Commit 8dd862d8 by Jocelyn Delalande

ynh-onion-admin: Create role

parent 8d9e6993
- name: reload nginx
service: name=nginx state=reloaded
- name: restart tor
service:
name: tor
state: restarted
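Review bot: The two handlers mix argument styles: `reload nginx` uses the `service: name=nginx state=reloaded` key=value shorthand while `restart tor` right below it uses block YAML. Ansible convention is the block form for both, i.e. `service:` / `name: nginx` / `state: reloaded`, which also keeps the handler file consistent with the tasks that already use block arguments. A `---` document-start marker at the top of the file would match yamllint's defaults.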
- include: tor.yml
- include: nginx.yml
- name: Find all domains
command: "yunohost --output-as plain domain list"
register: domains
- name: Disable admin+API on all domains
replace:
dest: "/etc/nginx/conf.d/{{ item }}.conf"
regexp: "^ include conf[.]d/yunohost_(admin|api)[.]conf[.]inc[;]"
replace: '# yunohost \1 disabled in favor of onion-only access'
  • ca ne serait pas plus simple (et funky) de vider / commenter le contenu des fichiers yunohost_{admin,api}.conf.inc, pour attaquer le problème à la source, et ne pas avoir a gérer les ajouts/suppressions de domaines ?

  • Oui, bonne idée, ça me chagrinait de « détruire » un de ces fichiers, mais après-tout pourquoi pas.

    Je peux te laisser PR ça comme exercice ansible ? ;-) Selon le temps que tu souhaites passer à faire du ansible hein, sinon je peux le faire. Dis-moi ce que tu veux.

with_items: "{{ domains.stdout_lines }}"
notify: reload nginx
# Using https because, ynh-api websockets seems to operate only over https
- name: Make the yunohost_admin vhost onion-only
template:
src: ynh_onion_admin.conf.j2
dest: /etc/nginx/conf.d/yunohost_admin.conf
owner: www-data
mode: 0700
notify: reload nginx
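Review bot: The `Make the yunohost_admin vhost onion-only` task at the bottom of the file writes /etc/nginx/conf.d/yunohost_admin.conf with `owner: www-data` and `mode: 0700`; nginx's master process reads its configuration as root, so the restrictive mode buys nothing, while handing ownership to the unprivileged worker account lets anything running as www-data (a compromised web app, if apps on this host run under that user) rewrite the vhost that root-nginx will load on the next reload, e.g. re-adding the admin/API includes on a clearnet domain. Config files under conf.d should be root-owned and readable like their neighbours: `owner: root`, `group: root`, `mode: "0644"` (quoted, so YAML does not reinterpret the leading-zero octal as a decimal integer). Separately, `Find all domains` is a read-only `command` and should carry `changed_when: false` so the play stays idempotent.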
- name: Install Tor
apt: name=tor update_cache=yes cache_valid_time=1800
notify: restart tor
- name: Add required lines in torrc
lineinfile: dest=/etc/tor/torrc line={{ item }}
with_items:
- "HiddenServiceDir /var/lib/tor/hidden_service/"
- "HiddenServicePort 80 127.0.0.1:80"
- "HiddenServicePort 443 127.0.0.1:443"
notify: restart tor
- name: restart tor now, required (required for .onion generation)
meta: flush_handlers
- name: Wait for Tor HS directory to become available
wait_for: path=/var/lib/tor/hidden_service/hostname
- name: Register onion-name
shell: cat /var/lib/tor/hidden_service/hostname
register: cat_hidden_service
- name: Store onion-name as a fact
set_fact:
ynh_onion_admin_onion_name: "{{ cat_hidden_service.stdout }}"
- name: Summary
debug: msg="Your hidden service is now configured. You can access it at http://{{ ynh_onion_admin_onion_name }}."
\ No newline at end of file
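Review bot: Nothing in the torrc lines added by `Add required lines in torrc` gates who may reach the hidden service, so once the .onion name is known (the Summary task prints it, and it will end up in logs and shell history) the admin panel is as reachable as it was on the clearnet; if onion-only access is meant as an access control, add client authorization next to the `HiddenServicePort` lines, e.g. `HiddenServiceAuthorizeClient stealth admin` for v2 services (v3 services use key files under `authorized_clients/` instead; the Tor version on the target is not visible here). The `Register onion-name` step uses `shell: cat` with no `changed_when`, so it reports a change on every run; `command: cat /var/lib/tor/hidden_service/hostname` plus `changed_when: false` (or the `slurp` module) keeps the play idempotent. The `lineinfile: dest=... line={{ item }}` shorthand works but Ansible convention is block-style module args, and the `debug` summary advertises `http://` although the comment in nginx.yml says the API only works over https.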
# {{ ansible_managed }}
#
# Essentialy copied from default yunohost_admin.conf :
# - removing the `default_server` options
# - adding the `server_name` directive
server {
listen 80;
listen [::]:80;
server_name {{ ynh_onion_admin_onion_name }};
location / {
return 302 https://$http_host/yunohost/admin;
}
location /yunohost/admin {
return 301 https://$http_host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ ynh_onion_admin_onion_name }};
ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem;
ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
add_header Strict-Transport-Security "max-age=31536000;";
location / {
return 302 https://$http_host/yunohost/admin;
}
location /yunohost {
# Block crawlers bot
if ($http_user_agent ~ (crawl|Googlebot|Slurp|spider|bingbot|tracker|click|parser|spider|facebookexternalhit) ) {
return 403;
}
# Redirect most of 404 to maindomain.tld/yunohost/sso
access_by_lua_file /usr/share/ssowat/access.lua;
}
include conf.d/yunohost_admin.conf.inc;
include conf.d/yunohost_api.conf.inc;
}
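Review bot: Both `server_name {{ ynh_onion_admin_onion_name }}` blocks still `listen 80` / `listen 443 ssl` on all addresses, so nginx selects this vhost for any clearnet connection whose Host (or SNI) carries the .onion name; the admin and API includes at the end are therefore onion-named rather than onion-only, and the name is not a secret (the Summary task prints it). Since torrc forwards to 127.0.0.1, bind the vhost there: `listen 127.0.0.1:80;` and `listen 127.0.0.1:443 ssl;`, dropping the `[::]` lines, so only Tor-proxied connections can ever match it; nginx prefers an exact-address listen over the wildcard for connections arriving on that address, so verify locally that the existing vhosts still behave as expected afterwards. The TLS settings copied from the default (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and a permissive cipher list) are a secondary concern once traffic only arrives via the Tor circuit, but the local-address listen is what actually enforces the stated intent.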