Add configuration for forwarder service

Author: MTecknology

Makefile

@@ -28,8 +28,8 @@ test: test-debian test-ubuntu test-rocky
 test-%: tpod_%
 	podman run --rm -it \
 		--hostname service01-test \
-		-v "$(PWD):/srv/ansible" \
-		tpod_$* /srv/ansible/test/docker/test.sh
+		-v "$(PWD):/srv/services" \
+		tpod_$* /srv/services/test/docker/test.sh
 
 
 ##
@@ -45,7 +45,7 @@ tpod_%:
 login-%: tpod_%
 	podman run --rm -it \
 		--hostname service01-test \
-		-v "$(PWD):/srv/ansible" \
+		-v "$(PWD):/srv/services" \
 		tpod_$* /bin/bash
 
 

README.md

@@ -4,22 +4,17 @@ Recovery Source: Services
 This repository provides a "standardized" solution to test, deploy, and maintain
 various web "services" provided by [Recovery Source](https://handbook.recoverysource.net/).
 
-Basic Workflows
----------------
-
-To Do ...
-
 Repository Structure
 --------------------
 
-The structure of this repository:
+Important directories:
 
-- ``Makefile``: Convenient helper tasks
-- ``data/``: Primary source of data (all known 12-Step groups)
-- ``sync/``: Python3 module that collects and re-mangles data
-- ``web_index/``: Hugo-based website that hosts https://sober.page
-- ``ansible/``: Used for configuration management (deploy, maintain, etc.)
-- ``test/``: Data used for automated testing
+- **data**: Source data for all services
+- **web_index**: [Directory listing of 12-Step groups](https://sober.page/)
+- **nameserver**: Configuration for [DNS](https://handbook.recoverysource.net/essentials/websites.html#domain-name-system) services
+- **forwarder**: Configuration for "HTTP Redirector" service
+- **sync**: Python module used to synchronize data
+- **test**: Data used for automated testing
 
 Web Index
 ---------
@@ -69,23 +64,7 @@ of feed locations (type+url)
 Sync
 ----
 
-Data synchronization is done using the ``sync`` python module.
-
-**$ cd services && python3 -m sync -h**:
+Data synchronization is done using the ``sync`` python module:
 ```
-usage: python3 -m sync [-h] [actions] <options>
-
-Synchronize sober.page data with various destinations
-
-options:
-  -h, --help        show this help message and exit
-  -H <path>         Path to source data (hugo format)
-  -w <path>         Local workspace used for importing/caching data
-  -l <level>        Log level (DEBUG, INFO*, WARNING, ERROR)
-
-actions[*]:
-  -m <path>         Generate nginx map file at <path>
-  -z <zone>:<path>  Generate bind9 zone (db) at <path>
-
-[*] At least one script action must be specified.
+$ cd services && python3 -m sync -h
 ```

ansible/bootstrap

@@ -69,12 +69,12 @@ elif command -v dnf >/dev/null; then
 fi
 
 NOTE 'Verify the ansible repository is present'
-if [ ! -d /srv/ansible ]; then
-	git clone -b release https://github.com/recoverysource/services /srv/ansible
+if [ ! -d /srv/services ]; then
+	git clone -b release https://github.com/recoverysource/services /srv/services
 fi
 
 NOTE 'Change to ansible directory' # avoids repetitive references
-cd /srv/ansible/ansible || exit 1
+cd /srv/services/ansible || exit 1
 
 NOTE 'Unpack vault password'
 if [ ! -e .vaultpass ]; then

ansible/roles/common/tasks/baseline.yml

@@ -79,13 +79,13 @@
 - name: Obtain copy of configuration repository
   ansible.builtin.git:
     repo: https://github.com/recoverysource/services.git
-    dest: /srv/ansible
+    dest: /srv/services
     update: false  # ansible-forced updates will reset local history
     version: release
 
 - name: Add self-managed ansible runs to cron
   ansible.builtin.cron:
-    job: "cd /srv/ansible/ansible && git pull && ansible-playbook maintenance.yml"
+    job: "cd /srv/services/ansible && git pull && ansible-playbook maintenance.yml"
     name: ansible-maintenance
     special_time: hourly
   when: "'test' not in ansible_os_family"

ansible/roles/custom/tasks/main.yml

@@ -1,4 +1,9 @@
-- name: Run extra tasks for "service" hosts
-  ansible.builtin.include_tasks:
-    file: service.yml
+- name: Include name server on (service) hosts
+  ansible.builtin.include_role:
+    name: nameserver
+  when: "'service' in ansible_hostname"
+
+- name: Include forwarding service on (service) hosts
+  ansible.builtin.include_role:
+    name: forwarder
   when: "'service' in ansible_hostname"

ansible/roles/nginx/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: Restart nginx service
+  listen: restart-nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
+
+- name: Reload nginx service
+  listen: reload-nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded

ansible/roles/nginx/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Install nginx package
+  ansible.builtin.package:
+    name: nginx
+
+- name: Manage no-tokens.conf
+  ansible.builtin.copy:
+    dest: /etc/nginx/conf.d/no-tokens.conf
+    content: |
+      server_tokens off;
+    mode: '0644'
+  notify: reload-nginx
+
+- name: Manage ssl-settings.conf
+  ansible.builtin.copy:
+    dest: /etc/nginx/conf.d/ssl-settings.conf
+    content: |
+      ssl_session_cache shared:SSL:10m;
+      ssl_session_tickets off;
+      ssl_session_timeout 10m;
+      ssl_stapling on;
+      ssl_stapling_verify on;
+    mode: '0644'
+  notify: reload-nginx
+
+- name: Manage nginx.conf
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    mode: '0644'
+  notify: reload-nginx
+
+- name: Remove default site configuration
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: reload-nginx
+
+- name: Ensure service is running
+  ansible.builtin.service:
+    name: nginx
+    state: started

ansible/roles/nginx/templates/nginx.conf

@@ -0,0 +1,64 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 1000;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048; 
+	# server_tokens off;
+	etag on;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;  
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	#include /etc/nginx/sites-enabled/*;
+	include /etc/nginx/conf.d/*.conf;
+}

forwarder/nginx.conf forwarder/files/nginx_forwarder.confforwarder/nginx.conf renamed to forwarder/files/nginx_forwarder.conf

@@ -0,0 +1,22 @@
+- name: Depends on nginx role
+  ansible.builtin.include_role:
+    name: nginx
+
+- name: Manage nginx forwarder configuration
+  ansible.builtin.copy:
+    src: nginx_forwarder.conf
+    dest: /etc/nginx/conf.d/forwarder.conf
+  notify: reload-nginx
+
+- name: Ensure canonical_redirects.map exists
+  ansible.builtin.command:
+    chdir: /srv/service
+    cmd: python3 -m sync -n /etc/nginx/canonical_redirects.map
+    creates: /etc/nginx/canonical_redirects.map
+  notify: reload-nginx
+
+- name: Regularly re-generate canonical_redirects.map
+  ansible.builtin.cron:
+    job: "cd /srv/service && python3 -m sync -n /etc/nginx/canonical_redirects.map && service nginx reload"
+    name: canonical_redirects
+    special_time: hourly