From 5cfc600b37551a73ff5ac455c68b25720e853056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torma=20Krist=C3=B3f?=
Date: Thu, 14 Apr 2022 21:41:04 +0200
Subject: [PATCH] add web gateway stuff
---
 roles/openvpn/tasks/main.yaml | 8 ++
 roles/webgateway/files/certbot-script.service | 9 ++
 roles/webgateway/files/certbot.target | 5 ++
 roles/webgateway/files/certbot.timer | 10 +++
 roles/webgateway/tasks/main.yaml | 87 ++++++++++++++++--
 roles/webgateway/templates/certbot.sh | 8 ++
 roles/webgateway/templates/nginx.conf | 90 +++++++++++++++++++
 roles/webgateway/vars/main.yaml | 16 ++++
 webgateway.yaml | 7 ++
 9 files changed, 234 insertions(+), 6 deletions(-)
 create mode 100644 roles/webgateway/files/certbot-script.service
 create mode 100644 roles/webgateway/files/certbot.target
 create mode 100644 roles/webgateway/files/certbot.timer
 create mode 100644 roles/webgateway/templates/certbot.sh
 create mode 100644 roles/webgateway/templates/nginx.conf
 create mode 100644 roles/webgateway/vars/main.yaml
 create mode 100644 webgateway.yaml
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
index c7d6a51..7b8f48f 100644
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@@ -6,6 +6,14 @@
 name:
 - openvpn-server
+- name : "Enable ipv4 forwarding via sysctl"
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
 - name: Upload openvpn config to server
 ansible.posix.synchronize:
 src: openvpn-config
diff --git a/roles/webgateway/files/certbot-script.service b/roles/webgateway/files/certbot-script.service
new file mode 100644
index 0000000..4d755a5
--- /dev/null
+++ b/roles/webgateway/files/certbot-script.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Renew certificates with certbot
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/bash /opt/certbot.sh
+
+[Install]
+WantedBy=certbot.target
\ No newline at end of file
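Review bot: The new task's key is written `name :` with a space before the colon and its booleans as `yes`; YAML still resolves the key to `name`, but yamllint flags both forms and the hunk's own context lines use `name:`. Suggest `- name: "Enable ipv4 forwarding via sysctl"`, `sysctl_set: true` and `reload: true`. Setting net.ipv4.ip_forward makes the host forward packets between all its interfaces, so the forwarding/NAT rules the VPN relies on (not visible in this hunk) should be applied in the same role rather than leaving forwarding open with no policy.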
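Review bot: `Type=simple` is the wrong service type for a run-to-completion renewal script; `Type=oneshot` makes systemd wait for /opt/certbot.sh to exit and record its exit status as the unit result, which is what a timer-driven job needs to surface failures. The trigger path is also indirect: certbot.timer starts certbot.target, which pulls this service in only through `WantedBy=certbot.target`, and the target is itself `WantedBy=default.target` and therefore already active after boot; I believe starting an already-active target does not re-run its wanted units, which would leave the weekly renewal never firing after the first boot-time run. Pointing the timer at the service directly (`Unit=certbot-script.service` with `Type=oneshot`) and dropping certbot.target avoids both problems; the same applies to the certbot.target and certbot.timer hunks that follow.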
diff --git a/roles/webgateway/files/certbot.target b/roles/webgateway/files/certbot.target
new file mode 100644
index 0000000..67fed4a
--- /dev/null
+++ b/roles/webgateway/files/certbot.target
@@ -0,0 +1,5 @@
+[Unit]
+Description=Script based certificate renewal via certbot
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/roles/webgateway/files/certbot.timer b/roles/webgateway/files/certbot.timer
new file mode 100644
index 0000000..38c8d41
--- /dev/null
+++ b/roles/webgateway/files/certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Periodic certificate renewal
+
+[Timer]
+OnBootSec=10min
+OnCalendar=Sun *-*-* 00:00:00
+Unit=certbot.target
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/webgateway/tasks/main.yaml b/roles/webgateway/tasks/main.yaml
index 32ffd50..9553523 100644
--- a/roles/webgateway/tasks/main.yaml
+++ b/roles/webgateway/tasks/main.yaml
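Review bot: The timer lacks `Persistent=true`, so a Sunday-midnight run missed while the host is powered off is skipped rather than caught up at the next boot, and `OnBootSec=10min` only covers the case where the machine happens to reboot. Adding `Persistent=true` and a `RandomizedDelaySec=` (say a few hours) keeps renewal reliable and avoids contacting the CA at a fixed minute; a weekly cadence is also coarse for 90-day certificates, where a daily attempt is the usual recommendation since `certbot renew` is a no-op until a lineage is inside its renewal window.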
@@ -1,19 +1,94 @@
 ---
-- name: "Install Apache via apt"
+- name: "Install nginx via apt"
 apt:
 update_cache: yes
 state: present
 name:
- - apache2
+ - nginx
+ - python3-certbot
+ - python3-certbot-nginx
-# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
-
-- name: Enable and restart Apache2 daemon
+- name: Enable and restart nginx daemon
 service:
- name: apache2
+ name: nginx
 state: restarted
 enabled: yes
+- name: Generate certificate for all proxied domains
+ command:
+ cmd: certbot certonly --apache -d {{item.domain}}
+ with_items: "{{ proxy }}"
+
+- name: Generate certificate for all static sites
+ command:
+ cmd: certbot certonly --apache -d {{item.domain}}
+ with_items: "{{ static }}"
+
+- name: "Generate certbot script"
+ ansible.builtin.template:
+ src: certbot.sh
+ dest: /opt/certbot.sh
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: Copy certbot-script.service to target
+ copy:
+ src: certbot-script.service
+ dest: /usr/lib/systemd/system/certbot-script.service
+ mode: 644
+ owner: root
+
+- name: Copy certbot.target to target
+ copy:
+ src: certbot.target
+ dest: /usr/lib/systemd/system/certbot.target
+ mode: 644
+ owner: root
+
+- name: Copy certbot.timer to target
+ copy:
+ src: certbot.timer
+ dest: /usr/lib/systemd/system/certbot.timer
+ mode: 644
+ owner: root
+
+- name: Enable certbot-script.service and reload systemd daemon
+ when: ansible_service_mgr == "systemd"
+ ansible.builtin.systemd:
+ enabled: yes
+ daemon_reload: yes
+ name: certbot-script.service
+
+- name: Enable certbot.target
+ when: ansible_service_mgr == "systemd"
+ ansible.builtin.systemd:
+ enabled: yes
+ name: certbot.target
+
+- name: Enable certbot.timer
+ when: ansible_service_mgr == "systemd"
+ ansible.builtin.systemd:
+ enabled: yes
+ name: certbot.timer
+
+- name: "Generate nginx configuration"
+ ansible.builtin.template:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Validate nginx configuration
+ 
command:
+ cmd: nginx -t
+
+- name: Reload nginx after configuration change
+ service:
+ name: nginx
+ state: reloaded
+
 - name: Allow http port via ufw
 community.general.ufw:
 rule: allow
diff --git a/roles/webgateway/templates/certbot.sh b/roles/webgateway/templates/certbot.sh
new file mode 100644
index 0000000..3999ef3
--- /dev/null
+++ b/roles/webgateway/templates/certbot.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for proxysite in proxy %}
+certbot renew --nginx --cert-name {{proxysite.domain}}
+{% endfor %}
+{% for staticsite in static %}
+certbot renew --nginx --cert-name {{staticsite.domain}}
+{% endfor %}
diff --git a/roles/webgateway/templates/nginx.conf b/roles/webgateway/templates/nginx.conf
new file mode 100644
index 0000000..9a1f450
--- /dev/null
+++ b/roles/webgateway/templates/nginx.conf
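Review bot: Both `certbot certonly --apache -d {{item.domain}}` tasks select the Apache plugin, but this hunk installs `python3-certbot-nginx` and drops apache2 from the package list, so the plugin is not present and the tasks will fail; they should use `--nginx`, as the generated certbot.sh already does. `certonly` also prompts for an e-mail address and ToS acceptance unless invoked with `--non-interactive --agree-tos -m <ADMIN-EMAIL>` (or a pre-seeded cli.ini), which a `command` task cannot answer, and the tasks run before the templated nginx.conf and before the ufw rules at the end of the file, so HTTP-01 validation depends on port 80 already being reachable on the host. The three `copy` tasks use `mode: 644`, which YAML reads as decimal 644 (octal 1204, i.e. sticky bit plus --w-r-----); Ansible's documented form is a quoted or zero-prefixed string, `mode: '0644'`, as the two template tasks in this hunk already use. The `yes` booleans (`update_cache`, `enabled`, `daemon_reload`) would read more consistently as `true`.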
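Review bot: The script's exit status is that of its final `certbot renew` call, and with no `set -e` a failed renewal for an earlier domain is masked when a later one succeeds, so the systemd unit would report success for a partial renewal. A single `certbot renew --nginx` with no per-domain loop renews every lineage under /etc/letsencrypt and exits non-zero if any of them fails, which also removes the two duplicated Jinja loops; if the loop is kept, add `set -euo pipefail` after the shebang so the first failure stops the script.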
@@ -0,0 +1,90 @@
+# {{ansible_managed}}
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ multi_accept on;
+}
+
+http {
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffers 32 4k;
+
+ server {
+
+ listen 80 default_server http2;
+ listen [::]:80 default_server http2 ipv6only=on;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ {% for proxysite in proxy %}
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2 ipv6only=on;
+ server_name {{proxysite.domain}};
+ ssl_certificate /etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+ location /{
+ proxy_pass https://{{proxysite.ip}};
+ proxy_ssl_verify off;
+ }
+ }
+
+ {% endfor %}
+
+ {% for staticsite in static %}
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2 ipv6only=on;
+ server_name {{staticsite.domain}};
+ ssl_certificate 
/etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+ root {{staticsite.directory}};
+ location /{
+ try_files $uri $uri/ =404;
+ }
+ }
+
+ {% endfor %}
+}
\ No newline at end of file
diff --git a/roles/webgateway/vars/main.yaml b/roles/webgateway/vars/main.yaml
new file mode 100644
index 0000000..8a2779d
--- /dev/null
+++ b/roles/webgateway/vars/main.yaml
@@ -0,0 +1,16 @@
+proxy:
+ - {domain: bitwarden.tormakristof.eu, ip: bitwarden.stargate.internal}
+ - {domain: nextcloud.tormakristof.eu, ip: nextcloud.stargate.internal}
+ - {domain: drone.kmlabz.com, ip: drone.stargate.internal}
+ - {domain: git.kmlabz.com, ip: git.stargate.internal}
+ - {domain: guacamole.kmlabz.com, ip: guacamole.stargate.internal}
+ - {domain: keycloak.kmlabz.com, ip: keycloak.stargate.internal}
+ - {domain: nexus.kmlabz.com, ip: nexus.stargate.internal}
+ - {domain: registry.kmlabz.com, ip: registry.stargate.internal}
+ - {domain: swagger.kmlabz.com, ip: swagger.stargate.internal}
+
+static:
+ - {domain: tormakristof.eu, directory: /var/www/tormakristof.eu}
+ - {domain: tormakris.dev, directory: /var/www/tormakristof.eu}
+ - {domain: torma.xyz, directory: /var/www/tormakristof.eu}
+ - {domain: kmlabz.com, directory: /var/www/kmlabz.com}
diff --git a/webgateway.yaml b/webgateway.yaml
new file mode 100644
index 0000000..14e7054
--- /dev/null
+++ b/webgateway.yaml
@@ -0,0 +1,7 @@
+---
+- name: "Deploy managed web gateway"
+ hosts: webgateway
+ roles:
+ - common
+ - webgateway
+ - internalsmtp
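Review bot: Inside the `{% for staticsite in static %}` block the `ssl_certificate` and `ssl_certificate_key` lines reference `{{proxysite.domain}}`, a loop variable that is out of scope once the first loop has ended, so the template either fails to render on an undefined variable or, if `proxysite` happens to be defined elsewhere, every static site is served with another site's certificate; both lines should read `{{staticsite.domain}}`. Every TLS server block repeats `ipv6only=on` on `listen [::]:443` — I believe nginx rejects socket-level listen parameters repeated for the same address:port with "duplicate listen options", and since `on` is already the default the parameter can simply be dropped (the `http2` flag on the two plain port-80 listeners has no effect without TLS and can go too). The proxied sites set `proxy_ssl_verify off`, so the hop to `https://{{proxysite.ip}}` accepts any certificate; where the internal CA is available, `proxy_ssl_trusted_certificate` with `proxy_ssl_verify on` and `proxy_ssl_server_name on` closes that gap. The forwarded headers also omit `proxy_set_header X-Forwarded-Proto $scheme;`, which applications behind a TLS-terminating proxy typically need to build correct https redirects.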
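Review bot: `vars/main.yaml` takes precedence over inventory and group_vars, so the `proxy` and `static` lists cannot be overridden per environment; `defaults/main.yaml` is the conventional place for site-specific data like this. The `ip` key holds hostnames (`bitwarden.stargate.internal`), so a name such as `upstream` would describe it better, and the flow-style `{domain: …, ip: …}` entries would diff more cleanly in block style. Three static entries share `/var/www/tormakristof.eu`, which looks intentional (aliases of one site) but deserves a `# aliases of tormakristof.eu` comment.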