AniNIX/Kapisi
AniNIX
/
Kapisi
2
0
Fork 0
Code Issues 25 Pull Requests 1 Projects 1 Releases Wiki Activity

catchup

This commit is contained in:
DarkFeather 2023-10-08 12:28:14 -05:00
parent 5ab88dc387
commit ea75da1b41
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
26 changed files with 257 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,8 +1,10 @@
# Generated files
roles/Node/files/*-vm.service
roles/Nazara/files/dns
roles/Nazara/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
roles/Sharingan/files/monit/checks/availability
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**

3
bin/deploy-role
View File

@ -33,8 +33,7 @@ done
# Get the targetgroup
targetgroup="$2"
if [ -z "$targetgroup" ]; then
echo Need a group
exit 2
targetgroup="$role" # Deploy a role to the server named for that function
fi
# Allow an inventory override

0
bin/generate-mirrorlist Normal file → Executable file
View File

83
bin/generate-monitoring.py Executable file
View File

@ -0,0 +1,83 @@
#!/usr/bin/env python3
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import subprocess
import sys
import yaml
rolepath='../roles/Sharingan/files'
monfilepath=rolepath+"/monit/checks/availability"
def WriteMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ping_mon with path "/usr/lib/monitoring-plugins/check_ping -H ' + hostname + ' -w 100,50% -c 1000,100% -p 3 -t 60 -4"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not online."\n\n')
except:
print(host + ' is not complete for monitoring.')
def WriteSSHMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ssh_mon with path "/usr/lib/monitoring-plugins/check_ssh -H ' + hostname + '"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not responding to SSH."\n\n')
except:
print(host + ' is not complete for monitoring.')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global monfilepath
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
if os.path.isfile(monfilepath): os.remove(monfilepath)
# Add DNS entries for each host
hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']:
WriteMonitoringEntry(content,hosttype,hostclass)
WriteSSHMonitoringEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','appliances']:
WriteMonitoringEntry(content,hosttype,hostclass)
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)

2
bin/generate-pihole-dns-dhcp.py
View File

@ -74,7 +74,7 @@ def GenerateFiles(file):
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','appliances','iot']:
for hostclass in ['ovas','test_ovas','appliances','adhoc_appliances','iot']:
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)

4
bin/generate-systemd-vms.py
View File

@ -84,8 +84,8 @@ def GenerateFiles(file):
# Add service files for each host
WriteVMFile(content,'managed','virtual')
WriteVMFile(content,'unmanaged','ovas')
#WriteVMFile(content,'unmanaged','appliances')
WriteVMFile(content,'unmanaged','ovas',
WriteVMFile(content,'unmanaged','test_ovas')
if __name__ == '__main__':
if len(sys.argv) != 2:

54
examples/msn0.yml
View File

@ -71,6 +71,8 @@ all:
siem: true
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
DarkNet:
ipinterface: ens3
ip: 10.0.1.17
@ -110,17 +112,9 @@ all:
rotate: 90
unmanaged:
children:
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
ovas: # 10.0.1.48/28
hosts:
TDS-Jump:
ip: 10.0.1.48
mac: 00:15:5d:01:02:08
cores: 2
memory: 2
vnc: 4
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/TDSJump.qcow2'
Geth:
ip: 10.0.1.49
mac: DE:8B:9E:19:55:1E
@ -131,6 +125,17 @@ all:
uefi: true
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/hassos_ova-5.13.qcow2'
test_ovas: # 10.0.1.48/28
hosts:
TDS-Jump:
ip: 10.0.1.48
mac: 00:15:5d:01:02:08
cores: 2
memory: 2
vnc: 4
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/TDSJump.qcow2'
DedNet:
ip: 10.0.1.50
mac: 00:15:5d:01:02:09
@ -181,11 +186,26 @@ all:
vnc: 12
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
appliances:
hosts: # 10.0.1.64/27
Shadowfeed:
Shadowfeed: # Router must be at root
ip: 10.0.1.1
mac: 2c:30:33:64:f4:03
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
ip: 10.0.1.6
mac: 00:80:92:77:CE:E4
Geth-Eyes:
ip: 10.0.1.68
mac: 9C:A3:AA:33:A3:99
"Core-Console":
ip: 10.0.1.74
mac: 00:25:90:0D:82:5B
"Node0-Console":
ip: 10.0.1.75
mac: 00:25:90:3E:C6:8C
adhoc_appliances:
hosts: # 10.0.1.64/27
DarkFeather:
ip: 10.0.1.64
mac: D0:40:EF:D4:14:CF
@ -195,19 +215,13 @@ all:
Games:
ip: 10.0.1.66
mac: E0:BE:03:77:0E:88
Print:
ip: 10.0.1.67
mac: 00:80:92:77:CE:E4
Geth-Eyes:
ip: 10.0.1.68
mac: 9C:A3:AA:33:A3:99
LivingRoomTV:
ip: 10.0.1.69
mac: 80:D2:1D:17:63:0E
BedRoomTV:
ip: 10.0.1.70
mac: 80:D2:1D:17:63:0F
TraingRoomTV:
TrainingRoomTV:
ip: 10.0.1.71
mac: 80:D2:1D:17:63:10
Tachikoma:
@ -216,12 +230,6 @@ all:
Dedsec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F
"Core-Console":
ip: 10.0.1.74
mac: 00:25:90:0D:82:5B
"Node0-Console":
ip: 10.0.1.75
mac: 00:25:90:3E:C6:8C
# dhcp build space: 10.0.1.224/27
iot: # 10.0.2.0/24
hosts:

