Introduce Kumpir, our new www server, add wordpress role (#26)

* Introduce Kumpir, our new www server, add wordpress role

* move kumpir to services group, use safer distinction for ssl_cert location, reduce www playbook

* set server type to services

* fix typo

* rename service-wordpress to service-nginx-wordpress

* Add service-nginx-etherpad role

* Add ed25519 keypair for system_users when supported.

* Revert "Add ed25519 keypair for system_users when supported."

This reverts commit ffef991ca41185d19953b96439e80b1b9a6ba534.

* Change generated keys format to ed25519

* fix indention of nginx templates, reduce amount of needed tasks by adding extra_opts to unarchive, remove not needed mysql db tasks, make new acme_server default

* Change new default preference for acme servers, marking acme_server zuckerwatte deprecated soon.

.gitignore

@@ -2,3 +2,6 @@ playbooks/test.yml
 roles/geerlingguy.mysql
 roles/powerdns.pdns
 roles/lean_delivery.java
+roles/geerlingguy.php
+roles/systemli.etherpad
+roles/geerlingguy.nodejs

ansible.cfg

@@ -9,6 +9,7 @@ stdout_callback		= yaml
 bin_ansible_callbacks	= True
 jinja2_extensions	= jinja2.ext.do
 forks			= 10
+allow_world_readable_tmpfiles = True
 
 [privilege_escalation]
 become			= True

inventory/group_vars/all

@@ -219,6 +219,51 @@ wireguard_networks:
       - unifi
       - suesskartoffel
     port: 50035
+  - ipv4: 10.87.253.72/31
+    peers:
+      - kumpir
+      - ingwer
+    port: 50036
+  - ipv4: 10.87.253.74/31
+    peers:
+      - kumpir
+      - spinat
+    port: 50037
+  - ipv4: 10.87.253.76/31
+    peers:
+      - kumpir
+      - uffschnitt
+    port: 50038
+  - ipv4: 10.87.253.78/31
+    peers:
+      - kumpir
+      - lotuswurzel
+    port: 50039
+  - ipv4: 10.87.253.80/31
+    peers:
+      - kumpir
+      - wasserfloh
+    port: 50040
+  - ipv4: 10.87.253.82/31
+    peers:
+      - kumpir
+      - linse
+    port: 50041
+  - ipv4: 10.87.253.84/31
+    peers:
+      - kumpir
+      - kichererbse
+    port: 50042
+  - ipv4: 10.87.253.86/31
+    peers:
+      - kumpir
+      - suesskartoffel
+    port: 50043
+  - ipv4: 10.87.253.88/31
+    peers:
+      - kumpir
+      - unifi
+    port: 50044
 
 fastd_groups:
   - gateways

inventory/host_vars/kumpir.freifunk-mwu.de

@@ -0,0 +1,63 @@
+---
+server_type: "services"
+
+magic: 162
+
+acme_server: linse
+
+
+php_packages:
+  - php
+  - php-fpm
+  - php-cli
+  - php-gd
+  - php-mysql
+  - php-mbstring
+  - php-xml
+php_webserver_daemon: "nginx"
+php_default_version_debian: "7.3"
+php_enable_php_fpm: true
+php_use_managed_ini: true
+php_upload_max_filesize: "512M"
+php_post_max_size: "512M"
+
+wp_install_dir: "/var/www/wordpress"
+wp_mysql_db: "wordpress"
+wp_mysql_user: "wordpress"
+wp_mysql_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_wordpress') }}"
+wp_service_name: "blog.freifunk-mainz.de"
+
+
+mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root') }}"
+mysql_databases:
+  - name: "wordpress"
+    encoding: "utf8mb4"
+    collation: "utf8mb4_unicode_ci"
+  - name: "etherpad"
+    encoding: "utf8mb4"
+    collation: "utf8mb4_unicode_ci"
+mysql_users:
+  - name: "wordpress"
+    host: "localhost"
+    password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_wordpress') }}"
+    priv: "wordpress.*:ALL"
+  - name: "etherpad"
+    host: "localhost"
+    password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_etherpad') }}"
+    priv: "etherpad.*:ALL"
+mysql_max_binlog_size: "100M"
+mysql_expire_logs_days: "10"
+mysql_bind_address: "127.0.0.1"
+
+nginx_ssl_directory: /etc/nginx/ssl/freifunk-mwu.de/
+
+nginx_etherpad_url: "pad.freifunk-mwu.de"
+
+etherpad_db_type: mysql
+etherpad_ip: 127.0.0.1
+etherpad_port: 9002
+etherpad_mysql_database_host: localhost
+etherpad_mysql_database_name: etherpad
+etherpad_mysql_database_user: etherpad
+etherpad_mysql_database_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_etherpad') }}"
+etherpad_mysql_database_port: 3306

