add web gateway stuff

This commit is contained in:
Torma Kristóf 2022-04-14 21:41:04 +02:00
parent 0407a0de22
commit 5cfc600b37
9 changed files with 234 additions and 6 deletions


@ -6,6 +6,14 @@
name:
- openvpn-server
- name : "Enable ipv4 forwarding via sysctl"
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: Upload openvpn config to server
ansible.posix.synchronize:
src: openvpn-config
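Review bot: Enabling net.ipv4.ip_forward makes the host forward packets between all of its interfaces, not just out of the VPN tunnel, and nothing in this hunk pairs it with a FORWARD-chain policy. Unless the openvpn-config payload or another role installs one, add the routing rules in this same role (e.g. `ufw route allow in on tun0` with ufw's default-deny routed policy, or the equivalent iptables FORWARD rules) so the gateway does not route arbitrary traffic between its networks. The Ansible/yamllint truthy convention also calls for `sysctl_set: true` and `reload: true` rather than `yes`. The synchronize task that closes the hunk appears to continue outside it, so its destination and options could not be reviewed.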


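--- /dev/null
+++ b/certbot-script.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Renew certificates with certbot
+[Service]
+Type=simple
+ExecStart=/usr/bin/bash /opt/certbot.sh
+[Install]
+WantedBy=certbot.target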
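Review bot: `Type=simple` is the wrong service type for a script that runs to completion: systemd considers the unit started as soon as bash is forked, so `certbot.target` (and anything ordered after it) is satisfied before any renewal has run, and `systemctl start` returns without the script's exit status. Use `Type=oneshot` so the start blocks until /opt/certbot.sh exits and its status becomes the unit's result; that is also what makes a failed renewal show up in `systemctl --failed`. A `Documentation=` or a comment naming the Ansible template that generates /opt/certbot.sh would help whoever debugs this on the host.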


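--- /dev/null
+++ b/certbot.target
@@ -0,0 +1,5 @@
+[Unit]
+Description=Script based certificate renewal via certbot
+[Install]
+WantedBy=default.target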


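--- /dev/null
+++ b/certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Periodic certificate renewal
+[Timer]
+OnBootSec=10min
+OnCalendar=Sun *-*-* 00:00:00
+Unit=certbot.target
+[Install]
+WantedBy=multi-user.target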


@ -1,19 +1,94 @@
---
- name: "Install Apache via apt"
- name: "Install nginx via apt"
apt:
update_cache: yes
state: present
name:
- apache2
- nginx
- python3-certbot
- python3-certbot-nginx
# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
- name: Enable and restart Apache2 daemon
- name: Enable and restart nginx daemon
service:
name: apache2
name: nginx
state: restarted
enabled: yes
- name: Generate certificate for all proxied domains
command:
cmd: certbot certonly --apache -d {{item.domain}}
with_items: "{{ proxy }}"
- name: Generate certificate for all static sites
command:
cmd: certbot certonly --apache -d {{item.domain}}
with_items: "{{ static }}"
- name: "Generate certbot script"
ansible.builtin.template:
src: certbot.sh
dest: /opt/certbot.sh
owner: root
group: root
mode: '0700'
- name: Copy certbot-script.service to target
copy:
src: certbot-script.service
dest: /usr/lib/systemd/system/certbot-script.service
mode: 644
owner: root
- name: Copy certbot.target to target
copy:
src: certbot.target
dest: /usr/lib/systemd/system/certbot.target
mode: 644
owner: root
- name: Copy certbot.timer to target
copy:
src: certbot.timer
dest: /usr/lib/systemd/system/certbot.timer
mode: 644
owner: root
- name: Enable certbot-script.service and reload systemd daemon
when: ansible_service_mgr == "systemd"
ansible.builtin.systemd:
enabled: yes
daemon_reload: yes
name: certbot-script.service
- name: Enable certbot.target
when: ansible_service_mgr == "systemd"
ansible.builtin.systemd:
enabled: yes
name: certbot.target
- name: Enable certbot.timer
when: ansible_service_mgr == "systemd"
ansible.builtin.systemd:
enabled: yes
name: certbot.timer
- name: "Generate nginx configuration"
ansible.builtin.template:
src: nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: '0644'
- name: Validate nginx configuration
command:
cmd: nginx -t
- name: Reload nginx after configuration change
service:
name: nginx
state: reloaded
- name: Allow http port via ufw
community.general.ufw:
rule: allow
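Review bot: The three `copy` tasks write the unit files with `mode: 644`, which YAML parses as the decimal integer 644; Ansible applies an integer mode literally, so the files end up as 01204 (sticky bit, `--x-w-r--`) instead of 0644 — quote it as `mode: '0644'` as the two template tasks in this hunk already do, and add `group: root` alongside `owner: root`. The units are also placed in /usr/lib/systemd/system, the directory reserved for package-managed units; local units belong in /etc/systemd/system, and on Debian/Ubuntu the certbot package ships its own certbot.timer, so a unit named `certbot.timer` in the package directory can be clobbered (or clobber it) on the next upgrade. If the two `certbot certonly --apache` tasks survive in the new file, they still invoke the Apache plugin that this commit stops installing; they should use `--nginx` and a `creates: /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem` argument so re-runs are idempotent. Note that `nginx -t` runs after the template is written, so a bad template leaves the broken file in place — `validate: nginx -t -c %s` on the template task checks before the swap. The final ufw task is cut off at the end of the hunk, so the port it opens could not be reviewed.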


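--- /dev/null
+++ b/certbot.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for proxysite in proxy %}
+certbot renew --nginx --cert-name {{proxysite.domain}}
+{% endfor %}
+{% for staticsite in static %}
+certbot renew --nginx --cert-name {{staticsite.domain}}
+{% endfor %}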
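Review bot: The script's exit status is that of the last `certbot renew` only, so a failed renewal for any domain but the last leaves certbot-script.service reporting success and nothing in the unit state to alert on. Track failures across both loops: `rc=0` after the shebang, `certbot renew --nginx --cert-name {{proxysite.domain}} || rc=1` (and the same in the static loop), then `exit "$rc"` at the end. Do not reach for `set -e` here — one failing domain should not skip renewal of the rest.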


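--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,90 @@
+# {{ansible_managed}}
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+worker_connections 768;
+multi_accept on;
+}
+http {
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+server_names_hash_bucket_size 64;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $http_connection;
+client_max_body_size 10m;
+client_body_buffer_size 128k;
+proxy_connect_timeout 90;
+proxy_send_timeout 90;
+proxy_read_timeout 90;
+proxy_buffers 32 4k;
+server {
+listen 80 default_server http2;
+listen [::]:80 default_server http2 ipv6only=on;
+server_name _;
+return 301 https://$host$request_uri;
+}
+{% for proxysite in proxy %}
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2 ipv6only=on;
+server_name {{proxysite.domain}};
+ssl_certificate /etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+location /{
+proxy_pass https://{{proxysite.ip}};
+proxy_ssl_verify off;
+}
+}
+{% endfor %}
+{% for staticsite in static %}
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2 ipv6only=on;
+server_name {{staticsite.domain}};
+ssl_certificate /etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+root {{staticsite.directory}};
+location /{
+try_files $uri $uri/ =404;
+}
+}
+{% endfor %}
+}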
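Review bot: `proxy_ssl_verify off` in every proxied vhost means the gateway accepts any certificate from the `*.stargate.internal` backends, so anyone who can intercept or spoof that internal hop can impersonate Bitwarden, Keycloak, the registry and the rest towards the gateway; turn verification on and send SNI so the backend's name is actually checked. Separately, the static-site servers take `ssl_certificate` from `{{proxysite.domain}}` inside the `static` loop, where that variable is out of scope (Jinja2 loop variables do not leak past `endfor`), so the template either fails to render under Ansible's strict undefined handling or points every static site at the wrong certificate — it must be `{{staticsite.domain}}`. The port-80 listeners carry `http2` on a plaintext socket; on the nginx builds shipped in 2022 that makes the port speak h2c only, so ordinary HTTP/1.1 browsers never receive the 301 to HTTPS — drop `http2` from both port-80 `listen` lines. Backends behind TLS termination also need `proxy_set_header X-Forwarded-Proto $scheme;`, which must sit next to the other `proxy_set_header` lines in the http block because a `proxy_set_header` in a location stops inheritance of all the http-level ones.

```nginx
    # … unchanged: http-level settings up to proxy_set_header Connection …
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-Proto $scheme;
    # … unchanged: client/proxy buffer and timeout settings …
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        # … unchanged: server_name, 301 redirect …
    }
{% for proxysite in proxy %}
    server {
        # … unchanged: listen, server_name, ssl_certificate* …
        location /{
            proxy_pass https://{{proxysite.ip}};
            proxy_ssl_server_name on;
            proxy_ssl_verify on;
            # point this at the CA that issued the backend certificates (system bundle shown; adjust if an internal CA is used)
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        }
    }
{% endfor %}
{% for staticsite in static %}
    server {
        # … unchanged: listen, server_name …
        ssl_certificate /etc/letsencrypt/live/{{staticsite.domain}}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{{staticsite.domain}}/privkey.pem;
        # … unchanged: root, location …
    }
{% endfor %}
```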


@ -0,0 +1,16 @@
proxy:
- {domain: bitwarden.tormakristof.eu, ip: bitwarden.stargate.internal}
- {domain: nextcloud.tormakristof.eu, ip: nextcloud.stargate.internal}
- {domain: drone.kmlabz.com, ip: drone.stargate.internal}
- {domain: git.kmlabz.com, ip: git.stargate.internal}
- {domain: guacamole.kmlabz.com, ip: guacamole.stargate.internal}
- {domain: keycloak.kmlabz.com, ip: keycloak.stargate.internal}
- {domain: nexus.kmlabz.com, ip: nexus.stargate.internal}
- {domain: registry.kmlabz.com, ip: registry.stargate.internal}
- {domain: swagger.kmlabz.com, ip: swagger.stargate.internal}
static:
- {domain: tormakristof.eu, directory: /var/www/tormakristof.eu}
- {domain: tormakris.dev, directory: /var/www/tormakristof.eu}
- {domain: torma.xyz, directory: /var/www/tormakristof.eu}
- {domain: kmlabz.com, directory: /var/www/kmlabz.com}

7
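--- /dev/null
+++ b/webgateway.yaml
@@ -0,0 +1,7 @@
+---
+- name: "Deploy managed web gateway"
+hosts: webgateway
+roles:
+- common
+- webgateway
+- internalsmtp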