Misc changes. Move up to fedora 30, add gerbolyze, secure download
rodzic
95775fee30
commit
69bc25b81a
|
@ -5,3 +5,4 @@ all:
|
|||
ansible_host: wendelstein.jaseg.net
|
||||
ansible_ssh_identity_file: ~/.ssh/id_ed25519
|
||||
ansible_user: root
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
|
|
@ -51,36 +51,86 @@ http {
|
|||
ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
|
||||
ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
|
||||
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
resolver 67.207.67.2 67.207.67.3 valid=300s;
|
||||
resolver_timeout 10s;
|
||||
resolver 67.207.67.2 67.207.67.3 valid=300s;
|
||||
resolver_timeout 10s;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=86400";
|
||||
add_header Strict-Transport-Security "max-age=86400";
|
||||
|
||||
# Load configuration files for the default server block.
|
||||
include /etc/nginx/default.d/*.conf;
|
||||
|
||||
location ^~ /static/ {
|
||||
root /var/lib/gerboweb;
|
||||
}
|
||||
location ^~ /static/ {
|
||||
root /var/lib/gerboweb;
|
||||
}
|
||||
|
||||
location / {
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
|
||||
}
|
||||
|
||||
error_page 404 /404.html;
|
||||
location = /40x.html {
|
||||
root /usr/share/nginx/html;
|
||||
location = /40x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name blog.jaseg.net blog.jaseg.net;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name blog.jaseg.net blog.jaseg.net;
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
ssl_certificate "/etc/letsencrypt/live/blog.jaseg.net/fullchain.pem";
|
||||
ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.net/privkey.pem";
|
||||
ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
resolver 67.207.67.2 67.207.67.3 valid=300s;
|
||||
resolver_timeout 10s;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=86400";
|
||||
|
||||
# Load configuration files for the default server block.
|
||||
include /etc/nginx/default.d/*.conf;
|
||||
|
||||
location / {
|
||||
root /var/www/blog.jaseg.net;
|
||||
}
|
||||
|
||||
location /d/ {
|
||||
rewrite ^/d/(.*)$ /$1 break;
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:/run/uwsgi/secure-download.socket;
|
||||
}
|
||||
|
||||
error_page 404 /404.html;
|
||||
location = /40x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
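Review bot: `server_name blog.jaseg.net blog.jaseg.net;` in both new blog server blocks (the port-80 redirect and the 443 block) repeats the same name, and nginx logs a conflicting-server-name warning for the duplicate; it should read `server_name blog.jaseg.net;`. The HSTS header carried into the new vhost, `add_header Strict-Transport-Security "max-age=86400";`, commits browsers for only one day, so the protection lapses after a single day without a visit; a value in the months range (e.g. `max-age=31536000`) is what makes the header effective, and the same applies to the gerbolyze block above it. The new blog block also copies `error_page 404 /404.html;` next to `location = /40x.html`, so `/404.html` is looked up through `location /` under `/var/www/blog.jaseg.net` rather than the `/usr/share/nginx/html` root the location was meant to serve; the two names should agree. The enclosing `http {` block ends outside the hunk.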
|
||||
|
||||
|
|
|
@ -41,5 +41,12 @@ http {
|
|||
server_name gerbolyze.jaseg.net;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name blog.jaseg.net;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
- name: Install host requisites
|
||||
dnf:
|
||||
name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services
|
||||
name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex
|
||||
state: latest
|
||||
|
||||
- name: Disable password-based root login
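Review bot: The package list stays at `state: latest`, so every run upgrades all listed packages rather than just ensuring the newly added `python3-pycryptodomex` is present; `state: present` keeps the play idempotent and leaves upgrades to a deliberate step. With `ansible_python_interpreter: /usr/bin/python3` set in the inventory by this same commit, `libselinux-python` (the Python 2 binding) is presumably no longer what the copy/file/template modules need on Fedora 30; `python3-libselinux` is the package to verify against a fresh host. The comma-joined string would also read better as a YAML list under `name:`.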
|
||||
|
@ -28,18 +28,10 @@
|
|||
state: restarted
|
||||
when: disable_root_pw_ssh is changed
|
||||
|
||||
- name: Create iptables firewall config dir
|
||||
file:
|
||||
path: /etc/iptables
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0775
|
||||
|
||||
- name: Configure iptables firewall service
|
||||
copy:
|
||||
src: iptables.rules
|
||||
dest: /etc/iptables/iptables.rules
|
||||
dest: /etc/sysconfig/iptables
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0664
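Review bot: `mode: 0664` leaves `/etc/sysconfig/iptables` group-writable; the iptables service reads the rule set as root at start, so `mode: 0600` is sufficient and is what the package itself uses for this file. The `copy` task carries no `notify`, so a changed rule file is written but not loaded until the next service restart or reboot; unless a later task outside this hunk restarts `iptables`, a handler such as `notify: restart iptables` is needed. The enclosing task list continues outside the hunk.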
|
||||
|
@ -65,3 +57,6 @@
|
|||
|
||||
- name: Setup clippy
|
||||
include_tasks: setup_clippy.yml
|
||||
|
||||
- name: Setup secure download
|
||||
include_tasks: setup_secure_download.yml
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
SERVE_PATH="{{secure_download_dir}}"
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
- name: Set local facts
|
||||
set_fact:
|
||||
secure_download_dir: /var/cache/secure_download
|
||||
|
||||
- name: Copy webapp sources
|
||||
synchronize:
|
||||
# FIXME: make this path configurable
|
||||
src: ~/secure_download/
|
||||
dest: /var/lib/secure_download/
|
||||
group: no
|
||||
owner: no
|
||||
|
||||
- name: Create secure download worker user and group
|
||||
user:
|
||||
name: uwsgi-secure-download
|
||||
create_home: no
|
||||
group: uwsgi
|
||||
password: '!'
|
||||
shell: /sbin/nologin
|
||||
system: yes
|
||||
|
||||
- name: Template webapp config
|
||||
template:
|
||||
src: secure_download.cfg.j2
|
||||
dest: /var/lib/secure_download/secure_download_prod.cfg
|
||||
owner: uwsgi-secure-download
|
||||
group: root
|
||||
mode: 0660
|
||||
|
||||
- name: Copy uwsgi config
|
||||
copy:
|
||||
src: uwsgi-secure-download.ini
|
||||
dest: /etc/uwsgi.d/secure-download.ini
|
||||
owner: uwsgi-secure-download
|
||||
group: uwsgi
|
||||
mode: 440
|
||||
|
||||
- name: Enable uwsgi systemd socket
|
||||
systemd:
|
||||
daemon-reload: yes
|
||||
name: uwsgi-app@secure-download.socket
|
||||
enabled: yes
|
||||
|
||||
- name: Copy server dir tmpfiles.d config
|
||||
template:
|
||||
src: tmpfiles-secure-download.conf.j2
|
||||
dest: /etc/tmpfiles.d/secure-download.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
register: sec_dl_tmpfiles_config
|
||||
|
||||
- name: Kick systemd tmpfiles service to create serve dir
|
||||
command: systemd-tmpfiles --create
|
||||
when: sec_dl_tmpfiles_config is changed
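Review bot: `mode: 440` on the uwsgi ini copy has no leading zero, so YAML hands Ansible the decimal 440 (octal 670) and the file ends up `rw-rwx---` rather than `r--r-----`; write `mode: 0440` or quote it. The ini is also owned by the worker user itself, which lets a compromised app rewrite the config that decides what code uwsgi loads; `owner: root`, `group: uwsgi`, `mode: 0640` keeps it readable by the service and writable only by root. The same reasoning applies to the templated `secure_download_prod.cfg` at `mode: 0660` owned by `uwsgi-secure-download`, where root ownership with `0640` and `group: uwsgi` would do. `command: systemd-tmpfiles --create` processes every tmpfiles.d fragment on the host; passing the fragment path, `systemd-tmpfiles --create /etc/tmpfiles.d/secure-download.conf`, limits the side effects to this one file.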
|
||||
|
|
@ -9,6 +9,14 @@
|
|||
groups: uwsgi
|
||||
append: yes
|
||||
|
||||
- name: Create blog.jaseg.net content dir
|
||||
file:
|
||||
path: /var/www/blog.jaseg.net
|
||||
state: directory
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0550
|
||||
|
||||
- name: Copy uwsgi systemd socket config
|
||||
copy:
|
||||
src: uwsgi-app@.socket
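Review bot: The new `/var/www/blog.jaseg.net` directory is created with `owner: nginx` and `mode: 0550`; since the nginx worker runs as that user, it owns the web root and can change the mode despite the read-only bits, so `owner: root`, `group: nginx`, `mode: 0750` is the least-privilege form that still lets the server read it. Nothing in this hunk populates the directory, so presumably content is deployed by another task or out of band; a comment naming that source would help the next reader. The enclosing task list continues outside the hunk.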
|
||||
|
@ -30,11 +38,16 @@
|
|||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: Create letsencrypt certificate
|
||||
- name: Create letsencrypt certificate for gerbolyze.jaseg.net
|
||||
command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
|
||||
args:
|
||||
creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
|
||||
|
||||
- name: Create letsencrypt certificate for blog.jaseg.net
|
||||
command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
|
||||
args:
|
||||
creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem
|
||||
|
||||
- name: Copy final nginx config
|
||||
copy:
|
||||
src: nginx.conf
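Review bot: The two certbot tasks differ only in domain and e-mail, and both are guarded by `creates:` on the live fullchain path, so a certificate that was issued once is never re-requested even if it has expired or the command line changes; renewal therefore depends on the certbot timer, which this hunk does not show. A single looped task keeps the two in step and makes the next domain a one-line change. The task list continues outside the hunk.
```yaml
- name: Create letsencrypt certificates
  command: certbot --nginx certonly -d {{ item.domain }} -n --agree-tos --email {{ item.email }}
  args:
    creates: /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem
  loop:
    - { domain: gerbolyze.jaseg.net, email: gerboweb@jaseg.net }
    - { domain: blog.jaseg.net, email: blog@jaseg.net }
# … unchanged: Copy final nginx config …
```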
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d
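Review bot: The owner field `uwsgi-download` does not match the `uwsgi-secure-download` account created in setup_secure_download.yml by this same commit, so `systemd-tmpfiles --create` fails on this line and the serve directory is not created as intended; it should read `d {{secure_download_dir}} 770 uwsgi-secure-download uwsgi 45d`. Mode 770 with group `uwsgi` also gives every other uwsgi-group app on the host write access to the download cache; if only this worker writes there, `750` (or `700`) is the tighter choice. The `45d` age field removes files older than 45 days on each tmpfiles clean pass, which is worth a one-line comment in the template since the retention policy is otherwise invisible to whoever places files there.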
|
|
@ -0,0 +1,10 @@
|
|||
[uwsgi]
|
||||
master = True
|
||||
cheap = True
|
||||
die-on-idle = False
|
||||
manage-script-name = True
|
||||
plugins = python3
|
||||
chdir = /var/lib/secure_download
|
||||
mount = /=server:app
|
||||
env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg
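Review bot: The ini sets no `uid`/`gid`, so which account the worker runs as is decided by the `uwsgi-app@.socket` unit that is not part of this commit; if that unit drops to the generic `uwsgi` user, the dedicated `uwsgi-secure-download` account created in setup_secure_download.yml is never used and the per-app separation it suggests does not exist. Adding `uid = uwsgi-secure-download` and `gid = uwsgi` here pins it (uwsgi only honours them when started as root), or a comment should state where the identity comes from. `env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg` is a relative path that works only because `chdir` precedes it; a short comment saying so would save the next reader a check.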
|
||||
|