Browse Source

Added nginx & uwsgi roles

master
Darks 10 months ago
commit
7b6ecefcdf
Signed by: Darks GPG Key ID: F61F10FA138E797C
27 changed files with 665 additions and 0 deletions
  1. +1
    -0
      .gitignore
  2. +1
    -0
      inventory.yml
  3. +9
    -0
      nginx.yml
  4. +11
    -0
      roles/nginx/files/common.conf
  5. +7
    -0
      roles/nginx/files/conf.d/blockuseragents.conf
  6. +17
    -0
      roles/nginx/files/conf.d/ddos.conf
  7. +6
    -0
      roles/nginx/files/conf.d/header.conf
  8. +4
    -0
      roles/nginx/files/gzip.conf
  9. +28
    -0
      roles/nginx/files/nginx.conf
  10. +22
    -0
      roles/nginx/files/sites-available/000-default.conf
  11. +51
    -0
      roles/nginx/files/sites-available/bible.conf
  12. +57
    -0
      roles/nginx/files/sites-available/creativecalc.conf
  13. +41
    -0
      roles/nginx/files/sites-available/gitea.conf
  14. +37
    -0
      roles/nginx/files/sites-available/grafana.conf
  15. +47
    -0
      roles/nginx/files/sites-available/mumbleweb.conf
  16. +42
    -0
      roles/nginx/files/sites-available/p7.conf
  17. +72
    -0
      roles/nginx/files/sites-available/pc-dev.conf
  18. +72
    -0
      roles/nginx/files/sites-available/pc.conf
  19. +8
    -0
      roles/nginx/files/ssl.conf
  20. +50
    -0
      roles/nginx/tasks/main.yml
  21. +9
    -0
      roles/nginx/vars/main.yml
  22. +9
    -0
      roles/uwsgi/files/pc-dev.ini
  23. +9
    -0
      roles/uwsgi/files/pc.ini
  24. +17
    -0
      roles/uwsgi/files/uwsgi@.service
  25. +27
    -0
      roles/uwsgi/tasks/main.yml
  26. +2
    -0
      roles/uwsgi/vars/main.yml
  27. +9
    -0
      uwsgi.yml

+ 1
- 0
.gitignore View File

@ -0,0 +1 @@
tests/

+ 1
- 0
inventory.yml View File

@ -0,0 +1 @@
aperture-labs # Add an entry in your ~/.ssh/config

+ 9
- 0
nginx.yml View File

@ -0,0 +1,9 @@
---
- name: Update Nginx configuration
hosts: all
become: yes
become_user: root
become_method: sudo
roles:
- nginx

+ 11
- 0
roles/nginx/files/common.conf View File

@ -0,0 +1,11 @@
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
if ($blockedagent) {
return 403;
}
if ($request_method !~ ^(GET|PUT|POST)$ ) {
return 444;
}

+ 7
- 0
roles/nginx/files/conf.d/blockuseragents.conf View File

@ -0,0 +1,7 @@
map $http_user_agent $blockedagent {
default 0;
~*malicious 1;
~*backdoor 1;
~*crawler 1;
~*spider 1;
}

+ 17
- 0
roles/nginx/files/conf.d/ddos.conf View File

@ -0,0 +1,17 @@
# Slow DDOS Protection
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# DDOS Protection
# Maximum request per IP // 100 per seconde
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;
# Maximum Connection per IP // 100 per seconde
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;

+ 6
- 0
roles/nginx/files/conf.d/header.conf View File

@ -0,0 +1,6 @@
# Bad Header Protection
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

+ 4
- 0
roles/nginx/files/gzip.conf View File

@ -0,0 +1,4 @@
gzip on;
gzip_vary on;
gzip_types *;
gzip_min_length 1000;

+ 28
- 0
roles/nginx/files/nginx.conf View File

@ -0,0 +1,28 @@
user http;
worker_processes auto;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
use epoll;
worker_connections 256;
}
http {
index index.html index.htm index.php;
server_tokens off;
include /etc/nginx/mime.types;
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_bucket_size 128;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 22
- 0
roles/nginx/files/sites-available/000-default.conf View File

@ -0,0 +1,22 @@
server {
listen 127.0.0.1:8080;
access_log off;
location /nginx-status {
stub_status on;
}
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
include common.conf;
return 301 https://www.planet-casio.com;
}

