Added: Nginx configuration & signed X509 certs installation

2024-05-21 14:30:56 +02:00 · 2024-05-21 14:30:56 +02:00 · db7fa4b8f7
commit db7fa4b8f7
parent e0314da734
6 changed files with 147 additions and 7 deletions
--- a/playbooks/02-xmpp-server.yaml
+++ b/playbooks/02-xmpp-server.yaml
@ -60,11 +60,9 @@
    - name: "Ensure movim database is present and accessible"
      ansible.builtin.include_tasks:
        file: tasks/chat/database.yml
-
    - name: "Ensure movim version is installed - v{{ movim.version }}"
      ansible.builtin.include_tasks:
        file: tasks/chat/movim.yml
-
    - name: "Ensure ejabberd is configured"
      ansible.builtin.include_tasks:
        file: tasks/chat/ejabberd.yml
@ -72,7 +70,3 @@
    - name: "Ensure nginx is configured"
      ansible.builtin.include_tasks:
        file: tasks/chat/nginx.yml
-
-    - name: "Ensure X512 certs are presents"
-      ansible.builtin.include_tasks:
-        file: tasks/chat/tls.yml
--- a/playbooks/tasks/chat/movim.yml
+++ b/playbooks/tasks/chat/movim.yml
@ -132,6 +132,17 @@
    mode: "644"
    create: true

+- name: Ensure demon caches directory exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ www.user }}"
+    group: "{{ www.group }}"
+    mode: "755"
+    state: directory
+  with_items:
+    - "{{ movim.path }}/cache"
+    - "{{ movim.path }}/public/cache"
+
 - name: Reload SystemD daemon
  ansible.builtin.shell:
    argv:
--- a/playbooks/tasks/chat/nginx.yml
+++ b/playbooks/tasks/chat/nginx.yml
@ -0,0 +1,76 @@
+---
+- name: disable access logs
+  ansible.builtin.blockinfile:
+    path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf"
+    block: |
+      access_log off;
+    create: true
+
+- name: Create auto redirect to TLS
+  ansible.builtin.blockinfile:
+    path: "{{ nginx.paths.sites_available }}/redirect_to_https"
+    block: |
+      server {
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+      }
+    create: true
+
+- name: Disable movim website
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
+    state: absent
+
+- name: Disable auto redirect to TLS
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
+    state: absent
+
+- name: Enable default website
+  ansible.builtin.file:
+    dest: "{{ nginx.paths.sites_enabled }}/default"
+    src: "{{ nginx.paths.sites_available }}/default"
+    state: link
+
+- name: Install X509 certificates
+  ansible.builtin.command:
+    argv:
+      - certbot
+      - certonly
+      - --agree-tos
+      - -m psotmaster@trans13nrv.eu.org
+      - --nginx
+      - -d
+      - "{{ movim.domain }}"
+    creates: "/etc/letsencrypt/live/{{ movim.domain }}/privkey.pem"
+
+- name: Disable default website
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/default"
+    state: absent
+
+- name: Create movim website
+  ansible.builtin.template:
+    dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
+    src: tasks/chat/templates/movim.j2
+    owner: "{{ root.user }}"
+    group: "{{ root.group }}"
+    mode: "644"
+
+- name: Enable movim website
+  ansible.builtin.file:
+    state: link
+    dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
+    src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
+
+- name: Enable auto redirect to TLS
+  ansible.builtin.file:
+    state: link
+    dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
+    src: "{{ nginx.paths.sites_available }}/redirect_to_https"
+
+- name: Reload nginx service
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
--- a/playbooks/tasks/chat/templates/movim.j2
+++ b/playbooks/tasks/chat/templates/movim.j2
@ -0,0 +1,53 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ movim.domain }};
+	ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+	# Where Movim public directory is setup
+	root {{ movim.path }}/public;
+
+	index index.php;
+
+	# Ask nginx to cache every URL starting with "/picture"
+	location /picture {
+		set $no_cache 0; # Enable cache only there
+		try_files $uri $uri/ /index.php$is_args$args;
+	}
+
+	location / {
+		set $no_cache 1;
+		try_files $uri $uri/ /index.php$is_args$args;
+	}
+
+	location ~ \.php$ {
+		add_header X-Cache $upstream_cache_status;
+
+		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+		fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
+		fastcgi_cache_valid any 7d;
+		fastcgi_cache_bypass $no_cache;
+		fastcgi_no_cache $no_cache;
+
+		# Pass everything to PHP FastCGI, at the discretion of the administrator
+		include fastcgi.conf;
+	}
+
+	location /ws/ {
+		proxy_pass http://127.0.0.1:8080/;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_redirect off;
+		proxy_read_timeout 1800s;
+		proxy_send_timeout 1800s;
+	}
+}
--- a/playbooks/tasks/chat/tls.yml
+++ b/playbooks/tasks/chat/tls.yml
--- a/playbooks/vars.yml
+++ b/playbooks/vars.yml
@ -17,5 +17,11 @@ www:
 movim:
  version: "0.24.1"
  path: /var/www/chat.trans13nrv.eu.org
+  domain: chat.trans13nrv.eu.org
 postgres:
  user: postgres
+nginx:
+  paths:
+    sites_enabled: /etc/nginx/sites-enabled
+    sites_available: /etc/nginx/sites-available
+    conf_d: /etc/nginx/conf.d