Added nginx & uwsgi roles

.gitignore

@@ -0,0 +1 @@
+tests/

inventory.yml

@@ -0,0 +1 @@
+aperture-labs # Add an entry in your ~/.ssh/config

nginx.yml

@@ -0,0 +1,9 @@
+---
+- name: Update Nginx configuration
+  hosts: all
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  roles:
+    - nginx

roles/nginx/files/common.conf

@@ -0,0 +1,11 @@
+location ^~ /.well-known/acme-challenge {
+	alias /var/www/dehydrated;
+}
+
+if ($blockedagent) {
+	return 403;
+}
+
+if ($request_method !~ ^(GET|PUT|POST)$ ) {
+	return 444;
+}

roles/nginx/files/conf.d/blockuseragents.conf

@@ -0,0 +1,7 @@
+map $http_user_agent $blockedagent {
+    default         0;
+    ~*malicious     1;
+    ~*backdoor      1;
+    ~*crawler       1;
+    ~*spider        1;
+}

roles/nginx/files/conf.d/ddos.conf

@@ -0,0 +1,17 @@
+# Slow DDOS Protection
+
+client_body_timeout         10;
+client_header_timeout       10;
+keepalive_timeout           5 5;
+send_timeout                10;
+
+
+# DDOS Protection
+
+# Maximum request per IP // 100 per seconde
+limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
+limit_req zone=flood burst=100 nodelay;
+
+# Maximum Connection per IP // 100 per seconde
+limit_conn_zone $binary_remote_addr zone=ddos:10m;
+limit_conn ddos 100;

roles/nginx/files/conf.d/header.conf

@@ -0,0 +1,6 @@
+# Bad Header Protection
+add_header X-Frame-Options           SAMEORIGIN;
+add_header X-Content-Type-Options    nosniff;
+add_header X-XSS-Protection          "1; mode=block";
+add_header Referrer-Policy           "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

roles/nginx/files/gzip.conf

@@ -0,0 +1,4 @@
+gzip		on;
+gzip_vary	on;
+gzip_types	*;
+gzip_min_length	1000;

roles/nginx/files/nginx.conf

@@ -0,0 +1,28 @@
+user http;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    multi_accept on;
+    use epoll;
+    worker_connections 256;
+}
+
+http {
+    index               index.html index.htm index.php;
+
+    server_tokens       off;
+
+    include             /etc/nginx/mime.types;
+    charset_types       text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+
+    types_hash_bucket_size 128;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}

roles/nginx/files/sites-available/000-default.conf

@@ -0,0 +1,22 @@
+server {
+
+    listen 127.0.0.1:8080;
+
+    access_log off;
+
+    location /nginx-status {
+        stub_status on;
+    }
+
+}
+
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	
+	server_name _;
+
+	include common.conf;
+
+	return 301 https://www.planet-casio.com;
+}

roles/nginx/files/sites-available/bible.conf

@@ -0,0 +1,51 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name bible.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/bible_access.log;
+	error_log /var/log/nginx/bible_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name bible.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/bible.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/bible.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/bible_access.log;
+	error_log /var/log/nginx/bible_error.log;
+
+	root /home/bible/www;
+
+	location / {
+		autoindex on;
+		charset utf8;
+		rewrite ^/casio(.*)$ /common/casio$1 permanent;
+		rewrite ^/hardware(.*)$ /common/hardware$1 permanent;
+		rewrite ^/renesas(.*)$ /common/renesas$1 permanent;
+		rewrite ^/misc(.*)$ /common/misc$1 permanent;
+		rewrite ^/user_manuals(.*)$ /common/user_manuals$1 permanent;
+	}
+
+	location /yatis/.git/ {
+		deny all;
+	}
+
+	location /cakeisalie5/websaves/graph100.com/forum/ {
+		charset ISO-8859;
+	}
+}

roles/nginx/files/sites-available/creativecalc.conf

@@ -0,0 +1,57 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name creativecalc.fr www.creativecalc.fr;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name creativecalc.fr;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	location / {
+		return 301 https://www.creativecalc.fr$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name www.creativecalc.fr;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/creativecalc.fr/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/creativecalc.fr/privkey.pem;
+
+	access_log /var/log/nginx/creativecalc_access.log;
+	error_log /var/log/nginx/creativecalc_error.log;
+
+	root /home/creativecalc/www;
+
+	location /assets/fonts {
+		expires 365d;
+	}
+}

