From 5e0e0ac3a00a218e3cfd76748c9aee8e42023bef Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Sun, 6 Oct 2024 17:45:18 +0200
Subject: [PATCH] web_svc: add uisp config to ansible

---
 group_vars/all/vars.yml | 3 +++
 roles/web_svc/tasks/main.yml | 1 +
 roles/web_svc/templates/uisp_certs.j2 | 15 +++++++++++
 roles/web_svc/templates/uisp_vhost.j2 | 38 +++++++++++++++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 roles/web_svc/templates/uisp_certs.j2
 create mode 100644 roles/web_svc/templates/uisp_vhost.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 1df12ec..6db469a 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -83,3 +83,6 @@
 speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
 speedtest_secret: "{{ vault_speedtest_secret }}"
 tileserver_domain: tiles.regensburg.freifunk.net
+
+web_services:
+- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
diff --git a/roles/web_svc/tasks/main.yml b/roles/web_svc/tasks/main.yml
index 12e341f..f21c6f0 100644
--- a/roles/web_svc/tasks/main.yml
+++ b/roles/web_svc/tasks/main.yml
@@ -5,4 +5,5 @@
 with_items: "{{ web_services }}"
 vars:
 domain: "{{ item.domain }}"
+ domains: "{{ item.domains }}"
 web_svc: "{{ item.id }}"
diff --git a/roles/web_svc/templates/uisp_certs.j2 b/roles/web_svc/templates/uisp_certs.j2
new file mode 100644
index 0000000..584b5ea
--- /dev/null
+++ b/roles/web_svc/templates/uisp_certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ domains }}:
+- path: /etc/nginx/ssl/{{ domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/web_svc/templates/uisp_vhost.j2 b/roles/web_svc/templates/uisp_vhost.j2
new file mode 100644
index 0000000..fdfb211
--- /dev/null
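Review bot: The new `web_services` entry is a one-line flow mapping holding three fields, which is harder to read and diff than block style once more services are added; `- id: uisp`, `  domain: uisp.regensburg.freifunk.net`, `  domains: uisp.ffrgb.net uisp.regensburg.freifunk.net` on three lines says the same thing. `domains` is a whitespace-separated string rather than a YAML list, which matches the `speedtest_domains` convention in the context line above and is what the templates in this patch expect, so a short comment such as `# domains: whitespace-separated; domain must be one of them (it names the cert files)` would keep later entries consistent. As written the flow mapping is still valid YAML, because a plain scalar in flow context may contain spaces and ends only at `,` or `}`.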
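Review bot: `domains: "{{ item.domains }}"` is added without a default, so any `web_services` entry that only carries `domain` now fails the task with an undefined-variable error instead of falling back to its single name; `domains: "{{ item.domains | default(item.domain) }}"` keeps such entries working. The enclosing task (its name and module) starts above the hunk, so whether this is an `include_tasks` or a `template` loop cannot be seen here.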
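Review bot: The mapping key `{{ domains }}:` is an unquoted templated scalar, so a `domains` value that is empty or starts with a YAML indicator would silently change the document's structure rather than fail clearly; `'{{ domains }}':` costs nothing, and the same applies to the two `path:` values. `action: '/usr/sbin/service nginx restart'` presumably runs after each certificate renewal, and a `reload` would pick up the new key pair without dropping in-flight connections, though whether the consumer of this file allows that depends on the tooling behind `format:` and `action:`, which is not shown. Key and certificate owned by root with `perm: '400'` is the right setting for files nginx reads in its master process.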
+++ b/roles/web_svc/templates/uisp_vhost.j2
@@ -0,0 +1,38 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ domains }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ domains }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ domain }}.crt;
+
+ allow 2001:678:ddc::/48;
+ deny all;
+
+ location /nms {
+ proxy_pass https://10.90.224.101:443/nms;
+
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ }
+}
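Review bot: `proxy_pass https://10.90.224.101:443/nms;` in the `location /nms` block relies on nginx's default of not verifying the upstream certificate (`proxy_ssl_verify` is off unless set), so the hop to the NMS host is encrypted but not authenticated. If the upstream certificate chains to a CA the proxy can trust, add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /path/to/UPSTREAM_CA_PLACEHOLDER.pem;` and `proxy_ssl_server_name on;` beside it; if it is self-signed, a comment stating that verification is deliberately off would at least record the decision. The block also forwards `Connection $http_connection` but leaves `proxy_http_version` at its 1.0 default and never sets `Upgrade`, so if the NMS UI uses WebSockets those connections will presumably not upgrade; `proxy_http_version 1.1;` and `proxy_set_header Upgrade $http_upgrade;` would cover that.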