From 0899c5e72258d46df8a8346d68b8baa1308471ef Mon Sep 17 00:00:00 2001 From: Tiago de Bem Natel de Moura Date: Sat, 8 Feb 2020 15:08:57 +0000 Subject: [PATCH 1/4] add basic dependencies Signed-off-by: Tiago de Bem Natel de Moura --- ansible/ansible.cfg | 2 ++ ansible/hosts | 2 ++ ansible/madlambda.yml | 17 +++++++++++++++++ 3 files changed, 21 insertions(+) create mode 100644 ansible/ansible.cfg create mode 100644 ansible/hosts create mode 100644 ansible/madlambda.yml diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 0000000..3653316 --- /dev/null +++ b/ansible/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +hostfile = hosts diff --git a/ansible/hosts b/ansible/hosts new file mode 100644 index 0000000..fd2171f --- /dev/null +++ b/ansible/hosts @@ -0,0 +1,2 @@ +[madlambda] +127.0.0.1 diff --git a/ansible/madlambda.yml b/ansible/madlambda.yml new file mode 100644 index 0000000..164d689 --- /dev/null +++ b/ansible/madlambda.yml @@ -0,0 +1,17 @@ +--- +- hosts: all + tasks: + - name: install basic dependencies + apt: + update_cache: yes + state: latest + pkg: + - mercurial + - git + - build-essential + - libssl-dev + - python-dev + - php-dev + - libphp-embed + - golang-go + From 3fc0a58c9064ec426f51f93fe3fa97f1f81f8280 Mon Sep 17 00:00:00 2001 From: Tiago de Bem Natel de Moura Date: Sat, 8 Feb 2020 18:05:48 +0000 Subject: [PATCH 2/4] automate the install.sh Signed-off-by: Tiago de Bem Natel de Moura --- ansible/ansible.cfg | 2 + ansible/madlambda.yml | 78 +++++++++++++++++++++++++ unit/apps/container-example/config.json | 24 -------- unit/config.json | 2 +- unit/routes.d/container.json | 9 --- unit/routes.d/i4k.json | 2 +- 6 files changed, 82 insertions(+), 35 deletions(-) delete mode 100644 unit/apps/container-example/config.json delete mode 100644 unit/routes.d/container.json diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 3653316..d4df479 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg 
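Review bot: `hostfile = hosts` in the new ansible/ansible.cfg uses the deprecated `[defaults]` key; the current name is `inventory`, and newer Ansible releases warn on or ignore the old one, so the inventory would silently fall back to the default path. Change the line to `inventory = hosts`.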
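Review bot: `state: latest` in the "install basic dependencies" task of the new ansible/madlambda.yml upgrades every listed package on each run, so the playbook is not idempotent and turns into an unattended upgrade of the toolchain (compilers, libssl-dev, golang-go) that the later build depends on. Unless the intent is to track the distro's newest packages, `state: present` keeps the task convergent and lets the package versions be controlled separately. The same package list is extended in later patches of this series, so the change applies there too.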
@@ -1,2 +1,4 @@ [defaults] hostfile = hosts +stdout_callback=debug +stderr_callback=debug \ No newline at end of file diff --git a/ansible/madlambda.yml b/ansible/madlambda.yml index 164d689..d4dd5cf 100644 --- a/ansible/madlambda.yml +++ b/ansible/madlambda.yml @@ -1,6 +1,29 @@ --- - hosts: all + connection: local tasks: + - name: create madlambda group + group: + name: madlambda + + - name: create i4k user + user: + name: i4k + uid: 1337 + groups: madlambda + append: yes + + - name: prepare src dir + file: + path: /root/src + state: directory + mode: '0755' + + - name: clean unit source + file: + path: /root/src/unit + state: absent + - name: install basic dependencies apt: update_cache: yes @@ -14,4 +37,59 @@ - php-dev - libphp-embed - golang-go + - jq + - certbot + + - name: clone unit + shell: hg clone http://hg.nginx.org/unit/ + args: + chdir: /root/src + + - name: build unit (php, python and go) + shell: | + make clean || true + ./configure --cc-opt="-O3" --prefix=/usr/local/unit --tests --openssl + ./configure php + ./configure python + GOPATH=/root/src/unit/build/go ./configure go + make tests + ./build/tests + make + python3 ./test/run.py + make install + args: + chdir: /root/src/unit + + - name: init i4k dir + become_user: i4k + file: + path: /home/i4k/src + state: directory + mode: '0755' + + - name: remove i4k sources + become_user: i4k + file: + path: /home/i4k/src/i4k.madlambda.io + state: absent + + - name: install i4k stuff + become_user: i4k + shell: git clone https://github.com/tiago4orion/i4k.madlambda.io.git + args: + chdir: /home/i4k/src + + - name: install madlambda.io + shell: ./install.sh + args: + chdir: /root/src/madlambda.io + + - name: stop && start unit + shell: | + systemctl stop unit || true + systemctl start unit + - name: configure madlambda.io + shell: ./unit/apply.sh + args: + chdir: /root/src/madlambda.io 
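Review bot: The "clone unit" task fetches the Unit source over plain HTTP (`hg clone http://hg.nginx.org/unit/`) with no revision pin, and the following task builds and installs whatever arrived, as root (`make install`); anything in the network path can substitute the code that ends up in /usr/local/unit. Use the TLS endpoint and pin the changeset, e.g. `shell: hg clone -r <CHANGESET-PLACEHOLDER> https://hg.nginx.org/unit/`. Separately, the three i4k tasks ("init i4k dir", "remove i4k sources", "install i4k stuff") set `become_user: i4k` without `become: yes`; in Ansible `become_user` alone does not switch user, so with `connection: local` those paths and the git checkout are created by the user running the playbook (root, given the /root paths elsewhere), and `/home/i4k/src` ends up root-owned. Add `become: yes` to each of those tasks. The "stop && start unit" task is simpler and reports failures as `systemd: name=unit state=restarted`, which also drops the `|| true` that hides a failed stop.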
diff --git a/unit/apps/container-example/config.json b/unit/apps/container-example/config.json deleted file mode 100644 index bf4a6f1..0000000 --- a/unit/apps/container-example/config.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "type": "external", - "working_directory": "/home/i4k/src/unit-container-tests", - "executable": "/home/i4k/src/unit-container-tests/container-example", - "user": "root", - "group": "root", - "isolation": { - "namespaces": { - "credential": true, - "mount": true, - "uname": true, - "network": true, - "cgroup": true, - "pid": true - }, - "uidmap": [ - {"container": 0, "host": 65534, "size": 1} - ], - "gidmap": [ - {"container": 0, "host": 65534, "size": 1} - ] - } -} - diff --git a/unit/config.json b/unit/config.json index fb5e84b..b1891c2 100644 --- a/unit/config.json +++ b/unit/config.json @@ -14,7 +14,7 @@ "user": "root", "group": "root", "module": "wsgi", - "path": "/root/madlambda.io/apps/redirect-to-https" + "path": "/root/src/madlambda.io/apps/redirect-to-https" } }, "settings": { diff --git a/unit/routes.d/container.json b/unit/routes.d/container.json deleted file mode 100644 index 4d7db8a..0000000 --- a/unit/routes.d/container.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "match": { - "host": "i4k.madlambda.io", - "uri": "/container" - }, - "action": { - "pass": "applications/container-example" - } -} diff --git a/unit/routes.d/i4k.json b/unit/routes.d/i4k.json index 97683d4..3eeb8d4 100644 --- a/unit/routes.d/i4k.json +++ b/unit/routes.d/i4k.json @@ -3,6 +3,6 @@ "host": "i4k.madlambda.io" }, "action": { - "share": "/home/i4k/i4k.madlambda.io/www" + "share": "/home/i4k/src/i4k.madlambda.io/www" } } From d53cab4c26b966c17a62bcdcc5d11a7a30216319 Mon Sep 17 00:00:00 2001 From: Tiago de Bem Natel de Moura Date: Sat, 8 Feb 2020 18:06:48 +0000 Subject: [PATCH 3/4] automate the install.sh Signed-off-by: Tiago de Bem Natel de Moura --- ansible/ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index d4df479..3b02ec3 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,4 +1,4 @@ [defaults] hostfile = hosts stdout_callback=debug -stderr_callback=debug \ No newline at end of file +stderr_callback=debug From 17c877d1ca776e6149e4d2d1a3f137730a2b3183 Mon Sep 17 00:00:00 2001 From: Tiago de Bem Natel de Moura Date: Mon, 10 Feb 2020 02:50:52 +0000 Subject: [PATCH 4/4] add support for TLS protocols and cipher Signed-off-by: Tiago de Bem Natel de Moura --- ansible/madlambda.yml | 25 +++++++++++++++++++++++++ unit/apply.sh | 12 +++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/ansible/madlambda.yml b/ansible/madlambda.yml index d4dd5cf..fe40fbd 100644 --- a/ansible/madlambda.yml +++ b/ansible/madlambda.yml @@ -39,12 +39,37 @@ - golang-go - jq - certbot + - wget + + - name: configure mercurial + copy: + dest: /root/.hgrc + content: | + [ui] + username = root + + color = + + [extensions] + mq = + purge = + + [diff] + showfunc = True - name: clone unit shell: hg clone http://hg.nginx.org/unit/ args: chdir: /root/src + - name: apply unit TLS patch + shell: | + wget -O tls-config.patch https://gist.githubusercontent.com/tiago4orion/a3a993c96813f691b9a417193a3ad54e/raw/280459007c2ee21b4b2895812cd9cb2652455530/tls-config.patch + hg qimport -n tls-config tls-config.patch + hg qpush + args: + chdir: /root/src/unit + - name: build unit (php, python and go) shell: | make clean || true diff --git a/unit/apply.sh b/unit/apply.sh index 217488c..fd6b646 100755 --- a/unit/apply.sh +++ b/unit/apply.sh 
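Review bot: The "apply unit TLS patch" task downloads a patch with `wget` and immediately applies it to the source that is later built and installed as root, with no integrity check on the file; the gist URL is pinned to a revision, which helps, but nothing verifies that what was written to tls-config.patch is the expected content before `hg qimport`/`hg qpush` run. Fetch it with the `get_url` module and a `checksum`, then keep only the queue commands in the shell task; the value for the checksum is whatever the author computed for the reviewed patch (placeholder below). The rest of this playbook, including the "build unit" task that consumes the patched tree, lies outside the hunk.
```yaml
      - name: fetch unit TLS patch
        get_url:
          url: https://gist.githubusercontent.com/tiago4orion/a3a993c96813f691b9a417193a3ad54e/raw/280459007c2ee21b4b2895812cd9cb2652455530/tls-config.patch
          dest: /root/src/unit/tls-config.patch
          checksum: sha256:<SHA256-OF-TLS-CONFIG-PATCH-PLACEHOLDER>

      - name: apply unit TLS patch
        shell: |
          hg qimport -n tls-config tls-config.patch
          hg qpush
        args:
          chdir: /root/src/unit
      # … unchanged: build unit (php, python and go) …
```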
@@ -47,13 +47,23 @@ if ! $CURL -XGET 127.0/certificates/madlambda.io | jq -e ".chain" >/dev/null; th fi fi +cat > tls.json << EOF +{ + "certificate": "madlambda.io", + "protocols": ["SSLv2", "SSLv3", "TLSv1.2", "TLSv1.3"], + "ciphers": "HIGH:!aNULL:!MD5" +} +EOF + if ! $CURL -XPUT '127.0/config/listeners/*:443/tls' \ - --data-binary '{"certificate": "madlambda.io"}' | jq -e ".success"; then + --data-binary @tls.json | jq -e ".success"; then echo "failed to apply certificate to listener *:443" exit 1 fi +rm -f tls.json + cd unit/apps for name in $(ls); do
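Review bot: The new tls.json enables `"SSLv2"` and `"SSLv3"` on the `*:443` listener; both protocols are long deprecated and have known practical attacks, so listing them alongside TLSv1.2/1.3 weakens the listener rather than just widening compatibility. The line should read `"protocols": ["TLSv1.2", "TLSv1.3"],`. Also note that the `exit 1` on the failed PUT runs before `rm -f tls.json`, so the temporary file is left in the working directory on the error path; moving the `rm -f tls.json` ahead of the `exit 1`, or using a `trap`, keeps the cleanup in both paths. The `for name in $(ls); do` loop continues outside the hunk.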