Rename nginx/server to nginx_server

2023-10-13 16:17:07 +00:00 · 2023-10-13 16:17:07 +00:00 · 15c612cb3b
commit 15c612cb3b
parent 39fad6ed05
14 changed files with 38 additions and 38 deletions
--- a/roles/nginx_site/tasks/main.yml
+++ b/roles/nginx_site/tasks/main.yml
@ -0,0 +1,47 @@
+---
+- name: "Create site data directory for {{ site }}"
+  ansible.builtin.file:
+    path: "/srv/web/{{ site }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  when: redirect is not defined and proxy is not defined
+
+- name: "Create site config for {{ site }}"
+  ansible.builtin.template:
+    dest: /etc/nginx/conf.d/{{ site }}.conf
+    src: site.conf.j2
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart nginx
+
+- name: "Copy site private key for {{ site }}"
+  ansible.builtin.copy:
+    dest: "{{ tls_private }}/{{ site }}.key"
+    src: "{{ item }}"
+    mode: "0600"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ site }}/privkey.pem"
+    - "/srv/ca/private/{{ site }}.key"
+    - "/srv/ca/private/{{ inventory_hostname }}.key"
+  tags: certificates
+  notify: Restart nginx
+
+- name: "Copy site certificate for {{ site }}"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ tls_certs }}/{{ site }}-fullchain.crt"
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+    validate: /usr/bin/openssl x509 -in %s -noout
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
+    - "/srv/ca/certs/hosts/{{ site }}.crt"
+    - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
+  tags: certificates
+  notify: Restart nginx
--- a/roles/nginx_site/templates/git.foo.sh.conf.j2
+++ b/roles/nginx_site/templates/git.foo.sh.conf.j2
@ -0,0 +1,2 @@
+    # disable any limits to avoid HTTP 413 for large pushes
+    client_max_body_size 100m;
--- a/roles/nginx_site/templates/gw.home.foo.sh.conf.j2
+++ b/roles/nginx_site/templates/gw.home.foo.sh.conf.j2
@ -0,0 +1,19 @@
+    ssl_client_certificate {{ tls_certs }}/ca.crt;
+    ssl_verify_client on;
+
+{% for host in ssh_proxy_hosts %}
+    location /{{ host | hash('sha1') }}/ {
+        proxy_pass http://127.0.0.1:6000?token={{ host | hash('sha1') }};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_read_timeout 600s;
+        proxy_buffering off;
+    }
+
+{% endfor %}
+    location / {
+        deny all;
+    }
+
--- a/roles/nginx_site/templates/registry.foo.sh.conf.j2
+++ b/roles/nginx_site/templates/registry.foo.sh.conf.j2
@ -0,0 +1,6 @@
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@ -0,0 +1,66 @@
+{% if proxy is defined and proxy is not string %}
+upstream {{ site }} {
+{% for item in proxy %}
+{%   set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
+{%   if item | regex_search(".*:[0-9]+$") %}
+    server {{ item }};
+{%   else %}
+    server {{ item }}:443;
+{%   endif %}
+{% endfor %}
+}
+{% endif %}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ site }};
+
+    access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
+    error_log {{ nginx_logdir }}/{{ site }}.error.log warn;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+{% if ssl_config is defined %}
+{%   if ssl_config == "old" %}
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+    ssl_prefer_server_ciphers on;
+{%   endif %}
+{% endif %}
+    ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
+    ssl_certificate_key {{ tls_private }}/{{ site }}.key;
+
+{% include "./{}.conf.j2".format(site) ignore missing %}
+{% if redirect is defined %}
+    return 301 {{ redirect }};
+{% elif proxy is defined %}
+    location / {
+{%  if proxy is not string %}
+{%    set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
+        # https://trac.nginx.org/nginx/ticket/1307
+        proxy_ssl_verify off;
+        proxy_pass https://{{ site }}{{ path }};
+{%  else %}
+        proxy_pass {{ proxy }};
+{%  endif %}
+    }
+{% else %}
+    root /srv/web/{{ site }};
+{% endif %}
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ site }};
+    location /.well-known/acme-challenge/ {
+        proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
+    }
+    location / {
+{% if redirect is defined %}
+        return 301 {{ redirect }};
+{% else %}
+        return 301 https://$host$request_uri;
+{% endif %}
+    }
+}
--- a/roles/nginx_site/templates/www.foo.sh.conf.j2
+++ b/roles/nginx_site/templates/www.foo.sh.conf.j2
@ -0,0 +1,11 @@
+    location /collab/ {
+        return 301 https://collab.foo.sh/collab/;
+    }
+
+    location /roles/ {
+        proxy_pass https://static01.home.foo.sh/roles/;
+    }
+    location /~ {
+        proxy_pass https://static01.home.foo.sh/~;
+    }
+