Merge branch 'ping' into 'master'

"Move" NM connectivity check file to a subdomain Closes #239 See merge request !311

Merge branch 'ping' into 'master'
498d5304 · Jelle van der Waa · 36bf4ef1 · fabccd0f · 498d5304 · 498d5304
Commit 498d5304 authored 4 years ago by Jelle van der Waa
--- a/docs/servers.md
+++ b/docs/servers.md
@@ -127,6 +127,7 @@ Medium-fast-ish packet.net Arch Linux box.

 ### Services
  - Redirects (nginx redirects)
+  - ping

 ## security.archlinux.org


--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -13,3 +13,4 @@
    - { role: redirects }
    - { role: prometheus_exporters }
    - { role: hardening }
+    - { role: ping }
--- a/roles/ping/defaults/main.yml
+++ b/roles/ping/defaults/main.yml
+ping_domain: 'ping.archlinux.org'
--- a/roles/ping/tasks/main.yml
+++ b/roles/ping/tasks/main.yml
+---
+- name: create ssl cert
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ ping_domain }}"]
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ ping_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/ping.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
--- a/roles/ping/templates/nginx.d.conf.j2
+++ b/roles/ping/templates/nginx.d.conf.j2
+server {
+    # We don't redirect to HTTPS because a redirect is considered a captive portal.
+    listen       80;
+    listen       [::]:80;
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ ping_domain }};
+
+    access_log   /var/log/nginx/{{ ping_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ ping_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ ping_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ ping_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ ping_domain }}/chain.pem;
+
+    default_type text/plain;
+
+    location = / {
+        return 200 'This domain is used for connectivity checking (captive portal detection).\n';
+    }
+
+    # https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
+    location /nm-check.txt {
+        access_log off;
+        add_header Cache-Control "max-age=0, must-revalidate";
+        return 200 'NetworkManager is online\n';
+    }
+
+    location / {
+        access_log off;
+        return 404;
+    }
+}
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -284,6 +284,7 @@ locals {
    ipxe          = { value = "www" }
    mailman       = { value = "redirect" }
    packages      = { value = "www" }
+    ping          = { value = "redirect" }
    planet        = { value = "www" }
    projects      = { value = "luna" }
    repos         = { value = "gemini" }