prepare nginx vhost deployment
This commit is contained in:
parent
182fcd0ae5
commit
9d1f23581b
|
@ -6,3 +6,16 @@ pve_tls_source_use_content: False
|
|||
pve_tls_source_use_files: True
|
||||
pve_tls_cert_source: mycert.pem
|
||||
pve_tls_key_source: mykey.pem
|
||||
|
||||
pve_nginx_vhost_enabled: False
|
||||
pve_server_name: pve.example.com
|
||||
pve_server_ip: 127.0.0.1
|
||||
pve_server_port: 8006
|
||||
pve_nginx_server: myinventoryname
|
||||
pve_nginx_vhost_dir: /etc/nginx/sites-available
|
||||
pve_nginx_vhost_symlink: /etc/nginx/sites-enabled
|
||||
pve_nginx_iptables_enabled: False
|
||||
|
||||
pve_nginx_tls_enabled: True
|
||||
pve_nginx_tls_cert_file: mycert.pem
|
||||
pve_nginx_tls_key_file: mykey.pem
|
||||
|
|
|
@ -2,3 +2,5 @@
|
|||
- import_tasks: tls.yml
|
||||
when: pve_tls_enabled
|
||||
tags: tls_renewal
|
||||
- import_tasks: nginx.yml
|
||||
when: unifi_nginx_vhost_enabled
|
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
- block:
|
||||
- name: Copy certs and private key to nginx proxy (content)
|
||||
copy:
|
||||
content: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { src: "{{ pve_tls_key_source }}", dest: '/etc/pki/tls/private/{{ pve_nginx_tls_key_file }}', mode: '0600' }
|
||||
- { src: "{{ pve_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
notify: __nginx_reload
|
||||
when: pve_tls_source_use_content
|
||||
|
||||
- name: Copy certs and private key to nginx proxy (files)
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { src: "{{ pve_tls_key_source }}", dest: '/etc/pki/tls/private/{{ pve_nginx_tls_key_file }}', mode: '0600' }
|
||||
- { src: "{{ pve_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
notify: __nginx_reload
|
||||
when: pve_tls_source_use_files
|
||||
delegate_to: "{{ pve_nginx_server }}"
|
||||
when: pve_nginx_tls_enabled
|
||||
become: True
|
||||
become_user: root
|
||||
tags: tls_renewal
|
||||
|
||||
- block:
|
||||
- name: Add vhost configuration file
|
||||
template:
|
||||
src: nginx/vhost.j2
|
||||
dest: "{{ pve_nginx_vhost_dir }}/pve"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Enable pve vhost
|
||||
file:
|
||||
src: "{{ pve_nginx_vhost_dir }}/pve"
|
||||
dest: "{{ pve_nginx_vhost_symlink }}/pve"
|
||||
owner: root
|
||||
group: root
|
||||
state: link
|
||||
notify: __nginx_reload
|
||||
when: pve_nginx_vhost_symlink is defined
|
||||
|
||||
- name: Open ports in iptables
|
||||
iptables_raw:
|
||||
name: allow_pve_nginx_proxy
|
||||
state: present
|
||||
rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ pve_server_ip }} --dport {{ pve_server_port }} -j ACCEPT'
|
||||
when: pve_nginx_iptables_enabled
|
||||
delegate_to: "{{ pve_nginx_server }}"
|
||||
become: True
|
||||
become_user: root
|
|
@ -0,0 +1,55 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
upstream backend_pve {
|
||||
server {{ pve_server_ip }}:{{ pve_server_port }};
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name {{ pve_server_name }};
|
||||
|
||||
{% if pve_nginx_tls_enabled %}
|
||||
return 301 https://$server_name$request_uri;
|
||||
{% else %}
|
||||
proxy_redirect off;
|
||||
location / {
|
||||
proxy_pass https://backend_pve;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_buffering off;
|
||||
client_max_body_size 0;
|
||||
proxy_connect_timeout 3600s;
|
||||
proxy_read_timeout 3600s;
|
||||
proxy_send_timeout 3600s;
|
||||
send_timeout 3600s;
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if pve_nginx_tls_enabled %}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name {{ pve_server_name }};
|
||||
|
||||
proxy_redirect off;
|
||||
|
||||
location / {
|
||||
proxy_pass https://backend_pve;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_buffering off;
|
||||
client_max_body_size 0;
|
||||
proxy_connect_timeout 3600s;
|
||||
proxy_read_timeout 3600s;
|
||||
proxy_send_timeout 3600s;
|
||||
send_timeout 3600s;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/pki/tls/certs/{{ pve_nginx_tls_cert_file }};
|
||||
ssl_certificate_key /etc/pki/tls/private/{{ pve_nginx_tls_key_file }};
|
||||
}
|
||||
{% endif %}
|
Loading…
Reference in New Issue