diff --git a/network.yml b/network.yml
index a6ec7a1c..16865b78 100755
--- a/network.yml
+++ b/network.yml
@@ -100,6 +100,7 @@
 - {from: autoconfig.crans.org, to: 10.231.136.46}
 - {from: grafana.crans.org, to: 10.231.136.102}
 - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+ - {from: framadate.crans.org, to: 185.230.79.194} # Zamok
 - {from: install-party.crans.org, to: 10.231.136.1}
diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 02c698e7..4c39e3d5 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -4,8 +4,8 @@
 apt:
 update_cache: true
 name:
- - apache2
- - libapache2-mod-php
+ - nginx
+ - php-fpm
 - php-intl
 - php-mbstring
 - php-pgsql
@@ -37,12 +37,32 @@
 retries: 3
 until: composer_result is succeeded
-# cd framadate
-# sudo -u www-data touch admin/stdout.log
-# sudo chmod 600 admin/stdout.log
+- name: Create log file
+ file:
+ path: "{{ framadate.path }}/admin/stdout.log"
+ owner: www-data
+ state: touch
+ mode: 0600
+
+ - name: Configure admin password
+ copy:
+ content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n"
+ dest: /etc/nginx/.htpasswd
+
+ - name: Configure nginx site
+ template:
+ src: nginx-site.j2
+ dest: /etc/nginx/sites-available/framadate
+
+ - name: Enable nginx site
+ file:
+ src: /etc/nginx/sites-available/framadate
+ dest: /etc/nginx/sites-enabled/framadate
+ state: link
 - name: Indicate role in motd
 template:
 src: update-motd.d/05-service.j2
 dest: /etc/update-motd.d/05-framadate
 mode: 0755
+
diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2
new file mode 100644
index 00000000..ef963c3e
--- /dev/null
+++ b/roles/framadate/templates/nginx-site.j2
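Review bot: Hosts provisioned by the previous version of this role still have apache2 installed and enabled, and nothing in the new package list removes it, so on those hosts Apache keeps port 80 and the `listen 80` in the new nginx site cannot bind. Add a task ahead of this one that removes the old packages, e.g. `apt: {name: [apache2, libapache2-mod-php], state: absent}`, or at least stops and disables the apache2 service before nginx is started. The apt task this list belongs to starts outside the hunk, so I cannot see whether it sets a `state:`.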
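Review bot: The `Configure admin password` task writes the htpasswd hash to /etc/nginx/.htpasswd with no `owner`, `group` or `mode`, so the file is created as root with the umask default (typically 0644) and the admin credential hash is readable by every local account; add `owner: root`, `group: www-data` and `mode: "0640"` to the copy task so only the nginx workers can read it. The `Configure nginx site` and `Enable nginx site` tasks carry no `notify`, so unless a handler outside this hunk is triggered some other way, nginx is never reloaded and the new site is not served until a manual restart. `state: touch` in `Create log file` rewrites the timestamps on every run and reports changed each time; adding `modification_time: preserve` and `access_time: preserve` keeps the task idempotent.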
@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name framadate.crans.org;
+
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+ add_header Referrer-Policy "strict-origin";
+
+ root {{ framadate.path }};
+
+ index index.php;
+
+ location ~^/(\.git)/{
+ deny all;
+ }
+
+ location ~ /\. {
+ deny all;
+ }
+
+ location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+ deny all;
+ }
+
+ location /admin/ {
+ auth_basic "Restricted access";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+
+ location ~ \.php$ {
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ }
+ try_files $uri $uri/ =401;
+ }
+
+ location / {
+ rewrite "^/admin$" "/admin/" permanent;
+
+ # Clean URL
+ rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+ rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+ rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+ rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+ try_files $uri /index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ }
+}
+
diff --git a/services_web.yml b/services_web.yml
index 17515e3f..4c6f7d78 100755
--- a/services_web.yml
+++ b/services_web.yml
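Review bot: This server block listens only on port 80 while `location /admin/` guards the admin pages with `auth_basic`, so the admin password is sent in cleartext (Basic is plain base64) unless TLS is terminated in front of this host; the network.yml change in the same commit appears to map framadate.crans.org directly to the host's public address, so either add a TLS listener here or document where TLS is terminated. The php-fpm socket `unix:/run/php/php7.3-fpm.sock` is hard-coded in both PHP locations and tied to whichever PHP version the `php-fpm` meta-package installs; move it into a role variable so a PHP upgrade does not silently turn into 502s. Both `location ~ \.php$` blocks hand any URI ending in .php to php-fpm whether or not the script exists; add `try_files $uri =404;` to each so nginx rejects non-existent scripts instead of forwarding them to PHP. The `'unsafe-inline' 'unsafe-eval'` in the CSP's script-src removes most of its protection against injected script; if Framadate requires them, a comment saying so would spare the next reviewer the question. `location ~^/(\.git)/{` is redundant with `location ~ /\.` and is written without the spacing the other locations use.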
@@ -9,8 +9,10 @@
 vars:
 framadate:
 repo: https://framagit.org/framasoft/framadate/framadate.git
- version: 1.1.10
+ version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
 path: /var/www/framadate
+ admin_username: framadate
+ admin_password_hash: "{{ vault_framadate_password_hash }}"
 roles:
 - framadate
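Review bot: `admin_password_hash` carries no comment saying which hash format is expected; nginx's `auth_basic_user_file` accepts htpasswd-style crypt/apr1/SHA entries and not every generator's output, so add above the line `# htpasswd-compatible hash written to /etc/nginx/.htpasswd, e.g. from openssl passwd -apr1` to keep an incompatible hash out of the vault. Pinning `version` to a bare commit SHA is immutable but opaque compared with the old `1.1.10` tag; a trailing comment recording which release the commit tracks and why it was chosen would keep the pin reviewable. `vault_framadate_password_hash` is not defined anywhere in this diff, so the play presumably fails on an undefined variable until it is added to the vault.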