uumas/ansible-matrix
1
0
Fork 0
Code Issues 7 Pull Requests Projects Releases Wiki Activity

add nginx role

Browse Source
This commit is contained in:
uumas
2023-04-19 00:24:44 +03:00
parent b5300f445d
commit 70a4684f51
7 changed files with 276 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
roles/nginx/templates/conf/ssl-headers.conf.j2 Normal file
View File

@@ -0,0 +1,12 @@
# {{ ansible_managed }}
# Strict Transport Security (HSTS), Tell browsers to use only https (adding includeSubDomains would also force subdomains to use HSTS)
add_header Strict-Transport-Security "max-age=15552000; preload" always;
# Expect Certificate Transparency and -Stapling, Security measures for checking HTTPS-certificate validity/revocation
add_header Expect-CT 'enforce; max-age=86400;' always;
add_header Expect-Staple 'max-age=86400; preload' always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;

5
roles/nginx/templates/letsencrypt.conf.j2 Normal file
View File

@@ -0,0 +1,5 @@
# {{ ansible_managed }}
ssl_certificate /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem;

156
roles/nginx/templates/site.j2 Normal file
View File

@@ -0,0 +1,156 @@
# {{ ansible_managed }}
{% if nginx_upstreams is defined %}
# Upstreams
{% for upstream in nginx_upstreams | dict2items %}
{% if upstream.value.servers | length != 0 %}
upstream {{ upstream.key }} {
{% if upstream.value.method is defined %}
{{ upstream.value.method }};
{% endif %}
{% for server in upstream.value.servers %}
{% if server | int != 0 %}
server 127.0.0.1:{{ server }};
{% else %}
server {{ server }};
{% endif %}
{% endfor %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if nginx_maps is defined %}
{% for map in nginx_maps | dict2items %}
{% if map.value.var | length != 0 %}
map ${{ map.value.var }} ${{ map.key }} {
{% for rule in map.value.rules | dict2items %}
{{ rule.key }} {{ rule.value }};
{% endfor %}
}
{% endif %}
{% endfor %}
{% endif %}
{% if nginx_certbot %}
# HTTP -> HTTPS redirect
server {
listen 0.0.0.0:80 default_server;
{% if ansible_default_ipv6.address is defined %}
listen [::]:80 default_server;
{% endif %}
server_name {{ ansible_fqdn }};
location / {
return 301 https://$host$request_uri;
}
}
{% endif %}
# Websocket map
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for server in nginx_servers %}
server {
{% for listener in server.listen | default([{}]) %}
{% if listener.ip | default('all') == 'all' %}
listen 0.0.0.0:{{ listener.port | default('443' if nginx_certbot else '80') }} {{ 'ssl http2 ' if nginx_certbot else '' }}{{ 'default_server' if server.name is not defined or server.name == ansible_fqdn }};
{% if ansible_default_ipv6.address is defined %}
listen [::]:{{ listener.port | default('443' if nginx_certbot else '80') }} {{ 'ssl http2 ' if nginx_certbot else '' }}{{ 'default_server' if server.name is not defined or server.name == ansible_fqdn }};
{% endif %}
server_name {{ server.name | default(ansible_fqdn) }};
{% elif listener.ip == 'localhost' %}
listen 127.0.0.1:{{ listener.port }} default_server;
{% if ansible_default_ipv6.address is defined %}
listen [::1]:{{ listener.port }} default_server;
{% endif %}
server_name localhost;
{% endif %}
{% endfor %}
{% if server.return is defined %}
# Sipmle returns
{% for return in server.return %}
location {{ return.location }} {
return {{ return.type | default('200') }} '{{ return.content | to_json if return.content_type | default('plain') == 'json' else return.content }}';
{% if return.headers is mapping %}
{% for header in return.headers | dict2items %}
add_header {{ header.key }} {{ header.value }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% if server.reverse_proxy is defined %}
# Reverse proxy
{% for upstream in server.reverse_proxy %}
{% if nginx_upstreams[upstream].servers | length != 0 %}
# {{ upstream }}
{% for location in nginx_upstreams[upstream].locations | default([{'name': '/'}]) %}
{% if location.name | length != 0 %}
location {{ location.name }} {
proxy_pass http://{{ upstream }};
{% if location.proxy_headers is mapping %}
{% for header in location.proxy_headers | dict2items %}
proxy_set_header {{ header.key }} {{ header.value }};
{% endfor %}
{% endif %}
{% if nginx_proxy_headers is mapping %}
{% for header in nginx_proxy_headers | dict2items %}
{% if location.proxy_headers[header.key] is not defined %}
proxy_set_header {{ header.key }} {{ header.value }};
{% endif %}
{% endfor %}
{% endif %}
{% if location.additional_options is defined %}
{% for item in location.additional_options %}
{{ item }};
{% endfor %}
{% endif %}
}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if server.reverse_proxy_map is defined %}
# Mapping reverse proxy
{% for map in server.reverse_proxy_map %}
{% if nginx_maps[map].var | length != 0 %}
# {{ map }}
{% for location in nginx_maps[map].locations %}
{% if location.name | length != 0 %}
location {{ location.name }} {
proxy_pass http://${{ map }};
{% if nginx_proxy_headers is mapping %}
{% for header in nginx_proxy_headers | dict2items %}
proxy_set_header {{ header.key }} {{ header.value }};
{% endfor %}
{% endif %}
{% if location.additional_options is defined %}
{% for item in location.additional_options %}
{{ item }};
{% endfor %}
{% endif %}
}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
}
{% endfor %}