Add proxy in front

2022-01-04 23:25:26 +01:00
parent 27c8961fef
commit 29f6e0fbd9
7 changed files with 187 additions and 105 deletions
--- a/db.yml
+++ b/db.yml
@ -0,0 +1,40 @@
+- name: Install packages database server
+  command: "bastille pkg {{jails['database'].name}} install -y mariadb105-server"
+  register: pkg_command
+  failed_when: pkg_command.stderr != ""
+
+- name: Set bind port for mariadb
+  lineinfile:
+    regex: "^port"
+    line: "port = {{database.port}}" 
+    path: "/usr/local/bastille/jails/{{jails['database'].name}}/root/usr/local/etc/mysql/my.cnf"
+
+- name: sysrc enable mariadb
+  command: "bastille sysrc {{jails['database'].name}} mysql_enable='YES'"
+
+- name: start mariadb server
+  command: "bastille service {{jails['database'].name}} mysql-server restart"
+
+- name: "mariadb: remove anonymous users"
+  command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.user WHERE user=''\""
+
+- name: "mariadb: Disallow root login remotely"
+  command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.global_priv WHERE user='root' AND host NOT IN ('localhost', '127.0.0.1', '::1')\""
+
+- name: "mariadb: Drop database test"
+  command: "bastille cmd {{jails['database'].name}} mysql -e \"DROP DATABASE IF EXISTS test\""
+
+- name: "mariadb: Remove privileges on database test"
+  command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.db WHERE SUBSTR(db, 4) == 'test' and user=''\""
+
+
+- name: "mariadb: create database for wordpress"
+  command: "bastille cmd {{jails['database'].name}} mysqladmin create {{database.dbname}}"
+
+- name: "mariadb: Create a database user for wordpress"
+  command: "bastille cmd {{jails['database'].name}} mysql -e \"GRANT ALL PRIVILEGES ON {{database.dbname}}.* TO '{{database.username}}'@'{{jails['webserver'].ip}}' IDENTIFIED BY '{{database.password}}'\""
+
+- name: "mariadb: Flush privileges"
+  command: "bastille cmd {{jails['database'].name}} mysqladmin flush-privileges"
+
+
--- a/inventory.yml
+++ b/inventory.yml
@ -0,0 +1,36 @@
+all:
+  vars:
+    jails:
+      webserver:
+          name: wp1xx
+          fbsd_version: 13.0-RELEASE
+          ip: 192.168.0.33
+          host_interface: em0
+
+      database:
+        name: db1xx
+        fbsd_version: 13.0-RELEASE
+        ip: 192.168.0.34
+        host_interface: em0
+
+      proxy:
+        name: proxy1xx
+        fbsd_version: 13.0-RELEASE
+        ip: 192.168.0.35
+        host_interface: em0
+
+
+    database:
+      port: 3307
+      dbname: wordpress_playground
+      username: wordpress_playground
+      password: secret password
+
+    website:
+      name: wordpress_playground
+      port: 82
+      external_hostname: mysite.localhost
+      email: some@email.ad
+
+    skip_create_jail: false
+
--- a/proxy.yml
+++ b/proxy.yml
@ -0,0 +1,33 @@
+- name: Install packages proxy server
+  command: "bastille pkg {{jails['proxy'].name}} install -y nginx py38-certbot-nginx"
+
+- name: Enable weekly_certbot
+  lineinfile:
+    regex: "^weekly_certbot_enable="
+    line: "weekly_certbot_enable=YES"
+    path: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/etc/periodic.conf"
+    create: true
+
+- name: "create sites-enabled directory"
+  command: "bastille cmd {{jails['proxy'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
+
+- name: "nginx: configure website"
+  template:
+    src: proxy.conf.j2
+    dest: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
+
+
+- name: update nginx.conf to include sites-enabled
+  lineinfile:
+    insertbefore: "}"
+    line: "    include sites-enabled/*.conf;"
+    path: "/usr/local/bastille/jails/{{jails['proxy'].name}}/root/usr/local/etc/nginx/nginx.conf"
+
+- name: "nginx: enable nginx service"
+  command: "bastille sysrc {{jails['proxy'].name}} nginx_enable='YES'"
+
+- name: "nginx: start nginx service"
+  command: "bastille service {{jails['proxy'].name}} nginx restart"
+
+- name: Generate certificates
+  command: "bastille cmd {{jails['proxy'].name}} sh -c 'certbot --nginx -m {{website.email}} -n --agree-tos --domains {{website.external_hostname}}'"
--- a/site.yml
+++ b/site.yml
@ -3,39 +3,12 @@
 - name: Playbook for Wordpress
  hosts: localhost
  become: true
-  vars:
-    jails:
-      webserver:
-          name: wp1xx
-          fbsd_version: 13.0-RELEASE
-          ip: 192.168.0.33
-          host_interface: em0
-
-      database:
-        name: db1xx
-        fbsd_version: 13.0-RELEASE
-        ip: 192.168.0.34
-        host_interface: em0
-
-    database:
-      port: 3307
-      dbname: wordpress
-      username: wordpress
-      password: secret password
-
-    website:
-      name: wordpress_playground
-      port: 82
-
-    skip_create_jail: false
  vars_prompt:
    - name: ansible_become_password
      prompt: "Enter sudo password: "
      private: true

