From 2667d5affcbda113b95dd130f4482493e73efab3 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Sun, 19 Jun 2022 22:40:12 +0200
Subject: [PATCH] start writting config files
---
 README.md | 32 +++++++++++++++++++++
 tasks/main.yml | 43 +++++++++++++++++++++++++++-
 templates/http_server.j2 | 61 ++++++++++++++++++++++++++++++++++++++++
 templates/nginx.conf | 4 ++-
 templates/proxy_pass.j2 | 17 +++++++++++
 5 files changed, 155 insertions(+), 2 deletions(-)
 create mode 100644 templates/http_server.j2
 create mode 100644 templates/proxy_pass.j2
diff --git a/README.md b/README.md
index f4097b8..df3ea84 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,13 @@ This role is part of my ansible roles. It is made to interact with other roles t
 ```
 ansible_managed: str, msg indicating a file managed by ansible
+http_sites: dictionnary of site, see the Http Sites section bellow
+```
+
+## Optionnal variables
+
+```
+in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
 ```
 ## Add role to you ansible playbook:
@@ -21,6 +28,31 @@ git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/nginx.git roles/ngin
 git submodule init
 ```
+## Http Sites
+
+The variable `http_sites` is a dictionnary of the http site managed by nginx.
+
+```
+http_sites:
+ `server_name`:
+ root_snippets:
+ - ? TODO
+ locations:
+ `location`:
+ template: `template`
+ ...
+```
+
+`server_name` is the string corresponding to the server name (eg: "example.com").
+
+`root_snippets` is a list of snippets/templates (To be determine) containing configurations for the http server.
+
+`locations` is a dictionnary of location block. `location` (the key of an item) is the location (eg, "/"), `template` is the jinja template defining the contant of the location block. Other variables can be added to the location block depending on the template used.
+
+Inside the templates, `server_name` is accessed with `{{ item.key }}`, en variables of the server block with `{{ item.value.varname }}`.
+
+Inside templates of a location, in addition to the variables of the server block, the variables of the location block can be accessed with `{{ location.value.varname }}`, and the value of `location` with `{{ location.key }}`.
+
 ## Copyright
 Copyright 2021 Jean-Marie Mineau
diff --git a/tasks/main.yml b/tasks/main.yml
index 0305825..95f3aa6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,11 +2,14 @@
 - name: Install NGINX
 apt:
 update_cache: true
- name: nginx
+ name: "{{ item }}"
 state: latest
 register: apt_result
 retries: 3
 until: apt_result is succeeded
+ loop:
+ - nginx
+ - "python3-cryptography"
 - name: Copy snippets
 template:
@@ -20,6 +23,11 @@
 path: /etc/nginx/certs
 state: directory
+- name: check if dummy cert exist
+ stat:
+ path: /etc/nginx/certs/dummy.pem
+ register: dummy_cert
+
 - name: Create a dummy cert
 block:
 - name: Generate private key
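Review bot: `state: latest` on the now-looped `Install NGINX` apt task upgrades nginx and python3-cryptography on every play run instead of only ensuring they are installed, so a routine run can pull an unplanned nginx upgrade and restart; `state: present` keeps the task idempotent and leaves upgrades to a deliberate step. The loop quotes `"python3-cryptography"` but not `nginx`; either form works, but the two entries should match.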
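Review bot: The `check if dummy cert exist` stat looks only at `/etc/nginx/certs/dummy.pem`, but the later `Use the dummy key` task links every site's `.key` to `/etc/nginx/certs/dummy.key`; on a host where the pem survived and the key did not, the generation block guarded by the `when:` in the next hunk is skipped and nginx is handed a dangling key link. Stat the key too, e.g. `register: dummy_key` on a second stat, and generate when either file is missing. The `Create a dummy cert` block starts here and continues outside the hunk.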
@@ -38,6 +46,7 @@
 privatekey_path: /etc/nginx/certs/dummy.key
 csr_path: /etc/nginx/certs/dummy.req
 provider: selfsigned
+ when: dummy_cert.stat.exists == False
 - name: Add wasm to mime type
 lineinfile:
@@ -54,8 +63,40 @@
 src: nginx.conf
 dest: /etc/nginx/nginx.conf
+# TODO: << Manage reverse proxy >>
 - name: Create the SSL reverse proxy conf
 template:
 src: stream_rp.conf
 dest: /etc/nginx/stream_rp.conf
 force: no
+
+# Manage each http site
+- name: Copy reverse proxy sites
+ template:
+ src: http_server.j2
+ dest: "/etc/nginx/sites-available/{{ item.key }}"
+ loop: "{{ http_sites | dict2items}}"
+
+- name: Use the dummy certificate
+ file:
+ src: /etc/nginx/certs/dummy.pem
+ dest: "/etc/nginx/certs/{{ item.key }}.crt"
+ state: link
+ force: no
+ loop: "{{ http_sites | dict2items}}"
+
+- name: Use the dummy key
+ file:
+ src: /etc/nginx/certs/dummy.key
+ dest: "/etc/nginx/certs/{{ item.key }}.key"
+ state: link
+ force: no
+ loop: "{{ http_sites | dict2items}}"
+
+- name: Activate sites
+ file:
+ src: "/etc/nginx/sites-available/{{ item.key }}"
+ dest: "/etc/nginx/sites-enabled/{{ item.key }}"
+ state: link
+ force: yes
+ loop: "{{ http_sites | dict2items}}"
diff --git a/templates/http_server.j2 b/templates/http_server.j2
new file mode 100644
index 0000000..d6b61ed
--- /dev/null
+++ b/templates/http_server.j2
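Review bot: `when: dummy_cert.stat.exists == False` compares against a Python literal; the idiomatic, lint-clean form is `when: not dummy_cert.stat.exists`. The `Create a dummy cert` block this `when:` attaches to starts outside the hunk.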
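Review bot: `Use the dummy certificate` and `Use the dummy key` use `state: link` with `force: no`, and the `file` module errors rather than skips when the destination already exists as a regular file and `force` is off, so once a real certificate or key has been placed at `/etc/nginx/certs/<site>.crt` or `.key` by whatever issues it, these tasks fail and the role stops being re-runnable. Guard them on the destination instead, e.g. a stat of the `.crt`/`.key` path and `when: not site_cert.stat.exists`, and record the intent with a comment such as `# bootstrap only: the dummy links are left in place until a real cert replaces them`. Separately, none of the template or link tasks here `notify` a reload handler and nothing runs `nginx -t`, so a malformed `http_sites` entry only surfaces at the next manual restart; a handler may exist elsewhere in the role, but nothing in this hunk references one. Minor: `dict2items}}` is missing the space before `}}` in all four loops.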
@@ -0,0 +1,61 @@
+{{ ansible_managed | comment }}
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.key }};
+ # Redirect to https
+ location / {
+ return 302 https://$host$request_uri;
+ }
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # FLoC you google
+ add_header Permissions-Policy interest-cohort=();
+
+ {% if in_memoriam is defined -%}
+ # "A man is not dead while his name is still spoken." -- Going Postal
+ add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
+ {%- endif %}
+}
+
+server {
+ # listen port + ssl
+ {# <- TODO: Allow other ports -> -#}
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/nginx/certs/{{ item.key }}.crt;
+ ssl_certificate_key /etc/nginx/certs/{{ item.key }}.key;
+ {# <- TODO: Allow other ports -> #}
+
+ server_name {{ item.key }};
+
+ {# <- TODO: move this to defaut root snippets -> -#}
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # FLoC you google
+ add_header Permissions-Policy interest-cohort=();
+
+ {% if in_memoriam is defined -%}
+ # "A man is not dead while his name is still spoken." -- Going Postal
+ add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
+ {% endif -%}
+ {# <- TODO: move this to defaut root snippets -> -#}
+
+ # Logs
+ access_log /var/log/nginx/{{ item.key }}.log;
+ error_log /var/log/nginx/{{ item.key }}_error.log;
+
+ {% for location in (item.value.locations | default([]) | dict2items) -%}
+ location {{ location.key }} {
+ {% filter indent(width=8) -%}
+ {% include location.value.template -%}
+ {%- endfilter %}
+ }
+ {%- endfor %}
+
+}
+
diff --git a/templates/nginx.conf b/templates/nginx.conf
index 0e5334a..8e2719c 100644
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
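Review bot: The TLS server block sends no `Strict-Transport-Security` header, so the port-80 `return 302` is the only thing steering clients to HTTPS and every fresh visit starts over plain HTTP; add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `Permissions-Policy` line once real certificates are in place, and make the redirect a permanent `return 301` (or 308) rather than the temporary 302. Note that nginx `add_header` is not additive across levels: any location template that sets its own `add_header` drops the server-level `Permissions-Policy` and `X-Clacks-Overhead` headers for that location, which deserves a comment at the `{% for location ... %}` loop, e.g. `{# add_header in an included location template replaces the server-level headers #}`. `ssl_protocols`/`ssl_ciphers` are not set here; if they live in the `http {}` block of `templates/nginx.conf` that is fine, but it is not visible in this diff.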
@@ -28,8 +28,10 @@ http {
 error_log /var/log/nginx/error.log;
 gzip off; # compression and crypto don't mix
- # include /etc/nginx/conf.d/*.conf; # Ansible
+
+ include /etc/nginx/snippets/connection_upgrade.conf;
+ include /etc/nginx/sites-enabled/*;
 }
diff --git a/templates/proxy_pass.j2 b/templates/proxy_pass.j2
new file mode 100644
index 0000000..30fcb6a
--- /dev/null
+++ b/templates/proxy_pass.j2
@@ -0,0 +1,17 @@
+proxy_pass {{ location.value.to }};
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
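Review bot: `include /etc/nginx/snippets/connection_upgrade.conf;` has to define the `$connection_upgrade` map that `proxy_pass.j2` uses in `proxy_set_header Connection $connection_upgrade;`, and the diff does not show that snippet being shipped (the `Copy snippets` task appears only as context in tasks/main.yml); if it is absent, `nginx -t` fails on an unknown variable for every site using that template. A comment on the include line, `# defines $connection_upgrade, required by templates/proxy_pass.j2`, would make the dependency explicit. The `http {` block this hunk sits in starts outside the hunk.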
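Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client supplied, so the upstream must trust only the last entry (or only this proxy); `X-Real-IP $remote_addr` is the value to prefer for logging or rate limiting, and the `# Pass the real client IP` comment should say which header carries the trustworthy address. The hard-coded `X-Forwarded-Proto https` is correct only because this template is reached from the 443 server in `http_server.j2`; state that on the comment, e.g. `# always https: only included from the TLS server block`. For WebSocket upstreams nginx's default `proxy_read_timeout` (60s) closes idle sockets; add `proxy_read_timeout` if the `to` target keeps long-lived connections.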