start writing config files

This commit is contained in:
histausse 2022-06-19 22:40:12 +02:00
parent 130e101cc6
commit 2667d5affc
Signed by: histausse
GPG key ID: 67486F107F62E9E9
5 changed files with 155 additions and 2 deletions


@ -10,6 +10,13 @@ This role is part of my ansible roles. It is made to interact with other roles t
```
ansible_managed: str, msg indicating a file managed by ansible
http_sites: dictionnary of site, see the Http Sites section bellow
```
## Optionnal variables
```
in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
```
## Add role to you ansible playbook:
@ -21,6 +28,31 @@ git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/nginx.git roles/ngin
git submodule init
```
## Http Sites
The variable `http_sites` is a dictionnary of the http site managed by nginx.
```
http_sites:
`server_name`:
root_snippets:
- ? TODO
locations:
`location`:
template: `template`
...
```
`server_name` is the string corresponding to the server name (eg: "example.com").
`root_snippets` is a list of snippets/templates (To be determine) containing configurations for the http server.
`locations` is a dictionnary of location block. `location` (the key of an item) is the location (eg, "/"), `template` is the jinja template defining the contant of the location block. Other variables can be added to the location block depending on the template used.
Inside the templates, `server_name` is accessed with `{{ item.key }}`, en variables of the server block with `{{ item.value.varname }}`.
Inside templates of a location, in addition to the variables of the server block, the variables of the location block can be accessed with `{{ location.value.varname }}`, and the value of `location` with `{{ location.key }}`.
## Copyright
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>


@ -2,11 +2,14 @@
- name: Install NGINX
apt:
update_cache: true
name: nginx
name: "{{ item }}"
state: latest
register: apt_result
retries: 3
until: apt_result is succeeded
loop:
- nginx
- "python3-cryptography"
- name: Copy snippets
template:
@ -20,6 +23,11 @@
path: /etc/nginx/certs
state: directory
- name: check if dummy cert exist
stat:
path: /etc/nginx/certs/dummy.pem
register: dummy_cert
- name: Create a dummy cert
block:
- name: Generate private key
@ -38,6 +46,7 @@
privatekey_path: /etc/nginx/certs/dummy.key
csr_path: /etc/nginx/certs/dummy.req
provider: selfsigned
when: dummy_cert.stat.exists == False
- name: Add wasm to mime type
lineinfile:
@ -54,8 +63,40 @@
src: nginx.conf
dest: /etc/nginx/nginx.conf
# TODO: << Manage reverse proxy >>
- name: Create the SSL reverse proxy conf
template:
src: stream_rp.conf
dest: /etc/nginx/stream_rp.conf
force: no
# Manage each http site
- name: Copy reverse proxy sites
template:
src: http_server.j2
dest: "/etc/nginx/sites-available/{{ item.key }}"
loop: "{{ http_sites | dict2items}}"
- name: Use the dummy certificate
file:
src: /etc/nginx/certs/dummy.pem
dest: "/etc/nginx/certs/{{ item.key }}.crt"
state: link
force: no
loop: "{{ http_sites | dict2items}}"
- name: Use the dummy key
file:
src: /etc/nginx/certs/dummy.key
dest: "/etc/nginx/certs/{{ item.key }}.key"
state: link
force: no
loop: "{{ http_sites | dict2items}}"
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item.key }}"
dest: "/etc/nginx/sites-enabled/{{ item.key }}"
state: link
force: yes
loop: "{{ http_sites | dict2items}}"
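Review bot: The `Use the dummy certificate` and `Use the dummy key` tasks link every site's `.crt`/`.key` to the dummy pair with `force: no`, but unless I misremember the `file` module, `state: link` on a path that already holds a regular file fails with "refusing to convert from file to symlink" rather than skipping, so the play breaks on the first rerun after a real certificate has been installed for any site. Guarding the two tasks with a `stat` of the target, as the hunk above already does for `dummy.pem`, makes the fallback to the dummy cert explicit and keeps reruns idempotent without ever touching a real key. While here, `force: no`/`force: yes` (here and in `Create the SSL reverse proxy conf`) are YAML 1.1 booleans that yamllint's truthy rule flags, so write `false`/`true`, and `dict2items}}` wants a space before the closing braces.
```yaml
- name: Check whether a real certificate is already installed
  stat:
    path: "/etc/nginx/certs/{{ item.key }}.crt"
  loop: "{{ http_sites | dict2items }}"
  register: site_certs
- name: Use the dummy certificate
  file:
    src: /etc/nginx/certs/dummy.pem
    dest: "/etc/nginx/certs/{{ item.item.key }}.crt"
    state: link
    force: false
  loop: "{{ site_certs.results }}"
  when: not item.stat.exists
# … unchanged: same stat/when pattern for the dummy key, then Activate sites …
```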

templates/http_server.j2 Normal file

@ -0,0 +1,61 @@
{{ ansible_managed | comment }}
server {
listen 80;
listen [::]:80;
server_name {{ item.key }};
# Redirect to https
location / {
return 302 https://$host$request_uri;
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
# FLoC you google
add_header Permissions-Policy interest-cohort=();
{% if in_memoriam is defined -%}
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
{%- endif %}
}
server {
# listen port + ssl
{# <- TODO: Allow other ports -> -#}
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/certs/{{ item.key }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ item.key }}.key;
{# <- TODO: Allow other ports -> #}
server_name {{ item.key }};
{# <- TODO: move this to defaut root snippets -> -#}
include /etc/nginx/mime.types;
default_type application/octet-stream;
# FLoC you google
add_header Permissions-Policy interest-cohort=();
{% if in_memoriam is defined -%}
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
{% endif -%}
{# <- TODO: move this to defaut root snippets -> -#}
# Logs
access_log /var/log/nginx/{{ item.key }}.log;
error_log /var/log/nginx/{{ item.key }}_error.log;
{% for location in (item.value.locations | default([]) | dict2items) -%}
location {{ location.key }} {
{% filter indent(width=8) -%}
{% include location.value.template -%}
{%- endfilter %}
}
{%- endfor %}
}
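Review bot: `return 302 https://$host$request_uri;` in the port-80 server reflects the client-supplied Host header into the Location response header; as long as no `default_server` block exists (none is visible in this commit), whichever site sorts first in `sites-enabled` answers requests for unknown hosts and becomes an open redirect to any host the client names. Redirecting to the name the block is actually configured for avoids that and can be permanent: `return 301 https://{{ item.key }}$request_uri;`. Separately, nginx does not inherit `add_header` into a location that sets any `add_header` of its own, so a location template that adds a header silently drops `Permissions-Policy` and `X-Clacks-Overhead` for that path; worth a comment next to the `# FLoC you google` lines, e.g. `# NOTE: add_header is not inherited by locations that set their own headers; repeat these in location templates if needed`. The 443 block could also send `Strict-Transport-Security` now that port 80 always redirects.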


@ -28,8 +28,10 @@ http {
error_log /var/log/nginx/error.log;
gzip off; # compression and crypto don't mix
# include /etc/nginx/conf.d/*.conf; # Ansible
include /etc/nginx/snippets/connection_upgrade.conf;
include /etc/nginx/sites-enabled/*;
}
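Review bot: `include /etc/nginx/sites-enabled/*;` pulls in the generated vhosts with no `default_server` anywhere in the visible config, so nginx silently elects the alphabetically first site (with its dummy certificate) to answer every request whose Host or SNI matches no site; stray traffic lands on a real vhost, and the port-80 redirect in `http_server.j2` then bounces it to whatever Host was sent. A catch-all server that closes the connection (`return 444`) placed before the include, reusing the dummy key pair the tasks already generate, sends unmatched traffic nowhere. The enclosing `http {}` block starts outside the hunk, and `connection_upgrade.conf` is not part of this commit, so I take on trust that it defines the `$connection_upgrade` map that `proxy_pass.j2` relies on.
```nginx
    # Catch-all for requests whose Host/SNI matches no enabled site.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate /etc/nginx/certs/dummy.pem;
        ssl_certificate_key /etc/nginx/certs/dummy.key;
        return 444;
    }
    include /etc/nginx/sites-enabled/*;
```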

templates/proxy_pass.j2 Normal file

@ -0,0 +1,17 @@
proxy_pass {{ location.value.to }};
proxy_redirect off;
proxy_set_header Host $host;
# Pass the real client IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell proxified server that we are HTTPS, fix Wordpress
proxy_set_header X-Forwarded-Proto https;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;