From 6b8fb0916fb2e79a05fb062e1ce011fd5a62fbf7 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 22 Feb 2021 21:22:07 +0100
Subject: [PATCH] [nginx/moinmoin] Extract nginx configuration

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/nginx.yml                          |  2 +-
 group_vars/wiki.yml                           | 37 +++++++++++
 host_vars/kiwi.adm.crans.org.yml              |  2 +-
 host_vars/sputnik.adm.crans.org               |  5 --
 host_vars/sputnik.adm.crans.org.yml           | 64 ++++++++++++++++++-
 hosts                                         |  8 +++
 plays/moinmoin.yml                            | 12 +++-
 roles/moinmoin/handlers/main.yml              |  5 --
 roles/moinmoin/tasks/main.yml                 | 13 ----
 .../templates/nginx/sites-available/wiki.j2   | 31 ---------
 10 files changed, 121 insertions(+), 58 deletions(-)
 create mode 100644 group_vars/wiki.yml
 delete mode 100644 host_vars/sputnik.adm.crans.org
 delete mode 100644 roles/moinmoin/templates/nginx/sites-available/wiki.j2

diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
index 774fa0e1..e2868541 100644
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -28,5 +28,5 @@ glob_nginx:
   default_ssl_domain: crans.org
   real_ip_from:
     - "172.16.0.0/16"
-    - "2a0c:700:0:2::/64"
+    - "fd00:0:0:10::/64"
   deploy_robots_file: false
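Review bot: Replacing the public 2a0c:700:0:2::/64 entry with fd00:0:0:10::/64 at line 32 changes which sources nginx trusts for the real-IP header on every host that consumes glob_nginx, not only the wiki hosts this commit is about. If any reverse proxy still forwards from the old /64, its client-address headers stop being honoured and logged addresses collapse to the proxy's own; conversely the retained `172.16.0.0/16` is far wider than the `172.16.10.0/24` the deleted wiki template trusted, so any host in that /16 can now assert an arbitrary client address to the wiki vhost, assuming the nginx role emits set_real_ip_from from this list. I would confirm the old range is really unused and consider narrowing the IPv4 entry to the proxy subnet, e.g. `- "172.16.10.0/24"`, if nothing else relies on the /16. A comment above real_ip_from naming the proxies these ranges belong to would make later edits safer.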
diff --git a/group_vars/wiki.yml b/group_vars/wiki.yml
new file mode 100644
index 00000000..310fe049
--- /dev/null
+++ b/group_vars/wiki.yml
@@ -0,0 +1,37 @@
+---
+glob_moinmoin:
+  main: false
+
+loc_nginx:
+  service_name: wiki
+  ssl: []
+  servers:
+    - server_name: "{{ query('ldap', 'ip', ansible_hostname, 'adm') | ipwrap + [ansible_hostname, ansible_hostname + '.adm.crans.org'] }}"
+      default: true
+      access_log: "/var/log/nginx/wiki.log combined"
+      error_log: "/var/log/nginx/wiki.error.log"
+      additional_params:
+        - "rewrite ^/$ $scheme://wiki.crans.org/PageAccueil"
+        - "client_max_body_size 15M"
+
+      locations:
+        - filter: "/wiki"
+          params:
+            - "alias /var/local/wiki/htdocs/"
+
+        - filter: "/robots.txt"
+          params:
+            - "alias /var/local/wiki/robots.txt"
+
+        - filter: "/favicon.ico"
+          params:
+            - "/var/local/wiki/favicon.ico"
+
+        - filter: "/www-sitemap.xml"
+          params:
+            - "alias /var/local/wiki/www-sitemap.xml"
+
+        - filter: "/"
+          params:
+            - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
+            - "include uwsgi_params"
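Review bot: The favicon location at line 67 lists the bare path `/var/local/wiki/favicon.ico` where every other location (and the deleted template's `location /favicon.ico { alias ... }`) carries an `alias` directive, so the rendered config would contain a path where nginx expects a directive and fail to load; it should read `- "alias /var/local/wiki/favicon.ico"`. The same line appears in host_vars/sputnik.adm.crans.org.yml in this patch. Separately, the first filter changed from the template's `/wiki/` to `/wiki` at line 57, which as a prefix location also matches paths such as `/wikisomething` and maps them under the alias, so `filter: "/wiki/"` is the closer translation. How these params are rendered depends on the nginx role's template, which is outside this patch.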
diff --git a/host_vars/kiwi.adm.crans.org.yml b/host_vars/kiwi.adm.crans.org.yml
index 162f1944..5ed64596 100644
--- a/host_vars/kiwi.adm.crans.org.yml
+++ b/host_vars/kiwi.adm.crans.org.yml
@@ -31,5 +31,5 @@ to_backup:
   read_only: "yes",
   }
 
-moinmoin:
+loc_moinmoin:
   main: true
diff --git a/host_vars/sputnik.adm.crans.org b/host_vars/sputnik.adm.crans.org
deleted file mode 100644
index 2878a578..00000000
--- a/host_vars/sputnik.adm.crans.org
+++ /dev/null
@@ -1,5 +0,0 @@
----
-loc_slapd:
-  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
-  replica: true
-  replica_rid: 4
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 6b2473f1..c0aa02b8 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -23,5 +23,67 @@ to_backup:
   hosts_allow: ["zephir.adm.crans.org", "10.231.136.6", "172.31.0.1"],
   }
 
-moinmoin:
+loc_slapd:
+  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"
+  replica: true
+  replica_rid: 4
+
+loc_moinmoin:
   main: false
+
+loc_certbot:
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_adm_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
+    mail: root@crans.org
+    certname: adm.crans.org
+    domains: "*.adm.crans.org"
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "git2.crans.org, status.crans.org, wiki.crans.org"
+
+loc_nginx:
+  service_name: wiki
+  ssl:
+    - name: adm.crans.org
+      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
+    - name: crans.org
+      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+  servers:
+    - server_name:
+        - "wiki2.crans.org"
+      ssl : "crans.org"
+      access_log: "/var/log/nginx/wiki.log combined"
+      error_log: "/var/log/nginx/wiki.error.log"
+      additional_params:
+        - "rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil"
+        - "client_max_body_size 15M"
+
+      locations:
+        - filter: "/wiki"
+          params:
+            - "alias /var/local/wiki/htdocs/"
+
+        - filter: "/robots.txt"
+          params:
+            - "alias /var/local/wiki/robots.txt"
+
+        - filter: "/favicon.ico"
+          params:
+            - "/var/local/wiki/favicon.ico"
+
+        - filter: "/www-sitemap.xml"
+          params:
+            - "alias /var/local/wiki/www-sitemap.xml"
+
+        - filter: "/"
+          params:
+            - "uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket"
+            - "include uwsgi_params"
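Review bot: The wiki2.crans.org vhost at lines 142–144 is bound to the `crans.org` certificate, but the certbot entry that requests that certificate at line 128 lists only git2.crans.org, status.crans.org and wiki.crans.org, so clients reaching wiki2.crans.org would get a certificate name mismatch unless that SAN is obtained somewhere outside this patch. Adding it to the request, `domains: "git2.crans.org, status.crans.org, wiki.crans.org, wiki2.crans.org"`, keeps the vhost and the certificate in step. Line 144 also has a space before the colon, `ssl : "crans.org"`; it parses as the key `ssl` but is inconsistent with every other key in the file and trips yamllint's colons rule, so write `ssl: "crans.org"`. The favicon entry at line 162 has the same missing `alias` as the one in group_vars/wiki.yml.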
diff --git a/hosts b/hosts
index a42cb4f7..59945c46 100644
--- a/hosts
+++ b/hosts
@@ -20,6 +20,9 @@ tealc.adm.crans.org
 [belenios]
 belenios.adm.crans.org
 
+[certbot]
+sputnik.adm.crans.org
+
 [certbot:children]
 dovecot
 git
@@ -93,6 +96,7 @@ mailman
 reverseproxy
 roundcube
 thelounge
+wiki
 
 [ntp_server]
 charybde.adm.crans.org
@@ -136,6 +140,10 @@ daniel.adm.crans.org
 jack.adm.crans.org
 sam.adm.crans.org
 
+[wiki]
+kiwi.adm.crans.org
+sputnik.adm.crans.org
+
 [crans_routeurs:children]
 # dhcp  TODO: Really needed ?
 # keepalived
diff --git a/plays/moinmoin.yml b/plays/moinmoin.yml
index b9c63047..35207855 100755
--- a/plays/moinmoin.yml
+++ b/plays/moinmoin.yml
@@ -1,6 +1,16 @@
 #!/usr/bin/env ansible-playbook
 ---
+- hosts: certbot:&wiki
+  vars:
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+  roles:
+    - certbot
+
 # Deploy MoinMoin Wiki
-- hosts: kiwi.adm.crans.org,soyouz.adm.crans.org,sputnik.adm.crans.org
+- hosts: wiki
+  vars:
+    moinmoin: '{{ glob_moinmoin | default({}) | combine(loc_moinmoin | default({})) }}'
+    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
   roles:
     - moinmoin
+    - nginx
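Review bot: The new `hosts: wiki` target at line 220 drops soyouz.adm.crans.org, which the replaced line 219 deployed to and which this patch does not add to the new [wiki] inventory group, so that host silently stops being managed by this playbook while keeping whatever wiki and nginx configuration it already has; if that is intended the commit message should say so, otherwise it belongs in [wiki]. The certbot play at line 212 targets `certbot:&wiki`, so a wiki host that declares `loc_nginx.ssl` but is not in the [certbot] group would get a vhost pointing at certificate files nothing issues; a comment above the play, e.g. `# Runs only on wiki hosts that are also in [certbot]; any ssl-enabled wiki host must be in both groups`, would make that coupling visible. Both plays would also read better with a `name:`, e.g. `- name: Obtain wiki certificates` and `- name: Deploy MoinMoin wiki`.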
diff --git a/roles/moinmoin/handlers/main.yml b/roles/moinmoin/handlers/main.yml
index ea116cb8..ba46876d 100644
--- a/roles/moinmoin/handlers/main.yml
+++ b/roles/moinmoin/handlers/main.yml
@@ -3,8 +3,3 @@
   service:
     name: uwsgi
     state: restarted
-
-- name: Restart nginx
-  service:
-    name: nginx
-    state: restarted
diff --git a/roles/moinmoin/tasks/main.yml b/roles/moinmoin/tasks/main.yml
index 50049b03..bef5dc51 100644
--- a/roles/moinmoin/tasks/main.yml
+++ b/roles/moinmoin/tasks/main.yml
@@ -40,19 +40,6 @@
     enabled: true
     state: started
 
-- name: Configure nginx
-  template:
-    src: nginx/sites-available/wiki.j2
-    dest: /etc/nginx/sites-available/wiki
-  notify: Restart nginx
-
-- name: Activate nginx site
-  file:
-    src: /etc/nginx/sites-available/wiki
-    dest: /etc/nginx/sites-enabled/wiki
-    state: link
-  notify: Restart nginx
-
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2
diff --git a/roles/moinmoin/templates/nginx/sites-available/wiki.j2 b/roles/moinmoin/templates/nginx/sites-available/wiki.j2
deleted file mode 100644
index 4c7482f0..00000000
--- a/roles/moinmoin/templates/nginx/sites-available/wiki.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-{{ ansible_header | comment }}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name wiki.adm.crans.org;
-
-    access_log /var/log/nginx/wiki.log combined;
-    error_log /var/log/nginx/wiki.error.log;
-
-    # Redirect to home page
-    rewrite ^/$ $scheme://wiki.crans.org/PageAccueil;
-
-    # Limit uploads
-    client_max_body_size 15M;
-
-    # MoinMoin paths
-    location /wiki/ { alias /var/local/wiki/htdocs/; }
-    location /robots.txt { alias /var/local/wiki/robots.txt; }
-    location /favicon.ico { alias /var/local/wiki/favicon.ico; }
-    location /www-sitemap.xml { alias /var/local/wiki/www-sitemap.xml; }
-
-    location / {
-        uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket;
-        include uwsgi_params;
-    }
-
-    set_real_ip_from 172.16.10.0/24;
-    set_real_ip_from fd00:0:0:10::/64;
-    real_ip_header X-Real-Ip;
-}
-- 
GitLab