chore: move out the server roles

Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
Matej Focko 2024-07-12 21:06:00 +02:00
parent 0283426127
commit c7293cd6ea
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
18 changed files with 8 additions and 8 deletions


@ -1,6 +1,6 @@
--- ---
# Name of the certificate generated by Certbot # Name of the certificate generated by Certbot
server_nginx_certname: None nginx_certname: None
# List of reverse proxies to be set up; objects of domain, upstream and # List of reverse proxies to be set up; objects of domain, upstream and
# protocol for proxying, e.g.: # protocol for proxying, e.g.:
@ -8,4 +8,4 @@ server_nginx_certname: None
# - domain: "cockpit" # - domain: "cockpit"
# upstream: "127.0.0.1:9090" # upstream: "127.0.0.1:9090"
# protocol: "https" # protocol: "https"
server_nginx_reverse_proxy: [] nginx_reverse_proxy: []
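Review bot: `nginx_certname: None` on the new side assigns the plain string "None", not a YAML null — `None` is not one of the null literals (`null`, `~`, empty), so `{{ nginx_certname }}` in the two nginx template hunks renders as a literal path component (`/etc/letsencrypt/live/None/fullchain.pem`) and any `when: nginx_certname` guard stays truthy. The old side carried the same value, so this is presumably pre-existing, but the rename touches the line and is the moment to fix it. Write the default as `nginx_certname: null` (or `""`) and let the role assert the variable is set before templating the TLS paths, so a misconfigured host fails at deploy time rather than with a missing certificate at nginx start.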


@ -61,7 +61,7 @@
proxy_domain: "{{ item.domain }}" proxy_domain: "{{ item.domain }}"
proxy_upstream: "{{ item.upstream }}" proxy_upstream: "{{ item.upstream }}"
proxy_protocol: "{{ item.protocol }}" proxy_protocol: "{{ item.protocol }}"
loop: "{{ server_nginx_reverse_proxy }}" loop: "{{ nginx_reverse_proxy }}"
# httpd_can_network_relay was not enough for the ubiquiti reverse proxy # httpd_can_network_relay was not enough for the ubiquiti reverse proxy
- name: Allow reverse proxy in SELinux - name: Allow reverse proxy in SELinux
@ -69,7 +69,7 @@
name: httpd_can_network_connect name: httpd_can_network_connect
state: true state: true
persistent: true persistent: true
when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy" when: "ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy"
- name: Enable nginx on firewall - name: Enable nginx on firewall
ansible.posix.firewalld: ansible.posix.firewalld:


@ -33,8 +33,8 @@ http {
server_name {{ host_fqdn }}; server_name {{ host_fqdn }};
root /usr/share/nginx/html; root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
# Allow TLS version 1.2 only, which is a recommended default these days # Allow TLS version 1.2 only, which is a recommended default these days
# by international information security standards. # by international information security standards.


@ -1,7 +1,7 @@
listen 443 ssl http2; listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ nginx_certname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ nginx_certname }}/privkey.pem;
# Allow TLS version 1.2 only, which is a recommended default these days # Allow TLS version 1.2 only, which is a recommended default these days
# by international information security standards. # by international information security standards.