majic-ansible-roles Changeset

Changeset - d26fe0368a4b

Parent rev.

Child rev.

[Not reviewed]

0 5 0

Branko Majic (branko) - 9 years ago 2015-05-29 19:09:58
branko@majic.rs

MAR-5: Updated php and wsgi website roles to include set-up website-specific TLS configuration for Nginx (including separate TLS key/certificate if necessary).

5 files changed with 67 insertions and 7 deletions:

docs/rolereference.rst

roles/php_website/tasks/main.yml

roles/php_website/templates/nginx_site.j2

roles/wsgi_website/tasks/main.yml

roles/wsgi_website/templates/nginx_site.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -916,6 +916,7 @@ The role implements the following: @@
 * Adds website administrator to website's group, so administrator could manage
   the code and data.
 * Installs additional packages required for running the role (as configured).
 * Deploys the HTTPS TLS private key and certificate (for website vhost).
 * Configures PHP FPM and nginx to serve the website.
 The role is implemented with the following layout/logic in mind:
@@ @@ -965,6 +966,14 @@ Parameters @@
   succession, until the first match, or until it runs out of matches, when a
   client requests an URI pointing to directory. Default is ``index.php``.
 **https_tls_certificate** (string, mandatory)
   Path to file on Ansible host that contains the X.509 certificate used for TLS
   for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 **https_tls_key** (string, mandatory)
   Path to file on Ansible host that contains the private key used for TLS for
   HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 **php_file_regex** (string, optional)
   Regular expression used for determining which file should be interepted via
   PHP. Default is ``\.php$``.
@@ @@ -1020,6 +1029,8 @@ running *ownCloud* and *The Bug Genie* applications): @@
         - php5-json
         - php5-mysql
         - php5-curl
       https_tls_key: "{{ inventory_dir }}/tls/cloud.example.com_https.key"
       https_tls_certificate: "{{ inventory_dir }}/tls/cloud.example.com_https.pem"
     - role: php_website
       admin: admin
       deny_files_regex:
@@ @@ -1028,7 +1039,8 @@ running *ownCloud* and *The Bug Genie* applications): @@
         - ^(.*) /index.php?url=$1
       fqdn: tbg.example.com
       uid: 2007
       https_tls_key: "{{ inventory_dir }}/tls/tbg.example.com_https.key"
       https_tls_certificate: "{{ inventory_dir }}/tls/tbg.example.com_https.pem"
 WSGI Website
@@ @@ -1058,6 +1070,7 @@ The role implements the following: @@
 * Installs additional packages required for running the role in Python virtual
   environment (as configured).
 * Configures systemd to run the website code (using Gunicorn)
 * Deploys the HTTPS TLS private key and certificate (for website vhost).
 * Configures nginx to serve the website (static files served directly, requests
   passed on to Gunicorn).
@@ @@ -1103,6 +1116,14 @@ Parameters @@
   for calculating the user/group name for dedicated website user, as well as
   home directory of the website user (where data/code should be stored at).
 **https_tls_certificate** (string, mandatory)
   Path to file on Ansible host that contains the X.509 certificate used for TLS
   for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 **https_tls_key** (string, mandatory)
   Path to file on Ansible host that contains the private key used for TLS for
   HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 **packages** (list, optional)
   A list of additional packages to install for this particular WSGI
   website. This is usually going to be development libraries for building Python
@@ @@ -1147,8 +1168,6 @@ running a bare Django project): @@
 .. code-block:: yaml
     ---
     - role: wsgi_website
       admin: admin
       fqdn: django.example.com
@@ @@ -1159,3 +1178,5 @@ running a bare Django project): @@
       virtualenv_packages:
         - django
       wsgi_application: django_example_com.wsgi:application
       https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key"
       https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem"

roles/php_website/tasks/main.yml

➞

Show inline comments

@@ @@ -32,6 +32,18 @@ @@
   notify:
     - Restart php5-fpm
 - name: Deploy nginx TLS private key for website
   copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
         mode=640 owner=root group=root
   notify:
     - Restart nginx
 - name: Deploy nginx TLS certificate for website
   copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
         mode=644 owner=root group=root
   notify:
     - Restart nginx
 - name: Deploy nginx configuration file for website
   template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
             owner=root group=root mode=640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"

roles/php_website/templates/nginx_site.j2

➞

Show inline comments

 server {
     # Base settings.
     listen 80;
     root {{ home }}/htdocs/;
     index {{ index }};
     server_name {{ fqdn }};
     # HTTP (plaintext) configuration.
     listen 80;
     # HTTPS (TLS) configuration.
     listen 443 ssl;
     listen [::]:443 ssl;
     ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
     ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
     {% if rewrites -%}
     # Generic URL rewrites.
     {% for rewrite in rewrites -%}

roles/wsgi_website/tasks/main.yml

➞

Show inline comments

@@ @@ -81,6 +81,18 @@ @@
   file: path="{{ home }}/htdocs/" state=directory
         owner="{{ admin }}" group="{{ user }}" mode="2750"
 - name: Deploy nginx TLS private key for website
   copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
         mode=640 owner=root group=root
   notify:
     - Restart nginx
 - name: Deploy nginx TLS certificate for website
   copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
         mode=644 owner=root group=root
   notify:
     - Restart nginx
 - name: Deploy nginx configuration file for website
   template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}"
             owner=root group=root mode=640 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"

roles/wsgi_website/templates/nginx_site.j2

➞

Show inline comments

 server {
     listen 80;
     # Base settings.
     root {{ home }}/htdocs/;
     server_name {{ fqdn }};
     # HTTP (plaintext) configuration.
     listen 80;
     # HTTPS (TLS) configuration.
     listen 443 ssl;
     listen [::]:443 ssl;
     ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
     ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
     {% if rewrites -%}
     # Site rewrites.
     {% for rewrite in rewrites -%}

0 comments (0 inline, 0 general)