first initial commit (testing this as well)

6a51da34 · Karl Grube · 2a99664c · 6a51da34 · 6a51da34 · 6a51da34
Commit 6a51da34 authored 1 month ago by Karl Grube
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+fqdn: "{{inventory_hostname}}"
+domain_name: "{{fqdn|replace((ansible_hostname + '.'),'')}}"
+haproxy_cns: "{{groups['haproxy']}}"
--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
--- a/tasks/all.yml
+++ b/tasks/all.yml
+---
+- name: make sure nginx is installed
+  package:
+    name: nginx
+- name: remove bandersnatch site
+  file:
+    path: /etc/nginx/sites-enabled/bandersnatch
+    state: absent
+  notify: reload nginx
+- name: template pypi_cache site
+  template:
+    src: pypi_site.j2
+    dest: /etc/nginx/sites-available/pypi
+  tags: sites
+  notify: reload nginx
+- name: link pypi
+  file:
+    state: link
+    src: ../sites-available/pypi
+    path: /etc/nginx/sites-enabled/pypi
+  notify: reload nginx
+- name: nginx started and enabled
+  service:
+    name: nginx
+    state: started
+    enabled: yes
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+- import_tasks: all.yml
--- a/templates/pypi_site.j2
+++ b/templates/pypi_site.j2
+log_format pypi_cache '$remote_addr - $host [$time_local] '
+                      'request_time=$request_time upstream_time=$upstream_response_time '
+                      'cache_status=$upstream_cache_status \t'
+                      '$status "$request" $body_bytes_sent';
+access_log /dev/stdout pypi_cache buffer=64k flush=1s;
+# Log to file, can be useful for dev
+# access_log /var/log/nginx/cache.log pypi_cache buffer=64k flush=1s;
+# Cache 50G worth of packages for up to 1 month
+proxy_cache_path /var/lib/nginx/pypi levels=1:2 keys_zone=pypi:16m inactive=1M max_size=50G use_temp_path=off;
+# Having the same upstream server listed twice allegedly forces nginx to retry
+# connections and not fail the request immediately.
+upstream sg_pypi {
+    server pypi.org:443;
+    server pypi.org:443;
+    keepalive 16;
+}
+upstream sg_pythonhosted {
+    server files.pythonhosted.org:443;
+    server files.pythonhosted.org:443;
+    keepalive 16;
+}
+server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        server_name {{fqdn}};
+        ssl_prefer_server_ciphers on;
+        ssl_protocols TLSv1.3;
+        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+        ssl_certificate '/etc/ssl/step/{{fqdn}}.crt';
+        ssl_certificate_key '/etc/ssl/step/{{fqdn}}.key';
+        ssl_session_timeout 10m;
+        add_header Strict-Transport-Security max-age=15768000;
+        location / {
+          set $deny_access 1;
+      {% for client in haproxy_cns %}
+          if ($ssl_client_s_dn = "CN={{client}}" ){
+            set $deny_access 0;
+          }
+      {% endfor %}
+          if ($ssl_client_verify != "SUCCESS"){
+            set $deny_access 1;
+          }
+          if ($deny_access != 0){
+            return 403;
+          }
+            proxy_set_header Connection "";
+            proxy_set_header Accept-Encoding "";
+            proxy_cache_valid 200 301 10m;
+            proxy_cache_valid 404 1m;
+            proxy_set_header Host pypi.org;
+            proxy_ssl_name pypi.org;
+            proxy_pass 'https://sg_pypi';
+            proxy_redirect 'https://pypi.org' $scheme://$host;
+        }
+  proxy_cache pypi;
+        proxy_cache_key $uri/$http_accept_encoding;
+        proxy_cache_lock on;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_http_version 1.1;
+        proxy_ssl_server_name on;
+        # sub_filter can't apply to gzipped content, so be careful about that
+        add_header X-Pypi-Cache $upstream_cache_status;
+        sub_filter 'https://pypi.org' $scheme://$host;
+        sub_filter 'https://files.pythonhosted.org/packages' $scheme://$host/packages;
+        sub_filter_once off;
+        sub_filter_types application/vnd.pypi.simple.v1+json application/vnd.pypi.simple.v1+html;
+        location ^~ /simple {
+            proxy_set_header Connection "";
+            proxy_set_header Accept-Encoding "";
+            proxy_cache_valid 200 301 10m;
+            proxy_cache_valid 404 1m;
+            proxy_set_header Host pypi.org;
+            proxy_ssl_name pypi.org;
+            proxy_pass 'https://sg_pypi';
+            proxy_redirect 'https://pypi.org' $scheme://$host;
+        }
+        location ^~ /packages {
+            proxy_set_header Connection "";
+            proxy_set_header Accept-Encoding "";
+            proxy_cache_valid 200 301 1M;
+            proxy_cache_valid 404 1m;
+            proxy_set_header Host files.pythonhosted.org;
+            proxy_ssl_name files.pythonhosted.org;
+            proxy_pass 'https://sg_pythonhosted/packages';
+            proxy_redirect 'https://files.pythonhosted.org/packages' $scheme://$host/packages;
+        }
+        location /nginx_status {
+            stub_status;
+        }
+}