latest
+
+ - name: Disable password-based root login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin without-password'
+ register: disable_root_pw_ssh
+
+ - name: Restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ when: disable_root_pw_ssh is changed
+
 - name: Create container image file
 command: truncate -s 4G /var/cache/gerbolyze_container.img
 args:
@@ -14,11 +41,6 @@
 checksum: sha256:865c8a25312b663e724923eecf0dfc626f4cd621e2cfcb19eafc69a4fc666756
 when: create_container is changed
- - name: Install host requisites
- dnf:
- name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx
- state: latest
-
 - name: Create container image filesystem
 filesystem:
 dev: /var/cache/gerbolyze_container.img
@@ -88,9 +110,9 @@
 group: no
 owner: no
- - name: Copy nginx config
+ - name: Copy first stage nginx config
 copy:
- src: nginx.conf
+ src: nginx_nossl.conf
 dest: /etc/nginx/nginx.conf
 - name: Create uwsgi worker user and group
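Review bot: The `lineinfile` task in the first hunk edits `sshd_config` and the following task restarts sshd whenever that edit reports a change, but nothing checks the edited file before the restart, so a malformed line leaves sshd down on a host that is presumably only reachable over ssh. Adding `validate: '/usr/sbin/sshd -t -f %s'` to the `lineinfile` arguments makes Ansible test the candidate file and refuse the edit (and hence the restart) when sshd rejects it. `without-password` is the legacy spelling of `prohibit-password`; `line: 'PermitRootLogin prohibit-password'` says the same thing in the current keyword. On systems whose `sshd_config` begins with an `Include` of a drop-in directory, a `PermitRootLogin` set in a drop-in takes precedence over this line because sshd keeps the first value it reads, which is worth confirming on the target since this playbook installs via `dnf`.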
@@ -136,22 +158,33 @@
 state: permissive
 policy: targeted
- - name: Create letsencrypt certificate
- command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
- args:
- creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
-
- - name: Enable certbot renewal timer
- systemd:
- name: certbot-renew.timer
- enabled: yes
-
 - name: Enable uwsgi systemd socket
 systemd:
 daemon-reload: yes
 name: uwsgi-app@gerboweb.socket
 enabled: yes
+ - name: Copy gerboweb cache dir tmpfiles.d config
+ copy:
+ src: tmpfiles-gerboweb.conf
+ dest: /etc/tmpfiles.d/gerboweb.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: tmpfiles_config
+
+ - name: Kick systemd tmpfiles service to create cache dir
+ command: systemd-tmpfiles --create
+ when: tmpfiles_config is changed
+
+ - name: Create job queue db
+ file:
+ path: /var/cache/gerboweb/job_queue.sqlite3
+ owner: root
+ group: uwsgi
+ mode: 0660
+ state: touch
+
 - name: Enable and launch job processor
 systemd:
 name: gerboweb-job-processor.service
@@ -164,11 +197,23 @@
 enabled: yes
 state: restarted
- - name: Copy gerboweb cache dir tmpfiles.d config
+ - name: Create letsencrypt certificate
+ command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+ args:
+ creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
+
+ - name: Copy final nginx config
 copy:
- src: tmpfiles-gerboweb.conf
- dest: /etc/tmpfiles.d/gerboweb.conf
- owner: root
- group: root
- mode: 0644
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+ - name: Restart nginx to load new cert
+ systemd:
+ name: nginx.service
+ state: restarted
+
+ - name: Enable certbot renewal timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
diff --git a/tmpfiles-gerboweb.conf b/tmpfiles-gerboweb.conf
index 33264cf..1f11122 100644
--- a/tmpfiles-gerboweb.conf
+++ b/tmpfiles-gerboweb.conf
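Review bot: The `Create job queue db` task in the first hunk uses `file` with `state: touch`, which rewrites the file's timestamps and reports `changed` on every run, so the play never converges on this task and anything later gated on its result would always fire. Keeping the create-if-missing behaviour while leaving an existing database alone takes two extra lines under `file:`, `modification_time: preserve` and `access_time: preserve` (available since Ansible 2.7). The unquoted `mode: 0660` here and `mode: 0644` on the tmpfiles copy above it depend on the YAML loader reading the leading zero as octal; `mode: "0660"` / `mode: "0644"` removes that dependency and is what the Ansible docs recommend.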
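Review bot: `Restart nginx to load new cert` in the second hunk runs `state: restarted` unconditionally, so every play run bounces nginx and drops in-flight requests even when neither the certificate nor the final config changed. The commit already uses the register-and-`when` pattern for sshd and for tmpfiles, and the same pattern fits here: register the certbot task and the final-config copy, and restart only when one of them reported a change. Whether the certbot task is `changed` on the first run depends on `creates:` having been absent, which is the case the restart is meant for. The `enabled: yes` values are YAML 1.1 truthy scalars; `true` is the portable spelling (style only).

```yaml
  - name: Create letsencrypt certificate
    # … unchanged: command and args/creates …
    register: letsencrypt_cert

  - name: Copy final nginx config
    # … unchanged: copy src/dest …
    register: final_nginx_config

  - name: Restart nginx to load new cert
    systemd:
      name: nginx.service
      state: restarted
    when: letsencrypt_cert is changed or final_nginx_config is changed
```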
@@ -1 +1 @@
-d /var/cache/gerboweb 760 uwsgi-gerboweb uwsgi 2d
+d /var/cache/gerboweb 770 uwsgi-gerboweb uwsgi 2d
|
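Review bot: The `2d` age on this `d` line applies to everything inside `/var/cache/gerboweb`, and the playbook in this same commit now creates `/var/cache/gerboweb/job_queue.sqlite3` there, so the periodic `systemd-tmpfiles --clean` will delete the queue database if nothing reads or writes it for two days (with relatime a read refreshes atime at most once a day, so an idle queue is the case to worry about). Excluding it with a second line, `x /var/cache/gerboweb/job_queue.sqlite3`, keeps the cleanup for the cache files while protecting the database; moving the database out of the aged directory would do the same. With the mode widened to `770`, every process in group `uwsgi` can unlink or replace entries in the directory regardless of per-file ownership; if other services share that group, `1770` (sticky bit) limits deletion to the file owner.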