From 146ec99561ce9dafc646b7bf224d95166dc41278 Mon Sep 17 00:00:00 2001
From: bax1489 <fabian.gallenkamp@uni-hamburg.de>
Date: Wed, 25 Sep 2019 16:14:54 +0200
Subject: [PATCH] seperate supervisor config;added supervisor config removal;
 added nginx default site with 403; various small fixes

---
 configure_nginx.yml                  | 36 +++++++++++++-----------
 configure_otree.yml                  | 17 ------------
 configure_supervisor.yml             | 23 +++++++++++++++-
 site.yml                             | 41 ++++++++++++++++------------
 templates/nginx.conf.j2              |  2 +-
 templates/nginx_default_site.conf.j2 | 27 ++++++++++++++++++
 templates/nginx_site.conf.j2         | 21 +++-----------
 7 files changed, 98 insertions(+), 69 deletions(-)
 create mode 100644 templates/nginx_default_site.conf.j2

diff --git a/configure_nginx.yml b/configure_nginx.yml
index 68abdc9..0ec77d1 100644
--- a/configure_nginx.yml
+++ b/configure_nginx.yml
@@ -32,6 +32,26 @@
         - absent
         - directory
 
+    # add and enable default_server entry; on http: 302->https, on https throw 403 per default
+    - name: setup nginx vhosts
+      template:
+        src: templates/nginx_default_site.conf.j2
+        dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: create symlinks for nginx vhosts confs
+      file:
+        state: link
+        src: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        dest: "{{ nginx_sites_enabled }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart nginx
+
+
     # add new vhost configs and enable them
     - name: setup nginx vhosts
       template:
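Review bot: The new `setup nginx vhosts` template task has no `notify`, so a later change to `nginx_default_site.conf.j2` only restarts nginx if the symlink task below it also reports a change, which after the first run it no longer does; add `notify: restart nginx` to the template task, matching the per-instance vhost task further down in this play. Two tasks in this play now carry the name `setup nginx vhosts`, which makes the play output and `--start-at-task` ambiguous; rename the new one, e.g. `- name: setup nginx default vhost`. The comment above it says `302->https`, but the template this commit adds uses `return 301`, so the comment should say 301.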
@@ -62,22 +82,6 @@
         group: root
         mode: "0644"
       notify: restart nginx
-    # TLS certificates
-    # Unfourtunately not scriptable due to security considerations
-    #- name: copy over certificate key files
-    #  copy:
-    #    src: "{{ item.src }}"
-    #    dest: "{{ item.dest }}"
-    #    group: root
-    #    mode: "{{ item.mode }}"
-    #  no_log: yes
-    #  with_items:
-    #    - src: "ssl/certs/localhost.crt"
-    #      dest: "/etc/ssl/certs/localhost.crt"
-    #      mode: "0644"
-    #    - src: "ssl/private/localhost.key"
-    #      dest: "/etc/ssl/private/localhost.key"
-    #      mode: "0600"
 
   handlers:
     - name: restart nginx
diff --git a/configure_otree.yml b/configure_otree.yml
index 496355f..84082a9 100644
--- a/configure_otree.yml
+++ b/configure_otree.yml
@@ -115,20 +115,3 @@
       become_user: "{{ item.key }}"
       with_dict: "{{ otree_users }}"
       when: item.value.override
-
-    - name: create supervisor-config for otree instances from template 
-      template:
-        src: templates/supervisor_otree.conf.j2
-        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
-        owner: root
-        group: root
-        mode: "0644"
-      with_dict: "{{ otree_users }}"
-      when: item.value.override
-
-    - name: make sure services are created and (re)-started
-      supervisorctl:
-        name: "{{ item.key }}"
-        state: restarted
-      with_dict: "{{ otree_users }}"
-    # TODO: set up otree (create venv, install pip packages, adapt .bashrc, run resetdb
diff --git a/configure_supervisor.yml b/configure_supervisor.yml
index 6eeb900..f5b0dee 100644
--- a/configure_supervisor.yml
+++ b/configure_supervisor.yml
@@ -1 +1,22 @@
-FIXME: TODO
+---
+- name: setup otree
+  become: true
+  hosts: all
+  tasks:
+    # create current supervisor configs and start it
+    - name: create supervisor-config for otree instances from template
+      template:
+        src: templates/supervisor_otree.conf.j2
+        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
+        owner: root
+        group: root
+        mode: "0640"
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
+
+    - name: make sure services are created and (re)-started
+      supervisorctl:
+        name: "{{ item.key }}"
+        state: restarted
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
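Review bot: `state: restarted` in the second task is unconditional, so every run of this play restarts each otree instance with `override` set even when the template task changed nothing, interrupting running sessions on routine runs; register the template task's result and restart only when it changed, or use `state: present` here and move the restart into a handler. The play is named `setup otree` although it only manages supervisor; `- name: setup supervisor` keeps the run output readable. The `when: item.value.override` on the restart task was not present in the version removed from configure_otree.yml, so instances without `override` are presumably never started by this play — if that is intended, a one-line comment above the task saying so would help.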
diff --git a/site.yml b/site.yml
index 301b99c..2761bda 100644
--- a/site.yml
+++ b/site.yml
@@ -22,6 +22,15 @@
       - postgresql
       - postgresql-contrib
   tasks:
+   # install all apt packages
+    - name: update package information
+      apt: update_cache=yes
+
+    - name: install required packages
+      apt:
+        name: "{{ prereq_packages }}"
+        state: latest
+
     # create/delete users as specified in group_vars/otree_users.yml
     - name: Create group for otreeusers
       group:
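Review bot: `apt: update_cache=yes` in the first new task uses the key=value shorthand and a YAML 1.1 truthy while the rest of the play uses block arguments; write it as `apt:` / `update_cache: true` / `cache_valid_time: 3600` so the cache is also not refreshed on every run. `state: latest` on the install task upgrades the listed packages on every run, which makes runs non-reproducible and pulls package upgrades without review; `state: present` with a separate, deliberate upgrade step is the safer default. The `# install all apt packages` comment is indented three spaces where the task below it uses four.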
@@ -45,11 +54,10 @@
       set_fact:
         removed_users: "{{existing_users.stdout_lines | difference(otree_users) }}"
 
-    - name: Delete removed user accounts
-      user:
+    - name: stop supervisor services
+      supervisorctl:
         name: "{{ item }}"
-        state: absent
-        remove: yes
+        state: stopped
       with_items: "{{ removed_users }}"
 
     - name: remove supervisor services
@@ -57,23 +65,22 @@
         name: "{{ item }}"
         state: absent
       with_items: "{{ removed_users }}"
-    # FIXME: remove supervisor configs for deleted users
 
-    # add python repos, FIXME should be avoided by using recent unbuntu version
-    #- name: add ppa repository with python versions
-    #  apt_repository: "ppa:deadsnakes/ppa"
-    #  state: present
-    
-    # install all apt packages
-    - name: update package information
-      apt: update_cache=yes
+    - name: remove supervisor config files
+      file:
+        state: absent
+        path: "/etc/supervisor/conf.d/{{ item }}.conf"
+      with_items: "{{ removed_users }}"
 
-    - name: install required packages
-      apt:
-        name: "{{ prereq_packages }}"
-        state: latest
+    - name: Delete removed user accounts
+      user:
+        name: "{{ item }}"
+        state: absent
+        remove: yes
+      with_items: "{{ removed_users }}"
 
 - import_playbook: "configure_nginx.yml"
 - import_playbook: "configure_postgresql.yml"
 - import_playbook: "configure_otree.yml"
+- import_playbook: "configure_supervisor.yml"
 - import_playbook: "configure_ufw.yml"
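Review bot: `remove: yes` in the re-added user task is a YAML 1.1 truthy; use `remove: true` to match the `become: true` style used elsewhere in this commit. That task deletes the home directory of every name in `removed_users`, which is computed as a difference against `otree_users`, so a typo in group_vars removes that instance's data on the next run; the new `remove supervisor config files` task and the user deletion deserve a short comment stating this, and arguably a guard variable before they run. Importing `configure_supervisor.yml` after `configure_otree.yml` is consistent with the supervisor template needing the users that playbook creates.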
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index ecd6b9c..266a0bc 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -29,7 +29,7 @@ http {
 
 	##
 	# SSL Settings
-	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d={{ otree_domain }}
+	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d=otree.{{ otree_domain }}
 	##
 	ssl_dhparam /etc/nginx/dhparam.pem; 
 	# assumes command executed: openssl dhparam -out /etc/nginx/dhparam.pem 4096
diff --git a/templates/nginx_default_site.conf.j2 b/templates/nginx_default_site.conf.j2
new file mode 100644
index 0000000..22eb9a2
--- /dev/null
+++ b/templates/nginx_default_site.conf.j2
@@ -0,0 +1,27 @@
+# Default server configuration for http
+# Redirect http to https
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+
+        return 301 https://$host$request_uri;
+}
+
+# Default server configuration for https
+# Throw 403 if no specific domain is matched
+# FIXME: Custom 403
+server {
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        server_name _;
+
+        ssl_certificate {{ ssl_certificate_path }};
+        ssl_certificate_key {{ ssl_certificate_key_path }};
+
+        location / {
+                return 403;
+        }
+}
+
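Review bot: The http catch-all redirects to `https://$host$request_uri`, and `$host` is taken from the client's Host header, so a request with an arbitrary Host to this default_server is answered with a 301 to that arbitrary host — an open redirect, which undercuts the purpose of the 403 catch-all on 443. Restrict the redirect to hosts this server actually serves, e.g. `if ($host !~* (^|\.){{ otree_domain }}$) { return 444; }` placed before the `return 301` (use `{{ otree_domain | regex_escape }}` if dots in the domain should match literally), or redirect to a fixed `https://{{ otree_domain }}$request_uri`. The file also uses 8-space indentation where `nginx_site.conf.j2` uses tabs, and ends with an extra blank line.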
diff --git a/templates/nginx_site.conf.j2 b/templates/nginx_site.conf.j2
index b08f76b..b64b671 100644
--- a/templates/nginx_site.conf.j2
+++ b/templates/nginx_site.conf.j2
@@ -3,32 +3,19 @@ map $http_upgrade $connection_upgrade {
 	''	close;
 }
 
-{% if item.key == otree_master %}
-# Default server configuration for http
-# Redirect http to https
 server {
-        listen 80 default_server;
-	listen [::]:80 default_server;
 
-        server_name _;
+	listen 443 ssl;
+	listen [::]:443 ssl;
 
-        return 301 https://$host$request_uri;
-}
-{% endif %}
-
-server {
-
-	listen 443 ssl{% if item.key == otree_master  %} default_server{% endif %};
-	listen [::]:443 ssl{% if item.key == otree_master %} default_server{% endif %};
-
-	server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %};
+	server_name {{ item.key }}.{{ otree_domain }};
 
 	ssl_certificate {{ ssl_certificate_path }};
 	ssl_certificate_key {{ ssl_certificate_key_path }};
 
 	location / {
 		access_log off;
-		proxy_pass http://localhost:{{ item.value.port }};
+		proxy_pass http://127.0.0.1:{{ item.value.port }};
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
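Review bot: The proxied headers visible here are X-Real-IP, Host and X-Forwarded-For but not the scheme, so the upstream on 127.0.0.1 has no way to learn from these headers that the request arrived over TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` next to them unless it is already set further down in the location block, which continues past the end of this hunk (the `server {` block opened above does as well). Switching `proxy_pass` from `localhost` to `127.0.0.1` removes the IPv4/IPv6 resolution ambiguity, which is an improvement. With the master branches removed, the bare `{{ otree_domain }}` host is no longer served on 443 and falls through to the 403 default vhost; if that is intended, a comment at the top of the template saying that every instance is served only as `{{ item.key }}.{{ otree_domain }}` would prevent surprises.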
-- 
GitLab