Added custom nginx sites
@@ -1,3 +1,21 @@
|
||||
## Nginx ansible configuration
|
||||
#
|
||||
# Structure:
|
||||
# cert_domains: List of domains to request and maintain certificates for. These are single-domain certificates, acquired and renewed individually
|
||||
# wildcard_domains: List of domains to request and maintain wildcard certificates (*.<domain here>) for.
|
||||
# sites_available: List of site definition objects (see below)
|
||||
# streams_available: List of TCP stream definition objects (see below)
|
||||
# custom_sites: List of files to copy directly into the server's sites_enabled directory. These files should be matched by the glob 'playbooks/roles/nginx/files/custom_sites/*.conf'
|
||||
|
||||
## sites_available
|
||||
# fqdn: The fully-qualified domain name of the site. Must be unique among sites, and is used as both the filename and the nginx server name.
|
||||
# enabled: Boolean, indicates whether the site should be active. Set this to no rather than removing site configurations outright.
|
||||
# cert_domain: Optional certificate domain basename to use, if not the FQDN. Required for when the site uses a wildcard cert
|
||||
# upstream: The URI of the usptream to proxy to
|
||||
# restricted: Boolean indicating whether this site has IP restrictions. Defaults to false.
|
||||
# allowed_ips: List of IP addresses and CIDR blocks to allow access from when restricted is true. Defaults to 10.242.0.0/16.
|
||||
# max_upload: The maximum request body size. Defaults to unset, for Nginx's default.
|
||||
|
||||
cert_domains:
|
||||
- files.ezri.dev
|
||||
- git.ezri.dev
|
||||
@@ -6,6 +24,10 @@ cert_domains:
|
||||
- mail.ezri.dev
|
||||
- navidrome.ezri.dev
|
||||
- vtt.ezri.dev
|
||||
- ezri.dev
|
||||
|
||||
custom_sites:
|
||||
- well-known.conf
|
||||
|
||||
sites_available:
|
||||
- fqdn: files.ezri.dev
|
||||
@@ -69,6 +91,8 @@ streams_available:
|
||||
restricted: yes
|
||||
allowed_ips:
|
||||
- 10.242.200.0/24
|
||||
- 10.242.202.90
|
||||
- 10.242.203.90
|
||||
- 10.242.0.1
|
||||
- 10.242.203.1
|
||||
- 10.242.203.13
|
||||
|
||||
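Review bot: The `custom_sites` description in the first hunk should say that these files are installed verbatim, so none of the per-site options documented below it (`enabled`, `restricted`/`allowed_ips`, `cert_domain`, `max_upload`) apply to them and each file has to carry its own TLS and access-control directives; suggested wording: `# custom_sites: List of files to copy verbatim into the server's sites_enabled directory. They bypass the sites_available options below, so each file must configure its own TLS and access control. Matched by the glob 'playbooks/roles/nginx/files/custom_sites/*.conf'`. The same header has a typo in the `upstream` line, `usptream` should read `upstream`. In the third hunk `restricted: yes` (and the header's "Set this to no") relies on YAML 1.1 truthy parsing; Ansible's loader accepts it, but YAML 1.2 parsers and yamllint's truthy rule treat `yes`/`no` as strings, so `true`/`false` is the unambiguous spelling. The `cert_domains` and `allowed_ips` lists in the second and third hunks continue outside the hunk boundaries.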
@@ -1,3 +1,21 @@
|
||||
## Nginx ansible configuration
|
||||
#
|
||||
# Structure:
|
||||
# cert_domains: List of domains to request and maintain certificates for. These are single-domain certificates, acquired and renewed individually
|
||||
# wildcard_domains: List of domains to request and maintain wildcard certificates (*.<domain here>) for.
|
||||
# sites_available: List of site definition objects (see below)
|
||||
# streams_available: List of TCP stream definition objects (see below)
|
||||
# custom_sites: List of files to copy directly into the server's sites_enabled directory. These files should be matched by the glob 'playbooks/roles/nginx/files/custom_sites/*.conf'
|
||||
|
||||
## sites_available
|
||||
# fqdn: The fully-qualified domain name of the site. Must be unique among sites, and is used as both the filename and the nginx server name.
|
||||
# enabled: Boolean, indicates whether the site should be active. Set this to no rather than removing site configurations outright.
|
||||
# cert_domain: Optional certificate domain basename to use, if not the FQDN. Required for when the site uses a wildcard cert
|
||||
# upstream: The URI of the usptream to proxy to
|
||||
# restricted: Boolean indicating whether this site has IP restrictions. Defaults to false.
|
||||
# allowed_ips: List of IP addresses and CIDR blocks to allow access from when restricted is true. Defaults to 10.242.0.0/16.
|
||||
# max_upload: The maximum request body size. Defaults to unset, for Nginx's default.
|
||||
|
||||
cert_domains:
|
||||
- vw.ezri.dev
|
||||
|
||||
@@ -26,7 +44,7 @@ sites_available:
|
||||
- fqdn: sonarr.internal.ezri.dev
|
||||
enabled: yes
|
||||
cert_domain: internal.ezri.dev
|
||||
upstream: https://10.242.201.3:8989
|
||||
upstream: http://10.242.201.3:8989
|
||||
restricted: yes
|
||||
allowed_ips:
|
||||
- 10.242.0.0/23
|
||||
|
||||
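Review bot: The sonarr `upstream` value changes scheme between `https://10.242.201.3:8989` and `http://10.242.201.3:8989` (the rendered page has lost the +/- markers, so the direction is not certain here), which is unrelated to the custom-sites feature named in the commit title and deserves a sentence in the commit message. If the new value is the `http://` one, proxy-to-backend traffic for this site is now unencrypted, which is only acceptable if the path between the proxy and 10.242.201.3 is trusted; a comment above the line such as `# backend speaks plain HTTP; proxy-to-backend hop stays on the internal network` would record that decision. The 18-line header comment in the first hunk duplicates the one added to the other vars file in this commit; keeping it in one place (the role README or defaults) avoids the two copies drifting apart.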
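--- /dev/null
+++ b/playbooks/roles/nginx/files/custom_sites/well-known.conf
@@ -0,0 +1,27 @@
+# ezri.dev server initially for hosting well-known files.
+# Will likely add an upstream proxy later
+
+map $scheme $hsts_header {
+https "max-age=63072000; preload";
+}
+
+server {
+listen 80;
+listen 443 ssl http2;
+
+server_name ezri.dev;
+
+ssl_certificate /etc/letsencrypt/live/ezri.dev/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/ezri.dev/privkey.pem;
+
+if ($scheme = "http") {
+return 301 https://$host$request_uri;
+}
+
+add_header Strict-Transport-Security $hsts_header always;
+
+location /.well-known/matrix/server {
+add_header Content-Type application/json;
+return 200 '{"m.server": "matrix.ezri.dev:443"}';
+}
+}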
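Review bot: The `add_header Content-Type application/json;` inside `location /.well-known/matrix/server` cancels the server-level `add_header Strict-Transport-Security $hsts_header always;`, because nginx inherits add_header from the enclosing level only when the current level defines no add_header of its own, so the one location that actually serves content sends no HSTS header. Replacing that line with `default_type application/json;` sets the content type of the `return 200` body without an add_header in the block, and the HSTS header is then inherited as intended. The `preload` token in `$hsts_header` has no effect on its own: the preload list requires `includeSubDomains` and a submission, so either drop `preload` or, if preloading is really intended, add `includeSubDomains` only after confirming that every ezri.dev subdomain, including the internal ones listed in the vars files, is meant to be reachable over HTTPS exclusively.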
@@ -136,8 +136,19 @@
|
||||
state: absent
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Deploy custom sites
|
||||
loop: '{{ custom_sites }}'
|
||||
when: custom_sites is defined
|
||||
ansible.builtin.copy:
|
||||
src: custom_sites/{{ item }}
|
||||
dest: /etc/nginx/sites-enabled/{{ item }}
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: Reload nginx
|
||||
|
||||
- name: Deploy stream configurations
|
||||
loop: '{{ streams_available }}'
|
||||
loop: '{{ streams_available }}'
|
||||
when: streams_available is defined
|
||||
ansible.builtin.template:
|
||||
src: stream.j2
|
||||
|
||||
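Review bot: The new `Deploy custom sites` task has no removal counterpart, while the task ending just above the hunk (its name is outside the hunk) does a `state: absent` cleanup; a file dropped from `custom_sites` stays in `/etc/nginx/sites-enabled/` and keeps serving until someone deletes it by hand. A companion task that lists `/etc/nginx/sites-enabled/` with `ansible.builtin.find` and removes entries that are neither in `custom_sites` nor produced from `sites_available` would make the list authoritative; if the existing cleanup task already covers this, a comment saying so above `- name: Deploy custom sites` is enough. `item` is also interpolated unfiltered into `dest`, so `dest: /etc/nginx/sites-enabled/{{ item | basename }}` keeps a mistyped entry containing a path separator from landing outside sites-enabled. The `Deploy stream configurations` task continues past the end of the hunk.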