+ 51
- 0
roles/nginx/files/sites-available/bible.conf View File

@ -0,0 +1,51 @@
server {
listen [::]:80;
listen *:80;
server_name bible.planet-casio.com;
include common.conf;
access_log /var/log/nginx/bible_access.log;
error_log /var/log/nginx/bible_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name bible.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/bible.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/bible.planet-casio.com/privkey.pem;
access_log /var/log/nginx/bible_access.log;
error_log /var/log/nginx/bible_error.log;
root /home/bible/www;
location / {
autoindex on;
charset utf8;
rewrite ^/casio(.*)$ /common/casio$1 permanent;
rewrite ^/hardware(.*)$ /common/hardware$1 permanent;
rewrite ^/renesas(.*)$ /common/renesas$1 permanent;
rewrite ^/misc(.*)$ /common/misc$1 permanent;
rewrite ^/user_manuals(.*)$ /common/user_manuals$1 permanent;
}
location /yatis/.git/ {
deny all;
}
location /cakeisalie5/websaves/graph100.com/forum/ {
charset ISO-8859;
}
}

+ 57
- 0
roles/nginx/files/sites-available/creativecalc.conf View File

@ -0,0 +1,57 @@
server {
listen [::]:80;
listen *:80;
server_name creativecalc.fr www.creativecalc.fr;
include common.conf;
access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name creativecalc.fr;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;
location / {
return 301 https://www.creativecalc.fr$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name www.creativecalc.fr;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
access_log /var/log/nginx/creativecalc_access.log;
error_log /var/log/nginx/creativecalc_error.log;
root /home/creativecalc/www;
location /assets/fonts {
expires 365d;
}
}

+ 41
- 0
roles/nginx/files/sites-available/gitea.conf View File

@ -0,0 +1,41 @@
server {
listen [::]:80;
listen *:80;
server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name gitea.planet-casio.com git.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/gitea.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/gitea.planet-casio.com/privkey.pem;
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
if ($http_host != "gitea.planet-casio.com") {
rewrite ^ https://gitea.planet-casio.com$request_uri permanent;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3001;
}
}

+ 37
- 0
roles/nginx/files/sites-available/grafana.conf View File

@ -0,0 +1,37 @@
server {
listen [::]:80;
listen *:80;
server_name grafana.planet-casio.com;
include common.conf;
access_log /var/log/nginx/grafana_access.log;
error_log /var/log/nginx/grafana_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name grafana.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/grafana.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/grafana.planet-casio.com/privkey.pem;
access_log /var/log/nginx/grafana_access.log;
error_log /var/log/nginx/grafana_error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:3000;
}
}

+ 47
- 0
roles/nginx/files/sites-available/mumbleweb.conf View File

@ -0,0 +1,47 @@
server {
listen [::]:80;
listen *:80;
server_name mumble.planet-casio.com;
include common.conf;
access_log /var/log/nginx/mumbleweb_access.log;
error_log /var/log/nginx/mumbleweb_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl;
listen *:443 ssl;
server_name mumble.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
access_log /var/log/nginx/mumbleweb_access.log;
error_log /var/log/nginx/mumbleweb_error.log;
location / {
root /usr/local/lib/node_modules/mumble-web/dist;
}
location /client {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://localhost:64737;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

+ 42
- 0
roles/nginx/files/sites-available/p7.conf View File

@ -0,0 +1,42 @@
server {
listen [::]:80;
listen *:80;
server_name p7.planet-casio.com;
include common.conf;
access_log /var/log/nginx/p7_access.log;
error_log /var/log/nginx/p7_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
server_name p7.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/p7.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/p7.planet-casio.com/privkey.pem;
access_log /var/log/nginx/p7_access.log;
error_log /var/log/nginx/p7_error.log;
root /home/p7/www;
location /pub {
alias /home/p7/pub;
autoindex on;
}
location / {
index fr.html;
}
}

+ 72
- 0
roles/nginx/files/sites-available/pc-dev.conf View File

@ -0,0 +1,72 @@
server {
listen [::]:80;
listen *:80;
# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;
include common.conf;
access_log /var/log/nginx/pc-dev_access.log;
error_log /var/log/nginx/pc-dev_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
# server_name dev.planet-casio.com;
server_name v5.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
access_log /var/log/nginx/pc-dev_access.log;
error_log /var/log/nginx/pc-dev_error.log;
root /home/pc-dev/www;
# Serve files from /static as static files
location /static {
alias /home/pc-dev/www/app/static;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}
# Serve avatars
location /avatar {
root /home/pc-dev/data;
try_files $uri /avatar/default_avatar.png =404;
expires max;
add_header Cache-Control "public";
include gzip.conf;
}
# Serve files
location /fichiers {
alias /home/pc-dev/data/fichiers;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}
# Pass everything else to the application
location / {
try_files @fake @application;
}
location @application {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi.pc-dev/socket;
}
}

