Rename role reverse-proxy to nginx + split configuration.
This commit is contained in:
parent
ce753e991c
commit
e3c7c4f38a
27 changed files with 344 additions and 449 deletions
9
env.yml
9
env.yml
|
@ -47,8 +47,8 @@ projects:
|
|||
- homepage
|
||||
- lldap
|
||||
- mailserver
|
||||
- nginx
|
||||
- postgres
|
||||
- reverse-proxy
|
||||
- searxng
|
||||
- synapse
|
||||
- syncthing
|
||||
|
@ -149,12 +149,5 @@ volumes:
|
|||
|
||||
|
||||
# Service-specific variables
|
||||
reverse_proxy:
|
||||
ssl_certificate_file: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
|
||||
ssl_certificate_key_file: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
|
||||
ssl_trusted_certificate_file: "/etc/letsencrypt/live/{{ domain }}/chain.pem"
|
||||
resolver: "185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]"
|
||||
|
||||
|
||||
synapse:
|
||||
max_upload_size: 50M
|
||||
|
|
60
roles/nginx/tasks/main.yml
Normal file
60
roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,60 @@
|
|||
- name:
|
||||
become: true
|
||||
block:
|
||||
- name: Install package nginx
|
||||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: Delete directories in /etc/nginx/
|
||||
file:
|
||||
path: "/etc/nginx/{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- sites-enabled
|
||||
- snippets
|
||||
|
||||
- name: Create directories in /etc/nginx/
|
||||
file:
|
||||
path: "/etc/nginx/{{ item }}"
|
||||
state: directory
|
||||
loop:
|
||||
- sites-enabled
|
||||
- snippets
|
||||
|
||||
- name: Template configuration files to /etc/nginx/
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "/etc/nginx/{{ item.path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
with_filetree: ../templates/
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Get state of file /etc/nginx/dhparam.txt
|
||||
stat:
|
||||
path: /etc/nginx/dhparam.txt
|
||||
register: nginx_stat_dhparam_result
|
||||
|
||||
- name: Download dhparam file from Mozilla
|
||||
get_url:
|
||||
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||
dest: /etc/nginx/dhparam.txt
|
||||
when: not nginx_stat_dhparam_result.stat.exists
|
||||
|
||||
- name: Set correct permissions on certificate directories
|
||||
file:
|
||||
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '750'
|
||||
loop:
|
||||
- live
|
||||
- archive
|
||||
|
||||
- name: Start/Reload NGINX service
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
enabled: yes
|
38
roles/nginx/templates/nginx.conf
Normal file
38
roles/nginx/templates/nginx.conf
Normal file
|
@ -0,0 +1,38 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_rlimit_nofile 1024;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 512;
|
||||
multi_accept off;
|
||||
}
|
||||
|
||||
http {
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
gzip off;
|
||||
server_tokens off;
|
||||
keepalive_timeout 30;
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
|
||||
# Needed to support websocket connections
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' "";
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
include /etc/nginx/snippets/ssl.conf;
|
||||
include /etc/nginx/snippets/ssl-headers.conf;
|
||||
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
10
roles/nginx/templates/sites-enabled/authelia.conf
Normal file
10
roles/nginx/templates/sites-enabled/authelia.conf
Normal file
|
@ -0,0 +1,10 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name auth.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
|
||||
}
|
||||
}
|
15
roles/nginx/templates/sites-enabled/default.conf
Normal file
15
roles/nginx/templates/sites-enabled/default.conf
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Redirect HTTP to HTTPS
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
return 308 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# Default HTTPS server
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
|
||||
return 404;
|
||||
}
|
9
roles/nginx/templates/sites-enabled/downloads.conf
Normal file
9
roles/nginx/templates/sites-enabled/downloads.conf
Normal file
|
@ -0,0 +1,9 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name dl.{{ domain }};
|
||||
|
||||
root /var/www/html;
|
||||
autoindex on;
|
||||
}
|
16
roles/nginx/templates/sites-enabled/element.conf
Normal file
16
roles/nginx/templates/sites-enabled/element.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name element.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['element'] }};
|
||||
|
||||
include /etc/nginx/snippets/ssl-headers.conf;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
}
|
||||
}
|
10
roles/nginx/templates/sites-enabled/etebase.conf
Normal file
10
roles/nginx/templates/sites-enabled/etebase.conf
Normal file
|
@ -0,0 +1,10 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name etebase.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
|
||||
}
|
||||
}
|
16
roles/nginx/templates/sites-enabled/hedgedoc.conf
Normal file
16
roles/nginx/templates/sites-enabled/hedgedoc.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name hedgedoc.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
||||
}
|
||||
|
||||
location /socket.io/ {
|
||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
||||
|
||||
include /etc/nginx/snippets/websocket.conf;
|
||||
}
|
||||
}
|
25
roles/nginx/templates/sites-enabled/homepage.conf
Normal file
25
roles/nginx/templates/sites-enabled/homepage.conf
Normal file
|
@ -0,0 +1,25 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name {{ domain }};
|
||||
|
||||
location = /.well-known/matrix/server {
|
||||
default_type application/json;
|
||||
|
||||
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
|
||||
}
|
||||
|
||||
location = /.well-known/matrix/client {
|
||||
default_type application/json;
|
||||
|
||||
include /etc/nginx/snippets/ssl-headers.conf;
|
||||
add_header Access-Control-Allow-Origin '*';
|
||||
