From 9784d868394b7e5d635b56ecc52a567e0954e091 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorben=20G=C3=BCnther?= Date: Fri, 17 Sep 2021 16:48:41 +0200 Subject: [PATCH] srht: Update nginx config with upstream changes --- roles/srht/files/graphql.conf | 20 +++++++++++ roles/srht/files/nginx/builds.conf | 31 ++++------------- roles/srht/files/nginx/git.conf | 35 ++++---------------- roles/srht/files/nginx/hub.conf | 15 +++------ roles/srht/files/nginx/lists.conf | 35 ++++---------------- roles/srht/files/nginx/man.conf | 11 +++--- roles/srht/files/nginx/meta.conf | 35 ++++---------------- roles/srht/files/nginx/paste.conf | 11 +++--- roles/srht/files/nginx/todo.conf | 31 ++++------------- roles/srht/files/srht.conf | 4 +++ roles/srht/files/{nginx => }/srht_robots.txt | 0 roles/srht/files/srht_web.conf | 5 +++ roles/srht/tasks/main.yml | 14 ++++++++ 13 files changed, 88 insertions(+), 159 deletions(-) create mode 100644 roles/srht/files/graphql.conf create mode 100644 roles/srht/files/srht.conf rename roles/srht/files/{nginx => }/srht_robots.txt (100%) create mode 100644 roles/srht/files/srht_web.conf diff --git a/roles/srht/files/graphql.conf b/roles/srht/files/graphql.conf new file mode 100644 index 0000000..cc990ca --- /dev/null +++ b/roles/srht/files/graphql.conf 
@@ -0,0 +1,20 @@
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+}
+
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
diff --git a/roles/srht/files/nginx/builds.conf b/roles/srht/files/nginx/builds.conf
index 73bcb00..06d17d7 100644
--- a/roles/srht/files/nginx/builds.conf
+++ b/roles/srht/files/nginx/builds.conf
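Review bot: The first five lines of graphql.conf (`real_ip_header`, `real_ip_recursive` and the three `proxy_set_header` lines) are a verbatim copy of srht_web.conf added in the same commit, so the real-IP trust and forwarding settings for the GraphQL locations can silently drift from those of `location /`. Replacing those five lines with `include /etc/nginx/snippets/srht_web.conf;` keeps both on one definition, and graphql.conf then holds only the CORS handling.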
@@ -7,46 +7,27 @@ server { include /etc/nginx/snippets/https.conf; server_name builds.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always; - client_max_body_size 100M; - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5002; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/buildsrht; + root /usr/lib/$python/site-packages/buildsrht; expires 30d; } location /query { proxy_pass http://127.0.0.1:5102; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; - charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include /etc/nginx/snippets/graphql.conf; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } 
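Review bot: `client_max_body_size 100M;` is removed from the server block, but the new `include /etc/nginx/snippets/srht.conf;` does not reintroduce it (srht.conf only sets `$python` and `set_real_ip_from`), so builds.xenrox.net falls back to nginx's 1M default and larger request bodies are answered with 413. git.conf and todo.conf drop the same directive in this commit while man.conf and paste.conf keep theirs, which suggests the removal was not intended; unless a location outside the hunk sets it, either put `client_max_body_size 100M;` back after the include in each of the three server blocks or move it into srht.conf so the limit is defined once. The `server {` block this hunk edits opens before the hunk.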
diff --git a/roles/srht/files/nginx/git.conf b/roles/srht/files/nginx/git.conf index 3a7faeb..11cd386 100644 --- a/roles/srht/files/nginx/git.conf +++ b/roles/srht/files/nginx/git.conf @@ -7,23 +7,18 @@ server { include /etc/nginx/snippets/https.conf; server_name git.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; - client_max_body_size 100M; - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5001; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/gitsrht; + root /usr/lib/$python/site-packages/gitsrht; expires 30d; } 
@@ -48,28 +43,10 @@ server { location /query { proxy_pass http://127.0.0.1:5101; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; - charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include /etc/nginx/snippets/graphql.conf; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/hub.conf b/roles/srht/files/nginx/hub.conf index 622c7a2..b56f82c 100644 --- a/roles/srht/files/nginx/hub.conf +++ b/roles/srht/files/nginx/hub.conf 
@@ -7,25 +7,20 @@ server { include /etc/nginx/snippets/https.conf; server_name hub.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5014; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/hubsrht; + root /usr/lib/$python/site-packages/hubsrht; expires 30d; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/lists.conf b/roles/srht/files/nginx/lists.conf index fee8f26..6d9a353 100644 --- a/roles/srht/files/nginx/lists.conf +++ b/roles/srht/files/nginx/lists.conf 
@@ -7,48 +7,25 @@ server { include /etc/nginx/snippets/https.conf; server_name lists.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'"; - - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5006; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'"; + include /etc/nginx/snippets/srht_web.conf; } location /query { proxy_pass http://127.0.0.1:5106; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include /etc/nginx/snippets/graphql.conf; } location /static { - root /usr/lib/python3.9/site-packages/listssrht; + root 
/usr/lib/$python/site-packages/listssrht; expires 30d; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/man.conf b/roles/srht/files/nginx/man.conf index 6c44b44..fb18453 100644 --- a/roles/srht/files/nginx/man.conf +++ b/roles/srht/files/nginx/man.conf @@ -7,23 +7,22 @@ server { include /etc/nginx/snippets/https.conf; server_name man.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; + include /etc/nginx/snippets/srht.conf; client_max_body_size 100M; - gzip on; - gzip_types text/css; - location / { proxy_pass http://127.0.0.1:5004; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/mansrht; + root /usr/lib/$python/site-packages/mansrht; expires 30d; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/meta.conf b/roles/srht/files/nginx/meta.conf index c0b8a09..ee93c00 100644 --- a/roles/srht/files/nginx/meta.conf +++ b/roles/srht/files/nginx/meta.conf 
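Review bot: The Content-Security-Policy line kept in lists.conf's `location /` lacks the `always` flag, so nginx adds it only on 2xx/3xx responses and error pages from lists.xenrox.net go out without a CSP; every other service in this commit uses `always`. The old server block carried two CSP headers, one with `always` and one without, and the one retained here is the looser of the two, so this looks accidental rather than deliberate. Change it to `add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;`. The `server {` block opens before the hunk.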
@@ -7,48 +7,25 @@ server { include /etc/nginx/snippets/https.conf; server_name meta.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always; - - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/metasrht; + root /usr/lib/$python/site-packages/metasrht; expires 30d; } location /query { proxy_pass http://127.0.0.1:5100; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; - charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 
'Content-Length,Content-Range'; + include /etc/nginx/snippets/graphql.conf; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/paste.conf b/roles/srht/files/nginx/paste.conf index 528c0ed..c467c25 100644 --- a/roles/srht/files/nginx/paste.conf +++ b/roles/srht/files/nginx/paste.conf @@ -7,23 +7,22 @@ server { include /etc/nginx/snippets/https.conf; server_name paste.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; + include /etc/nginx/snippets/srht.conf; client_max_body_size 10M; - gzip on; - gzip_types text/css; - location / { proxy_pass http://127.0.0.1:5011; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; + include /etc/nginx/snippets/srht_web.conf; } location /static { - root /usr/lib/python3.9/site-packages/pastesrht; + root /usr/lib/$python/site-packages/pastesrht; expires 30d; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/nginx/todo.conf b/roles/srht/files/nginx/todo.conf index ff67523..08adc9e 100644 --- a/roles/srht/files/nginx/todo.conf +++ b/roles/srht/files/nginx/todo.conf 
@@ -7,46 +7,27 @@ server { include /etc/nginx/snippets/https.conf; server_name todo.xenrox.net; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - client_max_body_size 100M; - gzip on; - gzip_types text/css; + include /etc/nginx/snippets/srht.conf; location / { proxy_pass http://127.0.0.1:5003; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; + include /etc/nginx/snippets/srht_web.conf; } location /query { proxy_pass http://127.0.0.1:5103; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; - charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include /etc/nginx/snippets/graphql.conf; } location /static { - root /usr/lib/python3.9/site-packages/todosrht; + root /usr/lib/$python/site-packages/todosrht; expires 30d; } location = /robots.txt { - alias /etc/nginx/nginx.d/srht_robots.txt; + alias /etc/nginx/snippets/srht_robots.txt; } } diff --git a/roles/srht/files/srht.conf b/roles/srht/files/srht.conf new file mode 100644 index 0000000..896f6c0 --- /dev/null 
+++ b/roles/srht/files/srht.conf @@ -0,0 +1,4 @@ +# TODO: Read IP with ansible dns and python version from installed packages +set $python "python3.9"; +set_real_ip_from 127.0.0.0/16; +set_real_ip_from 178.63.61.184 diff --git a/roles/srht/files/nginx/srht_robots.txt b/roles/srht/files/srht_robots.txt similarity index 100% rename from roles/srht/files/nginx/srht_robots.txt rename to roles/srht/files/srht_robots.txt diff --git a/roles/srht/files/srht_web.conf b/roles/srht/files/srht_web.conf new file mode 100644 index 0000000..a89f03b --- /dev/null +++ b/roles/srht/files/srht_web.conf @@ -0,0 +1,5 @@ +real_ip_header X-Forwarded-For; +real_ip_recursive on; +proxy_set_header Host $host; +proxy_set_header X-Forwarded-Proto https; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml index 6262942..31060d1 100644 --- a/roles/srht/tasks/main.yml +++ b/roles/srht/tasks/main.yml @@ -194,6 +194,20 @@ notify: - restart nginx +- name: Copy nginx snippets + ansible.builtin.copy: + src: "{{ item }}" + dest: /etc/nginx/snippets + owner: root + group: root + mode: 0755 + with_items: + - graphql.conf + - srht.conf + - srht_robots.txt + - srht_web.conf + notify: restart nginx + - name: copy api key ansible.builtin.template: src: image-refresh-token.j2 -- 2.44.0
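Review bot: The last line of srht.conf, `set_real_ip_from 178.63.61.184`, has no terminating `;` as it appears here, and nginx requires one on every directive, so `nginx -t` would reject the snippet once the server blocks include it and the `restart nginx` handler would likely leave nginx down. It should read `set_real_ip_from 178.63.61.184;`. Because this file defines which addresses are trusted to set X-Forwarded-For (and the TODO says the IP is still hand-maintained), a one-line comment naming what that address is would let the next reader verify the trust list instead of guessing.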
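Review bot: srht_web.conf forwards `Host`, `X-Forwarded-Proto` and `X-Forwarded-For` but drops the `proxy_set_header X-Real-IP $remote_addr;` that every server block previously sent; if any of the proxied services reads X-Real-IP for logging or rate limiting, it now sees no client address at all. With `real_ip_header X-Forwarded-For` set two lines above, `$remote_addr` already holds the trusted client address, so adding `proxy_set_header X-Real-IP $remote_addr;` after the X-Forwarded-For line restores the old behaviour at no cost.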
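Review bot: `mode: 0755` in the "Copy nginx snippets" task sets the execute bit on four files nginx only reads (three .conf snippets and robots.txt); `mode: "0644"` is the least-privilege and conventional mode for /etc/nginx content, and quoting it avoids the YAML octal ambiguity that ansible-lint flags for unquoted modes. `with_items` works, but `loop:` is the current Ansible form for this kind of list. The task list continues outside the hunk.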