Unify nginx configuration

This creates a simple base configuration skeleton that other configuration can easily be loaded into.
This commit is contained in:
Jake Howard 2023-12-16 17:47:04 +00:00
parent 943c141d59
commit 92052a3d0a
Signed by: jake
GPG key ID: 57AFB45680EDD477
16 changed files with 160 additions and 216 deletions


@ -8,6 +8,7 @@
- hosts: casey - hosts: casey
roles: roles:
- nginx
- gateway - gateway
- nebula - nebula
- fail2ban_ssh - fail2ban_ssh
@ -71,8 +72,7 @@
- hosts: ingress - hosts: ingress
roles: roles:
- role: nginxinc.nginx # The nginx in debian's repos is very old - nginx
become: true
- ingress - ingress
- nebula - nebula
@ -94,6 +94,7 @@
- hosts: qbittorrent - hosts: qbittorrent
roles: roles:
- nginx
- qbittorrent - qbittorrent
- http_proxy - http_proxy
@ -131,4 +132,5 @@
- hosts: pve-dokku - hosts: pve-dokku
roles: roles:
- nginx
- dokku - dokku


@ -1,19 +1,3 @@
worker_processes auto;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
# Block requests which don't have an explicit handler # Block requests which don't have an explicit handler
server { server {
listen 80 default_server; listen 80 default_server;
@ -24,6 +8,5 @@ http {
return 418; return 418;
} }
# Load configuration files for the default server block. # Load configuration files for the default server block (this directory is used by dokku).
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
}


@ -1,5 +1,5 @@
- name: restart nginx - name: reload nginx
service: service:
name: nginx name: nginx
state: restarted state: reloaded
become: true become: true


@ -43,13 +43,12 @@
domains: d.theorangeone.net domains: d.theorangeone.net
become: true become: true
- name: Install custom nginx config - name: Install nginx config
template: template:
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/http.d/dokku.conf
validate: nginx -t -c %s
mode: "644" mode: "644"
notify: restart nginx notify: reload nginx
become: true become: true
# https://dokku.com/docs/advanced-usage/backup-recovery/ # https://dokku.com/docs/advanced-usage/backup-recovery/
@ -61,3 +60,4 @@
user: root user: root
job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/ job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
cron_file: dokku-data-sync cron_file: dokku-data-sync
become: true
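Review bot: The `validate: nginx -t -c %s` line removed from the dokku config task in this hunk is not replaced by any check, and the gateway and ingress task files later in this commit drop the same line. A fragment under http.d cannot be validated on its own with `-c %s`, but the new `state: reloaded` handler only sends a reload signal, and nginx keeps serving the previous configuration when the new one fails to parse, reporting the error in its log rather than to the caller — so a broken fragment leaves the play green while stale config stays live. A cheap substitute is a `command: nginx -t` task with `become: true` that runs ahead of the service reload (for example a second handler with `listen: reload nginx`), so a parse error fails the host instead of being ignored. Keeping `-c %s` validation on the base nginx.conf in the new nginx role is right; it is the fragments that now go unchecked.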


@ -1,39 +1,3 @@
worker_processes auto;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server_tokens off;
server {
listen 80;
server_name _;
return 308 https://$host$request_uri;
}
}
stream {
log_format access '$remote_addr [$time_local] ' log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received ' '$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" ' '$session_time "$ssl_preread_server_name" '
@ -41,16 +5,12 @@ stream {
log_format ips '$remote_addr [$time_local] $ssl_preread_server_name'; log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
access_log /var/log/nginx/access.log access; access_log /var/log/nginx/access.log access;
access_log /var/log/nginx/ips.log ips; access_log /var/log/nginx/ips.log ips;
ssl_preread on;
server { server {
listen 443; listen 443;
listen 8448; listen 8448;
proxy_pass {{ wireguard.clients.ingress.ip }}:8443; proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
proxy_protocol on; proxy_protocol on;
} }
}


@ -1,26 +1,14 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Nginx config - name: Nginx config
template: template:
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/stream.d/gateway.conf
validate: nginx -t -c %s
mode: "0644" mode: "0644"
become: true become: true
register: nginx_config register: nginx_config
- name: Enable Nginx - name: Reload Nginx
service: service:
name: nginx name: nginx
enabled: true state: reloaded
become: true
- name: Restart Nginx
service:
name: nginx
state: restarted
become: true become: true
when: nginx_config.changed when: nginx_config.changed
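Review bot: The `Reload Nginx` task at the end of this hunk re-implements with `register: nginx_config` / `when: nginx_config.changed` what every other role in this commit expresses with `notify: reload nginx`, and the gateway handler file in this same commit renames its handler to exactly that name. Replace the `register: nginx_config` line with `notify: reload nginx` and delete the explicit reload task; that makes the role consistent with dokku, ingress and qbittorrent and restores the handler's run-once, end-of-play semantics should other gateway tasks notify it later. The enclosing task list may continue beyond this hunk.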


@ -1,38 +1,3 @@
worker_processes auto;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server_tokens off;
server {
listen 80;
server_name _;
return 308 https://$host$request_uri;
}
}
stream {
log_format access '$remote_addr [$time_local] ' log_format access '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received ' '$protocol $status $bytes_sent $bytes_received '
'$session_time "$ssl_preread_server_name" ' '$session_time "$ssl_preread_server_name" '
@ -40,8 +5,6 @@ stream {
access_log /var/log/nginx/access.log access; access_log /var/log/nginx/access.log access;
ssl_preread on;
# Internal LAN route # Internal LAN route
server { server {
listen 443; listen 443;
@ -60,4 +23,3 @@ stream {
set_real_ip_from {{ wireguard.server.ip }}; set_real_ip_from {{ wireguard.server.ip }};
proxy_socket_keepalive on; proxy_socket_keepalive on;
} }
}


@ -4,10 +4,10 @@
state: restarted state: restarted
become: true become: true
- name: restart nginx - name: reload nginx
service: service:
name: nginx name: nginx
state: restarted state: reloaded
become: true become: true
- name: reload nftables - name: reload nftables


@ -1,19 +1,7 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Nginx config - name: Nginx config
template: template:
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/stream.d/ingress.conf
validate: nginx -t -c %s
mode: "0644" mode: "0644"
become: true become: true
notify: restart nginx notify: reload nginx
- name: Enable nginx
service:
name: nginx
enabled: true
become: true


@ -0,0 +1,6 @@
server {
listen 80;
server_name _;
access_log off;
return 308 https://$server_name$request_uri;
}
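Review bot: `return 308 https://$server_name$request_uri;` on the fifth line of this new file expands `$server_name` to the literal `_` declared two lines above it, so clients get `Location: https://_/…` rather than a redirect to the host they asked for; the per-role redirect servers this file replaces all used `$host`, and the line should read `return 308 https://$host$request_uri;`. Separately, this server carries no `default_server` flag, and on the dokku host the `http.d/dokku.conf` fragment in this commit keeps `listen 80 default_server`, so as I read nginx's server selection the redirect will never be chosen there; if that is intended, a comment in this file saying so would save the next reader the analysis.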


@ -0,0 +1,40 @@
worker_processes auto;
error_log /var/log/nginx/error.log;
pcre_jit on;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
types_hash_max_size 2048;
types_hash_bucket_size 128;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
gzip on;
gzip_vary on;
keepalive_timeout 65;
include /etc/nginx/http.d/*.conf;
}
stream {
ssl_preread on;
include /etc/nginx/stream.d/*.conf;
}
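Review bot: This base nginx.conf replaces the package-provided file on every host but carries no `user` or `pid` directive, so workers run as whatever account was compiled in and the pid file lands at the compiled-in path; as far as I know the nginx.org packages and Arch's build differ on both, and the pid path has to match what each distro's systemd unit expects. Since the file is already a template, I would add an explicit `user {{ nginx_user }};` (placeholder variable — give it a per-OS value) and a matching `pid` line at the top, or at least a comment stating that the compiled-in defaults are relied on and were checked with `nginx -V`. The `stream` block with `ssl_preread on` is now loaded on hosts whose stream.d is empty; harmless if the stream module is built in everywhere, which is worth confirming for the non-Arch package path.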


@ -0,0 +1,5 @@
- name: reload nginx
service:
name: nginx
state: reloaded
become: true
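Review bot: This new `reload nginx` handler shares its name with the handlers the dokku, gateway, ingress and qbittorrent roles keep (renamed to the same string in this commit). Handler names live in one namespace across roles and, as far as I recall, a notify matches only one of several identically named definitions, which makes the outcome depend on load order. Since every host that uses those roles now also loads the nginx role, the per-role copies could be removed so this is the single definition; if they are meant to stay, notifying the qualified name `nginx : reload nginx` from the other roles would make the choice explicit.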


@ -0,0 +1,38 @@
- name: Install nginx
import_role:
name: nginxinc.nginx
when: ansible_os_family != 'Archlinux'
become: true
- name: Install nginx on Arch
package:
name: nginx
when: ansible_os_family == 'Archlinux'
become: true
- name: Create config directories
file:
path: /etc/nginx/{{ item }}
state: directory
mode: "0755"
loop:
- http.d
- stream.d
become: true
- name: Install config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
mode: "0644"
become: true
notify: reload nginx
- name: Install HTTPS redirect
template:
src: files/nginx-https-redirect.conf
dest: /etc/nginx/http.d/https-redirect.conf
mode: "0644"
become: true
notify: reload nginx
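Review bot: The Arch branch of this new role only installs the package, while the "Enable nginx" service tasks that the gateway, ingress and qbittorrent roles carried are deleted elsewhere in this commit and nothing here replaces them; on a fresh Arch host nginx is therefore neither enabled nor started, and the `reload nginx` handler will fail against a stopped service. The nginxinc.nginx role presumably starts the service on the other path, but that should not be relied on silently. Add an unconditional enable-and-start task after the two install tasks, as sketched below.
```yaml
- name: Install nginx on Arch
  package:
    name: nginx
  when: ansible_os_family == 'Archlinux'
  become: true

- name: Enable and start nginx
  service:
    name: nginx
    enabled: true
    state: started
  become: true

# … unchanged: Create config directories, Install config, Install HTTPS redirect …
```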


@ -1,28 +1,11 @@
worker_processes auto; server {
listen 80;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
gzip off; gzip off;
gzip_static off; gzip_static off;
server {
listen 80;
root /mnt/downloads; root /mnt/downloads;
autoindex on; autoindex on;
autoindex_exact_size off; autoindex_exact_size off;
} }
}
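Review bot: The rewritten server block still has no `server_name` and no `default_server`, and after this commit it shares port 80 with the nginx role's `http.d/https-redirect.conf`; which of the two answers a request then depends on include order (alphabetical, so this file happens to come first), which is fragile and documented nowhere. Make the intent explicit with `listen 80 default_server;` on the second line and a comment such as `# plain-HTTP download index; deliberately takes precedence over the shared HTTPS redirect on this host`.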


@ -1,7 +1,7 @@
- name: restart nginx - name: reload nginx
service: service:
name: nginx name: nginx
state: restarted state: reloaded
become: true become: true
- name: restart qbittorrent - name: restart qbittorrent


@ -1,18 +1,7 @@
- name: Install nginx
package:
name: nginx
become: true
- name: Enable nginx
service:
name: nginx
enabled: true
become: true
- name: Nginx config - name: Nginx config
template: template:
src: files/nginx.conf src: files/nginx.conf
dest: /etc/nginx/nginx.conf dest: /etc/nginx/http.d/downloads.conf
mode: "0600" mode: "0644"
become: true become: true
notify: restart nginx notify: reload nginx