From 88f9ccc57964d8530dd23952f4ef3d85bab2438b Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 17 Aug 2022 20:05:00 +0200 Subject: nginx/vhost: combine templates to one generic version --- chaos-at-home/ch-http-proxy.yml | 8 ++-- chaos-at-home/ch-mon.yml | 2 +- dan/ele-calypso.yml | 2 +- roles/apps/jitsi/meet/tasks/main.yml | 2 +- roles/apps/keycloak/tasks/main.yml | 2 +- roles/apps/nextcloud/tasks/main.yml | 2 +- roles/apps/onlyoffice/tasks/main.yml | 2 +- roles/apps/pigallery2/tasks/main.yml | 2 +- roles/elevate/liquidtruth/tasks/main.yml | 2 +- roles/elevate/media/tasks/nextcloud-app.yml | 2 +- roles/nginx/vhost/defaults/main.yml | 16 ++++--- roles/nginx/vhost/templates/generic.conf.j2 | 74 +++++++++++++++++++++++++++++ spreadspace/glt-stream.yml | 2 +- spreadspace/sgg-icecast.yml | 4 +- 14 files changed, 99 insertions(+), 23 deletions(-) create mode 100644 roles/nginx/vhost/templates/generic.conf.j2 diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml index 507e8906..a969dbc0 100644 --- a/chaos-at-home/ch-http-proxy.yml +++ b/chaos-at-home/ch-http-proxy.yml @@ -42,7 +42,7 @@ nginx_vhost: default: yes name: web - template: static-files-with-acme + template: generic acme: yes hostnames: - web.chaos-at-home.org @@ -107,7 +107,7 @@ vars: nginx_vhost: name: passwd - template: generic-proxy-no-buffering-with-acme + template: generic acme: yes hostnames: - passwd.chaos-at-home.org @@ -174,7 +174,7 @@ vars: nginx_vhost: name: webmail - template: generic-proxy-no-buffering-with-acme + template: generic acme: yes hostnames: - webmail.chaos-at-home.org @@ -199,7 +199,7 @@ vars: nginx_vhost: name: webdav - template: generic-proxy-no-buffering-with-acme + template: generic acme: yes hostnames: - webdav.chaos-at-home.org diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index 90fa0a69..46c0b928 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml 
@@ -18,7 +18,7 @@ - role: nginx/vhost nginx_vhost: name: monitoring - template: generic-proxy-no-buffering + template: generic hostnames: - "_" locations: diff --git a/dan/ele-calypso.yml b/dan/ele-calypso.yml index 07dd5a6d..818e8f3a 100644 --- a/dan/ele-calypso.yml +++ b/dan/ele-calypso.yml @@ -27,7 +27,7 @@ - role: nginx/vhost nginx_vhost: name: monitoring - template: generic-proxy-no-buffering + template: generic hostnames: - "_" locations: diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index b16fad07..eff8232b 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml @@ -150,7 +150,7 @@ vars: nginx_vhost: name: "jitsi-meet-{{ jitsi_meet_inst_name }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: - "{{ jitsi_meet_hostname }}" diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml index a54f0397..68806458 100644 --- a/roles/apps/keycloak/tasks/main.yml +++ b/roles/apps/keycloak/tasks/main.yml @@ -95,7 +95,7 @@ vars: nginx_vhost: name: "keycloak-{{ item.key }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: - "{{ item.value.hostname }}" diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml index e7a2fe78..8d91b398 100644 --- a/roles/apps/nextcloud/tasks/main.yml +++ b/roles/apps/nextcloud/tasks/main.yml @@ -159,7 +159,7 @@ vars: nginx_vhost: name: "nextcloud-{{ item.key }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: "{{ item.value.hostnames }}" locations: diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml index a41dd96d..957d8afe 100644 --- a/roles/apps/onlyoffice/tasks/main.yml +++ b/roles/apps/onlyoffice/tasks/main.yml 
@@ -139,7 +139,7 @@ vars: nginx_vhost: name: "onlyoffice-{{ item.key }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: - "{{ item.value.hostname }}" diff --git a/roles/apps/pigallery2/tasks/main.yml b/roles/apps/pigallery2/tasks/main.yml index f3a3acbc..b8b0166d 100644 --- a/roles/apps/pigallery2/tasks/main.yml +++ b/roles/apps/pigallery2/tasks/main.yml @@ -66,7 +66,7 @@ vars: nginx_vhost: name: "pigallery2-{{ item.key }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: - "{{ item.value.hostname }}" diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml index 2c61f372..837d2fd0 100644 --- a/roles/elevate/liquidtruth/tasks/main.yml +++ b/roles/elevate/liquidtruth/tasks/main.yml @@ -17,7 +17,7 @@ vars: nginx_vhost: name: liquidtruth - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: "{{ liquidtruth_hostnames }}" locations: diff --git a/roles/elevate/media/tasks/nextcloud-app.yml b/roles/elevate/media/tasks/nextcloud-app.yml index 22e3f693..45a777a1 100644 --- a/roles/elevate/media/tasks/nextcloud-app.yml +++ b/roles/elevate/media/tasks/nextcloud-app.yml @@ -101,7 +101,7 @@ vars: nginx_vhost: name: "nextcloud-{{ elevate_media_nextcloud_instance_name }}" - template: generic-proxy-no-buffering-with-acme + template: generic acme: true hostnames: "{{ elevate_media_nextcloud_instance.hostnames }}" locations: diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index 233015be..b80a5442 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -2,7 +2,7 @@ # nginx_vhost: # default: yes # name: example -# template: generic-proxy-no-buffering-with-acme +# template: generic # acme: yes # hostnames: # - example.com 
@@ -24,12 +24,8 @@ # trusted_certificate: /path/to/ca.pem # nginx_vhost: -# name: other-example -# content: "<<< content of vhost >>>" - -# nginx_vhost: -# name: static -# template: static-files-with-acme +# name: mixed-static-and-proxy +# template: generic # acme: yes # hostnames: # - static.example.com @@ -45,3 +41,9 @@ # add_header X-Example-Header "foo"; # '/subdir/': # alias: /srv/www/foo +# '/foo/': +# proxy_pass: http://127.0.0.1:1234 + +# nginx_vhost: +# name: other-example +# content: "<<< content of vhost >>>" diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 new file mode 100644 index 00000000..08bf7a60 --- /dev/null +++ b/roles/nginx/vhost/templates/generic.conf.j2 
@@ -0,0 +1,74 @@ +server { + listen 80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + server_name {{ nginx_vhost.hostnames | join(' ') }}; + +{% if 'acme' in nginx_vhost and nginx_vhost.acme %} + include snippets/acmetool.conf; + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; + server_name {{ nginx_vhost.hostnames | join(' ') }}; + + include snippets/acmetool.conf; + include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf; + ssl_certificate /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/privkey; + include snippets/hsts.conf; + +{% endif %} +{% if 'extra_directives' in nginx_vhost %} + {{ nginx_vhost.extra_directives | indent(4) }} + +{% endif %} +{% for path, location in nginx_vhost.locations.items() %} + location {{ path }} { +{% if 'proxy_pass' in location %} + include snippets/proxy-nobuff.conf; + proxy_set_header Host $host; + include snippets/proxy-forward-headers.conf; + + # for websockets + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_pass {{ location.proxy_pass }}; +{% if 'proxy_redirect' in location %} +{% for entry in location.proxy_redirect %} + proxy_redirect {{ entry.redirect }} {{ entry.replacement }}; +{% endfor %} +{% endif %} +{% if 'proxy_ssl' in location %} +{% for prop in (location.proxy_ssl | list | sort) %} + proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }}; +{% endfor %} +{% endif %} +{% else %} +{% if 'root' in location %} + root {{ location.root }}; +{% elif 'alias' in 
location %} + alias {{ location.alias }}; +{% endif %} +{% if 'index' in location %} + index {{ location.index }}; +{% endif %} +{% if 'autoindex' in location %} + autoindex on; +{% if 'format' in location.autoindex %} + autoindex_format {{ nginx_vhost.autoindex.format }}; +{% endif %} +{% endif %} +{% endif %} +{% if 'extra_directives' in location %} + + {{ location.extra_directives | indent(8) }} +{% endif %} + } +{% endfor %} +} diff --git a/spreadspace/glt-stream.yml b/spreadspace/glt-stream.yml index 8d3ea790..bff0f67e 100644 --- a/spreadspace/glt-stream.yml +++ b/spreadspace/glt-stream.yml @@ -28,7 +28,7 @@ nginx_vhost: default: yes name: stream - template: static-files-with-acme + template: generic acme: yes hostnames: - stream.linuxtage.at diff --git a/spreadspace/sgg-icecast.yml b/spreadspace/sgg-icecast.yml index 8d5b02fa..92349d24 100644 --- a/spreadspace/sgg-icecast.yml +++ b/spreadspace/sgg-icecast.yml @@ -31,7 +31,7 @@ nginx_vhost: default: yes name: radio - template: static-files-with-acme + template: generic acme: yes hostnames: - radiogloria.at @@ -47,7 +47,7 @@ vars: nginx_vhost: name: radio-stream - template: generic-proxy-no-buffering-with-acme + template: generic acme: yes hostnames: - live.radiogloria.at -- cgit v1.2.3
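Review bot: The `autoindex` branch reads the wrong variable: the guard tests `'format' in location.autoindex` but the directive renders `{{ nginx_vhost.autoindex.format }}`, which is not a vhost-level key and will fail the render; it should be `autoindex_format {{ location.autoindex.format }};`. The same guard also assumes `location.autoindex` is a mapping, so a plain `autoindex: true` raises a TypeError inside Jinja — `{% if location.autoindex is mapping and 'format' in location.autoindex %}` keeps both forms working. The websocket block depends on a `map $http_upgrade $connection_upgrade` in the http context that this file does not define; presumably the base nginx role provides it, worth confirming before the first websocket-backed vhost. With every caller switched to `generic`, the superseded `static-files-with-acme` and `generic-proxy-no-buffering*` templates appear to be unreferenced but are not removed in this commit.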