2
roles/Foundation/files/custom/templates/custom/footer.tmpl
View File

@ -13,7 +13,7 @@ _gaq.push(['_trackPageview']);
</script>
<!-- Replace Gitea icon with AniNIX -->
<script type="text/javascript">
document.getElementsByClassName('brand')[0].children[0].children[0].src="/assets/img/AniNIX.png";
document.getElementById('navbar').children[0].children[0].children[0].src="/assets/img/AniNIX.png";
$('meta[property=og\\:image]').attr('content', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('href', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('color', '#000000');

10
roles/Foundation/files/hooks/gitea.hook Normal file
View File

@ -0,0 +1,10 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = gitea
[Action]
Description = Updating Gitea Custom Pages
When = PostTransaction
Exec = /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom

74
roles/Foundation/templates/app.ini.j2
View File

@ -20,10 +20,6 @@ FORCE_PRIVATE = false
DEFAULT_PRIVATE = last
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = -1
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Patch test queue length, increase if pull request patch testing starts hanging
PULL_REQUEST_QUEUE_LENGTH = 1000
; Preferred Licenses to place at the top of the List
; The name here must match the filename in conf/license or custom/conf/license
PREFERRED_LICENSES = AniNIX-WTFPL
@ -233,12 +229,14 @@ LANDING_PAGE = home
; Enables git-lfs support. true or false, default is false.
LFS_START_SERVER = true
; Where your lfs files reside, default is data/lfs.
LFS_CONTENT_PATH = data/lfs
; LFS authentication secret, change this yourself
LFS_JWT_SECRET = {{ secrets.Foundation.lfs_jwt_secret }}
; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
LFS_HTTP_AUTH_EXPIRY = 20m
[lfs]
PATH = data/lfs
; Define allowed algorithms and their minimum key length (use -1 to disable a type)
[ssh.minimum_key_sizes]
ED25519 = 256
@ -278,19 +276,10 @@ DB_RETRY_BACKOFF = 3s
ISSUE_INDEXER_TYPE = bleve
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = indexers/issues.bleve
; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
; default is indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = indexers/issues.queue
; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
ISSUE_INDEXER_QUEUE_CONN_STR = addrs=127.0.0.1:6379 db=0
; Batch queue number, default is 20
ISSUE_INDEXER_QUEUE_BATCH_NUMBER = 20
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = false
REPO_INDEXER_PATH = indexers/repos.bleve
UPDATE_BUFFER_LEN = 20
MAX_FILE_SIZE = 1048576
[admin]
@ -361,7 +350,7 @@ RESET_PASSWD_CODE_LIVE_MINUTES = 180
REGISTER_EMAIL_CONFIRM = false
; List of domain names that are allowed to be used to register on a Gitea instance
; gitea.io,example.com
EMAIL_DOMAIN_WHITELIST =
EMAIL_DOMAIN_ALLOWLIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
@ -430,43 +419,9 @@ SKIP_TLS_VERIFY = false
PAGING_NUM = 10
ALLOWED_HOST_LIST = ::1/128, 127.0.0.1/32
; We don't use mail
[mailer]
ENABLED = false
; Buffer length of channel, keep it as it is if you don't know what it is.
SEND_BUFFER_LEN = 100
; Prefix displayed before subject in mail
SUBJECT_PREFIX =
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST =
; Disable HELO operation when hostnames are different.
DISABLE_HELO =
; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
HELO_HOSTNAME =
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY =
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = custom/mailer/cert.pem
KEY_FILE = custom/mailer/key.pem
; Should SMTP connection use TLS
IS_TLS_ENABLED = false
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM =
; Mailer user name and password
USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD =
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
MAILER_TYPE = smtp
; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments
SENDMAIL_ARGS =
[cache]
; Either "memory", "redis", or "memcache", default is "memory"
@ -544,6 +499,13 @@ MAX_FILES = 5
FORMAT =
[log]
ROOT_PATH = %(GITEA_WORK_DIR)/log
MODE = console
LEVEL = Info
STACKTRACE_LEVEL = None
logger.router.MODE = ,
logger.xorm.MODE = ,
logger.access.MODE =
ROOT_PATH = /var/log/gitea/
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
@ -551,11 +513,8 @@ MODE = console
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info"
ROUTER_LOG_LEVEL = Critical
ROUTER = none
ENABLE_ACCESS_LOG = true
ACCESS_LOG_TEMPLATE = {{ '{{' }}.Ctx.RemoteAddr{{ '}}' }} - {{ '{{' }}.Identity{{ '}}' }} {{ '{{' }}.Start.Format "[02/Jan/2006:15:04:05 -0700]" {{ '}}' }} "{{ '{{' }}.Ctx.Req.Method{{ '}}' }} {{ '{{' }}.Ctx.Req.RequestURI{{ '}}' }} {{ '{{' }}.Ctx.Req.Proto{{ '}}' }}" {{ '{{' }}.ResponseWriter.Status{{ '}}' }} {{ '{{' }}.ResponseWriter.Size{{ '}}' }} "{{ '{{' }}.Ctx.Req.Referer{{ '}}' }}\" \"{{ '{{' }}.Ctx.Req.UserAgent{{ '}}' }}"
ACCESS = console
logger.access.MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
@ -570,9 +529,10 @@ COLORIZE = false
; For "console" mode only
[log.console]
LEVEL =
COLORIZE = false
STDERR = false
MODE = console
FLAGS = stdflags
PREFIX =
COLORIZE = true
; For "file" mode only
[log.file]

