oversignts and corrections -- most now seem to work on rpi

roles/kolibri/tasks/main.yml

@@ -119,6 +119,18 @@
 #    name: proxy_http
 
 - name: Start 'kolibri' systemd service, if kolibri_enabled
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: root
+    group: root
+  with_items:
+    - { src: 'kolibri.service.j2', dest: '/etc/systemd/system/kolibri.service', mode: '0644' }
+    - { src: 'kolibri.conf.j2', dest: '/etc/apache2/sites-available/kolibri.conf', mode: '0644' }
+    - { src: 'kolibri-nginx.conf.j2', dest: '/etc/nginx/conf.d/kolibri-nginx.conf', mode: '0644' }
+
+- name: Enable & (Re)Start kolibri service
   systemd:
     name: kolibri
     state: started

roles/kolibri/templates/kolibri-nginx.conf.j2

@@ -0,0 +1,9 @@
+location    /kolibri {
+   proxy_bind              $server_addr;
+   proxy_set_header        Host            $http_host;
+   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+   proxy_set_header        X-Scheme        $scheme;
+   proxy_set_header        X-Script-Name   /kolibri;
+   proxy_pass http://127.0.0.1:8009;
+}
+

roles/nginx/defaults/main.yml

@@ -0,0 +1 @@
+nginx_log_dir: /var/log/nginx

roles/nginx/files/README.md

@@ -0,0 +1,21 @@
+### Transition to NGINX
+1. Initial testing strategy is to move nginx to port 80, and proxy everything to apache on port 8090-- creating a shim.
+2. Without php available via fastcgi, any function at all for php based applications validates nginx.
+3. Current state (7/15/19):
+    1. Principal functions migrated to nginx.
+         * Admin Console
+         * Awstats
+         * kiwix -- goes directly to port 3000
+         * kalite -- goes directly to port 8009
+         * calibre-web
+         * kolibri
+         * usb-lib
+         * maps
+    2. Still proxied to Apache
+         * mediawiki
+         * elgg
+         * nodered
+         * nextcloud
+         * wordpress
+         * moodle
+         * archive.org

roles/nginx/tasks/main.yml

@@ -0,0 +1,62 @@
+- name: Insure that apache2 is not running -- we may need port swap
+  service: 
+      name: apache2
+      enabled: False 
+      state: stopped
+  ignore_errors: True
+
+- name: Install nginx required  and helper packages
+  package: name={{ item }} state=present
+  with_items:
+    - nginx-extras
+    - uwsgi
+    - uwsgi-plugin-python
+    - php-fpm
+    - libnginx-mod-http-subs-filter
+
+- name: Put the config file in place
+  template: 
+      src: '{{ item.src}}'  
+      dest: '{{ item.dest }}'
+  with_items:
+     - { src: "server.conf",dest: "/etc/nginx/" }
+     - { src: "nginx.conf",dest: "/etc/nginx/" }
+     - { src: "usb-lib.conf",dest: "/etc/nginx/conf.d/" }
+     - { src: "admin-console.ini",dest: "/etc/uwsgi/apps-enabled/" }
+     - { src: "uwsgi.unit",dest: "/etc/systemd/system/" }
+# optional services
+     - { src: "kiwix.conf",dest: "/etc/nginx/conf.d/" }
+
+- name: Add http server  user to shadow group, so it can authenticate Admin Console
+  user:
+      name: "{{ apache_user }}"
+      groups: shadow
+
+- name: Remove the nginx default config
+  file: path=/etc/nginx/sites-enabled/default state=absent
+
+- name: Install config for Admin Console
+  template: 
+        src: admin-console-nginx.conf
+# Comment one or the other to revert from nginx back to apache2, if required
+#        src: admin-console-apache.conf
+        dest: /etc/nginx/conf.d/admin-console.conf
+  when: admin_console_enabled | bool
+
+- name: Enable the uwsgi systemd service
+  service:
+      name: uwsgi
+      state: started
+      enabled: True
+
+- name: Make sure nginx picks up the config 
+  service: 
+      name: nginx 
+      state: restarted
+  when: nginx_enabled | bool
+          
+# it might not be installed yet, so ignore errors
+- name: Since we stopped apache2, start it again
+  service: name=apache2 state=started enabled=True
+  when: apache_enabled | bool
+  ignore_errors: True

roles/nginx/templates/admin-console-apache.conf

@@ -0,0 +1,9 @@
+location /admin {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/admin;
+}
+location /cmd-service {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/cmd-service;
+}
+ 
+  
+

