From 71850abd5abeb133e3e98fe193bd0f62b97f1c81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Br=C3=BCchert?=
Date: Sat, 10 Feb 2024 16:24:12 +0100
Subject: [PATCH] ansible: Serve web interface directly with nginx
---
 ansible/hosts | 4 ++
 ansible/motis.yml | 1 +
 ansible/roles/motis/files/config.ini | 4 +-
 .../files/api.transitous.jbb.ghsq.de.conf | 21 ++++++
 ansible/roles/nginx/files/nginx.conf | 65 +++++++++++++++++
 .../nginx/files/transitous.jbb.ghsq.de.conf | 29 ++++++++
 ansible/roles/nginx/tasks/main.yml | 69 +++++++++++++++++++
 7 files changed, 192 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/nginx/files/api.transitous.jbb.ghsq.de.conf
 create mode 100644 ansible/roles/nginx/files/nginx.conf
 create mode 100644 ansible/roles/nginx/files/transitous.jbb.ghsq.de.conf
 create mode 100644 ansible/roles/nginx/tasks/main.yml
diff --git a/ansible/hosts b/ansible/hosts
index 7586c4e0..b917d601 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -7,3 +7,7 @@ motis:
 spline-vm-motis:
 ansible_user: root
 ansible_host: 130.133.110.196
+ cert_domains:
+ - transitous.jbb.ghsq.de
+ - api.transitous.jbb.ghsq.de
+ email: jbb@kaidan.im
diff --git a/ansible/motis.yml b/ansible/motis.yml
index 2dfa7e92..4e6990ef 100644
--- a/ansible/motis.yml
+++ b/ansible/motis.yml
@@ -6,6 +6,7 @@
 hosts: motis
 roles:
 - motis
+ - nginx
 tasks:
 - name: Install rsync
 apt:
diff --git a/ansible/roles/motis/files/config.ini b/ansible/roles/motis/files/config.ini
index b55216ff..56c71e60 100644
--- a/ansible/roles/motis/files/config.ini
+++ b/ansible/roles/motis/files/config.ini
@@ -11,10 +11,12 @@ modules=intermodal
 modules=nigiri
 intermodal.router=nigiri
-server.static_path=/opt/motis/web
 dataset.no_schedule=true
+[server]
+host=127.0.0.1
+
 [import]
 #paths=osm:europe-latest.osm.pbf
 paths=osm:aachen.osm.pbf
diff --git a/ansible/roles/nginx/files/api.transitous.jbb.ghsq.de.conf b/ansible/roles/nginx/files/api.transitous.jbb.ghsq.de.conf
new file mode 100644
index 00000000..96abcea6
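Review bot: The new inventory variables `cert_domains` and `email` on spline-vm-motis have no consumer in this patch except the certbot tasks in the nginx role, which are all commented out, so a reader of hosts cannot tell why they exist or that changing them currently does nothing. A one-line comment above them would make the coupling explicit, e.g. `# Consumed by the (currently disabled) certbot tasks in roles/nginx/tasks/main.yml`. Keeping the variables in the inventory rather than hard-coding them into the role is the right shape once TLS is switched on.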
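Review bot: The added `[server]` section pins the listener to `host=127.0.0.1` but leaves the port implicit, while the nginx role introduced in the same commit proxies api.transitous.jbb.ghsq.de to port 8080; the pairing holds only while motis's default port stays 8080, and if it ever differs nginx returns 502 with nothing in this file pointing at the cause. Setting the port explicitly next to the host (motis's `server.port` setting, if the installed version exposes it — confirm against its documentation) and stating the dependency in a comment, e.g. `# Loopback only: exposed through the nginx reverse proxy in roles/nginx`, keeps the two sides visibly in sync. Binding to loopback and dropping `server.static_path` in favour of nginx serving /opt/motis/web is the right direction; it removes the direct exposure of the motis listener.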
--- /dev/null
+++ b/ansible/roles/nginx/files/api.transitous.jbb.ghsq.de.conf
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2024 Jonah Brüchert
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+server {
+ #listen 443 http2 ssl;
+ #listen [::]:443 http2 ssl;
+ listen 80;
+ listen [::]:80;
+
+ server_name api.transitous.jbb.ghsq.de;
+
+ # For certbot
+ location ^~ /.well-known/acme-challenge/ {
+ root /var/www/html/;
+ }
+
+ location / {
+ proxy_pass http://localhost:8080;
+ }
+}
diff --git a/ansible/roles/nginx/files/nginx.conf b/ansible/roles/nginx/files/nginx.conf
new file mode 100644
index 00000000..4e8476fd
--- /dev/null
+++ b/ansible/roles/nginx/files/nginx.conf
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2024 Jonah Brüchert
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
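Review bot: `proxy_pass http://localhost:8080;` in the `location /` block resolves `localhost` at startup, and where /etc/hosts maps it to both `127.0.0.1` and `::1` (the Debian default) nginx treats the two as an upstream group and can round-robin to `::1`, which the backend — bound to `host=127.0.0.1` by this commit's config.ini change — is not listening on, giving intermittent 502s and connection-refused noise in error.log. Naming the address the backend actually binds removes the ambiguity: `proxy_pass http://127.0.0.1:8080;`. The block also forwards nothing about the original request, so motis sees every call as coming from the proxy; `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` let the backend log the requested name and client address, which matters as soon as abuse investigation or rate limiting is done on the motis side.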
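Review bot: `server_tokens off;` is left commented out in the Basic Settings block, so every response and default error page advertises the exact nginx version in the `Server` header, which is what version fingerprinting keys on. Uncommenting it — `server_tokens off;` — costs nothing, and the rest of the file (TLS 1.2/1.3 only, loopback-only backend) suggests hardening is the intent. Because the role copies this file verbatim over the distribution's nginx.conf, a header comment such as `# Customised copy of the Debian default nginx.conf; diff against the package version on upgrades` would help whoever next reconciles it with a package update.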
diff --git a/ansible/roles/nginx/files/transitous.jbb.ghsq.de.conf b/ansible/roles/nginx/files/transitous.jbb.ghsq.de.conf
new file mode 100644
index 00000000..08ec5e81
--- /dev/null
+++ b/ansible/roles/nginx/files/transitous.jbb.ghsq.de.conf
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2024 Jonah Brüchert
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+server {
+ #listen 443 http2 ssl;
+ #listen [::]:443 http2 ssl;
+ listen 80;
+ listen [::]:80;
+
+ server_name transitous.jbb.ghsq.de;
+
+ # For certbot
+ location ^~ /.well-known/acme-challenge/ {
+ root /var/www/html/;
+ }
+
+ location = / {
+ if ($arg_motis != http%3A%2F%2Fapi.transitous.jbb.ghsq.de) {
+ return 301 http://$host?motis=http%3A%2F%2Fapi.transitous.jbb.ghsq.de;
+ }
+
+ root /opt/motis/web/;
+ }
+
+ location / {
+ root /opt/motis/web/;
+ }
+}
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 00000000..dd8ec7e6
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
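Review bot: The `return 301 http://$host?motis=...` inside `location = /` builds its redirect target from the client-supplied Host header. Today `server_name transitous.jbb.ghsq.de` restricts what reaches this block, and since the api site file sorts first under `sites-enabled/*` it, not this one, appears to be the implicit default server for port 80; but if this block ever becomes the default (a renamed file, an explicit `default_server`), the redirect reflects whatever Host a client sends. Using the configured name removes that dependency: `return 301 http://$server_name?motis=http%3A%2F%2Fapi.transitous.jbb.ghsq.de;`. The comparison also relies on `$arg_motis` being the raw, still percent-encoded query value; a comment above the `if`, e.g. `# $arg_motis is not decoded, so the literal must use the same encoding the redirect emits`, would save the next reader the trip through the nginx variable docs.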
@@ -0,0 +1,69 @@
+# SPDX-FileCopyrightText: 2024 Jonah Brüchert
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+- name: Install nginx
+ apt:
+ name: nginx
+
+- name: Make sure nginx is running
+ systemd:
+ name: nginx.service
+ state: started
+#
+# - name: Install certbot
+# apt:
+# name: certbot
+#
+# - name: Check if certificate already exists.
+# stat:
+# path: /etc/letsencrypt/live/{{ cert_domains | first | replace('*.', '') }}/cert.pem
+# register: letsencrypt_cert
+#
+# - name: Generate new certificate if one doesn't exist.
+# command: >-
+# certbot certonly --noninteractive --agree-tos --dry-run
+# --email {{ email }}
+# -w /var/www/html/
+# -d {{ cert_domains | join(',') }}
+# --webroot
+# --expand
+# when: not letsencrypt_cert.stat.exists
+#
+# - name: Enable automatic certificate renewal
+# service:
+# name: certbot.timer
+# enabled: true
+# masked: false
+
+- name: Install nginx config
+ copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: Install site config
+ copy:
+ src: "{{ item }}.conf"
+ dest: "/etc/nginx/sites-available/{{ item }}.conf"
+ with_items:
+ - transitous.jbb.ghsq.de
+ - api.transitous.jbb.ghsq.de
+
+- name: Disable default site configuration
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+- name: Enable nginx sites
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}.conf"
+ dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
+ state: link
+ with_items:
+ - transitous.jbb.ghsq.de
+ - api.transitous.jbb.ghsq.de
+
+- name: Reload nginx
+ systemd:
+ name: nginx.service
+ state: reloaded
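Review bot: `Install nginx config` and `Install site config` copy files into place with no syntax check, and the final `Reload nginx` task runs `state: reloaded` unconditionally, so a broken nginx.conf or site file is only discovered when the reload fails on a live server, and the reload fires on every play even when nothing changed. Adding `validate: nginx -t -c %s` to the nginx.conf copy rejects a bad main config before it is installed (confirm the nginx binary is on PATH for the Ansible connection); the site files in sites-available are not reachable by that check until linked, so a `command: nginx -t` step between `Enable nginx sites` and the reload is the cheap guard for them. Turning the reload into a handler fired by `notify: Reload nginx` on the copy, file and link tasks limits reloads to actual changes. `Make sure nginx is running` sets `state: started` without `enabled: true`; the Debian package enables the unit on install, but stating it here documents the intent.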