# Nginx role

This role installs the nginx web server and manages all vhosts. The role is released under the MIT Licence and we give no warranty for this piece of software. Currently supported OS: Debian.

Apart from installing and configuring nginx, you can also make use of the bundled vhost templates for many FLOSS services, which help you set up your server. Check templates/etc/nginx/sites-available for more details.

Multiple vhosts can be deployed, each making use of a template. By default the role does not deploy any vhost.
Example vhosts:

```yaml
nginx_vhosts:
  - name: 'devchat'
    template: 'conversejs'
    proto: 'http'
    listen: '80'
    root: 'conversejs'
    index: 'index.php'
    use_access_log: 'true'
    use_error_log: 'true'
    nginx_error_log_level: 'warn'
    http_upload_url: 'https://example.org'
    bosh_url: 'https://example.org'
    headers: 'none'
    state: 'enable'
    letsencrypt: 'false'
  - name: 'framadate'
    template: 'framadate'
    proto: 'http'
    listen: '80'
    root: 'framadate/{{ framadate_version }}/framadate'
    index: 'index.php'
    use_access_log: 'true'
    use_error_log: 'true'
    nginx_error_log_level: 'warn'
    upstream_params:
      - 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'
      - 'fastcgi_index index.php;'
      - 'include /etc/nginx/fastcgi_params;'
      - 'fastcgi_pass unix:{{ pool_listen }};'
    state: 'enable'
    letsencrypt: 'false'
```
## TLS/SSL Settings

The role currently supports three ways of obtaining certificates:

- Selfsigned: the role creates a self-signed certificate (note that since it is not signed by any Certificate Authority, it will not be recognized as trusted by web browsers)
- Letsencrypt: in connection with our letsencrypt role
- Other commercial CA: a certificate obtained from a third party is copied over to your nginx host
### Selfsigned cert

To generate a self-signed certificate for a specific domain name and add it to an nginx vhost, you need to add the following vars:

- selfsigned: 'true'
- ssl_name: 'example.com'
### Letsencrypt

If used with our letsencrypt role (or any other role), specifying letsencrypt: 'true' will create an ACME challenge location on the nginx vhost.
### Other commercial CA

If you happen to use another CA and have obtained a key pair, you can save it on your Ansible host in a directory you specify in ssl_src_path. The correct full path schema is "{{ ssl_src_path }}/{{ item.ssl_name }}/", where:

- ssl_src_path - directory where your certificates are located on the Ansible host
- ssl_name - name of the vhost

Currently, to make things more unified, certificate file names are the same across all methods and are compatible with letsencrypt. So privkey.pem is the filename for the private key, and fullchain.pem is the name of the certificate file (including all intermediate certs from the trusted CA). Those file names are hardcoded, so you need to make sure your filenames correspond.
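A pre-flight check for the TLS rules above, written as an added example (not part of the role): for every https vhost it verifies that ssl_name is set, that selfsigned and letsencrypt are not both enabled, that a wildcard entry carries domain_name, and, for the commercial-CA path, that privkey.pem and fullchain.pem are already staged under {{ ssl_src_path }}/{{ ssl_name }}/ on the Ansible host. The sample vhost list and SAMPLE_SSL_SRC_PATH are constructed for the example.

```python
import os

# File names the role hardcodes for every certificate source.
CERT_FILES = ("privkey.pem", "fullchain.pem")

def truthy(value):
    # The role's examples quote flags as strings ('true' / 'false').
    return str(value).lower() == "true"

def check_vhost(vhost, ssl_src_path=None):
    """Return the problems found in one nginx_vhosts entry (empty list means OK)."""
    name = vhost.get("name", "<unnamed>")
    if vhost.get("proto") != "https":
        return []  # plain http vhosts need no TLS material
    ssl_name = vhost.get("ssl_name")
    if not ssl_name:
        return [f"{name}: https vhost without ssl_name"]
    problems = []
    selfsigned = truthy(vhost.get("selfsigned"))
    letsencrypt = truthy(vhost.get("letsencrypt"))
    if selfsigned and letsencrypt:
        problems.append(f"{name}: selfsigned and letsencrypt are mutually exclusive")
    if truthy(vhost.get("wildcard")) and not vhost.get("domain_name"):
        problems.append(f"{name}: wildcard cert requires domain_name")
    if not (selfsigned or letsencrypt):
        # Third-party CA path: the key pair must already be staged on the Ansible host.
        if not ssl_src_path:
            problems.append(f"{name}: third-party CA selected but ssl_src_path is unset")
        else:
            for fname in CERT_FILES:
                path = os.path.join(ssl_src_path, ssl_name, fname)
                if not os.path.isfile(path):
                    problems.append(f"{name}: missing {path}")
    return problems

def check_vhosts(vhosts, ssl_src_path=None):
    return [p for v in vhosts for p in check_vhost(v, ssl_src_path)]

# Constructed sample inventory: one healthy selfsigned vhost, one wildcard entry
# missing domain_name, one commercial-CA entry whose files are not staged.
SAMPLE_SSL_SRC_PATH = "/nonexistent/path/for/this/example"
SAMPLE_VHOSTS = [
    {"name": "bin", "proto": "https", "ssl_name": "bin.example.com", "selfsigned": "true", "letsencrypt": "false"},
    {"name": "wild", "proto": "https", "ssl_name": "wildcard.example.com", "wildcard": "true", "selfsigned": "true"},
    {"name": "shop", "proto": "https", "ssl_name": "shop.example.com", "selfsigned": "false", "letsencrypt": "false"},
]

if __name__ == "__main__":
    for problem in check_vhosts(SAMPLE_VHOSTS, SAMPLE_SSL_SRC_PATH):
        print(problem)
```

Run it against the vars you feed the role before the play; an empty result means every https vhost has a usable certificate source.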
Selfsigned cert example:

```yaml
  - name: 'privatebin.example.com'
    template: 'privatebin'
    proto: 'https'
    listen: '443'
    root: 'privatebin'
    index: 'index.php'
    ssl_name: 'bin.example.com'
    selfsigned: 'true'
    use_access_log: 'false'
    use_error_log: 'true'
    nginx_error_log_level: 'warn'
    upstream_params:
      - 'fastcgi_pass unix:{{ pool_listen }};'
      - 'fastcgi_index index.php;'
      - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
    header_xframe: 'none'
    header_cto: 'none'
    file_cache:
      - cache: 'max=1000 inactive=20s'
        valid: '30s'
        min_users: '2'
        cache_errors: 'on'
    state: 'enable'
    letsencrypt: 'false'
```
Selfsigned wildcard cert example:

```yaml
  - name: 'privatebin.example.com'
    template: 'privatebin'
    proto: 'https'
    listen: '443'
    root: 'privatebin'
    index: 'index.php'
    wildcard: 'true'  # enable wildcard
    ssl_name: 'wildcard.example.com'  # specify directory name for wildcard cert
    domain_name: 'example.com'  # domain name to create the cert for: *.example.com
    selfsigned: 'true'
    use_access_log: 'false'
    use_error_log: 'true'
    nginx_error_log_level: 'warn'
    upstream_params:
      - 'fastcgi_pass unix:{{ pool_listen }};'
      - 'fastcgi_index index.php;'
      - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
    header_xframe: 'none'
    header_cto: 'none'
    file_cache:
      - cache: 'max=1000 inactive=20s'
        valid: '30s'
        min_users: '2'
        cache_errors: 'on'
    state: 'enable'
    letsencrypt: 'false'
```