From 92052a3d0ab9445b67a83f8abdb5d0d41a33fcaf Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 16 Dec 2023 17:47:04 +0000 Subject: [PATCH] Unify nginx configuration This creates a simple base configuration skeleton, that other configuration can be easily loaded into. --- ansible/main.yml | 6 +- ansible/roles/dokku/files/nginx.conf | 35 +++----- ansible/roles/dokku/handlers/main.yml | 4 +- ansible/roles/dokku/tasks/main.yml | 8 +- ansible/roles/gateway/files/nginx.conf | 68 ++++------------ ansible/roles/gateway/tasks/nginx.yml | 18 +---- ansible/roles/ingress/files/nginx.conf | 80 +++++-------------- ansible/roles/ingress/handlers/main.yml | 4 +- ansible/roles/ingress/tasks/nginx.yml | 16 +--- .../nginx/files/nginx-https-redirect.conf | 6 ++ ansible/roles/nginx/files/nginx.conf | 40 ++++++++++ ansible/roles/nginx/handlers/main.yml | 5 ++ ansible/roles/nginx/tasks/main.yml | 38 +++++++++ ansible/roles/qbittorrent/files/nginx.conf | 27 ++----- ansible/roles/qbittorrent/handlers/main.yml | 4 +- ansible/roles/qbittorrent/tasks/nginx.yml | 17 +--- 16 files changed, 160 insertions(+), 216 deletions(-) create mode 100644 ansible/roles/nginx/files/nginx-https-redirect.conf create mode 100644 ansible/roles/nginx/files/nginx.conf create mode 100644 ansible/roles/nginx/handlers/main.yml create mode 100644 ansible/roles/nginx/tasks/main.yml diff --git a/ansible/main.yml b/ansible/main.yml index c8fad9c..aabb745 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -8,6 +8,7 @@ - hosts: casey roles: + - nginx - gateway - nebula - fail2ban_ssh @@ -71,8 +72,7 @@ - hosts: ingress roles: - - role: nginxinc.nginx # The nginx in debian's repos is very old - become: true + - nginx - ingress - nebula @@ -94,6 +94,7 @@ - hosts: qbittorrent roles: + - nginx - qbittorrent - http_proxy @@ -131,4 +132,5 @@ - hosts: pve-dokku roles: + - nginx - dokku diff --git a/ansible/roles/dokku/files/nginx.conf b/ansible/roles/dokku/files/nginx.conf index c55b670..89e4e55 100644 
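Review bot: The roles that now drop fragments into `/etc/nginx/http.d` and `/etc/nginx/stream.d` (gateway, ingress, qbittorrent, dokku) only work because `nginx` is listed before them in each `roles:` list here; nothing in those roles declares the dependency. Declaring it in each role's `meta/main.yml` (`dependencies:` / `  - role: nginx`) makes the ordering explicit, survives a later reordering of these lists, and Ansible still runs the role once per play. The dropped comment `# The nginx in debian's repos is very old` was the only record of why `nginxinc.nginx` is used instead of the distro package; it is worth carrying over to the `Install nginx` task in the new nginx role.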
--- a/ansible/roles/dokku/files/nginx.conf +++ b/ansible/roles/dokku/files/nginx.conf @@ -1,29 +1,12 @@ -worker_processes auto; + # Block requests which don't have an explicit handler +server { + listen 80 default_server; + listen [::]:80 default_server; -events { - worker_connections 1024; + server_name _; + access_log off; + return 418; } -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - sendfile on; - - keepalive_timeout 65; - - gzip on; - - # Block requests which don't have an explicit handler - server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - access_log off; - return 418; - } - - # Load configuration files for the default server block. - include /etc/nginx/conf.d/*.conf; -} +# Load configuration files for the default server block (this directory is used by dokku). +include /etc/nginx/conf.d/*.conf; diff --git a/ansible/roles/dokku/handlers/main.yml b/ansible/roles/dokku/handlers/main.yml index 460c29a..d5b7b4c 100644 --- a/ansible/roles/dokku/handlers/main.yml +++ b/ansible/roles/dokku/handlers/main.yml @@ -1,5 +1,5 @@ -- name: restart nginx +- name: reload nginx service: name: nginx - state: restarted + state: reloaded become: true diff --git a/ansible/roles/dokku/tasks/main.yml b/ansible/roles/dokku/tasks/main.yml index 4b3fe4f..30d646e 100644 --- a/ansible/roles/dokku/tasks/main.yml +++ b/ansible/roles/dokku/tasks/main.yml @@ -43,13 +43,12 @@ domains: d.theorangeone.net become: true -- name: Install custom nginx config +- name: Install nginx config template: src: files/nginx.conf - dest: /etc/nginx/nginx.conf - validate: nginx -t -c %s + dest: /etc/nginx/http.d/dokku.conf mode: "644" - notify: restart nginx + notify: reload nginx become: true # https://dokku.com/docs/advanced-usage/backup-recovery/ 
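Review bot: The catch-all added here (`listen 80 default_server;` with `server_name _;`) now coexists with the `listen 80; server_name _;` block the nginx role installs unconditionally as `http.d/https-redirect.conf`, so this host ends up with two :80 servers claiming the name `_`. As far as I can tell nginx resolves that with a "conflicting server name" warning and keeps the one included first (`dokku.conf` sorts before `https-redirect.conf`), so the 418 catch-all wins, but silently and only by file naming; on the qbittorrent host the unnamed `downloads.conf` server is likewise first and the redirect is never reached. Either make the redirect opt-in in the nginx role (a role variable checked with `when:` on the `Install HTTPS redirect` task) or state in a comment here that this block deliberately shadows it, e.g. `# Intentionally the default for :80 on this host; the shared https-redirect fragment is shadowed.`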
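Review bot: Dropping `validate: nginx -t -c %s` is unavoidable for a fragment that is only valid inside the base `http {}` block, but nothing replaces it: a broken drop-in is first noticed when the `reload nginx` handler fires at the end of the play, and depending on how the unit's reload is implemented a failed reload can leave the previous configuration running while the play reports success. Adding a check directly after the template task, `- name: Check nginx config` / `  command: nginx -t` / `  changed_when: false` (with `become: true`), fails the play at the task that introduced the bad fragment; the same applies to the gateway, ingress and qbittorrent `nginx.yml` task files in this patch. `mode: "644"` here also differs from the `"0644"` used by every other nginx task in the patch; both are accepted, but one spelling is easier to grep.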
@@ -61,3 +60,4 @@ user: root job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/ cron_file: dokku-data-sync + become: true diff --git a/ansible/roles/gateway/files/nginx.conf b/ansible/roles/gateway/files/nginx.conf index 3f53ada..8f16b37 100644 --- a/ansible/roles/gateway/files/nginx.conf +++ b/ansible/roles/gateway/files/nginx.conf 
@@ -1,56 +1,16 @@ -worker_processes auto; +log_format access '$remote_addr [$time_local] ' + '$protocol $status $bytes_sent $bytes_received ' + '$session_time "$ssl_preread_server_name" ' + '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - #access_log logs/access.log main; - - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - #gzip on; - - server_tokens off; - - server { - listen 80; - server_name _; - return 308 https://$host$request_uri; - } -} - -stream { - - log_format access '$remote_addr [$time_local] ' - '$protocol $status $bytes_sent $bytes_received ' - '$session_time "$ssl_preread_server_name" ' - '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; - - log_format ips '$remote_addr [$time_local] $ssl_preread_server_name'; - - - access_log /var/log/nginx/access.log access; - access_log /var/log/nginx/ips.log ips; - - ssl_preread on; - - server { - listen 443; - listen 8448; - proxy_pass {{ wireguard.clients.ingress.ip }}:8443; - proxy_protocol on; - } +log_format ips '$remote_addr [$time_local] $ssl_preread_server_name'; + +access_log /var/log/nginx/access.log access; +access_log /var/log/nginx/ips.log ips; + +server { + listen 443; + listen 8448; + proxy_pass {{ wireguard.clients.ingress.ip }}:8443; + proxy_protocol on; } diff --git a/ansible/roles/gateway/tasks/nginx.yml b/ansible/roles/gateway/tasks/nginx.yml index a6711a6..63a0160 100644 --- a/ansible/roles/gateway/tasks/nginx.yml +++ b/ansible/roles/gateway/tasks/nginx.yml 
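Review bot: The four-line `log_format access` definition here is byte-identical to the one in `ingress/files/nginx.conf` in this patch, and `log_format` is valid directly in the base `stream {}` block that the nginx role now owns. Moving it (together with `access_log /var/log/nginx/access.log access;`) next to `ssl_preread on;` in `nginx/files/nginx.conf` leaves a single definition to audit when the logged fields change, and this file keeps only the gateway-specific `ips` format and its `server` block. A one-line comment on the `server` block noting that it forwards to the ingress over WireGuard with PROXY protocol (which is what the `set_real_ip_from` on the ingress side relies on) would help a reader who sees only this fragment.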
@@ -1,26 +1,14 @@ -- name: Install nginx - package: - name: nginx - become: true - - name: Nginx config template: src: files/nginx.conf - dest: /etc/nginx/nginx.conf - validate: nginx -t -c %s + dest: /etc/nginx/stream.d/gateway.conf mode: "0644" become: true register: nginx_config -- name: Enable Nginx +- name: Reload Nginx service: name: nginx - enabled: true - become: true - -- name: Restart Nginx - service: - name: nginx - state: restarted + state: reloaded become: true when: nginx_config.changed diff --git a/ansible/roles/ingress/files/nginx.conf b/ansible/roles/ingress/files/nginx.conf index 00ca2a2..2b14cb8 100644 --- a/ansible/roles/ingress/files/nginx.conf +++ b/ansible/roles/ingress/files/nginx.conf 
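Review bot: This file still reloads nginx through `register: nginx_config` plus a separate `Reload Nginx` task guarded by `when: nginx_config.changed`, while the ingress, qbittorrent and dokku task files in the same patch use `notify: reload nginx`, and the nginx role now provides exactly that handler. Replacing the trailing task with `notify: reload nginx` on the template task (and dropping `register:`) makes the gateway consistent with the other roles and lets Ansible collapse several notifications into one reload at the end of the play. If the task is kept, `nginx_config is changed` is the current idiom for that condition.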
@@ -1,63 +1,25 @@ -worker_processes auto; +log_format access '$remote_addr [$time_local] ' + '$protocol $status $bytes_sent $bytes_received ' + '$session_time "$ssl_preread_server_name" ' + '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; -events { - worker_connections 1024; +access_log /var/log/nginx/access.log access; + +# Internal LAN route +server { + listen 443; + listen 8448; + proxy_pass {{ pve_hosts.docker.ip }}:443; + proxy_protocol on; + proxy_socket_keepalive on; + proxy_timeout 1h; } -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - #access_log logs/access.log main; - - sendfile on; - #tcp_nopush on; - - #keepalive_timeout 0; - keepalive_timeout 65; - - #gzip on; - - server_tokens off; - - server { - listen 80; - server_name _; - return 308 https://$host$request_uri; - } -} - -stream { - - log_format access '$remote_addr [$time_local] ' - '$protocol $status $bytes_sent $bytes_received ' - '$session_time "$ssl_preread_server_name" ' - '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; - - access_log /var/log/nginx/access.log access; - - ssl_preread on; - - # Internal LAN route - server { - listen 443; - listen 8448; - proxy_pass {{ pve_hosts.docker.ip }}:443; - proxy_protocol on; - proxy_socket_keepalive on; - proxy_timeout 1h; - } - - # External routes - server { - listen 8443 proxy_protocol; - proxy_protocol on; - proxy_pass {{ pve_hosts.docker.ip }}:443; - set_real_ip_from {{ wireguard.server.ip }}; - proxy_socket_keepalive on; - } +# External routes +server { + listen 8443 proxy_protocol; + proxy_protocol on; + proxy_pass {{ pve_hosts.docker.ip }}:443; + set_real_ip_from {{ wireguard.server.ip }}; + proxy_socket_keepalive on; } 
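Review bot: The `$ssl_preread_server_name` used in the `log_format` here now depends on `ssl_preread on;` living in the base `stream {}` block of `nginx/files/nginx.conf`, which a reader of this fragment cannot see; a short header comment, `# Included by the base stream {} block, which sets ssl_preread on.`, records that coupling. The `# External routes` comment would also carry more weight as `# External routes: PROXY protocol from the gateway over WireGuard; only that peer is trusted for the client IP`, since that is what `listen 8443 proxy_protocol` together with `set_real_ip_from {{ wireguard.server.ip }}` implements. The `log_format access` block duplicates the gateway's and could move to the base stream block, as noted on that hunk.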
diff --git a/ansible/roles/ingress/handlers/main.yml b/ansible/roles/ingress/handlers/main.yml index 741b4e8..31559f2 100644 --- a/ansible/roles/ingress/handlers/main.yml +++ b/ansible/roles/ingress/handlers/main.yml @@ -4,10 +4,10 @@ state: restarted become: true -- name: restart nginx +- name: reload nginx service: name: nginx - state: restarted + state: reloaded become: true - name: reload nftables diff --git a/ansible/roles/ingress/tasks/nginx.yml b/ansible/roles/ingress/tasks/nginx.yml index c31af97..a403504 100644 --- a/ansible/roles/ingress/tasks/nginx.yml +++ b/ansible/roles/ingress/tasks/nginx.yml @@ -1,19 +1,7 @@ -- name: Install nginx - package: - name: nginx - become: true - - name: Nginx config template: src: files/nginx.conf - dest: /etc/nginx/nginx.conf - validate: nginx -t -c %s + dest: /etc/nginx/stream.d/ingress.conf mode: "0644" become: true - notify: restart nginx - -- name: Enable nginx - service: - name: nginx - enabled: true - become: true + notify: reload nginx diff --git a/ansible/roles/nginx/files/nginx-https-redirect.conf b/ansible/roles/nginx/files/nginx-https-redirect.conf new file mode 100644 index 0000000..0b94fbe --- /dev/null +++ b/ansible/roles/nginx/files/nginx-https-redirect.conf @@ -0,0 +1,6 @@ +server { + listen 80; + server_name _; + access_log off; + return 308 https://$server_name$request_uri; +} diff --git a/ansible/roles/nginx/files/nginx.conf b/ansible/roles/nginx/files/nginx.conf new file mode 100644 index 0000000..b1ecd9f --- /dev/null +++ b/ansible/roles/nginx/files/nginx.conf 
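Review bot: `return 308 https://$server_name$request_uri;` redirects clients to the literal host `_`, because inside a `server_name _;` block `$server_name` expands to the configured name rather than the requested one; the gateway and ingress blocks this file replaces used `$host`, which is what clients can actually follow. Change the line to `return 308 https://$host$request_uri;`. `$host` is taken from the request's Host header, so the redirect only ever points back at the name the client itself asked for, the same behaviour the removed blocks had.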
@@ -0,0 +1,40 @@ +worker_processes auto; + +error_log /var/log/nginx/error.log; + +pcre_jit on; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + server_tokens off; + + types_hash_max_size 2048; + types_hash_bucket_size 128; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + gzip on; + gzip_vary on; + + keepalive_timeout 65; + + include /etc/nginx/http.d/*.conf; +} + +stream { + ssl_preread on; + + include /etc/nginx/stream.d/*.conf; +} diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..d5b7b4c --- /dev/null +++ b/ansible/roles/nginx/handlers/main.yml @@ -0,0 +1,5 @@ +- name: reload nginx + service: + name: nginx + state: reloaded + become: true diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..801a908 --- /dev/null +++ b/ansible/roles/nginx/tasks/main.yml @@ -0,0 +1,38 @@ +- name: Install nginx + import_role: + name: nginxinc.nginx + when: ansible_os_family != 'Archlinux' + become: true + +- name: Install nginx on Arch + package: + name: nginx + when: ansible_os_family == 'Archlinux' + become: true + +- name: Create config directories + file: + path: /etc/nginx/{{ item }} + state: directory + mode: "0755" + loop: + - http.d + - stream.d + become: true + +- name: Install config + template: + src: files/nginx.conf + dest: /etc/nginx/nginx.conf + validate: nginx -t -c %s + mode: "0644" + become: true + notify: reload nginx + +- name: Install HTTPS redirect + template: + src: files/nginx-https-redirect.conf + dest: /etc/nginx/http.d/https-redirect.conf + mode: "0644" + become: true + notify: reload nginx 
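Review bot: `access_log /var/log/nginx/access.log main;` in the `http` block writes to the same path that the gateway and ingress `stream.d` fragments in this patch log to with the stream-level `access` format, so on those hosts one file will interleave two record layouts and anything that parses it (fail2ban filters, log shipping) will see lines matching neither pattern cleanly. Giving the stream log its own file (for example `/var/log/nginx/stream-access.log`) or the http log its own keeps each file single-format. A header comment saying that `http.d/` and `stream.d/` are populated by other roles, and that `ssl_preread on` here is what those stream fragments rely on for `$ssl_preread_server_name`, would tell the next reader why a host with no stream fragments still carries the `stream {}` block.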
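Review bot: The `Enable nginx` tasks removed from the gateway, ingress and qbittorrent roles are not replaced on the Arch path: `Install nginx on Arch` installs the package but nothing enables or starts the service, so on a fresh Arch host the later `reload nginx` handler fires against a unit that is not running. Adding `- name: Enable nginx` / `  service: { name: nginx, enabled: true, state: started }` / `  become: true` after that task closes the gap; I assume the `nginxinc.nginx` role takes care of this on the other path, which is worth confirming. `Install config` keeping `validate: nginx -t -c %s` is right, since the drop-in directories exist by the time it runs, but `Install HTTPS redirect` is unconditional and interacts with the dokku and qbittorrent :80 servers in this patch, so a `when:` on a role variable (or a comment explaining why it is always wanted) belongs here.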
diff --git a/ansible/roles/qbittorrent/files/nginx.conf b/ansible/roles/qbittorrent/files/nginx.conf index eac023f..eb8a4b6 100644 --- a/ansible/roles/qbittorrent/files/nginx.conf +++ b/ansible/roles/qbittorrent/files/nginx.conf @@ -1,28 +1,11 @@ -worker_processes auto; - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - - sendfile on; - tcp_nopush on; - - keepalive_timeout 65; +server { + listen 80; gzip off; gzip_static off; - server { - listen 80; + root /mnt/downloads; - root /mnt/downloads; - - - autoindex on; - autoindex_exact_size off; - } + autoindex on; + autoindex_exact_size off; } diff --git a/ansible/roles/qbittorrent/handlers/main.yml b/ansible/roles/qbittorrent/handlers/main.yml index 1350833..687331f 100644 --- a/ansible/roles/qbittorrent/handlers/main.yml +++ b/ansible/roles/qbittorrent/handlers/main.yml @@ -1,7 +1,7 @@ -- name: restart nginx +- name: reload nginx service: name: nginx - state: restarted + state: reloaded become: true - name: restart qbittorrent diff --git a/ansible/roles/qbittorrent/tasks/nginx.yml b/ansible/roles/qbittorrent/tasks/nginx.yml index f8c8373..4ed9cdd 100644 --- a/ansible/roles/qbittorrent/tasks/nginx.yml +++ b/ansible/roles/qbittorrent/tasks/nginx.yml @@ -1,18 +1,7 @@ -- name: Install nginx - package: - name: nginx - become: true - -- name: Enable nginx - service: - name: nginx - enabled: true - become: true - - name: Nginx config template: src: files/nginx.conf - dest: /etc/nginx/nginx.conf - mode: "0600" + dest: /etc/nginx/http.d/downloads.conf + mode: "0644" become: true - notify: restart nginx + notify: reload nginx
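Review bot: This `server` block has no `server_name` and is not marked `default_server`, so on this host it answers every :80 request with the `/mnt/downloads` listing only because `downloads.conf` happens to sort before `https-redirect.conf` in `http.d/`. If the listing is meant to be the catch-all, `listen 80 default_server;` says so and stops a later fragment from displacing it; if not, the shared redirect fragment now installed on this host is dead configuration. The task file also relaxes the fragment's mode from `"0600"` to `"0644"`; nothing in the fragment is secret, so that is harmless, but the drop of the `validate:` step on the template task is the same gap noted on the dokku task file.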