diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2024-01-04 16:39:29 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-01-31 08:19:22 +0100 |
commit | f0488dccb2fe3cb7fc570372926abf0a312a8af8 (patch) | |
tree | fe9f421cad6d19ad27da4f68d58841c7078d6bc1 | |
parent | 649e6c4c696e369712ff18e792ef000125b5591c (diff) |
Install nginx.
-rw-r--r-- | files/etc/lacme/lacme-certs.conf.d/hel01.conf | 7 | ||||
-rw-r--r-- | files/etc/nftables.conf | 3 | ||||
-rw-r--r-- | files/etc/nginx/sites-enabled/webmap | 52 | ||||
-rw-r--r-- | files/etc/nginx/snippets/ssl.conf | 16 | ||||
-rw-r--r-- | handlers/main.yml | 6 | ||||
-rw-r--r-- | setup.yml | 1 | ||||
-rw-r--r-- | tasks/httpd.yml | 50 |
7 files changed, 134 insertions, 1 deletions
diff --git a/files/etc/lacme/lacme-certs.conf.d/hel01.conf b/files/etc/lacme/lacme-certs.conf.d/hel01.conf new file mode 100644 index 0000000..87f290b --- /dev/null +++ b/files/etc/lacme/lacme-certs.conf.d/hel01.conf @@ -0,0 +1,7 @@ +[httpd] +certificate-key = /etc/nginx/ssl/hel01.rsa.key +certificate-chain = /etc/nginx/ssl/hel01.rsa.pem +subject = /CN=hel01.guilhem.se +notify = /bin/systemctl reload postfix + +; vim:ft=dosini diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf index e8784ab..7a99b72 100644 --- a/files/etc/nftables.conf +++ b/files/etc/nftables.conf @@ -38,7 +38,8 @@ table inet filter { ct state related,established accept meta l4proto { icmp, icmpv6 } counter accept - tcp dport 22 ct state new counter accept + tcp dport 22 ct state new counter accept + tcp dport {80, 443} ct state new counter accept } chain output { diff --git a/files/etc/nginx/sites-enabled/webmap b/files/etc/nginx/sites-enabled/webmap new file mode 100644 index 0000000..26df41b --- /dev/null +++ b/files/etc/nginx/sites-enabled/webmap @@ -0,0 +1,52 @@ +server { + listen 80; + listen [::]:80; + + server_name hel01.guilhem.se; + + include /etc/lacme/nginx.conf; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log warn; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name hel01.guilhem.se; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log warn; + + ssl_certificate /etc/nginx/ssl/hel01.rsa.pem; + ssl_certificate_key /etc/nginx/ssl/hel01.rsa.key; + include snippets/ssl.conf; + + root /var/www/webmap; + index index.html; + + location ^~ /assets/ { + expires 7d; + gzip_static on; + try_files $uri =404; + } + location ^~ /tiles/ { + expires 1d; + gzip_static on; + try_files $uri =404; + error_page 404 /_.txt; + } + + location = /_.txt { + internal; + } + + location / { + try_files $uri $uri/ =404; + } +} diff --git a/files/etc/nginx/snippets/ssl.conf b/files/etc/nginx/snippets/ssl.conf new file mode 100644 index 0000000..0bce30a --- /dev/null +++ b/files/etc/nginx/snippets/ssl.conf @@ -0,0 +1,16 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; + +ssl_dhparam /etc/ssl/dhparams.pem; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; +ssl_prefer_server_ciphers off; + +ssl_stapling on; +ssl_stapling_verify on; + +ssl_trusted_certificate /usr/share/lacme/ca-certificates.crt; + +resolver 127.0.0.53; diff --git a/handlers/main.yml b/handlers/main.yml index 9a4521f..c241ecc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -40,3 +40,9 @@ - name: Update initramfs command: /usr/sbin/update-initramfs -u + +- name: Restart nginx + service: name=nginx.service state=restarted + +- name: Reload nginx + service: name=nginx.service state=reloaded @@ -12,5 +12,6 @@ - import_tasks: ./tasks/ssh.yml - import_tasks: ./tasks/base.yml - import_tasks: ./tasks/mail.yml + - import_tasks: ./tasks/httpd.yml handlers: - import_tasks: ./handlers/main.yml diff --git a/tasks/httpd.yml b/tasks/httpd.yml new file mode 100644 index 0000000..0973db1 --- /dev/null +++ b/tasks/httpd.yml @@ -0,0 +1,50 @@ +--- +- name: Install nginx + apt: pkg=nginx-light + +- name: Start nginx + service: name=nginx enabled=true state=started + +- meta: flush_handlers + +- name: Create directory /etc/nginx/ssl + file: path=/etc/nginx/ssl + state=directory + owner=root group=root + mode=0755 + +- name: Install lacme + apt: pkg=lacme + +- name: Copy /etc/lacme/lacme-certs.conf.d/hel01.conf + copy: src=etc/lacme/lacme-certs.conf.d/hel01.conf + dest=/etc/lacme/lacme-certs.conf.d/hel01.conf + owner=root group=root + mode=0644 + +- name: Copy /etc/nginx/snippets/ssl.conf + copy: src=etc/nginx/snippets/ssl.conf + dest=/etc/nginx/snippets/ssl.conf + owner=root group=root + mode=0644 + notify: Reload nginx + +- name: Copy /etc/nginx/sites-enabled/webmap + copy: src=etc/nginx/sites-enabled/webmap + dest=/etc/nginx/sites-enabled/webmap + owner=root group=root + mode=0644 + notify: Reload nginx + +- name: Create directory /var/www/webmap + file: path=/var/www/webmap + state=directory + owner=root group=root + mode=0755 + +- name: Create /var/www/webmap/_.txt + copy: dest=/var/www/webmap/_.txt content="" + owner=root group=root + mode=0644 + +- meta: flush_handlers |