-rw-r--r--README.md10
-rw-r--r--inventory.yaml5
-rw-r--r--playbook.yml7
-rw-r--r--roles/nginx-cloudflare-mtls/README.md19
-rw-r--r--roles/nginx-cloudflare-mtls/defaults/main.yml3
-rw-r--r--roles/nginx-cloudflare-mtls/files/cloudflare.crt35
-rw-r--r--roles/nginx-cloudflare-mtls/meta/main.yml3
-rw-r--r--roles/nginx-cloudflare-mtls/tasks/main.yml10
-rw-r--r--roles/nginx-ufw/README.md6
-rw-r--r--roles/nginx-ufw/meta/main.yml4
-rw-r--r--roles/nginx-ufw/tasks/main.yml8
-rw-r--r--roles/nginx/README.md7
-rw-r--r--roles/nginx/handlers/main.yml7
-rw-r--r--roles/nginx/tasks/main.yml7
14 files changed, 131 insertions, 0 deletions
diff --git a/README.md b/README.md
index babe9ca..ac10a37 100644
--- a/README.md
+++ b/README.md
@@ -22,3 +22,13 @@ requirements.txt # Python requirements
1. Install project dependancies: `python -m pip install -r requirements.txt`
1. Install the pre-commit hook: `pre-commit install`
1. Create a `vault_passwords` file and write the vault password to it
+
+
+## Documentation
+
+Infrastructure-related documentation ("the big picture"), once a sufficient
+level of infrastructure is established, can be found in [`docs/`](./docs/).
+
+Documentation for our Ansible roles can be found in the `README.md` file of
+each role, and role defaults (at `roles/myrole/defaults/main.yml`) contain a
+commented view on which variables are configurable for the given role.
diff --git a/inventory.yaml b/inventory.yaml
index 6e2f382..95fd4c7 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -23,5 +23,10 @@ all:
lovelace:
hopper:
ritchie:
+ nginx:
+ hosts:
+ turing:
+ ritchie:
+ neumann:
vars:
wireguard_port: 46850
diff --git a/playbook.yml b/playbook.yml
index 784f023..83389f4 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,6 +6,13 @@
- ufw
- wireguard
+- name: Deploy nginx to hosts
+ hosts: nginx
+ roles:
+ - nginx
+ - nginx-ufw
+ - nginx-cloudflare-mtls
+
- name: Deploy podman to container service hosts
hosts: podman
roles:
diff --git a/roles/nginx-cloudflare-mtls/README.md b/roles/nginx-cloudflare-mtls/README.md
new file mode 100644
index 0000000..8d766ae
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/README.md
@@ -0,0 +1,19 @@
+# Role "nginx-cloudflare-mtls"
+
+Installs the certificate required for performing mutual TLS authentication
+between NGINX and Cloudflare.
+
+To use mutual TLS in your NGINX virtual hosts, add this configuration snippet:
+
+```nginx
+ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }};
+ssl_verify_client on;
+```
+
+
+## Variables
+
+See [role defaults](./defaults/main.yml) for an annotated overview.
+
+
+<!-- vim: set textwidth=80 ts=2 ts=2: -->
diff --git a/roles/nginx-cloudflare-mtls/defaults/main.yml b/roles/nginx-cloudflare-mtls/defaults/main.yml
new file mode 100644
index 0000000..ff1c667
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# The path at which to install the certificate.
+nginx_cloudflare_mtls_certificate_path: /etc/nginx/certs/cloudflare.crt
diff --git a/roles/nginx-cloudflare-mtls/files/cloudflare.crt b/roles/nginx-cloudflare-mtls/files/cloudflare.crt
new file mode 100644
index 0000000..0684b9e
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/files/cloudflare.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE----- \ No newline at end of file
diff --git a/roles/nginx-cloudflare-mtls/meta/main.yml b/roles/nginx-cloudflare-mtls/meta/main.yml
new file mode 100644
index 0000000..72b1bd7
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - nginx
diff --git a/roles/nginx-cloudflare-mtls/tasks/main.yml b/roles/nginx-cloudflare-mtls/tasks/main.yml
new file mode 100644
index 0000000..c10be7b
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: copy the cloudflare mutual TLS certificate
+ copy:
+ src: cloudflare.crt
+ dest: /etc/nginx/certs/cloudflare.crt;
+ owner: root
+ group: root
+ mode: 0444
+ tags:
+ - role::nginx-cloudflare-mtls
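Review bot: The `dest` of the copy task carries a stray semicolon, `dest: /etc/nginx/certs/cloudflare.crt;`, so the CA would be written to a file literally named `cloudflare.crt;` and never to the `nginx_cloudflare_mtls_certificate_path` default that this commit's role README tells operators to put in `ssl_client_certificate`. The task also hard-codes the path instead of reading that variable, and the `copy` module does not create the parent `/etc/nginx/certs` directory, which I believe a stock nginx package does not ship (worth confirming on the target distribution). I'd create the directory, template the destination from the variable, quote the file mode per Ansible convention, and notify the `reload the nginx service` handler from the `nginx` dependency so a rotated CA is picked up by vhosts already referencing it. Note that the pinned `files/cloudflare.crt` has its own expiry and is, as far as I know, shared by all Cloudflare customers, so `ssl_verify_client on` proves "came from Cloudflare", not "came from Cloudflare for my zone"; rotation is also a manual commit here.
```yaml
- name: create the nginx certificate directory
  file:
    path: "{{ nginx_cloudflare_mtls_certificate_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - role::nginx-cloudflare-mtls

- name: copy the cloudflare mutual TLS certificate
  copy:
    src: cloudflare.crt
    dest: "{{ nginx_cloudflare_mtls_certificate_path }}"
    owner: root
    group: root
    mode: "0444"
  notify: reload the nginx service
  tags:
    - role::nginx-cloudflare-mtls
```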
diff --git a/roles/nginx-ufw/README.md b/roles/nginx-ufw/README.md
new file mode 100644
index 0000000..042fda8
--- /dev/null
+++ b/roles/nginx-ufw/README.md
@@ -0,0 +1,6 @@
+# Role "nginx-ufw"
+
+Allows NGINX HTTP and HTTPS traffic through the UFW firewall.
+
+
+<!-- vim: set textwidth=80 sw=2 ts=2: -->
diff --git a/roles/nginx-ufw/meta/main.yml b/roles/nginx-ufw/meta/main.yml
new file mode 100644
index 0000000..dac7049
--- /dev/null
+++ b/roles/nginx-ufw/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - nginx
+ - ufw
diff --git a/roles/nginx-ufw/tasks/main.yml b/roles/nginx-ufw/tasks/main.yml
new file mode 100644
index 0000000..bea22aa
--- /dev/null
+++ b/roles/nginx-ufw/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: allow https traffic through the firewall
+ ufw:
+ app: WWW Secure
+ rule: allow
+ comment: nginx web server
+ tags:
+ - role::nginx-ufw
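Review bot: The rule opens only the `WWW Secure` profile (TCP 443), while the `nginx-ufw` README added in the same commit says the role allows HTTP and HTTPS; one of the two should change, and since these hosts are meant to serve Cloudflare over mutual TLS, keeping the firewall HTTPS-only and correcting the README is the safer direction. A comment on the task would make that intent explicit: `# HTTPS only: plain HTTP stays closed because origins are served through Cloudflare mTLS`. If the origins are only ever reached via Cloudflare, consider additionally constraining the rule with `src:` to Cloudflare's published IP ranges so the client-certificate check is not the only thing standing between the internet and the origin; I believe the `ufw` module takes a single source per rule, so that would become a `loop` over a variable holding the ranges.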
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 0000000..245cc99
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,7 @@
+# Role "nginx"
+
+Installs nginx on target hosts and provides a handler for reloading nginx, for
+instance on configuration change or certificate renewal.
+
+
+<!-- vim: set textwidth=80 sw=2 ts=2: -->
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..376d85a
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: reload the nginx service
+ service:
+ name: nginx
+ state: reloaded
+ tags:
+ - role::nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..849a09e
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: install nginx
+ package:
+ name: nginx
+ state: present
+ tags:
+ - role::nginx
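Review bot: The role installs the package but never ensures the service is enabled and running, yet the `reload the nginx service` handler and the role README both assume nginx is up; on distributions where installing the package does not start the unit (RHEL-family, unlike Debian/Ubuntu) a reload would then fail. The inventory does not show which OS turing, ritchie and neumann run, so this may be moot today, but an explicit state task costs nothing and makes the role self-contained. I'd add the following after the install task.
```yaml
- name: ensure nginx is enabled and running
  service:
    name: nginx
    state: started
    enabled: true
  tags:
    - role::nginx
```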