jonathan/infra
1
0
Fork 0
Code Actions Activity

init non ssl vhost for nginx, add to notes role

Browse Source
This commit is contained in:
Jonathan DeMasi
2026-02-03 21:34:24 -07:00
parent 21618d2e5e
commit e7f6648e4a
6 changed files with 69 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/inventories/production/host_vars/git.jthan.io/vars.yaml
View File

@@ -1,5 +1,9 @@
gitea_version: 1.25.3 gitea_version: 1.25.3
root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}" root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}"
nginx_ssl_enabled: true
olm_config_path: "/etc/olm" olm_config_path: "/etc/olm"
olm_endpoint: "https://pangolin.jthan.io" olm_endpoint: "https://pangolin.jthan.io"
olm_id: "{{ lookup('bitwarden.secrets.lookup', 'a27c5cf3-21f1-464a-b911-b3de017888cb') }}" olm_id: "{{ lookup('bitwarden.secrets.lookup', 'a27c5cf3-21f1-464a-b911-b3de017888cb') }}"

1
ansible/inventories/production/host_vars/notes.jthan.io/vars.yaml Normal file
View File

@@ -0,0 +1 @@
nginx_ssl_enabled: false

1
ansible/notes.yaml
View File

@@ -4,3 +4,4 @@
roles: roles:
- common - common
- ldap_client - ldap_client
- nginx

16
ansible/roles/nginx/tasks/main.yaml
View File

@@ -17,12 +17,14 @@
path: /etc/nginx/ssl path: /etc/nginx/ssl
state: directory state: directory
mode: '0755' mode: '0755'
when: nginx_ssl_enabled
- name: Generate dhparams - name: Generate dhparams
command: command:
cmd: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 cmd: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
creates: /etc/nginx/ssl/dhparam.pem creates: /etc/nginx/ssl/dhparam.pem
notify: Restart nginx notify: Restart nginx
when: nginx_ssl_enabled
- name: Start and enable nginx - name: Start and enable nginx
service: service:
@@ -45,13 +47,25 @@
permanent: true permanent: true
immediate: true immediate: true
offline: true offline: true
when: nginx_ssl_enabled
- name: Create nginx vhosts - name: Create nginx non-ssl vhost
template: template:
src: templates/vhost.conf.j2 src: templates/vhost.conf.j2
dest: /etc/nginx/conf.d/{{ inventory_hostname}}.conf
owner: nginx
group: nginx
mode: '0644'
notify: Restart nginx
when: not nginx_ssl_enabled
- name: Create nginx ssl vhost
template:
src: templates/vhost_ssl.conf.j2
dest: /etc/nginx/conf.d/{{ inventory_hostname }}.conf dest: /etc/nginx/conf.d/{{ inventory_hostname }}.conf
owner: nginx owner: nginx
group: nginx group: nginx
mode: '0644' mode: '0644'
notify: Restart nginx notify: Restart nginx
when: nginx_ssl_enabled

41
ansible/roles/nginx/tasks/templates/vhost.conf.j2
View File

@@ -3,46 +3,9 @@ server {
server_name {{ inventory_hostname }}; server_name {{ inventory_hostname }};
root /srv/http/{{ inventory_hostname }}/html; root /srv/http/{{ inventory_hostname }}/html;
# Allow lego to renew certs here using its own http server, we just proxy
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / { location / {
return 301 https://{{ inventory_hostname }}$request_uri;
index index.htm index.html; index index.htm index.html;
error_page 404 /404.html;
try_files $uri $uri.html $uri/ =404;
} }
}
server {
listen [::]:443 ssl ipv6only=off default_server;
http2 on;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname}}.crt;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname}}.key;
ssl_trusted_certificate /etc/nginx/ssl/{{ inventory_hostname}}.issuer.crt;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name {{ inventory_hostname }};
location / {
client_max_body_size 512M;
proxy_pass http://localhost:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
} }

46
ansible/roles/nginx/tasks/templates/vhost_ssl.conf.j2 Normal file
View File

@@ -0,0 +1,46 @@
server {
listen [::]:80 ipv6only=off default_server;
server_name {{ inventory_hostname }};
root /srv/http/{{ inventory_hostname }}/html;
# Allow lego to renew certs here using its own http server, we just proxy
location /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
}
location / {
return 301 https://{{ inventory_hostname }}$request_uri;
index index.htm index.html;
}
}
server {
listen [::]:443 ssl ipv6only=off default_server;
http2 on;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname}}.crt;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname}}.key;
ssl_trusted_certificate /etc/nginx/ssl/{{ inventory_hostname}}.issuer.crt;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name {{ inventory_hostname }};
location / {
client_max_body_size 512M;
proxy_pass http://localhost:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}