From a6b2bfa467a53463b52a55681602a98f31601e0c Mon Sep 17 00:00:00 2001 
From: Wojciech Kozlowski
Date: Sun, 9 Jul 2023 22:02:51 +0200
Subject: [PATCH] Configure SSL passthrough

---
 .../services/deploy/lrproxy/files/config | 1 -
 .../archive.music.wojciechkozlowski.eu.conf | 2 +-
 .../cloud.wojciechkozlowski.eu.conf | 2 +-
 .../git.wojciechkozlowski.eu.conf | 2 +-
 .../music.wojciechkozlowski.eu.conf | 2 +-
 .../notes.wojciechkozlowski.eu.conf | 2 +-
 .../deploy/lrproxy/files/config/nginx.conf | 1 +
 .../deploy/lrproxy/files/config/stream.conf | 22 +++++
 .../services/deploy/lrproxy/tasks/main.yml | 83 +++++-------------
 .../systemd/container-lrproxy-certbot.service | 24 ++++++
 ....timer => container-lrproxy-certbot.timer} | 6 +-
 .../systemd/container-lrproxy-nginx.service | 3 +
 .../systemd/rsync-certificates.service | 12 ---
 .../config/nginx-conf.d/http-default.conf | 11 +++
 .../nginx-conf.d/wojciechkozlowski.eu.conf | 26 +----
 .../www.wojciechkozlowski.eu.conf | 35 ++++++++
 .../deploy/rproxy/files/config/nginx.conf | 2 +
 .../deploy/rproxy/files/config/stream.conf | 22 +++++
 .../services/deploy/rproxy/tasks/main.yml | 7 +-
 .../systemd/container-rproxy-nginx.service | 1 +
 .../services/deploy/rproxy/vars/nginx.yml | 8 --
 21 files changed, 156 insertions(+), 118 deletions(-)
 delete mode 120000 playbooks/roles/services/deploy/lrproxy/files/config
 rename playbooks/roles/services/deploy/{rproxy => lrproxy}/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf (96%)
 rename playbooks/roles/services/deploy/{rproxy => lrproxy}/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf (98%)
 rename playbooks/roles/services/deploy/{rproxy => lrproxy}/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf (96%)
 rename playbooks/roles/services/deploy/{rproxy => lrproxy}/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf (96%)
 rename playbooks/roles/services/deploy/{rproxy => lrproxy}/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf (97%)
 create mode 120000 playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf
 create mode 100644 playbooks/roles/services/deploy/lrproxy/files/config/stream.conf
 create mode 100644 playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.service
 rename playbooks/roles/services/deploy/lrproxy/templates/systemd/{rsync-certificates.timer => container-lrproxy-certbot.timer} (61%)
 delete mode 100644 playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service
 create mode 100644 playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/http-default.conf
 create mode 100644 playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/www.wojciechkozlowski.eu.conf
 create mode 100644 playbooks/roles/services/deploy/rproxy/files/config/stream.conf

diff --git a/playbooks/roles/services/deploy/lrproxy/files/config b/playbooks/roles/services/deploy/lrproxy/files/config
deleted file mode 120000
index b2bae54..0000000
--- a/playbooks/roles/services/deploy/lrproxy/files/config
+++ /dev/null
@@ -1 +0,0 @@
-../../rproxy/files/config
\ No newline at end of file
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf
similarity index 96%
rename from playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf
rename to playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf
index f23c0b8..794983d 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/archive.music.wojciechkozlowski.eu.conf
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name archive.music.wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/archive.music.wojciechkozlowski.eu/fullchain.pem;
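Review bot: With `listen 127.0.0.1:443 ssl` every connection to this server block now arrives from the local stream passthrough, so `$remote_addr` is 127.0.0.1 (or, for traffic relayed from pod-rproxy, that proxy's address) and the proxied location blocks — outside this hunk, but the same `proxy_set_header X-Real-IP $remote_addr` pattern is visible in the new www.wojciechkozlowski.eu.conf — will forward the proxy's address to the backends, while access logs and any address-based rate limiting lose the real client. If attribution matters, carry the client address across the hop with PROXY protocol: `proxy_protocol on;` in the stream `server`, `listen 127.0.0.1:443 ssl proxy_protocol;` here, and `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` in the http context (the pod-rproxy to pod-lrproxy relay would need the same treatment on both ends). The identical change appears in the cloud, git, music and notes hunks and in the wojciechkozlowski.eu and www.wojciechkozlowski.eu hunks of this commit. The 443 server block continues past the end of this hunk.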
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
similarity index 98%
rename from playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
rename to playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
index 1894f83..cc91441 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/cloud.wojciechkozlowski.eu.conf
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name cloud.wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf
similarity index 96%
rename from playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf
rename to playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf
index 463b6ed..e79bb2e 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/git.wojciechkozlowski.eu.conf
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name git.wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/git.wojciechkozlowski.eu/fullchain.pem;
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf
similarity index 96%
rename from playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf
rename to playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf
index 79cf6f9..252ac61 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/music.wojciechkozlowski.eu.conf
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name music.wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/music.wojciechkozlowski.eu/fullchain.pem;
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf
similarity index 97%
rename from playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf
rename to playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf
index aebc6aa..57509cb 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx-conf.d/notes.wojciechkozlowski.eu.conf
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name notes.wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/notes.wojciechkozlowski.eu/fullchain.pem;
diff --git a/playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf b/playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf
new file mode 120000
index 0000000..82305bc
--- /dev/null
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf
@@ -0,0 +1 @@
+../../../rproxy/files/config/nginx.conf
\ No newline at end of file
diff --git a/playbooks/roles/services/deploy/lrproxy/files/config/stream.conf b/playbooks/roles/services/deploy/lrproxy/files/config/stream.conf
new file mode 100644
index 0000000..03482c1
--- /dev/null
+++ b/playbooks/roles/services/deploy/lrproxy/files/config/stream.conf
@@ -0,0 +1,22 @@
+stream {
+
+ map $ssl_preread_server_name $name {
+ wojciechkozlowski.eu rproxy;
+ www.wojciechkozlowski.eu rproxy;
+ default lrproxy;
+ }
+
+ upstream rproxy {
+ server pod-rproxy:443;
+ }
+
+ upstream lrproxy {
+ server 127.0.0.1:443;
+ }
+
+ server {
+ listen pod-lrproxy:443;
+ proxy_pass $name;
+ ssl_preread on;
+ }
+}
diff --git a/playbooks/roles/services/deploy/lrproxy/tasks/main.yml b/playbooks/roles/services/deploy/lrproxy/tasks/main.yml
index aa57186..752363d 100644
--- a/playbooks/roles/services/deploy/lrproxy/tasks/main.yml
+++ b/playbooks/roles/services/deploy/lrproxy/tasks/main.yml
@@ -27,7 +27,14 @@
 src: "./config/{{ item }}"
 dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
 mode: 0644
- loop: "{{ services_rproxy_nginx_conf_d_files }}"
+ loop:
+ - "nginx.conf"
+ - "stream.conf"
+ - "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
+ - "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
+ - "nginx-conf.d/git.wojciechkozlowski.eu.conf"
+ - "nginx-conf.d/music.wojciechkozlowski.eu.conf"
+ - "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
 register: services_deploy_lrproxy_config_files
 
 - name: "configure systemd service"
@@ -38,6 +45,8 @@
 loop:
 - "pod-lrproxy.service"
 - "container-lrproxy-nginx.service"
+ - "container-lrproxy-certbot.service"
+ - "container-lrproxy-certbot.timer"
 register: services_deploy_lrproxy_systemd_files
 
 - name: "systemd user daemon reload"
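Review bot: The `map $ssl_preread_server_name $name` in this stream.conf is the mirror image of the one added to rproxy/files/config/stream.conf in the same commit, and nothing ties the two together: a server name that both files send to their remote upstream (for instance a host added to the `rproxy` entries here but not given a local entry on rproxy, where `default` is lrproxy) would be bounced between pod-rproxy:443 and pod-lrproxy:443 on fresh TCP connections until one side exhausts its resources. A header comment stating the invariant would protect the next edit, e.g. `# Keep in sync with rproxy/files/config/stream.conf: a name must not be routed to the remote side in both files, or the two proxies forward it to each other indefinitely.` The same comment should say that a ClientHello without SNI leaves `$ssl_preread_server_name` empty and takes the `default` branch, since on rproxy that means all such traffic is shipped to lrproxy.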
@@ -47,6 +56,13 @@
 when:
 services_deploy_lrproxy_systemd_files.changed
 
+ - name: "enable container-lrproxy-certbot timer"
+ ansible.builtin.systemd:
+ name: "container-lrproxy-certbot.timer"
+ enabled: true
+ scope: "user"
+ register: services_deploy_lrproxy_certbot_timer
+
 - name: "generate diffie hellman ephemeral parameters"
 ansible.builtin.command: >-
 openssl dhparam
@@ -57,65 +73,6 @@
 {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
 register: services_deploy_lrproxy_dhparam
 
- - block:
-
- - name: "configure rsync-certificates service"
- ansible.builtin.template:
- src: "./systemd/{{ item }}"
- dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
- mode: 0600
- loop:
- - "rsync-certificates.service"
- - "rsync-certificates.timer"
- register: services_deploy_lrproxy_rsync_certificates_files
-
- - name: "systemd user daemon reload"
- ansible.builtin.systemd:
- daemon_reload: true
- scope: "user"
- when:
- services_deploy_lrproxy_rsync_certificates_files.changed
-
- - name: "enable rsync-certificates timer"
- ansible.builtin.systemd:
- name: "rsync-certificates.timer"
- enabled: true
- scope: "user"
- register: services_deploy_lrproxy_rsync_certificates_timer
-
- - name: "create the .ssh directory"
- ansible.builtin.file:
- path: "{{ services_service_user_home }}/.ssh"
- state: "directory"
- mode: 0700
-
- - name: "generate ssh keypair for rsync"
- community.crypto.openssh_keypair:
- path: "\
- {{ services_service_user_home }}/.ssh/\
- {{ services_host_services.lrproxy.rproxy_host }}-\
- {{ services_host_services.lrproxy.rproxy_user }}"
- type: "ed25519"
- register: services_deploy_lrproxy_keypair
-
- - name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
- ignore_unreachable: "{{ services_deploy_lrproxy_ignore_unreachable_rproxy }}"
- delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
- become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
- ansible.posix.authorized_key:
- user: "{{ services_host_services.lrproxy.rproxy_user }}"
- state: "present"
- key: "{{ services_deploy_lrproxy_keypair.public_key }}"
- key_options: "\
- command=\"rsync --server --sender -avz . \
- {{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
- {{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
- \",from=\"{{ vpn_wireguard_address }}\",\
- no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
-
- when:
- services_host_services.lrproxy.rproxy_host is defined
-
 - name: "get uid"
 ansible.builtin.getent:
 database: "passwd"
@@ -138,10 +95,8 @@
 when:
 (services_deploy_lrproxy_config_files.changed or
 services_deploy_lrproxy_systemd_files.changed or
- services_deploy_lrproxy_rsync_certificates_files.changed or
- services_deploy_lrproxy_rsync_certificates_timer.changed or
- services_deploy_lrproxy_dhparam.changed or
- services_deploy_lrproxy_keypair.changed) and
+ services_deploy_lrproxy_certbot_timer.changed or
+ services_deploy_lrproxy_dhparam.changed) and
 services_deploy_lrproxy_service_active_state.stdout == "active"
 
 become_user: "{{ services_service_user_name }}"
diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.service b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.service
new file mode 100644
index 0000000..31fd869
--- /dev/null
+++ b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Podman container-lrproxy-certbot.service
+Documentation=man:podman-generate-systemd(1)
+OnFailure=status-mail@%n.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/container-lrproxy-certbot.pid %t/container-lrproxy-certbot.ctr-id
+ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/container-lrproxy-certbot.pid \
+ --cidfile %t/container-lrproxy-certbot.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/pod-lrproxy.pod-id \
+ --replace \
+ -v /etc/resolv.conf:/etc/resolv.conf:ro \
+ -v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt \
+ -v var-lib-letsencrypt:/var/lib/letsencrypt \
+ -v var-www-html:/var/www/html \
+ --name=pod-lrproxy-certbot \
+ docker.io/certbot/certbot --non-interactive renew
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-certbot.ctr-id
+Type=oneshot
diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.timer b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.timer
similarity index 61%
rename from playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.timer
rename to playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.timer
index c0de345..544012c 100644
--- a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.timer
+++ b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-certbot.timer
@@ -1,12 +1,12 @@
 [Unit]
-Description=Rsync certificates obtained by certbot
-Documentation=man:rsync(1)
+Description=Renew certificates with certbot
+Documentation=man:certbot(1)
 BindsTo=pod-lrproxy.service
 After=pod-lrproxy.service
 DefaultDependencies=no
 
 [Timer]
-OnCalendar=Fri *-*-* 18:00:00
+OnCalendar=Fri *-*-* 06:00:00
 Persistent=true
 RandomizedDelaySec=1h
 
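Review bot: `ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot` fetches an unpinned image (implicitly the `latest` tag) on every timer run, while the nginx unit in this role pins its image through `services_deploy_versions.lrproxy.nginx`; an unattended weekly pull of whatever is currently published, executed with write access to /etc/letsencrypt, is a supply-chain exposure with no known-good version to roll back to. Pin it the same way, e.g. `docker.io/certbot/certbot:{{ services_deploy_versions.lrproxy.certbot }}` (variable name constructed to match the nginx one) on both the pull and the run line, or better by digest. Separately, nothing in this unit reloads pod-lrproxy-nginx after a successful renewal, and nginx loads certificate files when its configuration is read, so unless a reload exists outside this commit the renewed certificate is not served until the next restart of the nginx container; an `ExecStartPost=/usr/bin/podman exec pod-lrproxy-nginx nginx -s reload` would close that gap.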
diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service
index c8523b6..0371458 100644
--- a/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service
+++ b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service
@@ -23,9 +23,12 @@ ExecStart=/usr/bin/podman run \
 {{ services_rproxy_nginx_add_hosts }} \
 -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
 -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
+ -v ./.config/pod-lrproxy/stream.conf:/etc/nginx/stream.conf:ro \
 -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
 -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
 -v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
+ -v var-lib-letsencrypt:/var/lib/letsencrypt:ro \
+ -v var-www-html:/var/www/html \
 --name=pod-lrproxy-nginx \
 docker.io/library/nginx:{{ services_deploy_versions.lrproxy.nginx }}
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10
diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service b/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service
deleted file mode 100644
index 98b46a3..0000000
--- a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service
+++ /dev/null
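Review bot: The new `-v var-www-html:/var/www/html` is the only bind in this ExecStart without `:ro`; nginx presumably only serves the ACME challenge files that the certbot container writes into that volume (the `.well-known` locations visible elsewhere in this commit use `root /var/www/html`), and every other mount here, including the new var-lib-letsencrypt one, is read-only. Make it `-v var-www-html:/var/www/html:ro \` so the web server cannot modify the shared webroot if it is ever compromised. The ExecStart continuation begins before and ends after this hunk.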
@@ -1,12 +0,0 @@
-[Unit]
-Description=Podman rsync-certificates.service
-Documentation=man:rsync(1)
-OnFailure=status-mail@%n.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
- -avz \
- --delete \
- {{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
- {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/http-default.conf b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/http-default.conf
new file mode 100644
index 0000000..704efba
--- /dev/null
+++ b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/http-default.conf
@@ -0,0 +1,11 @@
+server {
+ listen 80;
+ server_name _;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass http://pod-lrproxy;
+ }
+}
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/wojciechkozlowski.eu.conf
index c5d1db0..faf9107 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/wojciechkozlowski.eu.conf
+++ b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/wojciechkozlowski.eu.conf
@@ -1,6 +1,6 @@
 server {
 listen 80;
- server_name wojciechkozlowski.eu www.wojciechkozlowski.eu;
+ server_name wojciechkozlowski.eu;
 
 location ^~ /.well-known {
 allow all;
@@ -13,7 +13,7 @@ server {
 }
 
 server {
- listen 443 ssl;
+ listen 127.0.0.1:443 ssl;
 server_name wojciechkozlowski.eu;
 
 ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
@@ -33,25 +33,3 @@ server {
 }
 
 }
-
-server {
- listen 443 ssl;
- server_name www.wojciechkozlowski.eu;
-
- ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
-
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $host;
- proxy_pass http://pod-www;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
-}
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/www.wojciechkozlowski.eu.conf b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/www.wojciechkozlowski.eu.conf
new file mode 100644
index 0000000..f851662
--- /dev/null
+++ b/playbooks/roles/services/deploy/rproxy/files/config/nginx-conf.d/www.wojciechkozlowski.eu.conf
@@ -0,0 +1,35 @@
+server {
+ listen 80;
+ server_name www.wojciechkozlowski.eu;
+
+ location ^~ /.well-known {
+ allow all;
+ root /var/www/html;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 127.0.0.1:443 ssl;
+ server_name www.wojciechkozlowski.eu;
+
+ ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass http://pod-www;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/nginx.conf b/playbooks/roles/services/deploy/rproxy/files/config/nginx.conf
index 51ba6e0..a6d6d60 100644
--- a/playbooks/roles/services/deploy/rproxy/files/config/nginx.conf
+++ b/playbooks/roles/services/deploy/rproxy/files/config/nginx.conf
@@ -55,3 +55,5 @@ http {
 include /etc/nginx/conf.d/*.conf;
 }
 
+
+include /etc/nginx/stream.conf;
diff --git a/playbooks/roles/services/deploy/rproxy/files/config/stream.conf b/playbooks/roles/services/deploy/rproxy/files/config/stream.conf
new file mode 100644
index 0000000..171eef6
--- /dev/null
+++ b/playbooks/roles/services/deploy/rproxy/files/config/stream.conf
@@ -0,0 +1,22 @@
+stream {
+
+ map $ssl_preread_server_name $name {
+ wojciechkozlowski.eu rproxy;
+ www.wojciechkozlowski.eu rproxy;
+ default lrproxy;
+ }
+
+ upstream rproxy {
+ server 127.0.0.1:443;
+ }
+
+ upstream lrproxy {
+ server pod-lrproxy:443;
+ }
+
+ server {
+ listen pod-rproxy:443;
+ proxy_pass $name;
+ ssl_preread on;
+ }
+}
diff --git a/playbooks/roles/services/deploy/rproxy/tasks/main.yml b/playbooks/roles/services/deploy/rproxy/tasks/main.yml
index b8e8a05..6289fd8 100644
--- a/playbooks/roles/services/deploy/rproxy/tasks/main.yml
+++ b/playbooks/roles/services/deploy/rproxy/tasks/main.yml
@@ -27,7 +27,12 @@
 src: "./config/{{ item }}"
 dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
 mode: 0644
- loop: "{{ services_rproxy_nginx_conf_d_files }}"
+ loop:
+ - "nginx.conf"
+ - "stream.conf"
+ - "nginx-conf.d/http-default.conf"
+ - "nginx-conf.d/wojciechkozlowski.eu.conf"
+ - "nginx-conf.d/www.wojciechkozlowski.eu.conf"
 register: services_deploy_rproxy_config_files
 
 - name: "configure systemd service"
diff --git a/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-nginx.service b/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-nginx.service
index 26d7562..7674226 100644
--- a/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-nginx.service
+++ b/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-nginx.service
@@ -23,6 +23,7 @@ ExecStart=/usr/bin/podman run \
 {{ services_rproxy_nginx_add_hosts }} \
 -v /etc/resolv.conf:/etc/resolv.conf:ro \
 -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
+ -v ./.config/pod-rproxy/stream.conf:/etc/nginx/stream.conf:ro \
 -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
 -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
 -v {{ services_data_directory }}/pod-rproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
diff --git a/playbooks/roles/services/deploy/rproxy/vars/nginx.yml b/playbooks/roles/services/deploy/rproxy/vars/nginx.yml
index 873d4a0..6c1408e 100644
--- a/playbooks/roles/services/deploy/rproxy/vars/nginx.yml
+++ b/playbooks/roles/services/deploy/rproxy/vars/nginx.yml
@@ -5,11 +5,3 @@ services_rproxy_nginx_add_hosts: "\
 {{ add_host_list.append('--add-host=pod-' ~ service.key ~ ':' ~ service.value.address) }}\
 {% endfor %}\
 {{ add_host_list | join(' ') }}"
-services_rproxy_nginx_conf_d_files:
- - "nginx.conf"
- - "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
- - "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
- - "nginx-conf.d/git.wojciechkozlowski.eu.conf"
- - "nginx-conf.d/music.wojciechkozlowski.eu.conf"
- - "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
- - "nginx-conf.d/wojciechkozlowski.eu.conf"