Add more configuration files and templates

2023-03-11 18:18:27 +01:00 · 2023-03-11 18:18:27 +01:00 · ee907705a8
parent 0b862e9110
commit ee907705a8
16 changed files with 213 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,16 @@
 Nginx
 =====

-Diese Rolle dient zur grundlegenden Einrichtung von Nginx.
+Role to install Nginx.
+
+## Variables
+
+| Name | Default | Notes |
+|--|--|--|
+| `nginx_port` | `80` | Listen port for Nginx |
+| `nginx_package_name` | `nginx-full` | Name of the Debian package to install |
+| `nginx_bad_client_ip` | | List of IP address to deny access |
+| `nginx_type` | | `gateway` for a Reverse Proxy, `standalone` for a frontend webserver, `backend` for a backend webserver (behind a Reverse Proxy) |
+| `dhparam_path` | `/etc/ssl/private/dhparam.pem` | Path to dhparam file |
+
+
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -0,0 +1 @@
+dhparam_path: /etc/ssl/private/dhparam.pem
--- a/files/add_headers.cof
+++ b/files/add_headers.cof
@ -0,0 +1,7 @@
+# Managed by Ansible
+
+add_header Referrer-Policy $referrerpolicy;
+add_header Strict-Transport-Security $sts;
+add_header X-Content-Type-Options $xcontentoptions;
+add_header X-XSS-Protection $xxssprotection;
+add_header X-Frame-Options $xframeoptions;
--- a/files/letsencrypt.conf
+++ b/files/letsencrypt.conf
@ -0,0 +1,6 @@
+# Managed by Ansible
+
+location /.well-known/acme-challenge {
+    default_type "text/plain";
+    alias /var/lib/dehydrated/acme-challenges/;
+}
--- a/files/request_limits.conf
+++ b/files/request_limits.conf
@ -0,0 +1,7 @@
+# Managed by Ansible
+
+limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=wordpress:10m rate=10r/m;
+limit_req_zone $server_name zone=perserver:10m rate=20r/m;
+limit_req_status 444;
+limit_conn_zone $binary_remote_addr zone=addr:10m;
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,10 +1,10 @@
 galaxy_info:
-  author: systemausfall.org
-  description: Ersteinrichtung von Nginx
+  author: Sense.Lab e.V. admins
+  description: Installation of Nginx
  company: Sense.Lab e.V.
  license: GPLv3
-  min_ansible_version: 2.9
+  min_ansible_version: "2.9"
  platforms:
    - name: Debian
      version:
-        - Bullseye
+        - bullseye
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -0,0 +1,37 @@
+---
+- name: "Configuration | Copy main configuration"
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: 0644
+  notify: reload nginx
+
+- name: "Configuration | Copy configuration snippets"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/nginx/snippets/{{ item }}"
+    mode: 0644
+  loop:
+    - add_headers.conf
+    - letsentcrypt.conf
+  notify: reload nginx
+
+- name: "Configuration | Copy configuration templates"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/etc/nginx/conf.d/{{ item }}"
+    mode: 0644
+  loop:
+    - bad_clients.conf
+    - reverse_proxy.conf
+    - ssl.conf
+  notify: reload nginx
+  when: nginx_type is 'gateway' or nginx_type is 'standalone'
+
+- name: "Configuration | Copy request limit configuration"
+  ansible.builtin.copy:
+    src: request_limits.conf
+    dest: /etc/nginx/conf.d/
+    mode: 0644
+  notify: reload nginx
+  when: nginx_type is 'gateway' or nginx_type is 'standalone'
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -1,6 +1,12 @@
 ---
- import_tasks: packages.yml
+- name: "Install packages"
+  ansible.builtin.import_tasks: packages.yml
  tags: packages

- import_tasks: monitoring.yml
+- name: "Configure"
+  ansible.builtin.import_tasks: configure.yml
+  tags: configure
+
+- name: "Enable monitoring"
+  ansible.builtin.import_tasks: monitoring.yml
  tags: monitoring
--- a/tasks/monitoring.yml
+++ b/tasks/monitoring.yml
@ -1,6 +1,6 @@
 ---
- name: "monitoring | Aktiviere Munin-Plugin"
-  file:
+- name: "Monitoring | Enable Munin plugin"
+  ansible.builtin.file:
    src: "/usr/share/munin/plugins/nginx_{{ item }}"
    dest: "/etc/munin/plugins/nginx_{{ item }}"
    state: link
@ -8,22 +8,26 @@
    - request
    - status
  notify: restart munin-node
+  when: "'munin-node' in ansible_facts.packages"

- name: "monitoring | Kopiere Datei für lokale Statusausgabe"
-  template:
+- name: "Monitoring | Copy statistics configuration file"
+  ansible.builtin.template:
    src: local-statistics.j2
    dest: /etc/nginx/sites-available/local-statistics
+    mode: 0644
  notify: reload nginx

