add web gateway stuff

2022-04-14 21:41:04 +02:00 · 2022-04-14 21:41:04 +02:00 · 5cfc600b37
commit 5cfc600b37
parent 0407a0de22
9 changed files with 234 additions and 6 deletions
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@ -6,6 +6,14 @@
    name:
     - openvpn-server

+- name : "Enable ipv4 forwarding via sysctl"
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
 - name: Upload openvpn config to server
  ansible.posix.synchronize:
    src: openvpn-config
--- a/roles/webgateway/files/certbot-script.service
+++ b/roles/webgateway/files/certbot-script.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Renew certificates with certbot
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/bash /opt/certbot.sh
+
+[Install]
+WantedBy=certbot.target
--- a/roles/webgateway/files/certbot.target
+++ b/roles/webgateway/files/certbot.target
@ -0,0 +1,5 @@
+[Unit]
+Description=Script based certificate renewal via certbot
+
+[Install]
+WantedBy=default.target
--- a/roles/webgateway/files/certbot.timer
+++ b/roles/webgateway/files/certbot.timer
@ -0,0 +1,10 @@
+[Unit]
+Description=Periodic certificate renewal
+
+[Timer]
+OnBootSec=10min
+OnCalendar=Sun *-*-* 00:00:00
+Unit=certbot.target
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/webgateway/tasks/main.yaml
+++ b/roles/webgateway/tasks/main.yaml
@ -1,19 +1,94 @@
 ---
- name: "Install Apache via apt"
+- name: "Install nginx via apt"
  apt:
    update_cache: yes
    state: present
    name:
-     - apache2
+     - nginx
+     - python3-certbot
+     - python3-certbot-nginx

-# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
-
- name: Enable and restart Apache2 daemon
+- name: Enable and restart nginx daemon
  service:
-    name: apache2
+    name: nginx
    state: restarted
    enabled: yes

+- name: Generate certificate for all proxied domains
+  command:
+    cmd: certbot certonly --apache -d {{item.domain}}
+  with_items: "{{ proxy }}"
+
+- name: Generate certificate for all static sites
+  command:
+    cmd: certbot certonly --apache -d {{item.domain}}
+  with_items: "{{ static }}"
+
+- name: "Generate certbot script"
+  ansible.builtin.template:
+    src: certbot.sh
+    dest: /opt/certbot.sh
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Copy certbot-script.service to target
+  copy:
+    src: certbot-script.service
+    dest: /usr/lib/systemd/system/certbot-script.service
+    mode: 644
+    owner: root
+
+- name: Copy certbot.target to target
+  copy:
+    src: certbot.target
+    dest: /usr/lib/systemd/system/certbot.target
+    mode: 644
+    owner: root
+
+- name: Copy certbot.timer to target
+  copy:
+    src: certbot.timer
+    dest: /usr/lib/systemd/system/certbot.timer
+    mode: 644
+    owner: root
+
+- name: Enable certbot-script.service and reload systemd daemon
+  when: ansible_service_mgr == "systemd"
+  ansible.builtin.systemd:
+    enabled: yes
+    daemon_reload: yes
+    name: certbot-script.service
+
+- name: Enable certbot.target
+  when: ansible_service_mgr == "systemd"
+  ansible.builtin.systemd:
+    enabled: yes
+    name: certbot.target
+
+- name: Enable certbot.timer
+  when: ansible_service_mgr == "systemd"
+  ansible.builtin.systemd:
+    enabled: yes
+    name: certbot.timer
+
+- name: "Generate nginx configuration"
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Validate nginx configuration
+  command:
+    cmd: nginx -t
+
+- name: Reload nginx after configuration change
+  service:
+    name: nginx
+    state: reloaded
+
 - name: Allow http port via ufw
  community.general.ufw:
    rule: allow
--- a/roles/webgateway/templates/certbot.sh
+++ b/roles/webgateway/templates/certbot.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for proxysite in proxy %}
+certbot renew --nginx --cert-name {{proxysite.domain}}
+{% endfor %}
+{% for staticsite in static %}
+certbot renew --nginx --cert-name {{staticsite.domain}}
+{% endfor %}
--- a/roles/webgateway/templates/nginx.conf
+++ b/roles/webgateway/templates/nginx.conf
@ -0,0 +1,90 @@
+# {{ansible_managed}}
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        multi_accept on;
+}
+
+http {
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+
+        server_names_hash_bucket_size 64;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        gzip on;
+
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        proxy_redirect  off;
+        proxy_set_header    Host    $host;
+        proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header    Upgrade $http_upgrade;
+		proxy_set_header    Connection $http_connection;
+        client_max_body_size    10m;
+        client_body_buffer_size 128k;
+        proxy_connect_timeout   90;
+        proxy_send_timeout      90;
+        proxy_read_timeout      90;
+        proxy_buffers           32 4k;
+
+        server {
+
+            listen 80 default_server http2;
+            listen [::]:80 default_server http2 ipv6only=on;
+            server_name _;
+            return 301 https://$host$request_uri;
+        }
+
+        {% for proxysite in proxy %}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2 ipv6only=on;
+            server_name {{proxysite.domain}};
+            ssl_certificate /etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+            location /{
+                proxy_pass  https://{{proxysite.ip}};
+                proxy_ssl_verify    off;
+            }
+        }
+
+        {% endfor %}
+
+        {% for staticsite in static %}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2 ipv6only=on;
+            server_name {{staticsite.domain}};
+            ssl_certificate /etc/letsencrypt/live/{{proxysite.domain}}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{proxysite.domain}}/privkey.pem;
+            root    {{staticsite.directory}};
+            location /{
+                try_files $uri $uri/ =404;
+            }
+        }
+
+        {% endfor %}
+}
--- a/roles/webgateway/vars/main.yaml
+++ b/roles/webgateway/vars/main.yaml
@ -0,0 +1,16 @@
+proxy:
+  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.stargate.internal}
+  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.stargate.internal}
+  - {domain: drone.kmlabz.com, ip: drone.stargate.internal}
+  - {domain: git.kmlabz.com, ip: git.stargate.internal}
+  - {domain: guacamole.kmlabz.com, ip: guacamole.stargate.internal}
+  - {domain: keycloak.kmlabz.com, ip: keycloak.stargate.internal}
+  - {domain: nexus.kmlabz.com, ip: nexus.stargate.internal}
+  - {domain: registry.kmlabz.com, ip: registry.stargate.internal}
+  - {domain: swagger.kmlabz.com, ip: swagger.stargate.internal}
+
+static:
+  - {domain: tormakristof.eu, directory: /var/www/tormakristof.eu}
+  - {domain: tormakris.dev, directory: /var/www/tormakristof.eu}
+  - {domain: torma.xyz, directory: /var/www/tormakristof.eu}
+  - {domain: kmlabz.com, directory: /var/www/kmlabz.com}
--- a/webgateway.yaml
+++ b/webgateway.yaml
@ -0,0 +1,7 @@
+---
+- name: "Deploy managed web gateway"
+  hosts: webgateway
+  roles:
+    - common
+    - webgateway
+    - internalsmtp