Housekeeping (#52)
This commit is contained in:
parent
e7be0f64f4
commit
724427bb85
4 changed files with 298 additions and 0 deletions
|
@ -0,0 +1,67 @@
|
|||
################################################################################
|
||||
# This file was generated by Ansible for {{ansible_fqdn}}
|
||||
# Do NOT modify this file by hand!
|
||||
################################################################################
|
||||
|
||||
upstream {{ item.key }}_backend {
|
||||
{% for upstream in item.value.upstreams %}
|
||||
server {{upstream.backend_address}}:{{upstream.backend_port}};
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known {
|
||||
alias /var/www/{{ item.key }}/.well-known;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
|
||||
{% if item.value.hsts_max_age is defined %}
|
||||
add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
location /.well-known {
|
||||
alias /var/www/{{ item.key }}/.well-known;
|
||||
}
|
||||
|
||||
location / {
|
||||
gzip off;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||
proxy_pass http://{{ item.key }}_backend;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,56 @@
|
|||
################################################################################
|
||||
# This file was generated by Ansible for {{ansible_fqdn}}
|
||||
# Do NOT modify this file by hand!
|
||||
################################################################################
|
||||
|
||||
{% if item.key == "default" %}
|
||||
server {
|
||||
listen {{ item.value.listen | default(80) }} default_server;
|
||||
listen [::]:{{ item.value.listen | default(80) }} default_server;
|
||||
server_name _;
|
||||
return 444;
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
|
||||
{% else %}
|
||||
upstream {{ item.key }}_backend {
|
||||
{% for upstream in item.value.upstreams %}
|
||||
server {{upstream.backend_address}}:{{upstream.backend_port}};
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen | default(80) }};
|
||||
listen [::]:{{ item.value.listen | default(80) }};
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
|
||||
location / {
|
||||
gzip off;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||
proxy_pass http://{{ item.key }}_backend;
|
||||
{% if item.value.auth is defined %}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location /.well-known {
|
||||
alias /var/www/{{ item.key }}/.well-known;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
{% endif %}
|
|
@ -0,0 +1,104 @@
|
|||
################################################################################
|
||||
# This file was generated by Ansible for {{ansible_fqdn}}
|
||||
# Do NOT modify this file by hand!
|
||||
################################################################################
|
||||
|
||||
{% if item.key == "default" %}
|
||||
server {
|
||||
listen {{ item.value.listen | default(80) }} default_server;
|
||||
listen [::]:{{ item.value.listen | default(80) }} default_server;
|
||||
server_name _;
|
||||
return 444;
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen_ssl | default(443) }} ssl http2 default_server;
|
||||
listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2 default_server;
|
||||
server_name _;
|
||||
return 444;
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
}
|
||||
|
||||
{% else %}
|
||||
upstream {{ item.key }}_backend {
|
||||
{% for upstream in item.value.upstreams %}
|
||||
server {{upstream.backend_address}}:{{upstream.backend_port}};
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen | default(80) }};
|
||||
listen [::]:{{ item.value.listen | default(80) }};
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
alias /var/www/{{ item.key }}/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen_ssl | default(443) }} ssl http2;
|
||||
listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2;
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
|
||||
{% if item.value.hsts_max_age is defined %}
|
||||
add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
alias /var/www/{{ item.key }}/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
gzip off;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||
proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;
|
||||
{% if item.value.auth is defined %}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
|
||||
{% endif %}
|
||||
}
|
||||
}
|
||||
{% endif %}
|
|
@ -0,0 +1,71 @@
|
|||
################################################################################
|
||||
# This file was generated by Ansible for {{ansible_fqdn}}
|
||||
# Do NOT modify this file by hand!
|
||||
################################################################################
|
||||
|
||||
upstream {{ item.key }}_backend {
|
||||
{% for upstream in item.value.upstreams %}
|
||||
server {{upstream.backend_address}}:{{upstream.backend_port}};
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen | default(80) }};
|
||||
listen [::]:{{ item.value.listen | default(80) }};
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
alias /var/www/{{ item.key }}/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ item.value.listen_ssl | default(443) }} ssl http2;
|
||||
listen [::]:{{ item.value.listen_ssl | default(443) }} ssl http2;
|
||||
server_name {{ item.value.domains | join(' ') }};
|
||||
|
||||
{% if item.value.hsts_max_age is defined %}
|
||||
add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
|
||||
{% endif %}
|
||||
|
||||
access_log /var/log/nginx/{{ item.key }}_access.log;
|
||||
error_log /var/log/nginx/{{ item.key }}_error.log error;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
alias /var/www/{{ item.key }}/.well-known/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
gzip off;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||||
proxy_pass {{ item.value.backend_protocol | default('http') }}://{{ item.key }}_backend;
|
||||
{% if item.value.auth is defined %}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /etc/nginx/{{ item.key }}_htpasswd;
|
||||
{% endif %}
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue