chore: move out the server roles
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
0283426127
commit
c7293cd6ea
18 changed files with 8 additions and 8 deletions
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# Name of the certificate generated by Certbot
|
||||
server_nginx_certname: None
|
||||
nginx_certname: None
|
||||
|
||||
# List of reverse proxies to be set up; objects of ‹domain›, ‹upstream› and
|
||||
# ‹protocol› for proxying, e.g.:
|
||||
|
@ -8,4 +8,4 @@ server_nginx_certname: None
|
|||
# - domain: "cockpit"
|
||||
# upstream: "127.0.0.1:9090"
|
||||
# protocol: "https"
|
||||
server_nginx_reverse_proxy: []
|
||||
nginx_reverse_proxy: []
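Review bot: The default `nginx_certname: None` in the first hunk is the plain YAML string "None", not a null. A host that never sets it, or whose inventory still uses the old `server_nginx_certname` after this rename, would render `/etc/letsencrypt/live/None/fullchain.pem` in the nginx templates instead of failing at the variable. Consider dropping the default so an unset value is reported as undefined, or adding an early `ansible.builtin.assert` with `that: nginx_certname is defined and nginx_certname != 'None'`. The same silent fallback applies to `nginx_reverse_proxy: []` in the second hunk: a stale inventory key would produce no proxy vhosts and no error.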
|
|
@ -61,7 +61,7 @@
|
|||
proxy_domain: "{{ item.domain }}"
|
||||
proxy_upstream: "{{ item.upstream }}"
|
||||
proxy_protocol: "{{ item.protocol }}"
|
||||
loop: "{{ server_nginx_reverse_proxy }}"
|
||||
loop: "{{ nginx_reverse_proxy }}"
|
||||
|
||||
# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
|
||||
- name: Allow reverse proxy in SELinux
|
||||
|
@ -69,7 +69,7 @@
|
|||
name: httpd_can_network_connect
|
||||
state: true
|
||||
persistent: true
|
||||
when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy"
|
||||
when: "ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy"
|
||||
|
||||
- name: Enable nginx on firewall
|
||||
ansible.posix.firewalld:
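Review bot: The renamed condition `when: "ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy"` evaluates to a list rather than a boolean, and as far as I know newer ansible-core releases reject non-boolean conditional results. An explicit test such as `when: ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy | length > 0` keeps the intent and is robust across versions. Since `httpd_can_network_connect` is set persistently and is broader than `httpd_can_network_relay`, the comment above the task could also record that it permits outbound connections from the web-server domain to any port, e.g. `# NOTE: allows nginx to connect to arbitrary TCP ports; only enabled when proxies are configured`. The task's module line falls between the two hunks and is not visible here.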
|
|
@ -33,8 +33,8 @@ http {
|
|||
server_name {{ host_fqdn }};
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
|
||||
|
||||
# Allow TLS version 1.2 only, which is a recommended default these days
|
||||
# by international information security standards.
|
|
@ -1,7 +1,7 @@
|
|||
listen 443 ssl http2;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
|
||||
|
||||
# Allow TLS version 1.2 only, which is a recommended default these days
|
||||
# by international information security standards.
|