added proxy settings for nginx in jiskefet-role

SoftwareForScience · Jul 25, 2019 · 576d3db · 576d3db
1 parent 1a67704
commit 576d3db
Show file tree

Hide file tree

Showing 8 changed files with 193 additions and 11 deletions.
diff --git a/roles/jiskefet-backend/tasks/createdbuser.yml b/roles/jiskefet-backend/tasks/createdbuser.yml
@@ -4,9 +4,10 @@
     name: "{{ jiskefet_api_general_settings.TYPEORM_USERNAME }}"
     host: "{{inventory_hostname}}"
     password: "{{ jiskefet_api_general_settings.TYPEORM_PASSWORD }}"
-    check_implicit_admin: "yes"
     login_user: "root"
     login_password: "{{ mysql_root_password }}"
-    state: "present"
+    state: present
+    check_implicit_admin: yes
+    priv: "*.*:ALL,GRANT"
   tags: configuration
 ...
diff --git a/roles/jiskefet-common/tasks/set-default-values.yml b/roles/jiskefet-common/tasks/set-default-values.yml
@@ -42,12 +42,15 @@
       JISKEFET_UI: "{{ repository_branch.JISKEFET_UI if ((repository_branch is defined) and (repository_branch.JISKEFET_UI is defined) and (repository_branch.JISKEFET_UI | trim != '')) else 'develop'}}"
     USE_CERN_SSO: "{{ USE_CERN_SSO if ((USE_CERN_SSO is defined) and (USE_CERN_SSO | trim != '')) else 'false'}}"
     jiskefet_api_general_settings: 
+      AUTH_REDIRECT_URI: "{{ jiskefet_oauth_settings.AUTH_REDIRECT_URI if ((jiskefet_oauth_settings.AUTH_REDIRECT_URI is defined) and (jiskefet_oauth_settings.AUTH_REDIRECT_URI | trim != '')) else 'http://{{inventory_hostname}}/callback' }}"
+      JWT_SECRET_KEY: "{{ jiskefet_api_general_settings.JWT_SECRET_KEY if ((jiskefet_api_general_settings.JWT_SECRET_KEY is defined) and (jiskefet_api_general_settings.JWT_SECRET_KEY | trim != '')) else 'NHcW7x9K' }}"
       FILE_UPLOAD_LIMIT: "{{ file_upload_limit }}"
       APPLICATION_NAME: "{{ jiskefet_api_general_settings.APPLICATION_NAME if ((jiskefet_api_general_settings.APPLICATION_NAME is defined) and (jiskefet_api_general_settings.APPLICATION_NAME | trim != '')) else '{{ application_name }}' }}"
       USE_API_BASE_PATH: "{{ jiskefet_api_general_settings.USE_API_BASE_PATH if ((jiskefet_api_general_settings.USE_API_BASE_PATH is defined) and (jiskefet_api_general_settings.USE_API_BASE_PATH | trim != '')) else 'true'}}"
       PORT: "{{ jiskefet_api_general_settings.PORT if ((jiskefet_api_general_settings.PORT is defined) and (jiskefet_api_general_settings.PORT | trim != '')) else 3000}}"
-      # TYPEORM_HOST: "{{ jiskefet_api_general_settings.TYPEORM_HOST if ((jiskefet_api_general_settings.TYPEORM_HOST is defined) and (jiskefet_api_general_settings.TYPEORM_HOST | trim != '')) else ansible_default_ipv4.address }}"
       TYPEORM_CONNECTION: "{{ jiskefet_api_general_settings.TYPEORM_CONNECTION if ((jiskefet_api_general_settings.TYPEORM_CONNECTION is defined) and (jiskefet_api_general_settings.TYPEORM_CONNECTION | trim != '')) else 'mysql'}}"
+      TYPEORM_HOST: "{{ jiskefet_api_general_settings.TYPEORM_HOST if ((jiskefet_api_general_settings.TYPEORM_HOST is defined) and (jiskefet_api_general_settings.TYPEORM_HOST | trim != '')) else 'localhost'}}"
+      TYPEORM_DATABASE: "{{ jiskefet_api_general_settings.TYPEORM_DATABASE if ((jiskefet_api_general_settings.TYPEORM_DATABASE is defined) and (jiskefet_api_general_settings.TYPEORM_DATABASE | trim != '')) else 'jiskefetdb'}}"
