Added custom nginx sites

2025-01-22 22:31:13 -07:00
parent 258feb3c97
commit 456a7cbeaf
4 changed files with 82 additions and 2 deletions
--- a/group_vars/ext_nginx.yml
+++ b/group_vars/ext_nginx.yml
@@ -1,3 +1,21 @@
+## Nginx ansible configuration
+#
+# Structure:
+# cert_domains: List of domains to request and maintain certificates for. These are single-domain certificates, acquired and renewed individually
+# wildcard_domains: List of domains to request and maintain wildcard certificates (*.<domain here>) for.
+# sites_available: List of site definition objects (see below)
+# streams_available: List of TCP stream definition objects (see below)
+# custom_sites: List of files to copy directly into the server's sites_enabled directory. These files should be matched by the glob 'playbooks/roles/nginx/files/custom_sites/*.conf'
+
+## sites_available
+# fqdn: The fully-qualified domain name of the site. Must be unique among sites, and is used as both the filename and the nginx server name.
+# enabled: Boolean, indicates whether the site should be active. Set this to no rather than removing site configurations outright.
+# cert_domain: Optional certificate domain basename to use, if not the FQDN. Required for when the site uses a wildcard cert
+# upstream: The URI of the usptream to proxy to
+# restricted: Boolean indicating whether this site has IP restrictions. Defaults to false.
+# allowed_ips: List of IP addresses and CIDR blocks to allow access from when restricted is true. Defaults to 10.242.0.0/16.
+# max_upload: The maximum request body size. Defaults to unset, for Nginx's default.
+
 cert_domains:
  - files.ezri.dev
  - git.ezri.dev
@@ -6,6 +24,10 @@ cert_domains:
  - mail.ezri.dev
  - navidrome.ezri.dev
  - vtt.ezri.dev
+  - ezri.dev
+
+custom_sites:
+  - well-known.conf

 sites_available:
  - fqdn: files.ezri.dev
@@ -69,6 +91,8 @@ streams_available:
    restricted: yes
    allowed_ips:
      - 10.242.200.0/24
+      - 10.242.202.90
+      - 10.242.203.90
      - 10.242.0.1
      - 10.242.203.1
      - 10.242.203.13
--- a/group_vars/int_nginx.yml
+++ b/group_vars/int_nginx.yml
@@ -1,3 +1,21 @@
+## Nginx ansible configuration
+#
+# Structure:
+# cert_domains: List of domains to request and maintain certificates for. These are single-domain certificates, acquired and renewed individually
+# wildcard_domains: List of domains to request and maintain wildcard certificates (*.<domain here>) for.
+# sites_available: List of site definition objects (see below)
+# streams_available: List of TCP stream definition objects (see below)
+# custom_sites: List of files to copy directly into the server's sites_enabled directory. These files should be matched by the glob 'playbooks/roles/nginx/files/custom_sites/*.conf'
+
+## sites_available
+# fqdn: The fully-qualified domain name of the site. Must be unique among sites, and is used as both the filename and the nginx server name.
+# enabled: Boolean, indicates whether the site should be active. Set this to no rather than removing site configurations outright.
+# cert_domain: Optional certificate domain basename to use, if not the FQDN. Required for when the site uses a wildcard cert
+# upstream: The URI of the usptream to proxy to
+# restricted: Boolean indicating whether this site has IP restrictions. Defaults to false.
+# allowed_ips: List of IP addresses and CIDR blocks to allow access from when restricted is true. Defaults to 10.242.0.0/16.
+# max_upload: The maximum request body size. Defaults to unset, for Nginx's default.
+
 cert_domains:
  - vw.ezri.dev

@@ -26,7 +44,7 @@ sites_available:
  - fqdn: sonarr.internal.ezri.dev
    enabled: yes
    cert_domain: internal.ezri.dev
-    upstream: https://10.242.201.3:8989
+    upstream: http://10.242.201.3:8989
    restricted: yes
    allowed_ips:
      - 10.242.0.0/23
--- a/playbooks/roles/nginx/files/custom_sites/well-known.conf
+++ b/playbooks/roles/nginx/files/custom_sites/well-known.conf
@@ -0,0 +1,27 @@
+# ezri.dev server initially for hosting well-known files.
+# Will likely add an upstream proxy later
+
+map $scheme $hsts_header {
+	https "max-age=63072000; preload";
+}
+
+server {
+	listen 80;
+	listen 443 ssl http2;
+
+	server_name ezri.dev;
+
+	ssl_certificate /etc/letsencrypt/live/ezri.dev/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/ezri.dev/privkey.pem;
+
+	if ($scheme = "http") {
+		return 301 https://$host$request_uri;
+	}
+
+	add_header Strict-Transport-Security $hsts_header always;
+
+	location /.well-known/matrix/server {
+		add_header Content-Type application/json;
+		return 200 '{"m.server": "matrix.ezri.dev:443"}';
+	}
+}
--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -136,8 +136,19 @@
    state: absent
  notify: Reload nginx

+- name: Deploy custom sites
+  loop: '{{ custom_sites }}'
+  when: custom_sites is defined
+  ansible.builtin.copy:
+    src: custom_sites/{{ item }}
+    dest: /etc/nginx/sites-enabled/{{ item }}
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload nginx
+
 - name: Deploy stream configurations
-  loop: '{{ streams_available }}'
+  loop: '{{ streams_available }}' 
  when: streams_available is defined
  ansible.builtin.template:
    src: stream.j2