Unify nginx configuration
This creates a simple base configuration skeleton, that other configuration can be easily loaded into.
This commit is contained in:
parent
943c141d59
commit
92052a3d0a
16 changed files with 160 additions and 216 deletions
|
@ -8,6 +8,7 @@
|
||||||
|
|
||||||
- hosts: casey
|
- hosts: casey
|
||||||
roles:
|
roles:
|
||||||
|
- nginx
|
||||||
- gateway
|
- gateway
|
||||||
- nebula
|
- nebula
|
||||||
- fail2ban_ssh
|
- fail2ban_ssh
|
||||||
|
@ -71,8 +72,7 @@
|
||||||
|
|
||||||
- hosts: ingress
|
- hosts: ingress
|
||||||
roles:
|
roles:
|
||||||
- role: nginxinc.nginx # The nginx in debian's repos is very old
|
- nginx
|
||||||
become: true
|
|
||||||
- ingress
|
- ingress
|
||||||
- nebula
|
- nebula
|
||||||
|
|
||||||
|
@ -94,6 +94,7 @@
|
||||||
|
|
||||||
- hosts: qbittorrent
|
- hosts: qbittorrent
|
||||||
roles:
|
roles:
|
||||||
|
- nginx
|
||||||
- qbittorrent
|
- qbittorrent
|
||||||
- http_proxy
|
- http_proxy
|
||||||
|
|
||||||
|
@ -131,4 +132,5 @@
|
||||||
|
|
||||||
- hosts: pve-dokku
|
- hosts: pve-dokku
|
||||||
roles:
|
roles:
|
||||||
|
- nginx
|
||||||
- dokku
|
- dokku
|
||||||
|
|
|
@ -1,19 +1,3 @@
|
||||||
worker_processes auto;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
gzip on;
|
|
||||||
|
|
||||||
# Block requests which don't have an explicit handler
|
# Block requests which don't have an explicit handler
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
|
@ -24,6 +8,5 @@ http {
|
||||||
return 418;
|
return 418;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Load configuration files for the default server block.
|
# Load configuration files for the default server block (this directory is used by dokku).
|
||||||
include /etc/nginx/conf.d/*.conf;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
}
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: restart nginx
|
- name: reload nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: restarted
|
state: reloaded
|
||||||
become: true
|
become: true
|
||||||
|
|
|
@ -43,13 +43,12 @@
|
||||||
domains: d.theorangeone.net
|
domains: d.theorangeone.net
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: Install custom nginx config
|
- name: Install nginx config
|
||||||
template:
|
template:
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/http.d/dokku.conf
|
||||||
validate: nginx -t -c %s
|
|
||||||
mode: "644"
|
mode: "644"
|
||||||
notify: restart nginx
|
notify: reload nginx
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
# https://dokku.com/docs/advanced-usage/backup-recovery/
|
# https://dokku.com/docs/advanced-usage/backup-recovery/
|
||||||
|
@ -61,3 +60,4 @@
|
||||||
user: root
|
user: root
|
||||||
job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
|
job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
|
||||||
cron_file: dokku-data-sync
|
cron_file: dokku-data-sync
|
||||||
|
become: true
|
||||||
|
|
|
@ -1,39 +1,3 @@
|
||||||
worker_processes auto;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
# '$status $body_bytes_sent "$http_referer" '
|
|
||||||
# '"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
#access_log logs/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
|
|
||||||
#keepalive_timeout 0;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name _;
|
|
||||||
return 308 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
stream {
|
|
||||||
|
|
||||||
log_format access '$remote_addr [$time_local] '
|
log_format access '$remote_addr [$time_local] '
|
||||||
'$protocol $status $bytes_sent $bytes_received '
|
'$protocol $status $bytes_sent $bytes_received '
|
||||||
'$session_time "$ssl_preread_server_name" '
|
'$session_time "$ssl_preread_server_name" '
|
||||||
|
@ -41,16 +5,12 @@ stream {
|
||||||
|
|
||||||
log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
|
log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
|
||||||
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log access;
|
access_log /var/log/nginx/access.log access;
|
||||||
access_log /var/log/nginx/ips.log ips;
|
access_log /var/log/nginx/ips.log ips;
|
||||||
|
|
||||||
ssl_preread on;
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443;
|
||||||
listen 8448;
|
listen 8448;
|
||||||
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
|
proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
|
||||||
proxy_protocol on;
|
proxy_protocol on;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
|
@ -1,26 +1,14 @@
|
||||||
- name: Install nginx
|
|
||||||
package:
|
|
||||||
name: nginx
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Nginx config
|
- name: Nginx config
|
||||||
template:
|
template:
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/stream.d/gateway.conf
|
||||||
validate: nginx -t -c %s
|
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
become: true
|
||||||
register: nginx_config
|
register: nginx_config
|
||||||
|
|
||||||
- name: Enable Nginx
|
- name: Reload Nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
enabled: true
|
state: reloaded
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Restart Nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: restarted
|
|
||||||
become: true
|
become: true
|
||||||
when: nginx_config.changed
|
when: nginx_config.changed
|
||||||
|
|
|
@ -1,38 +1,3 @@
|
||||||
worker_processes auto;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
# '$status $body_bytes_sent "$http_referer" '
|
|
||||||
# '"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
#access_log logs/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
|
|
||||||
#keepalive_timeout 0;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name _;
|
|
||||||
