Updating Ubiqtorate

roles/WebServer/README.md

@@ -0,0 +1,31 @@
+Having some information be publicly accessible is useful to the network -- it's how we can be available to new people. Because HTTPS is the protocol of choice today, the WebServer is our vector.
+
+# Etymology
+The WebServer serves content on the Web -- its name is simple to match the function.
+
+# Relevant Files and Software
+Configuration files live in [file:///etc/lighttpd/lighttpd.conf lighttpd.conf], including ciphersuites, URI redirection, and pathing. It can be validated with the following.
+<pre>lighttpd -t -f /etc/lighttpd/lighttpd.conf</pre>
+
+Most notably, our lighttpd.conf is set to set specific headers to prevent XSS vulnerabilities. We allow the plaintext listener for a better user experience, but we restrict scripts and style resources from loading from plaintext links via Content-Security-Policy. Our X-Frame options are also set to be restrictive against XSS vulnerabilities. We pin the [[Category:SSL|Let's Encrypt]] sha-256 public key signature, and require strict transport security.
+
+Data files live in [file:///srv/http/ the http directory]. Each domain is virtually hosted by the AniNIX and pathing is set up in configuration. Sites in the WebServer are designed to be as sparse and lightweight as possible for rapidly disseminating information; this comes at a cost of beauty.
+
+The WebServer uses six PHP child processes to handle the processing of pages. Both the WebServer and [[Wiki]] are built on PHP engines to reduce code sprawl and edit times. We will install a custom php.ini to handle things like disabling expose_php and configuring open_basedir.
+
+**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
+
+# Available Clients
+* Windows users should use [http://google.com/chrome/browser/desktop/ Chrome] or Firefox. A copy of Chrome is stored in [https://aninix.net/wolfpack WolfPack].
+    * Privacy-conscious users may be interested in [http://www.seamonkey-project.org/ Seamonkey], also stored in WolfPack. This browser includes mail and IRC clients and can be installed on a [[Holocron|flash drive]]. It can be set to silently purge privacy information on closing, and it is lighter on the OS.
+* [[ShadowArch]] users should use Seamonkey; chromium can be used to support custom Chrome extensions and bleeding-edge services, like Pushbullet or Netflix.
+[[Category:CachedClient]]
+* Mac users should use Safari or Chrome.
+* Mobile users should use the built-in browser.
+
+# Equivalents or Competition
+Hosting services like [https://godaddy.com GoDaddy] and [http://freehostia.com/ FreeHostia] will provide hosting services for web pages. Content management can be done with systems like WordPress.
+}}
+
+[[Category:Public_Service]]
+[[Category:SSL]]

roles/WebServer/files/conf.d/aaa_default.conf

@@ -0,0 +1,17 @@
+server {
+    #listen      443 ssl http2;
+    listen      444 ssl http2;
+    server_name default_server;
+
+    include sec.conf;
+    include default.csp.conf;
+
+    location /
+    {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass       http://127.0.0.1:3000;
+    }
+}

roles/WebServer/files/conf.d/adhan.conf

@@ -0,0 +1,12 @@
+server {
+    listen      444 ssl http2;
+    server_name adhan.aninix.net; 
+
+    include sec.conf;
+    include default.csp.conf;
+
+    location /
+    {
+        root /srv/adhan/;
+    }
+}

roles/WebServer/files/conf.d/graylog.conf

@@ -0,0 +1,18 @@
+server {
+    #listen      443 ssl http2;
+    listen      444 ssl http2;
+    server_name sharingan.aninix.net;
+
+    include sec.conf;
+    # include default.csp.conf;
+
+    location /
+    {
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Graylog-Server-URL https://$server_name/;
+      proxy_pass       http://10.0.1.5:9000;
+    }
+}

roles/WebServer/files/conf.d/lykos-wiki.conf

@@ -0,0 +1,46 @@
+server {
+    listen      444 ssl;
+    server_name lykos.aninix.net; 
+
+    include sec.conf;
+    include default.csp.conf;
+
+    root /usr/share/webapps/; 
+
+    location ~ ^/$ {
+        return 302 https://lykos.aninix.net:444/lykos-wiki/Main_Page;
+    } 
+
+    location ~ ^/lykos-wiki/ {
+        index /mediawiki/index.php;
+        try_files $uri $uri/ @mediawiki;
+    }
+    location @mediawiki {
+        rewrite ^/lykos-wiki/(.*)$ /mediawiki/index.php?title=$1;
+    }
+    location ~ \.php?$ {
+        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+        fastcgi_index /mediawiki/index.php;
+        try_files $uri @mediawiki;
+    }
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        try_files $uri /lykos-wiki/index.php;
+        expires max;
+        log_not_found off;
+    }
+# Restrictions based on the .htaccess files
+    location ~ ^/lykos-wiki/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
+        deny all;
+    }
+    location ~ ^/lykos-wiki/(bin|docs|extensions|includes|maintenance|mw-config|resources|serialized|tests)/ {
+        internal;
+    }
+    location ^~ /images/ {
+        try_files $uri /index.php;
+    }
+    location ~ /\. {
+        access_log off;
+        log_not_found off; 
+        deny all;
+    }
+}

roles/WebServer/files/conf.d/password.conf

@@ -0,0 +1,12 @@
+server {
+    listen      444 ssl http2;
+    server_name password.aninix.net; 
+
+    include sec.conf;
+    include default.csp.conf;
+
+    location /
+    {
+        root /usr/share/webapps/self-service-password/;
+    }
+}

roles/WebServer/files/nginx.conf

@@ -0,0 +1,34 @@
+user  http;
+worker_processes  4;
+
+# Logs
+error_log              logs/error.log;
+error_log              logs/error.log notice;
+error_log              logs/error.log info;
+
+events {
+    worker_connections 1024;
+}
+
+
+http {
+
+    include            mime.types;
+    include            fastcgi.conf;
+    default_type       application/octet-stream;
+
+    server_tokens      off;
+    sendfile           on;
+    keepalive_timeout  65;
+    gzip               on;
+
+    # Redirect all HTTP to HTTPS
+    server {
+        listen 81      default_server;
+    	listen [::]:81 default_server;
+        server_name    _;
+        return 301     https://$host$request_uri;
+    }
+
+    include            ../conf.d/*.conf;
+}

roles/WebServer/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+ - name: Install openresty
+   become: yes
+   package:
+     name: openresty
+     state: present
+
+
+ - name: Copy conf.d
+   become: yes
+   copy:
+     src: conf.d
+     dest: /opt/openresty/nginx/
+     owner: http
+     group: http
+     mode: 0660
+     directory_mode: 0770
+
+ - name: Copy main config
+   become: yes
+   copy:
+     src: nginx.conf
+     dest: /opt/openresty/nginx/conf/nginx.conf
+     owner: http
+     group: http
+     mode: 0660
+     validate: "/opt/openresty/nginx/sbin/nginx -t -c %s"
+
+
+ # TODO when openresty is ready to go, populate /usr/lib/systemd/system/webserver.service from /usr/lib/systemd/system/openresty.service
+
+ - name: Ensure service is started
+   become: yes
+   service:
+     name: openresty
+     enabled: yes
+     state: restarted