Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible

This commit is contained in:
Crest 2021-03-31 00:57:26 +02:00
commit b8f2306667
12 changed files with 139 additions and 2 deletions


@ -27,6 +27,10 @@ haproxy_http:
addr: '2a01:4f8:150:926f::11'
- host: 'embassy.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.z1.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.zweigstelle.space'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'
@ -47,6 +51,10 @@ haproxy_sni:
addr: '2a01:4f8:150:926f::11'
- host: 'embassy.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.z1.ccchb.de'
addr: '2a01:4f8:150:926f::11'
- host: 'kasse.zweigstelle.space'
addr: '2a01:4f8:150:926f::11'
- host: 'jabber.ccchb.de'
addr: '2a01:4f8:150:926f::13'

@ -1 +1 @@
Subproject commit 0474dc8d0c7031f7fcb58484c9c6552b1b9869eb
Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5


@ -40,6 +40,8 @@ mediawiki_nginx_conf: |
ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
client_max_body_size 100M;
include snippets/certbot.conf;
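Review bot: `client_max_body_size 100M;` only raises nginx's own request-body limit; uploads of that size presumably still have to pass PHP's `upload_max_filesize`/`post_max_size` and MediaWiki's `$wgMaxUploadSize`, none of which this commit touches, so the larger limit may be ineffective on its own. A comment on the new line, `# keep in sync with php.ini upload_max_filesize/post_max_size`, would make that coupling visible. The `mediawiki_nginx_conf` block scalar continues outside the hunk.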


@ -29,7 +29,7 @@ $wgEmailAuthentication = true;
require 'LocalSettings_secrets.php';
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMainCacheType = CACHE_ACCEL;
$wgMemCachedServers = array();
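Review bot: `$wgMainCacheType = CACHE_ACCEL;` depends on an in-process accelerator extension (APCu on current PHP) being installed on the web host, and no package or php.ini change accompanies it in this commit; presumably it is already present, but a comment next to the line, `// requires the APCu extension on the web host`, would record the dependency. `$wgMemCachedServers = array();` is left in place although no memcached backend is selected; it is harmless but could be dropped to avoid suggesting memcached is in use.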
## To enable image uploads, make sure the 'images' directory


@ -0,0 +1,23 @@
---
mete_domain: kasse.z1.ccchb.de
mete_nginx_domains:
- kasse.z1.ccchb.de
- kasse.zweigstelle.space
mete_app_dir: /var/www/kiosk.z1.ccchb.de/mete
mete_app_url: "http://127.0.0.1:3000/"
mete_nginx_config: |
listen [::]:443 ssl http2;
listen 443 ssl http2;
{% for domain in mete_nginx_domains %}
server_name {{ domain }};
{% endfor %}
ssl_certificate /etc/letsencrypt/live/{{ mete_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ mete_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ mete_domain }}/chain.pem;
include snippets/certbot.conf;
...
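Review bot: `mete_nginx_config` emits a `server_name` for every entry of `mete_nginx_domains` but loads the certificate from `/etc/letsencrypt/live/{{ mete_domain }}/`, i.e. the kasse.z1.ccchb.de certificate only; a client connecting to kasse.zweigstelle.space gets a name mismatch unless that certificate also carries the second name as a SAN, and nothing in this commit requests one. Either restrict `mete_nginx_domains` to names the certificate covers or document the requirement on the variable, e.g. `# every domain listed here must be a SAN of the {{ mete_domain }} certificate`. `mete_app_dir` points at a kiosk.z1.ccchb.de directory while the domain is kasse.z1.ccchb.de — presumably intentional, but a one-line comment would spare the next reader the question.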

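--- /dev/null
+++ b/roles/mete/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install mete systemd unit
+template:
+src: service.j2
+dest: "/etc/systemd/system/mete@{{ mete_domain }}.service"
+- name: Install mete nginx site
+notify: reload nginx
+template:
+src: nginx.j2
+dest: /etc/nginx/sites-available/{{ mete_domain }}
+- name: Activate mete site
+file:
+src: /etc/nginx/sites-available/{{ mete_domain }}
+dest: /etc/nginx/sites-enabled/{{ mete_domain }}
+state: link
+...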
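Review bot: The templated unit `mete@{{ mete_domain }}.service` is never enabled or started, and the template task has no `notify`, so systemd neither loads the new unit file (no daemon-reload) nor restarts the service when service.j2 changes. Add a `systemd` task with `daemon_reload: true` after the template step and have the template task notify a restart handler, mirroring how the nginx site task already uses `notify: reload nginx`; the handler name below is a constructed placeholder and has to be defined in the role's handlers. The two unquoted `dest:` values work today because they start with `/`, but quoting them like the first task's `dest` keeps a future edit that begins the value with `{{` from being parsed as a flow mapping.
```yaml
- name: Install mete systemd unit
  template:
    src: service.j2
    dest: "/etc/systemd/system/mete@{{ mete_domain }}.service"
  notify: restart mete  # handler to be added to the role's handlers
- name: Enable and start mete
  systemd:
    daemon_reload: true
    name: "mete@{{ mete_domain }}.service"
    enabled: true
    state: started
# … unchanged: nginx site template and sites-enabled symlink tasks …
```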


@ -0,0 +1,17 @@
# {{ ansible_managed }}
server {
{{ mete_nginx_config }}
location / {
proxy_pass {{ mete_app_url }};
satisfy any;
allow 45.152.242.34;
allow 2001:67c:708::/48;
auth_basic "CCCHB internal";
auth_basic_user_file "htpasswd";
}
}
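Review bot: The two `allow` lines inside `location /` are not followed by a `deny all;`, so the access module admits every client that matches no rule, and under `satisfy any` that alone satisfies the check — `auth_basic` is therefore never demanded from addresses outside the listed networks, which defeats the password protection. Add `deny all;` directly after the second `allow` line so only the listed networks bypass the prompt. Separately, `auth_basic_user_file "htpasswd";` is a path relative to the nginx prefix and nothing in this commit provisions that file; if it is missing, every request that has to authenticate fails, so either manage it from this role or reference it by absolute path. The app behind `proxy_pass` sees plain HTTP from localhost; `proxy_set_header X-Forwarded-Proto $scheme;` (and `Host`) is presumably needed for Rails to emit https URLs and is not set here.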


@ -0,0 +1,12 @@
[Unit]
Description=Mete application server on {{ mete_domain }}
[Service]
ExecStart=/bin/bundler exec rails server
WorkingDirectory={{ mete_app_dir }}
User=www-data
Environment=RAILS_ENV=production
[Install]
WantedBy=multi-user.target
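Review bot: `ExecStart=/bin/bundler exec rails server` leaves the bind address and port to the Rails default, while the nginx template expects the app at `http://127.0.0.1:3000/`; making it explicit, `ExecStart=/bin/bundler exec rails server -b 127.0.0.1 -p 3000`, keeps the app — which has no authentication of its own in this setup — off public interfaces regardless of which default the installed Rails version uses. The unit also has no `Restart=` and no `After=network.target`, so a crashed server stays down; `Restart=on-failure` under `[Service]` is the usual minimum. The `mete@` template name suggests per-instance units but `%i` is unused, the domain being baked in at template time — fine, but worth a one-line comment in the unit.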


@ -16,6 +16,20 @@
args:
creates: /var/lib/dehydrated/accounts
- name: Install letsencrypt cronjob
template:
dest: "/etc/systemd/system/{{ item }}"
src: "{{ item }}"
with_items:
- dehydrated.service
- dehydrated.timer
- name: Start lets encrypt cronjob
systemd:
name: dehydrated.timer
state: started
enabled: yes
- name: nginx default config
notify: reload nginx
template:
@ -27,3 +41,5 @@
template:
src: snippets-tls.nginx
dest: /etc/nginx/snippets/tls-acme.conf
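Review bot: `enabled: yes` in the "Start lets encrypt cronjob" task should be the canonical boolean `enabled: true` (yamllint `truthy`; the value is a real boolean, not a string). The `systemd` task also lacks `daemon_reload: true`, and the preceding template task has no `notify`, so the freshly written dehydrated.service/dehydrated.timer are presumably picked up on the first run only; a later change to either unit file is silently not applied. The play continues outside the hunk on both sides.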


@ -0,0 +1,6 @@
[Unit]
Description=Check and renew ACME TLS certificates
[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated -c
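Review bot: `ExecStart=/usr/bin/dehydrated -c` renews certificates, but nothing in this unit reloads the TLS consumers (nginx, haproxy) afterwards; unless a dehydrated deploy hook already does that elsewhere in the repository, a renewed certificate is not served until the next unrelated reload. Either an `ExecStartPost=` line or the hook script should handle it, and a comment in the unit saying which one does would prevent a future reviewer from asking the same question. `Type=oneshot` is the right choice for this job.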


@ -0,0 +1,8 @@
[Unit]
Description=Check and renew ACME TLS certificates
[Timer]
OnCalendar=daily UTC
[Install]
WantedBy=timers.target
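Review bot: `OnCalendar=daily UTC` fires at exactly 00:00 UTC every day with no jitter and no catch-up; adding `RandomizedDelaySec=1h` (Let's Encrypt asks clients to spread renewal traffic) and `Persistent=true` (run a missed window after downtime) under `[Timer]` avoids both problems. The `Description=` duplicates the service's wording verbatim; something like `Timer for ACME TLS certificate renewal` would tell the two apart in `systemctl list-timers`.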


@ -3,6 +3,8 @@
server:
ip-address: 127.0.0.1@5353
ip-address: ::1@5353
ip-address: 176.9.59.104@53
ip-address: 2a01:4f8:150:926f::2@53
# policy
statistics: 3600
@ -19,6 +21,9 @@ server:
log-time-ascii: no
debug-mode: yes
# zones are state, not configuration
zonesdir: "/var/db/nsd/zones"
# Remote control config section.
remote-control:
control-enable: yes
@ -38,3 +43,24 @@ zone:
request-xfr: 2001:7fd::1 NOKEY # k.root-servers.net
request-xfr: 2620:0:2830:202::132 NOKEY # xfr.cjr.dns.icann.org
request-xfr: 2620:0:2d0:202::132 NOKEY # xfr.lax.dns.icann.org
# Patterns for dynamically managed zones
# The list of dynamic zones is in /var/db/nsd/zone.list and is managed
# by `nsd-control addzone` and `nsd-control delzone`
pattern:
name: "local"
zonefile: "%s"
# brunn.ccchb.de
provide-xfr: 159.69.196.38 NOKEY
provide-xfr: 2a01:4f8:1c1c:c197:: NOKEY
# ns1.grimpen.net
provide-xfr: 51.83.186.231 NOKEY
provide-xfr: 2001:41d0:601:1100::33b7 NOKEY
pattern:
name: "replicate-brunn"
# brunn.ccchb.de
allow-notify: 159.69.196.38 NOKEY
allow-notify: 2a01:4f8:1c1c:c197:: NOKEY
request-xfr: AXFR 2a01:4f8:1c1c:c197:: NOKEY
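Review bot: The new `pattern:` entries authorize zone transfers and NOTIFYs by source address only (`NOKEY`): `provide-xfr` hands the whole zone to whoever can present one of the listed addresses, and `allow-notify` over UDP accepts a source-spoofable packet that triggers a refresh. nsd supports TSIG through a `key:` section (`name`, `algorithm`, `secret`) whose name then replaces `NOKEY` on each `provide-xfr`/`allow-notify`/`request-xfr` line; if the peers behind the brunn.ccchb.de and ns1.grimpen.net comments support it, that is the standard mitigation, with the secret kept in vault rather than in this file. The first hunk's new public listeners make this worth doing now rather than later, since the server is no longer loopback-only.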