start writting config files
This commit is contained in:
parent
130e101cc6
commit
2667d5affc
5 changed files with 155 additions and 2 deletions
32
README.md
32
README.md
|
@ -10,6 +10,13 @@ This role is part of my ansible roles. It is made to interact with other roles t
|
||||||
|
|
||||||
```
|
```
|
||||||
ansible_managed: str, msg indicating a file managed by ansible
|
ansible_managed: str, msg indicating a file managed by ansible
|
||||||
|
http_sites: dictionnary of site, see the Http Sites section bellow
|
||||||
|
```
|
||||||
|
|
||||||
|
## Optionnal variables
|
||||||
|
|
||||||
|
```
|
||||||
|
in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
|
||||||
```
|
```
|
||||||
|
|
||||||
## Add role to you ansible playbook:
|
## Add role to you ansible playbook:
|
||||||
|
@ -21,6 +28,31 @@ git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/nginx.git roles/ngin
|
||||||
git submodule init
|
git submodule init
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Http Sites
|
||||||
|
|
||||||
|
The variable `http_sites` is a dictionnary of the http site managed by nginx.
|
||||||
|
|
||||||
|
```
|
||||||
|
http_sites:
|
||||||
|
`server_name`:
|
||||||
|
root_snippets:
|
||||||
|
- ? TODO
|
||||||
|
locations:
|
||||||
|
`location`:
|
||||||
|
template: `template`
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
`server_name` is the string corresponding to the server name (eg: "example.com").
|
||||||
|
|
||||||
|
`root_snippets` is a list of snippets/templates (To be determine) containing configurations for the http server.
|
||||||
|
|
||||||
|
`locations` is a dictionnary of location block. `location` (the key of an item) is the location (eg, "/"), `template` is the jinja template defining the contant of the location block. Other variables can be added to the location block depending on the template used.
|
||||||
|
|
||||||
|
Inside the templates, `server_name` is accessed with `{{ item.key }}`, en variables of the server block with `{{ item.value.varname }}`.
|
||||||
|
|
||||||
|
Inside templates of a location, in addition to the variables of the server block, the variables of the location block can be accessed with `{{ location.value.varname }}`, and the value of `location` with `{{ location.key }}`.
|
||||||
|
|
||||||
## Copyright
|
## Copyright
|
||||||
|
|
||||||
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
|
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
|
||||||
|
|
|
@ -2,11 +2,14 @@
|
||||||
- name: Install NGINX
|
- name: Install NGINX
|
||||||
apt:
|
apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
name: nginx
|
name: "{{ item }}"
|
||||||
state: latest
|
state: latest
|
||||||
register: apt_result
|
register: apt_result
|
||||||
retries: 3
|
retries: 3
|
||||||
until: apt_result is succeeded
|
until: apt_result is succeeded
|
||||||
|
loop:
|
||||||
|
- nginx
|
||||||
|
- "python3-cryptography"
|
||||||
|
|
||||||
- name: Copy snippets
|
- name: Copy snippets
|
||||||
template:
|
template:
|
||||||
|
@ -20,6 +23,11 @@
|
||||||
path: /etc/nginx/certs
|
path: /etc/nginx/certs
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
|
- name: check if dummy cert exist
|
||||||
|
stat:
|
||||||
|
path: /etc/nginx/certs/dummy.pem
|
||||||
|
register: dummy_cert
|
||||||
|
|
||||||
- name: Create a dummy cert
|
- name: Create a dummy cert
|
||||||
block:
|
block:
|
||||||
- name: Generate private key
|
- name: Generate private key
|
||||||
|
@ -38,6 +46,7 @@
|
||||||
privatekey_path: /etc/nginx/certs/dummy.key
|
privatekey_path: /etc/nginx/certs/dummy.key
|
||||||
csr_path: /etc/nginx/certs/dummy.req
|
csr_path: /etc/nginx/certs/dummy.req
|
||||||
provider: selfsigned
|
provider: selfsigned
|
||||||
|
when: dummy_cert.stat.exists == False
|
||||||
|
|
||||||
- name: Add wasm to mime type
|
- name: Add wasm to mime type
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -54,8 +63,40 @@
|
||||||
src: nginx.conf
|
src: nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/nginx.conf
|
||||||
|
|
||||||
|
# TODO: << Manage reverse proxy >>
|
||||||
- name: Create the SSL reverse proxy conf
|
- name: Create the SSL reverse proxy conf
|
||||||
template:
|
template:
|
||||||
src: stream_rp.conf
|
src: stream_rp.conf
|
||||||
dest: /etc/nginx/stream_rp.conf
|
dest: /etc/nginx/stream_rp.conf
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
|
# Manage each http site
|
||||||
|
- name: Copy reverse proxy sites
|
||||||
|
template:
|
||||||
|
src: http_server.j2
|
||||||
|
dest: "/etc/nginx/sites-available/{{ item.key }}"
|
||||||
|
loop: "{{ http_sites | dict2items}}"
|
||||||
|
|
||||||
|
- name: Use the dummy certificate
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/certs/dummy.pem
|
||||||
|
dest: "/etc/nginx/certs/{{ item.key }}.crt"
|
||||||
|
state: link
|
||||||
|
force: no
|
||||||
|
loop: "{{ http_sites | dict2items}}"
|
||||||
|
|
||||||
|
- name: Use the dummy key
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/certs/dummy.key
|
||||||
|
dest: "/etc/nginx/certs/{{ item.key }}.key"
|
||||||
|
state: link
|
||||||
|
force: no
|
||||||
|
loop: "{{ http_sites | dict2items}}"
|
||||||
|
|
||||||
|
- name: Activate sites
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/{{ item.key }}"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{ item.key }}"
|
||||||
|
state: link
|
||||||
|
force: yes
|
||||||
|
loop: "{{ http_sites | dict2items}}"
|
||||||
|
|
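Review bot: The two dummy-certificate link tasks (`Use the dummy certificate`, `Use the dummy key`) use `state: link` with `force: no`, so once a real certificate file is placed at `/etc/nginx/certs/{{ item.key }}.crt` or `.key` the file module will, as far as I recall, refuse to convert an existing regular file into a symlink and fail rather than skip, breaking every later run of the role. Guarding each of these tasks with a `stat` of the destination, the way `dummy_cert` already guards the generation block, keeps the bootstrap idempotent. In the earlier hunk, `when: dummy_cert.stat.exists == False` reads more idiomatically as `when: not dummy_cert.stat.exists`. None of the new `template`/`file` tasks carries a `notify`, so unless a handler is wired outside this hunk the freshly written site configs are not reloaded into nginx. The file header for this section is not visible on the page.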
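--- a/templates/http_server.j2
+++ b/templates/http_server.j2
@@ -0,0 +1,61 @@
+{{ ansible_managed | comment }}
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ item.key }};
+# Redirect to https
+location / {
+return 302 https://$host$request_uri;
+}
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+# FLoC you google
+add_header Permissions-Policy interest-cohort=();
+
+{% if in_memoriam is defined -%}
+# "A man is not dead while his name is still spoken." -- Going Postal
+add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
+{%- endif %}
+}
+
+server {
+# listen port + ssl
+{# <- TODO: Allow other ports -> -#}
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate /etc/nginx/certs/{{ item.key }}.crt;
+ssl_certificate_key /etc/nginx/certs/{{ item.key }}.key;
+{# <- TODO: Allow other ports -> #}
+
+server_name {{ item.key }};
+
+{# <- TODO: move this to defaut root snippets -> -#}
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+# FLoC you google
+add_header Permissions-Policy interest-cohort=();
+
+{% if in_memoriam is defined -%}
+# "A man is not dead while his name is still spoken." -- Going Postal
+add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
+{% endif -%}
+{# <- TODO: move this to defaut root snippets -> -#}
+
+# Logs
+access_log /var/log/nginx/{{ item.key }}.log;
+error_log /var/log/nginx/{{ item.key }}_error.log;
+
+{% for location in (item.value.locations | default([]) | dict2items) -%}
+location {{ location.key }} {
+{% filter indent(width=8) -%}
+{% include location.value.template -%}
+{%- endfilter %}
+}
+{%- endfor %}
+
+}
+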
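Review bot: The plain-HTTP server block redirects with `return 302 https://$host$request_uri;`, which builds the target from the client-supplied Host header and uses a temporary status; `return 301 https://$server_name$request_uri;` pins the redirect to the configured name and lets browsers cache the upgrade, and `$host` is only needed if this block is also meant to act as the default server. The TLS server block sets only the two certificate paths, so protocol/cipher settings and a `Strict-Transport-Security` header are presumably expected to come from nginx.conf or a root snippet; if they are not, this template is where they belong. The template's indentation is not recoverable from this rendered page, so nothing is said about layout.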
|
@ -28,8 +28,10 @@ http {
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
gzip off; # compression and crypto don't mix
|
gzip off; # compression and crypto don't mix
|
||||||
|
|
||||||
# include /etc/nginx/conf.d/*.conf; # Ansible
|
# include /etc/nginx/conf.d/*.conf; # Ansible
|
||||||
|
|
||||||
|
include /etc/nginx/snippets/connection_upgrade.conf;
|
||||||
|
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
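--- a/templates/proxy_pass.j2
+++ b/templates/proxy_pass.j2
@@ -0,0 +1,17 @@
+proxy_pass {{ location.value.to }};
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+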
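Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client already sent, so a backend that reads the first address of that header is handed an unverified value; either the backend must be configured to trust only the last hop (this proxy), or, when nginx is the only proxy in front of it, `proxy_set_header X-Forwarded-For $remote_addr;` is the safer choice. `proxy_pass {{ location.value.to }};` renders as an empty directive when a site omits `to` and is only rejected at nginx reload time; `proxy_pass {{ location.value.to | mandatory }};` fails at templating time with a clear message instead. `$connection_upgrade` presumably comes from a `map` in the `connection_upgrade.conf` snippet that nginx.conf now includes, which is worth stating above the WebSocket lines, e.g. `# $connection_upgrade is defined in snippets/connection_upgrade.conf (included from nginx.conf)`.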