
bye bye relayd, hello nginx

Cullum Smith 2 years ago
parent
commit
20bbcacef0

+ 1
- 1
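--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 prosody_proxy_port: 5000
 open_ports: null
-relayd_https_port: 8443
 synapse_federation_port: 8448
+synapse_client_port: 8008
 synapse_turn_port: 3478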

+ 4
- 2
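--- a/roles/base/files/newsyslog.conf
+++ b/roles/base/files/newsyslog.conf
@@ -9,8 +9,10 @@
 /var/log/wtmp				644  7     *    $W6D4 B
 /var/log/xferlog			640  7     250  *     Z
 /var/log/pflog				600  3     250  *     ZB "pkill -HUP -u root -U root -t - -x pflogd"
-/var/www/logs/access.log		644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"
-/var/www/logs/error.log			644  7     250  *     Z "pkill -USR1 -u root -U root -x httpd"
+/var/www/logs/acme-access.log		644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"
+/var/www/logs/acme-error.log			644  7     250  *     Z "pkill -USR1 -u root -U root -x httpd"
+/var/www/logs/access.log		644  4     *    $W0   Z "pkill -USR1 -u root -U root -x nginx"
+/var/www/logs/error.log			644  7     250  *     Z "pkill -USR1 -u root -U root -x nginx"
 
 /var/log/postgresql			640  5     300  *     Z
 /var/log/prosody			640  5     300  *     Z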

+ 5
- 0
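--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -112,3 +112,8 @@
   template:
     src: motd.j2
     dest: /etc/motd
+
+- name: generate dhparams
+  command: openssl dhparam -out /etc/ssl/dhparam.pem 2048
+  args:
+    creates: /etc/ssl/dhparam.pem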

+ 1
- 5
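--- a/roles/base/templates/pf.conf.j2
+++ b/roles/base/templates/pf.conf.j2
@@ -1,4 +1,4 @@
-inbound_tcp = "{ http, submission, imaps, domain, xmpp-client, xmpp-server, xmpp-bosh, {{ prosody_proxy_port }}, {{ znc_port }}, {{ sshd_port }}, {{ synapse_turn_port }}, {{ synapse_federation_port }} }"
+inbound_tcp = "{ http, https, submission, imaps, domain, xmpp-client, xmpp-server, {{ prosody_proxy_port }}, {{ znc_port }}, {{ sshd_port }}, {{ synapse_turn_port }}, {{ synapse_federation_port }}, {{ synapse_client_port }} }"
 inbound_udp = "{ domain, {{ synapse_turn_port }} }"
 
 {% if open_ports %}
@@ -25,10 +25,6 @@ pass proto icmp6
 pass in on {{ private_interface }}
 {% endif %}
 
-# relayd https
-pass in on egress inet  proto tcp to port https divert-to 127.0.0.1 port {{ relayd_https_port }}
-pass in on egress inet6 proto tcp to port https divert-to ::1       port {{ relayd_https_port }}
-
 # smtp/spamd
 pass in on egress inet proto tcp to port smtp divert-to 127.0.0.1 port spamd
 pass in on egress inet proto tcp from { <nospamd>, <spamd-white>, <bigmailers> } to port smtp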
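Review bot: Adding `{{ synapse_client_port }}` to `inbound_tcp` opens the Matrix client port to the world even though this same commit puts matrix.{{ domain }} behind nginx on 443: homeserver.yaml.j2 gains a second `tls: true` listener on that port bound to `{{ ip }}`/`{{ ip6 }}`, and the .well-known client file in roles/synapse/tasks/main.yml sends clients to `https://matrix.{{ domain }}:{{ synapse_client_port }}`, so Synapse terminates TLS itself in parallel with nginx and the protocol/cipher/HSTS settings in nginx.conf.j2 do not apply to the path clients are told to use. If nginx is meant to be the single TLS endpoint, drop `{{ synapse_client_port }}` here, remove the public listener, and point `base_url` at `https://matrix.{{ domain }}`; if the direct listener is intentional, a comment above `inbound_tcp` saying so would spare the next reader this cross-check.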

+ 1
- 1
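--- a/roles/dovecot/templates/dovecot.conf.j2
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -12,7 +12,7 @@ userdb {
 }
 
 # mail
-mail_location = maildir:~/Maildir
+mail_location = maildir:~/Maildir:LAYOUT=fs
 namespace inbox {
   separator = /
   inbox = yes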
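Review bot: Appending `LAYOUT=fs` to `mail_location` changes how Dovecot maps folder names to directories for every mailbox, including ones that already exist; folders stored under the previous default layout are not found under the fs layout unless they are converted first. If any account already has subfolders this needs a one-off migration before the template is rolled out, and if it is only safe for fresh installs a comment above the line saying so would prevent a later re-apply from quietly hiding mail.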

+ 7
- 2
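--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@@ -13,13 +13,18 @@
     dest: /etc/httpd.d/sites.conf
     force: no
 
+- name: create well-known directory
+  file:
+    path: /var/www/htdocs/well-known
+    state: directory
+
 - name: generate configuration
   template:
     src: '{{ item.0 }}.j2'
     dest: '{{ item.1 }}/{{ item.0 }}'
   with_together:
-    - [ 'httpd.conf', 'http.conf',    'https.conf'   ]
-    - [ '/etc',       '/etc/httpd.d', '/etc/httpd.d' ]
+    - [ 'httpd.conf', 'http.conf',    'https.conf',   'acme.conf'     ]
+    - [ '/etc',       '/etc/httpd.d', '/etc/httpd.d', '/etc/httpd.d' ]
   notify: reload httpd
 
 - name: enable daemon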
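Review bot: The new `create well-known directory` task leaves the permissions of /var/www/htdocs/well-known to the umask of whoever runs the play, yet httpd's chrooted `www` user has to traverse it to serve `/.well-known/*`; the synapse role in this commit adds a subdirectory and a file beneath it the same way. Stating `owner: root`, `group: wheel` and `mode: "0755"` on the task makes the result independent of the caller's environment and documents that the tree is meant to be world-readable but written only by root.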

+ 7
- 0
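--- a/roles/httpd/templates/acme.conf.j2
+++ b/roles/httpd/templates/acme.conf.j2
@@ -0,0 +1,7 @@
+location "/.well-known/acme-challenge/*" {
+  log style combined
+  log access "acme-access.log"
+  log error  "acme-error.log"
+  root "/acme"
+  request strip 2
+}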

+ 2
- 6
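--- a/roles/httpd/templates/http.conf.j2
+++ b/roles/httpd/templates/http.conf.j2
@@ -1,11 +1,7 @@
 listen on * port 80
+no log
 
-log style combined
-
-location "/.well-known/acme-challenge/*" {
-  root "/acme"
-  request strip 2
-}
+include "/etc/httpd.d/acme.conf"
 
 location * {
   block return 301 "https://$HTTP_HOST$REQUEST_URI"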

+ 3
- 6
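--- a/roles/httpd/templates/httpd.conf.j2
+++ b/roles/httpd/templates/httpd.conf.j2
@@ -4,17 +4,14 @@ types {
 
 server "default" {
   listen on * port 80
-  log style combined
+  no log
 
   root "/nonexistent"
 
-  location "/.well-known/acme-challenge/*" {
-    root "/acme"
-    request strip 2
-  }
+  include "/etc/httpd.d/acme.conf"
 
   location * {
-    block return 301 "https://www.{{ domain }}"
+    block return 301 "https://$HTTP_HOST$REQUEST_URI"
   }
 }
 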
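Review bot: In `server "default"` the redirect target is now built from `$HTTP_HOST`, and this is the server that catches requests whose Host header matches no configured name, so the Location header echoes whatever name or raw address the client sent rather than a canonical one. Browsers always send the real host, so the practical risk is low, but for a catch-all block the fixed form is the safer default: keep `block return 301 "https://www.{{ domain }}$REQUEST_URI"` here and use `$HTTP_HOST` only in the named vhosts, as http.conf.j2 already does.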

+ 1
- 2
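--- a/roles/httpd/templates/https.conf.j2
+++ b/roles/httpd/templates/https.conf.j2
@@ -1,3 +1,2 @@
 listen on 127.0.0.1 port {{ httpd_secure_port }}
-
-log style combined
+no log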

+ 7
- 12
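--- a/roles/httpd/templates/www.conf.j2
+++ b/roles/httpd/templates/www.conf.j2
@@ -2,16 +2,12 @@ server {{ domain }} {
   listen on * port 80
   root "/nonexistent"
 
-  location "/.well-known/acme-challenge/*" {
-    root "/acme"
-    request strip 2
-  }
+  include "/etc/httpd.d/acme.conf"
 
-  {% if use_mastodon %}
-  location "/.well-known/host-meta" {
-    block return 301 "https://mastodon.{{ domain }}$REQUEST_URI"
+  location "/.well-known/*" {
+    root "/htdocs/well-known"
+    request strip 1
   }
-  {% endif %}
 
   location * {
     block return 301 "https://www.{{ domain }}$REQUEST_URI"
@@ -22,11 +18,10 @@ server {{ domain }} {
   include "/etc/httpd.d/https.conf"
   root "/nonexistent"
 
-  {% if use_mastodon %}
-  location "/.well-known/host-meta" {
-    block return 301 "https://mastodon.{{ domain }}$REQUEST_URI"
+  location "/.well-known/*" {
+    root "/htdocs/well-known"
+    request strip 1
   }
-  {% endif %}
 
   location * {
     block return 301 "https://www.{{ domain }}$REQUEST_URI"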
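Review bot: The new `location "/.well-known/*"` also matches the acme-challenge path, so the challenge files are only served from `/acme` because `include "/etc/httpd.d/acme.conf"` with its narrower location comes first in each server block; that ordering is load-bearing and nothing in the file says so. A comment above each include, `# keep acme.conf above the /.well-known/* location: the first matching location wins`, protects it from a later reorder (assuming httpd resolves locations in order, which is what the current arrangement relies on). Both server blocks extend beyond the hunks shown.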

+ 2
- 0
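--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+httpd_secure_port: 8080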
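Review bot: `httpd_secure_port: 8080` is declared here and again in roles/ttrss/defaults/main.yml in this same commit, after being removed from roles/relayd/defaults/main.yml; with two role-level defaults for one value, nginx's `proxy_pass` target and httpd's `listen on 127.0.0.1 port {{ httpd_secure_port }}` can diverge silently if only one is edited. The commit already moves `synapse_client_port` into roles/base/defaults/main.yml, and `httpd_secure_port` belongs there for the same reason, with both role-level copies removed.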

+ 5
- 0
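--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded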

+ 52
- 0
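--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: install nginx
+  openbsd_pkg:
+    name: nginx
+    state: installed
+
+- name: chown logs directory
+  file:
+    path: /var/www/logs
+    state: directory
+    owner: www
+    group: wheel
+
+- name: create nginx log directory
+  file:
+    path: /var/www/logs/nginx
+    state: directory
+    owner: www
+    group: wheel
+
+- name: create sites directory
+  file:
+    path: /etc/nginx/sites
+    state: directory
+
+- name: generate nginx.conf
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+  notify: reload nginx
+
+- include: ../../../tasks/nginx_proxy.yml
+  vars:
+    name: www
+    port: '{{ httpd_secure_port }}'
+
+- include: ../../../tasks/nginx_proxy.yml
+  vars:
+    bare: true
+    port: '{{ httpd_secure_port }}'
+
+- name: start nginx
+  service:
+    name: nginx
+    state: started
+    enabled: yes
+
+- include: ../../../tasks/acme_hook.yml
+  vars:
+    name: nginx
+    shell: |
+      rcctl reload nginx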
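Review bot: `chown logs directory` hands /var/www/logs to `www`, but nginx.conf.j2 runs the workers as `user www;` while the master stays root, and the master is the process that opens access.log/error.log and reopens them on the USR1 that newsyslog.conf now sends. A compromised worker that can write the directory can swap a log file for a symlink and have root write through it on the next rotation, so the directory should stay root-owned (`owner: root`, `group: wheel`, `mode: "0755"`); only the files inside need to be writable by whoever writes them. The next task creates /var/www/logs/nginx with the same ownership, and nothing in nginx.conf.j2 or newsyslog.conf in this commit refers to that directory, so it looks like a leftover from an earlier layout.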

+ 44
- 0
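--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,44 @@
+user www;
+worker_processes {{ ansible_processor_cores }};
+
+worker_rlimit_nofile 1024;
+events {
+  worker_connections  800;
+}
+
+http {
+  include       mime.types;
+  default_type  application/octet-stream;
+  index         index.html index.htm;
+
+  access_log /var/www/logs/access.log;
+  error_log  /var/www/logs/error.log;
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+  server_tokens off;
+  #client_max_body_size 50m;
+  gzip on;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_prefer_server_ciphers on;
+
+  add_header Strict-Transport-Security "max-age=63072000;" always;
+
+  ssl_certificate /etc/ssl/{{ domain }}.fullchain.pem;
+  ssl_certificate_key /etc/ssl/private/{{ domain }}.key;
+  ssl_trusted_certificate /etc/ssl/{{ domain }}.fullchain.pem;
+  ssl_stapling_file /etc/ssl/{{ domain }}.der;
+
+  root /nonexistent;
+
+  include sites/*;
+}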
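Review bot: The `add_header Strict-Transport-Security "max-age=63072000;" always;` line carries a stray `;` inside the header value and drops the `includeSubDomains` (and `preload`) that the relayd protocol it replaces sent, so the HSTS policy is narrower than before without the commit saying why. It is also declared only at `http` level, and nginx stops inheriting `add_header` in any server or location that declares one of its own, which the bare vhost's `/.well-known` location in tasks/nginx_proxy.yml does with `add_header Access-Control-Allow-Origin *;`, so those responses go out with no HSTS at all. Write it as `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` and repeat that line in every location that adds headers of its own; `preload` is worth restoring only once every subdomain is confirmed HTTPS-only.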

+ 1
- 0
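--- a/roles/prosody/defaults/main.yml
+++ b/roles/prosody/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 prosody_proxy_port: 5000
+prosody_http_port: 5280
 prosody_push_anonymous: True
 prosody_upload_maxsize: 10485760   # 10 MB
 prosody_upload_expiration: 604800  # 1 week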

+ 5
- 0
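--- a/roles/prosody/handlers/main.yml
+++ b/roles/prosody/handlers/main.yml
@@ -7,3 +7,8 @@
 - name: reload prosody
   command: prosodyctl reload
   become_user: _prosody
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded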
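Review bot: This `reload nginx` handler is a verbatim copy of the one added to roles/nginx/handlers/main.yml in the same commit, and roles/synapse/handlers/main.yml, roles/ttrss/handlers/main.yml and roles/znc/handlers/main.yml each add the same copy because the shared tasks/nginx_proxy.yml notifies by name and Ansible only looks in the notifying role. One definition can serve all of them if the roles that proxy through nginx declare it as a dependency, or if the nginx role's handler adds `listen: reload nginx` so the notification reaches it from anywhere; either way the four copies stop being something to keep in sync.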

+ 10
- 6
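--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
@@ -62,14 +62,18 @@
     enabled: yes
     state: started
 
-- name: add letsencrypt renewal hook
-  copy:
-    content: |
-      #!/bin/sh
+- include: ../../../tasks/nginx_proxy.yml
+  vars:
+    name: xmpp
+    port: '{{ prosody_http_port }}'
+    max_body_size: 50m
+
+- include: ../../../tasks/acme_hook.yml
+  vars:
+    name: prosody
+    shell: |
       cp /etc/ssl/{{ domain }}.fullchain.pem /etc/prosody/certs/{{ domain }}.crt
       cp /etc/ssl/private/{{ domain }}.key /etc/prosody/certs/{{ domain }}.key
       chown root:_prosody /etc/prosody/certs/*
       chmod 640 /etc/prosody/certs/*
       doas -u _prosody /usr/local/sbin/prosodyctl reload
-    dest: /etc/acme/hooks.d/prosody.sh
-    mode: 0555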

+ 6
- 6
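--- a/roles/prosody/templates/prosody.cfg.lua.j2
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
@@ -62,12 +62,12 @@ storage = "sql"
 sql = { driver = "PostgreSQL", database = "prosody", username = "_prosody" }
 
 -- module configs ---
-http_ports = { }
-http_interfaces = { }
-https_interfaces = { "*" }
-https_ports = { 5280 }
-http_external_url = "https://xmpp.{{ domain }}:5280/"
-https_external_url = "https://xmpp.{{ domain }}:5280/"
+http_ports = { {{ prosody_http_port }} }
+http_interfaces = { "127.0.0.1" }
+https_interfaces = { }
+https_ports = { }
+http_external_url = "https://xmpp.{{ domain }}/"
+https_external_url = "https://xmpp.{{ domain }}/"
 proxy65_ports = { {{ prosody_proxy_port }} }
 http_upload_file_size_limit = {{ prosody_upload_maxsize }}
 http_upload_expire_after = {{ prosody_upload_expiration }}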
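Review bot: With `http_interfaces = { "127.0.0.1" }` every HTTP request (uploads, BOSH) now reaches Prosody from nginx, so any per-client logging or limiting in Prosody's HTTP stack sees 127.0.0.1 unless it is told to trust the proxy's X-Forwarded-For; Prosody's `trusted_proxies` option governs that, and recent releases default it to the loopback addresses, but the deployed version is not visible here. Setting `trusted_proxies = { "127.0.0.1" }` explicitly next to these lines, with a comment that the HTTP listener is only reachable through nginx, removes the dependence on the default and documents why `https_interfaces` is now empty.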

+ 0
- 5
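--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,5 +0,0 @@
----
-relayd_https_port: 8443
-httpd_secure_port: 8080
-synapse_client_port: 8008
-znc_web_port: 7667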

+ 0
- 5
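--- a/roles/relayd/handlers/main.yml
+++ b/roles/relayd/handlers/main.yml
@@ -1,5 +0,0 @@
----
-- name: reload relayd
-  service:
-    name: relayd
-    state: reloaded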

+ 0
- 20
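--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -1,20 +0,0 @@
----
-- name: generate configuration
-  template:
-    src: relayd.conf.j2
-    dest: /etc/relayd.conf
-  notify: reload relayd
-
-- name: enable and start daemon
-  service:
-    name: relayd
-    enabled: yes
-    state: started
-
-- name: add acme hook
-  copy:
-    content: |
-      #!/bin/sh
-      rcctl reload relayd
-    dest: /etc/acme/hooks.d/relayd.sh
-    mode: 0555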

+ 0
- 36
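--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -1,36 +0,0 @@
-table <httpd>   { 127.0.0.1 }
-table <matrix>  { 127.0.0.1 }
-table <znc>     { 127.0.0.1 }
-
-log connection
-
-http protocol "http" {
-  tcp { sack, nodelay, backlog 128 }
-  tls { no session tickets }
-
-  match header log "Host"
-
-  match request header append "X-Forwarded-For"   value "$REMOTE_ADDR"
-  match request header append "X-Forwarded-By"    value "$SERVER_ADDR:$SERVER_PORT"
-  match request header set "X-Forwarded-Proto" value "https"
-  match header set "Keep-Alive"        value "$TIMEOUT"
-
-  match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
-
-  block
-  pass request quick header "Host" value "{{ domain }}"        forward to <httpd>
-  pass request quick header "Host" value "www.{{ domain }}"    forward to <httpd>
-  pass request quick header "Host" value "ttrss.{{ domain }}"  forward to <httpd>
-  pass request quick header "Host" value "matrix.{{ domain }}" forward to <matrix>
-  pass request quick header "Host" value "znc.{{ domain }}"    forward to <znc>
-}
-
-relay "www" {
-  listen on 127.0.0.1 port {{ relayd_https_port }} tls
-  listen on ::1       port {{ relayd_https_port }} tls
-  protocol "http"
-  forward to <httpd>   port {{ httpd_secure_port }}
-  forward to <matrix>  port {{ synapse_client_port }}
-  forward to <znc>     port {{ znc_web_port }}
-  # sadly, prosody's http server doesnt work with relayd - returns 400/malformed
-}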

+ 4
- 6
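--- a/roles/spamd/tasks/main.yml
+++ b/roles/spamd/tasks/main.yml
@@ -48,10 +48,8 @@
     name: spamd
     state: started
 
-- name: add acme hook
-  copy:
-    content: |
-      #!/bin/sh
+- include: ../../../tasks/acme_hook.yml
+  vars:
+    name: spamd
+    shell: |
       rcctl restart spamd
-    dest: /etc/acme/hooks.d/spamd.sh
-    mode: 0555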

+ 5
- 0
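--- a/roles/synapse/handlers/main.yml
+++ b/roles/synapse/handlers/main.yml
@@ -13,3 +13,8 @@
   service:
     name: httpd
     state: reloaded
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded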

+ 31
- 12
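--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@@ -139,18 +139,37 @@
     enabled: yes
     state: started
 
-- name: generate matrix vhost
+- name: add well-known directory
+  file:
+    path: /var/www/htdocs/well-known/matrix
+    state: directory
+
+- name: add well-known json file
   copy:
     content: |
-      server matrix.{{ domain }} {
-        include "/etc/httpd.d/http.conf"
-        root "/nonexistent"
+      {
+        "m.homeserver": {
+          "base_url": "https://matrix.{{ domain }}:{{ synapse_client_port }}"
+        },
+        "m.identity_server": {
+          "base_url": "https://vector.im"
+        }
       }
-    dest: /etc/sites/matrix.conf
-  notify: reload httpd
-
-- name: enable matrix vhost
-  lineinfile:
-    path: /etc/httpd.d/sites.conf
-    line: include "/etc/sites/matrix.conf"
-  notify: reload httpd
+    dest: /var/www/htdocs/well-known/matrix/client
+
+- include: ../../../tasks/nginx_proxy.yml
+  vars:
+    name: matrix
+    port: '{{ synapse_client_port }}'
+    max_body_size: 50m
+
+- include: ../../../tasks/acme_hook.yml
+  vars:
+    name: synapse
+    shell: |
+      SRC="/etc/ssl/private/{{ domain }}.key"
+      DST="/etc/synapse/private/{{ domain }}.key"
+      cp "$SRC" "$DST"
+      chown root:_synapse "$DST"
+      chmod 640 "$DST"
+      rcctl restart synapse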
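Review bot: The renewal hook does `cp "$SRC" "$DST"` and only then `chown`/`chmod 640`, so the private key exists for a moment with whatever mode the caller's umask gives a fresh file; the prosody hook in this commit has the same copy-then-restrict sequence for its key. `install -o root -g _synapse -m 640 "$SRC" "$DST"` creates the file with the final owner and mode in one step and makes the intent readable. Separately, the `.well-known` file's `base_url` carries `:{{ synapse_client_port }}` while `public_baseurl` in homeserver.yaml.j2 in this commit is `https://matrix.{{ domain }}/`, so the address Synapse advertises for itself and the one it tells clients to use differ by port; they should agree on one.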

+ 16
- 5
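--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -1,16 +1,16 @@
 # vim:ft=yaml
 server_name: {{ domain }}
 
-tls_certificate_path: "{{ synapse_config_dir }}/homeserver.tls.crt"
-tls_private_key_path: "{{ synapse_config_dir }}/private/homeserver.tls.key"
-tls_dh_params_path: "{{ synapse_config_dir }}/homeserver.tls.dh"
+tls_certificate_path: "/etc/ssl/{{ domain }}.fullchain.pem"
+tls_private_key_path: "{{ synapse_config_dir }}/private/{{ domain }}.key"
+tls_dh_params_path: "/etc/ssl/dhparam.pem"
 no_tls: False
 tls_fingerprints: []
 
 pid_file: "{{ synapse_home }}/synapse.pid"
 
 web_client: False
-public_baseurl: https://matrix.{{ domain }}:{{ synapse_federation_port }}/
+public_baseurl: https://matrix.{{ domain }}/
 soft_file_limit: 0
 
 listeners:
@@ -27,9 +27,20 @@ listeners:
 
   - port: {{ synapse_client_port }}
     tls: false
-    bind_addresses: ['127.0.0.1']
+    bind_addresses: ['127.0.0.1', '::1']
     type: http
     x_forwarded: true
+    resources:
+      - names: [client]
+        compress: false
+      - names: [federation]
+        compress: false
+
+  - port: {{ synapse_client_port }}
+    tls: true
+    bind_addresses: ['{{ ip }}', '{{ ip6 }}']
+    type: http
+    x_forwarded: false
     resources:
       - names: [client]
         compress: true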
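Review bot: `tls_private_key_path` now points at `{{ synapse_config_dir }}/private/{{ domain }}.key`, a file that only the renewal hook added in roles/synapse/tasks/main.yml creates by copying from /etc/ssl/private; nothing in the diff copies it before the hook's first run, so on a fresh host the new `tls: true` listener has no key until the first renewal unless a task outside this diff does that copy. If that task exists, a comment above `tls_private_key_path` naming it would make the dependency visible; if not, the synapse role needs the same `install -o root -g _synapse -m 640` step at deploy time. The `listeners:` sequence continues past the end of the hunk.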

+ 1
- 0
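--- a/roles/ttrss/defaults/main.yml
+++ b/roles/ttrss/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 ttrss_uid: 902
 ttrss_repo: https://git.tt-rss.org/fox/tt-rss.git
+httpd_secure_port: 8080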

+ 5
- 0
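--- a/roles/ttrss/handlers/main.yml
+++ b/roles/ttrss/handlers/main.yml
@@ -4,6 +4,11 @@
     name: httpd
     state: reloaded
 
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
 - name: restart php-fpm
   service:
     name: php72_fpm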

+ 17
- 1
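--- a/roles/ttrss/tasks/main.yml
+++ b/roles/ttrss/tasks/main.yml
@@ -24,7 +24,7 @@
     owner: _ttrss
   become_user: _postgresql
 
-- name: generate ttrss vhost
+- name: generate httpd vhost
   template:
     src: httpd/ttrss.conf.j2
     dest: /etc/sites/ttrss.conf
@@ -36,6 +36,22 @@
     line: include "/etc/sites/ttrss.conf"
   notify: reload httpd
 
+- name: generate nginx vhost
+  copy:
+    content: |
+      server {
+        listen      443 ssl http2;
+        listen      [::]:443 ssl http2;
+        server_name ttrss.{{ domain }};
+        location / {
+          proxy_pass  http://127.0.0.1:{{ httpd_secure_port }}
+          proxy_set_header Host            $host;
+          proxy_set_header X-Forwarded-For $remote_addr;
+        }
+      }
+    dest: /usr/local/share/nginx/sites/ttrss.conf
+  notify: reload nginx
+
 - name: create php directories
   file:
     path: /var/www/cache/{{ item }}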
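Review bot: The inline nginx vhost is missing the `;` after `proxy_pass  http://127.0.0.1:{{ httpd_secure_port }}`, which nginx rejects when it parses the file, so the `reload nginx` handler fails as soon as this vhost is actually loaded. It is also written to /usr/local/share/nginx/sites/ttrss.conf, whereas nginx.conf.j2 in this commit does `include sites/*` and the nginx role creates /etc/nginx/sites for every other vhost, so unless /usr/local/share/nginx is nginx's configuration prefix on this host the file is never read and the syntax error goes unnoticed. Both problems go away by using the shared include the other roles use, which also restores the X-Forwarded-Proto header and body-size limit this copy lacks:
```yaml
- include: ../../../tasks/nginx_proxy.yml
  vars:
    name: ttrss
    port: '{{ httpd_secure_port }}'
```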

+ 0
- 5
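--- a/roles/ttrss/templates/httpd/ttrss.conf.j2
+++ b/roles/ttrss/templates/httpd/ttrss.conf.j2
@@ -1,8 +1,3 @@
-server ttrss.{{ domain }} {
-  include "/etc/httpd.d/http.conf"
-  root "/nonexistent"
-}
-
 server ttrss.{{ domain }} {
   include "/etc/httpd.d/https.conf"
   root "/htdocs/ttrss"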

+ 2
- 2
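--- a/roles/znc/handlers/main.yml
+++ b/roles/znc/handlers/main.yml
@@ -4,7 +4,7 @@
     name: znc
     state: restarted
 
-- name: reload httpd
+- name: reload nginx
   service:
-    name: httpd
+    name: nginx
     state: reloaded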

+ 9
- 22
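--- a/roles/znc/tasks/main.yml
+++ b/roles/znc/tasks/main.yml
@@ -60,27 +60,14 @@
     enabled: yes
     state: started
 
-- name: add letsencrypt renewal hook
-  copy:
-    content: |
-      #!/bin/sh
+- include: ../../../tasks/nginx_proxy.yml
+  vars:
+    name: znc
+    port: '{{ znc_web_port }}'
+
+- include: ../../../tasks/acme_hook.yml
+  vars:
+    name: znc
+    shell: |
       cat /etc/ssl/private/{{ domain }}.key /etc/ssl/{{ domain }}.crt /etc/ssl/{{ domain }}.chain.pem > /var/znc/znc.pem
       echo "znc.pem regenerated"
-    dest: /etc/acme/hooks.d/znc.sh
-    mode: 0555
-
-- name: enable znc vhost
-  lineinfile:
-    path: /etc/httpd.d/sites.conf
-    line: include "/etc/sites/znc.conf"
-  notify: reload httpd
-
-- name: enable http to https redirect
-  copy:
-    content: |
-      server znc.{{ domain }} {
-        include "/etc/httpd.d/http.conf"
-        root "/nonexistent"
-      }
-    dest: /etc/sites/znc.conf
-  notify: reload httpd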
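Review bot: `port: '{{ znc_web_port }}'` refers to a variable that this commit deletes together with roles/relayd/defaults/main.yml (`znc_web_port: 7667`), and no other file in the diff defines it again; unless the znc role's own defaults, which are not shown, already declare it, rendering the vhost fails on an undefined variable. Putting `znc_web_port: 7667` into roles/znc/defaults/main.yml (or into roles/base/defaults/main.yml next to `synapse_client_port`, which this commit moves there for the same reason) restores it.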

+ 1
- 1
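--- a/site.yml
+++ b/site.yml
@@ -11,7 +11,7 @@
     - { role: nsd,        tags: ['nsd']        }
     - { role: httpd,      tags: ['httpd']      }
     - { role: acme,       tags: ['acme']       }
-    - { role: relayd,     tags: ['relayd']     }
+    - { role: nginx,      tags: ['nginx']      }
     - { role: dovecot,    tags: ['dovecot']    }
     - { role: smtpd,      tags: ['smtpd']      }
     - { role: spamd,      tags: ['spamd']      }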

+ 8
- 0
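--- a/tasks/acme_hook.yml
+++ b/tasks/acme_hook.yml
@@ -0,0 +1,8 @@
+- name: add letsencrypt renewal hook
+  copy:
+    content: |
+      #!/bin/sh
+      {{ shell }}
+    dest: /etc/acme/hooks.d/{{ name }}.sh
+    mode: 0555
+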
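Review bot: Every renewal hook is now generated from this one template, but the script header is just `#!/bin/sh`, so a hook whose first command fails carries on: the prosody and synapse hooks in this commit copy a key and then chown/chmod it, and a failed copy leaves the old material in place while the later commands report success. Adding `set -eu` as the line after the shebang makes all of them stop at the first error at once. `mode: 0555` is read as an octal integer by Ansible's YAML loader and works, but `mode: "0555"` is the form that does not depend on that; the empty line at the end of the file is stray.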

+ 32
- 0
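--- a/tasks/nginx_proxy.yml
+++ b/tasks/nginx_proxy.yml
@@ -0,0 +1,32 @@
+- name: enable nginx vhost
+  copy:
+    content: |
+      server {
+        listen      443 ssl http2;
+        listen      [::]:443 ssl http2;
+        {% if bare | default(false) %}
+        server_name {{ domain }};
+        {% else %}
+        server_name {{ vhost | default(name + "." + domain) }};
+        {% endif %}
+        client_max_body_size {{ max_body_size | default('5m') }};
+        location / {
+          proxy_pass  http://127.0.0.1:{{ port }};
+          proxy_set_header Host              $host;
+          proxy_set_header X-Forwarded-For   $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_http_version 1.1;
+        }
+        {% if bare | default(false) %}
+        location /.well-known {
+          proxy_pass  http://127.0.0.1:{{ port }};
+          proxy_set_header Host              $host;
+          proxy_set_header X-Forwarded-For   $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_http_version 1.1;
+          add_header Access-Control-Allow-Origin *;
+        }
+        {% endif %}
+      }
+    dest: /etc/nginx/sites/{{ "bare" if (bare | default(false)) else name }}.conf
+  notify: reload nginx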
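Review bot: None of the vhosts this template produces is marked `default_server`, and nginx.conf.j2 pulls them in with `include sites/*`, so a request on 443 whose SNI or Host matches no `server_name` (a raw-IP scan, for instance) is served by whichever sites/*.conf sorts first, which with the names in this commit is the bare `{{ domain }}` vhost. A small catch-all, `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; return 444; }`, in nginx.conf.j2 keeps unknown hosts from landing on a real site. The `location /.well-known` block repeats the five proxy lines of `location /` only to add the CORS header; a comment above it, `# same upstream as /; exists only to add Access-Control-Allow-Origin for the matrix well-known files`, would explain the duplication to the next reader.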
