Generalizing GeoIP to be consumed by more services

roles/GeoIP/README.md

@@ -0,0 +1,30 @@
+Geolocation by IP is a methodology
+
+# Etymology
+
+GeoIP is a shortening of geolocation by IP.
+
+# Relevant Files and Software
+
+This content is derived & packed by Arch, pulling regularly from [MaxMind](https://maxmind.com).
+
+# Available Clients
+
+The Python `geoip2` library can be used with snippets like below:
+
+```
+#!/usr/bin/env python3
+
+import geoip2.database
+import sys
+
+with geoip2.database.Reader('/etc/nginx/conf/maxmind-geoip2.mmdb') as reader:
+    response = reader.country(sys.argv[1])
+    print(response.country.iso_code)
+```
+
+We also install the `geoiplookup` client from the GeoIP client.
+
+# Equivalents or Competition
+
+Whois and other tools can also provide corroboration or alternate responses for these queries.

roles/GeoIP/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+ - name: Install components
+   become: yes
+   package:
+     name: "{{ item }}"
+     state: present
+   loop:
+     - geoip
+     - geoip-database
+     - geoip-database-extra
+     - libmaxminddb
+
+ # This is a hack while geoip-database only provides the legacy version.
+ - name: Ensure GeoIP2 database is present
+   become: yes
+   file:
+     path: /usr/share/GeoIP/GeoIP2.mmdb
+     owner: root
+     group: root
+     mode: 0755
+     state: file

roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf

@@ -1,5 +1,6 @@
 server {
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name default_server;
 
     include conf/sec.conf;
@@ -7,6 +8,9 @@ server {
 
     include conf/letsencrypt.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location / {
 
       rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -65,7 +69,8 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name foundation.aninix.net;
     include conf/sec.conf;
     include conf/letsencrypt.conf;

roles/WebServer/files/conf.d/Yggdrasil/adhan.conf

@@ -1,12 +0,0 @@
-server {
-    listen      443 ssl http2;
-    server_name adhan.aninix.net;
-
-    include conf/sec.conf;
-    include conf/default.csp.conf;
-
-    location /
-    {
-        root /srv/adhan/;
-    }
-}

roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf

@@ -2,6 +2,9 @@ server {
     listen      443 ssl;
     server_name cyberbrain.aninix.net;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location ^~ /admin {
         deny all;
     }

roles/WebServer/files/conf.d/Yggdrasil/graylog.conf

@@ -1,18 +0,0 @@
-server {
-    #listen      443 ssl http2;
-    listen      444 ssl http2;
-    server_name sharingan.aninix.net;
-
-    include conf/sec.conf;
-    # include conf/default.csp.conf;
-
-    location /
-    {
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Forwarded-Host $host;
-      proxy_set_header X-Forwarded-Server $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Graylog-Server-URL https://$server_name/;
-      proxy_pass       http://10.0.1.5:9000;
-    }
-}

roles/WebServer/files/conf.d/Yggdrasil/irc.conf

@@ -1,11 +1,15 @@
 server {
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name irc.aninix.net;
 
     include conf/sec.conf;
     include conf/default.csp.conf;
     include conf/letsencrypt.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location /
     {
         root /usr/share/kiwiirc;

roles/WebServer/files/conf.d/Yggdrasil/lykos-wiki.conf

@@ -4,6 +4,9 @@ server {
 
     # include conf/local.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     root /usr/share/webapps/;
 
     client_max_body_size 5m;

roles/WebServer/files/conf.d/Yggdrasil/maat.conf

@@ -1,11 +1,15 @@
 server {
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name maat.aninix.net;
 
     include conf/sec.conf;
     include conf/default.csp.conf;
     include conf/letsencrypt.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location /
     {
       proxy_set_header Host $http_host;

roles/WebServer/files/conf.d/Yggdrasil/password.conf

@@ -1,11 +1,15 @@
 server {
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name password.aninix.net;
 
     include conf/sec.conf;
     include conf/default.csp.conf;
     include conf/letsencrypt.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location / {
         root /usr/share/webapps/self-service-password/htdocs/;
 

roles/WebServer/files/conf.d/Yggdrasil/sharingan.conf

@@ -1,6 +1,7 @@
 server {
 
-    listen      443 ssl http2;
+    listen      443 ssl;
+    http2 on;
     server_name sharingan.aninix.net;
 
     include conf/sec.conf;
@@ -8,6 +9,10 @@ server {
     include conf/local.conf;
     include conf/letsencrypt.conf;
 
