This repository contains the ansible configuration for deploying the machines in the jak-linux.org domain, and some related machines.
For each host, the array domains
configures the domains configured
on that host to be served by nginx
. It also configures TLS
certificates, either using dummy ones or letsencrypt.
Let's consider the following example:
domains:
- cname: example.com
alias:
- www.example.com
nginx_add_locations:
# This is added to the server configuration
location ~ /iamfancy/ {
fastcgi_pass unix:/run/path/to/socket;
include fastcgi_params;
}
letsencrypt_email: jak@jak-linux.org
This configures a domain with the canonical domain example.com
,
and redirects from wwww.example.com
. It also sets up /iamfancy
to passthrough to a fastcgi socket. Content will be served from the
directory /var/www/example.com
, and one certificate will be generated
with example.com
and wwww.example.com
as subject alternative names.
Configured websites are TLS-only. They are configured with letsencrypt
certificates or dummy certificates, depending on whether they have the
role letsencrypt
or snake-oil-letsencrypt
. The latter is useful
for testing purposes.
Confinement: The nginx server is confined using AppArmor to only read the SSL keys, webdata, and other stuff it needs to operate.
The weechatserver
role configures a user called weechat
and a
system weechat
service that runs weechat inside of tmux. It also
installs mosh
so you can connect to the running weechat
.
Furthermore, it also configures a weechat relay to listen on port 9000 on localhost. This can then be made available through nginx using websockets, for example, including a rate limiting to 5 requests per minute:
nginx_conf:
weechat:
# Rate limit weechat
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;
domains:
- cname: example.com
alias:
- www.example.com
nginx_add_locations: |
location /weechat {
proxy_pass http://localhost:9000/weechat; # Change the port to your relay's
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; # These two lines ensure that the
proxy_set_header Connection "Upgrade"; # a WebSocket is used
proxy_read_timeout 604800; # Prevent idle disconnects
proxy_set_header X-Real-IP $remote_addr; # Let WeeChat see the client's IP
limit_req zone=weechat burst=1 nodelay; # Brute force prevention
}
It is not exposed by default however.
Confinement: The weechat binary is confined to mostly ~/.weechat using AppArmor, reducing the attack surface considerably.