add revproxy role

4041fc49 · Nico · 985c6a5f · 4041fc49 · 4041fc49 · 4041fc49
Commit 4041fc49 authored Jan 9, 2021 by Nico
--- a/all.yml
+++ b/all.yml
@@ -3,3 +3,4 @@
  roles:
    - users
    - autoupdate
+    - revproxy
--- a/roles/revproxy/defaults/main.yml
+++ b/roles/revproxy/defaults/main.yml
+---
+dhparam_file: /etc/nginx/dhparam.pem
+letsencrypt_conf_dir: /etc/dehydrated
+letsencrypt_cert_dir: "{{ letsencrypt_conf_dir }}/certs"
+letsencrypt_account_email: none
+letsencrypt_account_dir: "{{ letsencrypt_conf_dir }}/account"
+# default to staging
+letsencrypt_acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+# .well-known/acme-challenge will be appended, sorry
+letsencrypt_challenge_dir: /var/www/acme-challenge/
+rsa_key_size: 4096
--- a/roles/revproxy/files/dehydrated-hook.sh
+++ b/roles/revproxy/files/dehydrated-hook.sh
+#!/usr/bin/env bash
+deploy_cert() {
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
+    systemctl reload nginx
+}
+HANDLER="$1"; shift
+if [[ "${HANDLER}" == "deploy_cert" ]]; then
+  "$HANDLER" "$@"
+fi
--- a/roles/revproxy/files/ffdhe2048.txt
+++ b/roles/revproxy/files/ffdhe2048.txt
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
--- a/roles/revproxy/files/nginx.conf
+++ b/roles/revproxy/files/nginx.conf
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        server_tokens off;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        ##
+        # SSL Settings
+        ##
+        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+        ##
+        # Logging Settings
+        ##
+        log_format combined_with_host '$remote_addr - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" "$http_host"';
+        access_log /var/log/nginx/access.log;
+        #error_log syslog:server=unix:/dev/log,tag=nginx_errorlog,nohostname;
+        error_log /var/log/nginx/error.log;
+		map $remote_addr $ip_anonym1 {
+			default 0.0.0;
+			"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+			"~(?P<ip>[^:]+:[^:]+):" $ip;
+		}
+		map $remote_addr $ip_anonym2 {
+			default .0;
+			"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+			"~(?P<ip>[^:]+:[^:]+):" ::;
+		}
+		map $ip_anonym1$ip_anonym2 $ip_anonymized {
+			default 0.0.0.0;
+			"~(?P<ip>.*)" $ip;
+		}
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        gzip_disable "msie6";
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}
--- a/roles/revproxy/handlers/main.yml
+++ b/roles/revproxy/handlers/main.yml
+---
+- name: restart nginx
+  service: name=nginx state=restarted
+- name: renew certificates
+  command:
+    cmd: "dehydrated -c"
--- a/roles/revproxy/tasks/cert-selfsigned.yml
+++ b/roles/revproxy/tasks/cert-selfsigned.yml
+- name: Generating self-signed certificate 
+  command: >
+      openssl req -x509 -nodes -subj '/CN={{ common_name }}' 
+      -days 3650 -newkey rsa:4096 -sha256 
+      -keyout {{ key_path }}
+      -out {{ cert_path }}
+      creates={{ cert_path }}
--- a/roles/revproxy/tasks/main.yml
+++ b/roles/revproxy/tasks/main.yml
+---
+- name: Installing Dependencies
+  apt: 
+    name: nginx
+    state: present
+# these must be created now, because self signed default 
+# certificate is also created here
+- file:
+    path: "{{ letsencrypt_conf_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+- file:
+    path: "{{ letsencrypt_cert_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+# create a self-signed default certificate
+# a certificate must be specified for the default vhost.
+# we either could pick any certificate here or simply create
+# a self-signed certificate, which also works if no Vhosts
+# are enabled.
