From 29f6e0fbd9b64df1caa19de379f20ffbba6e69b5 Mon Sep 17 00:00:00 2001
From: Erik Gustafson
Date: Tue, 4 Jan 2022 23:25:26 +0100
Subject: [PATCH] Add proxy in front
---
 db.yml | 40 ++++++++++++++
 inventory.yml | 36 ++++++++++++
 proxy.yml | 33 +++++++++++
 site.yml | 109 ++-----------------------------------
 templates/proxy.conf.j2 | 11 ++++
 templates/wp-config.php.j2 | 16 ++++++
 webserver.yml | 47 ++++++++++++++++
 7 files changed, 187 insertions(+), 105 deletions(-)
 create mode 100644 db.yml
 create mode 100644 inventory.yml
 create mode 100644 proxy.yml
 create mode 100644 templates/proxy.conf.j2
 create mode 100644 webserver.yml
diff --git a/db.yml b/db.yml
new file mode 100644
index 0000000..8cd032b
--- /dev/null
+++ b/db.yml
@@ -0,0 +1,40 @@
+- name: Install packages database server
+ command: "bastille pkg {{jails['database'].name}} install -y mariadb105-server"
+ register: pkg_command
+ failed_when: pkg_command.stderr != ""
+
+- name: Set bind port for mariadb
+ lineinfile:
+ regex: "^port"
+ line: "port = {{database.port}}"
+ path: "/usr/local/bastille/jails/{{jails['database'].name}}/root/usr/local/etc/mysql/my.cnf"
+
+- name: sysrc enable mariadb
+ command: "bastille sysrc {{jails['database'].name}} mysql_enable='YES'"
+
+- name: start mariadb server
+ command: "bastille service {{jails['database'].name}} mysql-server restart"
+
+- name: "mariadb: remove anonymous users"
+ command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.user WHERE user=''\""
+
+- name: "mariadb: Disallow root login remotely"
+ command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.global_priv WHERE user='root' AND host NOT IN ('localhost', '127.0.0.1', '::1')\""
+
+- name: "mariadb: Drop database test"
+ command: "bastille cmd {{jails['database'].name}} mysql -e \"DROP DATABASE IF EXISTS test\""
+
+- name: "mariadb: Remove privileges on database test"
+ command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.db WHERE SUBSTR(db, 4) == 'test' and user=''\""
+
+
+- name: "mariadb: create database for wordpress"
+ command: "bastille cmd {{jails['database'].name}} mysqladmin create {{database.dbname}}"
+
+- name: "mariadb: Create a database user for wordpress"
+ command: "bastille cmd {{jails['database'].name}} mysql -e \"GRANT ALL PRIVILEGES ON {{database.dbname}}.* TO '{{database.username}}'@'{{jails['webserver'].ip}}' IDENTIFIED BY '{{database.password}}'\""
+
+- name: "mariadb: Flush privileges"
+ command: "bastille cmd {{jails['database'].name}} mysqladmin flush-privileges"
+
+
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..dd75d58
--- /dev/null
+++ b/inventory.yml
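Review bot: The "Create a database user" task passes `{{database.password}}` on a `bastille cmd ... mysql -e` command line, so the credential is visible in the host's process listing and in Ansible's task output and logs; add `no_log: true` to that task and feed the variable from Ansible Vault rather than a plain-text inventory value. The `mysqladmin create` and GRANT tasks exit non-zero once the database and user exist, so the play cannot be re-run; the `community.mysql` modules, or a `failed_when` that tolerates an "already exists" result, would make them idempotent. The `SUBSTR(db, 4) == 'test'` predicate uses `==`, which MariaDB does not accept as an SQL equality operator, so that statement presumably errors out; `mysql_secure_installation` uses `Db='test' OR Db='test\\_%'` for the same clean-up.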
@@ -0,0 +1,36 @@
+all:
+ vars:
+ jails:
+ webserver:
+ name: wp1xx
+ fbsd_version: 13.0-RELEASE
+ ip: 192.168.0.33
+ host_interface: em0
+
+ database:
+ name: db1xx
+ fbsd_version: 13.0-RELEASE
+ ip: 192.168.0.34
+ host_interface: em0
+
+ proxy:
+ name: proxy1xx
+ fbsd_version: 13.0-RELEASE
+ ip: 192.168.0.35
+ host_interface: em0
+
+
+ database:
+ port: 3307
+ dbname: wordpress_playground
+ username: wordpress_playground
+ password: secret password
+
+ website:
+ name: wordpress_playground
+ port: 82
+ external_hostname: mysite.localhost
+ email: some@email.ad
+
+ skip_create_jail: false
+
diff --git a/proxy.yml b/proxy.yml
new file mode 100644
index 0000000..c5893ed
--- /dev/null
+++ b/proxy.yml
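Review bot: `password: secret password` stores the MariaDB credential in clear text in a file that is committed next to the playbook; keep it out of the repository with `ansible-vault` (an inline `!vault` value or an encrypted `group_vars/all` file) or an `env` lookup. The same value is interpolated verbatim into a single-quoted SQL literal inside a shell command in db.yml, so a vaulted password containing `'` or shell metacharacters would break or alter that statement; record that constraint beside the variable, e.g. `# no quotes or shell metacharacters: used verbatim in db.yml`. `email: some@email.ad` is handed to certbot's `-m`, so it should be a mailbox that actually receives the CA's expiry notices.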
@@ -0,0 +1,33 @@
+- name: Install packages proxy server
+ command: "bastille pkg {{jails['proxy'].name}} install -y nginx py38-certbot-nginx"
+
+- name: Enable weekly_certbot
+ lineinfile:
+ regex: "^weekly_certbot_enable="
+ line: "weekly_certbot_enable=YES"
+ path: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/etc/periodic.conf"
+ create: true
+
+- name: "create sites-enabled directory"
+ command: "bastille cmd {{jails['proxy'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
+
+- name: "nginx: configure website"
+ template:
+ src: proxy.conf.j2
+ dest: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
+
+
+- name: update nginx.conf to include sites-enabled
+ lineinfile:
+ insertbefore: "}"
+ line: " include sites-enabled/*.conf;"
+ path: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/usr/local/etc/nginx/nginx.conf"
+
+- name: "nginx: enable nginx service"
+ command: "bastille sysrc {{jails['proxy'].name}} nginx_enable='YES'"
+
+- name: "nginx: start nginx service"
+ command: "bastille service {{jails['proxy'].name}} nginx restart"
+
+- name: Generate certificates
+ command: "bastille cmd {{jails['proxy'].name}} sh -c 'certbot --nginx -m {{website.email}} -n --agree-tos --domains {{website.external_hostname}}'"
diff --git a/site.yml b/site.yml
index d4ce48c..4fc33ab 100644
--- a/site.yml
+++ b/site.yml
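Review bot: The `Generate certificates` task has no `creates` guard, so every run of the play invokes `certbot --nginx ... -n` again; depending on how certbot treats the existing certificate this either re-contacts the CA for nothing or re-issues and eventually trips Let's Encrypt's duplicate-certificate rate limit, and the task reports changed every time. Guard it with the certificate certbot writes inside the jail root, e.g. `args: creates: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/usr/local/etc/letsencrypt/live/{{website.external_hostname}}/fullchain.pem"` (live-directory path to confirm on the jail). The `mkdir` for sites-enabled likewise exits non-zero once the directory exists; a `file:` task with `state: directory` on the host-side path already used by the template's `dest` is idempotent.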
@@ -3,39 +3,12 @@
 - name: Playbook for Wordpress
 hosts: localhost
 become: true
- vars:
- jails:
- webserver:
- name: wp1xx
- fbsd_version: 13.0-RELEASE
- ip: 192.168.0.33
- host_interface: em0
-
- database:
- name: db1xx
- fbsd_version: 13.0-RELEASE
- ip: 192.168.0.34
- host_interface: em0
-
- database:
- port: 3307
- dbname: wordpress
- username: wordpress
- password: secret password
-
- website:
- name: wordpress_playground
- port: 82
-
- skip_create_jail: false
 vars_prompt:
 - name: ansible_become_password
 prompt: "Enter sudo password: "
 private: true
 tasks:
-
-
 - name: Find existing jails
 become: true
 shell: |
@@ -67,82 +40,8 @@
 when: skip_create_jail==0
 loop: "{{jails|dict2items}}"
- - name: Install packages on webserver
- command: "bastille pkg {{jails['webserver'].name}} install -y nginx wordpress \
- php74-mbstring php74-dom php74-openssl php74-filter php74-iconv"
-
- - name: Install packages database server
- command: "bastille pkg {{jails['database'].name}} install -y mariadb105-server"
-
- - name: Set bind port for mariadb
- lineinfile:
- regex: "^port"
- line: "port = {{database.port}}"
- path: "/usr/local/bastille/jails/{{jails['database'].name}}/root/usr/local/etc/mysql/my.cnf"
-
- - name: sysrc enable mariadb
- command: "bastille sysrc {{jails['database'].name}} mysql_enable='YES'"
-
- - name: start mariadb server
- command: "bastille service {{jails['database'].name}} mysql-server restart"
-
- - name: "mariadb: remove anonymous users"
- command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.user WHERE user=''\""
-
- - name: "mariadb: Disallow root login remotely"
- command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.global_priv WHERE user='root' AND host NOT IN ('localhost', '127.0.0.1', '::1')\""
-
- - name: "mariadb: Drop database test"
- command: "bastille cmd {{jails['database'].name}} mysql -e \"DROP DATABASE IF EXISTS test\""
-
- - name: "mariadb: Remove privileges on database test"
- command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.db WHERE SUBSTR(db, 4) == 'test' and user=''\""
-
-
- - name: "mariadb: create database for wordpress"
- command: "bastille cmd {{jails['database'].name}} mysqladmin create {{database.dbname}}"
-
- - name: "mariadb: Create a database user for wordpress"
- command: "bastille cmd {{jails['database'].name}} mysql -e \"GRANT ALL PRIVILEGES ON {{database.dbname}}.* TO '{{database.username}}'@'{{jails['webserver'].ip}}' IDENTIFIED BY '{{database.password}}'\""
-
- - name: "mariadb: Flush privileges"
- command: "bastille cmd {{jails['database'].name}} mysqladmin flush-privileges"
-
- - name: "php: create php.ini"
- command: "bastille cmd {{jails['webserver'].name}} cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini"
-
- - name: "php enable php-fpm service"
- command: "bastille sysrc {{jails['webserver'].name}} php_fpm_enable='YES'"
-
- - name: "php start php-fpm service"
- command: "bastille service {{jails['webserver'].name}} php-fpm start"
-
- - name: "nginx: create sites-enabled directory"
- command: "bastille cmd {{jails['webserver'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
-
- - name: "nginx: configure website"
- template:
- src: wordpress.conf.j2
- dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
-
- - name: "nginx: configure nginx.conf to include sites-enabled directory"
- lineinfile:
- insertbefore: "}"
- line: " include sites-enabled/*.conf;"
- path: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/nginx.conf"
-
- - name: "nginx: enable nginx service"
- command: "bastille sysrc {{jails['webserver'].name}} nginx_enable='YES'"
-
- - name: "nginx: start nginx service"
- command: "bastille service {{jails['webserver'].name}} nginx restart"
-
- - name: "copy wordpress folder for new website"
- command: "bastille cmd {{jails['webserver'].name}} cp -R /usr/local/www/wordpress /usr/local/www/{{website.name}}"
- when: website.name != 'wordpress'
-
- - name: "wordpress: create wp-config.php"
- template:
- src: wp-config.php.j2
- dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/www/{{website.name}}/wp-config.php"
+ - import_tasks: db.yml
+ - import_tasks: webserver.yml
+ tags: webserver
+ - import_tasks: proxy.yml
diff --git a/templates/proxy.conf.j2 b/templates/proxy.conf.j2
new file mode 100644
index 0000000..f87b8ec
--- /dev/null
+++ b/templates/proxy.conf.j2
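Review bot: `tags: webserver` is set only on the `webserver.yml` import, while the jail-creation loop visible at the top of the hunk (`when: skip_create_jail==0`) and the `db.yml`/`proxy.yml` imports carry no tag, so `ansible-playbook site.yml --tags webserver` runs the in-jail web setup against a jail and database that may not exist yet. Since `import_tasks` applies its tags to every imported task, either tag the creation loop and `db.yml` as well or mark the prerequisite tasks `tags: [always]`. A comment on the import stating the intended workflow, `# --tags webserver: re-run only the web setup on an already-created jail`, would make that contract explicit.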
@@ -0,0 +1,11 @@
+server {
+ server_name {{website.external_hostname}};
+ location / {
+ proxy_pass http://{{jails.webserver.ip}}:{{website.port}};
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
diff --git a/templates/wp-config.php.j2 b/templates/wp-config.php.j2
index 788ae59..9bb4d08 100644
--- a/templates/wp-config.php.j2
+++ b/templates/wp-config.php.j2
@@ -79,6 +79,22 @@ $table_prefix = 'wp_';
 */
 define( 'WP_DEBUG', false );
+if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
+ $_SERVER['HTTPS']='on';
+ $_SERVER['SERVER_PORT']=443;
+}
+
+if ( isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
+ $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
+ define('WP_SITEURL', 'https://{{website.external_hostname}}');
+ define('WP_HOME', 'https://{{website.external_hostname}}');
+}else{
+ define('WP_SITEURL', "http://{$_SERVER['HTTP_HOST']}");
+ define('WP_HOME', "http://{$_SERVER['HTTP_HOST']}");
+}
+
+
+
 /* That's all, stop editing! Happy publishing. */
 /** Absolute path to the WordPress directory. */
diff --git a/webserver.yml b/webserver.yml
new file mode 100644
index 0000000..e9ae200
--- /dev/null
+++ b/webserver.yml
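Review bot: `proxy_set_header X-Forwarded-Host $host;` forwards whatever Host the client sent (nginx's `$host` comes from the request), and wp-config.php.j2 copies that value straight into `$_SERVER['HTTP_HOST']`; since this server block only ever fronts one name, forwarding the canonical value, `proxy_set_header X-Forwarded-Host {{website.external_hostname}};`, keeps a client-controlled host name out of the chain. The block also has no `listen` directive, so it depends on nginx's default port until certbot's nginx plugin rewrites the file; an explicit `listen 80;` makes the pre-certbot state readable from the template. A one-line header comment noting that certbot edits the rendered file in place, so the template and the live file will diverge, would help the next reader.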
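Review bot: The `else` branch builds `WP_SITEURL` and `WP_HOME` from the raw `$_SERVER['HTTP_HOST']`, so any client that reaches the webserver jail directly on `{{website.port}}` instead of through the proxy picks the site URL for that request, which is the classic host-header injection path for password-reset and canonical links; pin both constants to a fixed value in every branch, or limit the `else` case to the jail's own address. The first `if` reads `$_SERVER['HTTP_X_FORWARDED_PROTO']` without `isset()`, which raises an undefined-index notice on direct requests; `if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {` avoids it. Both forwarded headers are trusted unconditionally, so the whole block assumes the webserver jail is reachable only from the proxy jail; state that precondition above it, `// Trusts X-Forwarded-* headers: the web jail must only be reachable via the proxy jail.`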
@@ -0,0 +1,47 @@
+- name: Install packages on webserver
+ command: "bastille pkg {{jails['webserver'].name}} install -y nginx wordpress \
+ php74-mbstring php74-dom php74-openssl php74-filter php74-iconv"
+
+
+- name: "php: create php.ini"
+ command: "bastille cmd {{jails['webserver'].name}} cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini"
+
+- name: "php enable php-fpm service"
+ command: "bastille sysrc {{jails['webserver'].name}} php_fpm_enable='YES'"
+
+- name: "php start php-fpm service"
+ command: "bastille service {{jails['webserver'].name}} php-fpm start"
+
+- name: "nginx: create sites-enabled directory"
+ command: "bastille cmd {{jails['webserver'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
+
+- name: "nginx: configure website"
+ template:
+ src: wordpress.conf.j2
+ dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
+
+- name: "nginx: configure nginx.conf to include sites-enabled directory"
+ lineinfile:
+ insertbefore: "}"
+ line: " include sites-enabled/*.conf;"
+ path: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/nginx.conf"
+
+- name: "nginx: enable nginx service"
+ command: "bastille sysrc {{jails['webserver'].name}} nginx_enable='YES'"
+
+- name: "nginx: start nginx service"
+ command: "bastille service {{jails['webserver'].name}} nginx restart"
+
+- name: "copy wordpress folder for new website"
+ command: "bastille cmd {{jails['webserver'].name}} cp -R /usr/local/www/wordpress /usr/local/www/{{website.name}}"
+
+- name: "wordpress: create wp-config.php"
+ template:
+ src: wp-config.php.j2
+ dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/www/{{website.name}}/wp-config.php"
+ when: website.name != 'wordpress'
+
+- name: Set owner:group on website directory
+ command: bastille cmd {{jails['webserver'].name}} chown -R www:www /usr/local/www/{{website.name}}
+
+
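Review bot: `when: website.name != 'wordpress'` now sits on the `wp-config.php` template task rather than on the `cp -R` task it guarded before the move, so a site named `wordpress` gets no wp-config.php while the copy still runs `cp -R /usr/local/www/wordpress /usr/local/www/wordpress`, which presumably fails or copies the tree into itself; move the `when:` back onto the copy task unless skipping the config is intended. `chown -R www:www /usr/local/www/{{website.name}}` makes the entire document root writable by the user the web stack runs as, so a compromised plugin or upload could write PHP files into core and plugin directories; the usual hardening is to give `www` ownership of `wp-content` (or just `wp-content/uploads`) and leave the rest root-owned and read-only. `mkdir` and `cp -R` are plain `command` calls without `creates`, so this file is also not re-runnable.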