       TYPEORM_USERNAME: "{{ jiskefet_api_general_settings.TYPEORM_USERNAME if ((jiskefet_api_general_settings.TYPEORM_USERNAME is defined) and (jiskefet_api_general_settings.TYPEORM_USERNAME | trim != '')) else 'jiskefet'}}"
       TYPEORM_PASSWORD: "{{ jiskefet_api_general_settings.TYPEORM_PASSWORD if ((jiskefet_api_general_settings.TYPEORM_PASSWORD is defined) and (jiskefet_api_general_settings.TYPEORM_PASSWORD | trim != '')) else 'abd1516812'}}"
       TYPEORM_PORT: "{{ jiskefet_api_general_settings.TYPEORM_PORT if ((jiskefet_api_general_settings.TYPEORM_PORT is defined) and (jiskefet_api_general_settings.TYPEORM_PORT | trim != '')) else 3306}}"
@@ -57,7 +60,7 @@
       SUB_SYSTEM_TOKEN_EXPIRES_IN: "{{ jiskefet_api_general_settings.SUB_SYSTEM_TOKEN_EXPIRES_IN if ((jiskefet_api_general_settings.SUB_SYSTEM_TOKEN_EXPIRES_IN is defined) and (jiskefet_api_general_settings.SUB_SYSTEM_TOKEN_EXPIRES_IN | trim != '')) else '365 days'}}" 
       USE_INFO_LOGGER: "{{ jiskefet_api_general_settings.USE_INFO_LOGGER if ((jiskefet_api_general_settings.USE_INFO_LOGGER is defined) and (jiskefet_api_general_settings.USE_INFO_LOGGER | trim != '')) else 'false'}}"
     jiskefet_api_optional_settings:
-      # TEST_DB_HOST: "{{ jiskefet_api_optional_settings.TEST_DB_HOST if ((jiskefet_api_optional_settings.TEST_DB_HOST is defined) and (jiskefet_api_optional_settings.TEST_DB_HOST | trim != '')) else ansible_default_ipv4.address }}"
+      TEST_DB_HOST: "{{ jiskefet_api_optional_settings.TEST_DB_HOST if ((jiskefet_api_optional_settings.TEST_DB_HOST is defined) and (jiskefet_api_optional_settings.TEST_DB_HOST | trim != '')) else 'localhost' }}"
       TEST_DB_CONNECTION: "{{ jiskefet_api_optional_settings.TEST_DB_CONNECTION if ((jiskefet_api_optional_settings.TEST_DB_CONNECTION is defined) and (jiskefet_api_optional_settings.TEST_DB_CONNECTION | trim != '')) else 'mysql'}}"
       TEST_DB_DATABASE: "{{ jiskefet_api_optional_settings.TEST_DB_DATABASE if ((jiskefet_api_optional_settings.TEST_DB_DATABASE is defined) and (jiskefet_api_optional_settings.TEST_DB_DATABASE | trim != '')) else 'test_{{ database_name }}'}}"
       TEST_DB_PORT: "{{ jiskefet_api_optional_settings.TEST_DB_PORT if ((jiskefet_api_optional_settings.TEST_DB_PORT is defined) and (jiskefet_api_optional_settings.TEST_DB_PORT | trim != '')) else 3306}}"
@@ -68,6 +71,8 @@
       APPLICATION_NAME: "{{ jiskefet_ui_settings.APPLICATION_NAME if ((jiskefet_ui_settings.APPLICATION_NAME is defined) and (jiskefet_ui_settings.APPLICATION_NAME | trim != '')) else '{{ application_name }}' }}"
       FILE_UPLOAD_LIMIT: "{{ file_upload_limit }} if ((jiskefet_ui_settings.FILE_UPLOAD_LIMIT is defined) and (jiskefet_ui_settings.FILE_UPLOAD_LIMIT | trim != '')) else '50000' }}"
       ALLOW_ANONYMOUS: "{{ jiskefet_ui_settings.ALLOW_ANONYMOUS }} if ((jiskefet_ui_settings.ALLOW_ANONYMOUS is defined) and (jiskefet_ui_settings.ALLOW_ANONYMOUS | trim != '')) else 'true' }}"
+    jiskefet_oauth_settings: 
+      AUTH_REDIRECT_URI: "{{ jiskefet_oauth_settings.AUTH_REDIRECT_URI if ((jiskefet_oauth_settings.AUTH_REDIRECT_URI is defined) and (jiskefet_oauth_settings.AUTH_REDIRECT_URI | trim != '')) else 'http://{{inventory_hostname}}/callback' }}"
   delegate_to: "{{ item }}"
   with_items:
     - "{{ groups.all }}"

