Initial commit
commit
63d5eabd20
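--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: restarted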
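Review bot: The handler is named `reload nginx` but does `state: restarted`, which kills every in-flight connection (including established TLS sessions) on each config change instead of the graceful worker hand-off a reload gives. Unless a full restart is required for a reason not visible here, `state: reloaded` matches both the handler name and what `nginx -s reload` does. Nothing validates the rendered config before the service action, so a template error takes nginx down rather than being rejected; a `command: nginx -t` task (or a `validate:` on the template task, though that is awkward for an include fragment) ahead of the handler would catch it while the old config is still serving.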
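--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+  role_name: nginx-config-svc
+  author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
+  description: Abstraction to configure nginx server
+  license: GPL-3.0-or-later
+  min_ansible_version: 2.9
+  platforms:
+    - name: Alpine
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags: []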
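Review bot: `min_ansible_version: 2.9` is an unquoted scalar that YAML loads as the float 2.9; that happens to work here, but a later bump to `2.10` would silently become 2.1. Quoting it as `min_ansible_version: "2.9"` keeps it a version string regardless of the loader. The rest of the file is plain metadata.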
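--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: configure nginx for {{ instance_name }}
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/http.d/{{ instance_name }}.conf"
+    mode: 0644
+  notify:
+    - reload nginx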
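Review bot: `instance_name` is spliced into `dest` with no validation, so a value containing `/` or `..` (a mistyped or attacker-influenced inventory value or extra-var) writes the rendered config outside `/etc/nginx/http.d/` and still triggers the nginx restart. An `assert` on the name before the `template` task closes that off and gives a clear failure instead of a stray file. Separately, `/etc/nginx/http.d/` is the Alpine package's include directory, while `meta/main.yml` also claims Debian, whose nginx ships `conf.d`/`sites-enabled`; on Debian the file is presumably written but never included unless the host's nginx.conf was changed to include http.d — confirm, or make the directory a role variable.

```yaml
- name: refuse instance names that could escape /etc/nginx/http.d
  assert:
    that:
      - instance_name is match('^[A-Za-z0-9][A-Za-z0-9_.-]*$')
    fail_msg: "instance_name must be a plain file name, got '{{ instance_name }}'"

# … unchanged: configure nginx for {{ instance_name }} template task …
```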
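--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,118 @@
+{% if before_server is defined %}
+{{ before_server }}
+{% endif %}
+server {
+{% if listen80 is defined -%}
+{{ listen80 }}
+{% else %}
+listen 80;
+listen [::]:80;
+{% endif %}
+{% if proxy_protocol is defined %}
+
+listen 81 proxy_protocol;
+listen [::]:81 proxy_protocol;
+real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+
+port_in_redirect off;
+{% endif %}
+server_name {{ domains | join(' ') }};
+
+location / {
+# enforce https
+return 301 https://$server_name:443$request_uri;
+}
+{% if unsecure_server is defined %}
+{{ unsecure_server }}
+{% endif %}
+location /.well-known/acme-challenge {
+{% if acme_challenge is defined %}
+{{ acme_challenge }}
+{% else %}
+root /var/www/acme;
+{% endif %}
+}
+}
+
+server {
+{% if listen443 is defined -%}
+{{ listen443 }}
+{% else %}
+listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
+listen [::]:443 ssl http2;
+{% endif %}
+server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %};
+{% if proxy_protocol is defined %}
+
+listen 442 ssl http2 proxy_protocol;
+listen [::]:442 ssl http2 proxy_protocol;
+real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+
+port_in_redirect off;
+{% endif %}
+
+{% if ssl_certificate is defined %}
+{{ ssl_certificate }}
+{% else %}
+ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
+ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
+{% endif %}
+
+add_header X-XSS-Protection "0";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
+{% if headers is defined %}{{ headers }}{% endif %}
+
+{% if server %}
+{{ server }}
+{% endif %}
+}
+{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %}
+server {
+listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2;
+listen [::]:443 ssl http2;
+server_name {{ domains[1:] | join(' ') }};
+{% if proxy_protocol is defined %}
+
+listen 442 ssl http2 proxy_protocol;
+listen [::]:442 ssl http2 proxy_protocol;
+real_ip_header proxy_protocol;
+{% for ip in proxy_protocol.ipv4 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+{% for ip in proxy_protocol.ipv6 %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+
+port_in_redirect off;
+{% endif %}
+
+{% if ssl_certificate is defined %}
+{{ ssl_certificate }}
+{% else %}
+ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt;
+ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem;
+{% endif %}
+
+add_header X-XSS-Protection "0";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
+
+location / {
+rewrite (.*) https://{{ domains[0] }}$1;
+}
+}
+{% endif %}
+{% if after_server is defined %}
+{{ after_server }}
+{% endif %}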
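Review bot: The `Strict-Transport-Security` header in the main 443 server (and again in the `redirect_to_first` server) is set with server-level `add_header`, but nginx only inherits `add_header` into a `location` that has none of its own, so any `add_header` inside the `{{ headers }}` or `{{ server }}` snippets that lands in a `location` silently drops HSTS and `X-XSS-Protection` for that path; a comment next to the directive, `# nginx does not merge add_header: a location that sets its own add_header loses HSTS and must repeat it`, would stop the next caller from tripping on that. Unlike `before_server`, `headers`, `unsecure_server` and `after_server`, `{% if server %}` has no `is defined` guard, so under Ansible's strict undefined handling the whole template errors out when `server` is unset; if the hook is meant to be optional write `{% if server is defined and server %}`, otherwise document it as a required variable. The `listen ... ssl http2` form is the pre-1.25.1 syntax that current nginx warns about in favour of `http2 on;`, which will matter on an Alpine target shipping a recent package. No `ssl_protocols`/`ssl_ciphers` appear here, so the TLS policy presumably comes from the host's nginx.conf or the `ssl_certificate` hook — confirm rather than relying on distro defaults.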