From 1380efe40049b63e5b81294033a523b8efed5e0e Mon Sep 17 00:00:00 2001 From: Matej Focko Date: Fri, 12 Jul 2024 15:00:55 +0200 Subject: [PATCH] feat(server/nginx): implement nginx role Signed-off-by: Matej Focko --- roles/server/nginx/defaults/main.yml | 11 +++ roles/server/nginx/files/nginx.conf | 17 ++++ roles/server/nginx/files/proxy.conf | 12 +++ roles/server/nginx/tasks/install.yml | 6 ++ roles/server/nginx/tasks/main.yml | 89 +++++++++++++++++++ roles/server/nginx/templates/http.conf | 74 +++++++++++++++ roles/server/nginx/templates/me.conf | 20 +++++ .../server/nginx/templates/reverse_proxy.conf | 13 +++ roles/server/nginx/templates/ssl.conf | 14 +++ 9 files changed, 256 insertions(+) create mode 100644 roles/server/nginx/defaults/main.yml create mode 100644 roles/server/nginx/files/nginx.conf create mode 100644 roles/server/nginx/files/proxy.conf create mode 100644 roles/server/nginx/tasks/install.yml create mode 100644 roles/server/nginx/tasks/main.yml create mode 100644 roles/server/nginx/templates/http.conf create mode 100644 roles/server/nginx/templates/me.conf create mode 100644 roles/server/nginx/templates/reverse_proxy.conf create mode 100644 roles/server/nginx/templates/ssl.conf
diff --git a/roles/server/nginx/defaults/main.yml b/roles/server/nginx/defaults/main.yml
new file mode 100644
index 0000000..99cb0a1
--- /dev/null
+++ b/roles/server/nginx/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# Name of the certificate generated by Certbot
+server_nginx_certname: None
+
+# List of reverse proxies to be set up; objects of ‹domain›, ‹upstream› and
+# ‹protocol› for proxying, e.g.:
+#
+# - domain: "cockpit"
+# upstream: "127.0.0.1:9090"
+# protocol: "https"
+server_nginx_reverse_proxy: []
diff --git a/roles/server/nginx/files/nginx.conf b/roles/server/nginx/files/nginx.conf
new file mode 100644
index 0000000..fc92e15
--- /dev/null
+++ b/roles/server/nginx/files/nginx.conf
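Review bot: `server_nginx_certname: None` is the YAML string "None", not a null, so when the variable is left at its default every template renders `/etc/letsencrypt/live/None/fullchain.pem` and the problem only surfaces when nginx is restarted at the very end of the role. Use an empty default, `server_nginx_certname: ""`, and assert it is non-empty (ideally also that the certificate directory exists) before any template is rendered. The `protocol` field of each reverse-proxy entry is interpolated straight into `proxy_pass`; the comment should state that only `http` and `https` are valid values, and an `ansible.builtin.assert` on it would make that enforced rather than documented.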
@@ -0,0 +1,17 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+include /etc/nginx/http.conf;
diff --git a/roles/server/nginx/files/proxy.conf b/roles/server/nginx/files/proxy.conf
new file mode 100644
index 0000000..d70928d
--- /dev/null
+++ b/roles/server/nginx/files/proxy.conf
@@ -0,0 +1,12 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+proxy_redirect off;
+proxy_http_version 1.1;
+proxy_buffering off;
+chunked_transfer_encoding off;
+proxy_read_timeout 86400;
diff --git a/roles/server/nginx/tasks/install.yml b/roles/server/nginx/tasks/install.yml
new file mode 100644
index 0000000..8335768
--- /dev/null
+++ b/roles/server/nginx/tasks/install.yml
@@ -0,0 +1,6 @@
+---
+- name: Install as module on AlmaLinux
+ ansible.builtin.dnf:
+ name: "@nginx:1.24"
+ state: present
+ when: ansible_distribution == "AlmaLinux"
diff --git a/roles/server/nginx/tasks/main.yml b/roles/server/nginx/tasks/main.yml
new file mode 100644
index 0000000..62979bd
--- /dev/null
+++ b/roles/server/nginx/tasks/main.yml
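Review bot: `proxy_read_timeout 86400;` applies to every proxied request, not only to the websocket upgrades the `Upgrade`/`Connection` headers are there for, and together with `proxy_buffering off;` each idle upstream response pins a worker connection (nginx.conf caps these at 1024) for up to a day, which is an easy resource-exhaustion target for anyone who can reach a proxied host. Leave the default timeout in this shared snippet and set the 24h value only in locations that actually carry long-lived connections, or at minimum document the trade-off above the line: `# 24h: keeps websocket sessions alive; every proxied request holds its connection this long`. Also consider `proxy_set_header Host $host;` instead of `$http_host`: `$host` is normalised (lower-cased, port stripped, falls back to server_name) while `$http_host` is the raw client header and can be empty on HTTP/1.0 requests.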
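Review bot: Only AlmaLinux is handled; on any other distribution the task is skipped silently and the role carries on copying files into an `/etc/nginx` that was never created, so the run fails later with an unrelated "destination directory does not exist" error. Add an explicit guard, e.g. an `ansible.builtin.fail` task with `when: ansible_distribution != "AlmaLinux"` and a message naming the unsupported distribution (an `ansible.builtin.assert` on `ansible_distribution` works as well). Pinning the `nginx:1.24` module stream is reasonable, but a one-line comment on why that stream was chosen would save the next maintainer from guessing when a newer stream appears.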
@@ -0,0 +1,89 @@
+---
+- name: Packages
+ ansible.builtin.include_tasks: install.yml
+ tags: install
+
+- name: Install the proxy snippet
+ ansible.builtin.copy:
+ src: files/proxy.conf
+ dest: /etc/nginx/proxy.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Install the SSL snippet
+ ansible.builtin.template:
+ src: templates/ssl.conf
+ dest: /etc/nginx/ssl.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Install the default config
+ ansible.builtin.copy:
+ src: files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Install the HTTP config
+ ansible.builtin.template:
+ src: templates/http.conf
+ dest: /etc/nginx/http.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Enable $HOME shortcut
+ ansible.builtin.template:
+ src: templates/me.conf
+ dest: /etc/nginx/conf.d/me.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Allow httpd in homedirs in SELinux
+ ansible.posix.seboolean:
+ name: httpd_enable_homedirs
+ state: true
+ persistent: true
+ when: ansible_facts.selinux.status == 'enabled'
+
+- name: Enable reverse proxy
+ ansible.builtin.template:
+ src: templates/reverse_proxy.conf
+ dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
+ mode: 0644
+ owner: root
+ group: root
+ vars:
+ proxy_domain: "{{ item.domain }}"
+ proxy_upstream: "{{ item.upstream }}"
+ proxy_protocol: "{{ item.protocol }}"
+ loop: "{{ server_nginx_reverse_proxy }}"
+
+# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
+- name: Allow reverse proxy in SELinux
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+ when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy"
+
+- name: Enable nginx on firewall
+ ansible.posix.firewalld:
+ service: "{{ item }}"
+ immediate: true
+ permanent: true
+ state: enabled
+ loop:
+ - http
+ - https
+ tags: firewall
+
+- name: Enable nginx
+ ansible.builtin.service:
+ name: nginx
+ enabled: true
state: restarted
diff --git a/roles/server/nginx/templates/http.conf b/roles/server/nginx/templates/http.conf
new file mode 100644
index 0000000..2f5bbe7
--- /dev/null
+++ b/roles/server/nginx/templates/http.conf
@@ -0,0 +1,74 @@
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 80;
+ listen [::]:80;
+
+ return 301 https://$host$request_uri;
+ }
+
+# Settings for a TLS enabled server.
+#
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ host_fqdn }};
+ root /usr/share/nginx/html;
+
+ ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
+
+ # Allow TLS version 1.2 only, which is a recommended default these days
+ # by international information security standards.
+ ssl_protocols TLSv1.2;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ error_page 404 /404.html;
+ location = /404.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+
+ location ~ /\.git {
+ return 404;
+ }
+
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/public_html$2;
+ autoindex on;
+ }
+ }
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+}
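Review bot: The final task uses `state: restarted`, so nginx is bounced on every playbook run even when nothing changed, and nothing validates the rendered configuration before that restart — a broken template, or `server_nginx_certname` left at its `None` default, takes the service down with no rollback. Run `nginx -t` as an explicit task before touching the service, switch the service task to `state: started`, and have the copy/template tasks `notify` a restart handler so nginx is only restarted when a file actually changed. Two smaller things: `mode: 0644` is an unquoted octal (ansible-lint `risky-octal`), `mode: "0644"` is the safe spelling; and `httpd_can_network_connect` lets nginx connect to any TCP port, so the comment explaining why the narrower `httpd_can_network_relay` was insufficient should stay and ideally name the port that failed.

```yaml
# … unchanged: package, snippet, config, SELinux and firewall tasks …
- name: Validate the rendered nginx configuration
  ansible.builtin.command: nginx -t
  changed_when: false

- name: Enable nginx
  ansible.builtin.service:
    name: nginx
    enabled: true
    state: started
```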
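Review bot: Neither `listen 443` line of the `{{ host_fqdn }}` server is marked `default_server`, and because `include /etc/nginx/conf.d/*.conf;` comes before the server blocks, the first IPv4 443 server nginx sees is whichever conf.d file sorts first (a reverse proxy or `me.conf`); nginx uses the first server on an address:port as the default when no `server_name` matches, so a request to the bare IP or an unknown Host would be handed to that upstream. Make the catch-all explicit: `listen 443 ssl http2 default_server;` and `listen [::]:443 ssl http2 default_server;` here, or add a dedicated catch-all server with `ssl_reject_handshake on;` (supported by the 1.24 stream install.yml pins). Separately, `location ~ /\.git` hides only git metadata, while `autoindex on` over every user's `public_html` lists and serves every other dotfile; `location ~ /\. { return 404; }` covers them all. The TLS directives here duplicate `ssl.conf`, so the policy now lives in two places that can drift — including the snippet (and dropping the duplicated lines) keeps one source of truth.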
diff --git a/roles/server/nginx/templates/me.conf b/roles/server/nginx/templates/me.conf
new file mode 100644
index 0000000..192d437
--- /dev/null
+++ b/roles/server/nginx/templates/me.conf
@@ -0,0 +1,20 @@
+server {
+ include ssl.conf;
+ include fastcgi.conf;
+
+ server_name me.{{ host_fqdn }};
+
+ root /home/{{ target_user }}/public_html;
+ index index.html index.htm;
+ autoindex on;
+
+ error_page 404 /404.html;
+ location = /40x.html {}
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {}
+
+ location ~ /\.git {
+ return 404;
+ }
+}
diff --git a/roles/server/nginx/templates/reverse_proxy.conf b/roles/server/nginx/templates/reverse_proxy.conf
new file mode 100644
index 0000000..74694ae
--- /dev/null
+++ b/roles/server/nginx/templates/reverse_proxy.conf
@@ -0,0 +1,13 @@
+upstream {{ proxy_domain }} {
+ server {{ proxy_upstream }};
+}
+
+server {
+ include ssl.conf;
+ server_name {{ proxy_domain }}.{{ host_fqdn }};
+
+ location ~ / {
+ include proxy.conf;
+ proxy_pass {{ proxy_protocol }}://{{ proxy_domain }};
+ }
+}
diff --git a/roles/server/nginx/templates/ssl.conf b/roles/server/nginx/templates/ssl.conf
new file mode 100644
index 0000000..14a399b
--- /dev/null
+++ b/roles/server/nginx/templates/ssl.conf
@@ -0,0 +1,14 @@
+listen 443 ssl http2;
+
+ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
+
+# Allow TLS version 1.2 only, which is a recommended default these days
+# by international information security standards.
+ssl_protocols TLSv1.2;
+
+ssl_session_cache shared:SSL:1m;
+ssl_session_timeout 5m;
+
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
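Review bot: `include fastcgi.conf;` at server level sets `fastcgi_param` values but there is no `fastcgi_pass` anywhere in this server, so the line is dead configuration that reads as if CGI execution from a user-writable `public_html` is intended; if it is not, drop the line, and if it is, that deserves its own review since the root is a home directory with `autoindex on`. `error_page 404 /404.html;` is paired with `location = /40x.html {}`, which never matches the page it is meant for — use `location = /404.html {}` to match the error_page line and `http.conf`. As in `http.conf`, `location ~ /\.git` is the only dotfile filter; `location ~ /\. { return 404; }` would also keep files such as `.htpasswd` or editor backups out of the listing.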
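Review bot: `proxy_pass {{ proxy_protocol }}://{{ proxy_domain }};` with `protocol: "https"` (the cockpit example in defaults) talks TLS to the upstream without verifying its certificate — nginx's `proxy_ssl_verify` defaults to off and `proxy.conf` does not enable it — so a non-loopback upstream gets no protection against interception. Either enable verification for such upstreams (`proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate`, `proxy_ssl_server_name on;`) or record the assumption next to the directive: `# upstream TLS is not verified; use https only for loopback upstreams`. `location ~ /` is a regex match on any URI containing a slash, i.e. everything; `location / {` is the conventional prefix form and avoids the needless regex evaluation. The `proxy_protocol` value is interpolated unvalidated, so an assert in the tasks that it is `http` or `https` would keep a typo from producing an unparseable config.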
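Review bot: `listen 443 ssl http2;` binds only the IPv4 socket, while the main server in `http.conf` also listens on `[::]:443`; nginx selects by `server_name` only among servers bound to the socket a connection arrived on, so IPv6 clients of `me.<fqdn>` and of every reverse proxy appear to be answered by the main server instead of the intended one. Add `listen [::]:443 ssl http2;` right after the first line so the snippet matches `http.conf`. `ssl_protocols TLSv1.2;` excludes TLS 1.3 and `HIGH:!aNULL:!MD5` still admits static-RSA and CBC suites; `ssl_protocols TLSv1.2 TLSv1.3;` with an ECDHE/AEAD-only cipher list is the current widely recommended baseline, and the comment asserting that 1.2-only is the recommended default should be revised to match whatever policy is chosen.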