diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index f102ee4..0f2fbba 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -47,14 +47,8 @@ pve_targets: - pve01.ffrgb - pve02.ffrgb -rev_proxy: -- domain: tiles.regensburg.freifunk.net - aliases: - - 1.omt.regensburg.freifunk.net - - 2.omt.regensburg.freifunk.net - - 3.omt.regensburg.freifunk.net - - 4.omt.regensburg.freifunk.net - target: "http://10.90.224.104:8080" - site: ffrgb site_domain: regensburg.freifunk.net + +web_services: +- { id: tiles, domain: tiles.regensburg.freifunk.net } diff --git a/roles/web-svc/tasks/main.yml b/roles/web-svc/tasks/main.yml index d777177..12e341f 100644 --- a/roles/web-svc/tasks/main.yml +++ b/roles/web-svc/tasks/main.yml @@ -1,9 +1,8 @@ --- -- name: Setup reverse proxy - include_tasks: reverse.yml - with_items: "{{ rev_proxy }}" +- name: Setup web service + include_tasks: websvc.yml + with_items: "{{ web_services }}" vars: - rev_domain: "{{ item.domain }}" - rev_aliases: "{{ item.aliases }}" - rev_target: "{{ item.target }}" + domain: "{{ item.domain }}" + web_svc: "{{ item.id }}" diff --git a/roles/web-svc/tasks/reverse.yml b/roles/web-svc/tasks/reverse.yml deleted file mode 100644 index 9d6fef0..0000000 --- a/roles/web-svc/tasks/reverse.yml +++ /dev/null 
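Review bot: The backend address and the four `*.omt` aliases are no longer data in `web_services` but are baked into the `tiles_*` templates, so the only thing left to vary per environment is the domain; if a second site or a staging backend is ever needed, the template has to be forked rather than configured. Consider keeping `aliases` and `target` on the entry, e.g. `- { id: tiles, domain: tiles.regensburg.freifunk.net, target: "http://10.90.224.104:8080" }`, and reading them in the template. Separately, the rest of this file uses block style for lists of mappings, so `- id: tiles` / `  domain: …` on two lines would match the surrounding convention better than the flow mapping.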
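Review bot: `domain` is a very generic variable name to set at include-vars precedence: inside `websvc.yml` and the templates it will shadow any host or group variable of the same name, and `item.id` is used unchecked as both a template name and a path segment under `/etc/nginx/sites-*`. A more specific name, e.g. `web_svc_domain`, avoids the shadowing, and since this file already uses `include_tasks` the `loop:` form with `loop_control: {loop_var: svc}` is the current Ansible idiom over `with_items`. The ids come from `group_vars`, so the path use is operator-controlled rather than an injection risk, but a comment noting that `id` must be a plain token (no `/` or `..`) would document the assumption.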
@@ -1,17 +0,0 @@ ---- - -- name: Ensure certificates are available - command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ rev_domain }}.key -out /etc/nginx/ssl/{{ rev_domain }}.crt -days 730 -subj "/CN={{ rev_domain }}" creates=/etc/nginx/ssl/{{ rev_domain }}.crt - notify: Restart nginx - -- name: Configure certificate manager - template: src=rev_certs.j2 dest=/etc/acertmgr/{{ rev_domain }}.conf - notify: Run acertmgr - -- name: Configure vhosts - template: src=rev_vhost.j2 dest=/etc/nginx/sites-available/{{ rev_domain }} - notify: Restart nginx - -- name: Enable vhosts - file: src=/etc/nginx/sites-available/{{ rev_domain }} dest=/etc/nginx/sites-enabled/{{ rev_domain }} state=link - notify: Restart nginx diff --git a/roles/web-svc/tasks/websvc.yml b/roles/web-svc/tasks/websvc.yml new file mode 100644 index 0000000..a82d68a --- /dev/null +++ b/roles/web-svc/tasks/websvc.yml @@ -0,0 +1,17 @@ +--- + +- name: Ensure certificates are available + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ domain }}.key -out /etc/nginx/ssl/{{ domain }}.crt -days 730 -subj "/CN={{ domain }}" creates=/etc/nginx/ssl/{{ domain }}.crt + notify: Restart nginx + +- name: Configure certificate manager + template: src={{ web_svc }}_certs.j2 dest=/etc/acertmgr/{{ domain }}.conf + notify: Run acertmgr + +- name: Configure vhosts + template: src={{ web_svc }}_vhost.j2 dest=/etc/nginx/sites-available/{{ web_svc }} + notify: Restart nginx + +- name: Enable vhosts + file: src=/etc/nginx/sites-available/{{ web_svc }} dest=/etc/nginx/sites-enabled/{{ web_svc }} state=link + notify: Restart nginx diff --git a/roles/web-svc/templates/rev_certs.j2 b/roles/web-svc/templates/rev_certs.j2 deleted file mode 100644 index a7d0067..0000000 --- a/roles/web-svc/templates/rev_certs.j2 +++ /dev/null 
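Review bot: The bootstrap private key written by the `openssl req … -nodes -keyout /etc/nginx/ssl/{{ domain }}.key` task is left with whatever mode openssl happens to use; the `command` module does not set permissions, and the `perm: '400'` in the acertmgr config only applies once acertmgr has replaced the file. Because of `creates=`, this placeholder key persists untouched on hosts where acertmgr never succeeds, so it is worth pinning explicitly right after that task: `- file: path=/etc/nginx/ssl/{{ domain }}.key owner=root group=root mode=0600` (and `0644` or `0600` for the `.crt`). Current OpenSSL versions do write the key with 0600, but that is not something this playbook should rely on. The tasks also use `key=value` module args; native YAML args (`command:` with `cmd:`/`creates:`, `template:` with `src:`/`dest:`) are the preferred form and avoid the whitespace-splitting of the templated `-subj "/CN={{ domain }}"`.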
@@ -1,15 +0,0 @@ ---- - -{{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}: -- path: /etc/nginx/ssl/{{ rev_domain }}.crt - user: root - group: root - perm: '400' - format: crt,ca - action: '/usr/sbin/service nginx restart' -- path: /etc/nginx/ssl/{{ rev_domain }}.key - user: root - group: root - perm: '400' - format: key - action: '/usr/sbin/service nginx restart' diff --git a/roles/web-svc/templates/rev_vhost.j2 b/roles/web-svc/templates/rev_vhost.j2 deleted file mode 100644 index d88b7d2..0000000 --- a/roles/web-svc/templates/rev_vhost.j2 +++ /dev/null @@ -1,30 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name {{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}; - - location /.well-known/acme-challenge { - default_type "text/plain"; - alias /var/www/acme-challenge; - } - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name {{ rev_domain }}{% if rev_aliases %}{% for alias in rev_aliases %} {{ alias }}{% endfor %}{% endif %}; - - ssl_certificate_key /etc/nginx/ssl/{{ rev_domain }}.key; - ssl_certificate /etc/nginx/ssl/{{ rev_domain }}.crt; - - location / { - proxy_set_header X-Forwarded-For $remote_addr; - proxy_pass {{ rev_target }}; - } -} diff --git a/roles/web-svc/templates/tiles_certs.j2 b/roles/web-svc/templates/tiles_certs.j2 new file mode 100644 index 0000000..279409b --- /dev/null +++ b/roles/web-svc/templates/tiles_certs.j2 
@@ -0,0 +1,15 @@ +--- + +{{ domain }} 1.omt.regensburg.freifunk.net 2.omt.regensburg.freifunk.net 3.omt.regensburg.freifunk.net 4.omt.regensburg.freifunk.net: +- path: /etc/nginx/ssl/{{ domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ domain }}.key + user: root + group: root + perm: '400' + format: key + action: '/usr/sbin/service nginx restart' diff --git a/roles/web-svc/templates/tiles_vhost.j2 b/roles/web-svc/templates/tiles_vhost.j2 new file mode 100644 index 0000000..c8f1479 --- /dev/null +++ b/roles/web-svc/templates/tiles_vhost.j2 @@ -0,0 +1,30 @@ +server { + listen 80; + listen [::]:80; + + server_name {{ domain }} 1.omt.regensburg.freifunk.net 2.omt.regensburg.freifunk.net 3.omt.regensburg.freifunk.net 4.omt.regensburg.freifunk.net; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /var/www/acme-challenge; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ domain }} 1.omt.regensburg.freifunk.net 2.omt.regensburg.freifunk.net 3.omt.regensburg.freifunk.net 4.omt.regensburg.freifunk.net; + + ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ domain }}.crt; + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://10.90.224.104:8080; + } +}
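Review bot: The SAN list `1.omt… 4.omt.regensburg.freifunk.net` on the acertmgr key line is duplicated verbatim in `tiles_vhost.j2`'s two `server_name` directives, so adding or removing an alias in one file and not the other silently yields a certificate that does not cover a name nginx serves (or vice versa). Keeping the list in one place, e.g. a `tiles_aliases` list in `group_vars` rendered here as `{{ domain }} {{ tiles_aliases | join(' ') }}:`, makes the certificate and the vhost agree by construction. A one-line comment above the key, `{# names here must match server_name in tiles_vhost.j2 #}`, would at least flag the coupling if the duplication is kept.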
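Review bot: The `location /` in the 443 server forwards only `X-Forwarded-For`; without `proxy_set_header Host $host;` the backend sees `10.90.224.104:8080` as the host, and without `proxy_set_header X-Forwarded-Proto https;` it cannot tell the client connected over TLS, which is what typically produces `http://` links or redirects from behind the proxy. Setting `X-Forwarded-For` to `$remote_addr` rather than appending to a client-supplied header is the right call here and should be kept. No `ssl_protocols`, `ssl_ciphers` or HSTS directives appear in this vhost; if they are not set globally in `nginx.conf` (not visible in this diff), the 443 block inherits nginx's defaults, and at minimum `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` belong here.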