From 297cfc071e2d3e68dd137139db2c0a2c48611443 Mon Sep 17 00:00:00 2001 From: jaseg Date: Wed, 26 Jun 2019 16:41:45 +0900 Subject: Misc changes. Move up to fedora 30, add gerbolyze, secure download --- inventory.yml | 1 + nginx.conf | 80 ++++++++++++++++++++++++++++++++-------- nginx_nossl.conf | 7 ++++ playbook.yml | 15 +++----- secure_download.cfg.j2 | 1 + setup_secure_download.yml | 57 ++++++++++++++++++++++++++++ setup_webserver.yml | 15 +++++++- tmpfiles-secure-download.conf.j2 | 1 + uwsgi-secure-download.ini | 10 +++++ 9 files changed, 161 insertions(+), 26 deletions(-) create mode 100644 secure_download.cfg.j2 create mode 100644 setup_secure_download.yml create mode 100644 tmpfiles-secure-download.conf.j2 create mode 100644 uwsgi-secure-download.ini diff --git a/inventory.yml b/inventory.yml index 34e2e99..ea577e3 100644 --- a/inventory.yml +++ b/inventory.yml @@ -5,3 +5,4 @@ all: ansible_host: wendelstein.jaseg.net ansible_ssh_identity_file: ~/.ssh/id_ed25519 ansible_user: root + ansible_python_interpreter: /usr/bin/python3 diff --git a/nginx.conf b/nginx.conf index 6344904..1f44981 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -51,36 +51,86 @@ http { ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem"; ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem"; ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; - include /etc/letsencrypt/options-ssl-nginx.conf; + include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; - resolver 67.207.67.2 67.207.67.3 valid=300s; - resolver_timeout 10s; + resolver 67.207.67.2 67.207.67.3 valid=300s; + resolver_timeout 10s; - add_header Strict-Transport-Security "max-age=86400"; + add_header Strict-Transport-Security "max-age=86400"; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; - location ^~ /static/ { - root /var/lib/gerboweb; - } + location ^~ /static/ { + root /var/lib/gerboweb; + } + + location / { + include uwsgi_params; + uwsgi_pass unix:/run/uwsgi/gerboweb.socket; + } + + error_page 404 /404.html; + location = /40x.html { + root /usr/share/nginx/html; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } + + server { + listen 80; + listen [::]:80; + server_name blog.jaseg.net blog.jaseg.net; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name blog.jaseg.net blog.jaseg.net; + root /usr/share/nginx/html; + + ssl_certificate "/etc/letsencrypt/live/blog.jaseg.net/fullchain.pem"; + ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.net/privkey.pem"; + ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; + include /etc/letsencrypt/options-ssl-nginx.conf; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 67.207.67.2 67.207.67.3 valid=300s; + resolver_timeout 10s; + + add_header Strict-Transport-Security "max-age=86400"; + + # Load configuration files for the default server block. 
+ include /etc/nginx/default.d/*.conf; location / { - include uwsgi_params; - uwsgi_pass unix:/run/uwsgi/gerboweb.socket; + root /var/www/blog.jaseg.net; + } + + location /d/ { + rewrite ^/d/(.*)$ /$1 break; + include uwsgi_params; + uwsgi_pass unix:/run/uwsgi/secure-download.socket; } error_page 404 /404.html; - location = /40x.html { - root /usr/share/nginx/html; + location = /40x.html { + root /usr/share/nginx/html; } error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; + location = /50x.html { + root /usr/share/nginx/html; } } diff --git a/nginx_nossl.conf b/nginx_nossl.conf index 0ecd1cb..8d5a5a5 100644 --- a/nginx_nossl.conf +++ b/nginx_nossl.conf @@ -41,5 +41,12 @@ http { server_name gerbolyze.jaseg.net; return 301 https://$host$request_uri; } + + server { + listen 80; + listen [::]:80; + server_name blog.jaseg.net; + return 301 https://$host$request_uri; + } } diff --git a/playbook.yml b/playbook.yml index 1c694d5..afea884 100644 --- a/playbook.yml +++ b/playbook.yml @@ -12,7 +12,7 @@ - name: Install host requisites dnf: - name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services + name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex state: latest - name: Disable password-based root login @@ -28,18 +28,10 @@ state: restarted when: disable_root_pw_ssh is changed - - name: Create iptables firewall config dir - file: - path: /etc/iptables - state: directory - owner: root - group: root - mode: 0775 - - name: Configure iptables firewall service copy: src: iptables.rules - dest: /etc/iptables/iptables.rules + dest: /etc/sysconfig/iptables owner: root group: root mode: 0664 @@ -65,3 +57,6 @@ - name: Setup clippy include_tasks: setup_clippy.yml + + - name: Setup secure download + include_tasks: setup_secure_download.yml 
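Review bot: In both the gerbolyze block and the new blog.jaseg.net block, `error_page 404 /404.html;` names a URI that no location serves, while the handler defined directly below it is `location = /40x.html`, so a 404 falls through to `location /` (the uwsgi app, or `/var/www/blog.jaseg.net`) instead of the static page; one of the two should be renamed, e.g. `error_page 404 /40x.html;`. Both new blog server blocks also read `server_name blog.jaseg.net blog.jaseg.net;`, a harmless duplicate that looks like a leftover from copying the gerbolyze block. The HSTS header copied into the new block keeps `max-age=86400`, which drops the protection for any client that stays away for more than a day; a longer max-age is worth considering once certificate renewal for blog.jaseg.net is known to work. The enclosing `http {` block starts before this hunk.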
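Review bot: The relocated rules file at `dest: /etc/sysconfig/iptables` still gets `mode: 0664`, which leaves the firewall ruleset world-readable and group-writable; only root consumes it, so `mode: 0600` is the least-privilege choice now that the destination is being changed anyway. The removed task that created `/etc/iptables` is not needed for the new path since `/etc/sysconfig` exists on Fedora, so nothing else in this hunk appears to be missing.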
diff --git a/secure_download.cfg.j2 b/secure_download.cfg.j2 new file mode 100644 index 0000000..36d86c1 --- /dev/null +++ b/secure_download.cfg.j2 @@ -0,0 +1 @@ +SERVE_PATH="{{secure_download_dir}}" diff --git a/setup_secure_download.yml b/setup_secure_download.yml new file mode 100644 index 0000000..aa94a53 --- /dev/null +++ b/setup_secure_download.yml @@ -0,0 +1,57 @@ +--- +- name: Set local facts + set_fact: + secure_download_dir: /var/cache/secure_download + +- name: Copy webapp sources + synchronize: + # FIXME: make this path configurable + src: ~/secure_download/ + dest: /var/lib/secure_download/ + group: no + owner: no + +- name: Create secure download worker user and group + user: + name: uwsgi-secure-download + create_home: no + group: uwsgi + password: '!' + shell: /sbin/nologin + system: yes + +- name: Template webapp config + template: + src: secure_download.cfg.j2 + dest: /var/lib/secure_download/secure_download_prod.cfg + owner: uwsgi-secure-download + group: root + mode: 0660 + +- name: Copy uwsgi config + copy: + src: uwsgi-secure-download.ini + dest: /etc/uwsgi.d/secure-download.ini + owner: uwsgi-secure-download + group: uwsgi + mode: 440 + +- name: Enable uwsgi systemd socket + systemd: + daemon-reload: yes + name: uwsgi-app@secure-download.socket + enabled: yes + +- name: Copy server dir tmpfiles.d config + template: + src: tmpfiles-secure-download.conf.j2 + dest: /etc/tmpfiles.d/secure-download.conf + owner: root + group: root + mode: 0644 + register: sec_dl_tmpfiles_config + +- name: Kick systemd tmpfiles service to create serve dir + command: systemd-tmpfiles --create + when: sec_dl_tmpfiles_config is changed + diff --git a/setup_webserver.yml b/setup_webserver.yml index 7dc65c5..ea821d8 100644 --- a/setup_webserver.yml +++ b/setup_webserver.yml 
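Review bot: `mode: 440` in the "Copy uwsgi config" task has no leading zero, so Ansible parses it as decimal 440 (octal 0670, rw-rwx---) rather than the intended 0440; write it as `mode: 0440` or `mode: '0440'`. The templated `secure_download_prod.cfg` is installed with `owner: uwsgi-secure-download` and `mode: 0660`, which lets a compromised worker rewrite its own `SERVE_PATH`; `owner: root`, `group: uwsgi`, `mode: 0640` keeps it read-only for the worker, whose primary group is set to `uwsgi` in the user task above. The socket task only sets `enabled: yes`, unlike the `state: restarted` used for the uwsgi units in setup_webserver.yml, so `uwsgi-app@secure-download.socket` will not listen until the next boot; adding `state: started` fixes that. Whether the uwsgi template unit actually runs this app as `uwsgi-secure-download` is not visible in this patch and should be confirmed.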
@@ -9,6 +9,14 @@ groups: uwsgi append: yes +- name: Create blog.jaseg.net content dir + file: + path: /var/www/blog.jaseg.net + state: directory + owner: nginx + group: nginx + mode: 0550 + - name: Copy uwsgi systemd socket config copy: src: uwsgi-app@.socket @@ -30,11 +38,16 @@ enabled: yes state: restarted -- name: Create letsencrypt certificate +- name: Create letsencrypt certificate for gerbolyze.jaseg.net command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net args: creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem +- name: Create letsencrypt certificate for blog.jaseg.net + command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net + args: + creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem + - name: Copy final nginx config copy: src: nginx.conf diff --git a/tmpfiles-secure-download.conf.j2 b/tmpfiles-secure-download.conf.j2 new file mode 100644 index 0000000..84d7add --- /dev/null +++ b/tmpfiles-secure-download.conf.j2 @@ -0,0 +1 @@ +d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d diff --git a/uwsgi-secure-download.ini b/uwsgi-secure-download.ini new file mode 100644 index 0000000..5f999fc --- /dev/null +++ b/uwsgi-secure-download.ini @@ -0,0 +1,10 @@ +[uwsgi] +master = True +cheap = True +die-on-idle = False +manage-script-name = True +plugins = python3 +chdir = /var/lib/secure_download +mount = /=server:app +env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg + -- cgit
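Review bot: The new `/var/www/blog.jaseg.net` content dir is created with `owner: nginx`, so the account the nginx workers run under owns what it serves; `mode: 0550` blocks writes, but an owner can still change the mode. For static content the least-privilege layout is `owner: root`, `group: nginx`, `mode: 0750`, with content deployed as root. Nothing in this patch populates the directory yet, so the files placed there later will need the same treatment.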
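Review bot: The tmpfiles entry `d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d` names the user `uwsgi-download`, but the account created in setup_secure_download.yml is `uwsgi-secure-download`; systemd-tmpfiles cannot resolve the owner and will not create the serve directory, so the `systemd-tmpfiles --create` task in the playbook will fail. Change the owner field to `uwsgi-secure-download`. The trailing `45d` is presumably the intended retention for served files, which only takes effect if the systemd-tmpfiles-clean timer is active on the host; a one-line comment in the template stating that would save the next reader a lookup.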
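Review bot: With `mount = /=server:app` and `manage-script-name = True`, uwsgi derives SCRIPT_NAME from the mountpoint `/`, while nginx already strips the `/d/` prefix with `rewrite ^/d/(.*)$ /$1 break;` before `uwsgi_pass`, so the app sees itself mounted at `/` and any URLs it generates will lack the `/d/` prefix. Mounting at the public path (`mount = /d/=server:app`) and dropping the nginx rewrite keeps the two sides consistent; whether the app generates absolute links is not visible here. The file also ends with an empty added line, which can be dropped.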