From 01bfd0d436d65abcd98195884514a616ed05c05d Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Wed, 16 Dec 2020 22:22:53 -0300
Subject: [PATCH 1/6] roles/maintenance: Add set up custom nginx task

Added a task that sets a custom nginx maintenance mode template, if the calling role sets the service_nginx_template variable. This allows for much greater flexibility, while putting the responsibility of actually setting the maintenance mode on the calling role.
---
 roles/maintenance/tasks/main.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/roles/maintenance/tasks/main.yml b/roles/maintenance/tasks/main.yml
index a6cc4300..31e9a77a 100644
--- a/roles/maintenance/tasks/main.yml
+++ b/roles/maintenance/tasks/main.yml
@@ -17,7 +17,17 @@
 group: root
 mode: 0644
 notify: reload nginx
- when: maintenance is defined and maintenance|bool
+ when: service_nginx_template is not defined and maintenance is defined and maintenance|bool
+
+- name: set up custom nginx maintenance mode
+ template:
+ src: "{{ service_nginx_template }}"
+ dest: "{{ service_nginx_conf }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
+ when: service_nginx_template is defined and maintenance is defined and maintenance|bool
 
 - name: create the 503 html file
 template:
-- 
GitLab
From 9b72f90976b50a93471e66807d9ee7984b03ead5 Mon Sep 17 00:00:00 2001
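Review bot: The new task is a copy of the preceding one with only `src` changed, so the two `when:` clauses (`service_nginx_template is not defined …` and `… is defined …`) now have to be kept complementary by hand; a single template task whose `src` reads `{{ service_nginx_template | default('<existing default template>') }}` would remove the duplication (the preceding task's `src:` line is above the hunk, so the default name is not visible here). The new `mode: 0644` is an unquoted octal, which ansible-lint's risky-octal rule flags; `mode: "0644"` is the safe spelling, even though it would then differ from the existing context line two lines up. The first task shown in the hunk starts above it.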
From: Giancarlo Razzolini
Date: Thu, 17 Dec 2020 00:08:46 -0300
Subject: [PATCH 2/6] roles/archweb: Add the service_nginx_template variable and fix when the maintenance mode should run

Configured the variable for the custom nginx template used on maintenance mode. It is important that this template handles the maintenance on it's own. Also, the maintenance mode was running on gemini, even though archweb_site is false there. Add a check for archweb_site, to make sure the maintenance mode only runs on the machine hosting the site.
---
 roles/archweb/tasks/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 3384dea1..4c03e5f9 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -7,7 +7,8 @@
 service_domain: "{{ archweb_domain }}"
 service_alternate_domains: "{{ archweb_alternate_domains }}"
 service_nginx_conf: "{{ archweb_nginx_conf }}"
- when: maintenance is defined
+ service_nginx_template: "maintenance-nginx.d.conf.j2"
+ when: maintenance is defined and archweb_site
 
 - name: install required packages
 pacman: name=git,python-setuptools,python-psycopg2,llvm-libs,uwsgi-plugin-python state=present
-- 
GitLab
From 80bef6b3fe20ddb7e91dd45b19f8a3db14666a1d Mon Sep 17 00:00:00 2001
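Review bot: `when: maintenance is defined and archweb_site` raises an undefined-variable error on any host where `archweb_site` is not set at all, and a string value such as `"false"` coming from inventory would evaluate as true; `when: maintenance is defined and archweb_site | default(false) | bool` avoids both, unless the variable is guaranteed to be a real boolean in the role defaults, which this hunk cannot show. The enclosing task that carries these `service_*` vars starts above the hunk.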
From: Giancarlo Razzolini
Date: Thu, 17 Dec 2020 00:11:46 -0300
Subject: [PATCH 3/6] roles/archweb: Add the custom nginx template for maintenance mode

This template is very similar to the regular archweb nginx one with a few notable differences:
- Regardless of the domain, everything will go to the main domain
- It allows the network manager check to pass
- It will use the ip address of the person running the role, and exempt only that ip address from hitting the maintenance page. Everybody else should see the maintenance page.
---
 .../templates/maintenance-nginx.d.conf.j2 | 168 ++++++++++++++++++
 1 file changed, 168 insertions(+)
 create mode 100644 roles/archweb/templates/maintenance-nginx.d.conf.j2

diff --git a/roles/archweb/templates/maintenance-nginx.d.conf.j2 b/roles/archweb/templates/maintenance-nginx.d.conf.j2
new file mode 100644
index 00000000..a8105879
--- /dev/null
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -0,0 +1,168 @@
+upstream archweb {
+ server unix:///run/uwsgi/archweb.sock;
+}
+
+{% if service_alternate_domains %}
+{% for domain in service_alternate_domains %}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location / {
+ access_log off;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;
+
+ location / {
+ access_log off;
+ return 301 https://{{ service_domain }};
+ }
+}
+{% endfor %}
+
+server {
+{% else %}
+
+server {
+{% endif %}
+ listen 80;
+ listen [::]:80;
+ server_name {{ service_domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ include snippets/letsencrypt.conf;
+
+ location /check_network_status.txt {
+ access_log off;
+ add_header Cache-Control "max-age=0, must-revalidate";
+ return 200 'NetworkManager is online';
+ }
+
+ location / {
+ access_log off;
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ service_domain }};
+
+ access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+ error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;
+
+ error_page 503 /503.html;
+
+ location /.well-known/matrix/server {
+ add_header Content-Type application/json;
+ return 200 '{"m.server": "{{ matrix_domain }}:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';
+ }
+
+ location /robots.txt {
+ alias {{ archweb_dir }}/archlinux.org/robots.txt;
+ }
+
+ location /humans.txt {
+ alias {{ archweb_dir }}/archlinux.org/humans.txt;
+ }
+
+ location /google7827eadf026b4a87.html {
+ alias {{ archweb_dir }}/archlinux.org/google7827eadf026b4a87.html;
+ }
+
+ location /BingSiteAuth.xml {
+ alias {{ archweb_dir }}/archlinux.org/BingSiteAuth.xml;
+ }
+
+ location /favicon.ico {
+ alias {{ archweb_dir }}/collected_static/favicon.ico;
+ }
+
+ location /pacman {
+ alias {{ archweb_dir }}/archlinux.org/pacman/;
+ }
+
+ location /netcfg {
+ alias {{ archweb_dir }}/archlinux.org/netcfg/;
+ }
+
+ location /logos {
+ alias {{ archweb_dir }}/archlinux.org/logos/;
+ }
+
+ location ~ ^/iso/(.*\.(iso|img|tar\.gz|sfs)$) {
+ deny all;
+ }
+
+ location /iso {
+ alias {{ archweb_rsync_iso_dir }};
+ }
+
+ # Cache django's css, js and png files.
+ location /static {
+ expires 30d;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ alias {{ archweb_dir }}/collected_static;
+ }
+
+ location /img {
+ alias {{ archweb_dir }}/media/img;
+ }
+
+ location /retro {
+ alias {{ archweb_retro_dir }};
+ }
+
+ if ($remote_addr = {{ maintenance_remote_machine }}) {
+ set $maintenance_remote_machine true;
+ }
+
+ location / {
+ include uwsgi_params;
+
+ if ($maintenance_remote_machine = true) {
+ access_log /var/log/nginx/{{ archweb_domain }}/access.log main;
+ uwsgi_pass archweb;
+ }
+
+ return 503;
+ }
+
+ location = /503.html {
+ root {{ maintenance_http_dir }}/{{ service_domain }};
+ }
+}
-- 
GitLab
From 780dc16d886bf82f7d650c69721957ba9ad30187 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Thu, 17 Dec 2020 00:18:15 -0300
Subject: [PATCH 4/6] roles/archweb: Fix typo on the custom nginx maintenance template

---
 roles/archweb/templates/maintenance-nginx.d.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/archweb/templates/maintenance-nginx.d.conf.j2 b/roles/archweb/templates/maintenance-nginx.d.conf.j2
index a8105879..ea170000 100644
--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -158,7 +158,7 @@ server {
 access_log /var/log/nginx/{{ archweb_domain }}/access.log main;
 uwsgi_pass archweb;
 }
- 
+
 return 503;
 }
 
-- 
GitLab
From bf6853478615b53c3bf10ef2667c3b194031022b Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Thu, 17 Dec 2020 00:21:22 -0300
Subject: [PATCH 5/6] roles/archweb: Add the missing break parameter

Added the missing break; parameter to allow the maintenace remote machine in.
---
 roles/archweb/templates/maintenance-nginx.d.conf.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/archweb/templates/maintenance-nginx.d.conf.j2 b/roles/archweb/templates/maintenance-nginx.d.conf.j2
index ea170000..7122122b 100644
--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
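Review bot: Both branches of `{% if service_alternate_domains %} … {% else %} … {% endif %}` end by emitting the same `server {` line, so the `{% else %}` branch is redundant; closing the loop with `{% endfor %}` / `{% endif %}` and writing `server {` once afterwards renders identically and is easier to follow. In the alternate-domain HTTPS block the redirect is `return 301 https://{{ service_domain }};`, which drops `$request_uri`, while the HTTP block for the same domain keeps it — if sending everyone to the main domain's root is intended, a one-line comment there would stop the next reader from treating it as an oversight. The allow-list `if ($remote_addr = {{ maintenance_remote_machine }})` compares the TCP peer address, so it only does what the commit message describes when the operator reaches nginx directly (no reverse proxy in front), and a variable that renders empty leaves an unparsable `if` that makes the reload fail; neither point is visible in this hunk, so it is worth confirming where and how the variable is set.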
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -157,6 +157,7 @@ server {
 if ($maintenance_remote_machine = true) {
 access_log /var/log/nginx/{{ archweb_domain }}/access.log main;
 uwsgi_pass archweb;
+ break;
 }
 
 return 503;
-- 
GitLab
From f40c23c04ed18dfea1d00a5187c1cdd35bd69f2c Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini
Date: Thu, 17 Dec 2020 09:23:30 -0300
Subject: [PATCH 6/6] docs/maintenance: Add section on custom nginx template

Added some documentation regarding the service_nginx_template variable and the implications of using it.
---
 docs/maintenance.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/maintenance.md b/docs/maintenance.md
index 44323743..c703c99f 100644
--- a/docs/maintenance.md
+++ b/docs/maintenance.md
@@ -46,3 +46,12 @@ as a variable, to make sure the right file is used. This causes the regular nginx configuration to only be applied when there is no maintenance variable on the command line.
+
+# Adding a custom maintenance mode nginx template
+
+The maintenance role can also use a custom nginx template, if the service_nginx_template variable is
+set alongside the other vars when including the maintenance role, it will look up first on the maintenance
+role template directory and then on the calling role template directory for the specified template.
+
+Since this is a completely custom file, it is the job of this file of putting the service into maintenance
+mode. The maintenance role will provide the 503 file and create the directories.
-- 
GitLab
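Review bot: The added `break;` is what makes the allow-list work at all — without it the rewrite-phase `return 503;` below still runs after `uwsgi_pass` has been selected — but nothing in the file records that, and `uwsgi_pass` inside an `if` in a `location` is the pattern nginx's own documentation cautions about, so a later clean-up could easily drop the line again. A comment directly above it such as `# break: end rewrite-phase processing here so the return 503 below is not reached for the allow-listed address` would pin the intent. The enclosing `location /` block starts above the hunk.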