From e5f2f505e8fe8455f17da46ef3d322809e2efa22 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Mon, 18 Mar 2024 17:49:43 -0400
Subject: [PATCH] add nginx role
---
 group_vars/nginx.yml | 3 ++
 inventory | 3 ++
 playbooks/deploy-nginx.yml | 6 +++
 playbooks/roles/nginx/files/nginx.conf | 26 +++++++++++
 playbooks/roles/nginx/handlers/main.yml | 12 +++++
 playbooks/roles/nginx/tasks/main.yml | 44 +++++++++++++++++++
 .../http.auth.hatecomputers.club.conf | 8 ++++
 .../https.auth.hatecomputers.club.conf | 23 ++++++++++
 8 files changed, 125 insertions(+)
 create mode 100644 group_vars/nginx.yml
 create mode 100644 playbooks/deploy-nginx.yml
 create mode 100644 playbooks/roles/nginx/files/nginx.conf
 create mode 100644 playbooks/roles/nginx/handlers/main.yml
 create mode 100644 playbooks/roles/nginx/tasks/main.yml
 create mode 100644 playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf
 create mode 100644 playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
new file mode 100644
index 0000000..26f919f
--- /dev/null
+++ b/group_vars/nginx.yml
@@ -0,0 +1,3 @@
+---
+
+dh_params_src: https://ssl-config.mozilla.org/ffdhe2048.txt
diff --git a/inventory b/inventory
index 5aedd72..56faa32 100644
--- a/inventory
+++ b/inventory
@@ -9,3 +9,6 @@ fern.hatecomputers.club ansible_user=root ansible_connection=ssh
 
 [kanidm]
 fern.hatecomputers.club ansible_user=root ansible_connection=ssh
+
+[nginx]
+fern.hatecomputers.club ansible_user=root ansible_connection=ssh
diff --git a/playbooks/deploy-nginx.yml b/playbooks/deploy-nginx.yml
new file mode 100644
index 0000000..95f747d
--- /dev/null
+++ b/playbooks/deploy-nginx.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Nginx setup
+ hosts: nginx
+ roles:
+ - nginx
diff --git a/playbooks/roles/nginx/files/nginx.conf b/playbooks/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..6ddd8ab
--- /dev/null
+++ b/playbooks/roles/nginx/files/nginx.conf
@@ -0,0 +1,26 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/playbooks/roles/nginx/handlers/main.yml b/playbooks/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..2ce85ba
--- /dev/null
+++ b/playbooks/roles/nginx/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Restart nginx
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+ enabled: true
+
+- name: Restart ufw
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
diff --git a/playbooks/roles/nginx/tasks/main.yml b/playbooks/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..b4cd6ed
--- /dev/null
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Allow http
+ community.general.ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+- name: Allow https
+ community.general.ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+ notify:
+ - Restart ufw
+
+- name: Install nginx
+ ansible.builtin.apt:
+ name: nginx
+ state: present
+ notify:
+ - Restart nginx
+
+- name: Download dhparams
+ ansible.builtin.get_url:
+ url: "{{ dh_params_src }}"
+ dest: /etc/nginx/dhparams.pem
+ mode: '0755'
+
+- name: Add system nginx config
+ ansible.builtin.copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+ mode: '0755'
+
+- name: Copy nginx sites
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ mode: '0755'
+ with_fileglob:
+ - "templates/{{ inventory_hostname }}/*.conf"
+ notify:
+ - Restart nginx
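Review bot: The `http` block never sets `server_tokens off;`, so nginx will advertise its exact version in the `Server` header and on its built-in error pages; add `server_tokens off;` next to the `sendfile`/`tcp_nopush` settings. The closing `include /etc/nginx/sites-enabled/*;` also loads whatever the distribution package leaves in that directory (on Debian-family hosts this is presumably the stock `default` site on port 80), which would sit alongside the per-host templates the role copies in — verify, and have the role remove the stock site if it is not wanted. Worker settings (`worker_processes 4;`) are hard-coded rather than `auto`, which is fine but worth a comment naming the host it was sized for.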
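Review bot: `enabled: true` on the `Restart nginx` handler only applies when the handler actually fires, so a run in which nothing changed never enables the unit at boot; move it to an unconditional `ansible.builtin.service: { name: nginx, state: started, enabled: true }` task after the install step and keep the handler to restarts only. For config-only changes `state: reloaded` is the safer handler action than `restarted`, since a reload keeps existing connections open and refuses a broken config instead of taking the listener down. The `Restart ufw` handler is notified only by the `Allow https` task in the tasks hunk and not by `Allow http`; as far as I can tell the ufw module applies rules immediately, so the handler is likely unnecessary rather than missing from the first task — confirm and drop it, or notify it consistently.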
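Review bot: The three file-deploy tasks write `/etc/nginx/dhparams.pem`, `/etc/nginx/nginx.conf` and the site configs with `mode: '0755'`; these are read-only configuration files, so the executable bit is wrong and `mode: '0644'` is the correct permission on all three. `Download dhparams` fetches the group over the network on every run with no `checksum:`, so a changed or tampered response silently becomes the server's DH parameters — pin it with the published digest — and neither it nor `Add system nginx config` notifies `Restart nginx`, so changing nginx.conf or the dhparams never reaches the running process. `Add system nginx config` also overwrites the live config without `validate:`, so a typo surfaces as a failed restart rather than a failed task. The firewall tasks add allow rules but never set the ufw module's `state: enabled`; if ufw is not already active on the host those rules are inert — verify against the host. Rewritten dhparams and nginx.conf tasks below; `Copy nginx sites` only needs `mode: '0644'`.

```yaml
# … unchanged: Allow http / Allow https / Install nginx tasks …

- name: Download dhparams
  ansible.builtin.get_url:
    url: "{{ dh_params_src }}"
    dest: /etc/nginx/dhparams.pem
    mode: '0644'
    # placeholder: replace with the published SHA-256 of ffdhe2048.txt
    checksum: "sha256:<EXPECTED_SHA256_OF_FFDHE2048_TXT>"
  notify:
    - Restart nginx

- name: Add system nginx config
  ansible.builtin.copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    mode: '0644'
    # fail the task, not the service, on a bad config
    validate: nginx -t -c %s
  notify:
    - Restart nginx

# … unchanged: Copy nginx sites task (with mode: '0644') …
```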
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf
new file mode 100644
index 0000000..ac62557
--- /dev/null
+++ b/playbooks/roles/nginx/templates/fern.hatecomputers.club/http.auth.hatecomputers.club.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name auth.hatecomputers.club;
+
+ location / {
+ rewrite ^ https://auth.hatecomputers.club$request_uri? permanent;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf b/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf
new file mode 100644
index 0000000..30e7745
--- /dev/null
+++ b/playbooks/roles/nginx/templates/fern.hatecomputers.club/https.auth.hatecomputers.club.conf
@@ -0,0 +1,23 @@
+server {
+ server_name auth.hatecomputers.club;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/auth.hatecomputers.club/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/auth.hatecomputers.club/privkey.pem;
+
+ location / {
+ proxy_pass https://localhost:8443;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+}
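Review bot: The `rewrite ^ https://auth.hatecomputers.club$request_uri? permanent;` line is the long form of a whole-site redirect; `return 301 https://auth.hatecomputers.club$request_uri;` does the same without regex evaluation and makes the status code explicit, and is the form nginx's own documentation recommends for this case. Because `location /` catches every path, HTTP-01 ACME challenge requests on port 80 are redirected as well; presumably the certificate under `/etc/letsencrypt/live/` referenced by the https site is obtained in a way that tolerates that — verify, or add a `location /.well-known/acme-challenge/` block that serves the challenge directory before the redirect.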
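Review bot: The `location /` block proxies to `https://localhost:8443` without `proxy_set_header Host $host;`, so the upstream receives `Host: localhost:8443` (nginx defaults the header to `$proxy_host`) and cannot tell which public name was requested; add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing X-Forwarded-* headers. The TLS settings match the Mozilla intermediate profile that the ffdhe2048 group in group_vars also comes from, but omit that profile's `add_header Strict-Transport-Security "max-age=63072000" always;` and `ssl_session_cache shared:MozSSL:10m;`; without HSTS the port-80 redirect is the only thing keeping returning clients on TLS. The upstream hop is itself TLS and nginx does not verify upstream certificates unless `proxy_ssl_verify on` is set; on a loopback hop that is a reasonable trade-off, but it deserves a one-line comment saying so.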