diff --git a/configure_nginx.yml b/configure_nginx.yml index 68abdc93231c010dc9f4b180693c0c0c199b7aa2..0ec77d152c54ef8be727eb1b49e1ba2a095b0bae 100644 --- a/configure_nginx.yml +++ b/configure_nginx.yml @@ -32,6 +32,26 @@ - absent - directory + # add and enable default_server entry; on http: 302->https, on https throw 403 per default + - name: setup nginx vhosts + template: + src: templates/nginx_default_site.conf.j2 + dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}" + owner: root + group: root + mode: "0644" + + - name: create symlinks for nginx vhosts confs + file: + state: link + src: "{{ nginx_sites_available }}/default.{{ otree_domain }}" + dest: "{{ nginx_sites_enabled }}/default.{{ otree_domain }}" + owner: root + group: root + mode: "0644" + notify: restart nginx + + # add new vhost configs and enable them - name: setup nginx vhosts template: @@ -62,22 +82,6 @@ group: root mode: "0644" notify: restart nginx - # TLS certificates - # Unfourtunately not scriptable due to security considerations - #- name: copy over certificate key files - # copy: - # src: "{{ item.src }}" - # dest: "{{ item.dest }}" - # group: root - # mode: "{{ item.mode }}" - # no_log: yes - # with_items: - # - src: "ssl/certs/localhost.crt" - # dest: "/etc/ssl/certs/localhost.crt" - # mode: "0644" - # - src: "ssl/private/localhost.key" - # dest: "/etc/ssl/private/localhost.key" - # mode: "0600" handlers: - name: restart nginx diff --git a/configure_otree.yml b/configure_otree.yml index 496355f61375a9b4c143786326b505898f6caaf6..84082a927fde25ba3c7567920e9900f3c178c1d3 100644 --- a/configure_otree.yml +++ b/configure_otree.yml 
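Review bot: The new `setup nginx vhosts` template task in the first hunk carries no `notify: restart nginx`; only the symlink task does, and that task is unchanged after the first run, so a later edit to nginx_default_site.conf.j2 is written to sites-available but nginx is never reloaded. Add `notify: restart nginx` to the template task as well. The comment above it says `on http: 302->https` while the new template returns a 301, so I would write `# add and enable default_server entry; on http: 301->https, on https return 403 by default`, and rename the task to `setup nginx default vhost` so it no longer shares its name with the per-user task right below it. `mode: "0644"` on a `state: link` task is, as far as I recall, applied to the link target rather than the symlink and can simply be dropped.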
@@ -115,20 +115,3 @@
       become_user: "{{ item.key }}"
       with_dict: "{{ otree_users }}"
       when: item.value.override
-
-    - name: create supervisor-config for otree instances from template
-      template:
-        src: templates/supervisor_otree.conf.j2
-        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
-        owner: root
-        group: root
-        mode: "0644"
-      with_dict: "{{ otree_users }}"
-      when: item.value.override
-
-    - name: make sure services are created and (re)-started
-      supervisorctl:
-        name: "{{ item.key }}"
-        state: restarted
-      with_dict: "{{ otree_users }}"
-    # TODO: set up otree (create venv, install pip packages, adapt .bashrc, run resetdb
diff --git a/configure_supervisor.yml b/configure_supervisor.yml
index 6eeb9006dd0ea9db80a765a43fe2b8d1dffa6d30..f5b0deef513389713e765ad2737c1a2ab52eb373 100644
--- a/configure_supervisor.yml
+++ b/configure_supervisor.yml
@@ -1 +1,22 @@
-FIXME: TODO
+---
+- name: setup otree
+  become: true
+  hosts: all
+  tasks:
+    # create current supervisor configs and start it
+    - name: create supervisor-config for otree instances from template
+      template:
+        src: templates/supervisor_otree.conf.j2
+        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
+        owner: root
+        group: root
+        mode: "0640"
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
+
+    - name: make sure services are created and (re)-started
+      supervisorctl:
+        name: "{{ item.key }}"
+        state: restarted
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
diff --git a/site.yml b/site.yml
index 301b99c4880e91737451b710e12b22728ebf7681..2761bda74b03761cbc3dae213e22d2be5b84ccc9 100644
--- a/site.yml
+++ b/site.yml
@@ -22,6 +22,15 @@
       - postgresql
       - postgresql-contrib
   tasks:
+    # install all apt packages
+    - name: update package information
+      apt: update_cache=yes
+
+    - name: install required packages
+      apt:
+        name: "{{ prereq_packages }}"
+        state: latest
+
     # create/delete users as specified in group_vars/otree_users.yml
     - name: Create group for otreeusers
       group:
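Review bot: `state: restarted` in the second task of configure_supervisor.yml restarts every otree program on every playbook run, whether or not its config changed, so a routine run of site.yml briefly takes down all running instances; the task behaved the same way in configure_otree.yml, so the move did not introduce this, but it is worth fixing while the file is being created. Register the result of the template task, use `state: present` (reread/add, which leaves running programs alone) for creation, and restart only the programs whose config actually changed, as sketched below. The play is named `setup otree` although it only configures supervisor; `configure supervisor` would match the file name. `mode: "0640"` on the supervisor config is a sensible tightening over the 0644 used previously.
```yaml
    - name: create supervisor-config for otree instances from template
      template:
        # … unchanged: src, dest, owner, group, mode …
      with_dict: "{{ otree_users }}"
      when: item.value.override
      register: supervisor_confs

    # `present` rereads the configs and adds programs that are new; running
    # programs are not touched here and are restarted below only on a config change
    - name: make sure services are created
      supervisorctl:
        name: "{{ item.key }}"
        state: present
      with_dict: "{{ otree_users }}"
      when: item.value.override

    - name: restart instances whose config changed
      supervisorctl:
        name: "{{ item.item.key }}"
        state: restarted
      loop: "{{ supervisor_confs.results }}"
      loop_control:
        label: "{{ item.item.key }}"
      when: item.changed
```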
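Review bot: `state: latest` in `install required packages` (site.yml hunk) upgrades every package in `prereq_packages` on each run, so an ordinary configuration run can silently pull in new package versions; `state: present` keeps the playbook idempotent and leaves patching to a deliberate step such as unattended-upgrades or a dedicated play. `apt: update_cache=yes` is the key=value form while the rest of the hunk uses block YAML; writing it as `apt:` / `update_cache: true` / `cache_valid_time: 3600` also stops the task from reporting changed on every run. Moving the package install ahead of the user handling is otherwise right, since the `supervisorctl` tasks later in the play now need supervisor installed first (assuming it is in `prereq_packages`, which is outside the hunk).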
@@ -45,11 +54,10 @@ set_fact: removed_users: "{{existing_users.stdout_lines | difference(otree_users) }}" - - name: Delete removed user accounts - user: + - name: stop supervisor services + supervisorctl: name: "{{ item }}" - state: absent - remove: yes + state: stopped with_items: "{{ removed_users }}" - name: remove supervisor services @@ -57,23 +65,22 @@ name: "{{ item }}" state: absent with_items: "{{ removed_users }}" - # FIXME: remove supervisor configs for deleted users - # add python repos, FIXME should be avoided by using recent unbuntu version - #- name: add ppa repository with python versions - # apt_repository: "ppa:deadsnakes/ppa" - # state: present - - # install all apt packages - - name: update package information - apt: update_cache=yes + - name: remove supervisor config files + file: + state: absent + path: "/etc/supervisor/conf.d/{{ item }}.conf" + with_items: "{{ removed_users }}" - - name: install required packages - apt: - name: "{{ prereq_packages }}" - state: latest + - name: Delete removed user accounts + user: + name: "{{ item }}" + state: absent + remove: yes + with_items: "{{ removed_users }}" - import_playbook: "configure_nginx.yml" - import_playbook: "configure_postgresql.yml" - import_playbook: "configure_otree.yml" +- import_playbook: "configure_supervisor.yml" - import_playbook: "configure_ufw.yml" diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 index ecd6b9c7c74c19826644ccefbdd85c1d13b293f8..266a0bc712bc028256c85849a31b17a47c4a4911 100644 --- a/templates/nginx.conf.j2 +++ b/templates/nginx.conf.j2 @@ -29,7 +29,7 @@ http { ## # SSL Settings - # keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d={{ otree_domain }} + # keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d=otree.{{ otree_domain }} ## ssl_dhparam /etc/nginx/dhparam.pem; # assumes command executed: openssl dhparam -out /etc/nginx/dhparam.pem 4096 
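Review bot: The new `stop supervisor services` task will fail for a removed user whose program supervisor does not know, because the supervisorctl module treats a non-matching name as an error for `state: stopped` (unlike `state: absent`, which just reports unchanged); such users exist by construction, since configure_supervisor.yml only creates a program `when: item.value.override`, and a rerun after a partial failure hits the same case. Either drop the task and rely on the following `state: absent`, which as far as I recall stops a running program before removing it, or make it tolerant with `register: stop_result` and `failed_when: stop_result.failed and 'no such process' not in (stop_result.msg | default(''))`. Note also that `removed_users` comes from `existing_users.stdout_lines` in the context line above; the command that fills it is outside the hunk, but anything it prints beyond otree accounts ends up in `user: state: absent` with `remove: yes` further down, so it must list only members of the otree group.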
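Review bot: The cleanup sequence in the second site.yml hunk (stop, remove program, remove config, delete account) never removes the departed user's nginx vhost, unless that happens somewhere outside this diff. nginx_site.conf.j2 proxies `<user>.{{ otree_domain }}` to `127.0.0.1:<port>`; once the supervisor program is gone that loopback port is free, and any local process that binds it is then served under the removed user's hostname, so the vhost should go away in the same run. The per-user vhost filename is not visible here; I assumed it mirrors the new `default.{{ otree_domain }}` naming. The `restart nginx` handler and the `nginx_sites_*` variables belong to configure_nginx.yml's play, so the task fits best there, e.g.:
```yaml
  # … unchanged: default vhost and per-user vhost tasks …

  # drop vhosts of accounts that site.yml has just removed
  - name: remove nginx vhosts of deleted users
    file:
      state: absent
      path: "{{ item[0] }}/{{ item[1] }}.{{ otree_domain }}"
    with_nested:
      - ["{{ nginx_sites_enabled }}", "{{ nginx_sites_available }}"]
      - "{{ removed_users | default([]) }}"
    notify: restart nginx
```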
diff --git a/templates/nginx_default_site.conf.j2 b/templates/nginx_default_site.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..22eb9a2fa8d030b7e739572b4583a213b85cd2c3
--- /dev/null
+++ b/templates/nginx_default_site.conf.j2
@@ -0,0 +1,27 @@
+# Default server configuration for http
+# Redirect http to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name _;
+
+    return 301 https://$host$request_uri;
+}
+
+# Default server configuration for https
+# Throw 403 if no specific domain is matched
+# FIXME: Custom 403
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    ssl_certificate {{ ssl_certificate_path }};
+    ssl_certificate_key {{ ssl_certificate_key_path }};
+
+    location / {
+        return 403;
+    }
+}
+
diff --git a/templates/nginx_site.conf.j2 b/templates/nginx_site.conf.j2
index b08f76b8a8054db8f32d05f2fd6f71b60c69e236..b64b6717de3f3977a536cf7eeeb49a5ccb7ccca4 100644
--- a/templates/nginx_site.conf.j2
+++ b/templates/nginx_site.conf.j2
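Review bot: `return 301 https://$host$request_uri;` in the catch-all port-80 server redirects to whatever the client put in the Host header, so a request with `Host: evil.example` receives a 301 to https://evil.example/…; that is an open redirect through a default_server, which exists precisely to catch names you do not serve. Only redirect names under `{{ otree_domain }}` and answer everything else with the same 403 the HTTPS default server uses, e.g. by guarding the return with an `if ($host !~* …)` on the domain as below. The `regex_escape` filter in the guard assumes a reasonably recent Ansible; with an older one, escape the dots in the domain by hand. Presenting the real certificate for unmatched SNI on 443 and answering 403 is fine; `return 444` would instead close the connection without a response if you prefer to give scanners nothing.
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    # only send clients to hosts we actually serve; $host is attacker-controlled
    if ($host !~* "^([a-z0-9-]+\.)?{{ otree_domain | regex_escape }}$") {
        return 403;
    }
    return 301 https://$host$request_uri;
}
# … unchanged: https default_server …
```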
@@ -3,32 +3,19 @@ map $http_upgrade $connection_upgrade { '' close; } -{% if item.key == otree_master %} -# Default server configuration for http -# Redirect http to https server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; + listen 443 ssl; + listen [::]:443 ssl; - return 301 https://$host$request_uri; -} -{% endif %} - -server { - - listen 443 ssl{% if item.key == otree_master %} default_server{% endif %}; - listen [::]:443 ssl{% if item.key == otree_master %} default_server{% endif %}; - - server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %}; + server_name {{ item.key }}.{{ otree_domain }}; ssl_certificate {{ ssl_certificate_path }}; ssl_certificate_key {{ ssl_certificate_key_path }}; location / { access_log off; - proxy_pass http://localhost:{{ item.value.port }}; + proxy_pass http://127.0.0.1:{{ item.value.port }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;