crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[nginx-reverseproxy] Initial role

certbot_on_virtu
Alexandre Iooss 2020-05-02 10:18:10 +02:00 committed by Bombar Maxime
parent fa586e9a94
commit 39a33bfa06
8 changed files with 372 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
network.yml
View File

@ -60,8 +60,80 @@
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
bind: bind:
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
nginx:
ssl:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
redirect_dnames:
- crans.eu
- crans.fr
reverseproxy_sites:
# Services web Crans
- {from: lutim.crans.org, to: 10.231.136.69}
- {from: zero.crans.org, to: 10.231.136.76}
- {from: pad.crans.org, to: 10.231.136.76}
- {from: ethercalc.crans.org, to: 10.231.136.203}
- {from: mediadrop.crans.org, to: 10.231.136.106}
- {from: videos.crans.org, to: 10.231.136.106}
- {from: video.crans.org, to: 10.231.136.106}
- {from: roundcube.crans.org, to: 10.231.136.105}
- {from: phabricator.crans.org, to: 10.231.136.123}
- {from: trackerusercontent.crans.org, to: 10.231.136.123}
- {from: cas.crans.org, to: 10.231.136.18}
- {from: auth.crans.org, to: 10.231.136.18}
- {from: login.crans.org, to: 10.231.136.18}
- {from: webmail.crans.org, to: 10.231.136.107}
- {from: horde.crans.org, to: 10.231.136.107}
- {from: owncloud.crans.org, to: 10.231.136.26}
- {from: ftps.crans.org, to: 10.231.136.98}
- {from: wiki.crans.org, to: 10.231.136.204}
- {from: www.crans.org, to: 10.231.136.46}
- {from: doc.crans.org, to: 10.231.136.46}
- {from: limesurvey.crans.org, to: 10.231.136.253}
- {from: lutim.crans.org, to: 10.231.136.69}
- {from: perso.crans.org, to: 10.231.136.1}
- {from: webnews.crans.org, to: 10.231.136.63}
- {from: re2o.crans.org, to: 10.231.136.9}
- {from: intranet.crans.org, to: 10.231.136.9}
- {from: autoconfig.crans.org, to: 10.231.136.46}
- {from: grafana.crans.org, to: 10.231.136.102}
- {from: webirc.crans.org, to: "10.231.136.1:9000"}
# Zamok
- {from: install-party.crans.org, to: 10.231.136.1}
- {from: med.crans.org, to: 10.231.136.1}
- {from: med-cartons.crans.org, to: 10.231.136.1}
- {from: amap.crans.org, to: 10.231.136.1}
- {from: pot-vieux.crans.org, to: 10.231.136.1}
- {from: bonvivens.crans.org, to: 10.231.136.1}
redirect_sites:
- {from: crans.org, to: www.crans.org}
# Aliases or legacy support
- {from: factures.crans.org, to: intranet.crans.org}
- {from: accounts.crans.org, to: intranet.crans.org}
- {from: intranet2.crans.org, to: intranet.crans.org}
- {from: clubs.crans.org, to: perso.crans.org}
- {from: task.crans.org, to: phabricator.crans.org}
- {from: adopteunpingouin.crans.org, to: install-party.crans.org}
- {from: i-p.crans.org, to: install-party.crans.org}
# To the wiki
- {from: wikipedia.crans.org, to: wiki.crans.org}
- {from: wifi.crans.org, to: wiki.crans.org/CransD%C3%A9marrage}
- {from: television.crans.org, to: wiki.crans.org/CransTv}
- {from: tv.crans.org, to: wiki.crans.org/CransTv}
# ENS Cachan
- {from: crans.ens-cachan.fr, to: www.crans.org}
- {from: install-party.ens-cachan.fr, to: install-party.crans.org}
roles: roles:
- certbot - certbot
- nginx-reverseproxy
- hosts: gitzly.adm.crans.org - hosts: gitzly.adm.crans.org
vars: vars:

5
roles/nginx-reverseproxy/handlers/main.yml 100644
View File

@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: nginx
state: reloaded

40
roles/nginx-reverseproxy/tasks/main.yml 100644
View File

@ -0,0 +1,40 @@
---
- name: Install NGINX
apt:
update_cache: true
name: nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy reverse proxy sites
template:
src: "nginx/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Copy 50x error page
template:
src: www/html/50x.html.j2
dest: /var/www/html/50x.html
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755

83
roles/nginx-reverseproxy/templates/nginx/redirect.j2 100644
View File

@ -0,0 +1,83 @@
{{ ansible_header | comment }}
{% for site in nginx.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ site.from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ site.from }} to https://{{ site.to }}
server {
listen 443;
listen [::]:443;
server_name {{ site.from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endfor %}
{# Also redirect for DNAMEs #}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
# Redirect http://{{ from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ site.to }}
server {
listen 443;
listen [::]:443;
server_name {{ from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endfor %}
{% endfor %}

62
roles/nginx-reverseproxy/templates/nginx/reverseproxy.j2 100644
View File

@ -0,0 +1,62 @@
{{ ansible_header | comment }}
{% for site in nginx.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
listen [::]:80
server_name {{ site.from }};
location / {
return 302 https://$host$request_uri;
}
}
# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
server {
listen 443;
listen [::]:443;
server_name {{ site.from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
error_log /var/log/nginx/{{ site.from }}_error.log;
# Keep the TCP connection open a bit for faster browsing
keepalive_timeout 70;
# Custom error page
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
set_real_ip_from 10.231.136.0/24;
set_real_ip_from 2a0c:700:0:2::/64;
real_ip_header P-Real-Ip;
location / {
proxy_set_header Host {{ site.from }};
proxy_set_header P-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_pass http://{{ site.to }};
}
}
{% endfor %}

44
roles/nginx-reverseproxy/templates/nginx/reverseproxy_redirect_dname.j2 100644
View File

@ -0,0 +1,44 @@
{{ ansible_header | comment }}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.reverseproxy_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% set to = site.from %}
# Redirect http://{{ from }} to http://{{ to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ to }}
server {
listen 443;
listen [::]:443;
server_name {{ from }};
ssl on;
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
# SSL ciphers updated by Debian
include "/etc/letsencrypt/options-ssl-nginx.conf";
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
location / {
return 302 https://{{ to }}$request_uri;
}
}
{% endfor %}
{% endfor %}

3
roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 100755
View File

@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.

63
roles/nginx-reverseproxy/templates/www/html/50x.html.j2 100644
View File

@ -0,0 +1,63 @@
<!doctype html>
<html lang="fr">
<head>
<meta charset="utf-8">
<title>502</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
* {
line-height: 1.2;
margin: 0;
}
html {
color: #888;
display: table;
font-family: sans-serif;
height: 100%;
text-align: center;
width: 100%;
}
body {
display: table-cell;
vertical-align: middle;
margin: 2em auto;
}
a {
color: #888;
text-decoration: underline dotted;
}
h1 {
color: #555;
font-size: 2em;
font-weight: 400;
}
p {
margin: 1em auto;
max-width: 480px;
}
@media only screen and (max-width: 280px) {
body, p {
width: 95%;
}
h1 {
font-size: 1.5em;
margin: 0 0 0.3em;
}
}
</style>
</head>
<body>
<h1>502</h1>
<p>Whoops, le service prend trop de temps à répondre…</p>
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
à contacter <a href="mailto:contact@crans.org">l'équipe technique du Cr@ns</a>.</p>
</body>
</html>