web_svc: add uisp config to ansible

group_vars/all/vars.yml

@@ -83,3 +83,6 @@ speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
 speedtest_secret: "{{ vault_speedtest_secret }}"
 
 tileserver_domain: tiles.regensburg.freifunk.net
+
+web_services:
+- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }

roles/web_svc/tasks/main.yml

@@ -5,4 +5,5 @@
   with_items: "{{ web_services }}"
   vars:
     domain: "{{ item.domain }}"
+    domains: "{{ item.domains }}"
     web_svc: "{{ item.id }}"

roles/web_svc/templates/uisp_certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ domains }}:
+- path: /etc/nginx/ssl/{{ domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/web_svc/templates/uisp_vhost.j2

@@ -0,0 +1,38 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ domains }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ domains }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ domain }}.crt;
+
+	allow 2001:678:ddc::/48;
+	deny all;
+
+	location /nms {
+		proxy_pass https://10.90.224.101:443/nms;
+
+		proxy_set_header Host $host;
+		proxy_set_header Connection $http_connection;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Scheme $scheme;
+	}
+}