inventory/services

@@ -2,3 +2,4 @@
 kichererbse.freifunk-mwu.de
 linse.freifunk-mwu.de
 unifi.freifunk-mwu.de
+kumpir.freifunk-mwu.de

inventory/www

@@ -0,0 +1,2 @@
+[www]
+kumpir.freifunk-mwu.de

playbooks/site.yml

@@ -6,3 +6,4 @@
 - import_playbook: dns.yml
 - import_playbook: buildservers.yml
 - import_playbook: unifi.yml
+- import_playbook: www.yml

playbooks/www.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- name: Webservers
+  hosts: www
+
+  roles:
+  - service-nginx-wordpress
+  - service-nginx-etherpad

requirements.yml

@@ -1,3 +1,5 @@
 - src: geerlingguy.mysql
 - src: powerdns.pdns
 - src: lean_delivery.java
+- src: geerlingguy.php
+- src: systemli.etherpad

roles/service-nginx-etherpad/README.md

@@ -0,0 +1,16 @@
+# Ansible Role: Etherpad Nginx Config
+
+Ansible role that installs and configures Nginx for Etherpad.
+
+
+## Requirements & Dependencies
+- service-nginx
+- systemli.etherpad
+
+
+## Variables
+
+```yaml
+etherpad_service_name: www.example.com (required)
+nginx_ssl_directory: /etc/nginx/ssl/freifunk-mwu.de/ (required)
+```

roles/service-nginx-etherpad/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted

roles/service-nginx-etherpad/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - service-nginx
+  - systemli.etherpad

roles/service-nginx-etherpad/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Etherpad | Nginx | Copy virtual host configuration file
+  template:
+    src: "nginx-vhost.j2"
+    dest: /etc/nginx/conf.d/{{ nginx_etherpad_url.split(".")[0] }}.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart nginx

roles/service-nginx-etherpad/templates/nginx-vhost.j2

@@ -0,0 +1,38 @@
+server {
+		listen 80;
+		listen [::]:80;
+		server_name {{ nginx_etherpad_url }};
+		return 301 https://$http_host$request_uri;
+}
+
+map $http_upgrade $connection_upgrade {
+				default upgrade;
+				'' close;
+		}
+
+server {
+		listen 443 ssl http2;
+		listen [::]:443 ssl http2;
+		server_name {{ nginx_etherpad_url }};
+
+		ssl_certificate {{ nginx_ssl_directory }}fullchain.pem;
+		ssl_certificate_key {{ nginx_ssl_directory }}privkey.pem;
+		ssl_prefer_server_ciphers       on;
+
+		location / {
+				proxy_pass             http://localhost:9002/;
+				proxy_set_header       Host $host;
+				proxy_pass_header Server;
+				# be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+				proxy_buffering off;
+				proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
+				proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+				proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+				proxy_set_header Host $host;  # pass the host header
+				proxy_http_version 1.1;  # recommended with keepalive connections
+				# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
+				proxy_set_header Upgrade $http_upgrade;
+				proxy_set_header Connection $connection_upgrade;
+		}
+
+}

roles/service-nginx-wordpress/README.md

@@ -0,0 +1,34 @@
+<p align="center">
+  <img width="150" height="150" src="https://upload.wikimedia.org/wikipedia/commons/9/98/WordPress_blue_logo.svg">
+</p>
+
+# Ansible Role: WordPress
+
+Ansible role that installs and configures WordPress with Nginx.
+
+Features include:
+- Installation of any WordPress version to specified directory
+- Configuration of `wp-config.php`
+- Fetch random salts for wp-config.php (https://api.wordpress.org/secret-key/1.1/salt/)
+
+## Requirements & Dependencies
+- Ansible 1.4 or higher
+- Curl
+
+## Variables
+Here is a list of all the default variables for this role, which are also available in `defaults/main.yml`.
+
+```yaml
+wp_version: latest
+wp_install_dir: '/var/www/html'
+wp_db_name: "{{ wp_mysql_db }}" (required)
+wp_db_user: "{{ wp_mysql_user }}" (required)
+wp_db_password: "{{ wp_mysql_password }}" (required)
+wp_db_host: 'localhost'
+wp_db_charset: 'utf8mb4'
+wp_db_collate: 'utf8mb4_unicode_ci'
+wp_table_prefix: 'wp_'
+wp_debug: false
+wp_admin_email: 'admin@example.com'
+site_name: "{{ wp_sitename }}" (requires)
+```

