Diffstat (limited to 'roles/webservers')
-rw-r--r--roles/webservers/files/levi/http.rainrain.xyz.conf5
-rw-r--r--roles/webservers/files/levi/http.rainrainra.in.conf13
-rw-r--r--roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf2
-rw-r--r--roles/webservers/files/levi/https.party.simponic.xyz.conf2
-rw-r--r--roles/webservers/files/levi/https.rainrain.xyz.servconf19
-rw-r--r--roles/webservers/files/levi/https.rainrainra.in.conf25
-rw-r--r--roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf2
-rw-r--r--roles/webservers/files/levi/https.simponic.hatecomputers.club.conf2
-rw-r--r--roles/webservers/files/levi/https.simponic.xyz.conf2
-rw-r--r--roles/webservers/files/levi/https.static.simponic.xyz.conf2
-rw-r--r--roles/webservers/files/levi/https.tunnel.simponic.xyz.conf2
-rw-r--r--roles/webservers/files/nginx.conf7
-rw-r--r--roles/webservers/tasks/main.yml7
13 files changed, 38 insertions, 52 deletions
diff --git a/roles/webservers/files/levi/http.rainrain.xyz.conf b/roles/webservers/files/levi/http.rainrain.xyz.conf
new file mode 100644
index 0000000..de7a872
--- /dev/null
+++ b/roles/webservers/files/levi/http.rainrain.xyz.conf
@@ -0,0 +1,5 @@
+server {
+ listen 80;
+ server_name *.rainrain.xyz;
+ return 301 https://$server_name$request_uri?;
+}
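Review bot: The redirect target on the `return 301` line is built from `$server_name`, which nginx expands to the configured name rather than the requested one, so with `server_name *.rainrain.xyz;` clients would be sent to `https://*.rainrain.xyz/...`. Use the requested host instead: `return 301 https://$host$request_uri;`. The trailing `?` is a `rewrite` idiom; in `return` it is most likely emitted literally after the query string, which is why the suggestion drops it. `$host` is taken from the client's Host header, so this is only safe while this block cannot become the default server for port 80; confirm that another `listen 80 default_server` exists.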
diff --git a/roles/webservers/files/levi/http.rainrainra.in.conf b/roles/webservers/files/levi/http.rainrainra.in.conf
deleted file mode 100644
index 5681819..0000000
--- a/roles/webservers/files/levi/http.rainrainra.in.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- listen 80;
- server_name rainrainra.in;
-
- location /.well-known/acme-challenge {
- root /var/www/letsencrypt;
- try_files $uri $uri/ =404;
- }
-
- location / {
- rewrite ^ https://rainrainra.in$request_uri? permanent;
- }
-}
diff --git a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
index 9a0c818..d532ee1 100644
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
allow 10.0.0.0/8;
allow 100.64.0.0/12;
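Review bot: The `allow` lines under the new `listen 4443 ssl;` match on the TCP peer address, and once port 443 is fronted by the stream proxy added in `https.rainrain.xyz.servconf`, every proxied request reaches this vhost from 127.0.0.1. If a `deny all;` follows outside this hunk, clients in the allowed ranges are rejected when they arrive through 443; if none follows, the allowlist restricts nothing. Separately, `listen 4443 ssl;` binds every interface, so this vhost and the six others changed the same way (party, secure.tunnel, simponic.hatecomputers.club, simponic.xyz, static, tunnel) are reachable directly on 4443 unless a firewall blocks it; `listen 127.0.0.1:4443 ssl;` keeps the port internal. Restoring the real client address for the allowlist and the access logs would need PROXY protocol on both sides (`proxy_protocol on;` in the stream server, `listen 127.0.0.1:4443 ssl proxy_protocol;` with `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` here), and the passthrough upstream would then have to accept it too.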
diff --git a/roles/webservers/files/levi/https.party.simponic.xyz.conf b/roles/webservers/files/levi/https.party.simponic.xyz.conf
index 1896024..b0f85d7 100644
--- a/roles/webservers/files/levi/https.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.party.simponic.xyz.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name party.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.rainrain.xyz.servconf b/roles/webservers/files/levi/https.rainrain.xyz.servconf
new file mode 100644
index 0000000..5485af1
--- /dev/null
+++ b/roles/webservers/files/levi/https.rainrain.xyz.servconf
@@ -0,0 +1,19 @@
+stream {
+ map $ssl_preread_server_name $name {
+ *.rainrain.xyz rainrainxyz;
+ default proxy;
+ }
+
+ upstream rainrainxyz {
+ server tailscale.rain.internal.simponic.xyz:443;
+ }
+ upstream proxy {
+ server 127.0.0.1:4443;
+ }
+
+ server {
+ listen 443;
+ proxy_pass $name;
+ ssl_preread on;
+ }
+}
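Review bot: The `map` block has no `hostnames;` parameter, so `*.rainrain.xyz` is compared as a literal string and no SNI value will ever select `rainrainxyz`; every connection falls through to `default proxy;`. Add `hostnames;` as the first line inside the map, or use a regex key such as `~\.rainrain\.xyz$`. Once the match works, any client that presents a matching SNI gets a raw TCP path to `tailscale.rain.internal.simponic.xyz:443` without nginx terminating TLS or seeing the request, so access control has to live on that backend. The upstream hostname is resolved when the configuration is loaded, so a failed lookup of the internal name would stop nginx from starting for every site on this host.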
diff --git a/roles/webservers/files/levi/https.rainrainra.in.conf b/roles/webservers/files/levi/https.rainrainra.in.conf
deleted file mode 100644
index 84249dc..0000000
--- a/roles/webservers/files/levi/https.rainrainra.in.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
- listen 443 ssl;
- server_name rainrainra.in;
-
- ssl_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/rainrainra.in/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
-
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
- ssl_dhparam /etc/nginx/dhparams.pem;
- ssl_prefer_server_ciphers on;
-
- root /var/www/html/rainrainra.in;
-
- location / {
- try_files $uri $uri/ $uri.html =404;
- }
-}
diff --git a/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf b/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
index 2b8b350..707f12f 100644
--- a/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name secure.tunnel.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/secure.tunnel.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
index fa0f6ab..16f31ed 100644
--- a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name simponic.hatecomputers.club;
ssl_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.simponic.xyz.conf b/roles/webservers/files/levi/https.simponic.xyz.conf
index 8930168..e9b32e7 100644
--- a/roles/webservers/files/levi/https.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.simponic.xyz.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name simponic.xyz;
ssl_certificate /etc/letsencrypt/live/simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.static.simponic.xyz.conf b/roles/webservers/files/levi/https.static.simponic.xyz.conf
index ca72805..01719c0 100644
--- a/roles/webservers/files/levi/https.static.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.static.simponic.xyz.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name static.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf b/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
index 5660f29..deee0b7 100644
--- a/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
@@ -1,5 +1,5 @@
server {
- listen 443 ssl;
+ listen 4443 ssl;
server_name tunnel.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/tunnel.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/nginx.conf b/roles/webservers/files/nginx.conf
index 2e36cdd..e4f4987 100644
--- a/roles/webservers/files/nginx.conf
+++ b/roles/webservers/files/nginx.conf
@@ -1,8 +1,8 @@
user www-data;
worker_processes 4;
pid /run/nginx.pid;
-load_module modules/ndk_http_module.so;
-load_module modules/ngx_http_set_misc_module.so;
+# load_module modules/ndk_http_module.so;
+# load_module modules/ngx_http_set_misc_module.so;
events {
worker_connections 768;
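Review bot: Nothing visible in this file loads the stream module, yet this commit adds a top-level `stream {}` block with `ssl_preread on;` through the new `*.servconf` include. On Debian-style packages stream is usually a dynamic module, and the lines around the old `load_module` directives show no `include /etc/nginx/modules-enabled/*.conf;`, so the config test may fail on an unknown `stream` directive. If the module is not compiled in, load it here with `load_module modules/ngx_stream_module.so;` and have the role install the package that ships it. The two commented-out `load_module` lines can be deleted outright now that the role no longer installs that module.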
@@ -25,5 +25,6 @@ http {
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/sites-enabled/*.conf;
}
+include /etc/nginx/sites-enabled/*.servconf;
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index 7047baf..6c6fef4 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -17,9 +17,6 @@
- name: install nginx
apt: name=nginx state=latest
-- name: install libnginx-mod-http-set-misc
- apt: name=libnginx-mod-http-set-misc state=latest
-
- name: install letsencrypt
apt: name=letsencrypt state=latest
@@ -45,6 +42,7 @@
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/http.*.conf"
+ - "files/{{ inventory_hostname }}/https.*.conf"
- name: restart nginx to get letsencrypt certificate
service: name=nginx state=restarted enabled=yes
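Review bot: Adding `https.*.conf` to this first copy step puts the TLS vhosts in place before the certificate tasks run. Those files reference certificate paths such as `/etc/letsencrypt/live/party.simponic.xyz/fullchain.pem`, so on a host that holds no certificates yet the following `restart nginx to get letsencrypt certificate` task would fail its config load and the play would stop before any certificate is requested. Unless every target already has all certificates, keep this step to `http.*.conf` and leave the HTTPS vhosts to the later copy task. The task this list belongs to starts outside the hunk.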
@@ -70,7 +68,7 @@
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
- when: 'not "hatecomputers.club" in item.stdout'
+ when: 'not "hatecomputers.club" in item.stdout and not "rainrain" in item.stdout'
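Review bot: The new condition skips certificate issuance for any domain whose name merely contains the substring `rainrain`, which is wider than the `*.rainrain.xyz` passthrough it apparently exists for. A suffix test states the intent and keeps unrelated names from silently losing their certificate: `when: '"hatecomputers.club" not in item.stdout and not item.stdout.endswith("rainrain.xyz")'`. A one-line comment above the task saying that TLS for those names is terminated on the backend rather than on this host would explain why they are exempt.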
# hatecomputers.club
- name: build plugin template
@@ -106,6 +104,7 @@
dest: "/etc/nginx/sites-enabled/"
with_fileglob:
- "files/{{ inventory_hostname }}/https.*.conf"
+ - "files/{{ inventory_hostname }}/https.*.servconf"
- name: reload nginx to activate sites
service: name=nginx state=restarted
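Review bot: This copy step only adds files, so the two vhosts deleted in this commit (`http.rainrainra.in.conf` and `https.rainrainra.in.conf`) stay in `/etc/nginx/sites-enabled/` on any host that already received them. The stale HTTPS file still declares `listen 443 ssl;`, which competes with the new stream listener on 443, and it keeps the old `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` vhost loaded through the `*.conf` include. Add a task that removes the retired files before the restart, and consider running a config test before restarting so a bad file does not take every site down. The copy task that this list belongs to starts outside the hunk.

```yaml
- name: remove retired vhosts
  file:
    path: "/etc/nginx/sites-enabled/{{ item }}"
    state: absent
  loop:
    - "http.rainrainra.in.conf"
    - "https.rainrainra.in.conf"

# … unchanged: reload nginx to activate sites …
```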