From: gnunet
Subject: [taler-ansible-taler-exchange] branch master updated: improve nginx deployment, letsencrypt setups
Date: Mon, 16 Dec 2024 01:41:53 +0100
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository ansible-taler-exchange.
The following commit(s) were added to refs/heads/master by this push:
new b22bf06 improve nginx deployment, letsencrypt setups
b22bf06 is described below
commit b22bf069faa3982c602752b82e747ab3343bd126
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Mon Dec 16 01:41:51 2024 +0100
improve nginx deployment, letsencrypt setups
---
README | 15 +++-
TODO | 9 +--
playbooks/setup.yml | 1 +
playbooks/test-secrets.yml | 3 +
roles/auditor/tasks/main.yml | 26 ++++++-
.../etc/nginx/sites-available/auditor-http.conf.j2 | 19 ++++++
.../nginx/sites-available/auditor-nginx.conf.j2 | 28 +-------
roles/challenger/tasks/main.yml | 64 +++++++++++++++---
.../sites-available/email-challenger-http.conf.j2 | 20 ++++++
.../sites-available/email-challenger-nginx.conf.j2 | 29 +-------
.../sites-available/postal-challenger-http.conf.j2 | 19 ++++++
...-nginx.conf => postal-challenger-nginx.conf.j2} | 30 +-------
.../sites-available/sms-challenger-http.conf.j2 | 20 ++++++
.../sites-available/sms-challenger-nginx.conf.j2 | 30 +-------
roles/common_packages/tasks/main.yml | 7 ++
roles/exchange/tasks/main.yml | 23 +++++--
.../nginx/sites-available/exchange-http.conf.j2 | 19 ++++++
.../nginx/sites-available/exchange-nginx.conf.j2 | 29 +-------
roles/monitoring/tasks/main.yml | 79 ++++++++++++++++++++++
.../nginx/sites-available/monitoring-http.conf.j2 | 19 ++++++
.../nginx/sites-available/monitoring-nginx.conf.j2 | 55 +++++++++++++++
.../files/etc/nginx/conf.d/log-format-apm.conf | 9 +++
roles/webserver/tasks/main.yml | 8 +++
23 files changed, 407 insertions(+), 154 deletions(-)
diff --git a/README b/README
index f9245de..77627a1 100644
--- a/README
+++ b/README
@@ -1,11 +1,24 @@
# Ansible Taler Playbooks
+## Installing dependencies
+
+First, install the prometheus collection using:
+
+$ ansible-galaxy collection install prometheus.prometheus
+
+
## Running the Playbook
To run the main playbook (playbooks/setup.yml):
```
-$ ansible-playbook --verbose --inventory <host>, --user root
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
+$ ansible-playbook --verbose --inventory <host> --user root
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
+```
+
+For example, if you are root@taler-ops.ch, you may be able to:
+
+```
+$ ansible-playbook --verbose --inventory inventories/tops --user root
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
```
Instead of specifying the host(s) as arguments (note the trailing comma!)
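Review bot: dropping the trailing comma from `--inventory <host>,` breaks the generic example while the sentence right below it still says "note the trailing comma!". Without the comma, ansible-playbook treats `<host>` as the path of an inventory file rather than a host name; the comma is exactly what makes a bare host name work, and the `inventories/tops` example is the file-based form, so the two commands are not interchangeable. Keep `--inventory <host>,` in the first command (or rewrite the sentence that follows). The new "Installing dependencies" section should also list `ansible-galaxy role install geerlingguy.certbot`, since the auditor, exchange, challenger and monitoring roles all include that role and a fresh checkout fails without it.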
diff --git a/TODO b/TODO
index a09fc1c..63fea3c 100644
--- a/TODO
+++ b/TODO
@@ -2,11 +2,12 @@
- setup postfix role (needed for email-challenger)
=> https://github.com/FoxyRoles/ansible-dkim seems about right!
-@TBD (#9352)
-- setup prometheus-nginx-exporter, postgres-exporter, node-exporter,
- systemd_exporter, possibly alertmanager
+@TBD (#9352)2
+- postgres prometheus exporter setup is incomplete: postgres part (access!) is
missing
- setup loki log aggregator
-- setup HTTPS reverse proxy for the above, limit access using basic auth!
+- setup HTTPS reverse proxy loki
+- check limit access using basic auth to prometheus exporters
+ => right now uses Bearer token. Is that OK?
----
@LATER:
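Review bot: `@TBD (#9352)2` has a stray `2` after the issue reference; presumably `@TBD (#9352)` was meant. On the open question "right now uses Bearer token. Is that OK?": Prometheus can present a bearer token natively through `authorization: { type: Bearer, credentials: ... }` (or the older `bearer_token`) in a `scrape_config`, so the scheme works without basic auth, provided the monitoring vhost really terminates TLS so the token never travels in the clear.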
diff --git a/playbooks/setup.yml b/playbooks/setup.yml
index 4185209..e3bc890 100644
--- a/playbooks/setup.yml
+++ b/playbooks/setup.yml
@@ -9,6 +9,7 @@
- libeufin-nexus
- exchange
- auditor
+ - monitoring
# Note that we ONLY define those variables here that are NOT
# secrets. For secrets, test-secrets.yml contains a template.
vars:
diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
index 6bd2f3e..4efedf7 100644
--- a/playbooks/test-secrets.yml
+++ b/playbooks/test-secrets.yml
@@ -21,3 +21,6 @@ EXCHANGE_KYCAID_ACCESS_TOKEN: FIXME
# Bearer access token for the auditor
AUDITOR_ACCESS_TOKEN: secret-token:FIXME
+
+# Bearer access token for monitoring
+PROMETHEUS_ACCESS_TOKEN: secret-token:FIXME
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml
index bc4a9e5..7c058f4 100644
--- a/roles/auditor/tasks/main.yml
+++ b/roles/auditor/tasks/main.yml
@@ -18,7 +18,15 @@
path: "/etc/taler-auditor"
state: directory
-- name: Ensure Taler exchange virtualhost configuration file exists
+- name: Ensure Taler letsencrypt auditor dir exists from installation
+ file:
+ path: "/var/www/letsencrypt/auditor.{{ DOMAIN_NAME
}}/.well-known/acme-challenge/"
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: 0755
+
+- name: Ensure Taler auditor virtualhost configuration file exists
template:
src: templates/etc/nginx/sites-available/auditor-nginx.conf.j2
dest: "/etc/nginx/sites-available/auditor-nginx.conf"
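Review bot: the ACME webroot is created with `owner: www-data`, `group: www-data` and mode 0755, which gives the nginx worker user write access to `.well-known/acme-challenge/`. nginx only needs to read that directory; the challenge files are written by certbot, which runs as root here (the play is run with `--user root`). A compromised worker process that can write into the challenge directory can complete HTTP-01 validations and obtain certificates for `auditor.{{ DOMAIN_NAME }}`. Use `owner: root` with `group: www-data` and mode 0755 so the web server can only read. The task name "Ensure Taler letsencrypt auditor dir exists from installation" is also hard to parse; "Ensure letsencrypt webroot for the auditor exists" says what it does.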
@@ -27,6 +35,22 @@
mode: 0644
notify: restart nginx
+- name: Ensure Taler auditor HTTP virtualhost configuration file exists
+ template:
+ src: templates/etc/nginx/sites-available/auditor-http.conf.j2
+ dest: "/etc/nginx/sites-available/auditor-http.conf"
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart nginx
+
+- name: Enable Taler HTTP auditor reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/auditor-http.conf
+ dest: /etc/nginx/sites-enabled/auditor-http.conf
+ state: link
+ notify: restart nginx
+
- name: Secure the auditor site with Letsencrypt
ansible.builtin.include_role:
name: geerlingguy.certbot
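Review bot: the HTTP vhost is linked into sites-enabled with `notify: restart nginx`, but handlers only run at the end of the play, so when `geerlingguy.certbot` performs its webroot challenge a few tasks later nginx is still serving the previous configuration and the `/.well-known/acme-challenge/` location for `auditor.{{ DOMAIN_NAME }}` is not live yet. On a fresh host the first certificate request therefore fails. Add `- meta: flush_handlers` between "Enable Taler HTTP auditor reverse proxy configuration" and "Secure the auditor site with Letsencrypt". A `reload` would also be enough for a configuration change; a full restart drops in-flight connections to the auditor.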
diff --git
a/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2
b/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2
new file mode 100644
index 0000000..637bd32
--- /dev/null
+++ b/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2
@@ -0,0 +1,19 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name auditor.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/auditor.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
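Review bot: the redirect echoes the client-supplied `Host` header via `$host`. Because `server_name` is explicit this block is only selected when the name matches, so the exposure is small, but `return 301 https://$server_name$request_uri;` removes the reflection entirely and costs nothing; the same applies to the other four port-80 templates in this commit.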
diff --git
a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
index b468e1d..451b128 100644
--- a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
+++ b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
@@ -1,20 +1,3 @@
-server {
-
- listen 80;
- listen [::]:80;
-
- server_name auditor.{{ DOMAIN_NAME }};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/auditor.{{ DOMAIN_NAME }};
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
server {
listen 443;
@@ -41,15 +24,10 @@ server {
keepalive_requests 1000000;
keepalive_timeout 6500s;
- # Redirect non-https traffic to https
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- }
+ if ($http_user_agent ~*
"Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451
; }
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }};
- }
+ error_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}.log apm;
location / {
# Most of the API we will put behind simple access control for now.
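Review bot: with the `if ($scheme != "https")` redirect removed, nothing in this server block guards against plain HTTP on port 443 any more, and the `listen 443;` / `listen [::]:443;` lines at the top of the file carry no `ssl` parameter. nginx only enables TLS on a listening socket when `listen ... ssl;` (or the old `ssl on;`) is present; otherwise `ssl_certificate` is ignored and the socket speaks cleartext HTTP, which is presumably why the `$scheme` check existed. Verify that the part of the file outside this hunk sets `ssl`, or change the listen lines to `listen 443 ssl;` and `listen [::]:443 ssl;`. Separately, the removed `root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }}` was the email challenger's webroot pasted into the auditor config; moving challenge handling into auditor-http.conf.j2 with the correct path fixes that.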
diff --git a/roles/challenger/tasks/main.yml b/roles/challenger/tasks/main.yml
index d0a5acc..2156f08 100644
--- a/roles/challenger/tasks/main.yml
+++ b/roles/challenger/tasks/main.yml
@@ -225,10 +225,18 @@
group: root
mode: 0644
-- name: Enable SMS challenger reverse proxy configuration
+- name: Place SMS challenger HTTP Nginx configuration
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/sms-challenger-http.conf.j2
+ dest: /etc/nginx/sites-available/sms-challenger-http.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable SMS challenger HTTP reverse proxy configuration
file:
- src: /etc/nginx/sites-available/sms-challenger-nginx.conf
- dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf
+ src: /etc/nginx/sites-available/sms-challenger-http.conf
+ dest: /etc/nginx/sites-enabled/sms-challenger-http.conf
state: link
notify: restart nginx
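Review bot: "Place SMS challenger HTTP Nginx configuration" writes the template but carries no `notify: restart nginx`, and the link task below it only changes (and therefore only notifies) when the symlink is first created. Once the link exists, later edits to the template are written to disk without nginx ever reloading, so the running configuration silently drifts from what the play reports. Add `notify: restart nginx` to the template task, as the auditor role does for its `auditor-http.conf` template.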
@@ -240,10 +248,18 @@
group: root
mode: 0644
-- name: Enable email challenger reverse proxy configuration
+- name: Place email challenger HTTP Nginx configuration
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/email-challenger-http.conf.j2
+ dest: /etc/nginx/sites-available/email-challenger-http.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable email challenger HTTP reverse proxy configuration
file:
- src: /etc/nginx/sites-available/email-challenger-nginx.conf
- dest: /etc/nginx/sites-enabled/email-challenger-nginx.conf
+ src: /etc/nginx/sites-available/email-challenger-http.conf
+ dest: /etc/nginx/sites-enabled/email-challenger-http.conf
state: link
notify: restart nginx
@@ -255,14 +271,19 @@
group: root
mode: 0644
-- name: Enable postal challenger reverse proxy configuration
- file:
- src: /etc/nginx/sites-available/postal-challenger-nginx.conf
- dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf
- state: link
+- name: Place postal challenger HTTP Nginx configuration
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/postal-challenger-http.conf.j2
+ dest: /etc/nginx/sites-available/postal-challenger-http.conf
owner: root
group: root
mode: 0644
+
+- name: Enable postal challenger HTTP reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/postal-challenger-http.conf
+ dest: /etc/nginx/sites-enabled/postal-challenger-http.conf
+ state: link
notify: restart nginx
- name: Secure the SMS challenger site with Letsencrypt
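Review bot: "Secure the SMS challenger site with Letsencrypt" follows these tasks directly, but the `restart nginx` handler they notify does not run until the end of the play, so the three `*-challenger-http.conf` vhosts enabled above are not being served when certbot performs the HTTP-01 webroot challenges. On a first run certbot gets whatever nginx currently answers for `/.well-known/acme-challenge/` on those names and fails. Insert `- meta: flush_handlers` before the first certbot include.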
@@ -335,3 +356,24 @@
- webroot: "/var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }}"
domains:
- "postal.challenger.{{ DOMAIN_NAME }}"
+
+- name: Enable SMS challenger reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/sms-challenger-nginx.conf
+ dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf
+ state: link
+ notify: restart nginx
+
+- name: Enable email challenger reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/email-challenger-nginx.conf
+ dest: /etc/nginx/sites-enabled/email-challenger-nginx.conf
+ state: link
+ notify: restart nginx
+
+- name: Enable postal challenger reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/postal-challenger-nginx.conf
+ dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf
+ state: link
+ notify: restart nginx
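Review bot: enabling the three TLS vhosts only after certbot has run is the right order, since nginx refuses to start when `ssl_certificate` points at a file that does not exist yet; but there is no guard, so if any of the certbot includes fails the symlink is still created and the end-of-play restart takes down every vhost on the host, including the HTTP ones that were working. Consider a `stat` on `/etc/letsencrypt/live/<name>/fullchain.pem` with `when: ... .stat.exists` on each link task. The three tasks are identical apart from the name; a single task looping over `sms`, `email` and `postal` would let that guard be written once.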
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2
b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2
new file mode 100644
index 0000000..ac6ca7a
--- /dev/null
+++
b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2
@@ -0,0 +1,20 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name email.challenger.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+}
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2
b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2
index 2cc5109..1944cd2 100644
---
a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2
+++
b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2
@@ -1,21 +1,3 @@
-server {
-
- listen 80;
- listen [::]:80;
-
- server_name email.challenger.{{ DOMAIN_NAME }};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }};
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-
-}
-
server {
listen 443;
@@ -41,15 +23,10 @@ server {
keepalive_requests 10000;
keepalive_timeout 650s;
- # Redirect non-https traffic to https
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- }
+ if ($http_user_agent ~*
"Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451
; }
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }};
- }
+ error_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}.log apm;
location / {
proxy_pass http://unix:/var/run/challenger-email/challenger-http.sock;
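Review bot: `access_log ... apm;` references a log format that is only defined in `/etc/nginx/conf.d/log-format-apm.conf`, which the webserver role installs. Every vhost template in this commit therefore depends on the webserver role having run on the same host first; if this role is applied on its own, or the `conf.d/*.conf` include is ever removed from nginx.conf, `nginx -t` fails with an unknown log format and the restart handler leaves nginx down. Document the role ordering in playbooks/setup.yml or make the webserver role a dependency of the roles that use `apm`.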
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2
b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2
new file mode 100644
index 0000000..38d0037
--- /dev/null
+++
b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2
@@ -0,0 +1,19 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name postal.challenger.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf
b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2
similarity index 62%
rename from
roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf
rename to
roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2
index 17a5ffb..ccd7f19 100644
---
a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf
+++
b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2
@@ -1,21 +1,3 @@
-server {
-
- listen 80;
- listen [::]:80;
-
- server_name postal.challenger.{{ DOMAIN_NAME }};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }};
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-
server {
listen 443;
@@ -41,16 +23,8 @@ server {
keepalive_requests 10000;
keepalive_timeout 650s;
-
- # Redirect non-https traffic to https
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- }
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }};
- }
+ error_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}.log apm;
location / {
proxy_pass http://unix:/var/run/challenger-postal/challenger-http.sock;
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2
b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2
new file mode 100644
index 0000000..8871e1c
--- /dev/null
+++
b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2
@@ -0,0 +1,20 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name sms.challenger.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/sms.challenger.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+}
diff --git
a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
index f29718f..aff062f 100644
---
a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
+++
b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
@@ -1,22 +1,3 @@
-server {
-
- listen 80;
- listen [::]:80;
-
- server_name sms.challenger.{{ DOMAIN_NAME }};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/sms.challenger.{{ DOMAIN_NAME }};
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-
-}
-
-
server {
listen 443;
@@ -42,15 +23,8 @@ server {
keepalive_requests 10000;
keepalive_timeout 650s;
- # Redirect non-https traffic to https
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- }
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/sms.challenger.{{ DOMAIN_NAME }};
- }
+ error_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}.log apm;
location / {
proxy_pass http://unix:/var/run/challenger-sms/challenger-http.sock;
diff --git a/roles/common_packages/tasks/main.yml
b/roles/common_packages/tasks/main.yml
index e9f2264..bdcb3fa 100644
--- a/roles/common_packages/tasks/main.yml
+++ b/roles/common_packages/tasks/main.yml
@@ -73,5 +73,12 @@
- sudo
- uuid-runtime
- wget
+ - openssl
state: latest
when: ansible_os_family == 'Debian'
+
+- name: create dhparam.pem
+ command: openssl dhparam -out dhparam.pem 4096
+ args:
+ chdir: /etc/ssl/private/
+ creates: /etc/ssl/private/dhparam.pem
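Review bot: `openssl dhparam -out dhparam.pem 4096` can take many minutes on a small VM and blocks the play on first run. It cannot simply be dropped, because the cipher lists in the vhosts include `EDH+AESGCM` and `AES256+EDH`, so the parameters are actually used for DHE handshakes. The usual alternative is to install the fixed RFC 7919 `ffdhe4096` group (what Mozilla's server-side TLS guidance uses) instead of generating a fresh modulus: it is not weaker and takes no time. If generation is kept, `community.crypto.openssl_dhparam` is the idiomatic module and is idempotent without the `creates:` trick. `/etc/ssl/private/` works only because the nginx master reads `ssl_dhparam` as root before dropping privileges; the parameters are not secret and could live in `/etc/ssl/` instead.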
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
index 82a0bf1..1bf4441 100644
--- a/roles/exchange/tasks/main.yml
+++ b/roles/exchange/tasks/main.yml
@@ -20,10 +20,18 @@
group: root
mode: 0644
-- name: Enable Taler exchange reverse proxy configuration
+- name: Ensure Taler exchange HTTP virtualhost configuration file exists
+ template:
+ src: templates/etc/nginx/sites-available/exchange-http.conf.j2
+ dest: /etc/nginx/sites-available/exchange-http.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable Taler exchange HTTP reverse proxy configuration
file:
- src: /etc/nginx/sites-available/exchange-nginx.conf
- dest: /etc/nginx/sites-enabled/exchange-nginx.conf
+ src: /etc/nginx/sites-available/exchange-http.conf
+ dest: /etc/nginx/sites-enabled/exchange-http.conf
state: link
notify: restart nginx
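Review bot: the new template task for `exchange-http.conf` has no `notify: restart nginx`, while the `file` task it displaces did; the link task that follows only notifies when the symlink is created, so once it exists a later change to exchange-http.conf.j2 lands on disk without nginx reloading. Add `notify: restart nginx` to the template task (the auditor role's equivalent task has it).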
@@ -50,6 +58,13 @@
domains:
- "exchange.{{ DOMAIN_NAME }}"
+- name: Enable Taler exchange reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/exchange-nginx.conf
+ dest: /etc/nginx/sites-enabled/exchange-nginx.conf
+ state: link
+ notify: restart nginx
+
- name: Ensure /etc/taler-exchange/config.d/ directory exists
file:
path: "/etc/taler-exchange/conf.d/"
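Review bot: moving the `exchange-nginx.conf` link after the certbot include is correct, because nginx will not start while `ssl_certificate` points at a missing `/etc/letsencrypt/live/exchange.{{ DOMAIN_NAME }}/fullchain.pem`; but the task has no condition, so if certbot fails the link is still created and the end-of-play restart takes every site on the host down. Guard it with a `stat` on the fullchain and `when: ... .stat.exists`, or register the certbot result. Unrelated but visible in the context: the next task is named "Ensure /etc/taler-exchange/config.d/ directory exists" while the path it creates is `/etc/taler-exchange/conf.d/`.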
@@ -117,7 +132,7 @@
- name: Ensure taler-exchange service is enabled and started
service:
- deamon_reload: true
+ daemon_reload: true
name: taler-exchange.target
state: started
enabled: true
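Review bot: good catch; `deamon_reload` is not a parameter of the `service` module, so Ansible rejected this task with an unsupported-parameter error and `taler-exchange.target` was never enabled or started by this play before the fix.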
diff --git
a/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2
b/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2
new file mode 100644
index 0000000..d0fd016
--- /dev/null
+++ b/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2
@@ -0,0 +1,19 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name exchange.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/exchange.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
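Review bot: this is the fifth copy of the same 19-line port-80 server block, differing only in the host name (`auditor`, `sms.challenger`, `email.challenger`, `postal.challenger`, `exchange`, and `monitoring` makes six). One `http-redirect.conf.j2` under roles/webserver, templated with the vhost name as a variable, would remove the duplication and make future changes to the redirect or the challenge location a one-file edit.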
diff --git
a/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2
b/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2
index 26baba9..f8f98cb 100644
--- a/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2
+++ b/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2
@@ -1,21 +1,3 @@
-server {
-
- listen 80;
- listen [::]:80;
-
- server_name exchange.{{ DOMAIN_NAME }};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/exchange.{{ DOMAIN_NAME }};
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-
server {
listen 443;
@@ -41,15 +23,10 @@ server {
keepalive_requests 1000000;
keepalive_timeout 6500s;
- # Redirect non-https traffic to https
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- }
+ if ($http_user_agent ~*
"Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451
; }
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/letsencrypt/exchange.{{ DOMAIN_NAME }};
- }
+ error_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}.log apm;
location / {
proxy_pass http://unix:/var/run/taler/exchange-httpd/exchange-http.sock;
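Review bot: the `~*` match is case-insensitive and the alternatives `AI` and `GPT` have no word boundaries, so any User-Agent containing the substring "ai" or "gpt" is refused with 451, for example the Sailfish or KaiOS browsers, and the exchange's own clients (wallets, merchant backends, the auditor) stay reachable only as long as no such substring appears in their UA string. Anchor the generic tokens (`\bAI\b`, `\bGPT\b`) or drop them and keep the named crawlers. `451 Unavailable For Legal Reasons` is also a misleading status for a crawler block; 403 states the intent. Note that the port-80 vhost in exchange-http.conf.j2 has no such `if`, so ACME challenges are unaffected.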
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
new file mode 100644
index 0000000..dab66a6
--- /dev/null
+++ b/roles/monitoring/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: Deploy prometheus-nginx exporter
+ include_role:
+ name: prometheus.prometheus.nginx_exporter
+ vars:
+ nginx_exporter_web_listen_address: 127.0.0.1:9113
+
+- name: Deploy prometheus-node exporter
+ include_role:
+ name: prometheus.prometheus.node_exporter
+ vars:
+ node_exporter_web_listen_address: 127.0.0.1:9114
+
+- name: Deploy prometheus-postgres exporter
+ include_role:
+ name: prometheus.prometheus.postgres_exporter
+ vars:
+ postgres_exporter_web_listen_address: 127.0.0.1:9115
+ postgres_exporter_username: exporter
+ postgres_exporter_password: secret
+
+- name: Deploy prometheus-systemd exporter
+ include_role:
+ name: prometheus.prometheus.systemd_exporter
+ vars:
+ systemd_exporter_web_listen_address: 127.0.0.1:9116
+
+- name: Ensure Taler monitoring virtualhost configuration file exists
+ template:
+ src: templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
+ dest: /etc/nginx/sites-available/monitoring-nginx.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Ensure Taler monitoring HTTP virtualhost configuration file exists
+ template:
+ src: templates/etc/nginx/sites-available/monitoring-http.conf.j2
+ dest: /etc/nginx/sites-available/monitoring-http.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable Taler monitoring HTTP reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/monitoring-http.conf
+ dest: /etc/nginx/sites-enabled/monitoring-http.conf
+ state: link
+ notify: restart nginx
+
+- name: Secure the monitoring site with Letsencrypt
+ ansible.builtin.include_role:
+ name: geerlingguy.certbot
+ vars:
+ certbot_install_method: package
+ certbot_auto_renew: true
+ certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER'))
}}"
+ certbot_auto_renew_hour: "11"
+ certbot_auto_renew_minute: "11"
+ certbot_auto_renew_options: "--quiet"
+ certbot_create_method: webroot
+ certbot_create_if_missing: true
+ certbot_create_extra_args:
+ certbot_hsts: false
+ certbot_testmode: true
+ certbot_admin_email: "admin@{{ DOMAIN_NAME }}"
+ certbot_keep_updated: true
+ certbot_script: letsencrypt
+ certbot_certs:
+ - webroot: "/var/www/letsencrypt/monitoring.{{ DOMAIN_NAME }}"
+ domains:
+ - "exchange.{{ DOMAIN_NAME }}"
+
+- name: Enable Taler monitoring reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/monitoring-nginx.conf
+ dest: /etc/nginx/sites-enabled/monitoring-nginx.conf
+ state: link
+ notify: restart nginx
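Review bot: `certbot_certs` requests a certificate for `exchange.{{ DOMAIN_NAME }}` using the monitoring webroot, while monitoring-nginx.conf.j2 loads `/etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME }}/fullchain.pem`; the `domains:` entry should be `monitoring.{{ DOMAIN_NAME }}` (copied from the exchange role). As written, the exchange role has typically already obtained that certificate, `certbot_create_if_missing` skips it, nothing is ever created under `live/monitoring.…/`, and the end-of-play nginx restart fails. Further: `postgres_exporter_password: secret` is a literal credential in a tracked tasks file; move it into test-secrets.yml next to `PROMETHEUS_ACCESS_TOKEN` (the TODO already says the postgres side is incomplete). `certbot_testmode: true` yields a staging certificate that Prometheus will reject unless its scrape config sets `insecure_skip_verify`. No task creates `/var/www/letsencrypt/monitoring.{{ DOMAIN_NAME }}`, unlike the auditor role, and a `meta: flush_handlers` is needed before the certbot include so the HTTP vhost is actually served during the challenge.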
diff --git
a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2
b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2
new file mode 100644
index 0000000..c3abdd7
--- /dev/null
+++
b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2
@@ -0,0 +1,19 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name monitoring.{{ DOMAIN_NAME }};
+
+ error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.err;
+ access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.log;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt/monitoring.{{ DOMAIN_NAME }};
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git
a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
new file mode 100644
index 0000000..ff067df
--- /dev/null
+++
b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
@@ -0,0 +1,55 @@
+server {
+
+ listen 443;
+ listen [::]:443;
+
+ # Do not identify as nginx
+ server_tokens off;
+ server_name monitoring.{{ DOMAIN_NAME }};
+
+ ssl_certificate /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME
}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME
}}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME
}}/chain.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_dhparam /etc/ssl/private/dhparam.pem;
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;
preload";
+
+ error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.err;
+ access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.log;
+
+ location = /nginx/ {
+ # Put API behind simple access control. TODO: check Prometheus can do
this!
+ if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ proxy_pass http://127.0.0.1:9113/;
+ }
+
+ location = /node/ {
+ # Put API behind simple access control. TODO: check Prometheus can do
this!
+ if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ proxy_pass http://127.0.0.1:9114/;
+ }
+
+ location = /postgres/ {
+ # Put API behind simple access control. TODO: check Prometheus can do
this!
+ if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ proxy_pass http://127.0.0.1:9115/;
+ }
+
+ location = /systemd/ {
+ # Put API behind simple access control. TODO: check Prometheus can do
this!
+ if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {
+ return 401;
+ }
+ proxy_pass http://127.0.0.1:9116/;
+ }
+}
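Review bot: `listen 443;` and `listen [::]:443;` have no `ssl` parameter and there is no `ssl on;` in the block, so nginx serves cleartext HTTP on port 443 here and every scrape sends `Authorization: Bearer {{ PROMETHEUS_ACCESS_TOKEN }}` in the clear; the `ssl_certificate` lines take effect only once the listen directives read `listen 443 ssl;` and `listen [::]:443 ssl;`. Second, `location = /nginx/` is an exact match and `proxy_pass http://127.0.0.1:9113/` maps it to `/` on the exporter, which is the exporter's landing page; the metrics are served at `/metrics`, and `/nginx/metrics` matches no location at all (there is no `location /`), so a scrape gets 404. Use a prefix location (`location /nginx/ { proxy_pass http://127.0.0.1:9113/; }`) with `metrics_path: /nginx/metrics` on the Prometheus side, or `location = /nginx/metrics { proxy_pass http://127.0.0.1:9113/metrics; }`; the same applies to `/node/`, `/postgres/` and `/systemd/`. On the four "TODO: check Prometheus can do this!" comments: it can, via `authorization: { type: Bearer, credentials_file: ... }` (or `bearer_token`) in `scrape_config`, so the `if` checks can stay; a single `map $http_authorization $prom_ok` at http level would avoid repeating the secret in four places.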
diff --git a/roles/webserver/files/etc/nginx/conf.d/log-format-apm.conf
b/roles/webserver/files/etc/nginx/conf.d/log-format-apm.conf
new file mode 100644
index 0000000..180720c
--- /dev/null
+++ b/roles/webserver/files/etc/nginx/conf.d/log-format-apm.conf
@@ -0,0 +1,9 @@
+# Define log format where we also log latencies.
+log_format apm '”$time_local” client=$remote_addr '
+ 'method=$request_method request=”$request” '
+ 'request_length=$request_length '
+ 'status=$status bytes_sent=$bytes_sent '
+ 'body_bytes_sent=$body_bytes_sent '
+ 'upstream_addr=$upstream_addr '
+ 'upstream_status=$upstream_status '
+ 'request_time=$request_time';
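Review bot: the quotes around `$time_local` and `$request` are typographic right double quotes (U+201D), not ASCII `"`, almost certainly from a copy-paste; nginx accepts them and writes the UTF-8 bytes into every log line, but parsers and `grep '"'` expecting ASCII quotes will not match. Replace them with plain `"` (inside a single-quoted nginx string no escaping is needed). Since the comment says the point of the format is latency, `$upstream_response_time` next to `$request_time` would separate proxy time from upstream time, and `$http_user_agent` is worth logging now that the vhosts refuse requests by User-Agent, so whoever investigates a 451 can see what was blocked.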
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
index 4156fad..8ec0998 100644
--- a/roles/webserver/tasks/main.yml
+++ b/roles/webserver/tasks/main.yml
@@ -24,6 +24,14 @@
path: /etc/nginx/sites-enabled/default
state: absent
+- name: Setup extended log format
+ copy:
+ src: etc/nginx/conf.d/log-format-apm.conf
+ dest: /etc/nginx/conf.d/log-format-apm.conf
+ owner: root
+ group: root
+ mode: 0644
+
- name: Ensure Nginx service is enabled and started
service:
name: nginx
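Review bot: the copy task has no `notify: restart nginx`. On a fresh host that does not matter, because the vhost link tasks trigger the handler anyway, but a later change to log-format-apm.conf alone would be written to disk and never reach the running server. Add the notify; a `reload nginx` handler would be sufficient for configuration changes and avoid dropping connections on the exchange.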