+    # GeoIP block
+    if ($deny) {
+        return 503;
+    }
 
     location /
     {

roles/WebServer/files/conf.d/Yggdrasil/singularity.conf

@@ -8,6 +8,9 @@ server {
 
     include conf.d/fastcgi.config;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     root /usr/share/webapps/tt-rss/;
 
     index index.php;

roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf

@@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade {
 }
 
 server {
-    #listen      443 ssl http2;
+
     listen      443 ssl;
     server_name superintendent.aninix.net;
 
@@ -14,9 +14,7 @@ server {
     include conf/letsencrypt.conf;
 
     # GeoIP block
-    if ($deny) {
+    if ($deny) { return 503; }
-        return 503;
-    }
 
     # Handle the location
     location /

roles/WebServer/files/conf.d/Yggdrasil/travelpawscvt.com.conf

@@ -6,6 +6,9 @@ server {
     include conf/letsencrypt.conf;
     include conf.d/fastcgi.config;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     root /opt/travelpawscvt;
 
     client_max_body_size 5m;

roles/WebServer/files/conf.d/Yggdrasil/yggdrasil.conf

@@ -1,12 +1,15 @@
 server {
-    #listen      443 ssl http2;
+    listen      443 ssl;
-    listen      443 ssl http2;
+    http2 on;
     server_name yggdrasil.aninix.net;
 
     include conf/sec.conf;
     include conf/letsencrypt.conf;
     # include conf/default.csp.conf;
 
+    # GeoIP block
+    if ($deny) { return 503; }
+
     location /
     {
       proxy_set_header Host $http_host;

roles/WebServer/tasks/main.yml

@@ -44,14 +44,11 @@
 
  - name: Copy conf.d
    become: yes
-   copy:
+   become_user: http
+   ansible.posix.synchronize:
      src: "conf.d/{{ inventory_hostname }}/"
      dest: /etc/nginx/conf.d/
-     owner: http
+     delete: true
-     group: http
-     mode: 0660
-     directory_mode: 0770
-     follow: true
    register: confd
 
  - name: Copy conf
@@ -114,17 +111,6 @@
      mode: 0660
    register: geoipconf
 
- - name: Ensure MaxMindDB is present
-   become: yes
-   file:
-     path: /etc/nginx/conf/maxmind-geoip2.mmdb
-     state: file
-     owner: http
-     group: http
-     mode: 0440
-     # This requires a https://maxmind.com/ account, so the source will have to come from that site.
-     # This file should be the current country database.
-
  - name: Clone OWASP-CRS
    ignore_errors: true
    become: yes
@@ -168,6 +154,11 @@
      #validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues
    register: baseconf
 
+ - name: Safety test on nginx
+   become: yes
+   command: 'nginx -t'
+   ignore_errors: false
+
  - name: Ensure service is started
    become: yes
    when: conf.changed or confd.changed or geoipconf.changed or secconf.changed or baseconf.changed or modsecconf.changed

roles/WebServer/templates/conf/geoip.conf.j2

@@ -1,5 +1,5 @@
 # Load database and set variables from the database.
-geoip2 /etc/nginx/conf/maxmind-geoip2.mmdb {
+geoip2 /usr/share/GeoIP/GeoIP2.mmdb {
     auto_reload 60m;
     $geoip2_metadata_country_build metadata build_epoch;
     $geoip2_data_country_code country iso_code;