diff --git a/ansible/files/nginx-docker.conf b/ansible/files/nginx-docker.conf new file mode 100644 index 0000000..b6968be --- /dev/null +++ b/ansible/files/nginx-docker.conf @@ -0,0 +1,25 @@ +# {{ ansible_managed }} + +server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + + server_name {{ server_name }}; + set $upstream {{ upstream }}; + + ssl_certificate {{ ssl_cert_path }}/fullchain.pem; + ssl_certificate_key {{ ssl_cert_path }}/key.pem; + ssl_trusted_certificate {{ ssl_cert_path }}/cert.pem; + include includes/ssl.conf; + + include includes/docker-resolver.conf; + + location / { + proxy_pass http://$upstream; + + {%- if location_extra is defined +%} + {{ location_extra }} + {%- endif +%} + } +} diff --git a/ansible/host_vars/walker/main.yml b/ansible/host_vars/walker/main.yml index 288c1c9..812c422 100644 --- a/ansible/host_vars/walker/main.yml +++ b/ansible/host_vars/walker/main.yml @@ -1,2 +1,4 @@ restic_backup_locations: - /opt + +nginx_https_redirect: true diff --git a/ansible/main.yml b/ansible/main.yml index aabb745..32a8e20 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -52,7 +52,6 @@ - hosts: - pve-docker - - walker roles: - traefik @@ -101,12 +100,13 @@ - hosts: walker roles: - nebula + - coredns + - nginx - plausible - restic - commento - website - remark42 - - coredns - hosts: jellyfin roles: diff --git a/ansible/roles/commento/files/docker-compose.yml b/ansible/roles/commento/files/docker-compose.yml index 9c741a7..18971e5 100644 --- a/ansible/roles/commento/files/docker-compose.yml +++ b/ansible/roles/commento/files/docker-compose.yml @@ -8,10 +8,7 @@ services: - db networks: - default - - traefik - labels: - - traefik.enable=true - - traefik.http.routers.commento.rule=Host(`commento.theorangeone.net`) + - coredns environment: - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable - COMMENTO_ORIGIN=https://commento.theorangeone.net @@ -37,5 +34,5 @@ services: - POSTGRES_USER=commento networks: - traefik: + coredns: external: true diff --git a/ansible/roles/commento/tasks/main.yml b/ansible/roles/commento/tasks/main.yml index 8f89a17..181cd3e 100644 --- a/ansible/roles/commento/tasks/main.yml +++ b/ansible/roles/commento/tasks/main.yml @@ -18,3 +18,15 @@ validate: docker-compose -f %s config notify: restart commento become: true + +- name: Install nginx config + template: + src: files/nginx-docker.conf + dest: /etc/nginx/http.d/commento.conf + mode: "0644" + notify: reload nginx + become: true + vars: + server_name: commento.theorangeone.net + upstream: commento-commento-1.docker:8080 + ssl_cert_path: /etc/nginx/ssl/theorangeone.net diff --git a/ansible/roles/coredns/files/docker-compose.yml b/ansible/roles/coredns/files/docker-compose.yml index 0dcad71..2e82ba5 100644 --- a/ansible/roles/coredns/files/docker-compose.yml +++ b/ansible/roles/coredns/files/docker-compose.yml @@ -9,8 +9,8 @@ services: - "{{ private_ip }}:5353:53/udp" networks: - default - - traefik + - coredns networks: - traefik: + coredns: external: true diff --git a/ansible/roles/coredns/tasks/main.yml b/ansible/roles/coredns/tasks/main.yml index 8c011ba..a4e5b73 100644 --- a/ansible/roles/coredns/tasks/main.yml +++ b/ansible/roles/coredns/tasks/main.yml @@ -1,3 +1,9 @@ +- name: Create network + docker_network: + name: coredns + internal: true + become: true + - name: Create install directory file: path: /opt/coredns diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml index 39e84ef..6d8af40 100644 --- a/ansible/roles/nginx/defaults/main.yml +++ b/ansible/roles/nginx/defaults/main.yml @@ -1 +1,2 @@ nginx_https_redirect: false +docker_resolver_address: "{{ private_ip }}:5353" diff --git a/ansible/roles/nginx/files/includes/docker-resolver.conf b/ansible/roles/nginx/files/includes/docker-resolver.conf new file mode 