roles/nginx/files/sites-available/gitea.conf

@@ -0,0 +1,41 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name gitea.planet-casio.com git.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/gitea_access.log;
+	error_log /var/log/nginx/gitea_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name gitea.planet-casio.com git.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/gitea.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/gitea.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/gitea_access.log;
+	error_log /var/log/nginx/gitea_error.log;
+
+	if ($http_host != "gitea.planet-casio.com") {
+                 rewrite ^ https://gitea.planet-casio.com$request_uri permanent;
+	}
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://127.0.0.1:3001;
+	}
+}

roles/nginx/files/sites-available/grafana.conf

@@ -0,0 +1,37 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name grafana.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/grafana_access.log;
+	error_log /var/log/nginx/grafana_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name grafana.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/grafana.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/grafana.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/grafana_access.log;
+	error_log /var/log/nginx/grafana_error.log;
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://127.0.0.1:3000;
+	}
+}

roles/nginx/files/sites-available/mumbleweb.conf

@@ -0,0 +1,47 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name mumble.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/mumbleweb_access.log;
+	error_log /var/log/nginx/mumbleweb_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl;
+	listen *:443 ssl;
+
+	server_name mumble.planet-casio.com;
+
+	include common.conf;
+	include ssl.conf;
+
+        ssl_certificate      /etc/dehydrated/certs/mumble.planet-casio.com/fullchain.pem;
+        ssl_certificate_key  /etc/dehydrated/certs/mumble.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/mumbleweb_access.log;
+	error_log /var/log/nginx/mumbleweb_error.log;
+
+	location / {
+		root /usr/local/lib/node_modules/mumble-web/dist;
+	}
+
+	location /client {
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_pass http://localhost:64737;
+	}
+}
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}

roles/nginx/files/sites-available/p7.conf

@@ -0,0 +1,42 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+	server_name p7.planet-casio.com;
+	
+	include common.conf;
+
+	access_log /var/log/nginx/p7_access.log;
+	error_log /var/log/nginx/p7_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+	server_name p7.planet-casio.com;
+	
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/p7.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/p7.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/p7_access.log;
+	error_log /var/log/nginx/p7_error.log;
+
+	root /home/p7/www;
+
+	location /pub {
+		alias /home/p7/pub;
+		autoindex on;
+	}
+
+	location / {
+		index fr.html;
+	}
+}

roles/nginx/files/sites-available/pc-dev.conf

@@ -0,0 +1,72 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+
+	include common.conf;
+
+	access_log /var/log/nginx/pc-dev_access.log;
+	error_log /var/log/nginx/pc-dev_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+#	server_name dev.planet-casio.com;
+	server_name v5.planet-casio.com;
+
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/pc-dev_access.log;
+	error_log /var/log/nginx/pc-dev_error.log;
+
+	root /home/pc-dev/www;
+
+	# Serve files from /static as static files
+	location /static {
+	alias /home/pc-dev/www/app/static;
+		try_files	$uri =404;
+		expires		7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve avatars
+	location /avatar {
+		root /home/pc-dev/data;
+		try_files	$uri /avatar/default_avatar.png =404;
+		expires 	max;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve files
+	location /fichiers {
+		alias /home/pc-dev/data/fichiers;
+		try_files	$uri =404;
+		expires 	7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Pass everything else to the application
+	location / {
+		try_files	@fake @application;
+	}
+
+	location @application {
+		include		uwsgi_params;
+		uwsgi_pass	unix:/run/uwsgi.pc-dev/socket;
+	}
+}

roles/nginx/files/sites-available/pc.conf

@@ -0,0 +1,72 @@
+server {
+	listen [::]:80;
+	listen *:80;
+
+#	server_name v5.planet-casio.com;
+	server_name www.planet-casio.com;
+
+	include common.conf;
+
+	access_log /var/log/nginx/pc_access.log;
+	error_log /var/log/nginx/pc_error.log;
+
+	location / {
+		return 301 https://$server_name$request_uri;
+	}
+}
+
+server {
+	listen [::]:443 ssl http2;
+	listen *:443 ssl http2;
+
+#	server_name v5.planet-casio.com;
+	server_name www.planet-casio.com;
+
+	include common.conf;
+	include ssl.conf;
+
+	ssl_certificate             /etc/dehydrated/certs/v5.planet-casio.com/fullchain.pem;
+	ssl_certificate_key         /etc/dehydrated/certs/v5.planet-casio.com/privkey.pem;
+
+	access_log /var/log/nginx/pc_access.log;
+	error_log /var/log/nginx/pc_error.log;
+
+	root /home/pc/www;
+
+	# Serve files from /static as static files
+	location /static {
+	alias /home/pc/www/app/static;
+		try_files	$uri =404;
+		expires		7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve avatars
+	location /avatar {
+		root /home/pc/data;
+		try_files	$uri /avatar/default_avatar.png =404;
+		expires 	max;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Serve files
+	location /fichiers {
+		alias /home/pc/data/fichiers;
+		try_files	$uri =404;
+		expires 	7d;
+		add_header	Cache-Control "public";
+		include		gzip.conf;
+	}
+
+	# Pass everything else to the application
+	location / {
+		try_files	@fake @application;
+	}
+
+	location @application {
+		include		uwsgi_params;
+		uwsgi_pass	unix:/run/uwsgi.pc/socket;
+	}
+}

