Rename role reverse-proxy to nginx + split configuration.
This commit is contained in:
parent
ce753e991c
commit
e3c7c4f38a
27 changed files with 344 additions and 449 deletions
9
env.yml
9
env.yml
|
@ -47,8 +47,8 @@ projects:
|
||||||
- homepage
|
- homepage
|
||||||
- lldap
|
- lldap
|
||||||
- mailserver
|
- mailserver
|
||||||
|
- nginx
|
||||||
- postgres
|
- postgres
|
||||||
- reverse-proxy
|
|
||||||
- searxng
|
- searxng
|
||||||
- synapse
|
- synapse
|
||||||
- syncthing
|
- syncthing
|
||||||
|
@ -149,12 +149,5 @@ volumes:
|
||||||
|
|
||||||
|
|
||||||
# Service-specific variables
|
# Service-specific variables
|
||||||
reverse_proxy:
|
|
||||||
ssl_certificate_file: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
|
|
||||||
ssl_certificate_key_file: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
|
|
||||||
ssl_trusted_certificate_file: "/etc/letsencrypt/live/{{ domain }}/chain.pem"
|
|
||||||
resolver: "185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]"
|
|
||||||
|
|
||||||
|
|
||||||
synapse:
|
synapse:
|
||||||
max_upload_size: 50M
|
max_upload_size: 50M
|
||||||
|
|
60
roles/nginx/tasks/main.yml
Normal file
60
roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
- name:
|
||||||
|
become: true
|
||||||
|
block:
|
||||||
|
- name: Install package nginx
|
||||||
|
apt:
|
||||||
|
name: nginx
|
||||||
|
|
||||||
|
- name: Delete directories in /etc/nginx/
|
||||||
|
file:
|
||||||
|
path: "/etc/nginx/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- sites-enabled
|
||||||
|
- snippets
|
||||||
|
|
||||||
|
- name: Create directories in /etc/nginx/
|
||||||
|
file:
|
||||||
|
path: "/etc/nginx/{{ item }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- sites-enabled
|
||||||
|
- snippets
|
||||||
|
|
||||||
|
- name: Template configuration files to /etc/nginx/
|
||||||
|
template:
|
||||||
|
src: "{{ item.src }}"
|
||||||
|
dest: "/etc/nginx/{{ item.path }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '644'
|
||||||
|
with_filetree: ../templates/
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
|
- name: Get state of file /etc/nginx/dhparam.txt
|
||||||
|
stat:
|
||||||
|
path: /etc/nginx/dhparam.txt
|
||||||
|
register: nginx_stat_dhparam_result
|
||||||
|
|
||||||
|
- name: Download dhparam file from Mozilla
|
||||||
|
get_url:
|
||||||
|
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||||
|
dest: /etc/nginx/dhparam.txt
|
||||||
|
when: not nginx_stat_dhparam_result.stat.exists
|
||||||
|
|
||||||
|
- name: Set correct permissions on certificate directories
|
||||||
|
file:
|
||||||
|
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '750'
|
||||||
|
loop:
|
||||||
|
- live
|
||||||
|
- archive
|
||||||
|
|
||||||
|
- name: Start/Reload NGINX service
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
enabled: yes
|
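Review bot: The `Download dhparam file from Mozilla` task has no integrity check, so whatever that HTTPS fetch returns on first run becomes the server's `ssl_dhparam` and is never re-examined, because the preceding stat task skips the download once the file exists. ffdhe2048 is the fixed RFC 7919 group, so it can be pinned: add `checksum: "sha256:<digest of the known-good ffdhe2048.txt>"` to the `get_url` task, or drop the download and stat tasks and ship the file from the role's `files/` with `copy:`. Note that `get_url` already leaves an existing `dest` alone unless `force: true`, so the separate stat task adds nothing once a checksum is in place. The block also has an empty `name:`; giving it one (`name: Install and configure nginx`) makes play output readable.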
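--- /dev/null
+++ b/roles/nginx/templates/nginx.conf
@@ -0,0 +1,38 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 1024;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+worker_connections 512;
+multi_accept off;
+}
+
+http {
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+
+gzip off;
+server_tokens off;
+keepalive_timeout 30;
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+include /etc/nginx/mime.types;
+
+# Needed to support websocket connections
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' "";
+}
+
+include /etc/nginx/conf.d/*.conf;
+
+include /etc/nginx/snippets/proxy.conf;
+include /etc/nginx/snippets/ssl.conf;
+include /etc/nginx/snippets/ssl-headers.conf;
+
+include /etc/nginx/sites-enabled/*;
+}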
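--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/authelia.conf
@@ -0,0 +1,10 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name auth.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
+}
+}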
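--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/default.conf
@@ -0,0 +1,15 @@
+# Redirect HTTP to HTTPS
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+
+return 308 https://$host$request_uri;
+}
+
+# Default HTTPS server
+server {
+listen 443 ssl http2 default_server;
+listen [::]:443 ssl http2 default_server;
+
+return 404;
+}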
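Review bot: The catch-all `listen 443 ssl http2 default_server` block completes the TLS handshake with the `{{ domain }}` certificate for any unmatched or absent SNI before answering 404, which hands scanners the certificate and its SAN list for free. If the packaged nginx is 1.19.4 or newer, add `ssl_reject_handshake on;` to that server so such connections are refused at the handshake instead of being served a certificate. The plain-HTTP server reflects the client-supplied `$host` into the 308 Location; redirecting to a fixed `https://{{ domain }}$request_uri` (or one redirect server per known name) avoids echoing arbitrary Host values, though the impact there is limited to the requester's own connection.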
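--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/downloads.conf
@@ -0,0 +1,9 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name dl.{{ domain }};
+
+root /var/www/html;
+autoindex on;
+}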
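Review bot: `autoindex on` under `root /var/www/html` publishes a listing of everything in that directory to anyone on the internet with no authentication, unlike the lldap and syncthing vhosts which are gated by the Authelia snippets. If dl.{{ domain }} is meant to be public, a comment saying so (and that nothing private may be dropped into /var/www/html) would stop the next maintainer from reusing the directory; if not, add `include /etc/nginx/snippets/authelia-location.conf;` and the auth_request include as those vhosts do. Since nginx follows symlinks in the served tree by default, `disable_symlinks if_not_owner;` is also worth adding so a stray link cannot expose files outside the web root.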
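--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/element.conf
@@ -0,0 +1,16 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name element.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['element'] }};
+
+include /etc/nginx/snippets/ssl-headers.conf;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Content-Security-Policy "frame-ancestors 'none'";
+}
+}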
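Review bot: The header set in `location /` is internally inconsistent: `X-Frame-Options SAMEORIGIN` permits same-origin framing while `Content-Security-Policy "frame-ancestors 'none'"` forbids all framing, and browsers that honour CSP ignore XFO, so the effective policy depends on the client. `add_header X-Frame-Options DENY;` states the same intent as the CSP for legacy clients, and `add_header X-XSS-Protection "0";` is the current recommendation, since the `1; mode=block` auditor has been removed from modern browsers and caused side channels in older ones. These values look like the ones Element's own deployment docs publish, so this is a style point rather than a defect; if they are kept deliberately, a comment citing that source would explain the choice.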
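--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/etebase.conf
@@ -0,0 +1,10 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name etebase.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
+}
+}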
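--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/hedgedoc.conf
@@ -0,0 +1,16 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name hedgedoc.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
+}
+
+location /socket.io/ {
+proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
+
+include /etc/nginx/snippets/websocket.conf;
+}
+}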
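--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/homepage.conf
@@ -0,0 +1,25 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name {{ domain }};
+
+location = /.well-known/matrix/server {
+default_type application/json;
+
+return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
+}
+
+location = /.well-known/matrix/client {
+default_type application/json;
+
+include /etc/nginx/snippets/ssl-headers.conf;
+add_header Access-Control-Allow-Origin '*';
+
+return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
+}
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
+}
+}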
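--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/jmap.conf
@@ -0,0 +1,12 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name jmap.{{ domain }};
+
+location / {
+proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
+
+include /etc/nginx/snippets/websocket.conf;
+}
+}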
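--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/lldap.conf
@@ -0,0 +1,14 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name ldap.{{ domain }};
+
+include /etc/nginx/snippets/authelia-location.conf;
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
+
+include /etc/nginx/snippets/authelia-authrequest.conf;
+}
+}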
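--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/searxng.conf
@@ -0,0 +1,13 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name searx.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
+
+include /etc/nginx/snippets/ssl-headers.conf;
+add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
+}
+}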
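--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/synapse.conf
@@ -0,0 +1,12 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name matrix.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
+
+client_max_body_size {{ synapse['max_upload_size'] }};
+}
+}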
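--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/syncthing-discovery.conf
@@ -0,0 +1,16 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name stdisco.{{ domain }};
+
+ssl_verify_client optional_no_ca;
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }};
+
+proxy_set_header X-Client-Port $remote_port;
+proxy_set_header X-SSL-Cert $ssl_client_cert;
+include /etc/nginx/snippets/websocket.conf;
+}
+}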
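--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/syncthing.conf
@@ -0,0 +1,14 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name syncthing.{{ domain }};
+
+include /etc/nginx/snippets/authelia-location.conf;
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
+
+include /etc/nginx/snippets/authelia-authrequest.conf;
+}
+}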
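--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/uptime-kuma.conf
@@ -0,0 +1,12 @@
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name status.{{ domain }};
+
+location / {
+proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
+
+include /etc/nginx/snippets/websocket.conf;
+}
+}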
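--- /dev/null
+++ b/roles/nginx/templates/sites-enabled/vaultwarden.conf
@@ -0,0 +1,18 @@
+upstream vaultwarden {
+zone vaultwarden 64k;
+server 127.0.0.1:{{ ports['vaultwarden'] }};
+keepalive 2;
+}
+
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+
+server_name vw.{{ domain }};
+
+location / {
+proxy_pass http://vaultwarden;
+
+include /etc/nginx/snippets/websocket.conf;
+}
+}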
|
@ -1,15 +1,15 @@
|
||||||
location /internal/authelia/authz {
|
location /internal/authelia/authz {
|
||||||
internal;
|
internal;
|
||||||
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request;
|
proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request;
|
||||||
|
|
||||||
proxy_set_header X-Original-Method $request_method;
|
proxy_set_header X-Original-Method $request_method;
|
||||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
proxy_set_header Connection "";
|
proxy_set_header Connection "";
|
||||||
|
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_cache_bypass $cookie_session;
|
proxy_cache_bypass $cookie_session;
|
||||||
proxy_no_cache $cookie_session;
|
proxy_no_cache $cookie_session;
|
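--- /dev/null
+++ b/roles/nginx/templates/snippets/proxy.conf
@@ -0,0 +1,10 @@
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-URI $request_uri;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP $remote_addr;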
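Review bot: `X-Forwarded-For $proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` the client itself sent, so any backend that reads the first entry (rate limiters, admin-IP allowlists, audit logs) sees an attacker-chosen address. Nothing in this role shows another trusted proxy in front of nginx, and the authelia-authrequest snippet in the same commit already uses `proxy_set_header X-Forwarded-For $remote_addr;`; use the same here unless a CDN or load balancer is in the path, in which case declare it with `set_real_ip_from`/`real_ip_header` rather than trusting the raw chain. Be aware that this http-level snippet is inherited only by `location` blocks that declare no `proxy_set_header` of their own, so it does not reach the websocket and syncthing-discovery locations as written.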
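--- /dev/null
+++ b/roles/nginx/templates/snippets/ssl.conf
@@ -0,0 +1,18 @@
+ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/nginx/dhparam.txt;
+
+ssl_prefer_server_ciphers on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+
+ssl_stapling on;
+ssl_stapling_verify on;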
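Review bot: `ssl_stapling on; ssl_stapling_verify on;` need a `resolver` to look up the OCSP responder hostname, and this commit removes the only one (the `resolver {{ reverse_proxy['resolver'] }}` line of the old nginx.conf together with the `reverse_proxy.resolver` variable in env.yml) without adding a replacement, so stapling will fail quietly with a "no resolver defined" entry in error.log and clients fall back to their own OCSP behaviour. Either add `resolver 127.0.0.53 valid=300s;` (or whatever resolver the host actually uses) next to the stapling directives, or drop the two stapling lines so the config does not claim a property it cannot deliver. Separately, `ssl_prefer_server_ciphers on` deviates from the Mozilla intermediate profile these ciphers are taken from, which sets it off; harmless, but worth a comment if intentional.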
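--- /dev/null
+++ b/roles/nginx/templates/snippets/websocket.conf
@@ -0,0 +1,2 @@
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;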
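Review bot: Including this snippet inside a `location` silently discards the headers from snippets/proxy.conf, because nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none, and the two directives here count; the hedgedoc `/socket.io/`, jmap, uptime-kuma, vaultwarden and syncthing-discovery locations therefore send no `Host`, `X-Forwarded-*` or `X-Real-IP` at all, with `Host` falling back to the upstream address. Those backends then see every request as coming from 127.0.0.1, which defeats any IP-based rate limiting, lockout or logging they do. Add `include /etc/nginx/snippets/proxy.conf;` as the first line of this snippet so the full header set is re-declared wherever it is used; the same caveat applies to any other location-level `proxy_set_header`, including the authelia-authrequest include in lldap.conf and syncthing.conf if that snippet sets headers.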
|
@ -1,79 +0,0 @@
|
||||||
- name:
|
|
||||||
become: true
|
|
||||||
block:
|
|
||||||
- name: Install package nginx
|
|
||||||
apt:
|
|
||||||
name: nginx
|
|
||||||
|
|
||||||
- name: Template configuration files to /etc/nginx/
|
|
||||||
template:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: "/etc/nginx/{{ item }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '644'
|
|
||||||
loop:
|
|
||||||
- nginx.conf
|
|
||||||
- authelia-location.conf
|
|
||||||
- authelia-authrequest.conf
|
|
||||||
|
|
||||||
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
|
|
||||||
template:
|
|
||||||
src: reverse-proxy.conf
|
|
||||||
dest: /etc/nginx/sites-available/reverse-proxy.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '644'
|
|
||||||
|
|
||||||
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
|
|
||||||
copy:
|
|
||||||
src: files/ssl-headers.conf
|
|
||||||
dest: /etc/nginx/conf.d/ssl-headers.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '644'
|
|
||||||
|
|
||||||
- name: Remove all enabled NGINX sites
|
|
||||||
file:
|
|
||||||
state: "{{ item }}"
|
|
||||||
path: "/etc/nginx/sites-enabled"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '755'
|
|
||||||
loop:
|
|
||||||
- absent
|
|
||||||
- directory
|
|
||||||
|
|
||||||
- name: Enable reverse-proxy.conf site
|
|
||||||
file:
|
|
||||||
state: link
|
|
||||||
src: /etc/nginx/sites-available/reverse-proxy.conf
|
|
||||||
dest: /etc/nginx/sites-enabled/reverse-proxy.conf
|
|
||||||
|
|
||||||
- name: Get state of file /etc/nginx/dhparam.txt
|
|
||||||
stat:
|
|
||||||
path: /etc/nginx/dhparam.txt
|
|
||||||
register: nginx_stat_dhparam_result
|
|
||||||
|
|
||||||
- name: Download dhparam file from Mozilla
|
|
||||||
get_url:
|
|
||||||
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
|
||||||
dest: /etc/nginx/dhparam.txt
|
|
||||||
when: not nginx_stat_dhparam_result.stat.exists
|
|
||||||
|
|
||||||
- name: Set correct permissions on certificate directories
|
|
||||||
file:
|
|
||||||
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '750'
|
|
||||||
loop:
|
|
||||||
- live
|
|
||||||
- archive
|
|
||||||
|
|
||||||
- name: Start/Reload NGINX service
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: reloaded
|
|
||||||
enabled: yes
|
|
|
@ -1,86 +0,0 @@
|
||||||
user www-data;
|
|
||||||
worker_processes auto;
|
|
||||||
worker_rlimit_nofile 1024;
|
|
||||||
include /etc/nginx/modules-enabled/*.conf;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 512;
|
|
||||||
multi_accept off;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
|
|
||||||
##
|
|
||||||
# Basic Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
tcp_nodelay on;
|
|
||||||
|
|
||||||
gzip off;
|
|
||||||
server_tokens off;
|
|
||||||
keepalive_timeout 30;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
|
|
||||||
##
|
|
||||||
# SSL Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
|
|
||||||
ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
|
|
||||||
ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
|
||||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
|
||||||
ssl_dhparam /etc/nginx/dhparam.txt;
|
|
||||||
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Logging Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log;
|
|
||||||
error_log /var/log/nginx/error.log;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Headers
|
|
||||||
##
|
|
||||||
|
|
||||||
resolver {{ reverse_proxy['resolver'] }};
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
|
||||||
proxy_set_header X-Forwarded-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
|
|
||||||
# Needed to support websocket connections
|
|
||||||
# See: https://nginx.org/en/docs/http/websocket.html
|
|
||||||
# Instead of "close" as stated in the above link we send an empty value.
|
|
||||||
# Else all keepalive connections will not work.
|
|
||||||
map $http_upgrade $connection_upgrade {
|
|
||||||
default upgrade;
|
|
||||||
'' "";
|
|
||||||
}
|
|
||||||
|
|
||||||
##
|
|
||||||
# Virtual Host Configs
|
|
||||||
##
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
include /etc/nginx/sites-enabled/*;
|
|
||||||
}
|
|
|
@ -1,273 +0,0 @@
|
||||||
# Redirect HTTP to HTTPS
|
|
||||||
server {
|
|
||||||
listen 80 default_server;
|
|
||||||
listen [::]:80 default_server;
|
|
||||||
|
|
||||||
server_name _;
|
|
||||||
|
|
||||||
return 308 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Default HTTPS server
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2 default_server;
|
|
||||||
listen [::]:443 ssl http2 default_server;
|
|
||||||
|
|
||||||
server_name _;
|
|
||||||
server_name_in_redirect off;
|
|
||||||
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Homepage
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ domain }};
|
|
||||||
|
|
||||||
location = /.well-known/matrix/server {
|
|
||||||
default_type application/json;
|
|
||||||
|
|
||||||
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /.well-known/matrix/client {
|
|
||||||
default_type application/json;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
||||||
add_header Access-Control-Allow-Origin '*';
|
|
||||||
|
|
||||||
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Downloads
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name dl.{{ domain }};
|
|
||||||
|
|
||||||
root /var/www/html;
|
|
||||||
autoindex on;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Authelia
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name auth.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Element
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name element.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['element'] }};
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Etebase
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name etebase.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Hedgedoc
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name hedgedoc.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
|
||||||
}
|
|
||||||
|
|
||||||
location /socket.io/ {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
|
||||||
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $http_connection;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# JMAP
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name jmap.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
|
|
||||||
|
|
||||||
# Websocket
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# LLDAP
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name ldap.{{ domain }};
|
|
||||||
|
|
||||||
include /etc/nginx/authelia-location.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
|
||||||
include /etc/nginx/authelia-authrequest.conf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# SearXNG
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name searx.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
|
||||||
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Synapse
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name matrix.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
|
|
||||||
|
|
||||||
# Nginx by default only allows file uploads up to 1M in size
|
|
||||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
||||||
client_max_body_size {{ synapse['max_upload_size'] }};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Syncthihng
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name syncthing.{{ domain }};
|
|
||||||
|
|
||||||
include /etc/nginx/authelia-location.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
|
|
||||||
include /etc/nginx/authelia-authrequest.conf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Syncthing Discovery
|
|
||||||
upstream stdisco.{{ domain }} {
|
|
||||||
# Local IP address:port for discovery server
|
|
||||||
server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name stdisco.{{ domain }};
|
|
||||||
|
|
||||||
ssl_verify_client optional_no_ca;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://stdisco.{{ domain }};
|
|
||||||
|
|
||||||
proxy_set_header X-Client-Port $remote_port;
|
|
||||||
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $http_connection;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Uptime Kuma
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name status.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
|
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Vaultwarden
|
|
||||||
upstream vaultwarden-default {
|
|
||||||
zone vaultwarden-default 64k;
|
|
||||||
server 127.0.0.1:{{ ports['vaultwarden'] }};
|
|
||||||
keepalive 2;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name vw.{{ domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://vaultwarden-default;
|
|
||||||
|
|
||||||
# Websocket
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
}
|
|
||||||
}
|
|