Configure SSL passthrough
This commit is contained in:
parent
dbb294679c
commit
a6b2bfa467
@ -1 +0,0 @@
|
||||
../../rproxy/files/config
|
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name archive.music.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/archive.music.wojciechkozlowski.eu/fullchain.pem;
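Review bot: Once this vhost listens on `listen 127.0.0.1:443 ssl;`, every connection reaches it through the stream server in stream.conf, so `$remote_addr` in this server block is 127.0.0.1 (or the peer's pod address for passed-through traffic) and any `X-Real-IP`/`X-Forwarded-For` header, access log or rate limit further down in this file — the server block continues outside the hunk — records the proxy rather than the client. The same listen change is made in the cloud, git, music and notes vhosts that follow and in the rproxy vhosts wojciechkozlowski.eu.conf and www.wojciechkozlowski.eu.conf later in the commit. If the client address matters, have the stream server emit the PROXY protocol (`proxy_protocol on;` beside `proxy_pass $name;`) and consume it here: `listen 127.0.0.1:443 ssl proxy_protocol;`, `set_real_ip_from 127.0.0.1;`, `real_ip_header proxy_protocol;`. For traffic forwarded from the other host, the sending stream server would need the same `proxy_protocol on;` and the receiving side a `set_real_ip_from` entry for that peer's address.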
|
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name cloud.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;
|
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name git.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/git.wojciechkozlowski.eu/fullchain.pem;
|
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name music.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/music.wojciechkozlowski.eu/fullchain.pem;
|
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name notes.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/notes.wojciechkozlowski.eu/fullchain.pem;
|
1
playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf
Symbolic link
1
playbooks/roles/services/deploy/lrproxy/files/config/nginx.conf
Symbolic link
@ -0,0 +1 @@
|
||||
../../../rproxy/files/config/nginx.conf
|
@ -0,0 +1,22 @@
|
||||
stream {
|
||||
|
||||
map $ssl_preread_server_name $name {
|
||||
wojciechkozlowski.eu rproxy;
|
||||
www.wojciechkozlowski.eu rproxy;
|
||||
default lrproxy;
|
||||
}
|
||||
|
||||
upstream rproxy {
|
||||
server pod-rproxy:443;
|
||||
}
|
||||
|
||||
upstream lrproxy {
|
||||
server 127.0.0.1:443;
|
||||
}
|
||||
|
||||
server {
|
||||
listen pod-lrproxy:443;
|
||||
proxy_pass $name;
|
||||
ssl_preread on;
|
||||
}
|
||||
}
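Review bot: The routing invariant is split across two files and nothing documents it: this `map` sends wojciechkozlowski.eu and www.wojciechkozlowski.eu to `pod-rproxy:443` and everything else to the local listener, and the rproxy copy of stream.conf later in this commit must do exactly the mirror image. Both servers decide on SNI alone, so a name routed to the peer in both files would be forwarded back and forth between the hosts until the client gives up, and `ssl_preread` has no way to notice. I would put a comment above the map: `# Must mirror rproxy/files/config/stream.conf: every name is local on exactly one host; a name sent to the peer by both files loops between them.`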
|
@ -27,7 +27,14 @@
|
||||
src: "./config/{{ item }}"
|
||||
dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
|
||||
mode: 0644
|
||||
loop: "{{ services_rproxy_nginx_conf_d_files }}"
|
||||
loop:
|
||||
- "nginx.conf"
|
||||
- "stream.conf"
|
||||
- "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/git.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/music.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
|
||||
register: services_deploy_lrproxy_config_files
|
||||
|
||||
- name: "configure systemd service"
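Review bot: The list of config files is now an inline literal in the copy task instead of the role variable `services_rproxy_nginx_conf_d_files` it replaces, and the rproxy task later in the commit does the same; keeping it in the role's defaults (e.g. as `services_deploy_lrproxy_config_files`, name constructed) keeps the set of vhosts overridable per host and keeps task files free of host-specific data. Any name that moves between the two hosts also has to move in the `ssl_preread` map of stream.conf, which this list does not mention; a comment on the loop such as `# keep in sync with the map in config/stream.conf` would make that coupling visible.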
|
||||
@ -38,6 +45,8 @@
|
||||
loop:
|
||||
- "pod-lrproxy.service"
|
||||
- "container-lrproxy-nginx.service"
|
||||
- "container-lrproxy-certbot.service"
|
||||
- "container-lrproxy-certbot.timer"
|
||||
register: services_deploy_lrproxy_systemd_files
|
||||
|
||||
- name: "systemd user daemon reload"
|
||||
@ -47,6 +56,13 @@
|
||||
when:
|
||||
services_deploy_lrproxy_systemd_files.changed
|
||||
|
||||
- name: "enable container-lrproxy-certbot timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "container-lrproxy-certbot.timer"
|
||||
enabled: true
|
||||
scope: "user"
|
||||
register: services_deploy_lrproxy_certbot_timer
|
||||
|
||||
- name: "generate diffie hellman ephemeral parameters"
|
||||
ansible.builtin.command: >-
|
||||
openssl dhparam
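Review bot: `enabled: true` on the new "enable container-lrproxy-certbot timer" task installs the unit but does not start it in the running user session, so on a host that is not rebooted the renew job does not fire until something else activates the timer. Unless the pod restart further down (outside this hunk) pulls the timer in through a dependency, add `state: "started"` below `enabled: true`. The removed rsync-certificates timer task had the same shape, so this may be inherited rather than new, but it is worth settling now that certificate renewal depends on it.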
|
||||
@ -57,65 +73,6 @@
|
||||
{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
|
||||
register: services_deploy_lrproxy_dhparam
|
||||
|
||||
- block:
|
||||
|
||||
- name: "configure rsync-certificates service"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd/{{ item }}"
|
||||
dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
|
||||
mode: 0600
|
||||
loop:
|
||||
- "rsync-certificates.service"
|
||||
- "rsync-certificates.timer"
|
||||
register: services_deploy_lrproxy_rsync_certificates_files
|
||||
|
||||
- name: "systemd user daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
scope: "user"
|
||||
when:
|
||||
services_deploy_lrproxy_rsync_certificates_files.changed
|
||||
|
||||
- name: "enable rsync-certificates timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "rsync-certificates.timer"
|
||||
enabled: true
|
||||
scope: "user"
|
||||
register: services_deploy_lrproxy_rsync_certificates_timer
|
||||
|
||||
- name: "create the .ssh directory"
|
||||
ansible.builtin.file:
|
||||
path: "{{ services_service_user_home }}/.ssh"
|
||||
state: "directory"
|
||||
mode: 0700
|
||||
|
||||
- name: "generate ssh keypair for rsync"
|
||||
community.crypto.openssh_keypair:
|
||||
path: "\
|
||||
{{ services_service_user_home }}/.ssh/\
|
||||
{{ services_host_services.lrproxy.rproxy_host }}-\
|
||||
{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
type: "ed25519"
|
||||
register: services_deploy_lrproxy_keypair
|
||||
|
||||
- name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
|
||||
ignore_unreachable: "{{ services_deploy_lrproxy_ignore_unreachable_rproxy }}"
|
||||
delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
|
||||
become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
state: "present"
|
||||
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
|
||||
key_options: "\
|
||||
command=\"rsync --server --sender -avz . \
|
||||
{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
|
||||
{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
|
||||
\",from=\"{{ vpn_wireguard_address }}\",\
|
||||
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
|
||||
|
||||
when:
|
||||
services_host_services.lrproxy.rproxy_host is defined
|
||||
|
||||
- name: "get uid"
|
||||
ansible.builtin.getent:
|
||||
database: "passwd"
|
||||
@ -138,10 +95,8 @@
|
||||
when:
|
||||
(services_deploy_lrproxy_config_files.changed or
|
||||
services_deploy_lrproxy_systemd_files.changed or
|
||||
services_deploy_lrproxy_rsync_certificates_files.changed or
|
||||
services_deploy_lrproxy_rsync_certificates_timer.changed or
|
||||
services_deploy_lrproxy_dhparam.changed or
|
||||
services_deploy_lrproxy_keypair.changed) and
|
||||
services_deploy_lrproxy_certbot_timer.changed or
|
||||
services_deploy_lrproxy_dhparam.changed) and
|
||||
services_deploy_lrproxy_service_active_state.stdout == "active"
|
||||
|
||||
become_user: "{{ services_service_user_name }}"
|
||||
|
@ -0,0 +1,24 @@
|
||||
[Unit]
|
||||
Description=Podman container-lrproxy-certbot.service
|
||||
Documentation=man:podman-generate-systemd(1)
|
||||
OnFailure=status-mail@%n.service
|
||||
|
||||
[Service]
|
||||
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||
TimeoutStopSec=70
|
||||
ExecStartPre=/bin/rm -f %t/container-lrproxy-certbot.pid %t/container-lrproxy-certbot.ctr-id
|
||||
ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
|
||||
ExecStart=/usr/bin/podman run \
|
||||
--conmon-pidfile %t/container-lrproxy-certbot.pid \
|
||||
--cidfile %t/container-lrproxy-certbot.ctr-id \
|
||||
--cgroups=no-conmon \
|
||||
--pod-id-file %t/pod-lrproxy.pod-id \
|
||||
--replace \
|
||||
-v /etc/resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt \
|
||||
-v var-lib-letsencrypt:/var/lib/letsencrypt \
|
||||
-v var-www-html:/var/www/html \
|
||||
--name=pod-lrproxy-certbot \
|
||||
docker.io/certbot/certbot --non-interactive renew
|
||||
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-certbot.ctr-id
|
||||
Type=oneshot
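Review bot: Both `ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot` and the image on the `ExecStart` line carry no tag or digest, so every run pulls whatever `latest` resolves to at that moment, whereas the sibling nginx unit pins `docker.io/library/nginx:{{ services_deploy_versions.lrproxy.nginx }}`. Pin certbot the same way, e.g. `docker.io/certbot/certbot:{{ services_deploy_versions.lrproxy.certbot }}` with a matching entry added to the versions dict (key name constructed here). Separately, a successful `renew` writes new files under `/etc/letsencrypt`, but the nginx container mounts that path read-only and nothing in this unit reloads nginx, so the previous certificate keeps being served until pod-lrproxy is restarted; a `--deploy-hook` or a follow-on unit that signals the nginx container is needed. The `-v /etc/resolv.conf` mount also differs from the `{{ services_resolv_host }}-resolv.conf` file the nginx unit uses — fine if certbot deliberately needs host DNS, but worth a comment.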
|
@ -1,12 +1,12 @@
|
||||
[Unit]
|
||||
Description=Rsync certificates obtained by certbot
|
||||
Documentation=man:rsync(1)
|
||||
Description=Renew certificates with certbot
|
||||
Documentation=man:certbot(1)
|
||||
BindsTo=pod-lrproxy.service
|
||||
After=pod-lrproxy.service
|
||||
DefaultDependencies=no
|
||||
|
||||
[Timer]
|
||||
OnCalendar=Fri *-*-* 18:00:00
|
||||
OnCalendar=Fri *-*-* 06:00:00
|
||||
Persistent=true
|
||||
RandomizedDelaySec=1h
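Review bot: `OnCalendar=Fri *-*-* 06:00:00` gives `certbot renew` a single attempt per week, so within the usual 30-day renewal window there are only about four tries and any transient failure (rate limiting, DNS, the `podman pull` in the service's ExecStartPre) costs a full week. certbot's own guidance is to run `renew` at least daily, since it is a no-op when nothing is due; `OnCalendar=*-*-* 06:00:00` with the existing `RandomizedDelaySec=1h` would be the usual choice. The file continues past this hunk, presumably with the [Install] section.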
|
||||
|
@ -23,9 +23,12 @@ ExecStart=/usr/bin/podman run \
|
||||
{{ services_rproxy_nginx_add_hosts }} \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||
-v ./.config/pod-lrproxy/stream.conf:/etc/nginx/stream.conf:ro \
|
||||
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
|
||||
-v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
|
||||
-v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
|
||||
-v var-lib-letsencrypt:/var/lib/letsencrypt:ro \
|
||||
-v var-www-html:/var/www/html \
|
||||
--name=pod-lrproxy-nginx \
|
||||
docker.io/library/nginx:{{ services_deploy_versions.lrproxy.nginx }}
|
||||
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10
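Review bot: Of the three new mounts, `-v var-www-html:/var/www/html \` is the only one without `:ro`; nginx only serves ACME challenge files from that volume while the certbot container writes them, so `-v var-www-html:/var/www/html:ro \` removes write access the web server does not need. `-v var-lib-letsencrypt:/var/lib/letsencrypt:ro` is also not obviously referenced by any nginx config in this commit; if nothing reads it, dropping it keeps the container's view of the certbot state to `/etc/letsencrypt` alone. The ExecStart line starts before this hunk.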
|
||||
|
@ -1,12 +0,0 @@
|
||||
[Unit]
|
||||
Description=Podman rsync-certificates.service
|
||||
Documentation=man:rsync(1)
|
||||
OnFailure=status-mail@%n.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
|
||||
-avz \
|
||||
--delete \
|
||||
{{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
|
||||
{{ services_data_directory }}/pod-lrproxy/etc-letsencrypt
|
@ -0,0 +1,11 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://pod-lrproxy;
|
||||
}
|
||||
}
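Review bot: This catch-all relies on being the first `server` on port 80 that nginx loads to become the default for unmatched `Host` values; the `include /etc/nginx/conf.d/*.conf` glob happens to sort `http-default.conf` ahead of the two wojciechkozlowski.eu files, but a future vhost file sorting earlier (a hypothetical `api.wojciechkozlowski.eu.conf`, for example) would silently take over. State the intent with `listen 80 default_server;`. Since every plain-HTTP request for the other host's vhosts now crosses this hop, the `X-Real-IP`/`X-Forwarded-For` values set here are only useful if the lrproxy vhosts (not in this diff) trust them via the realip module rather than overwriting them with their own `$remote_addr`; that is worth checking together with this change.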
|
@ -1,6 +1,6 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name wojciechkozlowski.eu www.wojciechkozlowski.eu;
|
||||
server_name wojciechkozlowski.eu;
|
||||
|
||||
location ^~ /.well-known {
|
||||
allow all;
|
||||
@ -13,7 +13,7 @@ server {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
|
||||
@ -33,25 +33,3 @@ server {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name www.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://pod-www;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -0,0 +1,35 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name www.wojciechkozlowski.eu;
|
||||
|
||||
location ^~ /.well-known {
|
||||
allow all;
|
||||
root /var/www/html;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 127.0.0.1:443 ssl;
|
||||
server_name www.wojciechkozlowski.eu;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://pod-www;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
}
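Review bot: The 443 server block here is a line-for-line copy of the one removed from wojciechkozlowski.eu.conf (`location /` with the same proxy headers and `proxy_pass http://pod-www;`, the `50x` error page), so the two vhosts will drift the first time one of them is edited. Moving the shared body into a snippet outside the `*.conf` glob and including it from both server blocks (`include /etc/nginx/conf.d/pod-www.inc;`, name constructed) keeps a single source for the backend wiring. The redirect in the port-80 block uses `$server_name`, which is correct here because the block names exactly one host.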
|
@ -55,3 +55,5 @@ http {
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
|
||||
include /etc/nginx/stream.conf;
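Review bot: The new top-level `include /etc/nginx/stream.conf;` is unconditional, and this nginx.conf is shared with the lrproxy role through the symlink added in this commit, so every container using it must mount a stream.conf or nginx will refuse to start; both nginx units do mount one, but that contract lives two units and two copies of the file away from here. A one-line comment above the include would capture it: `# stream.conf is role-specific (SNI passthrough map) and is bind-mounted by each container-*-nginx.service`.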
|
||||
|
@ -0,0 +1,22 @@
|
||||
stream {
|
||||
|
||||
map $ssl_preread_server_name $name {
|
||||
wojciechkozlowski.eu rproxy;
|
||||
www.wojciechkozlowski.eu rproxy;
|
||||
default lrproxy;
|
||||
}
|
||||
|
||||
upstream rproxy {
|
||||
server 127.0.0.1:443;
|
||||
}
|
||||
|
||||
upstream lrproxy {
|
||||
server pod-lrproxy:443;
|
||||
}
|
||||
|
||||
server {
|
||||
listen pod-rproxy:443;
|
||||
proxy_pass $name;
|
||||
ssl_preread on;
|
||||
}
|
||||
}
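Review bot: `default lrproxy` sends every connection whose SNI is not one of the two listed names — clients that send no SNI at all, IP-address probes and requests for names neither host serves — over to `pod-lrproxy:443`, where the lrproxy map then handles them locally, so the peer host silently becomes the default vhost for this edge. If that is not intended for the no-SNI case, add `"" rproxy;` to the map so such connections stay local; the explicit entry documents the choice either way. Because this is TLS passthrough the hop stays end-to-end encrypted, but the extra traffic lands in the other host's nginx and its logs, which is worth knowing when reading them.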
|
@ -27,7 +27,12 @@
|
||||
src: "./config/{{ item }}"
|
||||
dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
|
||||
mode: 0644
|
||||
loop: "{{ services_rproxy_nginx_conf_d_files }}"
|
||||
loop:
|
||||
- "nginx.conf"
|
||||
- "stream.conf"
|
||||
- "nginx-conf.d/http-default.conf"
|
||||
- "nginx-conf.d/wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/www.wojciechkozlowski.eu.conf"
|
||||
register: services_deploy_rproxy_config_files
|
||||
|
||||
- name: "configure systemd service"
|
||||
|
@ -23,6 +23,7 @@ ExecStart=/usr/bin/podman run \
|
||||
{{ services_rproxy_nginx_add_hosts }} \
|
||||
-v /etc/resolv.conf:/etc/resolv.conf:ro \
|
||||
-v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||
-v ./.config/pod-rproxy/stream.conf:/etc/nginx/stream.conf:ro \
|
||||
-v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
|
||||
-v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
|
||||
-v {{ services_data_directory }}/pod-rproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
|
||||
|
@ -5,11 +5,3 @@ services_rproxy_nginx_add_hosts: "\
|
||||
{{ add_host_list.append('--add-host=pod-' ~ service.key ~ ':' ~ service.value.address) }}\
|
||||
{% endfor %}\
|
||||
{{ add_host_list | join(' ') }}"
|
||||
services_rproxy_nginx_conf_d_files:
|
||||
- "nginx.conf"
|
||||
- "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/git.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/music.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
|
||||
- "nginx-conf.d/wojciechkozlowski.eu.conf"
|
||||
|