Initial commit

Joerg Lehmann 2021-03-31 15:50:39 +02:00
commit 4570e285eb
26 changed files with 21036 additions and 0 deletions

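--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+hcloud/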

59
README.md Normal file

@ -0,0 +1,59 @@
# wo-bisch-server - Server fuer den Dienst wo-bisch.ch
Code zum Erstellen des Servers
Spezifikaktion:
- CentOS 8
- Hetzner Cloud Server
- nginx Webserver/Proxy
- wo-bisch-web (Webapplikation/Golang)
- lorahandler (Webapplikation/Golang)
- Redis
## Erstellen des Servers
Mit dem Binary hcloud von:
https://github.com/hetznercloud/cli
Temporaer einen API Key erstellen (nachher wieder loeschen)
$ hcloud context create wo-bisch-server
$ hcloud image list # zeigt moegliche Images
$ hcloud server-type list # zeigt moegliche Typen
$ hcloud server create --name wobisch1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns wobisch1 --hostname wobisch1.nbit.ch
$ IPV6="$(hcloud server ip wobisch1 -6)"
$ hcloud server set-rdns wobisch1 --ip $IPV6 --hostname wobisch1.nbit.ch
DNS Eintraege erstellen:
$ hcloud server ip wobisch1
$ hcloud server ip wobisch1 -6
Root-Passwort setzen (das machen wir von Hand)
## Ansible Playbook laufen lassen
$ cd ansible
$ ansible-playbook -i production wo-bisch-server.yml
Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)!
### Let's Encrypt Zertifikat einrichten
# curl https://get.acme.sh | sh -s email=info@nbit.ch
# acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web
[Sa Feb 27 17:27:34 CET 2021] Your cert is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer
[Sa Feb 27 17:27:34 CET 2021] Your cert key is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key
[Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in /root/.acme.sh/wo-bisch.ch/ca.cer
[Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there: /root/.acme.sh/wo-bisch.ch/fullchain.cer
### Influxdb Users
admin: admin7355
Org: wobischorg
Bucket: wobischbucket
RW-Token: PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg==
RO-Token: TQvQxxLLAj1kTKWuEqcx7BA-KfE6WtJUeDlPa_Dnvms6Zqf6uh6lMbpXtzcsCjKO_x3PrpxxGDR5E6YnDB5PFg==
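Review bot: The InfluxDB admin password (`admin: admin7355`) and both API tokens at the end of this section are live credentials committed to the repository, and the RW token is reused verbatim in `telegraf.conf`, so anyone with read access to the repo or its history can write into the metrics bucket. They should be rotated now that they are in git history, and the README should only point at where secrets live, e.g. replace the four lines with `Credentials: see ansible/group_vars/all/vault.yml (ansible-vault)`. The `curl https://get.acme.sh | sh` step also runs unverified remote code as root; downloading the installer and pinning a tag or checking it against a published checksum before executing it is the safer sequence. The rDNS name set here (`wobisch1.nbit.ch`) differs from the inventory host `wobisch1.wo-bisch.ch`; the README should state which name is canonical.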

10
ansible/production Normal file

@ -0,0 +1,10 @@
[all:vars]
ansible_user=root
my_domain=wo-bisch.ch
zabbix_server_ip=195.201.222.24
mailserver=mail.nbit.ch
mail_forward_address=joerg.lehmann@nbit.ch
document_root=/home/appuser/wo-bisch-web
[wo_bisch_servers]
wobisch1.wo-bisch.ch
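Review bot: `ansible_user=root` means the whole deployment depends on direct root SSH staying enabled (the common role sets `PermitRootLogin without-password` for exactly this), which is a larger exposure than a dedicated automation account with a purpose-restricted key; once such a user exists, `ansible_user=ansible` plus `ansible_become=true` here is the safer pair. The inventory host `wobisch1.wo-bisch.ch` also differs from the rDNS name `wobisch1.nbit.ch` in the README, and `hosts.j2` and the postfix `myhostname` derive from `my_domain`, so the two names should be reconciled deliberately rather than left to drift.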


@ -0,0 +1,4 @@
#!/bin/bash
/usr/sbin/aide -c /etc/aide.conf --init
/bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
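Review bot: The `cp` copies `aide.db.new.gz` over the baseline unconditionally, so if `aide --init` fails or is interrupted a stale or partial database silently becomes the new reference; add `set -euo pipefail` after the shebang so the copy only runs when init succeeded. The baseline also lives on the monitored host itself, where anyone who gains root can regenerate it after tampering — which is precisely what this script does — so keeping a copy (or at least a hash) off-host after each init is the usual mitigation. The file name of this script is not visible in this section; it is presumably the `aide-update` file the aide role installs to `/usr/local/bin`.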


@ -0,0 +1 @@
!/root/.ansible/tmp


@ -0,0 +1,3 @@
---
- name: update aide database
action: command /usr/local/bin/aide-update
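Review bot: `action: command /usr/local/bin/aide-update` is the legacy free-form `action:` syntax, inconsistent with the module-keyed YAML used elsewhere in the playbook; write it as `command: /usr/local/bin/aide-update`. This handler is notified only by the cron task in the aide role, so the baseline is regenerated when that cron entry changes, not after every playbook run; if that is intended, a comment saying so (`# baseline is rebuilt only when the cron entry changes; rerun aide-update by hand after deliberate changes`) would save the next reader from wondering why later package updates are not re-baselined.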


@ -0,0 +1,42 @@
---
- name: Install aide
yum:
name: aide
- name: Remove all the current ignore list in aide.conf
lineinfile:
dest: /etc/aide.conf
backup: yes
regexp: "^#!|!/"
state: absent
- name: change up aide.conf to standards set in aide_ignore_list var
lineinfile:
dest: /etc/aide.conf
line: "@@include /etc/aide.conf.local"
insertafter: EOF
state: present
- name: copy aide.conf.local
copy:
src: aide.conf.local
dest: /etc/aide.conf.local
mode: '0600'
- name: copy aide-update script
copy:
src: aide-update
dest: /usr/local/bin/aide-update
mode: '0755'
- name: Add crontab to check aide nightly
cron:
cron_file: aide_check
user: root
name: "Check Aide DB nightly"
hour: "23"
minute: "45"
job: "/usr/sbin/aide --check"
notify:
- update aide database
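Review bot: The `lineinfile` task with `regexp: "^#!|!/"` and `state: absent` deletes every line of the stock `/etc/aide.conf` that contains `!/` anywhere, which removes all of the distribution's exclusions (on RHEL-family configs these cover rotating logs, `/var/run` state and the AIDE database directory itself, as far as I recall — verify on the target), while `aide.conf.local` only re-adds `!/root/.ansible/tmp`. The nightly `aide --check` will then report those paths as changed every night and real findings get lost in the noise; unless the intent really is to monitor everything, drop this removal task and keep only the `@@include`, or carry the exclusions you still need into `aide.conf.local`. `@@include` requires AIDE 0.16 or newer; CentOS 8 ships 0.16, but a comment stating the requirement would help. `backup: yes` should be `backup: true` per the truthy rule.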


@ -0,0 +1,2 @@
[sshd]
enabled = true
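Review bot: The jail only sets `enabled = true` for sshd and inherits every other parameter, so whether it actually bans depends on the EPEL defaults and on `/var/log/secure` being written; on a minimal CentOS 8 image without rsyslog the sshd jail needs `backend = systemd`, otherwise it starts with no log to watch (this depends on the Hetzner image, so verify with `fail2ban-client status sshd`). Pin the behaviour explicitly: add `backend = systemd`, `maxretry = 5` and `bantime = 1h` under `[sshd]`, and put the operator's address in `ignoreip` in a `[DEFAULT]` section so a mistyped key cannot lock you out of your own server.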


@ -0,0 +1,30 @@
---
- name: Restart ssh
service:
name=sshd
state=restarted
- name: Restart zabbix-agent
service:
name=zabbix-agent
state=restarted
- name: Restart postfix
service:
name=postfix
state=restarted
- name: Restart fail2ban
service:
name=fail2ban
state=restarted
- name: reload firewalld
systemd:
name=firewalld
state=reloaded
- name: Restore selinux context
command: restorecon -irv /home/appuser/wo-bisch-web
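Review bot: The service handlers use the `name=sshd state=restarted` key=value string form while the role's tasks use block YAML, which ansible-lint flags and which is easy to misread; write each as `service:` / `name: sshd` / `state: restarted`. The `Restore selinux context` handler here relabels `/home/appuser/wo-bisch-web`, but handlers with the same name are also defined in the nginx, lorahandler and web roles with different paths; Ansible treats handler names as a global namespace per play and runs only one of the same-named handlers, so some of those `restorecon` calls will silently never happen. Give each a role-specific name, e.g. `common: restore web content context`, and notify by that name.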


@ -0,0 +1,170 @@
---
- name: install basic packages
yum:
name: "{{ packages }}"
vars:
packages:
- langpacks-en
- langpacks-de
- glibc-all-langpacks
- podman
- sysstat
- mailx
- bind-utils
- epel-release
- setroubleshoot-server
- socat
- unzip
- wget
- name: Enable SELinux
selinux:
policy: targeted
state: enforcing
- name: disable kdump
systemd:
name: kdump
enabled: no
- name: Add Group appuser
group:
name: appuser
gid: 1000
state: present
- name: Add User appuser
user:
name: appuser
shell: /bin/bash
uid: 1000
group: appuser
- name: Change permission of /home/appuser
file:
path: /home/appuser
state: directory
owner: appuser
group: appuser
mode: '0755'
- name: Create /home/appuser/wo-bisch-web
file:
path: /home/appuser/wo-bisch-web
state: directory
owner: appuser
group: appuser
mode: '0755'
- name: Allow apache to read files in /home/appuser/wo-bisch-web
sefcontext:
target: '/home/appuser/wo-bisch-web(/.*)?'
setype: httpd_sys_content_t
state: present
notify:
- Restore selinux context
- name: allow root SSH with key only
lineinfile: dest=/etc/ssh/sshd_config
regexp="^PermitRootLogin"
line="PermitRootLogin without-password"
state=present
notify: Restart ssh
- name: create /etc/hosts from template
template:
src: hosts.j2
dest: /etc/hosts
owner: root
group: root
backup: yes
mode: '0644'
- name: install zabbix agent
yum:
name: zabbix40-agent
- name: enable zabbix agent
systemd:
name: zabbix-agent
enabled: yes
- name: zabbix config
lineinfile: dest=/etc/zabbix/zabbix_agentd.conf
regexp="^Server="
line="Server={{ zabbix_server_ip }}"
state=present
notify: Restart zabbix-agent
- name: install postfix
yum:
name: postfix
- name: enable postfix
systemd:
name: postfix
enabled: yes
- name: postfix config
lineinfile: dest=/etc/postfix/main.cf
regexp="^relayhost"
line="relayhost = [{{ mailserver }}]:25"
state=present
notify: Restart postfix
- name: postfix config
lineinfile: dest=/etc/postfix/main.cf
regexp="^myhostname"
line="myhostname = {{ ansible_hostname }}.{{ my_domain }}"
state=present
notify: Restart postfix
- name: create .forward file
copy:
dest: "/root/.forward"
content: "{{ mail_forward_address }}\n"
- name: install fail2ban
yum:
name: fail2ban
- name: enable fail2ban
systemd:
name: fail2ban
enabled: yes
- name: copy fail2ban config
copy:
src: jail.local
dest: /etc/fail2ban/jail.local
mode: '0644'
notify: Restart fail2ban
- name: setup firewalld rules - services
firewalld:
service: "{{ item }}"
permanent: yes
state: enabled
loop:
- ssh
- http
- https
notify: reload firewalld
- name: setup firewalld rules - remove services
firewalld:
service: "{{ item }}"
permanent: yes
state: disabled
loop:
- cockpit
notify: reload firewalld
- name: setup firewalld rules - ports
firewalld:
port: "{{ item }}"
permanent: yes
state: enabled
loop:
- 10050/tcp
notify: reload firewalld


@ -0,0 +1,16 @@
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.redhat.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
# The following lines are desirable for IPv4 capable hosts
{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
# The following lines are desirable for IPv6 capable hosts
{{ ansible_default_ipv6.address }} {{ ansible_hostname }}.{{ my_domain }} {{ ansible_hostname }}
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
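Review bot: The header comment kept from the cloud-init template says `manage_etc_hosts` is true, and if that is still the case on the Hetzner image, cloud-init will rewrite `/etc/hosts` on the next boot and silently undo this template; either have the common role drop `manage_etc_hosts: false` into `/etc/cloud/cloud.cfg.d/` or replace the stale header with `# Managed by Ansible (common role); cloud-init manage_etc_hosts must stay disabled`. The `{{ ansible_default_ipv6.address }}` line also makes the template fail on any host without a default IPv6 route, since `ansible_default_ipv6` is then an empty dict; wrap that line in `{% if ansible_default_ipv6.address is defined %}` … `{% endif %}`.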


@ -0,0 +1,31 @@
[global_tags]
# Configuration for telegraf agent
[agent]
interval = "10s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 100000
collection_jitter = "0s"
flush_interval = "10s"
flush_jitter = "0s"
precision = ""
debug = false
quiet = false
logfile = ""
hostname = ""
omit_hostname = false
[[inputs.tail]]
files = ["/home/appuser/wo-bisch-lorahandler/wo-bisch-lorahandler.log"]
from_beginning = false
pipe = false
tagexclude = ["path","host"]
data_format = "influx"
# Configuration for sending metrics to InfluxDB 2.0
[[outputs.influxdb_v2]]
urls = ["http://127.0.0.1:8086"]
token = "PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg=="
organization = "wobischorg"
bucket = "wobischbucket"
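Review bot: The `token = "..."` line embeds the InfluxDB read-write token in a file that is committed to the repository and installed world-readable (`mode: '0644'` in the influxsw role), so every local user and everyone with repo access can write arbitrary metrics; the same token is also printed in the README. Telegraf expands environment variables in its config, so change the line to `token = "${INFLUX_TOKEN}"` and deliver the value through a root-only environment file (the stock unit presumably reads `/etc/default/telegraf`) populated from Ansible Vault, then rotate the token since it is already in git history. A token scoped to write-only on `wobischbucket` is sufficient for this output and is cheaper to leak than the RW one.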


@ -0,0 +1,5 @@
---
- name: Restart telegraf
service:
name=telegraf
state=restarted


@ -0,0 +1,36 @@
---
- name: Add repository
yum_repository:
name: influxrepo
description: InfluxDB Repository - RHEL
baseurl: https://repos.influxdata.com/rhel/8/x86_64/stable/
gpgkey: https://repos.influxdata.com/influxdb.key
gpgcheck: yes
- name: Install influx packages
yum:
name: "{{ item }}"
loop:
- telegraf
- influxdb2
- name: enable telegraf
systemd:
name: telegraf
enabled: yes
- name: enable influxdb
systemd:
name: influxdb
enabled: yes
state: started
- name: copy telegraf config
copy:
src: telegraf.conf
dest: /etc/telegraf/telegraf.conf
mode: '0644'
notify: Restart telegraf
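Review bot: `influxdb2` is started with its packaged defaults, which bind the HTTP API on `:8086` on all interfaces, and nothing in the role performs the initial setup — the README says org, bucket and tokens are created by hand. Since telegraf and the apps only ever talk to `http://127.0.0.1:8086`, bind it to loopback explicitly (an `/etc/influxdb/config.toml` with `http-bind-address = "127.0.0.1:8086"`, or `INFLUXD_HTTP_BIND_ADDRESS` in the unit environment) so a future firewalld change cannot expose the API or the pre-setup endpoint. The `telegraf.conf` copy uses `mode: '0644'` although the file carries a credential; `mode: '0640'`, `owner: root`, `group: telegraf` is the usual setting. The `yum` loop over two packages can also be a single call with `name: [telegraf, influxdb2]`.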


@ -0,0 +1,17 @@
<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>wo-bisch.ch - LoraWAN Tracker</title>
<link rel="stylesheet" href="/wo-bisch-web.css">
<link rel="stylesheet" href="/wo-bisch-web-custom.css">
</head>
<body>
<div class="section px-4 py-4">
<div class="notification is-danger">
<strong>Oops, da ist was schiefgegangen!</strong>
</div>
</div>
</body>
</html>


@ -0,0 +1,84 @@
.image.is-10by1 img, .image.is-20by3 img {
bottom: 0;
left: 0;
position: absolute;
right: 0;
top: 0;
height: 100%;
width: 100%;
}
.image.is-10by1 {
padding-top: 10%;
}
.image.is-20by3 {
padding-top: 15%;
}
hr {
margin: 0 0 15px 0;
}
.signup-box {
margin: auto;
width: 300px;
background: rgba(255,255,255,0.05);
border: 1px solid rgba(255,255,255,0.3);
border-radius: 10px;
}
.block-link {
text-decoration: none !important;
}
.apexcharts-title-text {
font-weight: 700 !important;
font-size: 24px !important;
font-family: "Rubik", sans-serif !important;
}
.apexcharts-legend {
font-family: "Rubik", sans-serif;
}
/**
* * The CSS shown here will not be introduced in the Quickstart guide, but
* * shows how you can use CSS to style your Element's container.
* */
input,
.StripeElement {
height: 40px;
padding: 10px 12px;
color: #32325d;
background-color: white;
border: 1px solid transparent;
border-radius: 4px;
box-shadow: 0 1px 3px 0 #e6ebf1;
-webkit-transition: box-shadow 150ms ease;
transition: box-shadow 150ms ease;
}
input:focus,
.StripeElement--focus {
box-shadow: 0 1px 3px 0 #cfd7df;
}
.StripeElement--invalid {
border-color: #fa755a;
}
.StripeElement--webkit-autofill {
background-color: #fefde5 !important;
}
.checkboxes input {
vertical-align: middle;
}
.checkboxes label span {
vertical-align: middle;
margin-left: 5px;
}



@ -0,0 +1,9 @@
---
- name: Restart nginx
service:
name=nginx
state=restarted
- name: Restore selinux context
command: restorecon -irv /root/.acme.sh/wo-bisch.ch
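Review bot: This `Restore selinux context` handler relabels `/root/.acme.sh/wo-bisch.ch`, but the `sefcontext` rule that notifies it (nginx role) targets `/root/.acme.sh/mail2.nbit.ch(/.*)?`, so `restorecon` finds no rule for this path and leaves it `admin_home_t`; the two paths must agree, and `restorecon -v` reporting zero relabels in the log is the tell. The handler also shares its name with the `Restore selinux context` handlers of the common, lorahandler and web roles; handler names are global within a play and only one same-named handler runs, so rename this one `nginx: restore cert context` (and notify by that name) to be sure it is the one that fires. `Restart nginx` uses the `name=nginx state=restarted` string form; `state: reloaded` in block YAML applies config and certificate changes without dropping connections.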


@ -0,0 +1,52 @@
---
- name: Install nginx
yum:
name: nginx
- name: enable nginx
ignore_errors: yes
systemd:
name: nginx
enabled: yes
state: started
- name: create static dir
file:
path: /home/appuser/wo-bisch-web/static
state: directory
- name: 502 error page
copy:
src: 502.html
dest: /home/appuser/wo-bisch-web/static/502.html
- name: copy css files
copy:
src: "{{ item }}"
dest: "/home/appuser/wo-bisch-web/static/{{ item }}"
loop:
- wo-bisch-web.css
- wo-bisch-web-custom.css
- name: Allow apache to read files in /root/.acme.sh/wo-bisch.ch
sefcontext:
target: '/root/.acme.sh/mail2.nbit.ch(/.*)?'
setype: httpd_sys_content_t
state: present
notify:
- Restore selinux context
- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: create /etc/nginx/nginx.conf from template
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: root
group: root
mode: '0644'
notify: Restart nginx
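Review bot: The `sefcontext` task named "Allow apache to read files in /root/.acme.sh/wo-bisch.ch" actually labels `/root/.acme.sh/mail2.nbit.ch(/.*)?` — a copy-paste remnant — while `nginx.conf.j2` loads certificate and key from `/root/.acme.sh/wo-bisch.ch/`, so under enforcing SELinux nginx (`httpd_t`) will presumably still be denied on the real directory; at minimum change the target to `'/root/.acme.sh/wo-bisch.ch(/.*)?'`. Labelling a private key `httpd_sys_content_t` (web content) inside root's home is the wrong shape anyway: `acme.sh --install-cert -d wo-bisch.ch --fullchain-file /etc/pki/nginx/fullchain.pem --key-file /etc/pki/nginx/private/wo-bisch.ch.key --reloadcmd "systemctl reload nginx"` puts the key under `/etc/pki` with its default `cert_t` label and root-only mode, and the template can point there. `ignore_errors: yes` on the enable-nginx task hides a genuine failure to start; if the intent is to tolerate a missing certificate on the first run, order the tasks so the config is in place before `state: started`. `httpd_can_network_connect` lets nginx connect anywhere; for two loopback upstreams `httpd_can_network_relay` plus `semanage port -a -t http_port_t -p tcp 4000` (8080 is already `http_cache_port_t`) is the narrower grant.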


@ -0,0 +1,60 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://wo-bisch.ch$request_uri;
}
server {
server_name wo-bisch.ch;
root {{ document_root }}/static;
error_page 502 /502.html;
location /lorahandler {
proxy_pass http://127.0.0.1:8080;
}
location / { try_files $uri @wo-bisch; }
location @wo-bisch {
proxy_pass http://127.0.0.1:4000;
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /root/.acme.sh/wo-bisch.ch/fullchain.cer;
ssl_certificate_key /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key;
}
}
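Review bot: The 443 server block sets only the certificate paths, so `ssl_protocols` falls back to nginx's built-in default (TLSv1 through TLSv1.2 on the 1.14 shipped with CentOS 8, as far as I recall) and the `ssl_ciphers PROFILE=SYSTEM` line from the stock CentOS config is gone, leaving nginx's own default cipher list rather than the system crypto policy. Both `proxy_pass` locations also forward without `Host`, `X-Real-IP`, `X-Forwarded-For` or `X-Forwarded-Proto`, so the Go backends see every client as 127.0.0.1 over plain http, which defeats any per-client logging or rate limiting they do. `server_tokens off;` in the `http` block is a free hardening, and the certificate paths under `/root/.acme.sh/` tie nginx's SELinux access to root's home directory (see the nginx role note). The lines below go inside the existing `server` block; `proxy_set_header` at server level is inherited by both locations.
```nginx
    server {
        server_name wo-bisch.ch;
        # … unchanged: root, error_page, locations, listen and ssl_certificate lines …
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers PROFILE=SYSTEM;
        add_header Strict-Transport-Security "max-age=63072000" always;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
```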


@ -0,0 +1,10 @@
---
- name: Install redis
yum:
name: redis
- name: enable redis
systemd:
name: redis
enabled: yes
state: started
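Review bot: Redis is installed and started with the package defaults and nothing pins the bind address, so the only things keeping 6379 off the network are the CentOS default `bind 127.0.0.1` in `/etc/redis.conf` and the common role's firewalld rules (which do not open it). That is probably fine today, but a role that owns a service should manage its config: a `lineinfile` asserting `bind 127.0.0.1 ::1` and `protected-mode yes`, notifying a `Restart redis` handler, makes the exposure explicit and survives a packaging change. If the Go apps can pass it, `requirepass` (or ACLs on Redis 6) adds a second barrier against anything else running as `appuser` on the box.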


@ -0,0 +1,3 @@
---
- name: Restore selinux context
command: restorecon -irv /home/appuser
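Review bot: `Restore selinux context` is the fourth handler of that name in this play (common, nginx and the web role define the others with different paths), and Ansible runs only one handler per name, so it is unpredictable which `restorecon` actually executes when the lorahandler tasks notify it. Rename it to something role-specific such as `lorahandler: restore selinux context` and update the two `notify:` lists in the role's tasks. Relabelling all of `/home/appuser` recursively on every change is also broader than the two paths this role touches; `restorecon -irv /home/appuser/wo-bisch-lorahandler` keeps the handler scoped to its own role.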


@ -0,0 +1,15 @@
---
- name: Allow apache to read files in /home/appuser/wo-bisch-web
sefcontext:
target: '/home/appuser/wo-bisch-web(/.*)?'
setype: httpd_sys_content_t
state: present
notify:
- Restore selinux context
- name: set SELinux permissions on binary
sefcontext:
target: "/home/appuser/wo-bisch-lorahandler/wo-bisch-lorahandler"
setype: bin_t
notify:
- Restore selinux context
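Review bot: The first task labels `/home/appuser/wo-bisch-web(/.*)?`, the web application's directory already handled by the common role, while nothing in this role creates or labels `/home/appuser/wo-bisch-lorahandler` (the directory telegraf tails a log from) — this looks like a copy-paste from the web role and should either target the lorahandler directory or be removed. The `bin_t` rule makes the binary executable for a systemd-started service, but it sits in the home directory of the account that presumably runs it, so that account can replace its own executable; deploying binaries root-owned in `/usr/local/bin` (default `bin_t`, no custom fcontext needed) removes both the SELinux special-casing and the self-modification path. No systemd unit is visible in this commit, so the runtime user is an assumption.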


@ -0,0 +1,3 @@
---
- name: Restore selinux context
command: restorecon -irv /home/appuser
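Review bot: This handler is byte-identical to the lorahandler role's `Restore selinux context` (same name, same `restorecon -irv /home/appuser`), and both collide with the differently-scoped handlers of the common and nginx roles; since Ansible runs a single handler per name, one of the four is silently dropped. Give it a role-specific name, e.g. `wo-bisch-web: restore selinux context`, and narrow the path to `/home/appuser/wo-bisch-web` so the handler only touches what this role labels.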


@ -0,0 +1,7 @@
---
- name: set SELinux permissions on binary
sefcontext:
target: "/home/appuser/wo-bisch-web/wo-bisch-web"
setype: bin_t
notify:
- Restore selinux context
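Review bot: The binary `/home/appuser/wo-bisch-web/wo-bisch-web` is labelled `bin_t` inside the very tree the common role labels `httpd_sys_content_t` (`/home/appuser/wo-bisch-web(/.*)?`) and that nginx uses as `{{ document_root }}`; precedence between a literal-path rule and an overlapping regex rule is worth confirming with `matchpathcon` after both roles have run, because a `restorecon` of the parent is what both handlers do. Keeping the executable out of the web content tree — root-owned in `/usr/local/bin`, which is `bin_t` by default — means `appuser` cannot replace the program it runs and no custom fcontext is needed. The task also omits `state: present`; it is the default, but the sibling task in the common role spells it out, so add it for consistency.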


@ -0,0 +1,13 @@
---
# file: wo-bisch-server.yml
- hosts: wo_bisch_servers
vars:
ansible_ssh_pipelining: yes
roles:
- common
- aide
- nginx
- redis
- influxsw
- wo-bisch-lorahandler
- wo-bisch-web
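Review bot: `ansible_ssh_pipelining: yes` uses the YAML 1.1 truthy spelling; write `ansible_ssh_pipelining: true`. The play has no `become` and relies on the inventory's `ansible_user=root`, so every role runs over direct root SSH; if a non-root automation user is introduced later, `become: true` belongs here. The aide role's `update aide database` handler runs when handlers flush at the end of the play, i.e. after nginx, redis, influx and the app roles have installed their files, so the baseline is complete despite aide being listed second; a one-line comment (`# aide baseline is built by a handler at end of play, after all roles`) would stop someone from reordering the roles to "fix" that.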