Add more configuration files and templates

This commit is contained in:
phil 2023-03-11 18:18:27 +01:00
parent 0b862e9110
commit ee907705a8
16 changed files with 213 additions and 24 deletions


@ -1,4 +1,16 @@
Nginx
=====
Diese Rolle dient zur grundlegenden Einrichtung von Nginx.
Role to install Nginx.
## Variables
| Name | Default | Notes |
|--|--|--|
| `nginx_port` | `80` | Listen port for Nginx |
| `nginx_package_name` | `nginx-full` | Name of the Debian package to install |
| `nginx_bad_client_ip` | | List of IP address to deny access |
| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |

1
defaults/main.yaml Normal file

@ -0,0 +1 @@
dhparam_path: /etc/ssl/private/dhparam.pem
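Review bot: Only `dhparam_path` is declared here, while the defaults the README table advertises for `nginx_port` (`80`) and `nginx_package_name` (`nginx-full`) exist only as inline `default()` filters scattered across tasks/packages.yml, templates/local-statistics.j2 and templates/monit.j2. Declaring them once in this file, `nginx_port: 80` and `nginx_package_name: nginx-full`, keeps the README and the role in sync and lets those filters be dropped. The file also lacks the `---` document start that the task files in this commit use.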

7
files/add_headers.cof Normal file

@ -0,0 +1,7 @@
# Managed by Ansible
add_header Referrer-Policy $referrerpolicy;
add_header Strict-Transport-Security $sts;
add_header X-Content-Type-Options $xcontentoptions;
add_header X-XSS-Protection $xxssprotection;
add_header X-Frame-Options $xframeoptions;
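Review bot: None of the `add_header` lines carries the `always` parameter, so these headers are emitted only on 2xx/3xx responses; `add_header Strict-Transport-Security $sts always;` (and the same for the other four) sends them on error responses as well, which matters most for HSTS. The `X-XSS-Protection` value mapped in templates/ssl.conf.j2 is `1; mode=block`; that header is deprecated and current guidance is to send `0` or omit it, so consider removing L41 or mapping the value to `0`. It is also worth a header comment that nginx does not merge `add_header` across levels: any server or location block that declares its own `add_header` silently loses every header from this snippet unless it includes the snippet again.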

6
files/letsencrypt.conf Normal file

@ -0,0 +1,6 @@
# Managed by Ansible
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/lib/dehydrated/acme-challenges/;
}
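Review bot: The `location /.well-known/acme-challenge` prefix on L50 has no trailing slash while the `alias` value on L52 ends in one; nginx's alias documentation expects both to end the same way, because the matched prefix is replaced textually and a request path that continues the prefix without a separator is then resolved relative to `/var/lib/dehydrated/` instead of the challenge directory. Change it to `location /.well-known/acme-challenge/ {` so that only the challenge directory is reachable through this location. If the dehydrated base directory holds anything beyond challenge files, this boundary is the one the location is meant to enforce.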


@ -0,0 +1,7 @@
# Managed by Ansible
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m;
limit_req_zone $server_name zone=perserver:10m rate=20r/m;
limit_req_status 444;
limit_conn_zone $binary_remote_addr zone=addr:10m;
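Review bot: Three `limit_req_zone` zones and one `limit_conn_zone` are defined, but nothing in this commit references them with `limit_req` or `limit_conn`, so they reserve shared memory and enforce nothing until a server or location opts in; a header comment such as `# Zones only; enforce per vhost with limit_req zone=one burst=...` would make that explicit. `limit_req_status 444` closes the connection without a response, which is reasonable for abuse traffic but makes legitimately throttled clients hard to debug; `429` for the `perserver` zone is the friendlier choice. The file name is not shown on this page; I assume it is files/request_limits.conf as copied by tasks/configure.yml.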


@ -1,10 +1,10 @@
galaxy_info:
author: systemausfall.org
description: Ersteinrichtung von Nginx
author: Sense.Lab e.V. admins
description: Installation of Nginx
company: Sense.Lab e.V.
license: GPLv3
min_ansible_version: 2.9
min_ansible_version: "2.9"
platforms:
- name: Debian
version:
- Bullseye
- bullseye

37
tasks/configure.yml Normal file

@ -0,0 +1,37 @@
---
- name: "Configuration | Copy main configuration"
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: 0644
notify: reload nginx
- name: "Configuration | Copy configuration snippets"
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nginx/snippets/{{ item }}"
mode: 0644
loop:
- add_headers.conf
- letsentcrypt.conf
notify: reload nginx
- name: "Configuration | Copy configuration templates"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/nginx/conf.d/{{ item }}"
mode: 0644
loop:
- bad_clients.conf
- reverse_proxy.conf
- ssl.conf
notify: reload nginx
when: nginx_type is 'gateway' or nginx_type is 'standalone'
- name: "Configuration | Copy request limit configuration"
ansible.builtin.copy:
src: request_limits.conf
dest: /etc/nginx/conf.d/
mode: 0644
notify: reload nginx
when: nginx_type is 'gateway' or nginx_type is 'standalone'
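Review bot: The `when` conditions on L114 and L121, `nginx_type is 'gateway' or nginx_type is 'standalone'`, are not valid Jinja: `is` expects a test name, not a string literal, so the task errors when the condition is evaluated, and because the README gives `nginx_type` no default an unset variable would fail as well. Use `when: nginx_type | default('') in ['gateway', 'standalone']` on both tasks. The loop item `letsentcrypt.conf` on L102 does not match the committed `files/letsencrypt.conf`, so the snippet copy fails on its second item; this page shows the other file as `files/add_headers.cof`, which if that is the committed name breaks the first item too. The `mode: 0644` values here and in tasks/monitoring.yml are unquoted YAML 1.1 octal literals; Ansible documents the form `mode: "0644"` (ansible-lint `risky-octal`), which also keeps other tooling from reading the value as the integer 420.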


@ -1,6 +1,12 @@
---
- import_tasks: packages.yml
- name: "Install packages"
ansible.builtin.import_tasks: packages.yml
tags: packages
- import_tasks: monitoring.yml
- name: "Configure"
ansible.builtin.import_tasks: configure.yml
tags: configure
- name: "Enable monitoring"
ansible.builtin.import_tasks: monitoring.yml
tags: monitoring


@ -1,6 +1,6 @@
---
- name: "monitoring | Aktiviere Munin-Plugin"
file:
- name: "Monitoring | Enable Munin plugin"
ansible.builtin.file:
src: "/usr/share/munin/plugins/nginx_{{ item }}"
dest: "/etc/munin/plugins/nginx_{{ item }}"
state: link
@ -8,22 +8,26 @@
- request
- status
notify: restart munin-node
when: "'munin-node' in ansible_facts.packages"
- name: "monitoring | Kopiere Datei für lokale Statusausgabe"
template:
- name: "Monitoring | Copy statistics configuration file"
ansible.builtin.template:
src: local-statistics.j2
dest: /etc/nginx/sites-available/local-statistics
mode: 0644
notify: reload nginx
- name: "monitoring | Aktiviere Lokale Status-Ausgabe"
file:
- name: "Monitoring | Enable local statistics"
ansible.builtin.file:
src: /etc/nginx/sites-available/local-statistics
dest: /etc/nginx/sites-enabled/local-statistics
state: link
notify: reload nginx
- name: "monitoring | Kopiere Monit-Überwachung"
template:
- name: "Monitoring | Copy Monit configuration"
ansible.builtin.template:
src: monit.j2
dest: /etc/monit/conf-enabled/nginx
mode: 0644
notify: reload monit
when: "'monit' in ansible_facts.packages"
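Review bot: The conditions `'munin-node' in ansible_facts.packages` (L154) and `'monit' in ansible_facts.packages` (L179) depend on the `package_facts` task in tasks/packages.yml; since tasks/main.yml tags that import `packages` and this one `monitoring`, a run limited to `--tags monitoring` reaches these tasks with `ansible_facts.packages` undefined and fails. Either gather package facts in this file as well or soften the lookup to `when: "'munin-node' in ansible_facts.packages | default({})"`. The first task of this file starts in the previous hunk and its `loop` continues across the hunk boundary into L151–L152.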


@ -1,6 +1,10 @@
---
- name: "packages | Installiere Debian-Pakete"
apt:
- name: "Packages | Get installed packages"
ansible.builtin.package_facts:
manager: apt
- name: "Packages | Install deb packages"
ansible.builtin.apt:
pkg:
- liblwp-useragent-determined-perl
- "{{ nginx.version | default('nginx-full') }}"
- "{{ nginx_package_name | default('nginx-full') }}"


@ -0,0 +1,7 @@
# Managed by Ansible
{% if nginx_bad_client_ip is defined %}
{% for client in nginx_bad_client_ip %}
deny {{ client }};
{% endfor %}
{% endif %}


@ -1,9 +1,5 @@
server {
{% if inventory_hostname == "sl-nextcloud.kahlo" %}
listen 127.0.0.1:81;
{% else %}
listen 127.0.0.1;
{% endif %}
listen 127.0.0.1:{{ nginx_port | default(80) }};
server_name localhost;
location /nginx_status {
stub_status on;


@ -4,5 +4,5 @@ check process nginx with pidfile /var/run/nginx.pid
group webserver
start program = "/usr/sbin/service nginx start"
stop program = "/usr/sbin/service nginx stop"
if failed host 127.0.0.1 port {{ nginx.port |default(80) }} for 3 cycles then restart
if failed host 127.0.0.1 port {{ nginx_port | default(80) }} for 3 cycles then restart
if 5 restarts with 5 cycles then timeout

58
templates/nginx.conf.j2 Normal file

@ -0,0 +1,58 @@
# Managed by Ansible
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
map_hash_max_size 4096;
map_hash_bucket_size 128;
server_names_hash_bucket_size 128;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
log_format noip '0.0.0.0 - $remote_user [$time_local] '
'"$host" "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$request_time" seconds';
#access_log /var/log/nginx/access.log noip if=$log_ip;
access_log off;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip off;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
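Review bot: `client_max_body_size 0;` on L258 removes the request body limit for every virtual host, including proxied ones where templates/reverse_proxy.conf.j2 sets `proxy_buffering off` and streams the body straight to the backend, so the upload ceiling becomes whatever each backend tolerates. A bounded http-level default with per-vhost overrides is the safer shape, e.g. `client_max_body_size 64m;  # raise in the server block where large uploads are expected`. The `noip` log format on L264–L266 is dead while `access_log off` (L268) is in force and its only consumer is commented out on L267; a comment saying that vhosts are expected to opt in with `access_log ... noip;` would explain why it is kept.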


@ -0,0 +1,22 @@
# Managed by Ansible
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header X-HTTPS-Protocol $ssl_protocol;
#proxy_set_header Accept ""; # Problems with Redmine, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810144
proxy_set_header Connection "";
#proxy_set_header Referer "";
#proxy_cache STATIC;
proxy_cache_valid 200 301 302 4h;
proxy_cache_valid 404 10m;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_buffering off;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
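Review bot: `proxy_cache_valid` and `proxy_cache_use_stale` on L296–L298 have no effect while `proxy_cache` is commented out on L295, so a reader may believe responses are cached; either drop them or add `# inactive until a proxy_cache zone is enabled` above them. The 600-second `proxy_connect_timeout`, `proxy_send_timeout` and `proxy_read_timeout` apply at http level to every proxied location; a ten-minute connect timeout in particular holds failed backend connection attempts far longer than needed, and `proxy_connect_timeout 10;` with the long read timeout kept only where a slow backend requires it is the usual split. `proxy_set_header Connection "";` together with `proxy_http_version 1.1` only yields connection reuse when the upstream block declares `keepalive`, which this commit does not show.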

22
templates/ssl.conf.j2 Normal file

@ -0,0 +1,22 @@
# Managed by Ansible
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam {{ dhparam_path }};
# Security Headers
# Add secure header values if not set upstream
map $upstream_http_referrer_policy $referrerpolicy {'' no-referrer;}
map $upstream_http_strict_transport_security $sts {'' "max-age=63072000; includeSubDomains; preload"; }
map $upstream_http_x_content_type_options $xcontentoptions {'' nosniff;}
map $upstream_http_x_xss_protection $xxssprotection {'' "1; mode=block";}
map $upstream_http_x_frame_options $xframeoptions {'' SAMEORIGIN;}