return 308 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
stream {
|
|
||||||
|
|
||||||
log_format access '$remote_addr [$time_local] '
|
log_format access '$remote_addr [$time_local] '
|
||||||
'$protocol $status $bytes_sent $bytes_received '
|
'$protocol $status $bytes_sent $bytes_received '
|
||||||
'$session_time "$ssl_preread_server_name" '
|
'$session_time "$ssl_preread_server_name" '
|
||||||
|
@ -40,8 +5,6 @@ stream {
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log access;
|
access_log /var/log/nginx/access.log access;
|
||||||
|
|
||||||
ssl_preread on;
|
|
||||||
|
|
||||||
# Internal LAN route
|
# Internal LAN route
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443;
|
||||||
|
@ -60,4 +23,3 @@ stream {
|
||||||
set_real_ip_from {{ wireguard.server.ip }};
|
set_real_ip_from {{ wireguard.server.ip }};
|
||||||
proxy_socket_keepalive on;
|
proxy_socket_keepalive on;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
|
@ -4,10 +4,10 @@
|
||||||
state: restarted
|
state: restarted
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: restart nginx
|
- name: reload nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: restarted
|
state: reloaded
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: reload nftables
|
- name: reload nftables
|
||||||
|
|
|
@ -1,19 +1,7 @@
|
||||||
- name: Install nginx
|
|
||||||
package:
|
|
||||||
name: nginx
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Nginx config
|
- name: Nginx config
|
||||||
template:
|
template:
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/stream.d/ingress.conf
|
||||||
validate: nginx -t -c %s
|
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
become: true
|
become: true
|
||||||
notify: restart nginx
|
notify: reload nginx
|
||||||
|
|
||||||
- name: Enable nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
enabled: true
|
|
||||||
become: true
|
|
||||||
|
|
6
ansible/roles/nginx/files/nginx-https-redirect.conf
Normal file
6
ansible/roles/nginx/files/nginx-https-redirect.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name _;
|
||||||
|
access_log off;
|
||||||
|
return 308 https://$server_name$request_uri;
|
||||||
|
}
|
40
ansible/roles/nginx/files/nginx.conf
Normal file
40
ansible/roles/nginx/files/nginx.conf
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
worker_processes auto;
|
||||||
|
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
|
pcre_jit on;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
types_hash_bucket_size 128;
|
||||||
|
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
gzip on;
|
||||||
|
gzip_vary on;
|
||||||
|
|
||||||
|
keepalive_timeout 65;
|
||||||
|
|
||||||
|
include /etc/nginx/http.d/*.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
stream {
|
||||||
|
ssl_preread on;
|
||||||
|
|
||||||
|
include /etc/nginx/stream.d/*.conf;
|
||||||
|
}
|
5
ansible/roles/nginx/handlers/main.yml
Normal file
5
ansible/roles/nginx/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
- name: reload nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
become: true
|
38
ansible/roles/nginx/tasks/main.yml
Normal file
38
ansible/roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
- name: Install nginx
|
||||||
|
import_role:
|
||||||
|
name: nginxinc.nginx
|
||||||
|
when: ansible_os_family != 'Archlinux'
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Install nginx on Arch
|
||||||
|
package:
|
||||||
|
name: nginx
|
||||||
|
when: ansible_os_family == 'Archlinux'
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Create config directories
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/{{ item }}
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
loop:
|
||||||
|
- http.d
|
||||||
|
- stream.d
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Install config
|
||||||
|
template:
|
||||||
|
src: files/nginx.conf
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
validate: nginx -t -c %s
|
||||||
|
mode: "0644"
|
||||||
|
become: true
|
||||||
|
notify: reload nginx
|
||||||
|
|
||||||
|
- name: Install HTTPS redirect
|
||||||
|
template:
|
||||||
|
src: files/nginx-https-redirect.conf
|
||||||
|
dest: /etc/nginx/http.d/https-redirect.conf
|
||||||
|
mode: "0644"
|
||||||
|
become: true
|
||||||
|
notify: reload nginx
|
|
@ -1,28 +1,11 @@
|
||||||
worker_processes auto;
|
server {
|
||||||
|
listen 80;
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
include mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
gzip off;
|
gzip off;
|
||||||
gzip_static off;
|
gzip_static off;
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
|
|
||||||
root /mnt/downloads;
|
root /mnt/downloads;
|
||||||
|
|
||||||
|
|
||||||
autoindex on;
|
autoindex on;
|
||||||
autoindex_exact_size off;
|
autoindex_exact_size off;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
- name: restart nginx
|
- name: reload nginx
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: restarted
|
state: reloaded
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: restart qbittorrent
|
- name: restart qbittorrent
|
||||||
|
|
|
@ -1,18 +1,7 @@
|
||||||
- name: Install nginx
|
|
||||||
package:
|
|
||||||
name: nginx
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Enable nginx
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
enabled: true
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Nginx config
|
- name: Nginx config
|
||||||
template:
|
template:
|
||||||
src: files/nginx.conf
|
src: files/nginx.conf
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/http.d/downloads.conf
|
||||||
mode: "0600"
|
mode: "0644"
|
||||||
become: true
|
become: true
|
||||||
notify: restart nginx
|
notify: reload nginx
|
||||||
|
|
Loading…
Reference in a new issue