From e4c3b3a287f4d91328e9fa76643bd5141bbe1416 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 24 Jun 2024 20:19:04 +0200 Subject: [PATCH 01/28] [int] --- roles/element-and-nginx/defaults/main.json | 3 +- roles/element-and-nginx/templates/conf.j2 | 23 +++++++-- roles/gitlab-and-nginx/defaults/main.json | 5 +- roles/gitlab-and-nginx/templates/conf.j2 | 56 ++++++++++++---------- 4 files changed, 56 insertions(+), 31 deletions(-) diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index c7db00b..64929d1 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_element_and_nginx_domain": "element.example.org", - "var_element_and_nginx_path": "/opt/element" + "var_element_and_nginx_path": "/opt/element", + "var_element_and_nginx_tls": "enable" } diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 08330a6..bc9c035 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -1,14 +1,31 @@ +boilerplate element { + root {{var_element_and_nginx_path}}; +} + server { + server_name {{var_element_and_nginx_domain}}; + listen 80; listen [::]:80; + +{% if (var_element_and_nginx_tls == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + invoke element; +{% endif %} +} + +{% if (var_element_and_nginx_tls != "disable") %} +server { + server_name {{var_element_and_nginx_domain}}; + listen 443 ssl; listen [::]:443 ssl; - server_name {{var_element_and_nginx_domain}}; - ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - root {{var_element_and_nginx_path}}; + invoke element; } +{% endif %} 
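Review bot: `boilerplate element { … }` and `invoke element;` in the new template are not nginx directives, so the rendered config will be rejected by `nginx -t` and the server will not reload; PATCH 04/28 later in this series replaces them with a Jinja macro, and that form should be used here instead. The added redirect `return 301 https://$http_host$request_uri;` copies the client-supplied Host header into the Location, and since this is the only port-80 server in the file it also answers requests for unmatched hosts; `return 301 https://$server_name$request_uri;` avoids that (the gitlab, hedgedoc and authelia templates in this series use the same `$http_host` expression). With `var_element_and_nginx_tls` defaulting to `enable`, the port-80 server serves the application itself rather than redirecting; if that is intended only for deployments behind a TLS-terminating proxy, a note in defaults/main.json saying so would help.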
diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index 6bffbd7..c51d108 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { - "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element" + "var_gitlab_and_nginx_domain": "gitlab.example.org", + "var_gitlab_and_nginx_path": "/opt/gitlab", + "var_gitlab_and_nginx_tls": "enable" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 4208162..1033ae6 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -29,34 +29,11 @@ map $http_referer $gitlab_ssl_filtered_http_referer { ~^(?.*)\? $temp; } -server { - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - return 301 https://$http_host$request_uri; - - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; -} - -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +boilerplate gitlab_common { real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; location / { 
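Review bot: `access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access;` drops the named log format, so access logs fall back to nginx's default format and the `$gitlab_ssl_filtered_http_referer` map defined just above this hunk is no longer used anywhere; if the format was commented out because it only resolves in a TLS context, keep its `log_format` at http level and restore `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;`. As in the element template of this commit, `boilerplate` and `invoke` are not nginx syntax and will fail config validation. The `gitlab_common` block opened here continues past the end of the hunk.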
@@ -92,3 +69,32 @@ server { } } +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 80 default_server; + listen [::]:80 ipv6only=on default_server; + +{% if (var_gitlab_and_nginx_tls == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + invoke gitlab_common; +{% endif %} +} + +{% if (var_gitlab_and_nginx_tls != "disable") %} +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2 default_server; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + invoke gitlab_common; +} +{% endif %} From 82e9f8e806ba96654a3c2985a7c9f47d2ecb0b94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:32:36 +0200 Subject: [PATCH 02/28] [mod] role:tlscert_existing:remove var for ssl-path and unify domain vars --- roles/tlscert_existing/defaults/main.json | 6 ++---- roles/tlscert_existing/tasks/main.json | 16 ++++++++-------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/roles/tlscert_existing/defaults/main.json b/roles/tlscert_existing/defaults/main.json index 66473bb..b47e0a2 100644 --- a/roles/tlscert_existing/defaults/main.json +++ b/roles/tlscert_existing/defaults/main.json @@ -1,8 +1,6 @@ { + "var_tlscert_existing_domain": "foo.example.org", "var_tlscert_existing_key_path": "/tmp/key.pem", "var_tlscert_existing_cert_path": "/tmp/cert.pem", - "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem", - "var_tlscert_existing_domain_base": "example.org", - "var_tlscert_existing_domain_path": "foo", - "var_tlscert_existing_ssl_directory": "/etc/ssl" + "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem" } diff --git a/roles/tlscert_existing/tasks/main.json b/roles/tlscert_existing/tasks/main.json index 28ebd49..bc4354a 100644 
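Review bot: In the new port-80 server, `var_gitlab_and_nginx_tls == "enable"` (the default this commit sets in defaults/main.json) makes `invoke gitlab_common;` serve GitLab itself over plaintext on a `default_server` listener, so login forms and session cookies can travel unencrypted; either default the variable to `force` or document `enable` as intended only behind a TLS-terminating proxy. Because this listener is `default_server`, the `force` branch's `return 301 https://$http_host$request_uri;` also redirects requests carrying arbitrary Host headers to whatever host they name; `$server_name` is the safer choice. The `gitlab_common` block referenced here is defined outside this hunk.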
--- a/roles/tlscert_existing/tasks/main.json
+++ b/roles/tlscert_existing/tasks/main.json
@@ -3,10 +3,10 @@
 "name": "directories",
 "become": true,
 "loop": [
- "{{var_tlscert_existing_ssl_directory}}/private",
- "{{var_tlscert_existing_ssl_directory}}/csr",
- "{{var_tlscert_existing_ssl_directory}}/certs",
- "{{var_tlscert_existing_ssl_directory}}/fullchains"
+ "/etc/ssl/private",
+ "/etc/ssl/csr",
+ "/etc/ssl/certs",
+ "/etc/ssl/fullchains"
 ],
 "ansible.builtin.file": {
 "state": "directory",
@@ -18,7 +18,7 @@
 "become": true,
 "ansible.builtin.copy": {
 "src": "{{var_tlscert_existing_key_path}}",
- "dest": "{{var_tlscert_existing_ssl_directory}}/private/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+ "dest": "/etc/ssl/private/{{var_tlscert_existing_domain}}.pem"
 }
 },
 {
@@ -26,7 +26,7 @@
 "become": true,
 "ansible.builtin.copy": {
 "src": "{{var_tlscert_existing_cert_path}}",
- "dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+ "dest": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem"
 }
 },
 {
@@ -35,7 +35,7 @@
 "become": true,
 "ansible.builtin.copy": {
 "src": "{{var_tlscert_existing_fullchain_path}}",
- "dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+ "dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 }
 },
 {
@@ -43,7 +43,7 @@
 "when": "var_tlscert_existing_fullchain_path == None",
 "become": true,
 "ansible.builtin.shell": {
- "cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+ "cmd": "cat /etc/ssl/certs/{{var_tlscert_existing_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 }
 }
 ]
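Review bot: The fullchain fallback in the last hunk still shells out with `cat … > …` and interpolates `var_tlscert_existing_domain` unquoted into the command line; `ansible.builtin.copy` with `"remote_src": true`, `"src": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem"` and `"dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"` does the same job without a shell and reports changes idempotently (the `compose fullchain` task in the tlscert_selfsigned role of the next patch has the same shape). The key copy in the `@@ -18` hunk writes into `/etc/ssl/private/` but no `mode` is visible here; if none is set in the surrounding task, add `"mode": "0600"` so the private key does not inherit the default umask. The enclosing task dicts start and end outside these hunks.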
From c997a202760c413d8a7d9d087e6d963604624954 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:33:12 +0200 Subject: [PATCH 03/28] [mod] role:tlscert_selfsigned:remove var for ssl-path and unify domain vars --- roles/tlscert_selfsigned/defaults/main.json | 4 +--- roles/tlscert_selfsigned/tasks/main.json | 26 ++++++++++----------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json index 23e7808..06c1a9a 100644 --- a/roles/tlscert_selfsigned/defaults/main.json +++ b/roles/tlscert_selfsigned/defaults/main.json @@ -1,5 +1,3 @@ { - "var_tlscert_selfsigned_domain_base": "example.org", - "var_tlscert_selfsigned_domain_path": "foo", - "var_tlscert_selfsigned_ssl_directory": "/etc/ssl" + "var_tlscert_selfsigned_domain": "foo.example.org" } diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json index 5b816f3..bed8255 100644 --- a/roles/tlscert_selfsigned/tasks/main.json +++ b/roles/tlscert_selfsigned/tasks/main.json @@ -14,10 +14,10 @@ "name": "setup directories", "become": true, "loop": [ - "{{var_tlscert_selfsigned_ssl_directory}}/private", - "{{var_tlscert_selfsigned_ssl_directory}}/csr", - "{{var_tlscert_selfsigned_ssl_directory}}/certs", - "{{var_tlscert_selfsigned_ssl_directory}}/fullchains" + "/etc/ssl/private", + "/etc/ssl/csr", + "/etc/ssl/certs", + "/etc/ssl/fullchains" ], "ansible.builtin.file": { "state": "directory", 
@@ -28,19 +28,19 @@ "name": "csr | generate private key", "become": true, "community.crypto.openssl_privatekey": { - "path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "csr | execute", "become": true, "community.crypto.openssl_csr": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "common_name": "{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "common_name": "{{var_tlscert_selfsigned_domain}}", "subject_alt_name": [ - "DNS:{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}" + "DNS:{{var_tlscert_selfsigned_domain}}" ], - "path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem" }, "register": "temp_csr" }, 
@@ -48,17 +48,17 @@ "name": "generate certificate", "become": true, "community.crypto.x509_certificate": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "csr_path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem", "provider": "selfsigned", - "path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "compose fullchain", "become": true, "ansible.builtin.shell": { - "cmd": "cat {{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem > {{var_tlscert_selfsigned_ssl_directory}}/fullchains/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem" } } ] From 1bf66c5c23348bf8ed652866d602a2c8ca928a30 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:42:01 +0200 Subject: [PATCH 04/28] =?UTF-8?q?[mod]=20role:element-and-nginx:Abh=C3=A4n?= =?UTF-8?q?gigkeiten=20nutzen=20und=20TLS-Schalter=20einbauen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/element-and-nginx/defaults/main.json | 12 +++- roles/element-and-nginx/meta/main.json | 32 +++++++++++ roles/element-and-nginx/templates/conf.j2 | 13 ++--- roles/element-and-nginx/vardef.json | 64 ++++++++++++++++++++++ 4 files changed, 113 insertions(+), 8 deletions(-) create mode 100644 roles/element-and-nginx/meta/main.json create mode 100644 roles/element-and-nginx/vardef.json diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index 64929d1..aa43d9e 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,5 +1,15 @@ { "var_element_and_nginx_domain": "element.example.org", "var_element_and_nginx_path": "/opt/element", - "var_element_and_nginx_tls": "enable" + "var_element_and_nginx_element_version": "v1.11.47", + "var_element_and_nginx_element_matrix_baseurl": "https://matrix.example.org", + "var_element_and_nginx_element_server_name": "example" + "var_element_and_nginx_tls_mode": "disable", + "var_element_and_nginx_tls_cert_kind": "none", + "var_element_and_nginx_tls_cert_data_existing_key_path": "/tmp/key.pem", + "var_element_and_nginx_tls_cert_data_existing_cert_path": "/tmp/cert.pem", + "var_element_and_nginx_tls_cert_data_existing_fullchain_path": "/tmp/fullchain.pem", + "var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email": "REPLACE_ME", + "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username": "REPLACE_ME", + "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password": "REPLACE_ME" } 
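Review bot: The added line `"var_element_and_nginx_element_server_name": "example"` has no trailing comma before `"var_element_and_nginx_tls_mode"`, so defaults/main.json is no longer valid JSON and the role will fail to load; it should read `"var_element_and_nginx_element_server_name": "example",`. The default TLS mode also flips from `enable` to `disable` in this hunk, the opposite of the other `*-and-nginx` roles in this series; if that is deliberate, the commit message should say why. The ACME/INWX credentials default to the literal `REPLACE_ME`, so a forgotten override only fails at runtime against the registrar; an `ansible.builtin.assert` that these differ from `REPLACE_ME` when `var_element_and_nginx_tls_cert_kind` is `acme_inwx` would catch it before any network call.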
diff --git a/roles/element-and-nginx/meta/main.json b/roles/element-and-nginx/meta/main.json
new file mode 100644
index 0000000..3b5f228
--- /dev/null
+++ b/roles/element-and-nginx/meta/main.json
@@ -0,0 +1,32 @@
+{
+ "dependencies": [
+ {
+ "role": "element",
+ "var_element_version": "{{var_element_and_nginx_element_version}}",
+ "var_element_path": "{{var_element_and_nginx_path}}",
+ "var_element_matrix_baseurl": "{{var_element_and_nginx_element_matrix_baseurl}}",
+ "var_element_server_name": "{{var_element_and_nginx_element_server_name}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'existing'",
+ "role": "tlscert_existing",
+ "var_tlscert_existing_domain": "{{var_element_and_nginx_domain}}",
+ "var_tlscert_existing_key_path": "{{var_element_and_nginx_tls_cert_data_existing_key_path}}",
+ "var_tlscert_existing_cert_path": "{{var_element_and_nginx_tls_cert_data_existing_cert_path}}",
+ "var_tlscert_existing_fullchain_path": "{{var_element_and_nginx_tls_cert_data_existing_fullchain_path}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'selfsigned'",
+ "role": "tlscert_selfsigned",
+ "var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'acme_inwx'",
+ "role": "tlscert_acme_inwx",
+ "var_tlscert_acme_inwx_domain": "{{var_element_and_nginx_domain}}",
+ "var_tlscert_acme_inwx_acme_account_email": "{{var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email}}",
+ "var_tlscert_acme_inwx_inwx_account_username": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username}}",
+ "var_tlscert_acme_inwx_inwx_account_password": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password}}"
+ }
+ ]
+}
diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2
index bc9c035..6df3e18 100644
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
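Review bot: The `tlscert_selfsigned` dependency passes `"var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}"`, but that role (see its defaults earlier in this series) reads `var_tlscert_selfsigned_domain`; with the current key the self-signed certificate is issued for the role's default `foo.example.org` and stored under that name, and nginx then fails to start because `/etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem` does not exist. Change the key to `"var_tlscert_selfsigned_domain": "{{var_element_and_nginx_domain}}"`. A short comment in the role README listing which `var_element_and_nginx_tls_cert_kind` values map to which dependency would make this wiring easier to audit.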
@@ -1,21 +1,20 @@ -boilerplate element { +{% macro element_common() %} root {{var_element_and_nginx_path}}; -} - +{% endmacro %} server { server_name {{var_element_and_nginx_domain}}; listen 80; listen [::]:80; -{% if (var_element_and_nginx_tls == "force") %} +{% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - invoke element; + {{ element_common() }} {% endif %} } +{% if (var_element_and_nginx_tls_mode != "disable") %} -{% if (var_element_and_nginx_tls != "disable") %} server { server_name {{var_element_and_nginx_domain}}; @@ -26,6 +25,6 @@ server { ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - invoke element; + {{ element_common() }} } {% endif %} diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json new file mode 100644 index 0000000..a51eccf --- /dev/null +++ b/roles/element-and-nginx/vardef.json 
@@ -0,0 +1,64 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "path": { + "type": "string", + "mandatory": false + }, + "element_version": { + "type": "string", + "mandatory": false + }, + "element_matrix_baseurl": { + "type": "string", + "mandatory": false + }, + "element_server_name": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + }, + "tls_cert_kind": { + "type": "string", + "options": [ + "none", + "selfsigned", + "acme_inwx" + ], + "mandatory": false + }, + "tls_cert_data_existing_key_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_existing_cert_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_existing_fullchain_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_acme_account_email": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_inwx_account_username": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_inwx_account_password": { + "type": "string", + "mandatory": false + } +} From 61b39794e8c61451891ccd4bd3cc06f88f1c74fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:32:36 +0200 Subject: [PATCH 05/28] [mod] role:tlscert_existing:remove var for ssl-path and unify domain vars --- roles/tlscert_existing/defaults/main.json | 6 ++---- roles/tlscert_existing/tasks/main.json | 16 ++++++++-------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/roles/tlscert_existing/defaults/main.json b/roles/tlscert_existing/defaults/main.json index 66473bb..b47e0a2 100644 --- a/roles/tlscert_existing/defaults/main.json +++ b/roles/tlscert_existing/defaults/main.json 
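Review bot: `tls_cert_kind` lists only `none`, `selfsigned` and `acme_inwx`, but the meta dependencies of this commit and the `tls_cert_data_existing_*` entries in this same file expect `existing` as well, so any validation built on this schema rejects the value the existing-certificate path needs; add `"existing"` to the `options` list. The three `tls_cert_data_acme_inwx_*` entries are `"mandatory": false` even though the acme_inwx dependency cannot work with the `REPLACE_ME` defaults; marking them mandatory, or documenting that they must be overridden whenever `tls_cert_kind` is `acme_inwx`, would surface a misconfiguration before the registrar credentials are used.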
@@ -1,8 +1,6 @@ { + "var_tlscert_existing_domain": "foo.example.org", "var_tlscert_existing_key_path": "/tmp/key.pem", "var_tlscert_existing_cert_path": "/tmp/cert.pem", - "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem", - "var_tlscert_existing_domain_base": "example.org", - "var_tlscert_existing_domain_path": "foo", - "var_tlscert_existing_ssl_directory": "/etc/ssl" + "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem" } diff --git a/roles/tlscert_existing/tasks/main.json b/roles/tlscert_existing/tasks/main.json index 28ebd49..bc4354a 100644 --- a/roles/tlscert_existing/tasks/main.json +++ b/roles/tlscert_existing/tasks/main.json @@ -3,10 +3,10 @@ "name": "directories", "become": true, "loop": [ - "{{var_tlscert_existing_ssl_directory}}/private", - "{{var_tlscert_existing_ssl_directory}}/csr", - "{{var_tlscert_existing_ssl_directory}}/certs", - "{{var_tlscert_existing_ssl_directory}}/fullchains" + "/etc/ssl/private", + "/etc/ssl/csr", + "/etc/ssl/certs", + "/etc/ssl/fullchains" ], "ansible.builtin.file": { "state": "directory", @@ -18,7 +18,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_key_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/private/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/private/{{var_tlscert_existing_domain}}.pem" } }, { @@ -26,7 +26,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_cert_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem" } }, { 
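Review bot: This patch is byte-identical to PATCH 02/28 earlier in this series: same subject, same author date, and the same blob ids (`66473bb..b47e0a2` for defaults/main.json, `28ebd49..bc4354a` for tasks/main.json), so it cannot apply on top of PATCH 02 and `git am` will stop here; the same holds for PATCH 06/28 against PATCH 03/28. This looks like a rebase or cherry-pick that left duplicates in the series; drop PATCH 05 and PATCH 06 before merging.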
@@ -35,7 +35,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_fullchain_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem" } }, { @@ -43,7 +43,7 @@ "when": "var_tlscert_existing_fullchain_path == None", "become": true, "ansible.builtin.shell": { - "cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "cmd": "cat /etc/ssl/certs/{{var_tlscert_existing_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem" } } ] From b3cd34f0ac50c9269266646b8e3ae845c3824471 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:33:12 +0200 Subject: [PATCH 06/28] [mod] role:tlscert_selfsigned:remove var for ssl-path and unify domain vars --- roles/tlscert_selfsigned/defaults/main.json | 4 +--- roles/tlscert_selfsigned/tasks/main.json | 26 ++++++++++----------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json index 23e7808..06c1a9a 100644 --- a/roles/tlscert_selfsigned/defaults/main.json +++ b/roles/tlscert_selfsigned/defaults/main.json @@ -1,5 +1,3 @@ { - "var_tlscert_selfsigned_domain_base": "example.org", - "var_tlscert_selfsigned_domain_path": "foo", - "var_tlscert_selfsigned_ssl_directory": "/etc/ssl" + "var_tlscert_selfsigned_domain": "foo.example.org" } diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json index 5b816f3..bed8255 100644 --- a/roles/tlscert_selfsigned/tasks/main.json +++ b/roles/tlscert_selfsigned/tasks/main.json 
@@ -14,10 +14,10 @@ "name": "setup directories", "become": true, "loop": [ - "{{var_tlscert_selfsigned_ssl_directory}}/private", - "{{var_tlscert_selfsigned_ssl_directory}}/csr", - "{{var_tlscert_selfsigned_ssl_directory}}/certs", - "{{var_tlscert_selfsigned_ssl_directory}}/fullchains" + "/etc/ssl/private", + "/etc/ssl/csr", + "/etc/ssl/certs", + "/etc/ssl/fullchains" ], "ansible.builtin.file": { "state": "directory", @@ -28,19 +28,19 @@ "name": "csr | generate private key", "become": true, "community.crypto.openssl_privatekey": { - "path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "csr | execute", "become": true, "community.crypto.openssl_csr": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "common_name": "{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "common_name": "{{var_tlscert_selfsigned_domain}}", "subject_alt_name": [ - "DNS:{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}" + "DNS:{{var_tlscert_selfsigned_domain}}" ], - "path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem" }, "register": "temp_csr" }, 
@@ -48,17 +48,17 @@ "name": "generate certificate", "become": true, "community.crypto.x509_certificate": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "csr_path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem", "provider": "selfsigned", - "path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "compose fullchain", "become": true, "ansible.builtin.shell": { - "cmd": "cat {{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem > {{var_tlscert_selfsigned_ssl_directory}}/fullchains/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem" } } ] From a3509ca37b63cec09d92625c679046868a7b5bff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:44:29 +0200 Subject: [PATCH 07/28] [int] --- roles/gitlab-and-nginx/defaults/main.json | 5 +- roles/gitlab-and-nginx/templates/conf.j2 | 56 ++++++++++------------- 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index c51d108..6bffbd7 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json 
@@ -1,5 +1,4 @@ { - "var_gitlab_and_nginx_domain": "gitlab.example.org", - "var_gitlab_and_nginx_path": "/opt/gitlab", - "var_gitlab_and_nginx_tls": "enable" + "var_gitlab_and_nginx_domain": "element.example.org", + "var_gitlab_and_nginx_path": "/opt/element" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 1033ae6..4208162 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -29,11 +29,34 @@ map $http_referer $gitlab_ssl_filtered_http_referer { ~^(?.*)\? $temp; } -boilerplate gitlab_common { +server { + listen 80 default_server; + listen [::]:80 ipv6only=on default_server; + + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + return 301 https://$http_host$request_uri; + + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + error_log /var/log/nginx/gitlab_error.log; +} + +server { + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2 default_server; + + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access; + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; location / { 
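Review bot: The restored defaults set the gitlab role's domain to `element.example.org` and its path to `/opt/element`, which PATCH 01/28 of this series had corrected; reverting the TLS switch should not also revert the example values, so keep `"var_gitlab_and_nginx_domain": "gitlab.example.org"` and `"var_gitlab_and_nginx_path": "/opt/gitlab"`. The subject `[int]` gives no reason for dropping the TLS-mode switch that every other `*-and-nginx` role in this series gains; if gitlab is meant to stay HTTPS-only, a sentence in the message would save later readers from re-adding it.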
@@ -69,32 +92,3 @@ boilerplate gitlab_common { } } -server { - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - -{% if (var_gitlab_and_nginx_tls == "force") %} - return 301 https://$http_host$request_uri; -{% else %} - invoke gitlab_common; -{% endif %} -} - -{% if (var_gitlab_and_nginx_tls != "disable") %} -server { - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - - invoke gitlab_common; -} -{% endif %} From 99a2fd0ea7daf8d8d02da90f94148ba68b2676f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 27 Jun 2024 19:08:25 +0200 Subject: [PATCH 08/28] [fix] role:hedgedoc:default:domain --- roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index e2a58c4..f59f7f1 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -14,7 +14,7 @@ "var_hedgedoc_authentication_kind": "authelia", "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", - "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx", + "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org", "var_hedgedoc_guest_allow_create": false, "var_hedgedoc_guest_allow_change": false, "var_hedgedoc_free_names_mode": "authed" From dc28d22a908966f04e67019b3cee3f701f84e3d2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 21:55:57 +0200 Subject: [PATCH 09/28] [mod] role:hedgedoc-and-nginx:tls mode --- roles/hedgedoc-and-nginx/defaults/main.json | 3 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 38 +++++++++++++++------ roles/hedgedoc-and-nginx/vardef.json | 15 ++++++++ 3 files changed, 45 insertions(+), 11 deletions(-) create mode 100644 roles/hedgedoc-and-nginx/vardef.json diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json index 840159e..aab8b85 100644 --- a/roles/hedgedoc-and-nginx/defaults/main.json +++ b/roles/hedgedoc-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", + "var_hedgedoc_and_nginx_tls_mode": "enable" } diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 467a014..cb5480d 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade { '' close; } -server { - server_name {{var_hedgedoc_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro hedgedoc_common() %} location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; 
@@ -30,4 +21,31 @@ server {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 }
+{% endmacro %}
+
+server {
+ server_name {{var_hedgedoc_and_nginx_domain}};
+
+ listen 80;
+ listen [::]:80;
+
+{% if (var_element_and_nginx_tls_mode == "force") %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ {{ hedgedoc_common() }}
+{% endif %}
+}
+
+{% if (var_element_and_nginx_tls_mode != "disable") %}
+server {
+ server_name {{var_hedgedoc_and_nginx_domain}};
+
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+ {{ hedgedoc_common() }}
 }
diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json
new file mode 100644
index 0000000..e1e1a74
--- /dev/null
+++ b/roles/hedgedoc-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_mode": {
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "mandatory": false
+ }
+}
From fc03370b1942bce475b9a4eeac9b3e5e8cf86e4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:02:06 +0200 Subject: [PATCH 10/28] [mod] role:authelia-and-nginx:tls mode --- roles/authelia-and-nginx/defaults/main.json | 3 +- roles/authelia-and-nginx/templates/conf.j2 | 54 ++++++++++++--------- roles/authelia-and-nginx/vardef.json | 15 ++++++ 3 files changed, 49 insertions(+), 23 deletions(-) create mode 100644 roles/authelia-and-nginx/vardef.json
diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json
index 7559dcb..e1d1396 100644
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
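Review bot: Both new Jinja conditions test `var_element_and_nginx_tls_mode` instead of the `var_hedgedoc_and_nginx_tls_mode` this commit adds to defaults/main.json, so the template either fails on an undefined variable or silently follows the element role's setting when both roles run on the same host. The `{% if (var_element_and_nginx_tls_mode != "disable") %}` block around the 443 server is also never closed: the new side ends at the pre-existing `}` with no `{% endif %}`, so the template cannot render at all. Use `{% if (var_hedgedoc_and_nginx_tls_mode == "force") %}` and `{% if (var_hedgedoc_and_nginx_tls_mode != "disable") %}`, and add `{% endif %}` after the final `}`.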
@@ -1,3 +1,4 @@ { - "var_authelia_and_nginx_domain": "authelia.example.org" + "var_authelia_and_nginx_domain": "authelia.example.org", + "var_authelia_and_nginx_tls_mode": "enable" } diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 231a61d..8bd176e 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,22 +1,4 @@ -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:80; - listen 80; - - return 301 https://$server_name$request_uri; -} - -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro authelia_common() %} location / { ## Headers proxy_set_header Host $host; @@ -28,7 +10,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; - + ## Basic Proxy Configuration client_body_buffer_size 128k; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. @@ -37,7 +19,7 @@ server { proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; - + ## Trusted Proxies Configuration ## Please read the following documentation before configuring this: ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies @@ -47,7 +29,7 @@ server { # set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; - + ## Advanced Proxy Configuration send_timeout 5m; proxy_read_timeout 360; 
@@ -60,4 +42,32 @@ server { location /api/verify { proxy_pass http://localhost:9091; } +{% endmacro %} + +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_authelia_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ authelia_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ authelia_common() }} +} +{% endif %} diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/authelia-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 6d42a70bd411417223c9030ee7c523b577938e1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:10:07 +0200 Subject: [PATCH 11/28] [mod] roles:dokuwiki-and-nginx:tls mode --- roles/dokuwiki-and-nginx/defaults/main.json | 2 +- roles/dokuwiki-and-nginx/templates/conf.j2 | 48 +++++++++++++-------- roles/dokuwiki-and-nginx/vardef.json | 19 ++++++++ 3 files changed, 49 insertions(+), 20 deletions(-) create mode 100644 roles/dokuwiki-and-nginx/vardef.json diff --git a/roles/dokuwiki-and-nginx/defaults/main.json b/roles/dokuwiki-and-nginx/defaults/main.json index 22367fe..05e1d7f 100644 --- a/roles/dokuwiki-and-nginx/defaults/main.json +++ b/roles/dokuwiki-and-nginx/defaults/main.json 
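Review bot: The port-80 redirect now uses `$http_host`, where the removed block used `$server_name`; `$http_host` is copied from the client's Host header, so a request that reaches this vhost with a foreign Host value (which can happen when it acts as the default server for port 80) is redirected to that foreign host. Keeping `return 301 https://$server_name$request_uri;` avoids that, and the hedgedoc, dokuwiki, synapse, vikunja and gitlab templates in this series use the same `$http_host` form and would benefit from the same change. With the default `tls_mode` of `enable`, the `{% else %}` branch additionally makes the port-80 server proxy the Authelia portal and `/api/verify` in cleartext, which the removed template never did; for an authentication portal the default should probably be `force`, or the vardef should state that `enable` exposes the login flow and session cookie over plain HTTP. The `authelia_common` macro opens in the first hunk of this file, outside this one.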
@@ -1,5 +1,5 @@ { "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki", "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org", - "var_dokuwiki_and_nginx_tls_enable": true + "var_dokuwiki_and_nginx_tls_mode": "enable" } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 514ceab..03cbbda 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -1,22 +1,4 @@ -server { - listen 80; - listen [::]:80; - server_name {{var_dokuwiki_and_nginx_domain}}; - return 301 https://$server_name$request_uri; -} - -server { - listen [::]:443 ssl; - listen 443 ssl; - - server_name {{var_dokuwiki_and_nginx_domain}}; - -{% if var_dokuwiki_and_nginx_tls_enable %} - ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; -{% endif %} - +{% macro dokuwiki_common() %} # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; @@ -58,4 +40,32 @@ server { fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } +{% endif %} + +server { + server_name {{var_dokuwki_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_dokuwki_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ dokuwki_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_dokuwki_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_dokuwki_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ dokuwki_common() }} +} +{% endif %} 
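Review bot: The new server blocks call `dokuwki_common()` and read `var_dokuwki_and_nginx_domain` / `var_dokuwki_and_nginx_tls_mode`, but the macro is declared as `dokuwiki_common` and the defaults hunk in this same commit defines `var_dokuwiki_and_nginx_domain` and `var_dokuwiki_and_nginx_tls_mode`, so the template cannot render until every `dokuwki` is spelled `dokuwiki`. The macro is also closed with `{% endif %}` rather than `{% endmacro %}`; PATCH 16 corrects that tag but leaves the misspellings in place. The removed `var_dokuwiki_and_nginx_tls_enable` switch has no counterpart in vardef.json, so an inventory that still sets it presumably gets the new `enable` default silently — worth a note in the role's documentation.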
diff --git a/roles/dokuwiki-and-nginx/vardef.json b/roles/dokuwiki-and-nginx/vardef.json new file mode 100644 index 0000000..a3fa777 --- /dev/null +++ b/roles/dokuwiki-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "directory": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From d08f287d738d51b64a44b04520e9ba4a14bf5f9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:31:49 +0200 Subject: [PATCH 12/28] [mod] roles:synapse-and-nginx:tls mode --- roles/synapse-and-nginx/defaults/main.json | 3 +- roles/synapse-and-nginx/templates/conf.j2 | 49 +++++++++++++++------- roles/synapse-and-nginx/vardef.json | 15 +++++++ 3 files changed, 50 insertions(+), 17 deletions(-) create mode 100644 roles/synapse-and-nginx/vardef.json diff --git a/roles/synapse-and-nginx/defaults/main.json b/roles/synapse-and-nginx/defaults/main.json index 8a172d0..e504fa6 100644 --- a/roles/synapse-and-nginx/defaults/main.json +++ b/roles/synapse-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_synapse_and_nginx_domain": "REPLACE_ME" + "var_synapse_and_nginx_domain": "REPLACE_ME", + "var_synapse_and_nginx_tls_mode": "enable" } diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index e59fb99..d1bace3 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 
@@ -1,19 +1,4 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - ## For the federation port - listen 8448 ssl http2 default_server; - listen [::]:8448 ssl http2 default_server; - - server_name {{var_synapse_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro synapse_common() %} location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; @@ -24,4 +9,36 @@ server { proxy_http_version 1.1; } +{% endif %} + +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_synapse_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ synapse_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ## For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ synapse_common() }} +} +{% endif %} diff --git a/roles/synapse-and-nginx/vardef.json b/roles/synapse-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/synapse-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 1553ea9f53a8c9f9646c2669f0182a2cd38f73e3 Mon Sep 17 00:00:00 2001 
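Review bot: The macro is closed with `{% endif %}` instead of `{% endmacro %}` on the new side, so the template does not render until PATCH 17 replaces the tag; the vikunja template in PATCH 13 has the same slip, fixed in PATCH 18. The federation listeners `listen 8448 ssl http2 default_server` and `listen [::]:8448 ssl http2 default_server` now live inside the `!= "disable"` block, so `tls_mode: disable` presumably removes the federation port entirely rather than serving it in plaintext — that consequence should be stated in vardef.json, or `disable` rejected for this role. With `enable`, the port-80 server proxies `/_matrix` and `/_synapse/client` in cleartext, which the removed single server block already did, so that part is not a regression.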
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:34:15 +0200 Subject: [PATCH 13/28] [mod] roles:vikunja-and-nginx:tls mode --- roles/vikunja-and-nginx/defaults/main.json | 3 +- roles/vikunja-and-nginx/templates/conf.j2 | 41 +++++++++++++++------- roles/vikunja-and-nginx/vardef.json | 15 ++++++++ 3 files changed, 46 insertions(+), 13 deletions(-) create mode 100644 roles/vikunja-and-nginx/vardef.json diff --git a/roles/vikunja-and-nginx/defaults/main.json b/roles/vikunja-and-nginx/defaults/main.json index e08064b..494801c 100644 --- a/roles/vikunja-and-nginx/defaults/main.json +++ b/roles/vikunja-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_vikunja_and_nginx_domain": "vikunja.example.org" + "var_vikunja_and_nginx_domain": "vikunja.example.org", + "var_vikunja_and_nginx_tls_mode": "enable" } diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index a9a8241..b7fac76 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 
@@ -1,17 +1,34 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - server_name {{var_vikunja_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro vikunja_common() %} location / { proxy_pass http://localhost:3456; client_max_body_size 20M; } +{% endif %} + +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_vikunja_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ vikunja_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ vikunja_common() }} +} +{% endif %} diff --git a/roles/vikunja-and-nginx/vardef.json b/roles/vikunja-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/vikunja-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 37682a6e24d0ab5878a87b1384f1e95b50fe0dbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:10:50 +0200 Subject: [PATCH 14/28] [mod] role:system_basics:install package "acl" --- roles/system_basics/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/system_basics/tasks/main.json b/roles/system_basics/tasks/main.json index d19d6fb..cb39ff3 100644 --- a/roles/system_basics/tasks/main.json 
+++ b/roles/system_basics/tasks/main.json @@ -21,6 +21,7 @@ "become": true, "ansible.builtin.apt": { "pkg": [ + "acl", "vim", "htop", "tmux", From bceb605f6802f527d09e49737055191c6fe16a10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:20 +0200 Subject: [PATCH 15/28] [mod] roles:gitlab-and-nginx:tls mode --- roles/gitlab-and-nginx/defaults/main.json | 3 +- roles/gitlab-and-nginx/templates/conf.j2 | 125 ++++++++++++---------- roles/gitlab-and-nginx/vardef.json | 19 ++++ 3 files changed, 88 insertions(+), 59 deletions(-) create mode 100644 roles/gitlab-and-nginx/vardef.json diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index 6bffbd7..4f0da06 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element" + "var_gitlab_and_nginx_path": "/opt/element", + "var_gitlab_and_nginx_tls_mode": "enable" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 4208162..abbb012 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 
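Review bot: The defaults kept as context on the new side still read `"var_gitlab_and_nginx_domain": "element.example.org"` and `"var_gitlab_and_nginx_path": "/opt/element"`, the same values the element role uses, so an inventory that does not override them renders a GitLab vhost whose `server_name` collides with the element vhost on the same host. Changing them to `"var_gitlab_and_nginx_domain": "gitlab.example.org",` and `"var_gitlab_and_nginx_path": "/opt/gitlab",` keeps the two roles from claiming the same name by default.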
@@ -1,64 +1,7 @@ -upstream gitlab-workhorse { - server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; -} - -map $http_upgrade $connection_upgrade_gitlab_ssl { - default upgrade; - '' close; -} - -log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; - -map $request_uri $gitlab_ssl_temp_request_uri_1 { - default $request_uri; - ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { - default $gitlab_ssl_temp_request_uri_1; - ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { - default $gitlab_ssl_temp_request_uri_2; - ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $http_referer $gitlab_ssl_filtered_http_referer { - default $http_referer; - ~^(?.*)\? 
$temp; -} - -server { - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - return 301 https://$http_host$request_uri; - - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; -} - -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro gitlab_common() %} real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; - location / { client_max_body_size 0; gzip off; 
@@ -90,5 +33,71 @@ server { root /home/git/gitlab/public; internal; } +{% endmacro %} + +upstream gitlab-workhorse { + server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; } +map $http_upgrade $connection_upgrade_gitlab_ssl { + default upgrade; + '' close; +} + +log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; + +map $request_uri $gitlab_ssl_temp_request_uri_1 { + default $request_uri; + ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { + default $gitlab_ssl_temp_request_uri_1; + ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { + default $gitlab_ssl_temp_request_uri_2; + ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $http_referer $gitlab_ssl_filtered_http_referer { + default $http_referer; + ~^(?.*)\? 
$temp; +} + +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 80; + listen [::]:80 ipv6only=on; + +{% if var_gitlab_and_nginx_tls_mode == 'force' %} + return 301 https://$http_host$request_uri; +{% else %} + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + {{ gitlab_common() }} +{% endif %} +} + +{% if var_gitlab_and_nginx_tls_mode != 'disable' %} +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + error_log /var/log/nginx/gitlab_error.log; + + {{ gitlab_common() }} +} +{% endif %} diff --git a/roles/gitlab-and-nginx/vardef.json b/roles/gitlab-and-nginx/vardef.json new file mode 100644 index 0000000..eff28cf --- /dev/null +++ b/roles/gitlab-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "domain": { + "mandatory": false, + "type": "string" + }, + "path": { + "mandatory": false, + "type": "string" + }, + "tls_mode": { + "mandatory": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ] + } +} From e82b76cef18ef98dec7330fc3700a285871d69bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:41 +0200 Subject: [PATCH 16/28] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 03cbbda..8dbf888 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
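Review bot: In the `{% else %}` branch of the port-80 server the access log is written as `access_log /var/log/nginx/gitlab_access.log;` without the `gitlab_ssl_access` format, while the TLS server keeps it; that format exists precisely to replace `private_token`, `authenticity_token` and `feed_token` query values with `[FILTERED]` via the `map` blocks above, so with `tls_mode` `enable` or `disable` the plaintext vhost logs those tokens verbatim. Use `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;` in both branches; the `log_format` is declared before the server blocks in this file, so it is in scope. The default `enable` also serves GitLab itself on port 80 instead of redirecting as the removed block did, which is a policy change worth stating in vardef.json. The `gitlab_common` macro opens in the previous hunk.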
@@ -40,7 +40,7 @@ fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } -{% endif %} +{% endmacro %} server { server_name {{var_dokuwki_and_nginx_domain}}; From 7e0f48a332d9034d314dc690c7e153aa06eb0893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:53 +0200 Subject: [PATCH 17/28] [fix] role:synapse-and-nginx --- roles/synapse-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index d1bace3..c2b1066 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -9,7 +9,7 @@ proxy_http_version 1.1; } -{% endif %} +{% endmacro %} server { server_name {{var_synapse_and_nginx_domain}}; From 2048b1f2ce1a0fe94963c284358d79169bb98c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:12:07 +0200 Subject: [PATCH 18/28] [fix] role:vikunja-and-nginx --- roles/vikunja-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index b7fac76..bcfb5dd 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -3,7 +3,7 @@ proxy_pass http://localhost:3456; client_max_body_size 20M; } -{% endif %} +{% endmacro %} server { server_name {{var_vikunja_and_nginx_domain}}; From 71f0549191e8db2ab3d194b2f4bbc6890ad41f7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:14:52 +0200 Subject: [PATCH 19/28] [fix] role:vikunja-and-nginx --- roles/vikunja-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index bcfb5dd..2344097 100644 
--- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -18,7 +18,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_vikunja_and_nginx_tls_mode != "disable") %} server { server_name {{var_vikunja_and_nginx_domain}}; From 75caf79a51cb97c9c14f82f88e5ae685f6ed6c44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:19:57 +0200 Subject: [PATCH 20/28] [mod] nginx-connector-roles:conf formatting --- roles/authelia-and-nginx/templates/conf.j2 | 4 ++-- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- roles/element-and-nginx/templates/conf.j2 | 4 ++-- roles/gitlab-and-nginx/templates/conf.j2 | 4 ++-- roles/hedgedoc-and-nginx/templates/conf.j2 | 4 ++-- roles/synapse-and-nginx/templates/conf.j2 | 4 ++-- roles/vikunja-and-nginx/templates/conf.j2 | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 8bd176e..e6c60cc 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -53,7 +53,7 @@ server { {% if (var_authelia_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ authelia_common() }} +{{ authelia_common() }} {% endif %} } @@ -68,6 +68,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ authelia_common() }} +{{ authelia_common() }} } {% endif %} diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 8dbf888..da2d6d5 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -51,7 +51,7 @@ server { {% if (var_dokuwki_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ dokuwki_common() }} +{{ dokuwki_common() }} {% endif %} } 
@@ -66,6 +66,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ dokuwki_common() }} +{{ dokuwki_common() }} } {% endif %} diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 6df3e18..875c002 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -10,7 +10,7 @@ server { {% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ element_common() }} +{{ element_common() }} {% endif %} } {% if (var_element_and_nginx_tls_mode != "disable") %} @@ -25,6 +25,6 @@ server { ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ element_common() }} +{{ element_common() }} } {% endif %} diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index abbb012..31fa777 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -79,7 +79,7 @@ server { access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; - {{ gitlab_common() }} +{{ gitlab_common() }} {% endif %} } @@ -98,6 +98,6 @@ server { access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - {{ gitlab_common() }} +{{ gitlab_common() }} } {% endif %} diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index cb5480d..6dd578e 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -32,7 +32,7 @@ server { {% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ hedgedoc_common() }} +{{ hedgedoc_common() }} {% endif %} } 
@@ -47,5 +47,5 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ hedgedoc_common() }} +{{ hedgedoc_common() }} } diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index c2b1066..47f6269 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -20,7 +20,7 @@ server { {% if (var_synapse_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ synapse_common() }} +{{ synapse_common() }} {% endif %} } @@ -39,6 +39,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ synapse_common() }} +{{ synapse_common() }} } {% endif %} diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index 2344097..854d39d 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -14,7 +14,7 @@ server { {% if (var_vikunja_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ vikunja_common() }} +{{ vikunja_common() }} {% endif %} } @@ -29,6 +29,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ vikunja_common() }} +{{ vikunja_common() }} } {% endif %} From 3d02e0f4fbf5626bdfe8c6cb4493661d976fdd87 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:38:28 +0200 Subject: [PATCH 21/28] [mod] nginx-connector-roles:conf formatting --- roles/authelia-and-nginx/templates/conf.j2 | 4 +- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 +- roles/element-and-nginx/defaults/main.json | 12 +---- roles/element-and-nginx/meta/main.json | 32 ------------ roles/element-and-nginx/templates/conf.j2 | 11 +++-- roles/element-and-nginx/vardef.json | 57 +++------------------- roles/gitlab-and-nginx/templates/conf.j2 | 4 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 4 +- roles/synapse-and-nginx/templates/conf.j2 | 4 +- roles/vikunja-and-nginx/templates/conf.j2 | 4 +- 10 files changed, 25 insertions(+), 111 deletions(-) delete mode 100644 roles/element-and-nginx/meta/main.json diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index e6c60cc..417fb06 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -50,14 +50,14 @@ server { listen 80; listen [::]:80; -{% if (var_authelia_and_nginx_tls_mode == "force") %} +{% if (var_authelia_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ authelia_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_authelia_and_nginx_domain}}; diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index da2d6d5..4cfdac5 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
@@ -48,14 +48,14 @@ server { listen 80; listen [::]:80; -{% if (var_dokuwki_and_nginx_tls_mode == "force") %} +{% if (var_dokuwki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ dokuwki_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_dokuwki_and_nginx_domain}}; diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index aa43d9e..4c7e5b6 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,15 +1,5 @@ { "var_element_and_nginx_domain": "element.example.org", "var_element_and_nginx_path": "/opt/element", - "var_element_and_nginx_element_version": "v1.11.47", - "var_element_and_nginx_element_matrix_baseurl": "https://matrix.example.org", - "var_element_and_nginx_element_server_name": "example" - "var_element_and_nginx_tls_mode": "disable", - "var_element_and_nginx_tls_cert_kind": "none", - "var_element_and_nginx_tls_cert_data_existing_key_path": "/tmp/key.pem", - "var_element_and_nginx_tls_cert_data_existing_cert_path": "/tmp/cert.pem", - "var_element_and_nginx_tls_cert_data_existing_fullchain_path": "/tmp/fullchain.pem", - "var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email": "REPLACE_ME", - "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username": "REPLACE_ME", - "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password": "REPLACE_ME" + "var_element_and_nginx_tls_mode": "enable" } diff --git a/roles/element-and-nginx/meta/main.json b/roles/element-and-nginx/meta/main.json deleted file mode 100644 index 3b5f228..0000000 --- a/roles/element-and-nginx/meta/main.json +++ /dev/null 
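Review bot: The new defaults change `var_element_and_nginx_tls_mode` from `disable` to `enable` while dropping every `tls_cert_*` variable, and the meta/main.json deleted in this same commit no longer declares the `tlscert_existing`, `tlscert_selfsigned` or `tlscert_acme_inwx` dependencies; the template still expects `/etc/ssl/private/{{var_element_and_nginx_domain}}.pem` and `/etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem` whenever the mode is not `disable`, so the out-of-the-box configuration now references certificate files nothing in this role provisions. Presumably certificate handling moved to a separate role or playbook; if so, the role's documentation should say that those files must already exist, or the default should stay `disable` as before. The dropped `element_version`, `element_matrix_baseurl` and `element_server_name` defaults likewise remove the `element` role dependency — confirm the role is now meant to configure only the vhost.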
@@ -1,32 +0,0 @@ -{ - "dependencies": [ - { - "role": "element", - "var_element_version": "{{var_element_and_nginx_element_version}}", - "var_element_path": "{{var_element_and_nginx_path}}", - "var_element_matrix_baseurl": "{{var_element_and_nginx_element_matrix_baseurl}}", - "var_element_server_name": "{{var_element_and_nginx_element_server_name}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'existing'", - "role": "tlscert_existing", - "var_tlscert_existing_domain": "{{var_element_and_nginx_domain}}", - "var_tlscert_existing_key_path": "{{var_element_and_nginx_tls_cert_data_existing_key_path}}", - "var_tlscert_existing_cert_path": "{{var_element_and_nginx_tls_cert_data_existing_cert_path}}", - "var_tlscert_existing_fullchain_path": "{{var_element_and_nginx_tls_cert_data_existing_fullchain_path}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'selfsigned'", - "role": "tlscert_selfsigned", - "var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'acme_inwx'", - "role": "tlscert_acme_inwx", - "var_tlscert_acme_inwx_domain": "{{var_element_and_nginx_domain}}", - "var_tlscert_acme_inwx_acme_account_email": "{{var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email}}", - "var_tlscert_acme_inwx_inwx_account_username": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username}}", - "var_tlscert_acme_inwx_inwx_account_password": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password}}" - } - ] -} diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 875c002..2108550 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 
@@ -1,28 +1,29 @@ {% macro element_common() %} - root {{var_element_and_nginx_path}}; +root {{var_element_and_nginx_path}}; {% endmacro %} + server { server_name {{var_element_and_nginx_domain}}; listen 80; listen [::]:80; - -{% if (var_element_and_nginx_tls_mode == "force") %} + +{% if (var_element_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ element_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_element_and_nginx_domain}}; listen 443 ssl; listen [::]:443 ssl; - ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ element_common() }} diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json index a51eccf..eff28cf 100644 --- a/roles/element-and-nginx/vardef.json +++ b/roles/element-and-nginx/vardef.json 
@@ -1,64 +1,19 @@ { "domain": { - "type": "string", - "mandatory": false + "mandatory": false, + "type": "string" }, "path": { - "type": "string", - "mandatory": false - }, - "element_version": { - "type": "string", - "mandatory": false - }, - "element_matrix_baseurl": { - "type": "string", - "mandatory": false - }, - "element_server_name": { - "type": "string", - "mandatory": false + "mandatory": false, + "type": "string" }, "tls_mode": { + "mandatory": false, "type": "string", "options": [ "disable", "enable", "force" - ], - "mandatory": false - }, - "tls_cert_kind": { - "type": "string", - "options": [ - "none", - "selfsigned", - "acme_inwx" - ], - "mandatory": false - }, - "tls_cert_data_existing_key_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_existing_cert_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_existing_fullchain_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_acme_account_email": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_inwx_account_username": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_inwx_account_password": { - "type": "string", - "mandatory": false + ] } } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 31fa777..fa4e246 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -73,7 +73,7 @@ server { listen 80; listen [::]:80 ipv6only=on; -{% if var_gitlab_and_nginx_tls_mode == 'force' %} +{% if (var_gitlab_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} access_log /var/log/nginx/gitlab_access.log; @@ -83,7 +83,7 @@ server { {% endif %} } -{% if var_gitlab_and_nginx_tls_mode != 'disable' %} +{% if (var_gitlab_and_nginx_tls_mode != 'disable') %} server { server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; 
diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 6dd578e..d70f0fc 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -29,14 +29,14 @@ server { listen 80; listen [::]:80; -{% if (var_element_and_nginx_tls_mode == "force") %} +{% if (var_element_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ hedgedoc_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_hedgedoc_and_nginx_domain}}; diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index 47f6269..c2c40d5 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -17,14 +17,14 @@ server { listen 80; listen [::]:80; -{% if (var_synapse_and_nginx_tls_mode == "force") %} +{% if (var_synapse_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ synapse_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_synapse_and_nginx_domain}}; diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index 854d39d..211f4ea 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -11,14 +11,14 @@ server { listen 80; listen [::]:80; -{% if (var_vikunja_and_nginx_tls_mode == "force") %} +{% if (var_vikunja_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ vikunja_common() }} {% endif %} } -{% if (var_vikunja_and_nginx_tls_mode != "disable") %} +{% if (var_vikunja_and_nginx_tls_mode != 'disable') %} server { server_name {{var_vikunja_and_nginx_domain}}; 
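Review bot: In the hedgedoc hunk the `== 'force'` test still reads `var_element_and_nginx_tls_mode` rather than the hedgedoc role's own variable, so setting hedgedoc's tls_mode to `force` does not yield the 301 redirect and the port-80 server keeps rendering `{{ hedgedoc_common() }}` unless the element role's variable happens to be `force` on the same host; the line should read `{% if (var_hedgedoc_and_nginx_tls_mode == 'force') %}`. The synapse hunk has the same cross-role reference on its `!= 'disable'` line, as does hedgedoc's `!= 'disable'` line; patches 26 and 27 further down this page correct only those two `!=` lines and leave the hedgedoc `==` line as is. On a host that does not carry the element role the element variable is presumably undefined, so depending on the templating engine's undefined-variable policy the render either fails or the comparison silently evaluates false — neither is the intended behaviour. The vikunja hunk uses its own variable in both conditions and needs no change.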
From 361abc6a74f5c966605e92fe05339dc995bc038d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:42:02 +0200 Subject: [PATCH 22/28] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 4cfdac5..edfe9f2 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -43,7 +43,7 @@ {% endmacro %} server { - server_name {{var_dokuwki_and_nginx_domain}}; + server_name {{var_dokuwiki_and_nginx_domain}}; listen 80; listen [::]:80; @@ -57,13 +57,13 @@ server { {% if (var_element_and_nginx_tls_mode != 'disable') %} server { - server_name {{var_dokuwki_and_nginx_domain}}; + server_name {{var_dokuwiki_and_nginx_domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_dokuwki_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ dokuwki_common() }} From f2b4ba5fed6c2bdd4a1587d08c91bcb1d6117638 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:44:06 +0200 Subject: [PATCH 23/28] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index edfe9f2..ea14fd4 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
@@ -48,14 +48,14 @@ server { listen 80; listen [::]:80; -{% if (var_dokuwki_and_nginx_tls_mode == 'force') %} +{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ dokuwki_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %} server { server_name {{var_dokuwiki_and_nginx_domain}}; From 2a96f510dfddd96e5440e71f42d95591ffe606e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:07:14 +0200 Subject: [PATCH 24/28] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index ea14fd4..e5e5252 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -51,7 +51,7 @@ server { {% if (var_dokuwiki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} -{{ dokuwki_common() }} +{{ dokuwiki_common() }} {% endif %} } @@ -66,6 +66,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; -{{ dokuwki_common() }} +{{ dokuwiki_common() }} } {% endif %} From 34c6ae6e548a77b626e0ad64fa3da9b0cb13f950 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:13:47 +0200 Subject: [PATCH 25/28] [fix] authelia-and-nginx --- roles/authelia-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 417fb06..cd3b8d6 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 
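Review bot: Patches 22 to 24 each correct one more occurrence of the same copy-paste residue in this file (`dokuwki`, `var_element_and_nginx_tls_mode`), and patches 25 to 27 do the same for authelia, hedgedoc and synapse, which indicates the per-role templates were cloned from the element template with only the variable prefix edited. A grep for `var_element_and_nginx_` and for the misspelled prefix across every `*-and-nginx/templates/conf.j2` before merging would have caught all copies in one commit; the `== 'force'` condition in hedgedoc's template, visible in an earlier hunk on this page, is still one such copy. Longer term the HTTP/HTTPS server skeleton (listen lines, redirect-or-serve branch, ssl_certificate lines, ssl-hardening include) is identical across these roles apart from the prefix and the `*_common()` macro, so a single shared template parameterised by domain and tls_mode would remove this class of error.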
@@ -57,7 +57,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_authelia_and_nginx_tls_mode != 'disable') %} server { server_name {{var_authelia_and_nginx_domain}}; From 79415ee5bc5eee027da04f881073c0017a375d5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:06 +0200 Subject: [PATCH 26/28] [fix] role:hedgedoc-and-nginx --- roles/hedgedoc-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index d70f0fc..e8fe34b 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -36,7 +36,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %} server { server_name {{var_hedgedoc_and_nginx_domain}}; From 6fb16d609a2f7d20f4d14bfbb65ae82dd1e5d456 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:19 +0200 Subject: [PATCH 27/28] [fix] role:synapse-and-nginx --- roles/synapse-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index c2c40d5..952b9e4 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -24,7 +24,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_synapse_and_nginx_tls_mode != 'disable') %} server { server_name {{var_synapse_and_nginx_domain}}; From bfd815e708a621b4b0e3a0eb1c883099e55d2958 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:42 +0200 Subject: [PATCH 28/28] [mod] role:hedgedoc:defaults:authelia_url --- roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json
index e2a58c4..f59f7f1 100644
--- a/roles/hedgedoc/defaults/main.json
+++ b/roles/hedgedoc/defaults/main.json
@@ -14,7 +14,7 @@
  "var_hedgedoc_authentication_kind": "authelia",
  "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
  "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
- "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx",
+ "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
  "var_hedgedoc_guest_allow_create": false,
  "var_hedgedoc_guest_allow_change": false,
  "var_hedgedoc_free_names_mode": "authed"
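Review bot: `var_hedgedoc_authentication_data_authelia_client_secret` ships with the literal placeholder `"REPLACE_ME"` as its default, right next to the URL this hunk fixes, and nothing on this page shows the role refusing to deploy when that value is left unchanged; an OIDC client registered with a guessable fixed secret is a real misconfiguration risk. If this role's tasks are Ansible, a guard such as `- ansible.builtin.assert: { that: "var_hedgedoc_authentication_data_authelia_client_secret != 'REPLACE_ME'" }` placed before the config is templated would fail fast; otherwise the equivalent check belongs in whatever runs these roles. The same treatment applies to any other `REPLACE_ME` default in the defaults files, which I cannot see from this hunk.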