Initial working commit

2020-09-24 21:06:56 -04:00
commit e0abdbe506
32 changed files with 430 additions and 0 deletions
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+ci_server_email: bastian@bdebyl.net
+ci_server_name: ci.bdebyl.net
+
+deps: [
+  certbot,
+  certbot-nginx,
+  nginx
+]
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ b/ansible/roles/http/files/nginx/nginx.conf
@@ -0,0 +1,36 @@
+user http;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  include       mime.types;
+  default_type  application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile        on;
+  #tcp_nopush     on;
+
+  keepalive_timeout 65;
+
+  gzip on;
+  gzip_disable "mise6";
+
+  add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";
+
+  limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
+
+  include etc/nginx/sites-enabled/*.conf;
+}
--- a/ansible/roles/http/handlers/main.yml
+++ b/ansible/roles/http/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart_nginx
+  become: true
+  service:
+    name: nginx
+    state: restarted
--- a/ansible/roles/http/meta/main.yml
+++ b/ansible/roles/http/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: common
--- a/ansible/roles/http/tasks/cron.yml
+++ b/ansible/roles/http/tasks/cron.yml
@@ -0,0 +1,10 @@
+---
+- cron: renew certbot ssl certificate weekly
+  cron:
+    name: ci_bdebyl_net_renewal
+    special_time: weekly
+    job: |
+      certbot --renew certonly --webroot --webroot-path=/srv/http \
+      -m {{ ci_server_email }} --agree-tos \
+      -d {{ ci_server_name }}
+  tags: never
--- a/ansible/roles/http/tasks/deps.yml
+++ b/ansible/roles/http/tasks/deps.yml
@@ -0,0 +1,7 @@
+---
+- name: install http dependencies
+  become: true
+  pacman:
+    name: "{{ deps }}"
+    state: present
+  tags: deps
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -0,0 +1,56 @@
+---
+- name: setup nginx base configuration
+  become: true
+  copy:
+    src: files/nginx/nginx.conf
+    dest: /etc/nginx/nginx.conf
+  notify: restart_nginx
+  tags: http
+
+- name: setup nginx directories
+  become: true
+  file:
+    path: "/etc/nginx/{{ item }}"
+    state: directory
+  with_items:
+    - sites-enabled
+    - sites-available
+  tags: http
+
+- name: chown http user home
+  become: true
+  file:
+    path: /srv/http
+    owner: http
+    group: http
+    recurse: true
+  tags: http
+
+- name: touch nginx logs, enable jail
+  become: true
+  file:
+    path: "/var/log/nginx/error.log"
+    state: file
+  notify: restart_fail2ban
+  tags: http, security
+
+- name: template nginx http sites-available
+  become: true
+  template:
+    src: "templates/nginx/sites/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  with_items:
+    - "{{ ci_server_name }}.http.conf"
+  notify: restart_nginx
+  tags: http
+
+- name: enable desired nginx http sites
+  become: true
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  with_items:
+    - "{{ ci_server_name }}.http.conf"
+  notify: restart_nginx
+  tags: http
--- a/ansible/roles/http/tasks/main.yml
+++ b/ansible/roles/http/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- import_tasks: deps.yml
+- import_tasks: http.yml
+- import_tasks: ssl.yml
--- a/ansible/roles/http/tasks/ssl.yml
+++ b/ansible/roles/http/tasks/ssl.yml
@@ -0,0 +1,59 @@
+---
+- name: flush existing nginx https enabled sites
+  become: true
+  file:
+    path: "/etc/nginx/sites-enabled/{{ item }}"
+    state: absent
+  with_items:
+    - "{{ ci_server_name }}.https.conf"
+  notify: restart_nginx
+  tags: ssl
+
+- meta: flush_handlers
+  tags: ssl
+
+- name: generate openssl dhparam for nginx
+  become: true
+  command: |
+    openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
+  args:
+    creates: /etc/ssl/certs/dhparam.pem
+  tags: ssl
+
+- name: create ssl certificate for ci server
+  become: true
+  command: |
+    certbot certonly --webroot --webroot-path=/srv/http \
+    -m {{ ci_server_email }} --agree-tos \
+    -d {{ ci_server_name }}
+  args:
+    creates: "/etc/letsencrypt/live/{{ ci_server_name }}"
+  tags: ssl
+
+- name: check if certbot certificate was created
+  become: true
+  stat:
+    path: "/etc/letsencrypt/live/{{ ci_server_name }}"
+  register: stat_result
+  tags: ssl
+
+- name: template nginx https sites-available
+  become: true
+  template:
+    src: "templates/nginx/sites/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  with_items:
+    - "{{ ci_server_name }}.https.conf"
+  tags: ssl
+
+- name: enable desired nginx https sites
+  become: true
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  with_items:
+    - "{{ ci_server_name }}.https.conf"
+  notify: restart_nginx
+  when: stat_result.stat.exists
+  tags: ssl
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
@@ -0,0 +1,14 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name {{ ci_server_name }};
+
+	location /.well-known {
+		root /srv/http;
+		try_files $uri $uri/ =404;
+	}
+
+  location / {
+	  return 301 https://$host$request_uri;
+  }
+}
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -0,0 +1,35 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name {{ ci_server_name }};
+
+  add_header              Strict-Transport-Security max-age=6307200;
+
+	ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+	ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/ssl/certs/dhparam.pem;
+
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 1d;
+  ssl_session_tickets off;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers off;
+
+	location / {
+		proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $http_post;
+
+    proxy_pass http://127.0.0.1:4242;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_buffering off;
+
+    chunked_transfer_encoding off;
+	}
+}