From a3ab64f6a262e3bd0da4435729c2e6f9013aad5d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 14 Aug 2023 22:11:11 +0200
Subject: gitolite/http: use generic template for vhost
---
roles/gitolite/http/tasks/main.yml | 49 ++++++++++++++-
roles/gitolite/http/templates/nginx-vhost.conf.j2 | 72 -----------------------
roles/nginx/vhost/defaults/main.yml | 11 ++++
roles/nginx/vhost/templates/generic.conf.j2 | 22 +++++++
4 files changed, 81 insertions(+), 73 deletions(-)
delete mode 100644 roles/gitolite/http/templates/nginx-vhost.conf.j2
diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml
index 1006283a..fdc86d66 100644
--- a/roles/gitolite/http/tasks/main.yml
+++ b/roles/gitolite/http/tasks/main.yml
@@ -50,13 +50,60 @@ src: "{{ gitolite_instances[gitolite_instance].http.logo }}" dest: "/usr/local/share/cgit/{{ gitolite_instance }}.png" + - name: compute nginx location directive for logo + set_fact: + nginx_locations_logo: + '= /logo.png': + alias: "/usr/local/share/cgit/{{ gitolite_instance }}.png" + +- name: compute nginx locations directives + set_fact: + nginx_locations_base: + '= /': + return: "303 /cgit/" + '/cgit-css/': + alias: "/usr/share/cgit/" + nginx_locations_main: + '/cgit/': + custom: |- + include fastcgi_params; + fastcgi_split_path_info ^(/cgit)(.*)$; + + fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc; + + fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; + +- name: compute nginx location directive for git_backend + when: "'enable_git_backend' in gitolite_instances[gitolite_instance].http and gitolite_instances[gitolite_instance].http.enable_git_backend" + set_fact: + nginx_locations_git_backend: + '~ ^.*/git-receive-pack$': + return: "403" + '~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$': + custom: |- + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + fastcgi_param PATH_INFO $uri; + fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance }}/repositories; + + fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; + - name: install nginx vhost vars: nginx_vhost: name: "gitolite-{{ gitolite_instance }}" + template: generic tls: certificate_provider: "{{ acme_client }}" hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}" - content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" + logs: + access: "/var/log/nginx/git-{{ gitolite_instance }}_access.log" 
+ error: "/var/log/nginx/git-{{ gitolite_instance }}_error.log" + locations: "{{ nginx_locations_base | combine(nginx_locations_logo | default({})) | combine(nginx_locations_main) | combine(nginx_locations_git_backend | default({})) }}" include_role: name: nginx/vhost diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2 deleted file mode 100644 index f656d48f..00000000 --- a/roles/gitolite/http/templates/nginx-vhost.conf.j2 +++ /dev/null 
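Review bot: `nginx_locations_git_backend` is only assigned when `enable_git_backend` is true, and a fact written by `set_fact` stays on the host for the rest of the play, so the `| default({})` in the `locations:` expression only helps until the fact has been set once. If this role is included once per `gitolite_instance` (the variable name suggests so, but the loop is not visible here), an instance with the backend disabled that is processed after one with it enabled would inherit the earlier instance's already-rendered `git-upload-pack` location, including its `GIT_PROJECT_ROOT` and socket path, and its vhost would hand out those repositories over HTTP. The same applies to `nginx_locations_logo`, whose task sits in a block that starts outside the hunk. Resetting both before they are computed, e.g. `- set_fact: { nginx_locations_logo: {}, nginx_locations_git_backend: {} }`, or assigning them unconditionally with an inline `if … else {}` expression, would remove the dependency on earlier runs.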
@@ -1,72 +0,0 @@ - server { - listen 80; - listen [::]:80; - server_name {{ gitolite_instances[gitolite_instance].http.hostnames | join(' ') }}; - - access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; - error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - - include snippets/{{ acme_client }}.conf; - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ gitolite_instances[gitolite_instance].http.hostnames | join(' ') }}; - - access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; - error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - - include snippets/{{ acme_client }}.conf; - include snippets/tls.conf; - ssl_certificate {{ x509_certificate_path_fullchain }}; - ssl_certificate_key {{ x509_certificate_path_key }}; - include snippets/hsts.conf; - - location = / { - return 303 /cgit/; - } - - location /cgit-css/ { - alias /usr/share/cgit/; - } -{% if 'logo' in gitolite_instances[gitolite_instance].http %} - - location = /logo.png { - alias /usr/local/share/cgit/{{ gitolite_instance }}.png; - } -{% endif %} - - location /cgit/ { - include fastcgi_params; - fastcgi_split_path_info ^(/cgit)(.*)$; - - fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc; - - fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; - } -{% if 'enable_git_backend' in gitolite_instances[gitolite_instance].http and gitolite_instances[gitolite_instance].http.enable_git_backend %} - - location ~ ^.*/git-receive-pack$ { - return 403; - } - - location ~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$ { - include fastcgi_params; - - fastcgi_param SCRIPT_FILENAME 
/usr/lib/git-core/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance }}/repositories; - - fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; - } -{% endif %} -} diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index 5984e623..1447fb14 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -8,6 +8,9 @@ # hostnames: # - example.com # - www.example.com +# logs: +# access: /var/log/nginx/example_access.log +# error: /var/log/nginx/example_error.log # extra_directives: |- # add_header X-Example-Header "foo"; # locations: @@ -45,8 +48,16 @@ # add_header X-Example-Header "foo"; # '/subdir/': # alias: /srv/www/foo +# '/private/': +# return: "403" # '/foo/': # proxy_pass: http://127.0.0.1:1234 +# '/custom/': +# custom: |- +# include fastcgi_params; +# fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo +# fastcgi_param PATH_INFO $uri; +# fastcgi_pass unix:/run/fcgiwrap/foo.sock; # nginx_vhost: # name: other-example diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 index 434fa679..f87d029d 100644 --- a/roles/nginx/vhost/templates/generic.conf.j2 +++ b/roles/nginx/vhost/templates/generic.conf.j2 @@ -3,6 +3,15 @@ server { listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if 'logs' in nginx_vhost %} +{% if 'access' in nginx_vhost.logs %} + access_log {{ nginx_vhost.logs.access }}; +{% endif %} +{% if 'error' in nginx_vhost.logs %} + error_log {{ nginx_vhost.logs.error }}; +{% endif %} + +{% endif %} {% if 'tls' in nginx_vhost %} {% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; 
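Review bot: The `'/custom/'` example in the second hunk of `defaults/main.yml` is missing the terminating `;` on `fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo`. Because the `custom` value is pasted into the vhost as-is, anyone copying the example gets a `fastcgi_param` directive that swallows the following line and a configuration that nginx refuses to load. The line should read `# fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo;` with the indentation of its neighbours.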
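Review bot: The `logs` block added to the port-80 server here is repeated verbatim in the TLS server block (hunk `-18,6 +27,15`), so the two copies can drift apart and leave one listener logging to the default files. A small Jinja macro defined once at the top of `generic.conf.j2` and called in both server blocks would keep them in step. The values are written into the directive unquoted, so it is worth a one-line comment next to the `logs:` example in the defaults stating that they must be plain nginx arguments (a path, optionally followed by a level for `error`).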
@@ -18,6 +27,15 @@ server { listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if 'logs' in nginx_vhost %} +{% if 'access' in nginx_vhost.logs %} + access_log {{ nginx_vhost.logs.access }}; +{% endif %} +{% if 'error' in nginx_vhost.logs %} + error_log {{ nginx_vhost.logs.error }}; +{% endif %} + +{% endif %} {% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; {% endif %} @@ -55,6 +73,10 @@ server { proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }}; {% endfor %} {% endif %} +{% elif 'return' in location %} + return {{ location.return }}; +{% elif 'custom' in location %} + {{ location.custom | indent(8) }} {% else %} {% if 'root' in location %} root {{ location.root }}; -- cgit v1.2.3
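Review bot: `return` and `custom` are added as `elif` branches in the last hunk, so they are only considered when the earlier branch of the chain did not match (the chain starts outside the hunk; the `proxy_ssl_*` lines suggest that branch is the `proxy_pass` case), and a location carrying both `return` and `custom` only gets the `return`. A location that combines, say, `proxy_pass` with `return: "403"` would therefore render without the deny and without any warning. I would document the precedence next to the examples in `defaults/main.yml` and put a comment above the `custom` branch such as `{# emitted verbatim: no validation, the caller must supply valid nginx syntax #}`.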