From e7f6648e4a0f2cd8b5f4a51703542c1f73c695ca Mon Sep 17 00:00:00 2001 From: Jonathan DeMasi Date: Tue, 3 Feb 2026 21:34:24 -0700 Subject: [PATCH] init non ssl vhost for nginx, add to notes role --- .../host_vars/git.jthan.io/vars.yaml | 4 ++ .../host_vars/notes.jthan.io/vars.yaml | 1 + ansible/notes.yaml | 1 + ansible/roles/nginx/tasks/main.yaml | 16 ++++++- .../roles/nginx/tasks/templates/vhost.conf.j2 | 41 +---------------- .../nginx/tasks/templates/vhost_ssl.conf.j2 | 46 +++++++++++++++++++ 6 files changed, 69 insertions(+), 40 deletions(-) create mode 100644 ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml create mode 100644 ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2 diff --git a/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml b/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml index 74b1838..77dd049 100644 --- a/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml +++ b/ansible/inventories/production/host_vars/git.jthan.io/vars.yaml @@ -1,5 +1,9 @@ gitea_version: 1.25.3 + root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}" + +nginx_ssl_enabled: true + olm_config_path: "/etc/olm" olm_endpoint: "https://pangolin.jthan.io" olm_id: "{{ lookup('bitwarden.secrets.lookup', 'a27c5cf3-21f1-464a-b911-b3de017888cb') }}" diff --git a/ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml b/ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml new file mode 100644 index 0000000..9d59c91 --- /dev/null +++ b/ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml @@ -0,0 +1 @@ +nginx_ssl_enabled: false diff --git a/ansible/notes.yaml b/ansible/notes.yaml index 52b6127..c170ac4 100644 --- a/ansible/notes.yaml +++ b/ansible/notes.yaml @@ -4,3 +4,4 @@ roles: - common - ldap_client + - nginx diff --git a/ansible/roles/nginx/tasks/main.yaml b/ansible/roles/nginx/tasks/main.yaml index fd830a2..4ade7bf 100644 
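Review bot: `nginx_ssl_enabled: false` turns TLS off for a production host with no rationale recorded, and with the non-ssl template in this commit the host answers plain HTTP with no redirect to HTTPS and no HSTS, so everything it serves is cleartext. If that is deliberate (static notes only, or TLS terminated by something upstream — I cannot tell from the diff), say so next to the flag so the next reader neither "fixes" it nor copies it to a host that serves an authenticated app: `# Plain HTTP on purpose: <reason> — no TLS and no HSTS are configured on this host`. Nothing in the role stops the same line from being set on git.jthan.io, so stating which hosts may opt out is worth a sentence here too.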
--- a/ansible/roles/nginx/tasks/main.yaml +++ b/ansible/roles/nginx/tasks/main.yaml @@ -17,12 +17,14 @@ path: /etc/nginx/ssl state: directory mode: '0755' + when: nginx_ssl_enabled - name: Generate dhparams command: cmd: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 creates: /etc/nginx/ssl/dhparam.pem notify: Restart nginx + when: nginx_ssl_enabled - name: Start and enable nginx service: @@ -45,13 +47,25 @@ permanent: true immediate: true offline: true + when: nginx_ssl_enabled -- name: Create nginx vhosts +- name: Create nginx non-ssl vhost template: src: templates/vhost.conf.j2 + dest: /etc/nginx/conf.d/{{ inventory_hostname}}.conf + owner: nginx + group: nginx + mode: '0644' + notify: Restart nginx + when: not nginx_ssl_enabled + +- name: Create nginx ssl vhost + template: + src: templates/vhost_ssl.conf.j2 dest: /etc/nginx/conf.d/{{ inventory_hostname }}.conf owner: nginx group: nginx mode: '0644' notify: Restart nginx + when: nginx_ssl_enabled diff --git a/ansible/roles/nginx/tasks/templates/vhost.conf.j2 b/ansible/roles/nginx/tasks/templates/vhost.conf.j2 index 3b17627..9db1988 100644 --- a/ansible/roles/nginx/tasks/templates/vhost.conf.j2 +++ b/ansible/roles/nginx/tasks/templates/vhost.conf.j2 
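Review bot: Every new `when: nginx_ssl_enabled` in this hunk dereferences the variable bare, and the commit defines it only in two host_vars files; unless `roles/nginx/defaults/main.yaml` (not shown) provides a default, any other host that includes this role fails at the first guarded task with an undefined-variable error instead of getting a sensible fallback. Make the fallback explicit and fail closed to TLS, e.g. `when: nginx_ssl_enabled | default(true) | bool`, or add `nginx_ssl_enabled: true` to the role defaults so that opting out always requires an explicit host override. The `| bool` also protects against a host or `-e` supplying the string `"false"`, which a bare truthiness test can treat as true.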
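Review bot: The new non-ssl vhost task renders the server block with `owner: nginx` / `group: nginx` and mode 0644, which makes the file writable by the unprivileged worker account while it is parsed by the root-owned master process on every reload; a compromised worker could rewrite `proxy_pass` or add a `location` exposing arbitrary paths and have root load it. nginx only needs to read its configuration, so render it as `owner: root` and `group: root` (the same two lines in the ssl task are pre-existing context and have the same issue). While touching it, `{{ inventory_hostname}}` in the new `dest:` is missing the space before `}}` that the ssl task has; it renders identically but is inconsistent.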
@@ -3,46 +3,9 @@ server { server_name {{ inventory_hostname }}; root /srv/http/{{ inventory_hostname }}/html; - # Allow lego to renew certs here using its own http server, we just proxy - location /.well-known/acme-challenge { - proxy_pass http://127.0.0.1:81; - proxy_set_header Host $host; - } - location / { - return 301 https://{{ inventory_hostname }}$request_uri; index index.htm index.html; + error_page 404 /404.html; + try_files $uri $uri.html $uri/ =404; } - -} - -server { - listen [::]:443 ssl ipv6only=off default_server; - http2 on; - ssl_certificate /etc/nginx/ssl/{{ inventory_hostname}}.crt; - ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname}}.key; - ssl_trusted_certificate /etc/nginx/ssl/{{ inventory_hostname}}.issuer.crt; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; - ssl_protocols TLSv1.3; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; - server_name {{ inventory_hostname }}; - - location / { - client_max_body_size 512M; - proxy_pass http://localhost:3000; - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - 
proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - } diff --git a/ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2 b/ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2 new file mode 100644 index 0000000..e2543c1 --- /dev/null +++ b/ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2 
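Review bot: The new static `location /` serves anything under `root /srv/http/{{ inventory_hostname }}/html` through `try_files`, and nothing denies dotfiles, so a `.git` checkout, `.env` or editor backup dropped into that tree would be served to anyone. Add `location ~ /\. { deny all; }` next to it, the usual guard for a static root (assuming the tree is not meant to expose dotfiles). Since this template is now the plain-HTTP path with no redirect, HSTS or ACME location, a header comment such as `# Plain-HTTP static vhost, rendered only when nginx_ssl_enabled is false; nothing served here is encrypted` would keep the next maintainer from reusing it for a proxied application. The `server {` and `listen` lines of this block sit above the hunk.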
@@ -0,0 +1,46 @@ +server { + listen [::]:80 ipv6only=off default_server; + server_name {{ inventory_hostname }}; + root /srv/http/{{ inventory_hostname }}/html; + + # Allow lego to renew certs here using its own http server, we just proxy + location /.well-known/acme-challenge { + proxy_pass http://127.0.0.1:81; + proxy_set_header Host $host; + } + + location / { + return 301 https://{{ inventory_hostname }}$request_uri; + index index.htm index.html; + } +} + +server { + listen [::]:443 ssl ipv6only=off default_server; + http2 on; + ssl_certificate /etc/nginx/ssl/{{ inventory_hostname}}.crt; + ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname}}.key; + ssl_trusted_certificate /etc/nginx/ssl/{{ inventory_hostname}}.issuer.crt; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.3; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + server_name {{ inventory_hostname }}; + + location / { + client_max_body_size 512M; + proxy_pass http://localhost:3000; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host 
$host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +}
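Review bot: With `ssl_protocols TLSv1.3;` the long `ssl_ciphers` list, `ssl_prefer_server_ciphers on` and `ssl_dhparam` beneath it have no effect — TLS 1.3 suites are not selected by `ssl_ciphers` and do not use finite-field DH — so the 4096-bit dhparam the role generates is dead weight, and the list still names `DES-CBC3-SHA`, `CAMELLIA` and CBC/SHA-1 suites that would silently go live the day TLSv1.2 is added back. Either drop those three directives (and the dhparam task), or pin a modern TLS 1.2 list so the intent is recorded rather than inherited. Separately, `ssl_stapling on` without a `resolver` directive leaves nginx unable to look up the OCSP responder hostname; it logs a "no resolver defined" warning and stapling silently does nothing, so add `resolver <host DNS address> valid=300s;` to this server block. The `{{ inventory_hostname}}` references are missing the space before `}}`.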