roles/nginx/templates/admin-console-nginx.conf

@@ -0,0 +1,29 @@
+location /admin {
+#  proxy_pass http://127.0.0.1:{{ apache_port }}/admin;
+   alias /opt/admin/console;
+   auth_pam                "Secure zone";
+   auth_pam_service_name   "nginx";
+
+}
+
+location ~ /admin/(.*)\.php$ {
+    alias /opt/admin/console/$1.php;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    fastcgi_pass php;
+    fastcgi_index index.php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+    include fastcgi_params;
+}
+ 
+location /cmd-service {
+#  proxy_pass http://127.0.0.1:{{ apache_port }}/cmd-service;
+   include uwsgi_params;
+   uwsgi_pass unix:///tmp/admin-console.sock;
+}
+
+  
+

roles/nginx/templates/admin-console.ini

@@ -0,0 +1,8 @@
+[uwsgi]
+	uid = www-data
+	gid = www-data
+	socket = /tmp/admin-console.sock
+	chdir = /opt/admin/console
+	wsgi-file = cmd-service.wsgi
+	master = true
+   plugins = python

roles/nginx/templates/kalite-nginx.conf

@@ -0,0 +1,59 @@
+# NGINX configuration for KA Lite
+#
+# Upstream KA-Lite server uses port 7007
+# Nginx proxy for KA-Lite uses port 8008
+#
+# If you want the website to be accessible at a different port, change
+#  PROXY_PORT = nnnn setting in /var/ka-lite/.kalite/settings.py
+# and change the below accordingly.
+
+
+upstream kalite {
+    server 127.0.0.1:7007;
+}
+
+server {
+
+    listen 8008;
+
+    # Default value, overwritten in nginx.d
+    set $kalite_home {{ kalite_root }};
+    include /etc/ka-lite/nginx.d/*.conf;
+
+    location /static {
+        alias   $kalite_home/httpsrv/static/;
+    }
+
+    location /media {
+        alias   $kalite_home/httpsrv/media/;
+    }
+
+    location /content {
+        alias   $kalite_home/content/;
+    }
+
+    location /favicon.ico {
+        empty_gif;
+    }
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_pass http://kalite;
+        error_page 502 = @502;
+    }
+
+    location @502 {
+        types { }
+        default_type "text/html";
+        return 502 "
+        <BR>
+        <H1>KA-Lite might be busy - wait a few moments and then reload this page
+        <BR><BR>
+        <H2>If KA-Lite is still busy, get help from the system administrator
+        <H3>Error code: nginx 502 Bad Gateway (maybe the KA-Lite webserver is not working correctly)";
+    }
+
+}
+

roles/nginx/templates/kiwix.conf

@@ -0,0 +1,3 @@
+location /kiwix {
+  proxy_pass http://127.0.0.1:3000;
+}

roles/nginx/templates/nginx.conf

@@ -0,0 +1,80 @@
+# IIAB notes: sites-enabled is for server declarations
+# cond.d is for location declarations within the main server block
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type text/html;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log {{ apache_log_dir }}/access.log;
+	error_log {{ apache_log_dir }}/error.log;
+   log_format scripts '$request > $document_root$fastcgi_script_name $fastcgi_path_info';
+
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+	##
+	# Virtual Host Configs
+	##
+
+
+   # include a server file which in turn includes conf.d/*
+   include /etc/nginx/server.conf;
+        
+   # include other sites
+	include /etc/nginx/sites-enabled/*.conf;
+
+
+   # define the upstream backend fastcgi for php
+   upstream php {
+      server  unix:/run/php/php{{ php_version }}-fpm.sock;
+   }
+           
+}
+

roles/nginx/templates/server.conf

@@ -0,0 +1,40 @@
+server {
+      root {{ doc_root }};
+      server_name {{ iiab_hostname }};
+      listen 80;
+ 
+      access_log {{ apache_log_dir }}/access.log;
+      error_log {{ apache_log_dir }}/error.log;
+      access_log {{ apache_log_dir }}/scripts.log scripts;
+
+      index  index.php index.html index.htm;
+      rewrite ^/$ $scheme://$server_addr/home/;
+
+      # let individual services drop location blocks in conf.d
+      include /etc/nginx/conf.d/*;
+ 
+      location ~ .*\.php$ {
+          proxy_set_header X-Real-IP  $remote_addr;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header Host $host;
+          fastcgi_pass php;
+          fastcgi_index index.php;
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+          fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+          include fastcgi_params;
+       }
+ 
+      location /cgi-bin {
+         root /usr/lib;
+      }
+
+       # if you don't like seeing all the errors for missing favicon.ico in root
+       location = /favicon.ico { access_log off; log_not_found off; }
+ 
+       # if you don't like seeing errors for a missing robots.txt in root
+       location = /robots.txt { access_log off; log_not_found off; }
+ 
+       # this will prevent files like .htaccess .htpassword .secret etc from being served
+       location ~ /\. { deny all; }
+}