|
||||
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
|
||||
}
|
||||
}
|
12
roles/nginx/templates/sites-enabled/jmap.conf
Normal file
12
roles/nginx/templates/sites-enabled/jmap.conf
Normal file
|
@ -0,0 +1,12 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name jmap.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
|
||||
|
||||
include /etc/nginx/snippets/websocket.conf;
|
||||
}
|
||||
}
|
14
roles/nginx/templates/sites-enabled/lldap.conf
Normal file
14
roles/nginx/templates/sites-enabled/lldap.conf
Normal file
|
@ -0,0 +1,14 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name ldap.{{ domain }};
|
||||
|
||||
include /etc/nginx/snippets/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
||||
|
||||
include /etc/nginx/snippets/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
13
roles/nginx/templates/sites-enabled/searxng.conf
Normal file
13
roles/nginx/templates/sites-enabled/searxng.conf
Normal file
|
@ -0,0 +1,13 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name searx.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
|
||||
|
||||
include /etc/nginx/snippets/ssl-headers.conf;
|
||||
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
||||
}
|
||||
}
|
12
roles/nginx/templates/sites-enabled/synapse.conf
Normal file
12
roles/nginx/templates/sites-enabled/synapse.conf
Normal file
|
@ -0,0 +1,12 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name matrix.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
|
||||
|
||||
client_max_body_size {{ synapse['max_upload_size'] }};
|
||||
}
|
||||
}
|
16
roles/nginx/templates/sites-enabled/syncthing-discovery.conf
Normal file
16
roles/nginx/templates/sites-enabled/syncthing-discovery.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name stdisco.{{ domain }};
|
||||
|
||||
ssl_verify_client optional_no_ca;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }};
|
||||
|
||||
proxy_set_header X-Client-Port $remote_port;
|
||||
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
||||
include /etc/nginx/snippets/websocket.conf;
|
||||
}
|
||||
}
|
14
roles/nginx/templates/sites-enabled/syncthing.conf
Normal file
14
roles/nginx/templates/sites-enabled/syncthing.conf
Normal file
|
@ -0,0 +1,14 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name syncthing.{{ domain }};
|
||||
|
||||
include /etc/nginx/snippets/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
|
||||
|
||||
include /etc/nginx/snippets/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
12
roles/nginx/templates/sites-enabled/uptime-kuma.conf
Normal file
12
roles/nginx/templates/sites-enabled/uptime-kuma.conf
Normal file
|
@ -0,0 +1,12 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name status.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
|
||||
|
||||
include /etc/nginx/snippets/websocket.conf;
|
||||
}
|
||||
}
|
18
roles/nginx/templates/sites-enabled/vaultwarden.conf
Normal file
18
roles/nginx/templates/sites-enabled/vaultwarden.conf
Normal file
|
@ -0,0 +1,18 @@
|
|||
upstream vaultwarden {
|
||||
zone vaultwarden 64k;
|
||||
server 127.0.0.1:{{ ports['vaultwarden'] }};
|
||||
keepalive 2;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
server_name vw.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://vaultwarden;
|
||||
|
||||
include /etc/nginx/snippets/websocket.conf;
|
||||
}
|
||||
}
|
10
roles/nginx/templates/snippets/proxy.conf
Normal file
10
roles/nginx/templates/snippets/proxy.conf
Normal file
|
@ -0,0 +1,10 @@
|
|||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-URI $request_uri;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
18
roles/nginx/templates/snippets/ssl.conf
Normal file
18
roles/nginx/templates/snippets/ssl.conf
Normal file
|
@ -0,0 +1,18 @@
|
|||
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
|
||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
||||
ssl_dhparam /etc/nginx/dhparam.txt;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
2
roles/nginx/templates/snippets/websocket.conf
Normal file
2
roles/nginx/templates/snippets/websocket.conf
Normal file
|
@ -0,0 +1,2 @@
|
|||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
|
@ -1,79 +0,0 @@
|
|||
- name:
|
||||
become: true
|
||||
block:
|
||||
- name: Install package nginx
|
||||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: Template configuration files to /etc/nginx/
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/nginx/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
loop:
|
||||
- nginx.conf
|
||||
- authelia-location.conf
|
||||
- authelia-authrequest.conf
|
||||
|
||||
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
|
||||
template:
|
||||
src: reverse-proxy.conf
|
||||
dest: /etc/nginx/sites-available/reverse-proxy.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
|
||||
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
|
||||
copy:
|
||||
src: files/ssl-headers.conf
|
||||
dest: /etc/nginx/conf.d/ssl-headers.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
|
||||
- name: Remove all enabled NGINX sites
|
||||
file:
|
||||
state: "{{ item }}"
|
||||
path: "/etc/nginx/sites-enabled"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '755'
|
||||
loop:
|
||||
- absent
|
||||
- directory
|
||||
|
||||
- name: Enable reverse-proxy.conf site
|
||||
file:
|
||||
state: link
|
||||
src: /etc/nginx/sites-available/reverse-proxy.conf
|
||||
dest: /etc/nginx/sites-enabled/reverse-proxy.conf
|
||||
|
||||
- name: Get state of file /etc/nginx/dhparam.txt
|
||||
stat:
|
||||
path: /etc/nginx/dhparam.txt
|
||||
register: nginx_stat_dhparam_result
|
||||
|
||||
- name: Download dhparam file from Mozilla
|
||||
get_url:
|
||||
url: https://ssl-config.mozilla.org/ffdhe2048.txt
|
||||
dest: /etc/nginx/dhparam.txt
|
||||
when: not nginx_stat_dhparam_result.stat.exists
|
||||
|
||||
- name: Set correct permissions on certificate directories