  tasks:
-
-          
    - name: Find existing jails
      become: true
      shell: |
@ -67,82 +40,8 @@
      when: skip_create_jail==0
      loop: "{{jails|dict2items}}"

-    - name: Install packages on webserver
-      command: "bastille pkg {{jails['webserver'].name}} install -y nginx wordpress \
-                php74-mbstring php74-dom php74-openssl php74-filter php74-iconv"
-
-    - name: Install packages database server
-      command: "bastille pkg {{jails['database'].name}} install -y mariadb105-server"
-
-    - name: Set bind port for mariadb
-      lineinfile:
-        regex: "^port"
-        line: "port = {{database.port}}" 
-        path: "/usr/local/bastille/jails/{{jails['database'].name}}/root/usr/local/etc/mysql/my.cnf"
-
-    - name: sysrc enable mariadb
-      command: "bastille sysrc {{jails['database'].name}} mysql_enable='YES'"
-
-    - name: start mariadb server
-      command: "bastille service {{jails['database'].name}} mysql-server restart"
-
-    - name: "mariadb: remove anonymous users"
-      command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.user WHERE user=''\""
-
-    - name: "mariadb: Disallow root login remotely"
-      command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.global_priv WHERE user='root' AND host NOT IN ('localhost', '127.0.0.1', '::1')\""
-
-    - name: "mariadb: Drop database test"
-      command: "bastille cmd {{jails['database'].name}} mysql -e \"DROP DATABASE IF EXISTS test\""
-
-    - name: "mariadb: Remove privileges on database test"
-      command: "bastille cmd {{jails['database'].name}} mysql -e \"DELETE FROM mysql.db WHERE SUBSTR(db, 4) == 'test' and user=''\""
-
-
-    - name: "mariadb: create database for wordpress"
-      command: "bastille cmd {{jails['database'].name}} mysqladmin create {{database.dbname}}"
-
-    - name: "mariadb: Create a database user for wordpress"
-      command: "bastille cmd {{jails['database'].name}} mysql -e \"GRANT ALL PRIVILEGES ON {{database.dbname}}.* TO '{{database.username}}'@'{{jails['webserver'].ip}}' IDENTIFIED BY '{{database.password}}'\""
-
-    - name: "mariadb: Flush privileges"
-      command: "bastille cmd {{jails['database'].name}} mysqladmin flush-privileges"
-
-    - name: "php: create php.ini"
-      command: "bastille cmd {{jails['webserver'].name}} cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini"
-
-    - name: "php enable php-fpm service"
-      command: "bastille sysrc {{jails['webserver'].name}} php_fpm_enable='YES'"
-
-    - name: "php start php-fpm service"
-      command: "bastille service {{jails['webserver'].name}} php-fpm start"
-
-    - name: "nginx: create sites-enabled directory"
-      command: "bastille cmd {{jails['webserver'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
-
-    - name: "nginx: configure website"
-      template:
-        src: wordpress.conf.j2
-        dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
-
-    - name: "nginx: configure nginx.conf to include sites-enabled directory"
-      lineinfile:
-        insertbefore: "}"
-        line: "    include sites-enabled/*.conf;"
-        path: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/nginx.conf"
-
-    - name: "nginx: enable nginx service"
-      command: "bastille sysrc {{jails['webserver'].name}} nginx_enable='YES'"
-
-    - name: "nginx: start nginx service"
-      command: "bastille service {{jails['webserver'].name}} nginx restart"
-
-    - name: "copy wordpress folder for new website"
-      command: "bastille cmd {{jails['webserver'].name}} cp -R /usr/local/www/wordpress /usr/local/www/{{website.name}}"
-      when: website.name != 'wordpress'
-
-    - name: "wordpress: create wp-config.php"
-      template:
-        src: wp-config.php.j2
-        dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/www/{{website.name}}/wp-config.php"
+    - import_tasks: db.yml
+    - import_tasks: webserver.yml
+      tags: webserver
+    - import_tasks: proxy.yml