roles/nginx/templates/usb-lib.conf

@@ -0,0 +1,7 @@
+location /usb {
+  alias /library/www/html/local_content/;
+  autoindex on;
+}
+location /local_content/ {
+  autoindex on;
+}

roles/nginx/templates/uwsgi.unit

@@ -0,0 +1,13 @@
+Unit]
+Description=uWSGI Service
+
+[Service]
+ExecStart=/usr/local/bin/uwsgi --ini /etc/uwsgi/admin_console_wsgi.ini
+Restart=always
+RestartSec=5
+KillSignal=SIGQUIT
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target

roles/nodered/tasks/main.yml

@@ -171,6 +171,15 @@
     mode: 0666
   when: nodered_install | bool
 
+- name: Install nginx's conf.d file from template
+  template:
+    src: nodered-nginx.conf.j2
+    dest: /etc/nginx/conf.d/nodered-nginx.conf
+    owner: root
+    group: root
+    mode: 0666
+  when: nodered_install | bool
+
 - name: Create symlink nodered.conf from sites-enabled to sites-available, for short URL http://box/nodered (if nodered_enabled)
   file:
     src: /etc/apache2/sites-available/nodered.conf
@@ -187,6 +196,12 @@
   when: not nodered_enabled
 
 # SEE ALSO THE apache2_module SECTION IN roles/httpd/tasks/main.yml
+- name: Remove symlink /etc/nginx/conf.d/nodered-nginx.conf (if not nodered_enabled)
+  file:
+    path: /etc/nginx/conf.d/nodered-nginx.conf
+    state: absent
+  when: not nodered_enabled
+
 - name: Enable proxy_wstunnel apache2 module
   apache2_module:
     state: present

roles/nodered/templates/nodered-nginx.conf.j2

@@ -0,0 +1,3 @@
+location /nodered {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/nodered;
+}

roles/osm-vector-maps/tasks/main.yml

@@ -70,23 +70,17 @@
     src: map_functions.js
     dest: '{{ vector_map_path }}/maplist/assets'
 
-- name: Install /etc/{{ apache_config_dir }}/osm-vector-maps.conf from template
+- name: Install /etc/nginx/conf.d/osm-vector-maps.conf from template
   template:
-    src: osm-vector-maps.conf
-    dest: "/etc/{{ apache_config_dir }}/osm-vector-maps.conf"
+    src: osm-vector-maps-nginx.conf
+    dest: "/etc/nginx/conf.d/osm-vector-maps-nginx.conf"
+  when: osm_vector_maps_enabled | bool
 
-- name: Create symlink osm-vector-maps.conf from sites-enabled to sites-available (debuntu, not nec for redhat)
+- name: Remove config /etc/nginx/conf,d/osm-vector-maps.conf (debuntu)
   file:
-    src: /etc/apache2/sites-available/osm-vector-maps.conf
-    path: /etc/apache2/sites-enabled/osm-vector-maps.conf
-    state: link
-  when: osm_vector_maps_enabled and is_debuntu
-
-- name: Remove symlink /etc/apache2/sites-enabled/osm-vector-maps.conf (debuntu)
-  file:
-    path: /etc/apache2/sites-enabled/osm-vector-maps.conf
+    path: /etc/nginx/conf.d/osm-vector-maps-nginx.conf
     state: absent
-  when: not osm_vector_maps_enabled and is_debuntu
+  when: not osm_vector_maps_enabled | bool
 
