From 2119f96382f237420fc43d0ce181bd277a4fb520 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 13 Oct 2023 17:14:14 +0000
Subject: [PATCH] nginx_site: Prefix all variables with role name
---
playbooks/dna-gw.yml | 2 +-
playbooks/mail.yml | 4 +-
playbooks/mqtt.yml | 2 +-
playbooks/nms.yml | 2 +-
playbooks/ns.yml | 4 +-
playbooks/proxy.yml | 108 ++++++++++++------------
playbooks/relay.yml | 12 +--
roles/nginx_site/tasks/main.yml | 26 +++---
roles/nginx_site/templates/site.conf.j2 | 44 +++++-----
9 files changed, 103 insertions(+), 101 deletions(-)
diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml
index f94117c..7e1d9d0 100644
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@@ -18,7 +18,7 @@
- dhcpd
- nginx/server
- role: nginx_site
- site: gw.home.foo.sh
+ nginx_site_name: gw.home.foo.sh
- tftp
- websockify
diff --git a/playbooks/mail.yml b/playbooks/mail.yml
index ca0bf58..1289c52 100644
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
@@ -35,8 +35,8 @@
- dovecot
- role: nginx/server
- role: nginx_site
- site: "{{ mail_server }}"
- redirect: https://webmail.foo.sh/
+ nginx_site_name: "{{ mail_server }}"
+ nginx_site_redirect: https://webmail.foo.sh/
- grossd
- spamassassin
- spamassassin_clamav
diff --git a/playbooks/mqtt.yml b/playbooks/mqtt.yml
index 89edf93..3b59540 100644
--- a/playbooks/mqtt.yml
+++ b/playbooks/mqtt.yml
@@ -15,4 +15,4 @@
- telegraf
- nginx/server
- role: nginx_site
- site: iot.foo.sh
+ nginx_site_name: iot.foo.sh
diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index 848ee50..36bd7b8 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -27,7 +27,7 @@
- base
- nginx/server
- role: nginx_site
- site: oob.foo.sh
+ nginx_site_name: oob.foo.sh
- sssd
- mkhomedir
- tftp
diff --git a/playbooks/ns.yml b/playbooks/ns.yml
index 82cca51..43508a3 100644
--- a/playbooks/ns.yml
+++ b/playbooks/ns.yml
@@ -17,7 +17,7 @@
- nsd
- role: nginx/server
- role: nginx_site
- site: "{{ nsd_server }}"
- redirect: https://www.foo.sh/
+ nginx_site_name: "{{ nsd_server }}"
+ nginx_site_redirect: https://www.foo.sh/
- role: ifstated
when: "'vultr' not in group_names"
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index 11ef140..72096f6 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -17,92 +17,94 @@
- ifstated
- nginx/server
- role: nginx_site
- site: ca.foo.sh
+ nginx_site_name: ca.foo.sh
- role: nginx_site
- site: foo.monster
+ nginx_site_name: foo.monster
- role: nginx_site
- site: tuiradc.fi
- redirect: https://facebook.com/TuiraDC
+ nginx_site_name: tuiradc.fi
+ nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
- site: www.tuiradc.fi
- redirect: https://facebook.com/TuiraDC
+ nginx_site_name: www.tuiradc.fi
+ nginx_site_redirect: https://facebook.com/TuiraDC
- role: nginx_site
- site: foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: foo.sh
+ nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
- site: autoconfig.foo.sh
+ nginx_site_name: autoconfig.foo.sh
- role: nginx_site
- site: boot.foo.sh
- ssl_config: old
+ nginx_site_name: boot.foo.sh
+ nginx_site_ssl_config: old
- role: nginx_site
- site: bitbucket.foo.sh
- redirect: https://bitbucket.org/tmakinen/
+ nginx_site_name: bitbucket.foo.sh
+ nginx_site_redirect: https://bitbucket.org/tmakinen/
- role: nginx_site
- site: certbot.home.foo.sh
- proxy: https://certbot.home.foo.sh/
+ nginx_site_name: certbot.home.foo.sh
+ nginx_site_proxy: https://certbot.home.foo.sh/
- role: nginx_site
- site: chat.foo.sh
- proxy:
+ nginx_site_name: chat.foo.sh
+ nginx_site_proxy:
- https://oci-node01.home.foo.sh/rocketchat/
- https://oci-node02.home.foo.sh/rocketchat/
- role: nginx_site
- site: collab.foo.sh
- proxy: https://collab01.home.foo.sh/
+ nginx_site_name: collab.foo.sh
+ nginx_site_proxy: https://collab01.home.foo.sh/
- role: nginx_site
- site: devel01.foo.sh
- proxy: https://devel01.home.foo.sh/
+ nginx_site_name: devel01.foo.sh
+ nginx_site_proxy: https://devel01.home.foo.sh/
- role: nginx_site
- site: dns.home.foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: dns.home.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
- site: git.foo.sh
- proxy: https://gitea02.home.foo.sh/
+ nginx_site_name: git.foo.sh
+ nginx_site_proxy: https://gitea02.home.foo.sh/
- role: nginx_site
- site: gitea.foo.sh
- redirect: https://git.foo.sh/
+ nginx_site_name: gitea.foo.sh
+ nginx_site_redirect: https://git.foo.sh/
- role: nginx_site
- site: ha.foo.sh
- proxy: https://homeassistant01.home.foo.sh/
+ nginx_site_name: ha.foo.sh
+ nginx_site_proxy: https://homeassistant01.home.foo.sh/
- role: nginx_site
- site: id.foo.sh
- proxy:
+ nginx_site_name: id.foo.sh
+ nginx_site_proxy:
- https://oci-node01.home.foo.sh
- https://oci-node02.home.foo.sh
- role: nginx_site
- site: influxdb.foo.sh
- proxy: https://influxdb01.home.foo.sh/
+ nginx_site_name: influxdb.foo.sh
+ nginx_site_proxy: https://influxdb01.home.foo.sh/
- role: nginx_site
- site: iot.foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: iot.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
- site: munin.foo.sh
- proxy: https://munin01.home.foo.sh/
+ nginx_site_name: munin.foo.sh
+ nginx_site_proxy: https://munin01.home.foo.sh/
- role: nginx_site
- site: mirrors.foo.sh
- proxy: https://mirror01.home.foo.sh/
+ nginx_site_name: mirrors.foo.sh
+ nginx_site_proxy: https://mirror01.home.foo.sh/
- role: nginx_site
- site: movies.foo.sh
- proxy:
+ nginx_site_name: movies.foo.sh
+ nginx_site_proxy:
- https://oci-node01.home.foo.sh/php4dvd/
- role: nginx_site
- site: noc.foo.sh
- proxy:
+ nginx_site_name: noc.foo.sh
+ nginx_site_proxy:
- https://oci-node01.home.foo.sh/grafana/
- https://oci-node02.home.foo.sh/grafana/
- role: nginx_site
- site: print.foo.sh
- proxy: https://print01.home.foo.sh:631/
+ nginx_site_name: print.foo.sh
+ nginx_site_proxy: https://print01.home.foo.sh:631/
- role: nginx_site
- site: registry.foo.sh
- proxy: ["registry01.home.foo.sh:5000", "registry02.home.foo.sh:5000"]
+ nginx_site_name: registry.foo.sh
+ nginx_site_proxy:
+ - "registry01.home.foo.sh:5000"
+ - "registry02.home.foo.sh:5000"
- role: nginx_site
- site: webmail.foo.sh
- proxy:
+ nginx_site_name: webmail.foo.sh
+ nginx_site_proxy:
- https://oci-node01.home.foo.sh/roundcube/
- role: nginx_site
- site: wpad.foo.sh
+ nginx_site_name: wpad.foo.sh
- role: nginx_site
- site: www.foo.sh
+ nginx_site_name: www.foo.sh
- role: nginx_site
- site: zm.foo.sh
- proxy: https://zm02.home.foo.sh/
+ nginx_site_name: zm.foo.sh
+ nginx_site_proxy: https://zm02.home.foo.sh/
diff --git a/playbooks/relay.yml b/playbooks/relay.yml
index 9ed46a0..a7cd0b4 100644
--- a/playbooks/relay.yml
+++ b/playbooks/relay.yml
@@ -18,11 +18,11 @@
- relayd
- nginx/server
- role: nginx_site
- site: ldap.foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: ldap.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
- site: ldap01.foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: ldap01.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
- role: nginx_site
- site: loghost.foo.sh
- redirect: https://www.foo.sh/
+ nginx_site_name: loghost.foo.sh
+ nginx_site_redirect: https://www.foo.sh/
diff --git a/roles/nginx_site/tasks/main.yml b/roles/nginx_site/tasks/main.yml
index fe8d61b..0afcf5e 100644
--- a/roles/nginx_site/tasks/main.yml
+++ b/roles/nginx_site/tasks/main.yml
@@ -1,47 +1,47 @@
---
-- name: "Create site data directory for {{ site }}"
+- name: "Create site data directory for {{ nginx_site_name }}"
ansible.builtin.file:
- path: "/srv/web/{{ site }}"
+ path: "/srv/web/{{ nginx_site_name }}"
state: directory
mode: "0755"
owner: root
group: "{{ ansible_wheel }}"
- when: redirect is not defined and proxy is not defined
+ when: nginx_site_redirect is not defined and nginx_site_proxy is not defined
-- name: "Create site config for {{ site }}"
+- name: "Create site config for {{ nginx_site_name }}"
ansible.builtin.template:
- dest: /etc/nginx/conf.d/{{ site }}.conf
+ dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf
src: site.conf.j2
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx
-- name: "Copy site private key for {{ site }}"
+- name: "Copy site private key for {{ nginx_site_name }}"
ansible.builtin.copy:
- dest: "{{ tls_private }}/{{ site }}.key"
+ dest: "{{ tls_private }}/{{ nginx_site_name }}.key"
src: "{{ item }}"
mode: "0600"
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- - "/srv/letsencrypt/live/{{ site }}/privkey.pem"
- - "/srv/ca/private/{{ site }}.key"
+ - "/srv/letsencrypt/live/{{ nginx_site_name }}/privkey.pem"
+ - "/srv/ca/private/{{ nginx_site_name }}.key"
- "/srv/ca/private/{{ inventory_hostname }}.key"
tags: certificates
notify: Restart nginx
-- name: "Copy site certificate for {{ site }}"
+- name: "Copy site certificate for {{ nginx_site_name }}"
ansible.builtin.copy:
src: "{{ item }}"
- dest: "{{ tls_certs }}/{{ site }}-fullchain.crt"
+ dest: "{{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt"
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
validate: /usr/bin/openssl x509 -in %s -noout
with_first_found:
- - "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
- - "/srv/ca/certs/hosts/{{ site }}.crt"
+ - "/srv/letsencrypt/live/{{ nginx_site_name }}/fullchain.pem"
+ - "/srv/ca/certs/hosts/{{ nginx_site_name }}.crt"
- "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
tags: certificates
notify: Restart nginx
diff --git a/roles/nginx_site/templates/site.conf.j2 b/roles/nginx_site/templates/site.conf.j2
index f13669c..6e4117b 100644
--- a/roles/nginx_site/templates/site.conf.j2
+++ b/roles/nginx_site/templates/site.conf.j2
@@ -1,6 +1,6 @@
-{% if proxy is defined and proxy is not string %}
-upstream {{ site }} {
-{% for item in proxy %}
+{% if nginx_site_proxy is defined and nginx_site_proxy is not string %}
+upstream {{ nginx_site_name }} {
+{% for item in nginx_site_proxy %}
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
{% if item | regex_search(".*:[0-9]+$") %}
server {{ item }};
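Review bot: `nginx_site_name` is interpolated straight into filesystem paths (`/srv/web/{{ nginx_site_name }}`, `/etc/nginx/conf.d/{{ nginx_site_name }}.conf`, the key and certificate destinations) and into `server_name` in the template, yet the role never checks that it is defined or that it is a plain hostname; now that the variable has a stable role-prefixed name, a guard as the first task is the natural addition, e.g. `- name: Validate nginx_site_name` / `ansible.builtin.assert:` / `that: nginx_site_name is match('^[A-Za-z0-9.-]+$')` (constructed pattern, adjust to the hostnames you use). Every caller in this patch passes a literal hostname or `{{ mail_server }}`/`{{ nsd_server }}`, so this is a defensive check rather than a live defect. Separately, `dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf` is the only templated path in the file left unquoted; `dest: "/etc/nginx/conf.d/{{ nginx_site_name }}.conf"` matches the other tasks.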
@@ -13,52 +13,52 @@ upstream {{ site }} {
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{ site }};
+ server_name {{ nginx_site_name }};
- access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
- error_log {{ nginx_logdir }}/{{ site }}.error.log warn;
+ access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined;
+ error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn;
add_header Strict-Transport-Security "max-age=63072000" always;
-{% if ssl_config is defined %}
-{% if ssl_config == "old" %}
+{% if nginx_site_ssl_config is defined %}
+{% if nginx_site_ssl_config == "old" %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
{% endif %}
- ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
- ssl_certificate_key {{ tls_private }}/{{ site }}.key;
+ ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
+ ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;
-{% include "./{}.conf.j2".format(site) ignore missing %}
-{% if redirect is defined %}
- return 301 {{ redirect }};
-{% elif proxy is defined %}
+{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}
+{% if nginx_site_redirect is defined %}
+ return 301 {{ nginx_site_redirect }};
+{% elif nginx_site_proxy is defined %}
location / {
-{% if proxy is not string %}
-{% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
+{% if nginx_site_proxy is not string %}
+{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
# https://trac.nginx.org/nginx/ticket/1307
proxy_ssl_verify off;
- proxy_pass https://{{ site }}{{ path }};
+ proxy_pass https://{{ nginx_site_name }}{{ path }};
{% else %}
- proxy_pass {{ proxy }};
+ proxy_pass {{ nginx_site_proxy }};
{% endif %}
}
{% else %}
- root /srv/web/{{ site }};
+ root /srv/web/{{ nginx_site_name }};
{% endif %}
}
server {
listen 80;
listen [::]:80;
- server_name {{ site }};
+ server_name {{ nginx_site_name }};
location /.well-known/acme-challenge/ {
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
}
location / {
-{% if redirect is defined %}
- return 301 {{ redirect }};
+{% if nginx_site_redirect is defined %}
+ return 301 {{ nginx_site_redirect }};
{% else %}
return 301 https://$host$request_uri;
{% endif %}
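Review bot: `{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}` pulls per-site snippets from the same templates directory, but the diffstat lists no such files, so if any snippet exists that still references `site`, `proxy` or `redirect` it is not updated by this patch and would now hit an undefined variable at render time; worth grepping `roles/nginx_site/templates/` for the old names before merging. The `nginx_site_ssl_config` branch also deserves a comment now that the variable is namespaced, because only the value `old` does anything and what it does is security-relevant for that site (TLSv1/TLSv1.1 and the `DES-CBC3-SHA` suite are re-enabled): add `{# nginx_site_ssl_config: only "old" is recognised; it re-enables TLSv1/TLSv1.1 and DES-CBC3-SHA, so set it only for sites whose clients cannot negotiate TLS 1.2 #}` above the `{% if nginx_site_ssl_config is defined %}` line. The port-80 `server` block and its `location /` close outside the hunk.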