+ 72
- 0
roles/nginx/files/sites-available/pc.conf View File

@ -0,0 +1,72 @@
server {
listen [::]:80;
listen *:80;
# server_name v5.planet-casio.com;
server_name www.planet-casio.com;
include common.conf;
access_log /var/log/nginx/pc_access.log;
error_log /var/log/nginx/pc_error.log;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen [::]:443 ssl http2;
listen *:443 ssl http2;
# server_name v5.planet-casio.com;
server_name www.planet-casio.com;
include common.conf;
include ssl.conf;
ssl_certificate /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
access_log /var/log/nginx/pc_access.log;
error_log /var/log/nginx/pc_error.log;
root /home/pc/www;
# Serve files from /static as static files
location /static {
alias /home/pc/www/app/static;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}
# Serve avatars
location /avatar {
root /home/pc/data;
try_files $uri /avatar/default_avatar.png =404;
expires max;
add_header Cache-Control "public";
include gzip.conf;
}
# Serve files
location /fichiers {
alias /home/pc/data/fichiers;
try_files $uri =404;
expires 7d;
add_header Cache-Control "public";
include gzip.conf;
}
# Pass everything else to the application
location / {
try_files @fake @application;
}
location @application {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi.pc/socket;
}
}

+ 8
- 0
roles/nginx/files/ssl.conf View File

@ -0,0 +1,8 @@
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE+CHACHA20:ECDHE+AESGCM';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;

+ 50
- 0
roles/nginx/tasks/main.yml View File

@ -0,0 +1,50 @@
---
- name: "Install nginx"
pacman:
name: "nginx"
state: present
- name: "Make configuration structure"
file:
path: "/etc/nginx/{{}}"
state: directory
loop:
- "conf.d"
- "sites-available"
- "sites-enabled"
- name: "Copy common files"
copy:
src: '{{ item }}'
dest: '/etc/nginx/'
owner: 'root'
mode: 0644
with_fileglob: '*.conf'
- name: "Copy conf.d"
copy:
src: '{{ item }}'
dest: '/etc/nginx/sites-available/'
owner: 'root'
mode: 0644
with_fileglob: 'conf.d/*.conf'
- name: "Copy sites-available"
copy:
src: '{{ item }}'
dest: '/etc/nginx/sites-available/'
owner: 'root'
mode: 0644
with_fileglob: 'sites-available/*.conf'
- name: "Enable sites"
file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
state: link
loop: "{{ sites_enabled }}"
- name: "Restarting nginx"
service:
name: "nginx"
state: reloaded

+ 9
- 0
roles/nginx/vars/main.yml View File

@ -0,0 +1,9 @@
sites_enabled:
- "000-default"
- "bible"
- "creativecalc"
- "gitea"
- "grafana"
- "mumbleweb"
- "p7"
- "pc-dev"

+ 9
- 0
roles/uwsgi/files/pc-dev.ini View File

@ -0,0 +1,9 @@
[uwsgi]
uid = pc-dev
gid = pc-dev
socket = /run/uwsgi.pc-dev/socket
chmod-socket = 770
manage-script-name = true
mount = /=app:app
master = true
plugins = python

+ 9
- 0
roles/uwsgi/files/pc.ini View File

@ -0,0 +1,9 @@
[uwsgi]
uid = pc
gid = pc
socket = /run/uwsgi.pc/socket
chmod-socket = 770
manage-script-name = true
mount = /=app:app
master = true
plugins = python

+ 17
- 0
roles/uwsgi/files/uwsgi@.service View File

@ -0,0 +1,17 @@
[Unit]
Description=uWSGI service unit
After=syslog.target
[Service]
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/%i.ini
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -INT $MAINPID
Restart=always
Type=notify
StandardError=syslog
NotifyAccess=all
KillSignal=SIGQUIT
WorkingDirectory=/home/%i/www/
[Install]
WantedBy=multi-user.target

+ 27
- 0
roles/uwsgi/tasks/main.yml View File

@ -0,0 +1,27 @@
---
- name: "Install uwsgi"
pacman:
name: "uwsgi"
state: present
- name: "Copy ini files"
copy:
src: '{{ item }}'
dest: '/etc/uwsgi/'
owner: 'root'
mode: 0644
with_fileglob: '*.ini'
- name: "Copy systemd service"
copy:
src: '{{ item }}'
dest: '/etc/systemd/system/'
owner: 'root'
mode: 0644
with_fileglob: '*.service'
- name: "Restarting uwsgi"
service:
name: "uwsgi@{{ item }}"
state: restarted
loop: "{{ environments }}"

+ 2
- 0
roles/uwsgi/vars/main.yml View File

@ -0,0 +1,2 @@
environments:
- "pc-dev"

+ 9
- 0
uwsgi.yml View File

@ -0,0 +1,9 @@
---
- name: Update uwsgi configuration
hosts: all
become: yes
become_user: root
become_method: sudo
roles:
- uwsgi

Loading…
Cancel
Save