Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible
commit
b8f2306667
12 changed files with 139 additions and 2 deletions
|
@ -27,6 +27,10 @@ haproxy_http:
|
|||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'embassy.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'kasse.z1.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'kasse.zweigstelle.space'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'jabber.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::13'
|
||||
|
||||
|
@ -47,6 +51,10 @@ haproxy_sni:
|
|||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'embassy.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'kasse.z1.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'kasse.zweigstelle.space'
|
||||
addr: '2a01:4f8:150:926f::11'
|
||||
- host: 'jabber.ccchb.de'
|
||||
addr: '2a01:4f8:150:926f::13'
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit 0474dc8d0c7031f7fcb58484c9c6552b1b9869eb
|
||||
Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5
|
|
@ -40,6 +40,8 @@ mediawiki_nginx_conf: |
|
|||
ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
include snippets/certbot.conf;
|
||||
|
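Review bot: `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;` is inherited only by `location` blocks that set no `add_header` of their own, so any location in this server that adds another header silently loses HSTS there; keeping HSTS in a snippet that is included next to every other `add_header` (or repeating it in those locations) avoids that. The `mediawiki_nginx_conf` block scalar starts and ends outside the hunk, so I cannot see whether such locations exist. `client_max_body_size 100M;` is placed at server level and therefore raises the request-body limit for every location, not just uploads; a one-line comment stating that this is intended (`# uploads: must match $wgMaxUploadSize`) would help the next reader.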
|
|
@ -29,7 +29,7 @@ $wgEmailAuthentication = true;
|
|||
require 'LocalSettings_secrets.php';
|
||||
|
||||
## Shared memory settings
|
||||
$wgMainCacheType = CACHE_NONE;
|
||||
$wgMainCacheType = CACHE_ACCEL;
|
||||
$wgMemCachedServers = array();
|
||||
|
||||
## To enable image uploads, make sure the 'images' directory
|
||||
|
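Review bot: Assuming this hunk swaps `$wgMainCacheType = CACHE_NONE;` for `$wgMainCacheType = CACHE_ACCEL;` (the -7/+7 header and the two adjacent lines suggest so), MediaWiki now depends on a PHP accelerator cache such as APCu being present in the web runtime, and nothing in this commit installs or checks for one; what happens when it is missing varies by MediaWiki version, so that should be confirmed on the host. A comment above the line would record the dependency, e.g. `## CACHE_ACCEL needs a PHP accelerator (APCu); keep the PHP package list in sync`. Note that the accelerator cache is per host, so if session storage resolves to it (the default is CACHE_ANYTHING) this only works while the wiki runs on a single app server — TODO confirm.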
|
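--- a/roles/mete/defaults/main.yml
+++ b/roles/mete/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+
+mete_domain: kasse.z1.ccchb.de
+mete_nginx_domains:
+  - kasse.z1.ccchb.de
+  - kasse.zweigstelle.space
+mete_app_dir: /var/www/kiosk.z1.ccchb.de/mete
+mete_app_url: "http://127.0.0.1:3000/"
+mete_nginx_config: |
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
+
+  {% for domain in mete_nginx_domains %}
+  server_name {{ domain }};
+  {% endfor %}
+
+  ssl_certificate /etc/letsencrypt/live/{{ mete_domain }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ mete_domain }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ mete_domain }}/chain.pem;
+
+  include snippets/certbot.conf;
+
+...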
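--- a/roles/mete/tasks/main.yml
+++ b/roles/mete/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install mete systemd unit
+  template:
+    src: service.j2
+    dest: "/etc/systemd/system/mete@{{ mete_domain }}.service"
+
+- name: Install mete nginx site
+  notify: reload nginx
+  template:
+    src: nginx.j2
+    dest: /etc/nginx/sites-available/{{ mete_domain }}
+
+- name: Activate mete site
+  file:
+    src: /etc/nginx/sites-available/{{ mete_domain }}
+    dest: /etc/nginx/sites-enabled/{{ mete_domain }}
+    state: link
+
+...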
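Review bot: The `Install mete systemd unit` task writes `/etc/systemd/system/mete@{{ mete_domain }}.service` but nothing afterwards runs a daemon-reload, enables or starts the unit, so on a fresh host the application never comes up and on an existing host a changed unit keeps its stale definition; the nginx role in this same commit already shows the pattern (`systemd:` with `state`/`enabled`), so a matching task with `daemon_reload` belongs at the end of this file. The `Activate mete site` symlink task also does not `notify: reload nginx`, so a site that is newly linked while the template itself is unchanged is not picked up until the next unrelated reload.

```yaml
# … unchanged: template tasks for the unit and the nginx site …

- name: Activate mete site
  notify: reload nginx
  file:
    src: /etc/nginx/sites-available/{{ mete_domain }}
    dest: /etc/nginx/sites-enabled/{{ mete_domain }}
    state: link

- name: Enable and start mete service
  systemd:
    name: "mete@{{ mete_domain }}.service"
    daemon_reload: true
    enabled: true
    state: started
```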
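--- a/roles/mete/templates/nginx.j2
+++ b/roles/mete/templates/nginx.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+server {
+    {{ mete_nginx_config }}
+
+    location / {
+        proxy_pass {{ mete_app_url }};
+
+        satisfy any;
+
+        allow 45.152.242.34;
+        allow 2001:67c:708::/48;
+
+        auth_basic "CCCHB internal";
+        auth_basic_user_file "htpasswd";
+    }
+}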
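Review bot: The access list `allow 45.152.242.34;` / `allow 2001:67c:708::/48;` has no terminating `deny all;`, and the access module allows any client that matches no rule; together with `satisfy any;` that means the address check always succeeds and `auth_basic` is never enforced, so the proxied application is reachable without credentials from anywhere. Add `deny all;` directly after the two allow lines so that only the listed ranges skip basic auth and everyone else must authenticate. Separately, `auth_basic_user_file "htpasswd";` is resolved relative to the nginx prefix directory; an absolute path would make the template self-explanatory.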
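--- a/roles/mete/templates/service.j2
+++ b/roles/mete/templates/service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Mete application server on {{ mete_domain }}
+
+[Service]
+ExecStart=/bin/bundler exec rails server
+WorkingDirectory={{ mete_app_dir }}
+User=www-data
+Environment=RAILS_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+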
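Review bot: The `[Service]` section runs the Rails app as `www-data`, the same account nginx's workers use, with no `Restart=` and no sandboxing, so a crash leaves the kiosk down and a compromised app process shares file access with the web server (including anything nginx can read, such as its basic-auth user file); a dedicated service account plus the standard hardening directives would limit that. Also, the file is installed as a `mete@…` template unit but hard-codes `{{ mete_domain }}` in `Description=` rather than using systemd's `%i`; that works because Ansible renders one file per domain, but a comment saying so would save the next reader a detour.

```ini
[Service]
ExecStart=/bin/bundler exec rails server
WorkingDirectory={{ mete_app_dir }}
User=www-data
Environment=RAILS_ENV=production
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
; … unchanged: [Unit] and [Install] sections …
```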
|
@ -16,6 +16,20 @@
|
|||
args:
|
||||
creates: /var/lib/dehydrated/accounts
|
||||
|
||||
- name: Install letsencrypt cronjob
|
||||
template:
|
||||
dest: "/etc/systemd/system/{{ item }}"
|
||||
src: "{{ item }}"
|
||||
with_items:
|
||||
- dehydrated.service
|
||||
- dehydrated.timer
|
||||
|
||||
- name: Start lets encrypt cronjob
|
||||
systemd:
|
||||
name: dehydrated.timer
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: nginx default config
|
||||
notify: reload nginx
|
||||
template:
|
||||
|
@ -27,3 +41,5 @@
|
|||
template:
|
||||
src: snippets-tls.nginx
|
||||
dest: /etc/nginx/snippets/tls-acme.conf
|
||||
|
||||
|
||||
|
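Review bot: The `Start lets encrypt cronjob` task starts `dehydrated.timer` without a daemon-reload, so when the preceding template task changes `dehydrated.service` or `dehydrated.timer` on an existing host systemd keeps the previously loaded definition; add `daemon_reload: yes` to the `systemd:` task (or notify a daemon-reload handler from the template task). `enabled: yes` would also be safer written as `enabled: true`, since `yes` is a YAML 1.1 boolean that generic tooling reads differently. The second hunk (`@ -27,3 +41,5 @@`) only adds blank lines.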
|
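--- a/roles/nginx/templates/dehydrated.service
+++ b/roles/nginx/templates/dehydrated.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dehydrated -c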
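Review bot: `ExecStart=/usr/bin/dehydrated -c` renews certificates but nothing in this unit reloads nginx afterwards, so a renewed certificate is not served until nginx is reloaded for some other reason unless dehydrated's own hook script does it — that hook is not part of this commit, so TODO confirm. If no hook exists, `ExecStartPost=/bin/systemctl reload nginx` is the smallest fix. The unit has no `User=`, so dehydrated runs as root; that is the usual choice for writing under /etc, but a one-line comment in the template stating it is deliberate would help.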
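--- a/roles/nginx/templates/dehydrated.timer
+++ b/roles/nginx/templates/dehydrated.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Check and renew ACME TLS certificates
+
+[Timer]
+OnCalendar=daily UTC
+
+[Install]
+WantedBy=timers.target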
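Review bot: `OnCalendar=daily UTC` without `Persistent=true` means a renewal run missed while the host was down is skipped until the next day, which is the failure mode that lets certificates lapse; add `Persistent=true` under `[Timer]`. A `RandomizedDelaySec=` would additionally spread the daily runs so every host does not contact the ACME endpoint at exactly 00:00 UTC.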
|
@ -3,6 +3,8 @@
|
|||
server:
|
||||
ip-address: 127.0.0.1@5353
|
||||
ip-address: ::1@5353
|
||||
ip-address: 176.9.59.104@53
|
||||
ip-address: 2a01:4f8:150:926f::2@53
|
||||
|
||||
# policy
|
||||
statistics: 3600
|
||||
|
@ -19,6 +21,9 @@ server:
|
|||
log-time-ascii: no
|
||||
debug-mode: yes
|
||||
|
||||
# zones are state, not configuration
|
||||
zonesdir: "/var/db/nsd/zones"
|
||||
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
|
@ -38,3 +43,24 @@ zone:
|
|||
request-xfr: 2001:7fd::1 NOKEY # k.root-servers.net
|
||||
request-xfr: 2620:0:2830:202::132 NOKEY # xfr.cjr.dns.icann.org
|
||||
request-xfr: 2620:0:2d0:202::132 NOKEY # xfr.lax.dns.icann.org
|
||||
|
||||
# Patterns for dynamically managed zones
|
||||
# The list of dynamic zones is in /var/db/nsd/zone.list and is managed
|
||||
# by `nsd-control addzone` and `nsd-control delzone`
|
||||
pattern:
|
||||
name: "local"
|
||||
zonefile: "%s"
|
||||
# brunn.ccchb.de
|
||||
provide-xfr: 159.69.196.38 NOKEY
|
||||
provide-xfr: 2a01:4f8:1c1c:c197:: NOKEY
|
||||
# ns1.grimpen.net
|
||||
provide-xfr: 51.83.186.231 NOKEY
|
||||
provide-xfr: 2001:41d0:601:1100::33b7 NOKEY
|
||||
|
||||
pattern:
|
||||
name: "replicate-brunn"
|
||||
# brunn.ccchb.de
|
||||
allow-notify: 159.69.196.38 NOKEY
|
||||
allow-notify: 2a01:4f8:1c1c:c197:: NOKEY
|
||||
request-xfr: AXFR 2a01:4f8:1c1c:c197:: NOKEY
|
||||
|
||||
|
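Review bot: The new `pattern:` blocks authorise zone operations purely by source address — `provide-xfr 159.69.196.38 NOKEY`, `allow-notify 2a01:4f8:1c1c:c197:: NOKEY` and `request-xfr AXFR 2a01:4f8:1c1c:c197:: NOKEY` — and NOTIFY is UDP-based, so address-only trust gives little assurance that a notify or the transfer it triggers came from brunn. NSD supports TSIG via a `key:` section (`name`, `algorithm`, `secret`), whose name then replaces `NOKEY` on each of these lines; the secret should come from Ansible vault rather than this file. The `remote-control:` block in the previous hunk enables `nsd-control`; I assume `control-interface` keeps its localhost default since nothing here sets it — TODO confirm.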
|