-rw-r--r--chaos-at-home/ch-http-proxy.yml212
-rw-r--r--chaos-at-home/ch-imap-proxy.yml2
-rw-r--r--inventory/group_vars/chaos-at-home/network.yml1
-rw-r--r--roles/nginx/vhost/defaults/main.yml10
-rw-r--r--roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j25
5 files changed, 168 insertions, 62 deletions
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 544c781c..92076588 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -9,72 +9,15 @@
- role: apt-repo/spreadspace
- role: acmetool/base
- role: nginx/base
- - role: nginx/vhost
- nginx_vhost:
- default: yes
- name: web
- template: static-files-with-acme
- acme: yes
- hostnames:
- - web.chaos-at-home.org
- root: /var/www/default
- index: index.html
- acmetool_cert_config:
- request:
- challenge:
- http-self-test: false
- - role: nginx/vhost
- nginx_vhost:
- name: webmail
- template: generic-proxy-no-buffering-with-acme
- acme: yes
- hostnames:
- - webmail.chaos-at-home.org
- client_max_body_size: "200M"
- proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
- acmetool_cert_config:
- request:
- challenge:
- http-self-test: false
- - role: nginx/vhost
- nginx_vhost:
- name: webdav
- template: generic-proxy-no-buffering-with-acme
- acme: yes
- hostnames:
- - webdav.chaos-at-home.org
- proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
- acmetool_cert_config:
- request:
- challenge:
- http-self-test: false
- - role: nginx/vhost
- nginx_vhost:
- name: imap
- acme: no
- content: |
- server {
- listen 80;
- listen [::]:80;
-
- server_name imap.chaos-at-home.org;
-
- location /.well-known/acme-challenge/ {
- proxy_pass http://{{ network_services.imap.addr }};
- }
-
- location / {
- return 303 https://webmail.chaos-at-home.org;
- }
- }
-
post_tasks:
- name: lower minimum tls protocol version to 1.0
lineinfile:
path: /etc/ssl/openssl.cnf
regexp: '^MinProtocol\s*='
- line: 'MinProtocol = TLSv1.0'
+ line: 'MinProtocol = TLSv1'
+
+ #### web.chaos-at-home.org (default-server)
- name: create directory for default server
file:
path: /var/www/default
@@ -100,6 +43,155 @@
</div>
</body>
</html>
+
+
+ - name: configure default vhost web.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ default: yes
+ name: web
+ template: static-files-with-acme
+ acme: yes
+ hostnames:
+ - web.chaos-at-home.org
+ root: /var/www/default
+ index: index.html
+ acmetool_cert_config:
+ request:
+ challenge:
+ http-self-test: false
+ include_role:
+ name: nginx/vhost
+
+
+ #### passwd.chaos-at-home.org
+ - name: create directory for whawty auth ca cert
+ file:
+ path: /etc/ssl/whawty-auth-ca
+ state: directory
+
+ - name: install whawty auth ca cert
+ copy:
+ dest: /etc/ssl/whawty-auth-ca/ca.pem
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN
+ BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
+ YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo
+ MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y
+ MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G
+ A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o
+ b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t
+ ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+ AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk
+ 1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO
+ mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY
+ dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA
+ VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ
+ REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I
+ RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj
+ KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI
+ GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH
+ mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE
+ cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO
+ BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0
+ E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh
+ yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv
+ MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am
+ VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy
+ Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N
+ DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb
+ CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7
+ JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC
+ c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP
+ /04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs
+ EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c
+ y8wejeuvOelX6YEzJpnebARk
+ -----END CERTIFICATE-----
+
+ - name: configure vhost for passwd.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ name: passwd
+ template: generic-proxy-no-buffering-with-acme
+ acme: yes
+ hostnames:
+ - passwd.chaos-at-home.org
+ # proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/"
+ proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-auth-legacy']) | ipaddr('address') }}:843/"
+ proxy_ssl:
+ verify: "on"
+ trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
+ acmetool_cert_config:
+ request:
+ challenge:
+ http-self-test: false
+ include_role:
+ name: nginx/vhost
+
+
+ #### webmail.chaos-at-home.org
+ - name: configure vhost for webmail.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ name: webmail
+ template: generic-proxy-no-buffering-with-acme
+ acme: yes
+ hostnames:
+ - webmail.chaos-at-home.org
+ client_max_body_size: "200M"
+ proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+ acmetool_cert_config:
+ request:
+ challenge:
+ http-self-test: false
+ include_role:
+ name: nginx/vhost
+
+
+ #### webdav.chaos-at-home.org
+ - name: configure vhost for webdav.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ name: webdav
+ template: generic-proxy-no-buffering-with-acme
+ acme: yes
+ hostnames:
+ - webdav.chaos-at-home.org
+ proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
+ acmetool_cert_config:
+ request:
+ challenge:
+ http-self-test: false
+ include_role:
+ name: nginx/vhost
+
+
+ #### imap.chaos-at-home.or
+ - name: configure vhost for imap.chaos-at-home.org
+ vars:
+ nginx_vhost:
+ name: imap
+ acme: no
+ content: |
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name imap.chaos-at-home.org;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://{{ network_services.imap.addr }};
+ }
+
+ location / {
+ return 303 https://webmail.chaos-at-home.org;
+ }
+ }
+ include_role:
+ name: nginx/vhost
+
+
+ ### Service IP
# - name: install systemd service unit for service-ip
# copy:
# dest: /etc/systemd/system/http-service-ip.service
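Review bot: The passwd vhost turns on `proxy_ssl_verify` with a trusted CA, but the name nginx checks the upstream certificate against defaults to the host part of `proxy_pass`, which here is a bare LAN IP; unless the whawty-auth certificate carries that IP as a SAN the verification will fail at runtime, so if the cert is issued for a DNS name add `name: <backend hostname — fill in>` under `proxy_ssl` (rendered as `proxy_ssl_name` by the template change in this commit) — please confirm against the backend certificate. The commented-out svc-zone `proxy_pass` left above the live one is dead config; either drop it or replace it with a comment saying why the lan address is used. The section heading `#### imap.chaos-at-home.or` is missing its final `g`. The embedded CA certificate's DER validity fields appear to end in August 2025, so a comment noting the expiry next to the copy task would help whoever has to rotate it.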
diff --git a/chaos-at-home/ch-imap-proxy.yml b/chaos-at-home/ch-imap-proxy.yml
index 1a05a39f..aff3a689 100644
--- a/chaos-at-home/ch-imap-proxy.yml
+++ b/chaos-at-home/ch-imap-proxy.yml
@@ -19,7 +19,7 @@
lineinfile:
path: /etc/ssl/openssl.cnf
regexp: '^MinProtocol\s*='
- line: 'MinProtocol = TLSv1.0'
+ line: 'MinProtocol = TLSv1'
- name: install stunnel package
apt:
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index 4059a866..f3d1620d 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -60,6 +60,7 @@ network_zones:
## legacy stuff
ch-stats-legacy: 10
ch-web-legacy: 80
+ ch-auth-legacy: 88
ch-mail-legacy: 144
diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
index eea545c8..18c9a0b9 100644
--- a/roles/nginx/vhost/defaults/main.yml
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -1,5 +1,6 @@
---
# nginx_vhost:
+# default: yes
# name: example
# template: generic-proxy-no-buffering-with-acme
# acme: yes
@@ -7,7 +8,14 @@
# - example.com
# - www.example.com
# proxy_pass: http://127.0.0.1:8080
-# default: yes
+# proxy_redirect:
+# - redirect: "http://$host/"
+# replacement: "https://$host/"
+# - redirect: "http://$host:8080/"
+# replacement: "https://$host/"
+# proxy_ssl:
+# verify: on
+# trusted_certificate: /path/to/ca.pem
# nginx_vhost:
# name: other-example
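Review bot: The documented example `#     verify: on` is a trap when copied into a playbook: Ansible's YAML loader follows 1.1 semantics, so an unquoted `on` becomes the boolean True and the template renders `proxy_ssl_verify True;`, which nginx will reject at config test. The playbook in this same commit already quotes it as `verify: "on"`; the example should match, `#     verify: "on"`. It would also help to state next to the `proxy_ssl:` example that every key in the map is rendered verbatim as a `proxy_ssl_<key>` directive, so the key names must be exact nginx directive suffixes.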
diff --git a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
index b943b2e4..f74f920b 100644
--- a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
+++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -40,5 +40,10 @@ server {
proxy_redirect {{ entry.redirect }} {{ entry.replacement }};
{% endfor %}
{% endif %}
+{% if 'proxy_ssl' in nginx_vhost %}
+{% for prop in (nginx_vhost.proxy_ssl | list | sort) %}
+ proxy_ssl_{{ prop }} {{ nginx_vhost.proxy_ssl[prop] }};
+{% endfor %}
+{% endif %}
}
}
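Review bot: The new loop renders whatever value is in `nginx_vhost.proxy_ssl[prop]` straight into the directive, so a YAML boolean (an unquoted `on`/`off`/`yes`/`no` under Ansible's 1.1 loader) comes out as `True`/`False` and breaks the nginx config. Normalising booleans in the template keeps both quoted and unquoted forms working: `    proxy_ssl_{{ prop }} {{ 'on' if nginx_vhost.proxy_ssl[prop] is sameas true else ('off' if nginx_vhost.proxy_ssl[prop] is sameas false else nginx_vhost.proxy_ssl[prop]) }};`. Since any key becomes a directive name, a short comment above the `{% if 'proxy_ssl' in nginx_vhost %}` line such as `{# every key is emitted as proxy_ssl_<key>; keys must be valid nginx directive suffixes #}` would make the contract visible. The enclosing `server {` block starts outside this hunk.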