From 5713d3d410c465c1d2d81d3e68ebdd35cfd70990 Mon Sep 17 00:00:00 2001 From: Amritanshu Date: Tue, 2 Aug 2022 06:40:29 +0530 Subject: [PATCH] Updates --- bifrost/app/.env | 9 -- bifrost/app/Dockerfile | 14 --- bifrost/files/nginx.conf.j2 | 19 ---- bifrost/playbook.yml | 69 ----------- bifrost/readme.md | 46 -------- bifrost/vars/default.yml | 5 - bitwarden/playbook.yml | 3 +- bitwarden/vars/default.yml | 4 +- gitea/files/nginx.conf.j2 | 6 +- gitea/playbook.yml | 16 +-- nextcloud/playbook.yml | 12 +- nextcloud/web/nginx.conf | 209 +++++++++++++++++++--------------- postgres/playbook.yml | 1 + redis/playbook.yml | 1 + setup_ubuntu1804/playbook.yml | 33 ++++++ snibox/playbook.yml | 6 +- 16 files changed, 179 insertions(+), 274 deletions(-) delete mode 100644 bifrost/app/.env delete mode 100644 bifrost/app/Dockerfile delete mode 100644 bifrost/files/nginx.conf.j2 delete mode 100755 bifrost/playbook.yml delete mode 100644 bifrost/readme.md delete mode 100644 bifrost/vars/default.yml create mode 100755 setup_ubuntu1804/playbook.yml diff --git a/bifrost/app/.env b/bifrost/app/.env deleted file mode 100644 index 0edd87d..0000000 --- a/bifrost/app/.env +++ /dev/null @@ -1,9 +0,0 @@ -API_URL_BASE=https://api.digitalocean.com/v2 -API_TOKEN=daf49849af95f3a06e5e235d8ae8a56c25cf35c0c5ab4b88baa559aac45d8bb5 -HTPASSWD=/app/.htpasswd -HOST=0.0.0.0 -PORT=80 -LOG_LEVEL=info -DEBUG=true - -MODULE_NAME=bifrost.main diff --git a/bifrost/app/Dockerfile b/bifrost/app/Dockerfile deleted file mode 100644 index 6994c1b..0000000 --- a/bifrost/app/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM python:latest - -LABEL maintainer="Amritanshu " - -RUN git clone https://git.tanshu.com/tanshu/bifrost.git /app && pip install --no-cache-dir --requirement /app/requirements.txt && pip install /app - -COPY ./.env /app -WORKDIR /app/ - -ENV PYTHONPATH=/app - -EXPOSE 80 - -CMD ["python", "-m", "bifrost"] 
diff --git a/bifrost/files/nginx.conf.j2 b/bifrost/files/nginx.conf.j2 deleted file mode 100644 index 686f755..0000000 --- a/bifrost/files/nginx.conf.j2 +++ /dev/null @@ -1,19 +0,0 @@ -server { - - listen 80; - server_name {{ http_host }}; - - # set max upload size - client_max_body_size 10G; - - location / { - - proxy_set_header Host $host:$server_port; - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Forwarded-For $remote_addr; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - proxy_pass http://localhost:{{ host_port }}; - } - -} - diff --git a/bifrost/playbook.yml b/bifrost/playbook.yml deleted file mode 100755 index 84794d8..0000000 --- a/bifrost/playbook.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -################################################# -# DO Community Playbooks: Docker -################################################# ---- -- hosts: all - become: true - vars_files: - - vars/default.yml - - tasks: - - name: Copy dockerfile - synchronize: src=app dest=/tmp - - - name: Build bifrost image - docker_image: - name: bifrost:latest - build: - path: /tmp/app/ - dockerfile: /tmp/app/Dockerfile - pull: yes - state: present - source: build - - - name: ensure that .htpasswd file exists - copy: - content: "" - dest: /var/lib/bifrost/.htpasswd - force: no - - - name: Create bifrost container - docker_container: - name: bifrost - image: bifrost:latest - state: started - restart_policy: "unless-stopped" - env_file: /tmp/app/.env - published_ports: - - "127.0.0.1:{{ host_port }}:80" - volumes: - - /var/lib/bifrost/.htpasswd:/app/.htpasswd:ro - - - - name: Check if Nginx conf file exists - stat: path="/etc/nginx/sites-available/{{ http_conf }}" - register: status - - - name: No need to reload Nginx - debug: msg= {{ "No need to reload Nginx as sites-available entries have already been created" }} - - - name: Set Nginx conf file - when: status.stat.exists == false - template: - src: "files/nginx.conf.j2" - dest: "/etc/nginx/sites-available/{{ http_conf }}" - - - name: Enable new site - when: status.stat.exists == false - file: - src: "/etc/nginx/sites-available/{{ http_conf }}" - dest: "/etc/nginx/sites-enabled/{{ http_conf }}" - state: link - notify: Reload Nginx - - handlers: - - name: Reload Nginx - service: - name: nginx - state: reloaded - diff --git a/bifrost/readme.md b/bifrost/readme.md deleted file mode 100644 index f6d7ecc..0000000 --- a/bifrost/readme.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# Docker on Ubuntu 18.04 - -This playbook will install Docker an Ubuntu 18.04 machine, as explained in the guide on -[How to Use Ansible to Install and Set Up Docker on Ubuntu 18.04](https://www.digitalocean.com/community/tutorials/how-to-use-ansible-to-install-and-set-up-docker-on-ubuntu-18-04). -A number of containers will be created with the options specified in the `vars/default.yml` variable file. - -## Settings - -- `create_containers`: number of containers to create. -- `default_container_name`: default name for new containers. -- `default_container_image`: default image for new containers. -- `default_container_command`: default command to run on new containers. - - -## Running this Playbook - -Quick Steps: - -### 1. Obtain the playbook -```shell -git clone https://github.com/do-community/ansible-playbooks.git -cd ansible-playbooks/docker_ubuntu1804 -``` - -### 2. Customize Options - -```shell -nano vars/default.yml -``` - -```yml -#vars/default.yml ---- -create_containers: 4 -default_container_name: docker -default_container_image: ubuntu -default_container_command: sleep 1d -``` - -### 3. Run the Playbook - -```command -ansible-playbook -l [target] -i [inventory file] -u [remote user] playbook.yml -``` - -For more information on how to run this Ansible setup, please check this guide: [How to Use Ansible to Install and Set Up Docker on Ubuntu 18.04](https://www.digitalocean.com/community/tutorials/how-to-use-ansible-to-install-and-set-up-docker-on-ubuntu-18-04). \ No newline at end of file diff --git a/bifrost/vars/default.yml b/bifrost/vars/default.yml deleted file mode 100644 index b70293d..0000000 --- a/bifrost/vars/default.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -http_host: "bifrost.tanshu.com" -http_conf: "bifrost.tanshu.com.conf" -host_port: "8123" - diff --git a/bitwarden/playbook.yml b/bitwarden/playbook.yml index 68109fb..85c15ae 100755 --- a/bitwarden/playbook.yml +++ b/bitwarden/playbook.yml 
@@ -23,7 +23,8 @@ env: DATABASE_URL: "{{ db_url }}" DOMAIN: "https://{{ http_host }}" - links: "postgres:db" + links: + - "postgres:db" published_ports: - 127.0.0.1:8080:80 - 127.0.0.1:3012:3012 diff --git a/bitwarden/vars/default.yml b/bitwarden/vars/default.yml index cce8791..1f98bdb 100644 --- a/bitwarden/vars/default.yml +++ b/bitwarden/vars/default.yml @@ -4,6 +4,6 @@ http_conf: "vault.tanshu.com.conf" container_name: bitwarden container_image: vaultwarden/server:latest - -db_url: postgresql://postgres:123456@db:5432/bitwarden +db_server: db +db_url: postgresql://postgres:123456@{{ db_server }}:5432/bitwarden diff --git a/gitea/files/nginx.conf.j2 b/gitea/files/nginx.conf.j2 index 8d9cfad..b49ac7f 100644 --- a/gitea/files/nginx.conf.j2 +++ b/gitea/files/nginx.conf.j2 @@ -9,9 +9,11 @@ server { # } location / { - proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } - } diff --git a/gitea/playbook.yml b/gitea/playbook.yml index 38e09bc..4d739bf 100755 --- a/gitea/playbook.yml +++ b/gitea/playbook.yml @@ -14,17 +14,9 @@ comment: Git user create_home: yes - - name: Ensure SSH Passthrough file Directory exists - file: - path: /app/gitea - state: directory - group: git - owner: git - mode: 0755 - - name: Check if ssh passthrough file exists stat: - path: /app/gitea/gitea + path: /usr/local/bin/gitea register: pass_status - name: No need to upload ssh passthrough file @@ -36,7 +28,7 @@ when: pass_status.stat.exists == false template: src: "files/gitea" - dest: "/app/gitea/gitea" + dest: "/usr/local/bin/gitea" owner: "{{ user }}" group: "{{ user }}" mode: 0755 @@ -80,6 +72,7 @@ - name: Add key to authorized_files when: key_status.stat.exists == false copy: + remote_src: yes src: /home/git/.ssh/id_rsa.pub dest: /home/git/.ssh/authorized_keys owner: git 
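Review bot: The new `db_url` line still carries the database superuser password in clear text (`postgres:123456`) inside a file that is committed to the repository; templating only the host part leaves the secret in git. Move the password into an ansible-vault-encrypted variable and reference it, e.g. `db_url: "postgresql://postgres:{{ db_password }}@{{ db_server }}:5432/bitwarden"`, and consider a dedicated database role instead of `postgres`. The same commit deletes `bifrost/app/.env`, which held what looks like a live DigitalOcean API token; deleting the file does not remove it from history, so that token should be treated as exposed and rotated. `container_image: vaultwarden/server:latest` is also unpinned, which matters more now that other playbooks in this commit set `force_source: yes`.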
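Review bot: The relocated SSH passthrough script at `/usr/local/bin/gitea` is installed with `owner: "{{ user }}"`, `group: "{{ user }}"` and `mode: 0755`, so a system-wide binary directory now holds a file writable by what the surrounding tasks suggest is the unprivileged git service account; prefer `owner: root`, `group: root`, `mode: "0755"` so the account that executes it cannot modify it (quoting the mode also avoids the YAML octal trap). The template is only written when the `stat` check finds it absent, so later changes to `files/gitea` never reach an already-provisioned host; `template` is idempotent on its own, so the `when: pass_status.stat.exists == false` guard on that task can be dropped. The task list this hunk belongs to starts before and continues after it.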
@@ -104,6 +97,9 @@ image: "{{ container_image }}" state: started restart_policy: "unless-stopped" + cpus: .10 + memory: "512M" + memory_swap: "512M" env: USER_UID: "{{ getent_passwd[user][1] }}" USER_GID: "{{ getent_passwd[user][2] }}" diff --git a/nextcloud/playbook.yml b/nextcloud/playbook.yml index 6f75127..8147b0a 100755 --- a/nextcloud/playbook.yml +++ b/nextcloud/playbook.yml @@ -12,6 +12,7 @@ docker_image: name: "{{ container_image }}" source: pull + force_source: yes - name: Copy dockerfile synchronize: src=web dest=/tmp @@ -25,6 +26,7 @@ pull: yes state: present source: build + force_source: yes - name: Create Nextcloud container docker_container: @@ -42,7 +44,7 @@ - "postgres:db" # - "redis:redis" published_ports: - - "9000:9000" + - "127.0.0.1:9000:9000" volumes: - /var/lib/nextcloud:/var/www/html @@ -55,10 +57,16 @@ links: - "cloud:app" published_ports: - - "9080:80" + - "127.0.0.1:9080:80" volumes: - /var/lib/nextcloud:/var/www/html:ro + - name: Add cron job + cron: + name: Nextcloud cron + minute: "*/5" + job: "docker exec -u www-data {{ container_name }} php cron.php" + - name: Check if Nginx conf file exists stat: path="/etc/nginx/sites-available/{{ http_conf }}" register: status diff --git a/nextcloud/web/nginx.conf b/nextcloud/web/nginx.conf index 5eedca5..802e955 100644 --- a/nextcloud/web/nginx.conf +++ b/nextcloud/web/nginx.conf 
@@ -22,67 +22,43 @@ http { sendfile on; #tcp_nopush on; + # Prevent nginx HTTP Server Detection + server_tokens off; + keepalive_timeout 65; + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Forwarded-For; + #gzip on; upstream php-handler { server app:9000; } + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + map $arg_v $asset_immutable { + "" ""; + default "immutable"; + } + server { listen 80; - # Add headers to serve security related headers - # Before enabling Strict-Transport-Security headers please read into this - # topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # + + # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/html; - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - - # The following rule is only needed for the Social app. 
- # Uncomment it if you're planning to use this app. - #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; - - location = /.well-known/carddav { - return 301 $http_x_scheme://$http_host/remote.php/dav; - } - - location = /.well-known/caldav { - return 301 $http_x_scheme://$http_host/remote.php/dav; - } + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; + client_max_body_size 1024M; + proxy_request_buffering off; # Enable gzip but do not remove ETag headers gzip on; 
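Review bot: `set_real_ip_from` now trusts all three RFC1918 ranges for `X-Forwarded-For`, which is wider than this deployment needs: the container's port is published only on `127.0.0.1:9080` (see `nextcloud/playbook.yml` in this commit), so the only proxy that should be allowed to rewrite the client address is the host's nginx arriving over the Docker bridge. Any other container or host on those private networks could otherwise spoof the address Nextcloud logs and, presumably, uses for its login throttling. Narrow the list to the actual bridge subnet, e.g. `set_real_ip_from 172.17.0.0/16;` (confirm with `docker network inspect bridge`), and add a comment recording why that range is trusted. The `server` block continues past the end of this hunk.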
@@ -92,77 +68,126 @@ http { gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; - location / { - rewrite ^ /index.php; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/html; + + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. 
This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } } - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; + location = /robots.txt { + allow all; + log_not_found off; + access_log off; } - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. + + location = /.well-known/carddav { return 301 $http_x_scheme://$http_host/remote.php/dav; } + location = /.well-known/caldav { return 301 $http_x_scheme://$http_host/remote.php/dav; } + + location = /.well-known/webfinger { + return 301 $http_x_scheme://$http_host/index.php/.well-known/webfinger; + } + location = /.well-known/nodeinfo { + return 301 $http_x_scheme://$http_host/index.php/.well-known/nodeinfo; + } + + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. 
+ return 301 /index.php$request_uri; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; + #fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - - # Enable pretty urls - fastcgi_param front_controller_active true; + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php-handler; + fastcgi_intercept_errors on; fastcgi_request_buffering off; } - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + location ~ \.woff2?$ { 
try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; } } } diff --git a/postgres/playbook.yml b/postgres/playbook.yml index 738e83a..bfa3c7b 100755 --- a/postgres/playbook.yml +++ b/postgres/playbook.yml @@ -12,6 +12,7 @@ docker_image: name: "{{ postgres_image }}" source: pull + force_source: yes # Creates the number of containers defined by the variable create_containers, using values from vars file - name: Create postgres container 
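Review bot: The `/.well-known` redirects build their `Location` from `$http_x_scheme`, a request header that only exists if the front proxy sets `X-Scheme`; the only vhost in this repository that did so was the now-deleted bifrost one, and `gitea/files/nginx.conf.j2` in this commit sends `X-Forwarded-Proto` instead. If the header is missing the response is `Location: ://host/remote.php/dav`, and unless the front proxy overwrites it a client can supply `X-Scheme` itself and choose the scheme it is redirected to. Use the relative form from the upstream Nextcloud sample instead, `return 301 /remote.php/dav/;` for carddav/caldav and `return 301 /index.php/.well-known/webfinger;` (likewise for nodeinfo), which keeps the original scheme and host without trusting any header. This hunk closes the `server` and `http` blocks opened in the earlier hunk.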
diff --git a/redis/playbook.yml b/redis/playbook.yml index 4a73e80..fa0912b 100755 --- a/redis/playbook.yml +++ b/redis/playbook.yml @@ -9,6 +9,7 @@ docker_image: name: "{{ container_image }}" source: pull + force_source: yes - name: Create redis container docker_container: diff --git a/setup_ubuntu1804/playbook.yml b/setup_ubuntu1804/playbook.yml new file mode 100755 index 0000000..f64fc5e --- /dev/null +++ b/setup_ubuntu1804/playbook.yml @@ -0,0 +1,33 @@ +################################################# +# DO Community Playbooks: Initial Server Setup +################################################# +--- +- hosts: all + become: true + vars_files: + - vars/default.yml + + tasks: + +# Sudo Group Setup + - name: Make sure we have a 'wheel' group + group: + name: wheel + state: present + + - name: Allow 'wheel' group to have passwordless sudo + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%wheel' + line: '%wheel ALL=(ALL) NOPASSWD: ALL' + validate: '/usr/sbin/visudo -cf %s' + + +# Install Packages + - name: Update apt + apt: update_cache=yes + + - name: Install required system packages + apt: name={{ sys_packages }} state=latest + diff --git a/snibox/playbook.yml b/snibox/playbook.yml index 0c0e5eb..5cc19a4 100755 --- a/snibox/playbook.yml +++ b/snibox/playbook.yml @@ -13,7 +13,7 @@ name: "{{ backend_image }}" source: pull state: present -# force_source: yes + force_source: yes - name: Upload the .env file template: @@ -28,12 +28,12 @@ restart_policy: "unless-stopped" command: sh -c "cp -r /app/public/ / && rm -rf tmp/pids && ./bin/rails s -p 3003 -b '0.0.0.0'" env_file: "/var/lib/{{ host_directory }}/.env" + links: + - "postgres:db" published_ports: - "127.0.0.1:3003:3003" volumes: - "/var/lib/{{ host_directory }}/frontend:/public" - links: - - "postgres:db" - name: Check if Nginx conf file exists stat: path="/etc/nginx/sites-available/{{ http_conf }}"
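Review bot: The new playbook grants `%wheel ALL=(ALL) NOPASSWD: ALL`, unrestricted passwordless root for every member of `wheel`, and nothing in the hunk creates or bounds that membership; if the intent is only to let Ansible run with `become`, keep the password requirement (`%wheel ALL=(ALL) ALL`) and use `--ask-become-pass` or a vaulted `ansible_become_password`, or add a comment stating why NOPASSWD is genuinely required. `apt: name={{ sys_packages }} state=latest` upgrades those packages on every run, which is not idempotent and silently changes versions during unrelated deploys; `state: present` (plus `cache_valid_time: 3600` on the update task) is the safer default. Both `apt` tasks pass arguments as `key=value` strings where block YAML (`apt:` / `name: "{{ sys_packages }}"` / `state: present`) is the recommended Ansible form. The `vars/default.yml` that must define `sys_packages` is not part of this commit.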