Initial commit

2023-03-14 16:38:06 +01:00 · 2023-03-14 16:38:06 +01:00 · 63d5eabd20
commit 63d5eabd20
4 changed files with 149 additions and 0 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: restarted
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+  role_name: nginx-config-svc
+  author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
+  description: Abstraction to configure nginx server
+  license: GPL-3.0-or-later
+  min_ansible_version: 2.9
+  platforms:
+    - name: Alpine
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: configure nginx for {{ instance_name }}
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/http.d/{{ instance_name }}.conf"
+    mode: 0644
+  notify:
+    - reload nginx
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@ -0,0 +1,118 @@
+{% if before_server is defined %}
+{{ before_server }}
+{% endif %}
+server {
+  {% if listen80 is defined -%}
+    {{ listen80 }}
+  {% else %}
+    listen 80;
+    listen [::]:80;
+  {% endif %}
+{% if proxy_protocol is defined %}
+
+    listen 81 proxy_protocol;
+    listen [::]:81 proxy_protocol;
+    real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+
+    port_in_redirect off;
+{% endif %}
+    server_name {{ domains | join(' ') }};
+
+    location / {
+        # enforce https
+        return 301 https://$server_name:443$request_uri;
+    }
+    {% if unsecure_server is defined %}
+    {{ unsecure_server }}
+    {% endif %}
+    location /.well-known/acme-challenge {
+    {% if acme_challenge is defined %}
+        {{ acme_challenge }}
+    {% else %}
+        root /var/www/acme;
+    {% endif %}
+    }
+}
+
+server {
+  {% if listen443 is defined -%}
+    {{ listen443 }}
+  {% else %}
+    listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
+    listen [::]:443 ssl http2;
+    {% endif %}
+    server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
+{% if proxy_protocol is defined %}
+
+    listen 442 ssl http2 proxy_protocol;
+    listen [::]:442 ssl http2 proxy_protocol;
+    real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+
+    port_in_redirect off;
+{% endif %}
+
+    {% if ssl_certificate is defined %}
+    {{ ssl_certificate }}
+    {% else %}
+    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
+    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
+    {% endif %}
+
+    add_header X-XSS-Protection "0";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
+    {% if headers is defined %}{{ headers }}{% endif %}
+
+    {% if server %}
+    {{ server }}
+    {% endif %}
+}
+{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
+server {
+    listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ domains[1:] | join(' ') }};
+{% if proxy_protocol is defined %}
+
+    listen 442 ssl http2 proxy_protocol;
+    listen [::]:442 ssl http2 proxy_protocol;
+    real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+    set_real_ip_from {{ ip }};
+{% endfor %}
+
+    port_in_redirect off;
+{% endif %}
+
+    {% if ssl_certificate is defined %}
+    {{ ssl_certificate }}
+    {% else %}
+    ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
+    ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
+    {% endif %}
+
+    add_header X-XSS-Protection "0";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
+
+    location / {
+        rewrite (.*) https://{{ domains[0] }}$1;
+    }
+}
+{% endif %}
+{% if after_server is defined %}
+{{ after_server }}
+{% endif %}