roles/service-nginx-wordpress/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+wp_version: latest
+wp_install_dir: '/var/www/html'
+wp_db_name: "{{ wp_mysql_db }}"
+wp_db_user: "{{ wp_mysql_user }}"
+wp_db_password: "{{ wp_mysql_password }}"
+wp_db_host: 'localhost'
+wp_db_charset: 'utf8mb4'
+wp_db_collate: 'utf8mb4_unicode_ci'
+wp_table_prefix: 'wp_'
+wp_debug: false
+wp_admin_email: 'admin@example.com'
+site_name: "{{ wp_sitename }}"

roles/service-nginx-wordpress/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted

roles/service-nginx-wordpress/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies:
+  - service-nginx
+  - geerlingguy.php
+  - geerlingguy.mysql

roles/service-nginx-wordpress/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Wordpress | Create directory
+  file:
+    path: "{{ wp_install_dir }}"
+    state: directory
+    mode: 0755
+
+- name: Wordpress | Extract archive in {{ wp_install_dir }}
+  unarchive:
+    src: "http://wordpress.org/wordpress-{{ wp_version }}.tar.gz"
+    dest: "{{ wp_install_dir }}"
+    extra_opts:
+    -  --strip-components=1
+    remote_src: yes
+
+- name: Wordpress | Fetch random salts for wp-config.php
+  delegate_to: localhost
+  command: curl https://api.wordpress.org/secret-key/1.1/salt/
+  become: False
+  args:
+    warn: false
+  register: 'wp_salt'
+
+- name: Wordpress | Copy wp-config.php file
+  template:
+    src: wp-config.php.j2
+    dest: "{{ wp_install_dir }}/wp-config.php"
+
+- name: Wordpress | Change ownership of installation directory
+  file:
+    path: "{{ wp_install_dir }}"
+    owner: www-data
+    group: www-data
+    state: directory
+    recurse: yes
+
+- name: Wordpress | Nginx | Copy virtual host configuration file
+  template:
+    src: "nginx-vhost.j2"
+    dest: /etc/nginx/conf.d/{{ wp_service_name.split(".")[0] }}.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart nginx

roles/service-nginx-wordpress/templates/nginx-vhost.j2

@@ -0,0 +1,52 @@
+server {
+		listen 80;
+		listen [::]:80;
+		server_name {{ wp_service_name }};
+		return 301 https://$http_host$request_uri;
+}
+
+server {
+		listen 443 ssl http2;
+		listen [::]:443 ssl http2;
+		server_name {{ wp_service_name }};
+
+		ssl_certificate {{ nginx_ssl_directory }}fullchain.pem;
+		ssl_certificate_key {{ nginx_ssl_directory }}privkey.pem;
+		ssl_prefer_server_ciphers       on;
+
+
+		root {{ wp_install_dir }};
+
+		# Add index.php to the list if you are using PHP
+		index index.php;
+
+		server_name {{ wp_service_name }};
+
+		client_max_body_size 1024M;
+
+		location / {
+				# First attempt to serve request as file, then
+				# as directory, then fall back to displaying a 404.
+				#try_files $uri $uri/ =404;
+				try_files $uri $uri/ /index.php$is_args$args;
+		}
+
+		location = /favicon.ico { log_not_found off; access_log off; }
+		location = /robots.txt { log_not_found off; access_log off; allow all; }
+		location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
+				expires max;
+				log_not_found off;
+		}
+
+		# pass the PHP scripts to FastCGI server listening on socket
+		location ~ \.php$ {
+				try_files $uri =404;
+				include /etc/nginx/fastcgi_params;
+				fastcgi_read_timeout 3600s;
+				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+				fastcgi_pass 127.0.0.1:9000;
+				fastcgi_split_path_info ^(.+\.php)(/.+)$;
+				fastcgi_index index.php;
+	 }
+
+}

