From e47d8e1040c63f0d931aa2cc03547f48c68f5518 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Wed, 15 Jun 2016 03:58:08 +0200
Subject: [PATCH] Add proper modular nginx role and a dbscripts specific config

---
 playbooks/orion.yml                       |  3 +-
 roles/dbscripts/files/dbscripts.htpasswd  |  6 ++++
 roles/dbscripts/tasks/main.yml            |  8 +++++
 roles/dbscripts/templates/nginx.d.conf.j2 | 42 +++++++++++++++++++++++
 roles/nginx/handlers/main.yml             |  4 +++
 roles/nginx/tasks/main.yml                | 21 ++++++++++++
 roles/nginx/templates/nginx.conf.j2       | 21 ++++++++++++
 7 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 roles/dbscripts/files/dbscripts.htpasswd
 create mode 100644 roles/dbscripts/templates/nginx.d.conf.j2
 create mode 100644 roles/nginx/handlers/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/templates/nginx.conf.j2

diff --git a/playbooks/orion.yml b/playbooks/orion.yml
index 7907f4ae7..4a768e9f2 100644
--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -12,5 +12,6 @@
     - { role: opendkim, dkim_selector: orion }
     - { role: postfix}
     - archusers
-    - dbscripts
+    - nginx
+    - { role: dbscripts, repos_domain: "repos.archlinux.org" }
     - sudo
diff --git a/roles/dbscripts/files/dbscripts.htpasswd b/roles/dbscripts/files/dbscripts.htpasswd
new file mode 100644
index 000000000..a63cd2ae1
--- /dev/null
+++ b/roles/dbscripts/files/dbscripts.htpasswd
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+37613433353765373835616636316630623836316464626530333165643665383438356561613164
+6437326361383366636634353961633932646333343337620a383532633039663235323334386638
+62376235346133313233393662633766376234613136356231366238653431306336343961313730
+6230613130313731310a616465383536653830336333353234376265653263613532366564353132
+39666538613236306465313837306234363764373530353766663135386264646437
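Review bot: The hash format of the entries cannot be reviewed here because the file is vault-encrypted, and nothing in the role says how they were generated; nginx's auth_basic hands the hash to crypt(3), so the scheme depends on what the generator emitted (`htpasswd -m` apr1/MD5 is still the common default, stronger crypt variants only work if the host's libcrypt supports them). A one-line comment on the task that installs it, or a README note in the role, stating the generator command (e.g. `htpasswd -B` or the `-5`/`-m` flag used) would let the next rotation use the same scheme and be checked for weak hashes.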
diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 33dc53c0a..8194729db 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -18,6 +18,14 @@
 - name: set up sudoers.d for special users
   copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=600
 
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=644
+  notify:
+    - restart nginx
+
+- name: put dbscripts.htpasswd in place
+  copy: src=dbscripts.htpasswd dest=/etc/nginx/auth/dbscripts.htpasswd owner=root group=http mode=640
+
 - name: create Arch Linux-specific users
   user:
     name: "{{ item.key }}"
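Review bot: Both added tasks write into /etc/nginx/nginx.d and /etc/nginx/auth and notify a handler that the nginx role creates, but that dependency is only expressed by role order in playbooks/orion.yml; declaring it in `roles/dbscripts/meta/main.yml` as `dependencies: [nginx]` makes the role safe to apply on its own and documents why nginx must come first. The htpasswd copy correctly carries no notify, since nginx reads the user file on each request, and `owner=root group=http mode=640` keeps the hashes readable only by the worker user. The vaulted `src` relies on the Ansible version on the control host decrypting vault-encrypted files inside `copy`; worth confirming, since an older release would ship the ciphertext as-is and every login would fail closed. The task list continues outside the hunk.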
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
new file mode 100644
index 000000000..53da46e39
--- /dev/null
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -0,0 +1,42 @@
+server {
+    listen       80 default_server;
+    listen       [::];
+    server_name  {{ repos_domain }};
+    root         /srv/ftp;
+
+    satisfy  any;
+
+    location /lastupdate {
+        allow all;
+    }
+
+    # Server at velocitynet
+    allow  66.211.214.130; # dom0.archlinux.org.
+    allow  66.211.214.131; # gudrun.archlinux.org.
+    allow  66.211.214.132; # gerolde.archlinux.org.
+    allow  2001:470:1f10:717::2/128; # gerolde's tunnel IP
+
+    # Thomas' home
+    #allow  87.193.186.180; # port-87-193-186-180.static.qsc.de.
+    allow  2001:1a80:3026::/48;
+
+    # orion.archlinux.org
+    allow  88.198.91.70;
+    allow  2a01:4f8:160:6087::1;
+
+    # brynhild.archlinux.org
+    allow  176.9.18.112;
+    allow  2a01:4f8:150:1261::2;
+
+    # alberich.archlinux.org
+    allow 216.151.172.98;
+
+    # allison.archlinux.de
+    allow  144.76.107.12;
+    allow  2a01:4f8:192:520b::2;
+
+    auth_basic            "Restricted";
+    auth_basic_user_file  auth/dbscripts.htpasswd;
+
+    autoindex  on;
+}
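Review bot: `auth_basic` is the only gate for clients outside the allow list, yet the server listens on port 80 only, so those passwords cross the network base64-encoded in the clear on every request; unless TLS is terminated in front of this host (nothing in the patch shows that), add a `listen 443 ssl` server and redirect or refuse the plaintext listener, or drop `satisfy any` and keep the IP allow list as the sole control. The allow list has no closing `deny all;`, so the unlisted-IP path relies on the access module falling through to auth rather than on an explicit rule; adding `deny all;` after the last `allow` states the intent and still yields 401 for unlisted clients under `satisfy any`. `listen [::];` omits the port and `default_server` that the IPv4 line carries; `listen [::]:80 default_server;` keeps the two consistent. The hard-coded address list, including a commented-out home IP and a /48 home range, would be easier to audit and rotate as a role variable (e.g. `dbscripts_allowed_hosts`) looped in the template.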
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 000000000..82c6f07c0
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart nginx
+  service: name=nginx state=restarted
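Review bot: `state=restarted` drops in-flight downloads and, if a templated config is syntactically bad, leaves nginx stopped until someone intervenes; `state=reloaded` swaps workers gracefully and, on a broken config, nginx keeps serving with the old configuration instead of dying. That only works if the install tasks actually start the service (`state=started`), since a reload has no running master to signal otherwise; as written the nginx role only enables it. If the handler name is kept, the change is just `service: name=nginx state=reloaded`, so the two `notify` lists in this patch need no edit.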
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 000000000..ae4f43131
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: install nginx
+  pacman: name=nginx-mainline state=present
+
+- name: configure nginx
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=644
+  notify:
+    - restart nginx
+
+- name: create nginx.d directory
+  file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=755
+
+- name: create auth directory
+  file: state=directory path=/etc/nginx/auth owner=root group=root mode=755
+
+- name: create default nginx log directory
+  file: state=directory path=/var/log/nginx/default owner=http group=log mode=750
+
+- name: enable nginx
+  service: name=nginx enabled=yes
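Review bot: The final task only enables nginx at boot and never starts it, so on a fresh host the service comes up only because the template task happens to change and fire the restart handler; a run interrupted after the config is already in place, or a host where nginx was stopped by hand, stays down. Use `service: name=nginx state=started enabled=yes`. The template task also has no `validate=`, so a syntax error in nginx.conf.j2 reaches the restart handler and takes the service down; `validate='nginx -t -c %s'` on that task rejects a bad file before it is installed (relative `include` paths resolve against the compiled-in prefix, so the check works from the temp path). The 0755 root:root `auth` directory is fine as long as each file inside carries its own restrictive mode, as dbscripts.htpasswd does.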
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 000000000..d7cf03dbd
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,21 @@
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+    client_max_body_size 16M;
+
+    index  index.php index.html index.htm;
+
+    access_log   /var/log/nginx/default/access.log;
+    error_log    /var/log/nginx/default/error.log;
+
+    include nginx.d/*.conf;
+}
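Review bot: Nothing in the http block turns off version disclosure, so every response and error page carries the exact nginx build in the Server header; add `server_tokens off;` next to `sendfile on;`. There is no `user` directive either, so the worker identity comes from the package's compiled-in default; the tasks that chown the log directory and htpasswd to `http` presumably rely on Arch building nginx with that user, which is worth pinning with an explicit `user http;` above `worker_processes`. `index index.php index.html index.htm;` names a PHP index although nothing in this patch configures PHP, likely carried over from another host; trimming it to `index index.html index.htm;` avoids implying a handler that does not exist.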
-- 
GitLab