5
roles/IRC/templates/inspircd/inspircd.conf.j2
View File

@ -67,8 +67,9 @@
<sslprofile
name="clients"
provider="openssl"
cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/cert.pem" keyfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/privkey.pem"
cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/chain.pem"
certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
keyfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/privkey.pem"
ciphers="{{ ssl['ciphersuite'] }}"
hash="sha256"
renegotiation="no"

1
roles/Maat/files/aur.list
View File

@ -71,6 +71,7 @@ https://aur.archlinux.org/perl-php-serialization.git
https://aur.archlinux.org/perl-sys-mmap.git
https://aur.archlinux.org/perl-term-shellui.git
https://aur.archlinux.org/php-pear.git
https://aur.archlinux.org/php-zts.git
https://aur.archlinux.org/pm-utils.git
https://aur.archlinux.org/powerpanel.git
https://aur.archlinux.org/python-aiohttp.git

5
roles/ShadowArch/tasks/main.yml
View File

@ -84,9 +84,10 @@
- name: Set up pacman.conf
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
ignorepkg: "{{ holdpackages | default('') }}"
become: yes
copy:
src: pacman.conf
template:
src: pacman.conf.j2
dest: /etc/pacman.conf
owner: root
group: root

2
roles/ShadowArch/files/pacman.conf → roles/ShadowArch/templates/pacman.conf.j2
View File

@ -23,7 +23,7 @@ CleanMethod = KeepCurrent
Architecture = auto
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
IgnorePkg = mediawiki
IgnorePkg = {{ ignorepkg }}
# IgnoreGroup =
#NoUpgrade =

11
roles/Sharingan/files/monit/checks/vips
View File

@ -25,5 +25,12 @@ check program https_singularity with path "/usr/lib/monitoring-plugins/check_htt
check program https_wolfpack with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H wolfpack.aninix.net"
if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical wolfpack.aninix.net not reporting OK"
#check program https_yggdrasil with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -u /web/index.html -H yggdrasil.aninix.net"
# if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical yggdrasil.aninix.net not reporting OK"
check program https_yggdrasil with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -u /web/index.html -H yggdrasil.aninix.net"
every "* 6-23 * * *"
if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical yggdrasil.aninix.net not reporting OK"
check program http_eyes with path "/usr/lib/monitoring-plugins/check_http -w 10 -c 10 -u / -H geth-eyes.msn0.aninix.net"
if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical geth-eyes HTTP not reporting OK"
check program http_shadowfeed with path "/usr/lib/monitoring-plugins/check_http -w 10 -c 10 -u / -H shadowfeed.msn0.aninix.net"
if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical shadowfeed HTTP not reporting OK"

2
roles/Sharingan/files/monit/hostdefs/Sharingan
View File

@ -1,3 +1,3 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/vips"
include "/etc/monit.d/checks/availability"

