Rename role reverse-proxy to nginx + split configuration.

This commit is contained in:
Viyurz 2024-04-01 10:27:06 +02:00
parent ce753e991c
commit e3c7c4f38a
Signed by: Viyurz
SSH key fingerprint: SHA256:IskOHTmhHSJIvAt04N6aaxd5SZCVWW1Guf9tEcxIMj8
27 changed files with 344 additions and 449 deletions


@ -47,8 +47,8 @@ projects:
- homepage
- lldap
- mailserver
- nginx
- postgres
- reverse-proxy
- searxng
- synapse
- syncthing
@ -149,12 +149,5 @@ volumes:
# Service-specific variables
reverse_proxy:
ssl_certificate_file: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
ssl_certificate_key_file: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
ssl_trusted_certificate_file: "/etc/letsencrypt/live/{{ domain }}/chain.pem"
resolver: "185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]"
synapse:
max_upload_size: 50M


@ -0,0 +1,60 @@
- name:
become: true
block:
- name: Install package nginx
apt:
name: nginx
- name: Delete directories in /etc/nginx/
file:
path: "/etc/nginx/{{ item }}"
state: absent
loop:
- sites-enabled
- snippets
- name: Create directories in /etc/nginx/
file:
path: "/etc/nginx/{{ item }}"
state: directory
loop:
- sites-enabled
- snippets
- name: Template configuration files to /etc/nginx/
template:
src: "{{ item.src }}"
dest: "/etc/nginx/{{ item.path }}"
owner: root
group: root
mode: '644'
with_filetree: ../templates/
when: item.state == 'file'
- name: Get state of file /etc/nginx/dhparam.txt
stat:
path: /etc/nginx/dhparam.txt
register: nginx_stat_dhparam_result
- name: Download dhparam file from Mozilla
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/nginx/dhparam.txt
when: not nginx_stat_dhparam_result.stat.exists
- name: Set correct permissions on certificate directories
file:
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
state: directory
owner: root
group: root
mode: '750'
loop:
- live
- archive
- name: Start/Reload NGINX service
service:
name: nginx
state: reloaded
enabled: yes
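Review bot: The final task reloads nginx straight after every file under /etc/nginx/ has been re-templated, with no explicit configuration test in between, so a broken template is only discovered by the reload itself and the failure surfaces as a service-module error rather than at the offending directive. Insert a check task before the reload, `- name: Validate NGINX configuration` / `  command: nginx -t` / `  changed_when: false`, so the play stops with nginx's own error message while the running instance keeps its old configuration. Two smaller YAML points on the same file: the play's first line `- name:` carries an empty value (it parses as null) and should have a description such as `Install and configure NGINX`, and `enabled: yes` on the last line should be the canonical `enabled: true`.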


@ -0,0 +1,38 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 1024;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 512;
multi_accept off;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
server_tokens off;
keepalive_timeout 30;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/mime.types;
# Needed to support websocket connections
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/ssl-headers.conf;
include /etc/nginx/sites-enabled/*;
}
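Review bot: The `map $http_upgrade $connection_upgrade` block kept its one-line comment but lost the part that made it understandable: the old nginx.conf explained that `''` maps to an empty value instead of the `close` shown in nginx's websocket documentation, because otherwise upstream keepalive connections stop working. That still matters in the new layout, since the vaultwarden upstream sets `keepalive 2` and its location includes websocket.conf. Restore the explanation above the map, e.g. `# '' maps to "" rather than "close" (as in nginx's websocket docs) so upstream keepalive keeps working`.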


@ -0,0 +1,10 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name auth.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
}
}


@ -0,0 +1,15 @@
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
return 308 https://$host$request_uri;
}
# Default HTTPS server
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
return 404;
}
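Review bot: The `http2` flag now appears only on the two default_server listens, while every per-site server in this commit uses a plain `listen 443 ssl;`, and nothing says whether that is deliberate. Where `http2` is still a `listen` parameter it is set per address:port, so the flag here presumably enables HTTP/2 for every server block on the 443 socket; if that is the intent it deserves a comment so the next reader does not "fix" the site files, e.g. `# http2 on this listen applies to every server on the 443 socket; site files do not repeat it`. If the nginx version in use instead takes `http2` as a standalone directive, the flag belongs at http level in nginx.conf rather than on these listens.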


@ -0,0 +1,9 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name dl.{{ domain }};
root /var/www/html;
autoindex on;
}


@ -0,0 +1,16 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name element.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['element'] }};
include /etc/nginx/snippets/ssl-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}
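Review bot: The `include /etc/nginx/snippets/ssl-headers.conf;` inside the location is load-bearing and should say so: any `add_header` in a location replaces the whole inherited header set, so without the re-include the four headers that follow would silently drop everything set at http level. Suggest `# add_header below discards inherited headers; re-include the shared set first` above the include; the same pattern appears in the homepage `.well-known/matrix/client` location and in the searx location and could carry the same comment. Separately, `X-Frame-Options SAMEORIGIN` and `Content-Security-Policy "frame-ancestors 'none'"` disagree with each other (browsers that understand CSP let frame-ancestors win, so the page is never framable); this is carried over from the old file, but one of the two should be picked.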


@ -0,0 +1,10 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name etebase.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
}
}


@ -0,0 +1,16 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name hedgedoc.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
}
location /socket.io/ {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
include /etc/nginx/snippets/websocket.conf;
}
}


@ -0,0 +1,25 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ domain }};
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
location = /.well-known/matrix/client {
default_type application/json;
include /etc/nginx/snippets/ssl-headers.conf;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
location / {
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
}
}


@ -0,0 +1,12 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jmap.{{ domain }};
location / {
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
include /etc/nginx/snippets/websocket.conf;
}
}
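Review bot: `proxy_pass https://127.0.0.1:...` is the only TLS upstream in the split, and nothing records that the backend certificate is not checked (nginx's `proxy_ssl_verify` defaults to off and no `proxy_ssl_*` directive is set here). That is defensible for a loopback backend, but it should be stated so the block is not copied for a remote upstream, e.g. `# backend cert is not verified (proxy_ssl_verify defaults off); acceptable only because this is loopback`.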


@ -0,0 +1,14 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ldap.{{ domain }};
include /etc/nginx/snippets/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
include /etc/nginx/snippets/authelia-authrequest.conf;
}
}


@ -0,0 +1,13 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name searx.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
include /etc/nginx/snippets/ssl-headers.conf;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}


@ -0,0 +1,12 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name matrix.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
client_max_body_size {{ synapse['max_upload_size'] }};
}
}
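Review bot: The explanation for `client_max_body_size` was dropped in the move: the old reverse-proxy.conf noted above this directive that nginx only allows uploads up to 1M by default and that the value must match `max_upload_size` in homeserver.yaml. Restore it above the directive, e.g. `# nginx defaults to 1M; keep in sync with max_upload_size in homeserver.yaml`.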


@ -0,0 +1,16 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name stdisco.{{ domain }};
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }};
proxy_set_header X-Client-Port $remote_port;
proxy_set_header X-SSL-Cert $ssl_client_cert;
include /etc/nginx/snippets/websocket.conf;
}
}


@ -0,0 +1,14 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name syncthing.{{ domain }};
include /etc/nginx/snippets/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
include /etc/nginx/snippets/authelia-authrequest.conf;
}
}


@ -0,0 +1,12 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name status.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
include /etc/nginx/snippets/websocket.conf;
}
}


@ -0,0 +1,18 @@
upstream vaultwarden {
zone vaultwarden 64k;
server 127.0.0.1:{{ ports['vaultwarden'] }};
keepalive 2;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name vw.{{ domain }};
location / {
proxy_pass http://vaultwarden;
include /etc/nginx/snippets/websocket.conf;
}
}


@ -0,0 +1,10 @@
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;


@ -0,0 +1,18 @@
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
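Review bot: `ssl_stapling on` and `ssl_stapling_verify on` are kept here, but no `resolver` directive survives the split: the old nginx.conf set `resolver {{ reverse_proxy['resolver'] }}` and this commit removes that variable from group_vars without carrying the directive into ssl.conf or nginx.conf. Without a resolver nginx cannot look up the OCSP responder named in the certificate, so stapling is quietly skipped and only a warning lands in the error log. Add a `resolver` line to this snippet (or nginx.conf's http block), for example `resolver 127.0.0.1 [::1] valid=300s;` as a constructed placeholder to be replaced with whatever resolver the host actually uses; since OCSP is fetched over plain HTTP, a local or otherwise trusted resolver is the safer choice.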


@ -0,0 +1,2 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
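Review bot: Including this snippet inside a location silently drops every header set in proxy.conf, because nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none of its own; the hedgedoc `/socket.io/`, jmap, stdisco, status and vw locations in this commit therefore proxy without `Host $host`, `X-Forwarded-For`, `X-Real-IP` or the other proxy.conf headers. Adding `include /etc/nginx/snippets/proxy.conf;` as the first line of this file restores them wherever the snippet is used; `proxy_set_header` may be repeated, so the http-level include in nginx.conf stays harmless. The stdisco location's own `X-Client-Port`/`X-SSL-Cert` lines trigger the same rule and are covered by the same change because that location includes this snippet. This is inherited from the old layout rather than introduced here, but the split makes it fixable in one place.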


@ -1,79 +0,0 @@
- name:
become: true
block:
- name: Install package nginx
apt:
name: nginx
- name: Template configuration files to /etc/nginx/
template:
src: "{{ item }}"
dest: "/etc/nginx/{{ item }}"
owner: root
group: root
mode: '644'
loop:
- nginx.conf
- authelia-location.conf
- authelia-authrequest.conf
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
template:
src: reverse-proxy.conf
dest: /etc/nginx/sites-available/reverse-proxy.conf
owner: root
group: root
mode: '644'
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
copy:
src: files/ssl-headers.conf
dest: /etc/nginx/conf.d/ssl-headers.conf
owner: root
group: root
mode: '644'
- name: Remove all enabled NGINX sites
file:
state: "{{ item }}"
path: "/etc/nginx/sites-enabled"
owner: root
group: root
mode: '755'
loop:
- absent
- directory
- name: Enable reverse-proxy.conf site
file:
state: link
src: /etc/nginx/sites-available/reverse-proxy.conf
dest: /etc/nginx/sites-enabled/reverse-proxy.conf
- name: Get state of file /etc/nginx/dhparam.txt
stat:
path: /etc/nginx/dhparam.txt
register: nginx_stat_dhparam_result
- name: Download dhparam file from Mozilla
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/nginx/dhparam.txt
when: not nginx_stat_dhparam_result.stat.exists
- name: Set correct permissions on certificate directories
file:
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
state: directory
owner: root
group: root
mode: '750'
loop:
- live
- archive
- name: Start/Reload NGINX service
service:
name: nginx
state: reloaded
enabled: yes


@ -1,86 +0,0 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 1024;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 512;
multi_accept off;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
server_tokens off;
keepalive_timeout 30;
include /etc/nginx/mime.types;
##
# SSL Settings
##
ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Headers
##
resolver {{ reverse_proxy['resolver'] }};
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@ -1,273 +0,0 @@
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 308 https://$host$request_uri;
}
# Default HTTPS server
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
server_name_in_redirect off;
return 404;
}
# Homepage
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ domain }};
location = /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
}
location = /.well-known/matrix/client {
default_type application/json;
include /etc/nginx/conf.d/ssl-headers.conf;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
}
location / {
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
}
}
# Downloads
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dl.{{ domain }};
root /var/www/html;
autoindex on;
}
# Authelia
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name auth.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
}
}
# Element
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['element'] }};
include /etc/nginx/conf.d/ssl-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}
# Etebase
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name etebase.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
}
}
# Hedgedoc
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hedgedoc.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
}
location /socket.io/ {
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
# JMAP
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name jmap.{{ domain }};
location / {
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
# LLDAP
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ldap.{{ domain }};
include /etc/nginx/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
include /etc/nginx/authelia-authrequest.conf;
}
}
# SearXNG
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name searx.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
include /etc/nginx/conf.d/ssl-headers.conf;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}
# Synapse
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name matrix.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size {{ synapse['max_upload_size'] }};
}
}
# Syncthihng
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name syncthing.{{ domain }};
include /etc/nginx/authelia-location.conf;
location / {
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
include /etc/nginx/authelia-authrequest.conf;
}
}
# Syncthing Discovery
upstream stdisco.{{ domain }} {
# Local IP address:port for discovery server
server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name stdisco.{{ domain }};
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://stdisco.{{ domain }};
proxy_set_header X-Client-Port $remote_port;
proxy_set_header X-SSL-Cert $ssl_client_cert;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
}
# Uptime Kuma
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name status.{{ domain }};
location / {
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
# Vaultwarden
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:{{ ports['vaultwarden'] }};
keepalive 2;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vw.{{ domain }};
location / {
proxy_pass http://vaultwarden-default;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}