diff --git a/roles/jiskefet-frontend/tasks/main.yml b/roles/jiskefet-frontend/tasks/main.yml
@@ -54,4 +54,7 @@
   tags:
     - git_pull
 
+- import_tasks: setupproxynginx.yml
+  tags:
+    - git_pull
 ...
diff --git a/roles/jiskefet-frontend/tasks/setupproxynginx.yml b/roles/jiskefet-frontend/tasks/setupproxynginx.yml
@@ -0,0 +1,35 @@
+---
+- name: Copy custom proxy.conf from local to remote
+  template:
+    src: proxy.conf.j2
+    dest: /etc/nginx/conf.d/proxy.conf
+  become_method: sudo
+  tags: configuration
+
+- name: Replace default nginx.conf
+  template: 
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+  become_method: sudo
+  tags: configuration
+
+- name: Change owner of folder /var/lib/nginx to {{ jiskefet_user }}
+  file:
+    path: /var/lib/nginx
+    state: directory
+    recurse: yes
+    owner: "{{ jiskefet_user }}"
+    group: "{{ jiskefet_user }}"
+  become_method: sudo
+  tags: configuration
+
+- name: Remove default.conf
+  file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
+
+- name: Test NGiNX config
+  command: nginx -T
+  become_method: sudo
+  tags: configuration
+...
diff --git a/roles/jiskefet-frontend/templates/nginx.conf.j2 b/roles/jiskefet-frontend/templates/nginx.conf.j2
@@ -0,0 +1,72 @@
+# /*
+#  * Copyright (C) 2018 Amsterdam University of Applied Sciences (AUAS)
+#  *
+#  * This software is distributed under the terms of the
+#  * GNU General Public Licence version 3 (GPL) version 3,
+#  * copied verbatim in the file "LICENSE"
+#  */
+
+user {{ jiskefet_user }};
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
diff --git a/roles/jiskefet-frontend/templates/proxy.conf.j2 b/roles/jiskefet-frontend/templates/proxy.conf.j2
@@ -0,0 +1,54 @@
+# /*
+#  * Copyright (C) 2018 Amsterdam University of Applied Sciences (AUAS)
+#  *
+#  * This software is distributed under the terms of the
+#  * GNU General Public Licence version 3 (GPL) version 3,
+#  * copied verbatim in the file "LICENSE"
+#  */
+
+server {
+    ## port to listen on
+    listen 80;
+    listen [::]:80;
+    listen 443;
+    listen [::]:443;
+    ## set root directory
+    root /var/lib/jiskefet/jiskefet-ui/;
+
+    ## if a page is not specified look for index.html
+    index src/index.html;
+
+    ## when root is accessed, go to whatever is specified in block
+    location / {
+        autoindex on;
+        try_files $uri /src/index.html; # used for not resolving the oauth callback in url /callback
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        add_header Content-Security-Policy {{ allow_csp_payload }};
+    }
+
+    ## reverse proxy 
+    location /api/ {
+        proxy_pass http://localhost:{{ jiskefet_api_general_settings.PORT }}/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        client_max_body_size {{ (file_upload_limit | int) * 1024 * 1024 }}; # Setting the file upload limit for the API
+    }
+
+    ## Media: images, icons, video, audio, HTC
+    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+
+    ## CSS and Javascript
+    #location ~* \.(?:css|js)$ {
+    # 	expires 1y;
+    # 	access_log off;
+    #	add_header Cache-Control "public";
+    #}
+}
diff --git a/roles/jiskefet-frontend/vars/main.yml b/roles/jiskefet-frontend/vars/main.yml
@@ -1,8 +1,18 @@
 ---
 use_local_repository: 'no'
+file_upload_limit: 500000
 
 remote_repository_url:
   JISKEFET_UI: https://github.com/SoftwareForScience/jiskefet-ui.git
 repository_branch:
   JISKEFET_UI: develop
+
+
+allow_csp_payload: >-
+    "default-src 'self' http://{{ inventory_hostname }} https://{{ inventory_hostname }}
+    http://localhost:{{jiskefet_api_general_settings.PORT}} https://localhost:{{jiskefet_api_general_settings.PORT}}
+    https://github.com https://api.github.com; script-src 'self' https://use.fontawesome.com/releases/v5.3.1/js/all.js
+    https://github.com https://api.github.com; style-src 'self' 'unsafe-inline'; object-src 'none'; font-src 'self'
+    data: fonts.gstatic.com; img-src https://*.githubusercontent.com
+    http://{{ inventory_hostname }} https://{{ inventory_hostname }}"
 ...
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
@@ -34,11 +34,13 @@
   tags: installation
 
 - name: Set root user password
-  mysql_user: name=root
-              host=localhost
-              password="{{ mysql_root_password }}"
-              check_implicit_admin=yes
-              login_user="root"
-              login_password="{{ mysql_root_old_password }}"
-              state=present
+  mysql_user: 
+    name: "root"
+    host: "localhost"
+    password: "{{ mysql_root_password }}"
+    login_user: "root"
+    login_password: "{{ mysql_root_old_password }}"
+    state: present
+    check_implicit_admin: yes
+    priv: "*.*:ALL,GRANT"
   tags: configuration