From a23c96d9f85ead603cbfa88e864b128a33559d5b Mon Sep 17 00:00:00 2001
From: Gabriel Augendre <gabriel@augendre.info>
Date: Thu, 12 Nov 2020 15:24:10 +0100
Subject: [PATCH] Add nginx to playbook

---
 ansible/blog.service |   2 +-
 ansible/nginx.conf   |  59 ++++++++++++++++++++++++
 ansible/playbook.yml | 106 +++++++++++++++++++++++++------------------
 3 files changed, 123 insertions(+), 44 deletions(-)
 create mode 100644 ansible/nginx.conf

diff --git a/ansible/blog.service b/ansible/blog.service
index 8b8f7b1..c806e5c 100644
--- a/ansible/blog.service
+++ b/ansible/blog.service
@@ -11,7 +11,7 @@ rcvar="blog_enable"
 
 load_rc_config $name
 : ${blog_enable="NO"}
-: ${blog_listen_addr="0.0.0.0:8000"}
+: ${blog_listen_addr="127.0.0.1:8000"}
 
 pidfile="/var/run/${name}.pid"
 logfile="/var/log/${name}.log"
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
new file mode 100644
index 0000000..cb1225e
--- /dev/null
+++ b/ansible/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        server_name localhost:80;
+
+        client_max_body_size 10M;
+
+        gzip on;
+        gzip_types
+          application/javascript
+          application/x-javascript
+          application/json
+          application/rss+xml
+          application/xml
+          image/svg+xml
+          image/x-icon
+          application/vnd.ms-fontobject
+          application/font-sfnt
+          text/css
+          text/plain;
+        gzip_min_length 256;
+        gzip_comp_level 5;
+        gzip_http_version 1.1;
+        gzip_vary on;
+
+        location /static/ {
+            alias /srv/blog/staticfiles/;
+            expires 30d;
+        }
+
+        location /media/ {
+            alias /srv/blog/media/;
+            expires 30d;
+        }
+
+        location / {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_pass http://localhost:8000;
+            proxy_redirect off;
+        }
+
+        listen [::]:80;
+        listen 80;
+    }
+}
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index be320a5..230146c 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -6,46 +6,66 @@
     PATH: /root/.poetry/bin:{{ ansible_env.PATH }}
 
   tasks:
-  - name: install dependencies
-    pkgng:
-      name: git,python38,py38-sqlite3,jpeg-turbo,nginx,curl,vim
-  - name: make python3.8 default
-    file:
-      path: /usr/local/bin/python3
-      src: /usr/local/bin/python3.8
-      state: link
-  - name: fetch code
-    git:
-      repo: https://git.sr.ht/~crocmagnon/blog
-      dest: /srv/blog
-      force: yes
-  - name: install poetry
-    shell:
-      cmd: POETRY_VERSION=1.1.4 curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
-      creates: /root/.poetry/bin/poetry
-  - name: create venv
-    shell:
-      cmd: python -m venv /srv/blogvenv
-      creates: /srv/blogvenv/bin/python
-  - name: install deps
-    shell:
-      chdir: /srv/blog
-      cmd: . /srv/blogvenv/bin/activate && poetry install --remove-untracked
-  - name: install service
-    copy:
-      remote_src: yes
-      src: /srv/blog/ansible/blog.service
-      dest: /usr/local/etc/rc.d/blog
-      owner: root
-      group: wheel
-      mode: 0755
-  - name: enable and restart blog service
-    service:
-      name: blog
-      state: restarted
-      enabled: yes
-#  - name: enable nginx service
-#    service:
-#      name: nginx
-#      state: started
-#      enabled: yes
+    - name: install system dependencies
+      pkgng:
+        name: git,python38,py38-sqlite3,jpeg-turbo,nginx,curl,vim
+    - name: make python3.8 default
+      file:
+        path: /usr/local/bin/python3
+        src: /usr/local/bin/python3.8
+        state: link
+    - name: fetch code
+      git:
+        repo: https://git.sr.ht/~crocmagnon/blog
+        dest: /srv/blog
+        force: yes
+    - name: install poetry
+      shell:
+        cmd: POETRY_VERSION=1.1.4 curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
+        creates: /root/.poetry/bin/poetry
+    - name: create venv
+      shell:
+        cmd: python -m venv /srv/blogvenv
+        creates: /srv/blogvenv/bin/python
+    - name: install python dependencies
+      shell:
+        chdir: /srv/blog
+        cmd: . /srv/blogvenv/bin/activate && poetry install --remove-untracked
+    - name: install service
+      copy:
+        remote_src: yes
+        src: /srv/blog/ansible/blog.service
+        dest: /usr/local/etc/rc.d/blog
+        owner: root
+        group: wheel
+        mode: 0755
+    - name: enable and restart blog service
+      service:
+        name: blog
+        state: restarted
+        enabled: yes
+    - name: backup old nginx conf
+      copy:
+        remote_src: yes
+        src: /usr/local/etc/nginx/nginx.conf
+        dest: /usr/local/etc/nginx/nginx.conf.BKP
+    - name: install nginx conf
+      copy:
+        remote_src: yes
+        src: /srv/blog/ansible/nginx.conf
+        dest: /usr/local/etc/nginx/nginx.conf
+        owner: root
+        group: wheel
+        mode: 0644
+      notify:
+        - restart nginx
+    - name: enable nginx service
+      service:
+        name: nginx
+        state: started
+        enabled: yes
+  handlers:
+    - name: restart nginx
+      service:
+        name: nginx
+        state: restarted