+- name: Generating self-signed certificate for default site
+  include: cert-selfsigned.yml
+  vars:
+      common_name: "{{ ansible_facts['nodename'] }}"
+      key_path: "{{ letsencrypt_cert_dir }}/default-key.pem"
+      cert_path: "{{ letsencrypt_cert_dir}}/default-cert.pem"
+- name: Removing nginx default site
+  file:
+      state: absent
+      path: /etc/nginx/sites-enabled/default
+  notify:
+      - restart nginx
+- name: Deploying nginx default site
+  template:
+    src: default.conf
+    dest: /etc/nginx/sites-enabled/000-default.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+      - restart nginx
+- name: Deploy nginx config
+  copy:
+    dest: "/etc/nginx/nginx.conf"
+    src: "nginx.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart nginx
+- name: Ensure Lets Encrypt Challenge Dir exists
+  file:
+    path: "{{ letsencrypt_challenge_dir }}/.well-known/acme-challenge"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+- name: Deploy mozilla dhparams
+  copy: 
+    src: "ffdhe2048.txt"
+    dest: "{{ dhparam_file }}"
+    mode: 0644
+    owner: root
+    group: root
+  notify:
+      - restart nginx
+- name: Install dehydrated and moreutils (for chronic)
+  apt:
+    pkg: 
+      - dehydrated
+      - moreutils
+    state: present
+- name: Deploying dehydrated config
+  template:
+    src: dehydrated.sh
+    dest: /etc/dehydrated/conf.d/00_ansible.sh
+    owner: root
+    group: root
+    mode: 0644
+- name: Deploying dehydrated hook script
+  copy:
+    src: dehydrated-hook.sh
+    dest: /etc/dehydrated/hook.sh
+    owner: root
+    group: root
+    mode: 0755
+- name: Register with dehydrated
+  command:
+    cmd: "dehydrated --register --accept-terms"
+    creates: "{{ letsencrypt_account_dir }}"
+- name: Generating VHost Configurations
+  include: vhost.yml 
+  with_items: "{{ vhosts }}" 
+  loop_control:
+    loop_var: vhost
+  when: "vhost is defined"
+- name: Deploy autorenew dehydrated job
+  cron:
+    name: dehydrated autorenew
+    weekday: "*"
+    minute: "53"
+    hour: "6"
+    user: root
+    job: "/usr/bin/chronic /usr/bin/dehydrated -c"
+    cron_file: ansible_dehydrated
--- a/roles/revproxy/tasks/vhost.yml
+++ b/roles/revproxy/tasks/vhost.yml
+---
+- name: "Configure VHost {{ vhost.domain }} in dehydrated"
+  lineinfile:
+    line: "{{ vhost.domain }}"
+    path: /etc/dehydrated/domains.txt
+    create: true
+    state: "{{ vhost.enabled|ternary('present', 'absent') }}"
+  notify:
+    - renew certificates
+- name: Flush handlers
+  meta: flush_handlers
+- name: "Ensuring VHost Configuration {{ vhost.domain }} is absent on disabled VHost"
+  file:
+      path: /etc/nginx/sites-enabled/{{ vhost.domain }}.conf
+      state: absent
+  when: vhost.enabled != true
+  notify:
+      - restart nginx
+- name: "Generating VHost Configuration {{ vhost.domain }}"
+  template: src=vhosts.conf dest=/etc/nginx/sites-enabled/{{ vhost.domain }}.conf
+  when: vhost.enabled == true
+  notify:
+    - restart nginx
--- a/roles/revproxy/templates/default.conf
+++ b/roles/revproxy/templates/default.conf
+server {
+    listen [::]:80 ipv6only=off;
+    listen [::]:443 ssl default_server ipv6only=off;
+    server_name _;
+    ssl_certificate {{ letsencrypt_cert_dir }}/default-cert.pem;
+    ssl_certificate_key {{ letsencrypt_cert_dir }}/default-key.pem;
+    # lets encrypt challenges
+    location /.well-known/acme-challenge/ {
+        alias {{ letsencrypt_challenge_dir }}/.well-known/acme-challenge/;
+    }
+    root /var/www/default/;
+    location /nginx_status {
+        stub_status on;
+        allow 127.0.0.1;
+        allow ::1;
+        deny all;
+    }
+}
--- a/roles/revproxy/templates/dehydrated.sh
+++ b/roles/revproxy/templates/dehydrated.sh
+# ansible managed
+WELLKNOWN="{{ letsencrypt_challenge_dir }}/.well-known/acme-challenge/"
+CONTACT_EMAIL="{{ letsencrypt_account_email }}"
+CERTDIR="{{ letsencrypt_cert_dir }}"
+KEYSIZE="{{ rsa_key_size }}"
+ACCOUNTDIR="{{ letsencrypt_account_dir }}"
+CA="{{ letsencrypt_acme_directory }}"
+HOOK="/etc/dehydrated/hook.sh"
+{% if proxy_url is defined %}
+CURL_OPTS="-x {{ proxy_url }}"
+{% endif %}
--- a/roles/revproxy/templates/vhosts.conf
+++ b/roles/revproxy/templates/vhosts.conf
+server {
+    listen [::]:443 ssl http2;
+    server_name {{ vhost.domain }};
+    ssl_certificate {{ letsencrypt_cert_dir }}/{{ vhost.domain }}/fullchain.pem;
+    ssl_certificate_key {{ letsencrypt_cert_dir }}/{{ vhost.domain }}/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_dhparam  {{ dhparam_file }};
+    ssl_session_cache shared:SSL:10m;
+    add_header Strict-Transport-Security "max-age=31536000";
+    #add_header X-Frame-Options "SAMEORIGIN";
+    client_max_body_size 3G;
+    # lets encrypt challenges
+    location /.well-known/acme-challenge/ {
+        alias /var/lib/lets-encrypt/challenges/.well-known/acme-challenge/;
+    }
+    location / {
+            proxy_pass       {{ vhost.backend }};
+            proxy_set_header Host      $host;
+            proxy_set_header X-Forwarded-For $ip_anonymized;
+            proxy_set_header X-Forwarded-Proto $scheme;
+{% if vhost.additional_headers is defined %}
+{% for header in vhost.additional_headers %}
+            proxy_set_header {{ header.name }} {{ header.value }};
+{% endfor %}
+{% endif %}
+            proxy_pass_header  Authorization;
+            proxy_read_timeout 600s;
+            proxy_request_buffering off;
+    }
+}
+server {
+    listen [::]:80;
+    server_name {{ vhost.domain}};
+    location / {
+        return 301 https://{{ vhost.domain }}$request_uri;
+    }
+    # lets encrypt challenges
+    location /.well-known/acme-challenge/ {
+        alias {{ letsencrypt_challenge_dir }}/.well-known/acme-challenge/;
+    }
+}