Unify nginx configuration

This creates a simple base configuration skeleton, that other configuration can be easily loaded into.
2023-12-16 17:47:04 +00:00 · 2023-12-16 17:47:04 +00:00 · 92052a3d0a
commit 92052a3d0a
parent 943c141d59
16 changed files with 160 additions and 216 deletions
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -8,6 +8,7 @@
 - hosts: casey
  roles:
    - nginx
    - gateway
    - nebula
    - fail2ban_ssh
@ -71,8 +72,7 @@
 - hosts: ingress
  roles:
-    - role: nginxinc.nginx  # The nginx in debian's repos is very old
+    - nginx
      become: true
    - ingress
    - nebula
@ -94,6 +94,7 @@
 - hosts: qbittorrent
  roles:
    - nginx
    - qbittorrent
    - http_proxy
@ -131,4 +132,5 @@
 - hosts: pve-dokku
  roles:
    - nginx
    - dokku
--- a/ansible/roles/dokku/files/nginx.conf
+++ b/ansible/roles/dokku/files/nginx.conf
@ -1,29 +1,12 @@
-worker_processes  auto;
+ # Block requests which don't have an explicit handler
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
-events {
+    server_name _;
-    worker_connections  1024;
+    access_log off;
    return 418;
 }
-http {
+# Load configuration files for the default server block (this directory is used by dokku).
-    include       /etc/nginx/mime.types;
+include /etc/nginx/conf.d/*.conf;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;
    # Block requests which don't have an explicit handler
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        access_log off;
        return 418;
    }
    # Load configuration files for the default server block.
    include /etc/nginx/conf.d/*.conf;
 }
--- a/ansible/roles/dokku/handlers/main.yml
+++ b/ansible/roles/dokku/handlers/main.yml
@ -1,5 +1,5 @@
- name: restart nginx
+- name: reload nginx
  service:
    name: nginx
-    state: restarted
+    state: reloaded
  become: true
--- a/ansible/roles/dokku/tasks/main.yml
+++ b/ansible/roles/dokku/tasks/main.yml
@ -43,13 +43,12 @@
    domains: d.theorangeone.net
  become: true
- name: Install custom nginx config
+- name: Install nginx config
  template:
    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
+    dest: /etc/nginx/http.d/dokku.conf
    validate: nginx -t -c %s
    mode: "644"
-  notify: restart nginx
+  notify: reload nginx
  become: true
 # https://dokku.com/docs/advanced-usage/backup-recovery/
@ -61,3 +60,4 @@
    user: root
    job: rsync --archive --progress -h /var/lib/dokku/{config,data,services} /home/dokku --exclude '/home/dokku/**/cache/*' /mnt/tank/app-data/dokku/
    cron_file: dokku-data-sync
  become: true
--- a/ansible/roles/gateway/files/nginx.conf
+++ b/ansible/roles/gateway/files/nginx.conf
@ -1,56 +1,16 @@
-worker_processes auto;
+log_format access '$remote_addr [$time_local] '
                '$protocol $status $bytes_sent $bytes_received '
                '$session_time "$ssl_preread_server_name" '
                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
-events {
+log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
-    worker_connections  1024;
+
-}
+access_log /var/log/nginx/access.log access;
-
+access_log /var/log/nginx/ips.log ips;
-
+
-http {
+server {
-    include       /etc/nginx/mime.types;
+    listen 443;
-    default_type  application/octet-stream;
+    listen 8448;
-
+    proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    proxy_protocol on;
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    server_tokens off;
    server {
        listen 80;
        server_name _;
        return 308 https://$host$request_uri;
    }
 }
 stream {
    log_format access '$remote_addr [$time_local] '
                    '$protocol $status $bytes_sent $bytes_received '
                    '$session_time "$ssl_preread_server_name" '
                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    log_format ips '$remote_addr [$time_local] $ssl_preread_server_name';
    access_log /var/log/nginx/access.log access;
    access_log /var/log/nginx/ips.log ips;
    ssl_preread on;
    server {
        listen 443;
        listen 8448;
        proxy_pass {{ wireguard.clients.ingress.ip }}:8443;
        proxy_protocol on;
    }
 }
--- a/ansible/roles/gateway/tasks/nginx.yml
+++ b/ansible/roles/gateway/tasks/nginx.yml
@ -1,26 +1,14 @@
 - name: Install nginx
  package:
    name: nginx
  become: true
 - name: Nginx config
  template:
    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
+    dest: /etc/nginx/stream.d/gateway.conf
    validate: nginx -t -c %s
    mode: "0644"
  become: true
  register: nginx_config
- name: Enable Nginx
+- name: Reload Nginx
  service:
    name: nginx
-    enabled: true
+    state: reloaded
  become: true
 - name: Restart Nginx
  service:
    name: nginx
    state: restarted
  become: true
  when: nginx_config.changed
--- a/ansible/roles/ingress/files/nginx.conf
+++ b/ansible/roles/ingress/files/nginx.conf
@ -1,63 +1,25 @@
-worker_processes auto;
+log_format access '$remote_addr [$time_local] '
                '$protocol $status $bytes_sent $bytes_received '
                '$session_time "$ssl_preread_server_name" '
                '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
-events {
+access_log /var/log/nginx/access.log access;
-    worker_connections  1024;
+
 # Internal LAN route
 server {
    listen 443;
    listen 8448;
    proxy_pass {{ pve_hosts.docker.ip }}:443;
