From 9b5da334fa74cb994e41a778713c8670f50c1690 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 9 Oct 2023 16:07:55 +0200
Subject: nginx/vhost: refactor templates and add tlsonly variant

---
 roles/nginx/vhost/templates/generic.conf.j2 | 57 +---------------------------
 roles/nginx/vhost/templates/includes/body.j2 | 56 +++++++++++++++++++++++++++
 roles/nginx/vhost/templates/tlsonly.conf.j2 | 26 +++++++++++++
 3 files changed, 83 insertions(+), 56 deletions(-)
 create mode 100644 roles/nginx/vhost/templates/includes/body.j2
 create mode 100644 roles/nginx/vhost/templates/tlsonly.conf.j2
(limited to 'roles/nginx')

diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2
index dae84a2f..97cb8269 100644
--- a/roles/nginx/vhost/templates/generic.conf.j2
+++ b/roles/nginx/vhost/templates/generic.conf.j2
@@ -47,60 +47,5 @@ server {
 {% endif %}
 {% endif %}
-{% if 'custom' in nginx_vhost %}
- {{ nginx_vhost.custom | trim | indent(4) }}
-{% else %}
-{% if 'extra_directives' in nginx_vhost %}
- {{ nginx_vhost.extra_directives | trim | indent(4) }}
-
-{% endif %}
-{% for path, location in nginx_vhost.locations.items() %}
- location {{ path }} {
-{% if 'proxy_pass' in location %}
- include snippets/proxy-nobuff.conf;
- proxy_set_header Host $host;
- include snippets/proxy-forward-headers.conf;
-
- # for websockets
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_pass {{ location.proxy_pass }};
-{% if 'proxy_redirect' in location %}
-{% for entry in location.proxy_redirect %}
- proxy_redirect {{ entry.redirect }} {{ entry.replacement }};
-{% endfor %}
-{% endif %}
-{% if 'proxy_ssl' in location %}
-{% for prop in (location.proxy_ssl | list | sort) %}
- proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }};
-{% endfor %}
-{% endif %}
-{% elif 'return' in location %}
- return {{ location.return }};
-{% elif 'custom' in location %}
- {{ location.custom | trim | indent(8) }}
-{% else %}
-{% if 'root' in location %}
- root {{ location.root }};
-{% elif 'alias' in location %}
- alias {{ location.alias }};
-{% endif %}
-{% if 'index' in location %}
- index {{ location.index }};
-{% endif %}
-{% if 'autoindex' in location %}
- autoindex on;
-{% if 'format' in location.autoindex %}
- autoindex_format {{ nginx_vhost.autoindex.format }};
-{% endif %}
-{% endif %}
-{% endif %}
-{% if 'extra_directives' in location %}
-
- {{ location.extra_directives | trim | indent(8) }}
-{% endif %}
- }
-{% endfor %}
-{% endif %}
+{% include 'includes/body.j2' %}
 }
diff --git a/roles/nginx/vhost/templates/includes/body.j2 b/roles/nginx/vhost/templates/includes/body.j2
new file mode 100644
index 00000000..a80bcc2c
--- /dev/null
+++ b/roles/nginx/vhost/templates/includes/body.j2
@@ -0,0 +1,56 @@
+{% if 'custom' in nginx_vhost %}
+ {{ nginx_vhost.custom | trim | indent(4) }}
+{% else %}
+{% if 'extra_directives' in nginx_vhost %}
+ {{ nginx_vhost.extra_directives | trim | indent(4) }}
+
+{% endif %}
+{% for path, location in nginx_vhost.locations.items() %}
+ location {{ path }} {
+{% if 'proxy_pass' in location %}
+ include snippets/proxy-nobuff.conf;
+ proxy_set_header Host $host;
+ include snippets/proxy-forward-headers.conf;
+
+ # for websockets
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_pass {{ location.proxy_pass }};
+{% if 'proxy_redirect' in location %}
+{% for entry in location.proxy_redirect %}
+ proxy_redirect {{ entry.redirect }} {{ entry.replacement }};
+{% endfor %}
+{% endif %}
+{% if 'proxy_ssl' in location %}
+{% for prop in (location.proxy_ssl | list | sort) %}
+ proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }};
+{% endfor %}
+{% endif %}
+{% elif 'return' in location %}
+ return {{ location.return }};
+{% elif 'custom' in location %}
+ {{ location.custom | trim | indent(8) }}
+{% else %}
+{% if 'root' in location %}
+ root {{ location.root }};
+{% elif 'alias' in location %}
+ alias {{ location.alias }};
+{% endif %}
+{% if 'index' in location %}
+ index {{ location.index }};
+{% endif %}
+{% if 'autoindex' in location %}
+ autoindex on;
+{% if 'format' in location.autoindex %}
+ autoindex_format {{ nginx_vhost.autoindex.format }};
+{% endif %}
+{% endif %}
+{% endif %}
+{% if 'extra_directives' in location %}
+
+ {{ location.extra_directives | trim | indent(8) }}
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
diff --git a/roles/nginx/vhost/templates/tlsonly.conf.j2 b/roles/nginx/vhost/templates/tlsonly.conf.j2
new file mode 100644
index 00000000..2af0e7ad
--- /dev/null
+++ b/roles/nginx/vhost/templates/tlsonly.conf.j2
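Review bot: The autoindex branch guards on `'format' in location.autoindex` but then renders `nginx_vhost.autoindex.format`, so a per-location format is never used and the render either fails on a missing vhost-level key or silently picks up an unrelated one; the line should read `autoindex_format {{ location.autoindex.format }};`. The mistake is carried over verbatim from generic.conf.j2, and moving the block into a shared include is a good moment to fix it since every variant will now inherit it. It would also help a reader to open the new file with a short `{# ... #}` comment stating that `nginx_vhost.custom`, `nginx_vhost.extra_directives`, `location.custom` and `location.extra_directives` are inserted as raw nginx directives without any validation, and that a `proxy_pass` location only sends `proxy_ssl_*` directives when `proxy_ssl` is set, so an https upstream without it runs with nginx's default of upstream certificate verification disabled.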
@@ -0,0 +1,26 @@
+server {
+ listen {{ nginx_vhost.tls.port | default(443) }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+ listen [::]:{{ nginx_vhost.tls.port | default(443) }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+ server_name {{ nginx_vhost.hostnames | join(' ') }};
+
+{% if 'logs' in nginx_vhost %}
+{% if 'access' in nginx_vhost.logs %}
+ access_log {{ nginx_vhost.logs.access }};
+{% endif %}
+{% if 'error' in nginx_vhost.logs %}
+ error_log {{ nginx_vhost.logs.error }};
+{% endif %}
+
+{% endif %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
+ include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
+{% endif %}
+ include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
+ ssl_certificate {{ x509_certificate_path_fullchain }};
+ ssl_certificate_key {{ x509_certificate_path_key }};
+{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
+ include snippets/hsts.conf;
+{% endif %}
+
+{% include 'includes/body.j2' %}
+}
-- cgit v1.2.3
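Review bot: The new template has hard requirements that nothing in the file states: `nginx_vhost.tls` must exist (every `listen`, the `certificate_provider` test and the `hsts` test dereference it unguarded), and `x509_certificate_path_fullchain` / `x509_certificate_path_key` come from outside `nginx_vhost`, so whoever loops this template over several vhosts must set them per vhost or every server block ends up with the same key pair. A header comment would make the variant's contract explicit, e.g. `{# TLS-only vhost: no plain-HTTP listener, so clients on port 80 get no redirect; requires nginx_vhost.tls plus x509_certificate_path_fullchain/_key; HSTS is sent unless nginx_vhost.tls.hsts is false #}`. Note also that a `certificate_provider` other than acmetool or uacme silently gets no provider snippet, which is presumably intended for manually managed certificates but is worth a word in the same comment.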