Give SBS an nginx server

SURFscz · Nov 3, 2023 · 0644bc1 · 0644bc1
1 parent 9581e15
commit 0644bc1
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 49 deletions.
diff --git a/roles/docker_sbs/defaults/main.yml b/roles/docker_sbs/defaults/main.yml
@@ -10,6 +10,7 @@ sbs_env_dir: "{{ sbs_work_dir }}/sbs-env"
 sbs_conf_dir: "{{ sbs_work_dir }}/config"
 sbs_log_dir: "{{ sbs_work_dir }}/log"
 sbs_cert_dir: "{{ sbs_work_dir }}/cert"
+sbs_nginx_conf: "{{ sbs_work_dir }}/nginx.conf"
 
 sbs_db_host: "localhost"
 sbs_db_name: "sbs"

diff --git a/roles/docker_sbs/tasks/main.yml b/roles/docker_sbs/tasks/main.yml
@@ -78,7 +78,7 @@
     - { path: "{{sbs_conf_dir}}",            mode: "0755" }
     - { path: "{{sbs_conf_dir}}/saml",       mode: "0755" }
     - { path: "{{sbs_log_dir}}",             mode: "0775" }
-    - { path: "{{sbs_cert_dir}}",             mode: "0775" }
+    - { path: "{{sbs_cert_dir}}",            mode: "0775" }
 
 # - name: "Fix file permissions"
 #   file:
@@ -216,11 +216,10 @@
 # - include_role:
 #     name: "nginx"
 
-# - name: "install nginx config"
-#   template:
-#     src: "sbs-nginx.j2"
-#     dest: "/etc/nginx/sites-enabled/10-sbs.conf"
-#   notify: "restart nginx"
+- name: "install nginx config"
+  template:
+    src: "sbs-nginx.j2"
+    dest: "{{ sbs_nginx_conf }}"
 
 # - name: "Install database dump script"
 #   template:
@@ -239,6 +238,21 @@
 #   changed_when: "'[alembic.runtime.migration] Running upgrade' in result.stderr"
 #   notify: "restart sbs"
 
+# We need to remove sram-static so it gets repopulated
+# with new SBS image static content
+- name: Stop and remove sbs and sbs-nginx containers
+  docker_container:
+    name: "{{ item }}"
+    state: absent
+  with_items:
+    - sbs
+    - sbs-nginx
+
+- name: Remove sram-static volume
+  community.docker.docker_volume:
+    name: sram-static
+    state: absent
+
 - name: Create sbs container
   docker_container:
     name: sbs
@@ -251,6 +265,21 @@
       - "{{ sbs_conf_dir }}:{{ sbs_conf_dir }}"
       - "{{ sbs_cert_dir }}:{{ sbs_cert_dir }}"
       - "{{ sbs_log_dir }}:/opt/sbs/log"
+      - sbs_static:/opt/sbs/client/build
+    networks:
+      - name: "traefik"
+
+- name: Create nginx container
+  docker_container:
+    name: sbs-nginx
+    image: nginx:1
+    # restart_policy: "always"
+    # restart: true
+    state: started
+    # pull: true
+    volumes:
+      - "{{ sbs_nginx_conf }}:/etc/nginx/nginx.conf:ro"
+      - sbs_static:/var/www
     networks:
       - name: "traefik"
     labels:

diff --git a/roles/docker_sbs/templates/sbs-nginx.j2 b/roles/docker_sbs/templates/sbs-nginx.j2
@@ -1,49 +1,60 @@
-server {
-    listen {{sbs_backend_port}} ssl http2;
-    server_name _        sbs.vm.scz-vm.net;
-
-    ssl_certificate     {{ ssl_certs_dir }}/{{ internal_base_domain }}.crt;
-    ssl_certificate_key {{ ssl_certs_dir }}/{{ internal_base_domain }}.key;
-
-    root /opt/sbs/sbs/client/build;
-
-    add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
-    add_header Permissions-Policy      "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()";
-
-    gzip  on;
-    gzip_min_length 1000;
-    gzip_proxied any;
-    gzip_types
-        text/css
-        text/javascript
-        application/javascript;
-
-    location / {
-        try_files $uri @index;
-    }
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
 
-    location /static {
-        add_header Cache-Control "max-age=3600, public";
-    }
+http {
+    server {
+        listen 80;
+        http2 on;
+        server_name _        {{ hostnames.sbs }};
 
-    location @index {
-        rewrite ^ /index.html;
-    }
+        root /var/www;
 
-    location ~ /(api|pam-weblogin|flasgger_static|swagger|health|config|info) {
         add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
-        add_header Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
-        add_header Cache-Control "nocache, private";
-        include proxy_params;
-        proxy_pass http://127.0.0.1:8080;
-    }
-
-    location /socket.io {
-        include proxy_params;
-        proxy_http_version 1.1;
-        proxy_buffering off;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_pass http://127.0.0.1:8080/socket.io;
+        add_header Permissions-Policy      "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()";
+
+        gzip  on;
+        gzip_min_length 1000;
+        gzip_proxied any;
+        gzip_types
+            text/css
+            text/javascript
+            application/javascript;
+
+        location / {
+            try_files $uri @index;
+        }
+
+        location /static {
+            add_header Cache-Control "max-age=3600, public";
+        }
+
+        location @index {
+            rewrite ^ /index.html;
+        }
+
+        location ~ /(api|pam-weblogin|flasgger_static|swagger|health|config|info) {
+            add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
+            add_header Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
+            add_header Cache-Control "nocache, private";
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_pass http://sbs;
+        }
+
+        location /socket.io {
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_buffering off;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_pass http://sbs;
+        }
     }
 }