Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible
commit
b8f2306667
12 changed files with 139 additions and 2 deletions
|
@ -27,6 +27,10 @@ haproxy_http:
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'embassy.ccchb.de'
|
- host: 'embassy.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'kasse.z1.ccchb.de'
|
||||||
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'kasse.zweigstelle.space'
|
||||||
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'jabber.ccchb.de'
|
- host: 'jabber.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::13'
|
addr: '2a01:4f8:150:926f::13'
|
||||||
|
|
||||||
|
@ -47,6 +51,10 @@ haproxy_sni:
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'embassy.ccchb.de'
|
- host: 'embassy.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::11'
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'kasse.z1.ccchb.de'
|
||||||
|
addr: '2a01:4f8:150:926f::11'
|
||||||
|
- host: 'kasse.zweigstelle.space'
|
||||||
|
addr: '2a01:4f8:150:926f::11'
|
||||||
- host: 'jabber.ccchb.de'
|
- host: 'jabber.ccchb.de'
|
||||||
addr: '2a01:4f8:150:926f::13'
|
addr: '2a01:4f8:150:926f::13'
|
||||||
|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
Subproject commit 0474dc8d0c7031f7fcb58484c9c6552b1b9869eb
|
Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5
|
|
@ -40,6 +40,8 @@ mediawiki_nginx_conf: |
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||||
|
|
||||||
client_max_body_size 100M;
|
client_max_body_size 100M;
|
||||||
|
|
||||||
include snippets/certbot.conf;
|
include snippets/certbot.conf;
|
||||||
|
|
|
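Review bot: The new `add_header Strict-Transport-Security ...` line only reaches responses from blocks that define no `add_header` of their own; in nginx a `location` that sets any header drops every header inherited from the server block, so the HSTS header silently disappears there. The rest of `mediawiki_nginx_conf` and the site template that embeds it are outside this hunk, so check them and repeat the directive (or move the security headers into a shared snippet) wherever a nested block sets headers. `includeSubDomains` with `max-age=15552000` also pins every subdomain of `{{ mediawiki_domain }}` to HTTPS for 180 days in visiting browsers, so confirm no plain-HTTP service is expected under that name.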
@ -29,7 +29,7 @@ $wgEmailAuthentication = true;
|
||||||
require 'LocalSettings_secrets.php';
|
require 'LocalSettings_secrets.php';
|
||||||
|
|
||||||
## Shared memory settings
|
## Shared memory settings
|
||||||
$wgMainCacheType = CACHE_NONE;
|
$wgMainCacheType = CACHE_ACCEL;
|
||||||
$wgMemCachedServers = array();
|
$wgMemCachedServers = array();
|
||||||
|
|
||||||
## To enable image uploads, make sure the 'images' directory
|
## To enable image uploads, make sure the 'images' directory
|
||||||
|
|
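Review bot: Switching `$wgMainCacheType` to `CACHE_ACCEL` makes MediaWiki depend on an in-process accelerator cache (APCu on current PHP), and nothing in this commit installs or checks for that extension; confirm the role installs `php-apcu`, otherwise the wiki will not have the cache it now expects. Session storage typically follows the main cache type, so sessions move into the accelerator too, which is per-server and cleared on a PHP restart — fine for a single host but worth stating, e.g. `## CACHE_ACCEL needs php-apcu; sessions live there too, so this is single-server only`. The `$wgMemCachedServers = array();` line below it is now unused and could go.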
23
roles/mete/defaults/main.yml
Normal file
23
roles/mete/defaults/main.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
mete_domain: kasse.z1.ccchb.de
|
||||||
|
mete_nginx_domains:
|
||||||
|
- kasse.z1.ccchb.de
|
||||||
|
- kasse.zweigstelle.space
|
||||||
|
mete_app_dir: /var/www/kiosk.z1.ccchb.de/mete
|
||||||
|
mete_app_url: "http://127.0.0.1:3000/"
|
||||||
|
mete_nginx_config: |
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
listen 443 ssl http2;
|
||||||
|
|
||||||
|
{% for domain in mete_nginx_domains %}
|
||||||
|
server_name {{ domain }};
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{ mete_domain }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{ mete_domain }}/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ mete_domain }}/chain.pem;
|
||||||
|
|
||||||
|
include snippets/certbot.conf;
|
||||||
|
|
||||||
|
...
|
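Review bot: `mete_nginx_config` answers for every name in `mete_nginx_domains` but loads only the certificate under `/etc/letsencrypt/live/{{ mete_domain }}/`, so `kasse.zweigstelle.space` is served with the `kasse.z1.ccchb.de` certificate and browsers get a name-mismatch error unless that certificate carries the second name as a SAN. Either issue the certificate for all of `mete_nginx_domains` (the ACME configuration is outside this commit) or record the assumption above the variable, e.g. `# the certificate under mete_domain must cover every name in mete_nginx_domains`. Separately, `mete_app_dir` points at `kiosk.z1.ccchb.de` while the domain is `kasse.z1.ccchb.de`; if that is not deliberate, the unit's `WorkingDirectory` will not exist on the host.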
19
roles/mete/tasks/main.yml
Normal file
19
roles/mete/tasks/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
- name: Install mete systemd unit
|
||||||
|
template:
|
||||||
|
src: service.j2
|
||||||
|
dest: "/etc/systemd/system/mete@{{ mete_domain }}.service"
|
||||||
|
|
||||||
|
- name: Install mete nginx site
|
||||||
|
notify: reload nginx
|
||||||
|
template:
|
||||||
|
src: nginx.j2
|
||||||
|
dest: /etc/nginx/sites-available/{{ mete_domain }}
|
||||||
|
|
||||||
|
- name: Activate mete site
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/sites-available/{{ mete_domain }}
|
||||||
|
dest: /etc/nginx/sites-enabled/{{ mete_domain }}
|
||||||
|
state: link
|
||||||
|
|
||||||
|
...
|
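Review bot: The unit written by `Install mete systemd unit` is never loaded, enabled or started — there is no `systemd` task and no `notify` on the template task — so after this play `mete@{{ mete_domain }}.service` sits on disk unknown to systemd and the `mete_app_url` target nginx proxies to has nothing listening. The whole tasks file is within this hunk; add a task after `Activate mete site` such as the one below, and consider a `notify` on the template task with a matching restart handler so later unit changes are picked up. Minor: `dest: /etc/nginx/sites-available/{{ mete_domain }}` parses because the value does not start with `{{`, but quoting it like the systemd `dest` above keeps the file consistent.
```yaml
# … unchanged: template, nginx site and symlink tasks …

- name: Enable and start mete
  systemd:
    name: "mete@{{ mete_domain }}"
    daemon_reload: true
    enabled: true
    state: started
```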
17
roles/mete/templates/nginx.j2
Normal file
17
roles/mete/templates/nginx.j2
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
server {
|
||||||
|
{{ mete_nginx_config }}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass {{ mete_app_url }};
|
||||||
|
|
||||||
|
satisfy any;
|
||||||
|
|
||||||
|
allow 45.152.242.34;
|
||||||
|
allow 2001:67c:708::/48;
|
||||||
|
|
||||||
|
auth_basic "CCCHB internal";
|
||||||
|
auth_basic_user_file "htpasswd";
|
||||||
|
}
|
||||||
|
}
|
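Review bot: The `allow` rules in `location /` are not followed by a `deny all;`, and nginx's access module permits any client that matches no rule, so every address passes the access check; together with `satisfy any;` that means the `auth_basic` prompt is never required and the application is effectively open to everyone. Add `deny all;` directly after `allow 2001:67c:708::/48;` so only the listed networks bypass the password. Also, `auth_basic_user_file "htpasswd";` is resolved relative to the nginx prefix and nothing in this commit creates that file, so confirm it is provisioned elsewhere; and a Rails app behind a proxy usually needs `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` to generate correct HTTPS links.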
12
roles/mete/templates/service.j2
Normal file
12
roles/mete/templates/service.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Mete application server on {{ mete_domain }}
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/bin/bundler exec rails server
|
||||||
|
WorkingDirectory={{ mete_app_dir }}
|
||||||
|
User=www-data
|
||||||
|
Environment=RAILS_ENV=production
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
|
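Review bot: `ExecStart=/bin/bundler exec rails server` pins neither bind address nor port, so the interface the Rails server listens on depends on the Rails version's default (older releases bind all interfaces), while nginx in this commit proxies only to `127.0.0.1:3000`; make the contract explicit with `ExecStart=/usr/bin/bundler exec rails server -b 127.0.0.1 -p 3000` (verify the bundler path on the target) so the unauthenticated app port is only reachable from the host itself. The unit also has no `Restart=` and no ordering, so a crash leaves the proxy target dead until someone notices; `After=network.target` under `[Unit]` and `Restart=on-failure` under `[Service]` are the usual minimum. The file is complete within this hunk.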
@ -16,6 +16,20 @@
|
||||||
args:
|
args:
|
||||||
creates: /var/lib/dehydrated/accounts
|
creates: /var/lib/dehydrated/accounts
|
||||||
|
|
||||||
|
- name: Install letsencrypt cronjob
|
||||||
|
template:
|
||||||
|
dest: "/etc/systemd/system/{{ item }}"
|
||||||
|
src: "{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- dehydrated.service
|
||||||
|
- dehydrated.timer
|
||||||
|
|
||||||
|
- name: Start lets encrypt cronjob
|
||||||
|
systemd:
|
||||||
|
name: dehydrated.timer
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
- name: nginx default config
|
- name: nginx default config
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
template:
|
template:
|
||||||
|
@ -27,3 +41,5 @@
|
||||||
template:
|
template:
|
||||||
src: snippets-tls.nginx
|
src: snippets-tls.nginx
|
||||||
dest: /etc/nginx/snippets/tls-acme.conf
|
dest: /etc/nginx/snippets/tls-acme.conf
|
||||||
|
|
||||||
|
|
||||||
|
|
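Review bot: `Start lets encrypt cronjob` starts `dehydrated.timer` right after the unit files are templated but does not pass `daemon_reload: true`, so on a host where the timer or service already existed and was just changed, systemd keeps running the old definition until something else reloads it; add `daemon_reload: true` under `systemd:`. `enabled: yes` should be `enabled: true`, the canonical YAML boolean. The task names mix `letsencrypt` and `lets encrypt`, and these are systemd timers rather than cron entries, so `Install dehydrated timer units` / `Start dehydrated timer` would describe them more accurately.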
6
roles/nginx/templates/dehydrated.service
Normal file
6
roles/nginx/templates/dehydrated.service
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Check and renew ACME TLS certificates
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/dehydrated -c
|
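Review bot: The service runs `dehydrated -c` but nothing reloads nginx afterwards, so a renewed certificate lands on disk while the running nginx keeps serving the old one until its next reload — for certificates typically valid 90 days that can end in serving an expired chain. Unless the dehydrated hook script (not part of this commit) already handles it, add `ExecStartPost=/bin/systemctl reload nginx` under `[Service]`, or reload nginx from the hook's `deploy_cert` stage. The file is complete within this hunk.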
8
roles/nginx/templates/dehydrated.timer
Normal file
8
roles/nginx/templates/dehydrated.timer
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Check and renew ACME TLS certificates
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
OnCalendar=daily UTC
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
|
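Review bot: The timer has no `Persistent=true`, so if the host is down or the unit is stopped when `daily UTC` fires, that day's renewal check is skipped instead of running at the next boot — for certificate renewal that is precisely the case worth covering. Add `Persistent=true` under `[Timer]`, and consider `RandomizedDelaySec=1h` so every host does not contact the CA at exactly 00:00 UTC. The `Description=` is identical to the service's; something like `Daily check and renewal of ACME TLS certificates` would tell the two apart in `systemctl list-timers`.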
@ -3,6 +3,8 @@
|
||||||
server:
|
server:
|
||||||
ip-address: 127.0.0.1@5353
|
ip-address: 127.0.0.1@5353
|
||||||
ip-address: ::1@5353
|
ip-address: ::1@5353
|
||||||
|
ip-address: 176.9.59.104@53
|
||||||
|
ip-address: 2a01:4f8:150:926f::2@53
|
||||||
|
|
||||||
# policy
|
# policy
|
||||||
statistics: 3600
|
statistics: 3600
|
||||||
|
@ -19,6 +21,9 @@ server:
|
||||||
log-time-ascii: no
|
log-time-ascii: no
|
||||||
debug-mode: yes
|
debug-mode: yes
|
||||||
|
|
||||||
|
# zones are state, not configuration
|
||||||
|
zonesdir: "/var/db/nsd/zones"
|
||||||
|
|
||||||
# Remote control config section.
|
# Remote control config section.
|
||||||
remote-control:
|
remote-control:
|
||||||
control-enable: yes
|
control-enable: yes
|
||||||
|
@ -38,3 +43,24 @@ zone:
|
||||||
request-xfr: 2001:7fd::1 NOKEY # k.root-servers.net
|
request-xfr: 2001:7fd::1 NOKEY # k.root-servers.net
|
||||||
request-xfr: 2620:0:2830:202::132 NOKEY # xfr.cjr.dns.icann.org
|
request-xfr: 2620:0:2830:202::132 NOKEY # xfr.cjr.dns.icann.org
|
||||||
request-xfr: 2620:0:2d0:202::132 NOKEY # xfr.lax.dns.icann.org
|
request-xfr: 2620:0:2d0:202::132 NOKEY # xfr.lax.dns.icann.org
|
||||||
|
|
||||||
|
# Patterns for dynamically managed zones
|
||||||
|
# The list of dynamic zones is in /var/db/nsd/zone.list and is managed
|
||||||
|
# by `nsd-control addzone` and `nsd-control delzone`
|
||||||
|
pattern:
|
||||||
|
name: "local"
|
||||||
|
zonefile: "%s"
|
||||||
|
# brunn.ccchb.de
|
||||||
|
provide-xfr: 159.69.196.38 NOKEY
|
||||||
|
provide-xfr: 2a01:4f8:1c1c:c197:: NOKEY
|
||||||
|
# ns1.grimpen.net
|
||||||
|
provide-xfr: 51.83.186.231 NOKEY
|
||||||
|
provide-xfr: 2001:41d0:601:1100::33b7 NOKEY
|
||||||
|
|
||||||
|
pattern:
|
||||||
|
name: "replicate-brunn"
|
||||||
|
# brunn.ccchb.de
|
||||||
|
allow-notify: 159.69.196.38 NOKEY
|
||||||
|
allow-notify: 2a01:4f8:1c1c:c197:: NOKEY
|
||||||
|
request-xfr: AXFR 2a01:4f8:1c1c:c197:: NOKEY
|
||||||
|
|
||||||
|
|
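Review bot: The new `provide-xfr` and `allow-notify` entries for brunn.ccchb.de and ns1.grimpen.net use `NOKEY`, so outgoing zone transfers and incoming NOTIFYs are authorised by source address alone; NOTIFY arrives over UDP, where the source address is not verified, so these patterns accept forged notifies and hand out the dynamic zones to anyone who can present those addresses. NSD supports TSIG: add a `key:` section with `name`, `algorithm` and `secret` (secret sourced from the vault, not this file) and replace `NOKEY` with the key name in `provide-xfr`, `allow-notify` and `request-xfr` here and in the matching entries on the peers. Also, the `replicate-brunn` pattern declares no `zonefile:` while the `local` pattern sets `zonefile: "%s"`; confirm this NSD build persists secondary zones without one, or add a zonefile so the zone survives a restart.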