diff --git a/common/nginx/handlers/main.yml b/common/nginx/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7217c0ff81e01cca9d2f9a5b23634b38ac457118
--- /dev/null
+++ b/common/nginx/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart nginx
+ service: name=nginx state=restarted
+
+- name: restart telegraf
+ service: name=telegraf state=restarted
diff --git a/webserver/nginx/includes/alerta b/common/nginx/includes/alerta.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/alerta
rename to common/nginx/includes/alerta.warpzone.ms
diff --git a/webserver/nginx/includes/auth b/common/nginx/includes/auth.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/auth
rename to common/nginx/includes/auth.warpzone.ms
diff --git a/webserver/nginx/includes/gitlab b/common/nginx/includes/gitlab.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/gitlab
rename to common/nginx/includes/gitlab.warpzone.ms
diff --git a/webserver/nginx/includes/infra-test b/common/nginx/includes/infra-test.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/infra-test
rename to common/nginx/includes/infra-test.warpzone.ms
diff --git a/webserver/nginx/includes/infra b/common/nginx/includes/infra.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/infra
rename to common/nginx/includes/infra.warpzone.ms
diff --git a/webserver/nginx/includes/ldap b/common/nginx/includes/ldap.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/ldap
rename to common/nginx/includes/ldap.warpzone.ms
diff --git a/webserver/nginx/includes/mattermost b/common/nginx/includes/mattermost.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/mattermost
rename to common/nginx/includes/mattermost.warpzone.ms
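Review bot: Both handlers pass their module arguments as a `key=value` string (`service: name=nginx state=restarted`), the older free-form style, while the `apt`, `file` and `user` tasks added in the same commit use block YAML; `service:` with `name: nginx` and `state: restarted` on their own lines is what ansible-lint expects and keeps the role consistent. The same key=value form appears in the `service`, `template` and `cron` tasks of common/nginx/tasks/config_site.yml and common/nginx/tasks/main.yml.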
diff --git a/webserver/nginx/includes/md b/common/nginx/includes/md.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/md
rename to common/nginx/includes/md.warpzone.ms
diff --git a/webserver/nginx/includes/pad b/common/nginx/includes/pad.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/pad
rename to common/nginx/includes/pad.warpzone.ms
diff --git a/common/nginx/includes/verwaltung-git.warpzone.ms b/common/nginx/includes/verwaltung-git.warpzone.ms
new file mode 100644
index 0000000000000000000000000000000000000000..4206d1d4b65534e4fdf08eec2d4ba3a41757f936
--- /dev/null
+++ b/common/nginx/includes/verwaltung-git.warpzone.ms
@@ -0,0 +1,12 @@
+
+ location / {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:42001/;
+ proxy_redirect off;
+
+ }
diff --git a/common/nginx/includes/verwaltung.warpzone.ms b/common/nginx/includes/verwaltung.warpzone.ms
new file mode 100644
index 0000000000000000000000000000000000000000..50abb8ca1260e5c2694bffdc41372c85eac21098
--- /dev/null
+++ b/common/nginx/includes/verwaltung.warpzone.ms
@@ -0,0 +1,5 @@
+
+ location / {
+ rewrite ^(.*) https://verwaltung-git.warpzone.ms$1;
+ }
+
diff --git a/common/nginx/includes/warpzone.ms b/common/nginx/includes/warpzone.ms
new file mode 100644
index 0000000000000000000000000000000000000000..4a318e052fef05166d1cb541363427cb8cdb6398
--- /dev/null
+++ b/common/nginx/includes/warpzone.ms
@@ -0,0 +1,4 @@
+
+ location / {
+ rewrite ^(.*) https://www.warpzone.ms$1;
+ }
diff --git a/webserver/nginx/includes/wiki b/common/nginx/includes/wiki.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/wiki
rename to common/nginx/includes/wiki.warpzone.ms
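Review bot: The proxied `location /` in verwaltung-git.warpzone.ms forwards `Host`, `X-Real-IP` and both `X-Forwarded-*` headers but sets neither `proxy_http_version 1.1;` nor `proxy_set_header Upgrade $http_upgrade;` / `proxy_set_header Connection $connection_upgrade;`, so the `map $http_upgrade $connection_upgrade` that the nginx-site template defines is never used by this include; if the backend on port 42001 needs WebSocket upgrades this is the place to add them, otherwise the map is dead configuration. The upstream address `http://127.0.0.1:42001/` is hard-coded and appears nowhere else in the commit, so it should be confirmed against the docker_gitea role it presumably pairs with, ideally via a shared variable rather than a literal.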
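Review bot: In verwaltung.warpzone.ms the redirect `rewrite ^(.*) https://verwaltung-git.warpzone.ms$1;` carries no `permanent` flag, so nginx answers 302 while the HTTP-to-HTTPS redirect in the nginx-site template is `permanent`; `return 301 https://verwaltung-git.warpzone.ms$request_uri;` is the idiomatic form, is cacheable by clients and skips the regex. warpzone.ms has the same pattern with `https://www.warpzone.ms$1`. Because both includes land inside the 443 server block, a client completes a TLS handshake with the alias host's certificate only to be sent elsewhere, which looks intended but deserves a one-line comment in each include, e.g. `# alias host: everything is redirected to verwaltung-git.warpzone.ms`.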
diff --git a/webserver/nginx/includes/www b/common/nginx/includes/www-test.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/www
rename to common/nginx/includes/www-test.warpzone.ms
diff --git a/webserver/nginx/includes/www-test b/common/nginx/includes/www.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/www-test
rename to common/nginx/includes/www.warpzone.ms
diff --git a/common/nginx/tasks/config_site.yml b/common/nginx/tasks/config_site.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a867aac369a572171d9995b61b076aae16745221
--- /dev/null
+++ b/common/nginx/tasks/config_site.yml
@@ -0,0 +1,23 @@
+
+# Konfiguration einer nginx-site
+# {{ item }} enthält den vollständigen Domänennamen
+# Falls erforderlich wird das Zertifikat über Letsencrypt geholt
+
+- name: Check if cert already exists for {{ item }}
+ stat:
+ path: /etc/letsencrypt/live/{{ item }}/privkey.pem
+ register: cert
+
+- name: Stop nginx
+ service: name=nginx state=stopped
+ notify: restart nginx
+ when: cert.stat.exists == False
+
+- name: Get Certificate for {{ item }} via Certbot
+ command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ item }}"
+ when: cert.stat.exists == False
+
+- name: Create nginx config for {{ item }}
+ template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}
+ notify: restart nginx
+
diff --git a/common/nginx/tasks/main.yml b/common/nginx/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..18b83ae9d8a55d5c3f533a8f91b4fd5c938d0eb9
--- /dev/null
+++ b/common/nginx/tasks/main.yml
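Review bot: If the `Get Certificate for {{ item }} via Certbot` command fails (port 80 unreachable, DNS not yet pointing at the host, a rate limit), the play aborts with nginx already stopped by the preceding `Stop nginx` task, and the `restart nginx` handler it notified never runs, so every other site on that host stays down until someone intervenes. Wrap the stop/issue pair in a `block:` with an `always:` that starts nginx again, or put `meta: flush_handlers` directly after the certbot task so the handler fires before anything else can fail. In the same task, `-w /var/www/html/` has no effect together with `--standalone` (the webroot path is only consulted by `--webroot`, as in letsencrypt.sh) and only suggests the acme-challenge location is involved when it is not. `when: cert.stat.exists == False` reads more idiomatically as `when: not cert.stat.exists`.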
@@ -0,0 +1,70 @@
+# Pakete installieren
+- name: nginx installieren
+ apt:
+ name: "{{ packages }}"
+ update_cache: yes
+ state: present
+ vars:
+ packages:
+ - nginx-light
+ - libnginx-mod-http-lua
+ - ca-certificates
+ - openssl
+ - certbot
+ - git
+
+
+# DH Parameter geneieriern
+
+- name: check if DH Params exists
+ stat:
+ path: /etc/nginx/dhparams.pem
+ register: dhparams
+
+- name: generate new DH Params
+ command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ when: dhparams.stat.exists == False
+
+
+# NginX einrichten
+
+- name: nginx default Konfig entfernen
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+
+# LetsEncrypt Script erstellen
+
+- name: LetsEncrypt Script erstellen
+ template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
+ notify: restart nginx
+
+- name: Cronjob für Zertifikatserneuerung
+ cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh"
+
+
+# nginx konfigurieren
+
+- include: config_site.yml
+ with_items:
+ - "{{ webserver_domains }}"
+
+
+- name: Konfig-Datei status erstellen
+ template: src=nginx-status dest=/etc/nginx/sites-enabled/status
+ notify: restart nginx
+
+
+# telegraf konfigurieren
+
+- name: Konfig-Datei status erstellen
+ template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf
+ notify: restart telegraf
+
+- name: adding existing user 'telegraf' to group adm
+ user:
+ name: telegraf
+ groups: adm
+ append: yes
+
diff --git a/common/nginx/templates/letsencrypt.sh b/common/nginx/templates/letsencrypt.sh
new file mode 100644
index 0000000000000000000000000000000000000000..8e5efbfcd168068a0c47779a12c22a08c593dbb8
--- /dev/null
+++ b/common/nginx/templates/letsencrypt.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+{% for domain in webserver_domains %}
+certbot certonly --non-interactive --agree-tos --webroot -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ domain }}.void.ms
+{% endfor %}
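Review bot: The telegraf task is named `Konfig-Datei status erstellen`, copied from the nginx status task a few lines above, so two tasks of this role report the same name in play output; rename it to something like `Konfig-Datei telegraf erstellen`. That task and its `restart telegraf` handler also assume telegraf is already installed (they write to /etc/telegraf/telegraf.d/ and restart the service), which holds for vorstand and webserver where ../common/telegraf precedes this role, but the visible part of webserver-test/main.yml lists no telegraf role before ../common/nginx, so confirm the ordering there or guard the task. `- include: config_site.yml` with `with_items` is the deprecated include form; if the target Ansible is 2.4 or newer, `include_tasks` is the replacement (the version cannot be told from here). `update_cache: yes` and `append: yes` would be written `true` under yamllint's truthy rule.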
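Review bot: The renewal script appends `.void.ms` to every entry of `webserver_domains` (`-d {{ domain }}.void.ms`), but this same commit changes those entries to full names such as `auth.warpzone.ms` (host_vars/webserver, host_vars/webserver-test, host_vars/vorstand) and config_site.yml issues the initial certificate for `{{ item }}` unchanged, so the daily cron would request certificates for names like `auth.warpzone.ms.void.ms`, fail, and never renew the real ones. The line should read `-d {{ domain }}`, or the whole loop can be replaced by `certbot renew --webroot -w /var/www/html/`, which renews every certificate certbot already manages. Unlike the deleted webserver/nginx/templates/letsencrypt.sh, this version no longer reloads nginx after a renewal, so a renewed certificate is not served until the next restart; append `systemctl reload nginx` or pass certbot's `--deploy-hook`.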
diff --git a/common/nginx/templates/nginx-site b/common/nginx/templates/nginx-site
new file mode 100644
index 0000000000000000000000000000000000000000..34c155ecf4bf3704c60a41b98fbbe936fc545e4f
--- /dev/null
+++ b/common/nginx/templates/nginx-site
@@ -0,0 +1,56 @@
+
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item }};
+ root /dev/null;
+ index index.html;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/html/;
+ }
+
+ location / {
+ rewrite ^(.*) https://{{ item }}$1 permanent;
+ }
+
+}
+
+server {
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_certificate /etc/letsencrypt/live/{{ item }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ item }}/privkey.pem;
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_cache shared:SSL:5m;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
+
+ server_name {{ item }};
+ root /dev/null;
+ index index.html;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/html/;
+ }
+
+ {% include "includes/" + item ignore missing %}
+
+}
+
+
diff --git a/common/nginx/templates/nginx-status b/common/nginx/templates/nginx-status
new file mode 100644
index 0000000000000000000000000000000000000000..7bc3c674d26e156bb5cf287a860dd05078643e88
--- /dev/null
+++ b/common/nginx/templates/nginx-status
@@ -0,0 +1,24 @@
+
+
+server {
+
+ listen 9145;
+
+ location /status {
+
+ # Turn on nginx stats
+ stub_status on;
+
+ # I do not need logs for stats
+ access_log off;
+
+ # Security: Only allow access from
+ allow 127.0.0.1;
+
+ # Send rest of the world to /dev/null #
+ deny all;
+
+ }
+
+}
+
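Review bot: Compared with the webserver/nginx/templates/nginx-site it replaces, the 443 server block drops `ssl_session_tickets off;`, `ssl_stapling on;` and `ssl_stapling_verify on;` (plus the `access_log off;` / `error_log off;` lines), so OCSP stapling is silently lost for every site moved to the common role; re-add them after `ssl_dhparam` unless the removal was deliberate. The `ssl_ciphers` string inherited from the old template starts with `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which I do not believe are suite names OpenSSL recognises, so only the three remaining suites are effective — `openssl ciphers -v` with that string on the target will confirm. The redirect `rewrite ^(.*) https://{{ item }}$1 permanent;` works, but `return 301 https://{{ item }}$request_uri;` is the idiomatic equivalent and is what the deleted template used. Since the Jinja `{% include %}` of the per-site file is placed inside the 443 server, any `add_header` inside an include's `location` block would suppress the server-level Strict-Transport-Security header for that location; a short comment at the include line noting this would save the next include author a surprise.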
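Review bot: `listen 9145;` in nginx-status binds the status server on every interface, while the `allow 127.0.0.1; deny all;` pair only covers `location /status`, so every other path on port 9145 is answered by this server for the whole network and the port shows up in scans; since telegraf.conf scrapes `http://127.0.0.1:9145/status`, binding locally with `listen 127.0.0.1:9145;` removes the exposure without changing anything else. The trailing `#` in `# Send rest of the world to /dev/null #` looks like a leftover and can go.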
diff --git a/common/nginx/templates/telegraf.conf b/common/nginx/templates/telegraf.conf new file mode 100644 index 0000000000000000000000000000000000000000..34894dd33112bf182f036a94bd1f3dbb1b44ed30 --- /dev/null +++ b/common/nginx/templates/telegraf.conf @@ -0,0 +1,24 @@ + +# Read Nginx's basic status information (ngx_http_stub_status_module) +[[inputs.nginx]] + ## An array of Nginx stub_status URI to gather stats. + urls = ["http://127.0.0.1:9145/status"] + + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification + # insecure_skip_verify = false + + ## HTTP response timeout (default: 5s) + response_timeout = "5s" + + +#[[inputs.logparser]] +# files = ["/var/log/nginx/access.log"] +# from_beginning = true +# name_override = "nginx_access_log" +# [inputs.logparser.grok] +# patterns = ["%{COMBINED_LOG_FORMAT}"] + diff --git a/group_vars/all b/group_vars/all index fdd88092707c51cbfa0b4ee91562e7f3b0c6a22a..0657e77d7389fdef6726b044ef97c9428601ad0a 100644 --- a/group_vars/all +++ b/group_vars/all @@ -1,5 +1,8 @@ # Globale Variablen für alle Server +# Letsencrypt notification mail +letsencrypt_mail: verwaltung@warpzone.ms + # IP Adresse des LDAP Servers # Extern läuft auf dem webserver ldap_ip_ext: 10.0.20.2 diff --git a/host_vars/vorstand b/host_vars/vorstand index 0d54f0715253db90962dff4336ef615edbc1513d..bd03105ba46517e3541c5ac285bf2105f1904108 100644 --- a/host_vars/vorstand +++ b/host_vars/vorstand 
@@ -9,12 +9,24 @@ debian_sources: - "deb http://repo.myloc.de/debian stretch main non-free contrib" - "deb https://download.docker.com/linux/debian stretch stable" - "deb http://packages.x2go.org/debian stretch main" + - "deb https://repos.influxdata.com/debian stretch stable" + debian_keys_id: - "E1F958385BFE2B6E" # x2go repo key debian_keys_url: - "https://download.docker.com/linux/debian/gpg" + - "https://repos.influxdata.com/influxdb.key" + + +# Art des Hosts: physical, vm, docker +host_type: "vm" + + +webserver_domains: + - "verwaltung.warpzone.ms" + - "verwaltung-git.warpzone.ms" administratorenteam: diff --git a/host_vars/webserver b/host_vars/webserver index 7ec39357afb53517b3372b2608328992db780db4..da8dec9241fc0b3007b7377378462fd4f05d02ae 100644 --- a/host_vars/webserver +++ b/host_vars/webserver @@ -24,29 +24,23 @@ debian_keys_url: host_type: "vm" -letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221 - -letsencrypt_mail: verwaltung@warpzone.ms - webserver_domains: - - "auth" - - "alerta" - - "gitlab" - - "infra" - - "infra-test" - - "jabber" - - "muc.jabber" - - "proxy.jabber" - - "jabber-test" - - "muc.jabber-test" - - "proxy.jabber-test" - - "ldap" - - "mattermost" - - "md" - - "pad" - - "wiki" - - "www" - - "www-test" + - "auth.warpzone.ms" + - "alerta.warpzone.ms" + - "gitlab.warpzone.ms" + - "infra.warpzone.ms" + - "jabber.warpzone.ms" + - "muc.jabber.warpzone.ms" + - "proxy.jabber.warpzone.ms" + - "jabber-test.warpzone.ms" + - "muc.jabber-test.warpzone.ms" + - "proxy.jabber-test.warpzone.ms" + - "ldap.warpzone.ms" + - "mattermost.warpzone.ms" + - "md.warpzone.ms" + - "pad.warpzone.ms" + - "wiki.warpzone.ms" + - "www.warpzone.ms" administratorenteam: - "void" diff --git a/host_vars/webserver-test b/host_vars/webserver-test index b14b978918f107ee1dd1d6680894ad17efa2b086..348cdf10cb288ef19338f7efad018c0ccb5167a9 100644 --- a/host_vars/webserver-test +++ b/host_vars/webserver-test 
@@ -22,16 +22,13 @@ debian_keys: host_type: "vm" -letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221 - -letsencrypt_mail: verwaltung@warpzone.ms webserver_domains: - - "infra-test" - - "jabber-test" - - "muc.jabber-test" - - "proxy.jabber-test" - - "www-test" + - "infra-test.warpzone.ms" + - "jabber-test.warpzone.ms" + - "muc.jabber-test.warpzone.ms" + - "proxy.jabber-test.warpzone.ms" + - "www-test.warpzone.ms" administratorenteam: - "void" diff --git a/vorstand/main.yml b/vorstand/main.yml index e8fa988c853ee923a91322e0c0255ae1b932d26c..3f13121d899801c89e1ecb0b763bd5443f994011 100644 --- a/vorstand/main.yml +++ b/vorstand/main.yml @@ -3,7 +3,10 @@ - hosts: vorstand remote_user: root roles: + - { role: ../common/telegraf, tags: telegraf } - { role: ../common/docker, tags: docker } + - { role: ../common/nginx, tags: nginx } + - { role: docker_gitea, tags: gitea } - { role: docker_mysql, tags: mysql } - { role: user, tags: user } - { role: jameica, tags: jameica } diff --git a/webserver-test/main.yml b/webserver-test/main.yml index e06af65396ccca04175eb6d0397c45d3e2a0ee1c..c45786014f51647441c53cc1c525ebc43f01969a 100644 --- a/webserver-test/main.yml +++ b/webserver-test/main.yml @@ -4,7 +4,7 @@ remote_user: root roles: - { role: ../common/docker, tags: docker } - - { role: ../webserver/nginx, tags: nginx } + - { role: ../common/nginx, tags: nginx } - { role: ../webserver/docker_jabber, tags: jabber } - { role: ../webserver/docker_ldap, tags: ldap } - { role: ../webserver/docker_warpinfra, tags: warpinfra } diff --git a/webserver/main.yml b/webserver/main.yml index 7e5861b5b2ddec168cc1142fb366e231e4560251..e7be0116f7bd19590d31f5caa23ba49d98316e52 100644 --- a/webserver/main.yml +++ b/webserver/main.yml 
@@ -6,7 +6,7 @@ - { role: ../common/borgbackup, tags: borgbackup } - { role: ../common/docker, tags: docker } - { role: ../common/telegraf, tags: telegraf } - - { role: nginx, tags: nginx } + - { role: ../common/nginx, tags: nginx } - { role: openvpn, tags: openvpn } - { role: docker_alerta, tags: alerta } - { role: docker_dokuwiki, tags: dokuwiki } diff --git a/webserver/nginx/handlers/main.yml b/webserver/nginx/handlers/main.yml deleted file mode 100644 index 92971d2cdf145a0108a354b0c6c9e9aef0dd0464..0000000000000000000000000000000000000000 --- a/webserver/nginx/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: restart nginx - service: name=nginx state=restarted diff --git a/webserver/nginx/tasks/main.yml b/webserver/nginx/tasks/main.yml deleted file mode 100644 index 2e9f058854893080ca1b2a07d7b2484f51809070..0000000000000000000000000000000000000000 --- a/webserver/nginx/tasks/main.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -# Pakete installieren -- name: nginx installieren - apt: - name: "{{ packages }}" - update_cache: yes - state: present - vars: - packages: - - nginx - - git - - ca-certificates - - gcc - - libssl-dev - - libffi-dev - - python - - python-dev - - virtualenv - -- name: nginx default Konfig entfernen - file: - path: /etc/nginx/sites-enabled/default - state: absent - -# DH Parameter geneieriern - -- name: check if DH Params exists - stat: - path: /etc/nginx/dhparams.pem - register: dhparams - -- name: generate new DH Params - command: openssl dhparam -out /etc/nginx/dhparams.pem 2048 - when: dhparams.stat.exists == False - -# sinp_le installieren - -- name: create folder simp_le - file: - path: "/opt/simp_le/" - state: "directory" - -- name: clone simp_le repo - git: - repo: "https://github.com/zenhack/simp_le.git" - version: "60ee2111609022e6550dbe137c2a6064890a5ca0" - dest: "/opt/simp_le/" - - -# LetsEncrypt Script erstellen - -- name: LetsEncrypt Script erstellen - template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x - register: letsencryptsh - -- name: Cronjob für Zertifikatserneuerung - cron: name="letsencrypt" weekday="2" hour="20" minute="0" job="/opt/letsencrypt.sh" - - -# nginx konfigurieren (initial, falls noch kein Zertifikat existiert) - -- name: check if fullchain.pem exists - stat: path=/etc/ssl/fullchain.pem - register: sslcert - -- name: Konfig-Datei default erstellen (initial) - template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms - with_items: webserver_domains - notify: restart nginx - when: sslcert.stat.exists == False - -- name: nginx restarten (initial) - meta: flush_handlers - when: sslcert.stat.exists == False - -- name: Letsencrypt-Zertifikat beantragen und installieren - shell: "/opt/letsencrypt.sh" - when: sslcert.stat.exists == False or letsencryptsh.changed - - -# nginx konfigurieren - -- name: Konfig-Datei default erstellen - template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item 
}}.wapzone.ms - with_items: - - "{{webserver_domains}}" - notify: restart nginx - - - diff --git a/webserver/nginx/templates/letsencrypt.sh b/webserver/nginx/templates/letsencrypt.sh deleted file mode 100644 index 2f09b63134ef14e6c5f26ed6a03663ca43df3126..0000000000000000000000000000000000000000 --- a/webserver/nginx/templates/letsencrypt.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -cd /opt/simp_le/ -if [ ! -e venv/bin/python ]; then ./venv.sh; fi - -cd /etc/ssl -PATH=/opt/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin - -simp_le --email {{ letsencrypt_mail }} -f account_key.json -f key.pem -f fullchain.pem --tos_sha256 {{ letsencrypt_tos_sha256 }} {% for domain in webserver_domains %} -d {{ domain }}.warpzone.ms:/var/www/html {% endfor %} && systemctl reload nginx && /usr/local/bin/docker-compose -f /srv/jabber_test/docker-compose.yml restart && /usr/local/bin/docker-compose -f /srv/jabber/docker-compose.yml diff --git a/webserver/nginx/templates/nginx-site b/webserver/nginx/templates/nginx-site deleted file mode 100644 index 5dfc1f100fb7f7dace7177cc98683d5dfd54d952..0000000000000000000000000000000000000000 --- a/webserver/nginx/templates/nginx-site +++ /dev/null 
@@ -1,82 +0,0 @@ - -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - - listen 80; - listen [::]:80; - - server_name {{ item }}.warpzone.ms; - root /dev/null; - index index.html; - - - access_log /dev/null; - error_log /dev/null; - - access_log off; - error_log off; - - - location /.well-known/ { - root /var/www/html/; - } - - {% if sslcert.stat.exists == True %} - - location / { - return 301 https://$server_name$request_uri; - } - - {% endif %} - -} - -{% if sslcert.stat.exists == True %} - -server { - - listen 443 ssl http2; - listen [::]:443 ssl http2; - - ssl_certificate /etc/ssl/fullchain.pem; - ssl_certificate_key /etc/ssl/key.pem; - ssl_dhparam /etc/nginx/dhparams.pem; - - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - - ssl_session_cache shared:SSL:5m; - ssl_session_timeout 5m; - add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;"; - - # ab nginx > 1.13 ist TLS1.3 möglich - ssl_protocols TLSv1.2; - ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_prefer_server_ciphers on; - - - server_name {{ item }}.warpzone.ms; - root /dev/null; - index index.html; - - - access_log /dev/null; - error_log /dev/null; - - access_log off; - error_log off; - - - location /.well-known/ { - root /var/www/html/; - } - - {% include "includes/" + item ignore missing %} - -} - -{% endif %}