- role: dirty-hacks/vex2-base
- role: acmetool/base
- role: nginx
- - role: web/realraumat
- role: web/r3redirects
- role: web/dokuwiki
- role: web/r3status
---
-r3at_urls:
- - r3.at
-wikirealraumat_urls:
- - wiki.realraum.at
- - w.r3.at
-
-sensors_urls:
- - sensors.realraum.at
+r3redirect_servers:
+ - name: r3.at
+ rootdir: /srv/r3.at/www/
+ urls:
+ - r3.at
+ - name: w.r3.at
+ rootdir: /srv/wiki.realraum.at/www/
+ urls:
+ - wiki.realraum.at
+ - w.r3.at
+ - name: sensors.realraum.at
+ rootdir: /srv/sensors.realraum.at/www/
+ urls:
+ - sensors.realraum.at
+ - name: www.realraum.at
+ rootdir: /srv/www.realraum.at/www/
+ urls:
+ - www.realraum.at
+ - realraum.at
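Review bot: The `www.realraum.at` entry adds `realraum.at` to `urls`, a name the old `wwwrealraum_urls` list did not contain, while the vhost template still loads the certificate from `/var/lib/acme/live/{{ r3rsrv.name }}`, i.e. the `www.realraum.at` directory. Whether that certificate lists `realraum.at` as a subject alternative name is not visible here, and no other vhost should already claim that `server_name`; both are worth confirming before deploy. Since `name` now selects the template file, the vhost file name and the certificate directory at once, I would add a comment above the list such as `# name: selects <name>.j2, sites-available/<name> and /var/lib/acme/live/<name>; urls: all server_name values`.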
--- /dev/null
+<html>
+<head>
+ <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+ <!--meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src data:; script-src 'self'; style-src 'unsafe-inline'"-->
+ <meta content="origin" name="referrer">
+ <title>404 - Error ressource not found</title>
+ <style>
+ h1 {
+ font-size:400%;
+ text-align: center;
+ }
+ h2 {
+ font-size:200%;
+ text-align: center;
+ }
+ </style>
+</head>
+<body>
+<h1><img src="https://www.realraum.at/logo-red_250x250.png"><br/>4 ohhh 4</h1>
+<h2>In four dimensions we can have a brane.</h2>
+<h2>But call it a dimension, then you need to get a brain!<h2>
+</body>
+</html>
+
+
+
---
-
-- import_tasks: nginx.yml
+- name: run nginx for each server
+ loop: "{{ r3redirect_servers }}"
+ loop_control:
+ loop_var: r3rsrv
+ include_tasks: nginx.yml
\ No newline at end of file
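Review bot: The loop over `r3redirect_servers` sets `loop_var: r3rsrv` but no label, so each included-task line in the run output prints the whole server dict (name, rootdir and urls). Adding `label: "{{ r3rsrv.name }}"` under `loop_control` keeps the output to one hostname per iteration. The trailing marker suggests the new file still ends without a newline, which yamllint flags.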
---
+- name: create webroot path
+ file:
+ name: "{{ r3rsrv.rootdir }}"
+ state: directory
+ owner: www-data
+
+- name: Copy files to remote locations
+ ansible.builtin.copy:
+ dest: "{{ r3rsrv.rootdir }}/404.html"
+ group: www-data
+ owner: www-data
+ src: files/404.html
+
- name: install nginx vhost config files
- loop:
- - r3.at
- - w.r3.at
- - sensors.realraum.at
template:
- src: "{{ item }}.j2"
- dest: /etc/nginx/sites-available/{{ item }}
+ src: "{{ r3rsrv.name }}.j2"
+ dest: /etc/nginx/sites-available/{{ r3rsrv.name }}
notify: reload nginx
-- name: check if acme certs already exists
- stat:
- path: /var/lib/acme/live/w.r3.at
- register: wr3_acme_cert
+- name: clear variable
+ set_fact:
+ nginx_acme_cert: {}
- name: check if acme certs already exists
stat:
- path: /var/lib/acme/live/r3.at
- register: r3_acme_cert
-
-- name: check if acme certs already exists
- stat:
- path: /var/lib/acme/live/sensors.realraum.at
- register: sensors_acme_cert
-
-- name: link nonexistent hostname to self-signed interim cert
- when: not wr3_acme_cert.stat.exists
- block:
- - name: get id of existing selfsigned interim certificate
- command: cat /var/lib/acme/.selfsigned-interim-cert
- changed_when: false
- check_mode: false
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: link to snakeoil cert for nonexistent hostnames
- file:
- src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/live/w.r3.at
- state: link
-
-- name: link nonexistent hostname to self-signed interim cert
- when: not r3_acme_cert.stat.exists
- block:
- - name: get id of existing selfsigned interim certificate
- command: cat /var/lib/acme/.selfsigned-interim-cert
- changed_when: false
- check_mode: false
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: link to snakeoil cert for nonexistent hostnames
- file:
- src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/live/r3.at
- state: link
+ path: /var/lib/acme/live/{{ r3rsrv.name }}
+ register: nginx_acme_cert
- name: link nonexistent hostname to self-signed interim cert
- when: not sensors_acme_cert.stat.exists
+ when: not nginx_acme_cert.stat.exists
block:
- name: get id of existing selfsigned interim certificate
command: cat /var/lib/acme/.selfsigned-interim-cert
- name: link to snakeoil cert for nonexistent hostnames
file:
src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/live/sensors.realraum.at
+ dest: /var/lib/acme/live/{{ r3rsrv.name }}
state: link
- name: enable nginx vhost config
- loop:
- - r3.at
- - w.r3.at
- - sensors.realraum.at
file:
- src: ../sites-available/{{ item }}
- dest: /etc/nginx/sites-enabled/{{ item }}
+ src: ../sites-available/{{ r3rsrv.name }}
+ dest: /etc/nginx/sites-enabled/{{ r3rsrv.name }}
state: link
notify: reload nginx
# import_role:
# name: acmetool/cert
# vars:
-# acmetool_cert_name: {{ item }}
-# loop:
-# - r3.at
-# - w.r3.at
+# acmetool_cert_name: {{ r3rsrv.name }}
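Review bot: The new "create webroot path" and "Copy files to remote locations" tasks make `www-data` the owner of the document root and of `404.html`, so the account nginx workers usually run as can rewrite the content it serves. For static files, root ownership with read access for the web server is the safer default: `owner: root`, `group: www-data` and an explicit `mode: "0755"` on the directory, and `owner: root` with `mode: "0644"` on the copy. Neither task sets `mode` today, so the result depends on the umask of the remote user. The "clear variable" `set_fact` looks redundant, because `register: nginx_acme_cert` overwrites the variable on every iteration anyway.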
listen [::]:443 ssl;
listen 443 ssl;
- server_name {{ r3at_urls | join(' ') }};
+ server_name {{ r3rsrv.urls | join(' ') }};
include snippets/acmetool.conf;
include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ r3at_urls[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ r3at_urls[0] }}/privkey;
+ ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey;
include snippets/hsts.conf;
include snippets/security-headers.conf;
+ root {{ r3rsrv.rootdir }};
location = /events.ics {
return 302 https://status.realraum.at/shmcache/grical_realraum.ical; # planned: 301
location = / {
return 302 https://realraum.at/;
}
+
+ error_page 404 /404.html;
}
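Review bot: With `root {{ r3rsrv.rootdir }};` set and only the two exact-match locations visible here, every other path on this vhost is now served from the webroot, and `/404.html` itself answers a direct request with status 200. Marking the page internal avoids that: `location = /404.html { internal; }`. The page also loads its logo from `https://www.realraum.at/logo-red_250x250.png`, which the www vhost in this commit answers with a 302 to status.realraum.at, so the image costs an extra cross-host round trip on every error.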
listen [::]:443 ssl;
listen 443 ssl;
- server_name {{ sensors_urls | join(' ') }};
+ server_name {{ r3rsrv.urls | join(' ') }};
include snippets/acmetool.conf;
include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ sensors_urls[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ sensors_urls[0] }}/privkey;
+ ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey;
include snippets/hsts.conf;
include snippets/security-headers.conf;
+ root {{ r3rsrv.rootdir }};
+
access_log off;
location / {
return 307 https://status.realraum.at/;
}
+
+ error_page 404 /404.html;
}
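Review bot: The added `root {{ r3rsrv.rootdir }};` and `error_page 404 /404.html;` appear to be unreachable in this server block, because `location / { return 307 https://status.realraum.at/; }` answers every request, including `/404.html`, before any file lookup happens. The same applies to the wiki vhost below, where `location /` returns a 302 to doku.realraum.at. Either drop the two directives from these redirect-only vhosts, or add a comment such as `# root/error_page only take effect once a non-redirect location is added` so the next reader does not assume the 404 page is live.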
listen [::]:443 ssl;
listen 443 ssl;
- server_name {{ wikirealraumat_urls | join(' ') }};
+ server_name {{ r3rsrv.urls | join(' ') }};
include snippets/acmetool.conf;
include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ wikirealraumat_urls[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ wikirealraumat_urls[0] }}/privkey;
+ ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey;
include snippets/hsts.conf;
include snippets/security-headers.conf;
+ root {{ r3rsrv.rootdir }};
+
access_log off;
location / {
return 302 https://doku.realraum.at$request_uri;
}
+
+ error_page 404 /404.html;
}
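Review bot: The `ssl_certificate` and `ssl_certificate_key` paths change directory here, from `wikirealraumat_urls[0]` (wiki.realraum.at) to `r3rsrv.name` (w.r3.at). This now matches the path the task file checks and links, but it also means the vhost will pick up the self-signed interim link if `/var/lib/acme/live/w.r3.at` is not yet a real certificate covering both names. `snippets/hsts.conf` is included in the same block, and if it sets a Strict-Transport-Security header, as its name suggests, returning visitors get a hard failure in that state. A comment in the template such as `# cert dir is keyed on r3rsrv.name, not on the first entry of urls` would document the switch.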
--- /dev/null
+map $request_uri $wiki_page {
+ ~^/wiki/doku\.php\?(.+&)?id=([^&]*) $2;
+}
+
+server {
+ listen [::]:443 ssl;
+ listen 443 ssl;
+
+ server_name {{ r3rsrv.urls | join(' ') }};
+
+ include snippets/acmetool.conf;
+ include snippets/ssl.conf;
+ ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey;
+ include snippets/hsts.conf;
+
+ include snippets/security-headers.conf;
+ add_header Content-Security-Policy "upgrade-insecure-requests";
+ # Can be used rather than HSTS when it shouldn't be cached
+
+
+ root {{ r3rsrv.rootdir }};
+ access_log off;
+# rewrite_log on;
+
+
+ # Default redirect to WordPress site
+ location / {
+ return 302 https://wp.realraum.at$request_uri;
+ }
+
+ location ~ ^/wiki/doku\.php {
+ return 302 https://doku.realraum.at/$wiki_page;
+ }
+
+ # Specific file redirects to status subdomain
+ location = /sensors.html {
+ return 302 https://status.realraum.at/; # planned: 301
+ }
+
+ location = /status.json {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Pragma "no-cache";
+ add_header Cache-Control "no-cache";
+ return 302 https://status.realraum.at/spaceapi.json; # planned: 301
+ }
+
+ location = /shmcache/status.json {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Pragma "no-cache";
+ add_header Cache-Control "no-cache";
+ return 302 https://status.realraum.at/spaceapi.json; # planned: 301
+ }
+
+ location ~ ^/shmcache/(.*)$ {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Pragma "no-cache";
+ add_header Cache-Control "no-cache";
+ return 302 https://status.realraum.at/ics/$1; # planned: 301
+ }
+
+ location = /gc_button1.gif {
+ return 302 https://status.realraum.at/gc_button1.gif; # planned: 301
+ }
+ location = /kiosk1024x768.html {
+ return 302 https://status.realraum.at/kiosk1024x768.html; # planned: 301
+ }
+ location = /kiosk1050x1680_2.html {
+ return 302 https://status.realraum.at/kiosk1050x1680_2.html; # planned: 301
+ }
+ location = /kiosk1366x768.html {
+ return 302 https://status.realraum.at/kiosk1366x768.html; # planned: 301
+ }
+ location = /kiosk1440x900.html {
+ return 302 https://status.realraum.at/kiosk1440x900.html; # planned: 301
+ }
+ location = /kiosk1680x1050_1.html {
+ return 302 https://status.realraum.at/kiosk1680x1050_1.html; # planned: 301
+ }
+ location = /kiosk768x1366.html {
+ return 302 https://status.realraum.at/kiosk768x1366.html; # planned: 301
+ }
+ location = /kiosk768x1366sensors.html {
+ return 302 https://status.realraum.at/kiosk768x1366sensors.html; # planned: 301
+ }
+ location = /kiosk900x1440.html {
+ return 302 https://status.realraum.at/kiosk900x1440.html; # planned: 301
+ }
+ location = /kiosk.css {
+ return 302 https://status.realraum.at/kiosk.css; # planned: 301
+ }
+ location = /kiosk.js {
+ return 302 https://status.realraum.at/kiosk.js; # planned: 301
+ }
+ location = /logo-red_250x250.png {
+ return 302 https://status.realraum.at/logo-red_250x250.png; # planned: 301
+ }
+ location = /logo-re_empty_100x100.png {
+ return 302 https://status.realraum.at/logo-re_empty_100x100.png; # planned: 301
+ }
+ location = /logo-re_open_100x100.png {
+ return 302 https://status.realraum.at/logo-re_open_100x100.png; # planned: 301
+ }
+ location = /purl.js {
+ return 302 https://status.realraum.at/purl.js; # planned: 301
+ }
+ location = /vis.css {
+ return 302 https://status.realraum.at/vis.css; # planned: 301
+ }
+ location = /vis.js {
+ return 302 https://status.realraum.at/vis.js; # planned: 301
+ }
+
+ error_page 404 /404.html;
+
+}
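Review bot: The `add_header` lines inside `location = /status.json`, `location = /shmcache/status.json` and `location ~ ^/shmcache/(.*)$` stop nginx from inheriting any `add_header` set at server level. Those three responses therefore lose the `Content-Security-Policy "upgrade-insecure-requests"` header, along with anything `snippets/hsts.conf` and `snippets/security-headers.conf` add that way (their contents are not visible here). Repeating `include snippets/hsts.conf;` and `include snippets/security-headers.conf;` inside each of those locations restores them. Separately, the `$1` capture in the `/shmcache/` location comes from the decoded URI and is copied into the Location header, so it is safer to narrow `(.*)` to an explicit class such as `([A-Za-z0-9._-]+)`.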
+++ /dev/null
----
-wwwrealraum_urls:
- - www.realraum.at
\ No newline at end of file
+++ /dev/null
-<html>
-<head>
- <meta http-equiv="Content-type" content="text/html; charset=utf-8">
- <!--meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src data:; script-src 'self'; style-src 'unsafe-inline'"-->
- <meta content="origin" name="referrer">
- <title>404 - Error ressource not found</title>
- <style>
- h1 {
- font-size:400%;
- text-align: center;
- }
- h2 {
- font-size:200%;
- text-align: center;
- }
- </style>
-</head>
-<body>
-<h1><img src="https://www.realraum.at/logo-red_250x250.png"><br/>4 ohhh 4</h1>
-<h2>In four dimensions we can have a brane.</h2>
-<h2>But call it a dimension, then you need to get a brain!<h2>
-</body>
-</html>
-
-
-
+++ /dev/null
----
-- name: reload nginx
- service:
- name: nginx
- state: reloaded
+++ /dev/null
----
-- name: create webroot path
- file:
- name: /srv/realraumat/www/
- state: directory
- owner: www-data
-
-- name: Copy files to remote locations
- ansible.builtin.copy:
- dest: /srv/realraumat/www/404.html
- group: www-data
- owner: www-data
- src: files/404.html
-
-- import_tasks: nginx.yml
-
-
+++ /dev/null
----
-
-- name: install nginx vhost config files
- loop:
- - www.realraum.at
- template:
- src: "{{ item }}.j2"
- dest: /etc/nginx/sites-available/{{ item }}
- notify: reload nginx
-
-- name: check if acme certs already exists
- stat:
- path: /var/lib/acme/live/www.realraum.at
- register: wwwrealraum_acme_cert
-
-- name: link nonexistent hostname to self-signed interim cert
- when: not wwwrealraum_acme_cert.stat.exists
- block:
- - name: get id of existing selfsigned interim certificate
- command: cat /var/lib/acme/.selfsigned-interim-cert
- changed_when: false
- check_mode: false
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: link to snakeoil cert for nonexistent hostnames
- file:
- src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/live/www.realraum.at
- state: link
-
-- name: enable nginx vhost config
- loop:
- - www.realraum.at
- file:
- src: ../sites-available/{{ item }}
- dest: /etc/nginx/sites-enabled/{{ item }}
- state: link
- notify: reload nginx
-
-- name: make sure nginx config has been loaded
- meta: flush_handlers
-
-# - name: get certificate using acmetool
-# import_role:
-# name: acmetool/cert
-# vars:
-# acmetool_cert_name: {{ item }}
-# loop:
-# - www.realraum.at
+++ /dev/null
-map $request_uri $wiki_page {
- ~^/wiki/doku\.php\?(.+&)?id=([^&]*) $2;
-}
-
-server {
- listen [::]:443 ssl;
- listen 443 ssl;
-
- server_name {{ wwwrealraum_urls | join(' ') }};
-
- include snippets/acmetool.conf;
- include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ wwwrealraum_urls[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ wwwrealraum_urls[0] }}/privkey;
- include snippets/hsts.conf;
-
- include snippets/security-headers.conf;
- add_header Content-Security-Policy "upgrade-insecure-requests";
- # Can be used rather than HSTS when it shouldn't be cached
-
-
- root /srv/realraumat/www/;
- access_log off;
-# rewrite_log on;
-
-
- # Default redirect to WordPress site
- location / {
- return 302 https://wp.realraum.at$request_uri;
- }
-
- location ~ ^/wiki/doku\.php {
- return 302 https://doku.realraum.at/$wiki_page;
- }
-
- # Specific file redirects to status subdomain
- location = /sensors.html {
- return 302 https://status.realraum.at/; # planned: 301
- }
-
- location = /status.json {
- add_header Access-Control-Allow-Origin "*";
- add_header Pragma "no-cache";
- add_header Cache-Control "no-cache";
- return 302 https://status.realraum.at/spaceapi.json; # planned: 301
- }
-
- location = /shmcache/status.json {
- add_header Access-Control-Allow-Origin "*";
- add_header Pragma "no-cache";
- add_header Cache-Control "no-cache";
- return 302 https://status.realraum.at/spaceapi.json; # planned: 301
- }
-
- location ~ ^/shmcache/(.*)$ {
- add_header Access-Control-Allow-Origin "*";
- add_header Pragma "no-cache";
- add_header Cache-Control "no-cache";
- return 302 https://status.realraum.at/ics/$1; # planned: 301
- }
-
- location = /gc_button1.gif {
- return 302 https://status.realraum.at/gc_button1.gif; # planned: 301
- }
- location = /kiosk1024x768.html {
- return 302 https://status.realraum.at/kiosk1024x768.html; # planned: 301
- }
- location = /kiosk1050x1680_2.html {
- return 302 https://status.realraum.at/kiosk1050x1680_2.html; # planned: 301
- }
- location = /kiosk1366x768.html {
- return 302 https://status.realraum.at/kiosk1366x768.html; # planned: 301
- }
- location = /kiosk1440x900.html {
- return 302 https://status.realraum.at/kiosk1440x900.html; # planned: 301
- }
- location = /kiosk1680x1050_1.html {
- return 302 https://status.realraum.at/kiosk1680x1050_1.html; # planned: 301
- }
- location = /kiosk768x1366.html {
- return 302 https://status.realraum.at/kiosk768x1366.html; # planned: 301
- }
- location = /kiosk768x1366sensors.html {
- return 302 https://status.realraum.at/kiosk768x1366sensors.html; # planned: 301
- }
- location = /kiosk900x1440.html {
- return 302 https://status.realraum.at/kiosk900x1440.html; # planned: 301
- }
- location = /kiosk.css {
- return 302 https://status.realraum.at/kiosk.css; # planned: 301
- }
- location = /kiosk.js {
- return 302 https://status.realraum.at/kiosk.js; # planned: 301
- }
- location = /logo-red_250x250.png {
- return 302 https://status.realraum.at/logo-red_250x250.png; # planned: 301
- }
- location = /logo-re_empty_100x100.png {
- return 302 https://status.realraum.at/logo-re_empty_100x100.png; # planned: 301
- }
- location = /logo-re_open_100x100.png {
- return 302 https://status.realraum.at/logo-re_open_100x100.png; # planned: 301
- }
- location = /purl.js {
- return 302 https://status.realraum.at/purl.js; # planned: 301
- }
- location = /vis.css {
- return 302 https://status.realraum.at/vis.css; # planned: 301
- }
- location = /vis.js {
- return 302 https://status.realraum.at/vis.js; # planned: 301
- }
-
- error_page 404 /404.html;
-
-}