multiple domains working

2024-05-22 12:31:41 -04:00
parent eb934c32e2
commit d732fffd67
7 changed files with 49 additions and 139 deletions


@@ -12,17 +12,11 @@
name:
- certbot
state: present
- name: Stop nginx service so we can get certs
ansible.builtin.systemd_service:
state: stopped
name: nginx
- name: Get certs for all reeseapps domains
ansible.builtin.shell: /usr/bin/certbot certonly --standalone -d '{{ item.external.domain }}' -n
loop: "{{ reeseapps }}"
- name: Get certs for all reeseseal domains
ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.external.domain }}' -n
loop: "{{ reeseseal }}"
- name: Get certs for all domains
ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.1 }}' -n
# Loops over every external.domains sub list
loop: "{{ http | subelements('external.domains') }}"
- name: Start nginx service
ansible.builtin.systemd_service:
state: started
state: reloaded
name: nginx
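Review bot: The new cert task at `ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.1 }}' -n` runs certbot on every play and always reports changed, because nothing tells Ansible when the certificate already exists; adding `args: creates: /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem` (the same path the https template reads) makes the loop idempotent and leaves renewal to certbot's own timer. The command uses no shell features, so `ansible.builtin.command` would keep the templated domain from passing through a shell at all. The task still named `Start nginx service` appears to now set `state: reloaded` (sides are not marked on this page), so `- name: Reload nginx service` would match what it does. The enclosing task list starts before this hunk.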


@@ -1,10 +0,0 @@
server {
listen 127.0.0.1:80;
server_name nextcloud-aio.reeseapps.com;
location / {
access_log /var/log/nginx/nextcloud-http-443-access.log compression;
resolver 1.1.1.1;
proxy_pass http://{{ nextcloud.domain }}:443;
}
}


@@ -5,22 +5,16 @@ map $http_upgrade $connection_upgrade {
server {
listen 127.0.0.1:443 ssl http2;
# listen 127.0.0.1:443 ssl; # for nginx v1.25.1+
listen 127.0.0.1:443 ssl;
server_name {{ item.external.domain }};
server_name {{ item.1 }};
access_log /var/log/nginx/{{ item.external.domain }}-access.log compression;
access_log /var/log/nginx/{{ item.1 }}-access.log compression;
# http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
# http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
http2 on;
location / {
resolver 1.1.1.1;
proxy_pass {{ item.internal.protocol }}://{{ item.internal.domain }}:{{ item.internal.port }}$request_uri;
proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
@@ -40,8 +34,8 @@ server {
proxy_set_header Connection $connection_upgrade;
}
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.1 }}/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
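Review bot: `proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri;` now reaches https backends by IP, so nginx sends no SNI and the upstream certificate can no longer be matched against a hostname; nginx does not verify upstream certificates unless told to, so a wrong or substituted backend would go unnoticed. If the vars still carry `internal.domain` beside `ip` (the vars hunk suggests they do), keep the name for TLS with `proxy_ssl_server_name on; proxy_ssl_name {{ item.0.internal.domain }};` and, where the backend CA is trusted, `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at it — this matters only for entries whose `internal.protocol` is https. The `resolver 1.1.1.1;` line does nothing once proxy_pass holds a literal IP. The `server {` block starts and ends outside these hunks.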


@@ -16,18 +16,14 @@ stream {
"" 127.0.0.1:443;
# For each domain we need to stream to a remote server, forward to internal domain
{% for domain in stream_ssl %}
{{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
# For each domain we need to stream to a remote server, forward to internal ip
{% for item in (stream | subelements('external.domains')) %}
{{ item.1 }} {{ item.0.internal.ip }}:{{ item.0.internal.port }};
{% endfor %}
# For each domain we want to terminate, forward to internal http server
{% for domain in reeseapps %}
{{ domain.external.domain }} 127.0.0.1:443;
{% endfor %}
{% for domain in reeseseal %}
{{ domain.external.domain }} 127.0.0.1:443;
{% for item in (http | subelements('external.domains')) %}
{{ item.1 }} 127.0.0.1:443;
{% endfor %}
default {{ nginx.defaults.domain }}:443;
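Review bot: Both new loops name their Jinja loop variable `item`, which is also Ansible's default loop variable; if this template is ever rendered from a looped task the inner `item` silently shadows the outer one, and the name says nothing about what is iterated. `{% for entry in (stream | subelements('external.domains')) %}` followed by `{{ entry.1 }} {{ entry.0.internal.ip }}:{{ entry.0.internal.port }};` (and the same for the `http` loop) avoids both problems. A domain listed under both `stream` and `http` would produce two map entries for the same key, which nginx, as far as I recall, resolves by keeping the first and only warning at config test, so the two lists should stay disjoint. The enclosing `stream {` map block starts and ends outside the hunk.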


@@ -55,22 +55,16 @@
mode: '0644'
with_fileglob:
- http.d/*
- name: Template all reeseapps http configurations
- name: Template all http configurations
template:
src: https.conf
dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
dest: /etc/nginx/http.d/{{ item.1 }}.conf
owner: root
group: root
mode: '0644'
with_items: "{{ reeseapps }}"
- name: Template all reeseseal http configurations
template:
src: https.conf
dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
owner: root
group: root
mode: '0644'
with_items: "{{ reeseseal }}"
# item.0 == full dictionary
# item.1 == external domain
loop: "{{ http | subelements('external.domains') }}"
- name: Reload nginx service
ansible.builtin.systemd_service:
state: restarted
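Review bot: The new loop writes `dest: /etc/nginx/http.d/{{ item.1 }}.conf` for every domain in `http`, but nothing removes the file for a domain that drops out of the list, so a host keeps serving a stale vhost (presumably including the nextcloud config this commit deletes from the repo) until someone removes it by hand. Consider a follow-up task that finds `*.conf` under `/etc/nginx/http.d` not produced by this loop or by the preceding `with_fileglob` copy and sets them `state: absent`, so the directory reflects the inventory after each run. The `# item.0 == full dictionary` / `# item.1 == external domain` comments are a good addition and would be worth repeating on the certbot loop in the other playbook. The enclosing task list starts before this hunk.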


@@ -1,7 +0,0 @@
server {
access_log /var/log/nginx/nextcloud-aio-talk-access.log basic;
resolver 1.1.1.1;
listen {{ ansible_default_ipv4.address }}:3478;
listen {{ ansible_default_ipv4.address }}:3478 udp;
proxy_pass {{ nextcloud.domain }}:3478;
}


@@ -1,5 +1,3 @@
nextcloud:
domain: nextcloud-aio.reeseapps.com
nginx:
defaults:
domain: nginx.reeselink.com
@@ -8,113 +6,64 @@ iperf:
unifi_external:
domain: unifi-server1.reeselink.com
internal_ip: 10.1.0.0/16
reeseapps:
cr10se:
- external:
domain: truenas.reeseapps.com
domains:
- cr10se.reeseseal.com
port: 443
internal:
domain: driveripper.reeselink.com
port: 8443
protocol: https
- external:
domain: nextcloud-aio.reeseapps.com
port: 443
internal:
domain: nextcloud-aio.reeselink.com
port: 11000
ip: "10.3.165.70"
port: 80
protocol: http
http:
- external:
domain: homeassistant.reeseapps.com
domains:
- homeassistant.reeseapps.com
- homeassistant.reeselink.com
port: 443
internal:
domain: homeassistant.reeselink.com
ip: "10.2.131.2"
port: 8123
protocol: https
reeseseal:
- external:
domain: cr10se.reeseseal.com
domains:
- yellow.reeselink.com
port: 443
internal:
domain: cr10se.reeselink.com
port: 80
protocol: http
- external:
domain: hue.reeseseal.com
port: 443
internal:
domain: nginx.reeselink.com
port: 80
protocol: http
- external:
domain: nextcloud-aio.reeseseal.com
port: 443
internal:
domain: nextcloud-aio.reeselink.com
port: 11000
protocol: http
- external:
domain: octoprint.reeseseal.com
port: 443
internal:
domain: replicator.reeselink.com
port: 443
protocol: https
- external:
domain: pihole-yellow.reeseseal.com
port: 443
internal:
domain: yellow.reeselink.com
port: 8081
protocol: http
- external:
domain: pihole-orange.reeseseal.com
port: 443
internal:
domain: orange.reeselink.com
port: 8081
protocol: http
- external:
domain: yellow.reeseseal.com
port: 443
internal:
domain: yellow.reeselink.com
ip: "10.1.203.197"
port: 9090
protocol: https
- external:
domain: orange.reeseseal.com
domains:
- node1.reeselink.com
port: 443
internal:
domain: orange.reeselink.com
ip: "10.1.2.13"
port: 9090
protocol: https
- external:
domain: node1.reeseseal.com
domains:
- node2.reeselink.com
port: 443
internal:
domain: node1.reeselink.com
ip: "10.1.2.14"
port: 9090
protocol: https
- external:
domain: node2.reeseseal.com
domains:
- node3.reeselink.com
port: 443
internal:
domain: node2.reeselink.com
port: 9090
protocol: https
- external:
domain: node3.reeseseal.com
port: 443
internal:
domain: node3.reeselink.com
ip: "10.1.2.15"
port: 9090
protocol: https
stream_ssl:
stream:
- external:
domain: containers.reeseapps.com
domains:
- containers.reeseapps.com
port: 443
internal:
domain: node1.reeselink.com
ip: "10.1.2.13"
port: 6443