- name: "monitoring | Aktiviere Lokale Status-Ausgabe"
-  file:
+- name: "Monitoring | Enable local statistics"
+  ansible.builtin.file:
    src: /etc/nginx/sites-available/local-statistics
    dest: /etc/nginx/sites-enabled/local-statistics
    state: link
  notify: reload nginx

- name: "monitoring | Kopiere Monit-Überwachung"
-  template:
+- name: "Monitoring | Copy Monit configuration"
+  ansible.builtin.template:
    src: monit.j2
    dest: /etc/monit/conf-enabled/nginx
+    mode: 0644
  notify: reload monit
+  when: "'monit' in ansible_facts.packages"
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@ -1,6 +1,10 @@
 ---
- name: "packages | Installiere Debian-Pakete"
-  apt:
+- name: "Packages | Get installed packages"
+  ansible.builtin.package_facts:
+    manager: apt
+
+- name: "Packages | Install deb packages"
+  ansible.builtin.apt:
    pkg:
      - liblwp-useragent-determined-perl
-      - "{{ nginx.version | default('nginx-full') }}"
+      - "{{ nginx_package_name | default('nginx-full') }}"
--- a/templates/bad_clients.conf.j2
+++ b/templates/bad_clients.conf.j2
@ -0,0 +1,7 @@
+# Managed by Ansible
+
+{% if nginx_bad_client_ip is defined %}
+{% for client in nginx_bad_client_ip %}
+deny {{ client }};
+{% endfor %}
+{% endif %}
--- a/templates/local-statistics.j2
+++ b/templates/local-statistics.j2
@ -1,9 +1,5 @@
 server {
-{% if inventory_hostname == "sl-nextcloud.kahlo" %}
-    listen 127.0.0.1:81;
-{% else %}
-    listen 127.0.0.1;
-{% endif %}
+    listen 127.0.0.1:{{ nginx_port | default(80) }};
    server_name localhost;
    location /nginx_status {
        stub_status on;
--- a/templates/monit.j2
+++ b/templates/monit.j2
@ -4,5 +4,5 @@ check process nginx with pidfile /var/run/nginx.pid
  group webserver
  start program = "/usr/sbin/service nginx start"
  stop program = "/usr/sbin/service nginx stop"
-  if failed host 127.0.0.1 port {{ nginx.port |default(80) }} for 3 cycles then restart
+  if failed host 127.0.0.1 port {{ nginx_port | default(80) }} for 3 cycles then restart
  if 5 restarts with 5 cycles then timeout
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@ -0,0 +1,58 @@
+# Managed by Ansible
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    worker_connections 768;
+    multi_accept on;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    map_hash_max_size 4096;
+    map_hash_bucket_size 128;
+
+    server_names_hash_bucket_size 128;
+
+    client_max_body_size 0;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Logging Settings
+    ##
+    log_format noip '0.0.0.0 - $remote_user [$time_local]  '
+        '"$host" "$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" "$request_time" seconds';
+
+    #access_log /var/log/nginx/access.log noip if=$log_ip;
+    access_log off;
+
+    error_log /var/log/nginx/error.log;
+
+
+    ##
+    # Gzip Settings
+    ##
+    gzip off;
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
--- a/templates/revers2_proxy.conf.j2
+++ b/templates/revers2_proxy.conf.j2
@ -0,0 +1,22 @@
+# Managed by Ansible
+
+proxy_http_version      1.1;
+proxy_set_header        Host $host;
+proxy_set_header        X-Real-IP $remote_addr;
+proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header        X-Forwarded-Host $host;
+proxy_set_header        X-Forwarded-Proto $scheme;
+#proxy_set_header       X-HTTPS-Protocol $ssl_protocol;
+#proxy_set_header       Accept ""; # Problems with Redmine, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810144
+proxy_set_header        Connection "";
+#proxy_set_header       Referer "";
+
+#proxy_cache            STATIC;
+proxy_cache_valid       200 301 302 4h;
+proxy_cache_valid       404 10m;
+proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
+proxy_buffering         off;
+
+proxy_connect_timeout   600;
+proxy_send_timeout      600;
+proxy_read_timeout      600;
--- a/templates/ssl.conf.j2
+++ b/templates/ssl.conf.j2
@ -0,0 +1,22 @@
+# Managed by Ansible
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ssl_ecdh_curve secp384r1;
+
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_dhparam {{ dhparam_path }};
+
+# Security Headers
+# Add secure header values if not set upstream
+map $upstream_http_referrer_policy $referrerpolicy {'' no-referrer;}
+map $upstream_http_strict_transport_security $sts {'' "max-age=63072000; includeSubDomains; preload"; }
+map $upstream_http_x_content_type_options $xcontentoptions {'' nosniff;}
+map $upstream_http_x_xss_protection $xxssprotection {'' "1; mode=block";}
+map $upstream_http_x_frame_options $xframeoptions {'' SAMEORIGIN;}