roles/nginx/files/ssl.conf

@@ -0,0 +1,8 @@
+ssl_prefer_server_ciphers   on;
+ssl_protocols               TLSv1.3 TLSv1.2;
+ssl_ciphers                 'ECDHE+CHACHA20:ECDHE+AESGCM';
+ssl_session_cache           shared:SSL:10m;
+ssl_session_timeout         5m;
+ssl_dhparam                 /etc/ssl/ssl.dh/dhparam.pem;
+ssl_stapling                on;
+ssl_stapling_verify         on;

roles/nginx/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: "Install nginx"
+  pacman:
+    name: "nginx"
+    state: present
+
+- name: "Make configuration structure"
+  file:
+    path: "/etc/nginx/{{}}"
+    state: directory
+  loop:
+    - "conf.d"
+    - "sites-available"
+    - "sites-enabled"
+
+- name: "Copy common files"
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/nginx/'
+    owner: 'root'
+    mode: 0644
+  with_fileglob: '*.conf'
+
+- name: "Copy conf.d"
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/nginx/sites-available/'
+    owner: 'root'
+    mode: 0644
+  with_fileglob: 'conf.d/*.conf'
+
+- name: "Copy sites-available"
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/nginx/sites-available/'
+    owner: 'root'
+    mode: 0644
+  with_fileglob: 'sites-available/*.conf'
+
+- name: "Enable sites"
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
+    state: link
+  loop: "{{ sites_enabled }}"
+
+- name: "Restarting nginx"
+  service:
+    name: "nginx"
+    state: reloaded

roles/nginx/vars/main.yml

@@ -0,0 +1,9 @@
+sites_enabled:
+  - "000-default"
+  - "bible"
+  - "creativecalc"
+  - "gitea"
+  - "grafana"
+  - "mumbleweb"
+  - "p7"
+  - "pc-dev"

roles/uwsgi/files/pc-dev.ini

@@ -0,0 +1,9 @@
+[uwsgi]
+uid = pc-dev
+gid = pc-dev
+socket = /run/uwsgi.pc-dev/socket
+chmod-socket = 770
+manage-script-name = true
+mount = /=app:app
+master = true
+plugins = python

roles/uwsgi/files/pc.ini

@@ -0,0 +1,9 @@
+[uwsgi]
+uid = pc
+gid = pc
+socket = /run/uwsgi.pc/socket
+chmod-socket = 770
+manage-script-name = true
+mount = /=app:app
+master = true
+plugins = python

roles/uwsgi/files/uwsgi@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=uWSGI service unit
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/%i.ini
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -INT $MAINPID
+Restart=always
+Type=notify
+StandardError=syslog
+NotifyAccess=all
+KillSignal=SIGQUIT
+WorkingDirectory=/home/%i/www/
+
+[Install]
+WantedBy=multi-user.target

roles/uwsgi/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: "Install uwsgi"
+  pacman:
+    name: "uwsgi"
+    state: present
+
+- name: "Copy ini files"
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/uwsgi/'
+    owner: 'root'
+    mode: 0644
+  with_fileglob: '*.ini'
+
+- name: "Copy systemd service"
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/systemd/system/'
+    owner: 'root'
+    mode: 0644
+  with_fileglob: '*.service'
+
+- name: "Restarting uwsgi"
+  service:
+    name: "uwsgi@{{ item }}"
+    state: restarted
+  loop: "{{ environments }}"

roles/uwsgi/vars/main.yml

@@ -0,0 +1,2 @@
+environments:
+  - "pc-dev"

uwsgi.yml

@@ -0,0 +1,9 @@
+---
+- name: Update uwsgi configuration
+  hosts: all
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  roles:
+    - uwsgi