 #- name: Does the {{ vector_map_path }}/index.html redirect already exist?
 #  stat:

roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf

@@ -0,0 +1,7 @@
+# For downloadable regional vector tilesets
+location /maps {
+   alias /library/www/osm-vector-maps;
+}
+location /osm-vector-maps {
+   alias /library/www/osm-vector-maps;
+}

roles/sugarizer/tasks/install.yml

@@ -138,7 +138,7 @@
 
 # 5. CONFIG FILES
 
-- name: "Install from templates: sugarizer.service (systemd), sugarizer.conf (Apache)"
+- name: "Install from templates: sugarizer.service (systemd), sugarizer-nginx.conf (nginx)"
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -147,7 +147,7 @@
     group: root
   with_items:
     - { src: 'sugarizer.service', dest: '/etc/systemd/system/sugarizer.service' }
-    - { src: 'sugarizer.conf.j2', dest: '/etc/apache2/sites-available/sugarizer.conf' }
+    - { src: 'sugarizer-nginx.conf', dest: '/etc/nginx/conf.d/sugarizer-nginx.conf' }
     #- { src: 'sugarizer.ini.j2', dest: '{{ iiab_base }}/sugarizer-server/env/sugarizer.ini' }
     #- { src: 'sugarizer.js', dest: '{{ iiab_base }}/sugarizer-server' }
 
@@ -223,14 +223,7 @@
 
 - name: Create symlink sugarizer.conf from sites-enabled to sites-available, for short URLs http://box/sugar & http://box/sugarizer (if sugarizer_enabled)
   file:
-    src: /etc/apache2/sites-available/sugarizer.conf
-    path: /etc/apache2/sites-enabled/sugarizer.conf
-    state: link
-  when: sugarizer_enabled and is_debuntu
-
-- name: Remove symlink /etc/apache2/sites-enabled/sugarizer.conf (if not sugarizer_enabled)
-  file:
-    path: /etc/apache2/sites-enabled/sugarizer.conf
+    path: /etc/nginx/conf.d/sugarizer-nginx.conf
     state: absent
   when: not sugarizer_enabled and is_debuntu
 
@@ -277,6 +270,12 @@
 #    state: stopped
 #  when: not sugarizer_enabled
 
+- name: Restart nginx when enabled
+  service:
+    name: nginx
+    state: restarted
+  when: sugarizer_enabled and nginx_enabled
+
 - name: Add 'sugarizer' variable values to {{ iiab_ini_file }}
   ini_file:
     path: "{{ iiab_ini_file }}"

roles/sugarizer/templates/sugarizer-nginx.conf

@@ -0,0 +1,12 @@
+# sugarizer_port is set to 8089 in /opt/iiab/iiab/vars/default_vars.yml
+# If you need to change this, edit /etc/iiab/local_vars.yml prior to installing
+
+
+location /sugarizer {
+   proxy_bind              $server_addr;
+   proxy_set_header        Host            $http_host;
+   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+   proxy_set_header        X-Scheme        $scheme;
+   proxy_set_header        X-Script-Name   /sugarizer;
+   proxy_pass http://127.0.0.1:8089;
+}

roles/wordpress/tasks/install.yml

@@ -116,6 +116,19 @@
   template:
     src: wordpress.conf.j2
     dest: "/etc/{{ apache_config_dir }}/wordpress.conf"
+  when: apache_enabled
+
+- name: Copy the nginx location info
+  template: 
+      src: wordpress-nginx.conf 
+      dest: /etc/nginx/conf.d/
+  when: nginx_enabled
+
+- name: Notify nginx service of changes
+  service: 
+      name: nginx 
+      state: restarted
+  when: nginx_enabled
 
 - name: Create symlink wordpress.conf from sites-enabled to sites-available, if wordpress_enabled (debuntu)
   file:

roles/wordpress/templates/wordpress-nginx.conf

@@ -0,0 +1,11 @@
+location /wordpress {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/wordpress;
+}
+ location ~ /wordpress/.*\.php$ {
+
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+
+}

vars/default_vars.yml

@@ -205,6 +205,10 @@ openvpn_server_real_ip: 3.89.148.185
 openvpn_server_virtual_ip: 10.8.0.1
 openvpn_server_port: 1194
 
+# apache
+apache_install: True
+apache_enabled: True
+allow_apache_sudo: False
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@@ -221,6 +225,24 @@ exFAT_enabled: True
 
 
 # 3-BASE-SERVER
+# Variables fo Administrative Console
+admin_console_install: True
+admin_console_enabled: True
+
+# variables related to introduction of nginx
+# apache
+apache_port: "8090"
+apache_interface: "127.0.0.1"
+apache_install: True
+apache_enabled: True
+# The following variable, if True, allows Admin Console to poweroff IIAB
+allow_apache_sudo: False
+
+nginx_port: "80"
+nginx_interface: "0.0.0.0"
+nginx_install: True
+nginx_enabled: True
+
 
 # See also Apache vars {default_language, language_priority} @ top of this file
 #