start writting config files
parent
130e101cc6
commit
2667d5affc
5 changed files with 155 additions and 2 deletions
32
README.md
32
README.md
|
@ -10,6 +10,13 @@ This role is part of my ansible roles. It is made to interact with other roles t
|
|||
|
||||
```
|
||||
ansible_managed: str, msg indicating a file managed by ansible
|
||||
http_sites: dictionnary of site, see the Http Sites section bellow
|
||||
```
|
||||
|
||||
## Optionnal variables
|
||||
|
||||
```
|
||||
in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
|
||||
```
|
||||
|
||||
## Add role to you ansible playbook:
|
||||
|
@ -21,6 +28,31 @@ git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/nginx.git roles/ngin
|
|||
git submodule init
|
||||
```
|
||||
|
||||
## Http Sites
|
||||
|
||||
The variable `http_sites` is a dictionnary of the http site managed by nginx.
|
||||
|
||||
```
|
||||
http_sites:
|
||||
`server_name`:
|
||||
root_snippets:
|
||||
- ? TODO
|
||||
locations:
|
||||
`location`:
|
||||
template: `template`
|
||||
...
|
||||
```
|
||||
|
||||
`server_name` is the string corresponding to the server name (eg: "example.com").
|
||||
|
||||
`root_snippets` is a list of snippets/templates (To be determine) containing configurations for the http server.
|
||||
|
||||
`locations` is a dictionnary of location block. `location` (the key of an item) is the location (eg, "/"), `template` is the jinja template defining the contant of the location block. Other variables can be added to the location block depending on the template used.
|
||||
|
||||
Inside the templates, `server_name` is accessed with `{{ item.key }}`, en variables of the server block with `{{ item.value.varname }}`.
|
||||
|
||||
Inside templates of a location, in addition to the variables of the server block, the variables of the location block can be accessed with `{{ location.value.varname }}`, and the value of `location` with `{{ location.key }}`.
|
||||
|
||||
## Copyright
|
||||
|
||||
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
|
||||
|
|
|
@ -2,11 +2,14 @@
|
|||
- name: Install NGINX
|
||||
apt:
|
||||
update_cache: true
|
||||
name: nginx
|
||||
name: "{{ item }}"
|
||||
state: latest
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
loop:
|
||||
- nginx
|
||||
- "python3-cryptography"
|
||||
|
||||
- name: Copy snippets
|
||||
template:
|
||||
|
@ -20,6 +23,11 @@
|
|||
path: /etc/nginx/certs
|
||||
state: directory
|
||||
|
||||
- name: check if dummy cert exist
|
||||
stat:
|
||||
path: /etc/nginx/certs/dummy.pem
|
||||
register: dummy_cert
|
||||
|
||||
- name: Create a dummy cert
|
||||
block:
|
||||
- name: Generate private key
|
||||
|
@ -38,6 +46,7 @@
|
|||
privatekey_path: /etc/nginx/certs/dummy.key
|
||||
csr_path: /etc/nginx/certs/dummy.req
|
||||
provider: selfsigned
|
||||
when: dummy_cert.stat.exists == False
|
||||
|
||||
- name: Add wasm to mime type
|
||||
lineinfile:
|
||||
|
@ -54,8 +63,40 @@
|
|||
src: nginx.conf
|
||||
dest: /etc/nginx/nginx.conf
|
||||
|
||||
# TODO: << Manage reverse proxy >>
|
||||
- name: Create the SSL reverse proxy conf
|
||||
template:
|
||||
src: stream_rp.conf
|
||||
dest: /etc/nginx/stream_rp.conf
|
||||
force: no
|
||||
|
||||
# Manage each http site
|
||||
- name: Copy reverse proxy sites
|
||||
template:
|
||||
src: http_server.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.key }}"
|
||||
loop: "{{ http_sites | dict2items}}"
|
||||
|
||||
- name: Use the dummy certificate
|
||||
file:
|
||||
src: /etc/nginx/certs/dummy.pem
|
||||
dest: "/etc/nginx/certs/{{ item.key }}.crt"
|
||||
state: link
|
||||
force: no
|
||||
loop: "{{ http_sites | dict2items}}"
|
||||
|
||||
- name: Use the dummy key
|
||||
file:
|
||||
src: /etc/nginx/certs/dummy.key
|
||||
dest: "/etc/nginx/certs/{{ item.key }}.key"
|
||||
state: link
|
||||
force: no
|
||||
loop: "{{ http_sites | dict2items}}"
|
||||
|
||||
- name: Activate sites
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item.key }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.key }}"
|
||||
state: link
|
||||
force: yes
|
||||
loop: "{{ http_sites | dict2items}}"
|
||||
|
|
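Review bot: `item.key` taken from `http_sites` is spliced unchecked into filesystem paths in `dest: "/etc/nginx/sites-available/{{ item.key }}"` and in the three `file` link tasks of the last hunk, so a key containing `/` or `..` would write or link outside those directories; since the dictionary comes from inventory this is a misconfiguration guard rather than an exposed surface, but an `assert` task before the first loop, e.g. `that: "'/' not in item.key and '..' not in item.key"` with `loop: "{{ http_sites | dict2items }}"`, fails early with a clear message instead of a half-applied site. In the third hunk, `when: dummy_cert.stat.exists == False` compares a boolean against a Python literal; the form ansible-lint expects is `when: not dummy_cert.stat.exists`. The `Create a dummy cert` block opened in the second hunk continues outside the shown lines, and this section's file name is not rendered on the page (tasks/main.yml is inferred from the content).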
61
templates/http_server.j2
Normal file
61
templates/http_server.j2
Normal file
|
@ -0,0 +1,61 @@
|
|||
{{ ansible_managed | comment }}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ item.key }};
|
||||
# Redirect to https
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# FLoC you google
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
{% if in_memoriam is defined -%}
|
||||
# "A man is not dead while his name is still spoken." -- Going Postal
|
||||
add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
|
||||
{%- endif %}
|
||||
}
|
||||
|
||||
server {
|
||||
# listen port + ssl
|
||||
{# <- TODO: Allow other ports -> -#}
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/{{ item.key }}.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/{{ item.key }}.key;
|
||||
{# <- TODO: Allow other ports -> #}
|
||||
|
||||
server_name {{ item.key }};
|
||||
|
||||
{# <- TODO: move this to defaut root snippets -> -#}
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# FLoC you google
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
{% if in_memoriam is defined -%}
|
||||
# "A man is not dead while his name is still spoken." -- Going Postal
|
||||
add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
|
||||
{% endif -%}
|
||||
{# <- TODO: move this to defaut root snippets -> -#}
|
||||
|
||||
# Logs
|
||||
access_log /var/log/nginx/{{ item.key }}.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log;
|
||||
|
||||
{% for location in (item.value.locations | default([]) | dict2items) -%}
|
||||
location {{ location.key }} {
|
||||
{% filter indent(width=8) -%}
|
||||
{% include location.value.template -%}
|
||||
{%- endfilter %}
|
||||
}
|
||||
{%- endfor %}
|
||||
|
||||
}
|
||||
|
|
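Review bot: The HTTP-to-HTTPS redirect `return 302 https://$host$request_uri;` echoes the client's Host header into the Location, so if this server block ever answers for an unmatched name (a single site on the host, or no explicit `default_server`) it redirects to whatever hostname the client sent; `return 301 https://$server_name$request_uri;` pins the target to the configured name and lets browsers cache the upgrade. The `in_memoriam` names are interpolated unescaped inside a double-quoted nginx string on both `X-Clacks-Overhead` lines, so a name containing `"` or `;` breaks the generated file at `nginx -t` time rather than being escaped; a template comment such as `{# names are not escaped: keep them to plain characters #}` would document that. Also worth a comment for template authors: the server-level `add_header` directives are dropped in any location whose included template sets its own `add_header`, which is standard nginx inheritance but easy to miss when `Permissions-Policy` is expected everywhere.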
@ -28,8 +28,10 @@ http {
|
|||
error_log /var/log/nginx/error.log;
|
||||
|
||||
gzip off; # compression and crypto don't mix
|
||||
|
||||
# include /etc/nginx/conf.d/*.conf; # Ansible
|
||||
|
||||
include /etc/nginx/snippets/connection_upgrade.conf;
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
|
17
templates/proxy_pass.j2
Normal file
17
templates/proxy_pass.j2
Normal file
|
@ -0,0 +1,17 @@
|
|||
proxy_pass {{ location.value.to }};
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Pass the real client IP
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# Tell proxified server that we are HTTPS, fix Wordpress
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# WebSocket support
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
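Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so the upstream must trust only the rightmost entry (or the `X-Real-IP` set on the line above) when it derives a client address for logging or access control; a comment stating that contract would help whoever configures the upstream, e.g. `# XFF keeps client-supplied entries; upstream must trust only the last hop`. `X-Forwarded-Proto https` is hard-coded, which is correct only while this snippet is included from the 443 server block in http_server.j2 — `proxy_set_header X-Forwarded-Proto $scheme;` stays right if it is ever reused from the port-80 block. `$connection_upgrade` is presumably the map defined in the `connection_upgrade.conf` snippet that nginx.conf now includes; if that snippet is absent nginx refuses to load the config on the unknown variable, so the include order in nginx.conf matters.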