Add all the nginx ssl config

host_vars/gabriel.c3heaven.de

@@ -8,24 +8,130 @@ acmetool_cert_domains:
  - sso.c3heaven.de
  - wiki.c3heaven.de
 
+nginx_https_sites:
+ - name: "c3heaven.de"
+   locations:
+    - location: "/"
+      config: "root /var/www/html;"
+    - location: "~ /wiki(.*)$"
+      config: "return 301 https://wiki.c3heaven.de$1?$args;"
+    - location: "~ /kanboard(.*)$"
+      config: "return 301 https://kanboard.c3heaven.de$1?$args;"
+ - name: "gabriel.c3heaven.de"
+   locations:
+    - location: "/"
+      config: "root /var/www/html;"
+ - name: "kanboard.c3heaven.de"
+   options:
+    - "client_max_body_size 100M;"
+    - "client_body_buffer_size 128k;"
+    - "root /var/www/kanboard;"
+    - "index index.php;"
+   locations:
+    - location: "/"
+      config: "try_files $uri $uri/ /index.php$is_args$args;"
+    - location: '~ \.php$'
+      config: |-
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include fastcgi_params;
+    - location: '~* ^.+\.(log|sqlite)$'
+      config: "return 404;"
+    - location: '~ /\.ht'
+      config: "return 404;"
+    - location: '~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$'
+      config: |-
+        log_not_found off;
+        expires 7d;
+        etag on;
+ - name: "lists.c3heaven.de"
+   locations:
+    - location: "/cgi-bin/mailman"
+      config: |-
+        root /usr/lib/;
+        fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+        fastcgi_intercept_errors on;
+        fastcgi_pass unix:/var/run/fcgiwrap.socket;
+    - location: "/images/mailman"
+      config: "alias /usr/share/images/mailman;"
+    - location: "= /"
+      config: "return 301 https://lists.c3heaven.de/cgi-bin/mailman/listinfo/;"
+ - name: "md.c3heaven.de"
+   locations:
+    - location: "/"
+      config: |-
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_cache_bypass $http_upgrade;
+        proxy_redirect off;
+ - name: "sso.c3heaven.de"
+   locations:
+    - location: "/"
+      config: |-
+        proxy_pass http://127.0.0.1:8080/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port   443;
+    - location: "= /"
+      config: "return 301 https://sso.c3heaven.de/auth/realms/master/account;"
+ - name: "wiki.c3heaven.de"
+   options:
+    - "client_max_body_size 100M;"
+    - "client_body_buffer_size 128k;"
+    - "root /var/www/dokuwiki;"
+    - "index doku.php;"
+   locations:
+    - location: "~ /(conf/|bin/|inc/|install.php)"
+      config: "deny all;"
+    - location: "~ ^/data/"
+      config: "internal;"
+    - location: '~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$'
+      config: "expires 365d;"
+    - location: "/"
+      config: "try_files $uri $uri/ @dokuwiki;"
+    - location: "@dokuwiki"
+      config: |-
+        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+        rewrite ^/(.*) /doku.php?id=$1&$args last;
+    - location: '~ \.php$'
+      config: |-
+        try_files $uri $uri/ /doku.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param REDIRECT_STATUS 200;
+        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+
 nginx_http_locations:
  - location: "/"
-   config: |
+   config: |-
      access_log off;
      log_not_found off;
      return 301 https://$host$request_uri;
 
 nginx_https_default_headers:
- - name: "Strict-Transport-Security"
-   value: "max-age=31536000; includeSubDomains"
- - name: "X-XSS-Protection"
-   value: "1; mode=block"
- - name: "X-Frame-Options"
-   value: "DENY"
- - name: "X-Content-Type-Options"
-   value: "nosniff"
- - name: "Referrer-Policy"
-   value: "same-origin"
+ - 'Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+ - 'X-XSS-Protection "1; mode=block"'
+ - 'X-Frame-Options "DENY"'
+ - 'X-Content-Type-Options "nosniff"'
+ - 'Referrer-Policy "same-origin"'
 
 rspamd_enabled: true
 

roles/nginx-http/defaults/main.yml

@@ -2,7 +2,7 @@ acmetool_webroot: "/var/lib/acme/webroot"
 
 nginx_http_locations:
  - location: "/"
-   config: |
+   config: |-
      root /var/www/html;
 
 nginx_worker_processes: "auto"

roles/nginx-http/templates/default.j2

@@ -4,8 +4,8 @@ server {
 
   listen 80;
   listen [::]:80;
-
 {% for location in nginx_http_locations %}
+
   location {{ location.location }} {
 {{ location.config | indent(width=4, indentfirst=True) }}
   }

roles/nginx-https/defaults/main.yml

@@ -11,4 +11,3 @@ nginx_https_sites:
     - location: "/"
       config: |
         root /var/www/html;
-   headers: null

roles/nginx-https/tasks/main.yml

@@ -3,6 +3,12 @@
   args:
     creates: "{{ nginx_ssl_dhparam }}"
 
+- name: generic ssl configuration
+  template:
+    src: "ssl.conf.j2"
+    dest: "/etc/nginx/ssl.conf"
+  notify: restart nginx
+
 - name: configure the https sites
   template:
     src: "https-site.j2"

roles/nginx-https/templates/https-site.j2

@@ -2,34 +2,30 @@
 
 server {
 
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-
   server_name {{ item.name }};
-
   ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
   ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
-  ssl_dhparam {{ nginx_ssl_dhparam }};
-  ssl_protocols {{ nginx_ssl_protocols }};
-  ssl_ciphers {{ nginx_ssl_ciphers }};
-  ssl_prefer_server_ciphers on;
 
-{% if nginx_https_default_headers %}
-{% for header in nginx_https_default_headers %}
-  add_header {{ header.name }} "{{ header.value }}";
+  include ssl.conf;
+{% if "options" in item %}
+
+{% for option in item.options %}
+  {{ option }}
 {% endfor %}
 {% endif %}
+{% if "headers" in item %}
 
-{% if item.headers %}
 {% for header in item.headers %}
-  add_header {{ header.name }} "{{ header.value }}";
+  add_header {{ header }};
 {% endfor %}
 {% endif %}
-
+{% if "locations" in item %}
 {% for location in item.locations %}
+
   location {{ location.location }} {
 {{ location.config | indent(width=4, indentfirst=True) }}
   }
 {% endfor %}
+{% endif %}
 
 }

roles/nginx-https/templates/ssl.conf.j2

+# {{ ansible_managed }}
+
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+ssl_dhparam {{ nginx_ssl_dhparam }};
+ssl_protocols {{ nginx_ssl_protocols }};
+ssl_ciphers {{ nginx_ssl_ciphers }};
+ssl_prefer_server_ciphers on;
+
+{% if nginx_https_default_headers %}
+{% for header in nginx_https_default_headers %}
+add_header {{ header }};
+{% endfor %}
+{% endif %}