Merge branch 'framadate' into 'master'

Framadate

See merge request nounous/ansible!17

network.yml

@@ -100,6 +100,7 @@
         - {from: autoconfig.crans.org, to: 10.231.136.46}
         - {from: grafana.crans.org, to: 10.231.136.102}
         - {from: webirc.crans.org, to: "10.231.136.1:9000"}
+        - {from: framadate.crans.org, to: 185.230.79.194}
 
         # Zamok
         - {from: install-party.crans.org, to: 10.231.136.1}

roles/framadate/tasks/main.yml

@@ -4,8 +4,8 @@
   apt:
     update_cache: true
     name:
-      - apache2
+      - nginx
-      - libapache2-mod-php
+      - php-fpm
       - php-intl
       - php-mbstring
       - php-pgsql
@@ -37,12 +37,32 @@
   retries: 3
   until: composer_result is succeeded
 
-# cd framadate
+- name: Create log file
-# sudo -u www-data touch admin/stdout.log
+  file:
-# sudo chmod 600 admin/stdout.log
+    path: "{{ framadate.path }}/admin/stdout.log"
+    owner: www-data
+    state: touch
+    mode: 0600
+
+- name: Configure admin password
+  copy:
+    content: "{{ framadate.admin_username }}:{{ framadate.admin_password_hash }}\n"
+    dest: /etc/nginx/.htpasswd
+
+- name: Configure nginx site
+  template:
+    src: nginx-site.j2
+    dest: /etc/nginx/sites-available/framadate
+
+- name: Enable nginx site
+  file:
+    src: /etc/nginx/sites-available/framadate
+    dest: /etc/nginx/sites-enabled/framadate
+    state: link
 
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-framadate
     mode: 0755
+

roles/framadate/templates/nginx-site.j2

@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name framadate.crans.org;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+    add_header Referrer-Policy "strict-origin";
+
+    root {{ framadate.path }};
+
+    index index.php;
+
+    location ~^/(\.git)/{
+        deny all;
+    }
+
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+        deny all;
+    }
+
+    location /admin/ {
+        auth_basic "Restricted access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        location ~ \.php$ {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+        }
+        try_files $uri $uri/ =401; 
+    }
+
+    location / {
+        rewrite "^/admin$" "/admin/" permanent;
+
+        # Clean URL
+        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+        try_files $uri /index.php; 
+    }
+
+    location ~ \.php$ {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+}
+

services_web.yml

@@ -9,8 +9,10 @@
   vars:
     framadate:
       repo: https://framagit.org/framasoft/framadate/framadate.git
-      version: 1.1.10
+      version: "77bf2aaa0c344fd25535e2d0543d9a76bf35b5fd"
       path: /var/www/framadate
+      admin_username: framadate
+      admin_password_hash: "{{ vault_framadate_password_hash }}"
   roles:
     - framadate