systems/infrastructure
1
Fork 0
Code Issues 1 Pull requests 16 Activity Actions

Unify nginx configuration

Browse source 
This creates a simple base configuration skeleton, that other configuration can be easily loaded into.
This commit is contained in:
Jake Howard 2023-12-16 17:47:04 +00:00
parent 943c141d59
commit 92052a3d0a
Signed by: jake
GPG key ID: 57AFB45680EDD477
16 changed files with 160 additions and 216 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
ansible/main.yml
View file

@ -8,6 +8,7 @@
- hosts: casey
roles:
- nginx
- gateway
- nebula
- fail2ban_ssh
@ -71,8 +72,7 @@
- hosts: ingress
roles:
- role: nginxinc.nginx # The nginx in debian's repos is very old
become: true
- nginx
- ingress
- nebula
@ -94,6 +94,7 @@
- hosts: qbittorrent
roles:
- nginx
- qbittorrent
- http_proxy
@ -131,4 +132,5 @@
- hosts: pve-dokku
roles:
- nginx
- dokku

35
ansible/roles/dokku/files/nginx.conf
View file

@ -1,29 +1,12 @@
worker_processes auto;
# Block requests which don't have an explicit handler
server {
listen 80 default_server;
listen [::]:80 default_server;
events {
worker_connections 1024;
server_name _;
access_log off;
return 418;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
# Block requests which don't have an explicit handler
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
access_log off;
return 418;
}
# Load configuration files for the default server block.
include /etc/nginx/conf.d/*.conf;
}
# Load configuration files for the default server block (this directory is used by dokku).
include /etc/nginx/conf.d/*.conf;

4
ansible/roles/dokku/handlers/main.yml
View file

@ -1,5 +1,5 @@
- name: restart nginx
- name: reload nginx
service:
name: nginx
state: restarted
state: reloaded
become: true

8
ansible/roles/dokku/tasks/main.yml
View file

@ -43,13 +43,12 @@
domains: d.theorangeone.net
become: true
- name: Install custom nginx config
- name: Install nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
dest: /etc/nginx/http.d/dokku.conf
mode: "644"
notify: restart nginx
notify: reload nginx
become: true
# https://dokku.com/docs/advanced-usage/backup-recovery/
@ -61,3 +60,4 @@
user: root
job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
cron_file: dokku-data-sync
become: true

68
ansible/roles/gateway/files/nginx.conf
View file

@ -1,56 +1,16 @@
worker_processes auto;
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server_tokens off;
server {
listen 80;
server_name _;
return 308 https://$host$request_uri;
}
}
stream {
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
access_log /var/log/nginx/access.log access;
access_log /var/log/nginx/ips.log ips;
ssl_preread on;
server {
listen 443;
listen 8448;
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
proxy_protocol on;
}
log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
access_log /var/log/nginx/access.log access;
access_log /var/log/nginx/ips.log ips;
server {
listen 443;
listen 8448;
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
proxy_protocol on;
}

18
ansible/roles/gateway/tasks/nginx.yml
View file

@ -1,26 +1,14 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
dest: /etc/nginx/stream.d/gateway.conf
mode: "0644"
become: true
register: nginx_config
- name: Enable Nginx
- name: Reload Nginx
service:
name: nginx
enabled: true
become: true
- name: Restart Nginx
service:
name: nginx
state: restarted
state: reloaded
become: true
when: nginx_config.changed

