prepare nginx vhost deployment

This commit is contained in:
Robert Kaussow 2018-11-01 23:35:53 +01:00
parent 182fcd0ae5
commit 9d1f23581b
4 changed files with 132 additions and 0 deletions


@ -6,3 +6,16 @@ pve_tls_source_use_content: False
pve_tls_source_use_files: True
pve_tls_cert_source: mycert.pem
pve_tls_key_source: mykey.pem
pve_nginx_vhost_enabled: False
pve_server_name: pve.example.com
pve_server_ip: 127.0.0.1
pve_server_port: 8006
pve_nginx_server: myinventoryname
pve_nginx_vhost_dir: /etc/nginx/sites-available
pve_nginx_vhost_symlink: /etc/nginx/sites-enabled
pve_nginx_iptables_enabled: False
pve_nginx_tls_enabled: True
pve_nginx_tls_cert_file: mycert.pem
pve_nginx_tls_key_file: mykey.pem
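Review bot: The new defaults carry no comments, and two of them are placeholders that the role cannot run with unless overridden: `pve_nginx_server: myinventoryname` is the `delegate_to` target for every task in tasks/nginx.yml, so an inventory host of that name must exist, and `pve_server_ip`/`pve_server_port` describe the upstream the proxy connects to. A one-line comment above each, e.g. `# inventory hostname of the nginx proxy; all tasks in nginx.yml are delegated to it`, would make the required overrides obvious. The booleans follow the file's existing `True`/`False` spelling; yamllint's truthy rule would prefer `true`/`false`, but that is a file-wide choice rather than a problem with this hunk alone. The hunk shows only part of the defaults file.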


@ -2,3 +2,5 @@
- import_tasks: tls.yml
when: pve_tls_enabled
tags: tls_renewal
- import_tasks: nginx.yml
when: unifi_nginx_vhost_enabled
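Review bot: `when: unifi_nginx_vhost_enabled` on the new import references a variable this role does not define; the defaults added in the same commit are named `pve_nginx_vhost_enabled`, so this looks like a copy-paste from another role and will raise an undefined-variable error as soon as the conditional is evaluated. Change the line to `when: pve_nginx_vhost_enabled`. The enclosing task list starts before the hunk.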

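--- /dev/null
+++ b/tasks/nginx.yml
@@ -0,0 +1,62 @@
+---
+- block:
+- name: Copy certs and private key to nginx proxy (content)
+copy:
+content: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+with_items:
+- { src: "{{ pve_tls_key_source }}", dest: '/etc/pki/tls/private/{{ pve_nginx_tls_key_file }}', mode: '0600' }
+- { src: "{{ pve_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+notify: __nginx_reload
+when: pve_tls_source_use_content
+- name: Copy certs and private key to nginx proxy (files)
+copy:
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+with_items:
+- { src: "{{ pve_tls_key_source }}", dest: '/etc/pki/tls/private/{{ pve_nginx_tls_key_file }}', mode: '0600' }
+- { src: "{{ pve_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+notify: __nginx_reload
+when: pve_tls_source_use_files
+delegate_to: "{{ pve_nginx_server }}"
+when: pve_nginx_tls_enabled
+become: True
+become_user: root
+tags: tls_renewal
+- block:
+- name: Add vhost configuration file
+template:
+src: nginx/vhost.j2
+dest: "{{ pve_nginx_vhost_dir }}/pve"
+owner: root
+group: root
+mode: 0640
+notify: __nginx_reload
+- name: Enable pve vhost
+file:
+src: "{{ pve_nginx_vhost_dir }}/pve"
+dest: "{{ pve_nginx_vhost_symlink }}/pve"
+owner: root
+group: root
+state: link
+notify: __nginx_reload
+when: pve_nginx_vhost_symlink is defined
+- name: Open ports in iptables
+iptables_raw:
+name: allow_pve_nginx_proxy
+state: present
+rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ pve_server_ip }} --dport {{ pve_server_port }} -j ACCEPT'
+when: pve_nginx_iptables_enabled
+delegate_to: "{{ pve_nginx_server }}"
+become: True
+become_user: root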
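Review bot: `when: pve_nginx_vhost_symlink is defined` on the "Enable pve vhost" task can never skip the task, because the same commit gives `pve_nginx_vhost_symlink` a default value in the defaults file; if the symlink is meant to be optional, default the variable to `null` and test its value instead, e.g. `when: pve_nginx_vhost_symlink`. Separately, the content variant of the copy task writes the private key from `pve_tls_key_source` through `content:`; the loop label keeps it out of normal task output, but a run with `--diff` would still print the key material, so add `no_log: true` to that task. Both loops install the certificate with `mode: '0750'`, which sets an execute bit on a PEM file; `'0644'` (or `'0640'` if the group must not be world) is the conventional mode for a public certificate. The unquoted `mode: 0640` on the template task is inconsistent with the quoted modes above it and is worth quoting for the same reason.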


@ -0,0 +1,55 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
upstream backend_pve {
server {{ pve_server_ip }}:{{ pve_server_port }};
}
server {
listen 80;
server_name {{ pve_server_name }};
{% if pve_nginx_tls_enabled %}
return 301 https://$server_name$request_uri;
{% else %}
proxy_redirect off;
location / {
proxy_pass https://backend_pve;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
}
{% endif %}
}
{% if pve_nginx_tls_enabled %}
server {
listen 443 ssl;
server_name {{ pve_server_name }};
proxy_redirect off;
location / {
proxy_pass https://backend_pve;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
client_max_body_size 0;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
}
ssl_certificate /etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }};
ssl_certificate_key /etc/pki/tls/private/{{ pve_nginx_tls_key_file }};
}
{% endif %}
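Review bot: The `location /` stanza is duplicated verbatim between the port-80 server in the `{% else %}` branch and the port-443 server, which invites drift when one copy is edited; a Jinja macro or an included snippet rendered in both places would keep a single definition. On the security side, `proxy_pass https://backend_pve` runs with nginx's default `proxy_ssl_verify off`, so the upstream certificate is never checked — acceptable for the default `127.0.0.1` upstream, but worth a comment such as `# upstream certificate is not verified; set proxy_ssl_verify/proxy_ssl_trusted_certificate for a remote backend`. The 443 block also inherits nginx's default `ssl_protocols`, which on releases of that era still include TLSv1 and TLSv1.1, so pinning them (e.g. `ssl_protocols TLSv1.2;`) next to the `ssl_certificate` lines would be prudent. The template's path is not shown in the hunk header.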