9
roles/Sharingan/tasks/eval.yml
View File

@ -1,6 +1,11 @@
---
- name: Sharingan-Eval service
- name: Generate monitoring from inventory
delegate_to: localhost
run_once: true
command: "python3 ../bin/generate-monitoring.py {{ inventory_file }}"
- name: Sharingan-Eval service copy
become: yes
register: eval_service
copy:
@ -55,5 +60,3 @@
owner: root
group: root
mode: 0700

1
roles/Sharingan/tasks/heartbeat.yml
View File

@ -45,4 +45,3 @@
name: syslog-ng@default.service
state: stopped
enabled: no

1
roles/Sharingan/tasks/main.yml
View File

@ -12,4 +12,3 @@
- import_tasks: ../roles/Sharingan/tasks/scans.yml
when: ansible_os_family == "Archlinux"

2
roles/Sharingan/tasks/siem.yml
View File

@ -5,7 +5,7 @@
package:
name:
- elasticsearch
- mongodb
- mongodb44-bin # Temporarily pinned for extensions
- graylog
state: present

2
roles/WebServer/files/conf.d/Core/aaa_default.conf
View File

@ -27,7 +27,7 @@ server {
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
rewrite /martialarts/maqotw.xml /MartialArts/Wiki/raw/branch/main/rss/maqotw.xml;
}
location /whatismyip {

54
roles/WebServer/files/conf.d/Core/cyberbrain.conf
View File

@ -1,22 +1,46 @@
server {
listen 443 ssl http2;
listen 443 ssl;
server_name cyberbrain.aninix.net;
include sec.conf;
include default.csp.conf;
include local.conf;
location /
{
auth_basic "Cyberbrain";
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
proxy_pass http://127.0.0.1:8822;
proxy_http_version 1.1;
proxy_read_timeout 300;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-PORT $remote_port;
root /usr/share/webapps/;
client_max_body_size 5m;
client_body_timeout 60;
include ../conf.d/fastcgi7.config;
location /mediawiki-gb/ {
try_files $uri $uri/ @rewrite;
rewrite ^/mediawiki-gb/(.*)$ /mediawiki/index.php?title=$1&$args;
rewrite ^$ /mediawiki-gb/Main_Page;
rewrite ^/$ /mediawiki-gb/Main_Page;
rewrite ^mediawiki-gb$ /mediawiki-gb/Main_Page;
rewrite ^mediawiki-gb/$ /mediawiki-gb/Main_Page;
}
location /mediawiki-ma/ {
try_files $uri $uri/ @rewrite;
rewrite ^/mediawiki-ma/(.*)$ /mediawiki/index.php?title=$1&$args;
rewrite ^$ /mediawiki-ma/Main_Page;
rewrite ^/$ /mediawiki-ma/Main_Page;
rewrite ^mediawiki-ma$ /mediawiki-ma/Main_Page;
rewrite ^mediawiki-ma/$ /mediawiki-ma/Main_Page;
}
location ^~ /maintenance/ {
return 403;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
try_files $uri /mediawiki/index.php;
expires max;
log_not_found off;
}
location ^~ /cache/ {
deny all;
}
include letsencrypt.conf;

13
roles/WebServer/files/conf.d/Core/fastcgi7.config
View File

@ -1,13 +0,0 @@
location ~ \.php$ {
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_pass unix:/run/php-fpm7/php-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
}

2
roles/WebServer/files/conf.d/Core/lykos-wiki.conf
View File

@ -9,7 +9,7 @@ server {
client_max_body_size 5m;
client_body_timeout 60;
include ../conf.d/fastcgi7.config;
include ../conf.d/fastcgi.config;
location / {
try_files $uri $uri/ @rewrite;

37
roles/WebServer/files/conf/nginx.conf Normal file
View File

@ -0,0 +1,37 @@
user http;
worker_processes 4;
# Logs
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
events {
worker_connections 1024;
}
http {
include mime.types;
include fastcgi.conf;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 65;
gzip on;
# Redirect all HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
return 301 https://$host$request_uri;
}
}
include ../conf.d/*.conf;
}

10
roles/WebServer/tasks/main.yml
View File

@ -35,12 +35,13 @@
- name: Copy conf.d
become: yes
copy:
src: "conf.d/{{ inventory_hostname }}"
dest: /opt/openresty/nginx/conf.d
src: "conf.d/{{ inventory_hostname }}/"
dest: /opt/openresty/nginx/conf.d/
owner: http
group: http
mode: 0660
directory_mode: 0770
follow: true
register: confd
- name: Copy conf
@ -51,17 +52,18 @@
owner: http
group: http
mode: 0660
follow: true
register: conf
- name: Populate security config
become: yes
template:
src: sec.conf.j2
src: conf/sec.conf.j2
dest: /opt/openresty/nginx/conf/sec.conf
owner: http
group: http
mode: 0660
register: secconf
register: secconf
- name: Ensure default openresty service file is off.