|
||||
file:
|
||||
path: "/etc/letsencrypt/{{ item }}/{{ domain }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '750'
|
||||
loop:
|
||||
- live
|
||||
- archive
|
||||
|
||||
- name: Start/Reload NGINX service
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
enabled: yes
|
|
@ -1,86 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_rlimit_nofile 1024;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 512;
|
||||
multi_accept off;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
gzip off;
|
||||
server_tokens off;
|
||||
keepalive_timeout 30;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
|
||||
ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
|
||||
ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
||||
ssl_dhparam /etc/nginx/dhparam.txt;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
||||
# Headers
|
||||
##
|
||||
|
||||
resolver {{ reverse_proxy['resolver'] }};
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-URI $request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
# Needed to support websocket connections
|
||||
# See: https://nginx.org/en/docs/http/websocket.html
|
||||
# Instead of "close" as stated in the above link we send an empty value.
|
||||
# Else all keepalive connections will not work.
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' "";
|
||||
}
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
|
@ -1,273 +0,0 @@
|
|||
# Redirect HTTP to HTTPS
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
server_name _;
|
||||
|
||||
return 308 https://$host$request_uri;
|
||||
}
|
||||
|
||||
|
||||
# Default HTTPS server
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
|
||||
server_name _;
|
||||
server_name_in_redirect off;
|
||||
|
||||
return 404;
|
||||
}
|
||||
|
||||
|
||||
# Homepage
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ domain }};
|
||||
|
||||
location = /.well-known/matrix/server {
|
||||
default_type application/json;
|
||||
|
||||
return 200 '{ "m.server": "matrix.{{ domain }}:443" }';
|
||||
}
|
||||
|
||||
location = /.well-known/matrix/client {
|
||||
default_type application/json;
|
||||
|
||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
||||
add_header Access-Control-Allow-Origin '*';
|
||||
|
||||
return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }';
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['homepage'] }};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Downloads
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name dl.{{ domain }};
|
||||
|
||||
root /var/www/html;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
|
||||
# Authelia
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name auth.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Element
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name element.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['element'] }};
|
||||
|
||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Etebase
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name etebase.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['etebase'] }};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Hedgedoc
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name hedgedoc.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
||||
}
|
||||
|
||||
location /socket.io/ {
|
||||
proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }};
|
||||
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# JMAP
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name jmap.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass https://127.0.0.1:{{ ports['mailserver_jmap'] }};
|
||||
|
||||
# Websocket
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# LLDAP
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name ldap.{{ domain }};
|
||||
|
||||
include /etc/nginx/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
||||
include /etc/nginx/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# SearXNG
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name searx.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['searxng'] }};
|
||||
|
||||
include /etc/nginx/conf.d/ssl-headers.conf;
|
||||
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Synapse
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name matrix.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['synapse'] }};
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size {{ synapse['max_upload_size'] }};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Syncthihng
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name syncthing.{{ domain }};
|
||||
|
||||
include /etc/nginx/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
|
||||
include /etc/nginx/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Syncthing Discovery
|
||||
upstream stdisco.{{ domain }} {
|
||||
# Local IP address:port for discovery server
|
||||
server 127.0.0.1:{{ ports['syncthing_discosrv'] }};
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name stdisco.{{ domain }};
|
||||
|
||||
ssl_verify_client optional_no_ca;
|
||||
|
||||
location / {
|
||||
proxy_pass http://stdisco.{{ domain }};
|
||||
|
||||
proxy_set_header X-Client-Port $remote_port;
|
||||
proxy_set_header X-SSL-Cert $ssl_client_cert;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Uptime Kuma
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name status.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }};
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Vaultwarden
|
||||
upstream vaultwarden-default {
|
||||
zone vaultwarden-default 64k;
|
||||
server 127.0.0.1:{{ ports['vaultwarden'] }};
|
||||
keepalive 2;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name vw.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://vaultwarden-default;
|
||||
|
||||
# Websocket
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue