chore: move out the server roles
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
0283426127
commit
c7293cd6ea
18 changed files with 8 additions and 8 deletions
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
# Name of the certificate generated by Certbot
|
# Name of the certificate generated by Certbot
|
||||||
server_nginx_certname: None
|
nginx_certname: None
|
||||||
|
|
||||||
# List of reverse proxies to be set up; objects of ‹domain›, ‹upstream› and
|
# List of reverse proxies to be set up; objects of ‹domain›, ‹upstream› and
|
||||||
# ‹protocol› for proxying, e.g.:
|
# ‹protocol› for proxying, e.g.:
|
||||||
|
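Review bot: `nginx_certname: None` is a plain YAML scalar, so Ansible receives the string "None" rather than a null: `nginx_certname is defined` stays true and the templates in the two later hunks (`ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;` and the `ssl_certificate_key` line) render a literal `/etc/letsencrypt/live/None/...` path, which nginx will reject at startup rather than at deploy time. The rename keeps this default as is. Consider `nginx_certname: null` together with a comment such as `# Required: certificate name generated by Certbot (directory under /etc/letsencrypt/live); no usable default`, and failing early in the tasks with an assert that the variable is set before the templates are rendered.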
@ -8,4 +8,4 @@ server_nginx_certname: None
|
||||||
# - domain: "cockpit"
|
# - domain: "cockpit"
|
||||||
# upstream: "127.0.0.1:9090"
|
# upstream: "127.0.0.1:9090"
|
||||||
# protocol: "https"
|
# protocol: "https"
|
||||||
server_nginx_reverse_proxy: []
|
nginx_reverse_proxy: []
|
|
@ -61,7 +61,7 @@
|
||||||
proxy_domain: "{{ item.domain }}"
|
proxy_domain: "{{ item.domain }}"
|
||||||
proxy_upstream: "{{ item.upstream }}"
|
proxy_upstream: "{{ item.upstream }}"
|
||||||
proxy_protocol: "{{ item.protocol }}"
|
proxy_protocol: "{{ item.protocol }}"
|
||||||
loop: "{{ server_nginx_reverse_proxy }}"
|
loop: "{{ nginx_reverse_proxy }}"
|
||||||
|
|
||||||
# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
|
# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
|
||||||
- name: Allow reverse proxy in SELinux
|
- name: Allow reverse proxy in SELinux
|
||||||
|
@ -69,7 +69,7 @@
|
||||||
name: httpd_can_network_connect
|
name: httpd_can_network_connect
|
||||||
state: true
|
state: true
|
||||||
persistent: true
|
persistent: true
|
||||||
when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy"
|
when: "ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy"
|
||||||
|
|
||||||
- name: Enable nginx on firewall
|
- name: Enable nginx on firewall
|
||||||
ansible.posix.firewalld:
|
ansible.posix.firewalld:
|
|
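Review bot: The SELinux task that ends with the renamed `when:` line (its `name:` and module lines are in the previous hunk and the gap between them) sets `httpd_can_network_connect`, and the only explanation is that `httpd_can_network_relay` "was not enough" — it does not say what the broader boolean grants, which is the part a later reviewer of the policy surface needs. As I understand the two booleans, the relay one limits outbound connections to ports labelled for proxying while `httpd_can_network_connect` permits httpd_t to open connections to any network port, so the comment should record that trade-off, e.g. `# ‹httpd_can_network_relay› (only proxy-labelled ports) was not enough for the ubiquiti reverse proxy; ‹httpd_can_network_connect› allows httpd_t to connect to any port, so keep it gated on nginx_reverse_proxy being non-empty`. Verify the exact port classes against the policy on the target distribution before committing the wording.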
@ -33,8 +33,8 @@ http {
|
||||||
server_name {{ host_fqdn }};
|
server_name {{ host_fqdn }};
|
||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
|
||||||
|
|
||||||
# Allow TLS version 1.2 only, which is a recommended default these days
|
# Allow TLS version 1.2 only, which is a recommended default these days
|
||||||
# by international information security standards.
|
# by international information security standards.
|
|
@ -1,7 +1,7 @@
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
|
||||||
|
|
||||||
# Allow TLS version 1.2 only, which is a recommended default these days
|
# Allow TLS version 1.2 only, which is a recommended default these days
|
||||||
# by international information security standards.
|
# by international information security standards.
|