100644 index 0000000..1378798 --- /dev/null +++ b/ansible/roles/nginx/files/includes/docker-resolver.conf @@ -0,0 +1,2 @@ +resolver {{ docker_resolver_address }} valid=2s; +resolver_timeout 5s; diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml index a16b5a1..3851ecf 100644 --- a/ansible/roles/nginx/tasks/main.yml +++ b/ansible/roles/nginx/tasks/main.yml @@ -46,9 +46,9 @@ - name: Copy config files template: src: "{{ item }}" - dest: "/etc/nginx/includes/{{ item | basename }}" + dest: /etc/nginx/includes/{{ item | basename }} mode: "0644" - with_fileglob: 'files/includes/*.conf' + with_fileglob: files/includes/*.conf become: true notify: reload nginx diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index 4f20fdd..75119f8 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -10,20 +10,7 @@ services: - clickhouse networks: - default - - traefik - labels: - - traefik.enable=true - - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`) - - traefik.http.services.plausible-plausible.loadbalancer.server.port=8000 # https://github.com/plausible/analytics/pull/237 - - - traefik.http.routers.plausible-embed.rule=Host(`elbisualp.theorangeone.net`) - - traefik.http.routers.plausible-embed.service=plausible-plausible - - # https://github.com/plausible/analytics/pull/340 - - traefik.http.middlewares.plausible-index.replacepathregex.regex=/js/index.js - - traefik.http.middlewares.plausible-index.replacepathregex.replacement=/js/plausible.js - - traefik.http.routers.plausible-embed.middlewares=plausible-index - + - coredns environment: - SECRET_KEY_BASE={{ vault_plausible_secret_key }} - SIGNING_SALT={{ vault_plausible_signing_salt }} @@ -66,5 +53,5 @@ services: - POSTGRES_USER=plausible networks: - traefik: + coredns: external: true diff --git a/ansible/roles/plausible/tasks/main.yml b/ansible/roles/plausible/tasks/main.yml index 4c431a7..a17fc7c 100644 --- a/ansible/roles/plausible/tasks/main.yml +++ b/ansible/roles/plausible/tasks/main.yml @@ -34,3 +34,17 @@ validate: docker-compose -f %s config notify: restart plausible become: true + +- name: Install nginx config + template: + src: files/nginx-docker.conf + dest: /etc/nginx/http.d/plausible.conf + mode: "0644" + notify: reload nginx + become: true + vars: + server_name: plausible.theorangeone.net elbisualp.theorangeone.net + upstream: plausible-plausible-1.docker:8000 + ssl_cert_path: /etc/nginx/ssl/theorangeone.net + location_extra: | + rewrite ^/js/index.js$ /js/plausible.js last; diff --git a/ansible/roles/website/files/docker-compose.yml b/ansible/roles/website/files/docker-compose.yml index b662403..e164600 100644 --- a/ansible/roles/website/files/docker-compose.yml +++ b/ansible/roles/website/files/docker-compose.yml @@ -30,12 +30,9 @@ services: <<: *website user: root command: /app/etc/entrypoints/nginx - labels: - - traefik.enable=true - - traefik.http.routers.website.rule=Host(`theorangeone.net`) || Host(`jakehoward.tech`) networks: - default - - traefik + - coredns depends_on: - django @@ -85,5 +82,5 @@ services: - SENTRY_DSN={{ vault_spotify_sentry_dsn }} networks: - traefik: + coredns: external: true diff --git a/ansible/roles/website/tasks/main.yml b/ansible/roles/website/tasks/main.yml index 0e94285..fd7d81f 100644 --- a/ansible/roles/website/tasks/main.yml +++ b/ansible/roles/website/tasks/main.yml @@ -18,3 +18,17 @@ validate: docker-compose -f %s config notify: restart website become: true + +- name: Install nginx config + template: + src: files/nginx-docker.conf + dest: /etc/nginx/http.d/website.conf + mode: "0644" + notify: reload nginx + become: true + vars: + server_name: theorangeone.net + upstream: website-nginx-1.docker:8000 + ssl_cert_path: /etc/nginx/ssl/theorangeone.net + location_extra: | + more_set_headers "Server: $upstream_http_server";