roles/service-nginx-wordpress/templates/wp-config.php.j2

@@ -0,0 +1,60 @@
+<?php
+/**
+ * The base configurations of the WordPress.
+ *
+ * This file has the following configurations: MySQL settings, Table Prefix,
+ * Secret Keys, and ABSPATH. You can find more information by visiting
+ * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
+ * Codex page. You can get the MySQL settings from your web host.
+ *
+ * This file is used by the wp-config.php creation script during the
+ * installation. You don't have to use the web site, you can just copy this file
+ * to "wp-config.php" and fill in the values.
+ *
+ * @package WordPress
+ */
+// ** MySQL settings - You can get this info from your web host ** //
+/** The name of the database for WordPress */
+define('DB_NAME', '{{wp_db_name}}');
+/** MySQL database username */
+define('DB_USER', '{{wp_db_user}}');
+/** MySQL database password */
+define('DB_PASSWORD', '{{wp_db_password}}');
+/** MySQL hostname */
+define('DB_HOST', '{{wp_db_host}}');
+/** Database Charset to use in creating database tables. */
+define('DB_CHARSET', '{{wp_db_charset}}');
+/** The Database Collate type. Don't change this if in doubt. */
+define('DB_COLLATE', '{{wp_db_collate}}');
+/**#@+
+ * Authentication Unique Keys and Salts.
+ *
+ * Change these to different unique phrases!
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
+ *
+ * @since 2.6.0
+ */
+{{wp_salt.stdout}}
+/**#@-*/
+/**
+ * WordPress Database Table prefix.
+ *
+ * You can have multiple installations in one database if you give each a unique
+ * prefix. Only numbers, letters, and underscores please!
+ */
+$table_prefix  = '{{wp_table_prefix}}';
+/**
+ * For developers: WordPress debugging mode.
+ *
+ * Change this to true to enable the display of notices during development.
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG
+ * in their development environments.
+ */
+define('WP_DEBUG', {{wp_debug}});
+/* That's all, stop editing! Happy blogging. */
+/** Absolute path to the WordPress directory. */
+if ( !defined('ABSPATH') )
+	define('ABSPATH', dirname(__FILE__) . '/');
+/** Sets up WordPress vars and included files. */
+require_once(ABSPATH . 'wp-settings.php');

roles/service-nginx/templates/default.conf.j2

@@ -23,9 +23,13 @@ server {
 
     charset utf-8;
     server_tokens off;
-
+{% if acme_server == 'zuckerwatte' %}
     ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
     ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+{% else %}
+    ssl_certificate     /etc/nginx/ssl/{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ http_domain_external }}/privkey.pem;
+{% endif %}
 
     include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
 

roles/service-nginx/templates/ssl_certs.cron.j2

@@ -1,13 +1,20 @@
 #!/bin/sh
-
+{% if acme_server == 'zuckerwatte' %}
 DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}"
+{% else %}
+DOMAINS={{ http_domain_external }}
+{% endif %}
 LOCAL_DIR="/etc/nginx/ssl"
 
 for DOMAIN in $DOMAINS;
 do
  #Get Certs
+ {% if acme_server == 'zuckerwatte' %}
  rsync --delete -rz -e  'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
-  
+ {% else %}
+ rsync --delete -rz -e  'ssh -i /home/admin/.ssh/id_ed25519 -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
+ {% endif %}
+
  #Fix Permissions
  chmod 0550 $LOCAL_DIR/$DOMAIN
  chmod 0440 $LOCAL_DIR/$DOMAIN/*

roles/users/tasks/main.yml

@@ -11,7 +11,7 @@
     shell: "{{ item.shell }}"
     home: "{{ item.home }}"
     generate_ssh_key: "{{ item.generate_ssh_key }}"
-    ssh_key_bits: "{{ item.ssh_key_bits }}"
+    ssh_key_type: "{{ item.ssh_key_type }}"
     state: "{{ item.state }}"
   loop: "{{ system_users }}"
 

roles/users/vars/main.yml

@@ -6,8 +6,8 @@ system_users:
     home: "/home/admin"
     state: "present"
     ssh_keys: "{{ ssh_keys_admin_team }}"
+    ssh_key_type: ed25519
     generate_ssh_key: "yes"
-    ssh_key_bits: 4096
 
 admin_users: