CodeNow · bkendall · May 12, 2016 · May 11, 2016 · May 11, 2016 · May 12, 2016
diff --git a/ansible/group_vars/alpha-proxy-socket-server.yml b/ansible/group_vars/alpha-proxy-socket-server.yml
@@ -15,5 +15,6 @@ docker_container_run_opts: >
   -v /etc/nginx/sites-available/:/etc/nginx/sites-enabled/:ro
   -v /etc/nginx/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
   -v /etc/ssl/certs/{{ domain }}:/etc/ssl/certs/{{ domain }}:ro
+  -v /etc/ssl/certs/{{ user_content_domain }}:/etc/ssl/certs/{{ user_content_domain }}:ro
   -v /etc/ssl/private:/etc/ssl/private:ro
   -v /var/log/nginx:/var/log/nginx
diff --git a/ansible/roles/user-content-pixel/tasks/main.yml b/ansible/roles/user-content-pixel/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: assert nginx config directory
+  tags: [ deploy ]
+  become: yes
+  file:
+    state: directory
+    dest: /etc/nginx
+
+- name: assert nginx sites-available directory
+  tags: [ deploy ]
+  become: yes
+  file:
+    state: directory
+    dest: /etc/nginx/sites-available
+
+- name: assert nginx sites-enable directory
+  tags: [ deploy ]
+  become: yes
+  file:
+    state: directory
+    dest: /etc/nginx/sites-enable
+
+- name: put configuration in place
+  tags: [ deploy ]
+  become: yes
+  template:
+    src: "{{ item }}"
+    dest: /etc/nginx/sites-available/{{ item }}
+  with_items:
+  - 90-user-content-pixel.conf
+
+- name: link configuration to enable
+  tags: [ deploy ]
+  become: yes
+  file:
+    state: link
+    dest: /etc/nginx/sites-enabled/{{ item }}
+    src: /etc/nginx/sites-available/{{ item }}
+  with_items:
+  - 90-user-content-pixel.conf
+
+- name: reload nginx
+  tags: [ deploy ]
+  become: yes
+  shell: >
+    docker ps |
+    awk '/nginx/{ print $1 }' |
+    xargs -n 1 docker kill --signal SIGHUP
+  args:
+    executable: /bin/bash
diff --git a/ansible/roles/user-content-pixel/templates/90-user-content-pixel.conf b/ansible/roles/user-content-pixel/templates/90-user-content-pixel.conf
@@ -0,0 +1,40 @@
+server {
+  listen 80;
+  server_name blue.{{ user_content_domain }};
+  location / {
+    return 404;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name blue.{{ user_content_domain }};
+  gzip off;
+
+  ssl on;
+  ssl_certificate /etc/ssl/certs/{{ user_content_domain }}/{{ user_content_domain }}.chained.crt;
+  ssl_certificate_key /etc/ssl/private/{{ user_content_domain }}.key;
+  ssl_trusted_certificate /etc/ssl/certs/{{ user_content_domain }}/ca.pem;
+
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+  ssl_prefer_server_ciphers on;
+  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver 8.8.8.8 8.8.4.4 valid=300s;
+  resolver_timeout 5s;
+
+  location = /pixel.gif {
+    add_header Set-Cookie "isModerating=1; Domain=.{{ user_content_domain }}; Path=/; HttpOnly; Secure;";
+    empty_gif;
+  }
+
+  location / {
+    return 404;
+  }
+}
diff --git a/ansible/socket-server-proxy.yml b/ansible/socket-server-proxy.yml
@@ -1,11 +1,8 @@
 ---
-- hosts: socket-server
-
 - hosts: socket-server-proxy
   vars_files:
     - group_vars/alpha-proxy-socket-server.yml
   roles:
     - role: datadog
       has_dd_integration: yes
-    - role: socket-proxy
     - role: container_restart
diff --git a/ansible/user-content-pixel.yml b/ansible/user-content-pixel.yml
@@ -0,0 +1,4 @@
+---
+- hosts: socket-server-proxy
+  roles:
+  - { role: user-content-pixel }