    proxy_protocol on;
    proxy_socket_keepalive on;
    proxy_timeout 1h;
 }
-http {
+# External routes
-    include       /etc/nginx/mime.types;
+server {
-    default_type  application/octet-stream;
+    listen 8443 proxy_protocol;
-
+    proxy_protocol on;
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    proxy_pass {{ pve_hosts.docker.ip }}:443;
-    #                  '$status $body_bytes_sent "$http_referer" '
+    set_real_ip_from {{ wireguard.server.ip }};
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+    proxy_socket_keepalive on;
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    server_tokens off;
    server {
        listen 80;
        server_name _;
        return 308 https://$host$request_uri;
    }
 }
 stream {
    log_format access '$remote_addr [$time_local] '
                    '$protocol $status $bytes_sent $bytes_received '
                    '$session_time "$ssl_preread_server_name" '
                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/access.log access;
    ssl_preread on;
    # Internal LAN route
    server {
        listen 443;
        listen 8448;
        proxy_pass {{ pve_hosts.docker.ip }}:443;
        proxy_protocol on;
        proxy_socket_keepalive on;
        proxy_timeout 1h;
    }
    # External routes
    server {
        listen 8443 proxy_protocol;
        proxy_protocol on;
        proxy_pass {{ pve_hosts.docker.ip }}:443;
        set_real_ip_from {{ wireguard.server.ip }};
        proxy_socket_keepalive on;
    }
 }
--- a/ansible/roles/ingress/handlers/main.yml
+++ b/ansible/roles/ingress/handlers/main.yml
@ -4,10 +4,10 @@
    state: restarted
  become: true
- name: restart nginx
+- name: reload nginx
  service:
    name: nginx
-    state: restarted
+    state: reloaded
  become: true
 - name: reload nftables
--- a/ansible/roles/ingress/tasks/nginx.yml
+++ b/ansible/roles/ingress/tasks/nginx.yml
@ -1,19 +1,7 @@
 - name: Install nginx
  package:
    name: nginx
  become: true
 - name: Nginx config
  template:
    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
+    dest: /etc/nginx/stream.d/ingress.conf
    validate: nginx -t -c %s
    mode: "0644"
  become: true
-  notify: restart nginx
+  notify: reload nginx
 - name: Enable nginx
  service:
    name: nginx
    enabled: true
  become: true
--- a/ansible/roles/nginx/files/nginx-https-redirect.conf
+++ b/ansible/roles/nginx/files/nginx-https-redirect.conf
@ -0,0 +1,6 @@
 server {
    listen 80;
    server_name _;
    access_log off;
    return 308 https://$server_name$request_uri;
 }
--- a/ansible/roles/nginx/files/nginx.conf
+++ b/ansible/roles/nginx/files/nginx.conf
@ -0,0 +1,40 @@
 worker_processes  auto;
 error_log  /var/log/nginx/error.log;
 pcre_jit on;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    tcp_nopush     on;
    gzip on;
    gzip_vary on;
    keepalive_timeout  65;
    include /etc/nginx/http.d/*.conf;
 }
 stream {
    ssl_preread on;
    include /etc/nginx/stream.d/*.conf;
 }
--- a/ansible/roles/nginx/handlers/main.yml
+++ b/ansible/roles/nginx/handlers/main.yml
@ -0,0 +1,5 @@
 - name: reload nginx
  service:
    name: nginx
    state: reloaded
  become: true
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@ -0,0 +1,38 @@
 - name: Install nginx
  import_role:
    name: nginxinc.nginx
  when: ansible_os_family != 'Archlinux'
  become: true
 - name: Install nginx on Arch
  package:
    name: nginx
  when: ansible_os_family == 'Archlinux'
  become: true
 - name: Create config directories
  file:
    path: /etc/nginx/{{ item }}
    state: directory
    mode: "0755"
  loop:
    - http.d
    - stream.d
  become: true
 - name: Install config
  template:
    src: files/nginx.conf
    dest: /etc/nginx/nginx.conf
    validate: nginx -t -c %s
    mode: "0644"
  become: true
  notify: reload nginx
 - name: Install HTTPS redirect
  template:
    src: files/nginx-https-redirect.conf
    dest: /etc/nginx/http.d/https-redirect.conf
    mode: "0644"
  become: true
  notify: reload nginx
--- a/ansible/roles/qbittorrent/files/nginx.conf
+++ b/ansible/roles/qbittorrent/files/nginx.conf
@ -1,28 +1,11 @@
-worker_processes  auto;
+server {
-
+    listen 80;
 events {
    worker_connections  1024;
 }
 http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    tcp_nopush     on;
    keepalive_timeout  65;
    gzip  off;
    gzip_static off;
-    server {
+    root /mnt/downloads;
        listen 80;
-        root /mnt/downloads;
+    autoindex on;
-
+    autoindex_exact_size off;
        autoindex on;
        autoindex_exact_size off;
    }
 }
--- a/ansible/roles/qbittorrent/handlers/main.yml
+++ b/ansible/roles/qbittorrent/handlers/main.yml
@ -1,7 +1,7 @@
- name: restart nginx
+- name: reload nginx
  service:
    name: nginx
-    state: restarted
+    state: reloaded
  become: true
 - name: restart qbittorrent
--- a/ansible/roles/qbittorrent/tasks/nginx.yml
+++ b/ansible/roles/qbittorrent/tasks/nginx.yml
@ -1,18 +1,7 @@
 - name: Install nginx
  package:
    name: nginx
  become: true
 - name: Enable nginx
  service:
    name: nginx
    enabled: true
  become: true
 - name: Nginx config
  template:
    src: files/nginx.conf
-    dest: /etc/nginx/nginx.conf
+    dest: /etc/nginx/http.d/downloads.conf
-    mode: "0600"
+    mode: "0644"
  become: true
-  notify: restart nginx
+  notify: reload nginx