foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nginx_site: Prefix all variables with role name

Browse source
This commit is contained in:
Timo Makinen 2023-10-13 17:14:14 +00:00
parent 15c612cb3b
commit 2119f96382
9 changed files with 103 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

44
roles/nginx_site/templates/site.conf.j2
View file

@ -1,6 +1,6 @@
{% if proxy is defined and proxy is not string %}
upstream {{ site }} {
{% for item in proxy %}
{% if nginx_site_proxy is defined and nginx_site_proxy is not string %}
upstream {{ nginx_site_name }} {
{% for item in nginx_site_proxy %}
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
{% if item | regex_search(".*:[0-9]+$") %}
server {{ item }};
@ -13,52 +13,52 @@ upstream {{ site }} {
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site }};
server_name {{ nginx_site_name }};
access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
error_log {{ nginx_logdir }}/{{ site }}.error.log warn;
access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined;
error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn;
add_header Strict-Transport-Security "max-age=63072000" always;
{% if ssl_config is defined %}
{% if ssl_config == "old" %}
{% if nginx_site_ssl_config is defined %}
{% if nginx_site_ssl_config == "old" %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
{% endif %}
ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
ssl_certificate_key {{ tls_private }}/{{ site }}.key;
ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;
{% include "./{}.conf.j2".format(site) ignore missing %}
{% if redirect is defined %}
return 301 {{ redirect }};
{% elif proxy is defined %}
{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}
{% if nginx_site_redirect is defined %}
return 301 {{ nginx_site_redirect }};
{% elif nginx_site_proxy is defined %}
location / {
{% if proxy is not string %}
{% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
{% if nginx_site_proxy is not string %}
{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
# https://trac.nginx.org/nginx/ticket/1307
proxy_ssl_verify off;
proxy_pass https://{{ site }}{{ path }};
proxy_pass https://{{ nginx_site_name }}{{ path }};
{% else %}
proxy_pass {{ proxy }};
proxy_pass {{ nginx_site_proxy }};
{% endif %}
}
{% else %}
root /srv/web/{{ site }};
root /srv/web/{{ nginx_site_name }};
{% endif %}
}
server {
listen 80;
listen [::]:80;
server_name {{ site }};
server_name {{ nginx_site_name }};
location /.well-known/acme-challenge/ {
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
}
location / {
{% if redirect is defined %}
return 301 {{ redirect }};
{% if nginx_site_redirect is defined %}
return 301 {{ nginx_site_redirect }};
{% else %}
return 301 https://$host$request_uri;
{% endif %}