--- a/templates/proxy.conf.j2
+++ b/templates/proxy.conf.j2
@ -0,0 +1,11 @@
+server {
+	server_name {{website.external_hostname}};
+	location / {
+		proxy_pass http://{{jails.webserver.ip}}:{{website.port}};
+		proxy_set_header Host $host:$server_port;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Host $host;
+		proxy_set_header X-Forwarded-Port $server_port;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}
+}
--- a/templates/wp-config.php.j2
+++ b/templates/wp-config.php.j2
@ -79,6 +79,22 @@ $table_prefix = 'wp_';
 */
 define( 'WP_DEBUG', false );

+if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
+	$_SERVER['HTTPS']='on';
+	$_SERVER['SERVER_PORT']=443;
+}
+
+if ( isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
+	$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
+	define('WP_SITEURL', 'https://{{website.external_hostname}}');
+	define('WP_HOME', 'https://{{website.external_hostname}}');
+}else{
+	define('WP_SITEURL', "http://{$_SERVER['HTTP_HOST']}");
+	define('WP_HOME', "http://{$_SERVER['HTTP_HOST']}");
+}
+
+
+
 /* That's all, stop editing! Happy publishing. */

 /** Absolute path to the WordPress directory. */
--- a/webserver.yml
+++ b/webserver.yml
@ -0,0 +1,47 @@
+- name: Install packages on webserver
+  command: "bastille pkg {{jails['webserver'].name}} install -y nginx wordpress \
+            php74-mbstring php74-dom php74-openssl php74-filter php74-iconv"
+
+
+- name: "php: create php.ini"
+  command: "bastille cmd {{jails['webserver'].name}} cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini"
+
+- name: "php enable php-fpm service"
+  command: "bastille sysrc {{jails['webserver'].name}} php_fpm_enable='YES'"
+
+- name: "php start php-fpm service"
+  command: "bastille service {{jails['webserver'].name}} php-fpm start"
+
+- name: "nginx: create sites-enabled directory"
+  command: "bastille cmd {{jails['webserver'].name}} mkdir /usr/local/etc/nginx/sites-enabled"
+
+- name: "nginx: configure website"
+  template:
+    src: wordpress.conf.j2
+    dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/sites-enabled/{{website.name}}.conf"
+
+- name: "nginx: configure nginx.conf to include sites-enabled directory"
+  lineinfile:
+    insertbefore: "}"
+    line: "    include sites-enabled/*.conf;"
+    path: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/etc/nginx/nginx.conf"
+
+- name: "nginx: enable nginx service"
+  command: "bastille sysrc {{jails['webserver'].name}} nginx_enable='YES'"
+
+- name: "nginx: start nginx service"
+  command: "bastille service {{jails['webserver'].name}} nginx restart"
+
+- name: "copy wordpress folder for new website"
+  command: "bastille cmd {{jails['webserver'].name}} cp -R /usr/local/www/wordpress /usr/local/www/{{website.name}}"
+
+- name: "wordpress: create wp-config.php"
+  template:
+    src: wp-config.php.j2
+    dest: "/usr/local/bastille/jails/{{jails['webserver'].name}}/root/usr/local/www/{{website.name}}/wp-config.php"
+  when: website.name != 'wordpress'
+
+- name: Set owner:group on website directory
+  command: bastille cmd {{jails['webserver'].name}} chown -R www:www /usr/local/www/{{website.name}}
+
+