80
ansible/roles/ingress/files/nginx.conf
View file

@ -1,63 +1,25 @@
worker_processes auto;
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
events {
worker_connections 1024;
access_log /var/log/nginx/access.log access;
# Internal LAN route
server {
listen 443;
listen 8448;
proxy_pass {{ pve_hosts.docker.ip }}:443;
proxy_protocol on;
proxy_socket_keepalive on;
proxy_timeout 1h;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server_tokens off;
server {
listen 80;
server_name _;
return 308 https://$host$request_uri;
}
}
stream {
log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/access.log access;
ssl_preread on;
# Internal LAN route
server {
listen 443;
listen 8448;
proxy_pass {{ pve_hosts.docker.ip }}:443;
proxy_protocol on;
proxy_socket_keepalive on;
proxy_timeout 1h;
}
# External routes
server {
listen 8443 proxy_protocol;
proxy_protocol on;
proxy_pass {{ pve_hosts.docker.ip }}:443;
set_real_ip_from {{ wireguard.server.ip }};
proxy_socket_keepalive on;
}
# External routes
server {
listen 8443 proxy_protocol;
proxy_protocol on;
proxy_pass {{ pve_hosts.docker.ip }}:443;
set_real_ip_from {{ wireguard.server.ip }};
proxy_socket_keepalive on;
}

4
ansible/roles/ingress/handlers/main.yml
View file

@ -4,10 +4,10 @@
state: restarted
become: true
- name: restart nginx
- name: reload nginx
service:
name: nginx
state: restarted
state: reloaded
become: true
- name: reload nftables

16
ansible/roles/ingress/tasks/nginx.yml
View file

@ -1,19 +1,7 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
dest: /etc/nginx/stream.d/ingress.conf
mode: "0644"
become: true
notify: restart nginx
- name: Enable nginx
service:
name: nginx
enabled: true
become: true
notify: reload nginx

6
ansible/roles/nginx/files/nginx-https-redirect.conf Normal file
View file

@ -0,0 +1,6 @@
server {
listen 80;
server_name _;
access_log off;
return 308 https://$server_name$request_uri;
}

40
ansible/roles/nginx/files/nginx.conf Normal file
View file

@ -0,0 +1,40 @@
worker_processes auto;
error_log /var/log/nginx/error.log;
pcre_jit on;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
types_hash_max_size 2048;
types_hash_bucket_size 128;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
gzip on;
gzip_vary on;
keepalive_timeout 65;
include /etc/nginx/http.d/*.conf;
}
stream {
ssl_preread on;
include /etc/nginx/stream.d/*.conf;
}

5
ansible/roles/nginx/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
- name: reload nginx
service:
name: nginx
state: reloaded
become: true

38
ansible/roles/nginx/tasks/main.yml Normal file
View file

@ -0,0 +1,38 @@
- name: Install nginx
import_role:
name: nginxinc.nginx
when: ansible_os_family != 'Archlinux'
become: true
- name: Install nginx on Arch
package:
name: nginx
when: ansible_os_family == 'Archlinux'
become: true
- name: Create config directories
file:
path: /etc/nginx/{{ item }}
state: directory
mode: "0755"
loop:
- http.d
- stream.d
become: true
- name: Install config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
mode: "0644"
become: true
notify: reload nginx
- name: Install HTTPS redirect
template:
src: files/nginx-https-redirect.conf
dest: /etc/nginx/http.d/https-redirect.conf
mode: "0644"
become: true
notify: reload nginx

27
ansible/roles/qbittorrent/files/nginx.conf
View file

@ -1,28 +1,11 @@
worker_processes auto;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server {
listen 80;
gzip off;
gzip_static off;
server {
listen 80;
root /mnt/downloads;
root /mnt/downloads;
autoindex on;
autoindex_exact_size off;
}
autoindex on;
autoindex_exact_size off;
}

4
ansible/roles/qbittorrent/handlers/main.yml
View file

@ -1,7 +1,7 @@
- name: restart nginx
- name: reload nginx
service:
name: nginx
state: restarted
state: reloaded
become: true
- name: restart qbittorrent

17
ansible/roles/qbittorrent/tasks/nginx.yml
View file

@ -1,18 +1,7 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Enable nginx
service:
name: nginx
enabled: true
become: true
- name: Nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
mode: "0600"
dest: /etc/nginx/http.d/downloads.conf
mode: "0644"
become: true
notify: restart nginx
notify: reload nginx