From d732fffd676638c40fc8adc7a1cbaed8c6db9f57 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Wed, 22 May 2024 12:31:41 -0400
Subject: [PATCH] multiple domains working

---
 nginx/certbot.yaml | 16 ++--
 nginx/http.d/nextcloud-aio.conf | 10 ---
 nginx/https.conf | 20 ++---
 nginx/nginx.conf | 14 ++--
 nginx/nginx.yaml | 16 ++--
 nginx/stream.d/nextcloud-aio-talk.conf | 7 --
 nginx/vars.yaml | 105 +++++++------------------
 7 files changed, 49 insertions(+), 139 deletions(-)
 delete mode 100644 nginx/http.d/nextcloud-aio.conf
 delete mode 100644 nginx/stream.d/nextcloud-aio-talk.conf

diff --git a/nginx/certbot.yaml b/nginx/certbot.yaml
index d93dae9..6671797 100644
--- a/nginx/certbot.yaml
+++ b/nginx/certbot.yaml
@@ -12,17 +12,11 @@
 name:
 - certbot
 state: present
- - name: Stop nginx service so we can get certs
- ansible.builtin.systemd_service:
- state: stopped
- name: nginx
- - name: Get certs for all reeseapps domains
- ansible.builtin.shell: /usr/bin/certbot certonly --standalone -d '{{ item.external.domain }}' -n
- loop: "{{ reeseapps }}"
- - name: Get certs for all reeseseal domains
- ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.external.domain }}' -n
- loop: "{{ reeseseal }}"
+ - name: Get certs for all domains
+ ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.1 }}' -n
+ # Loops over every external.domains sub list
+ loop: "{{ http | subelements('external.domains') }}"
 - name: Start nginx service
 ansible.builtin.systemd_service:
- state: started
+ state: reloaded
 name: nginx
diff --git a/nginx/http.d/nextcloud-aio.conf b/nginx/http.d/nextcloud-aio.conf
deleted file mode 100644
index bb63520..0000000
--- a/nginx/http.d/nextcloud-aio.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-server {
- listen 127.0.0.1:80;
- server_name nextcloud-aio.reeseapps.com;
-
- location / {
- access_log /var/log/nginx/nextcloud-http-443-access.log compression;
- resolver 1.1.1.1;
- proxy_pass http://{{ nextcloud.domain }}:443;
- }
-}
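Review bot: The new "Get certs for all domains" task still builds the certbot invocation as a shell string with `{{ item.1 }}` interpolated into it; `ansible.builtin.command` with an `argv` list passes the domain as a single argument and removes shell parsing from the path entirely, e.g. `ansible.builtin.command:` / `argv: ['/usr/bin/certbot', 'certonly', '--dns-route53', '-d', '{{ item.1 }}', '-n']`. The task also has no `register`/`changed_when`, so every run reports a change even when certbot answers that the certificate is not yet due for renewal; keying `changed_when` on certbot's "not yet due for renewal" output keeps the play idempotent. The following task is still named "Start nginx service" although its state is now `reloaded`; rename it to match, and a short comment that only `http` entries get certificates here (the `stream` entries are passed through unterminated) would explain why `stream` is not looped.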
diff --git a/nginx/https.conf b/nginx/https.conf
index 7cc5efa..36bef59 100644
--- a/nginx/https.conf
+++ b/nginx/https.conf
@@ -5,22 +5,16 @@ map $http_upgrade $connection_upgrade {
 server {
- listen 127.0.0.1:443 ssl http2;
- # listen 127.0.0.1:443 ssl; # for nginx v1.25.1+
+ listen 127.0.0.1:443 ssl;
- server_name {{ item.external.domain }};
+ server_name {{ item.1 }};
- access_log /var/log/nginx/{{ item.external.domain }}-access.log compression;
+ access_log /var/log/nginx/{{ item.1 }}-access.log compression;
- # http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
- # http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
- # quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
- # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
- # listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
+ http2 on;
 location / {
- resolver 1.1.1.1;
- proxy_pass {{ item.internal.protocol }}://{{ item.internal.domain }}:{{ item.internal.port }}$request_uri;
+ proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Port $server_port;
@@ -40,8 +34,8 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
- ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}/fullchain.pem; # managed by certbot on host machine
- ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem; # managed by certbot on host machine
+ ssl_certificate_key /etc/letsencrypt/live/{{ item.1 }}/privkey.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
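Review bot: The new `http2 on;` directive with the plain `listen 127.0.0.1:443 ssl;` is only accepted by nginx 1.25.1 and later, a requirement the deleted comment lines recorded and the hunk now drops entirely; on an older nginx the templated server block fails the config test and the unconditional restart in nginx.yaml leaves the service down. Keep the requirement on the line, `http2 on;  # requires nginx >= 1.25.1 (older builds: listen ... ssl http2;)`, so the version dependency survives the cleanup. Dropping `resolver` is consistent with `proxy_pass` now targeting `item.0.internal.ip`, but for the entries whose protocol is `https` nginx performs no upstream certificate check by default (`proxy_ssl_verify` is off), and a one-line comment stating that this is the intended LAN trust model would stop a later reader from assuming the IP target is verified. The server block's remaining directives sit outside the hunk.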
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index c67a52d..386f333 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -16,18 +16,14 @@ stream {
 "" 127.0.0.1:443;
- # For each domain we need to stream to a remote server, forward to internal domain
- {% for domain in stream_ssl %}
- {{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
+ # For each domain we need to stream to a remote server, forward to internal ip
+ {% for item in (stream | subelements('external.domains')) %}
+ {{ item.1 }} {{ item.0.internal.ip }}:{{ item.0.internal.port }};
 {% endfor %}
 # For each domain we want to terminate, forward to internal http server
- {% for domain in reeseapps %}
- {{ domain.external.domain }} 127.0.0.1:443;
- {% endfor %}
-
- {% for domain in reeseseal %}
- {{ domain.external.domain }} 127.0.0.1:443;
+ {% for item in (http | subelements('external.domains')) %}
+ {{ item.1 }} 127.0.0.1:443;
 {% endfor %}
 default {{ nginx.defaults.domain }}:443;
diff --git a/nginx/nginx.yaml b/nginx/nginx.yaml
index 02a5c2b..e5bc2a7 100644
--- a/nginx/nginx.yaml
+++ b/nginx/nginx.yaml
@@ -55,22 +55,16 @@
 mode: '0644'
 with_fileglob:
 - http.d/*
- - name: Template all reeseapps http configurations
+ - name: Template all http configurations
 template:
 src: https.conf
- dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
+ dest: /etc/nginx/http.d/{{ item.1 }}.conf
 owner: root
 group: root
 mode: '0644'
- with_items: "{{ reeseapps }}"
- - name: Template all reeseseal http configurations
- template:
- src: https.conf
- dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
- owner: root
- group: root
- mode: '0644'
- with_items: "{{ reeseseal }}"
+ # item.0 == full dictionary
+ # item.1 == external domain
+ loop: "{{ http | subelements('external.domains') }}"
 - name: Reload nginx service
 ansible.builtin.systemd_service:
 state: restarted
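Review bot: Both new `subelements` loops render into the same `map`, so a name that appears under both `stream` and `http`, or twice within one `domains` list, is emitted as a duplicate map key; nginx rejects duplicate keys in a `map` when it loads the config (confirm with `nginx -t`), and the unconditional `state: restarted` later in nginx.yaml would then leave the service down. Add a comment above the first loop, `# a domain must be listed in exactly one of stream/http: duplicate map keys fail nginx -t`, or better an `ansible.builtin.assert` in the playbook that the combined domain list has no duplicates before templating. The enclosing `map` block starts and ends outside the hunk.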
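Review bot: The merged template task only ever writes `/etc/nginx/http.d/{{ item.1 }}.conf` and never removes anything, so every domain this commit drops from vars.yaml (the nextcloud-aio, hue, octoprint and pihole entries) keeps its previously templated server block on the host, and the deleted `http.d/nextcloud-aio.conf` likewise survives wherever the preceding `with_fileglob` copy task (presumably the same directory) placed it; nginx keeps serving those names with certificates certbot no longer renews. Consider an `ansible.builtin.find` over `/etc/nginx/http.d` followed by `ansible.builtin.file: state: absent` for any `.conf` not in the rendered set, or a `notify`-driven cleanup, before the restart task. The two added `# item.0`/`# item.1` comments are useful; the same explanation is worth repeating on the certbot.yaml loop.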
diff --git a/nginx/stream.d/nextcloud-aio-talk.conf b/nginx/stream.d/nextcloud-aio-talk.conf
deleted file mode 100644
index a462dd1..0000000
--- a/nginx/stream.d/nextcloud-aio-talk.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-server {
- access_log /var/log/nginx/nextcloud-aio-talk-access.log basic;
- resolver 1.1.1.1;
- listen {{ ansible_default_ipv4.address }}:3478;
- listen {{ ansible_default_ipv4.address }}:3478 udp;
- proxy_pass {{ nextcloud.domain }}:3478;
-}
diff --git a/nginx/vars.yaml b/nginx/vars.yaml
index cbae419..acfd2e9 100644
--- a/nginx/vars.yaml
+++ b/nginx/vars.yaml
@@ -1,5 +1,3 @@
-nextcloud:
- domain: nextcloud-aio.reeseapps.com
 nginx:
 defaults:
 domain: nginx.reeselink.com
@@ -8,113 +6,64 @@ iperf:
 unifi_external:
 domain: unifi-server1.reeselink.com
 internal_ip: 10.1.0.0/16
-
-reeseapps:
+cr10se:
 - external:
- domain: truenas.reeseapps.com
+ domains:
+ - cr10se.reeseseal.com
 port: 443
 internal:
- domain: driveripper.reeselink.com
- port: 8443
- protocol: https
- - external:
- domain: nextcloud-aio.reeseapps.com
- port: 443
- internal:
- domain: nextcloud-aio.reeselink.com
- port: 11000
+ ip: "10.3.165.70"
+ port: 80
 protocol: http
+
+http:
 - external:
- domain: homeassistant.reeseapps.com
+ domains:
+ - homeassistant.reeseapps.com
+ - homeassistant.reeselink.com
 port: 443
 internal:
- domain: homeassistant.reeselink.com
+ ip: "10.2.131.2"
 port: 8123
 protocol: https
-
-reeseseal:
 - external:
- domain: cr10se.reeseseal.com
+ domains:
+ - yellow.reeselink.com
 port: 443
 internal:
- domain: cr10se.reeselink.com
- port: 80
- protocol: http
- - external:
- domain: hue.reeseseal.com
- port: 443
- internal:
- domain: nginx.reeselink.com
- port: 80
- protocol: http
- - external:
- domain: nextcloud-aio.reeseseal.com
- port: 443
- internal:
- domain: nextcloud-aio.reeselink.com
- port: 11000
- protocol: http
- - external:
- domain: octoprint.reeseseal.com
- port: 443
- internal:
- domain: replicator.reeselink.com
- port: 443
- protocol: https
- - external:
- domain: pihole-yellow.reeseseal.com
- port: 443
- internal:
- domain: yellow.reeselink.com
- port: 8081
- protocol: http
- - external:
- domain: pihole-orange.reeseseal.com
- port: 443
- internal:
- domain: orange.reeselink.com
- port: 8081
- protocol: http
- - external:
- domain: yellow.reeseseal.com
- port: 443
- internal:
- domain: yellow.reeselink.com
+ ip: "10.1.203.197"
 port: 9090
 protocol: https
 - external:
- domain: orange.reeseseal.com
+ domains:
+ - node1.reeselink.com
 port: 443
 internal:
- domain: orange.reeselink.com
+ ip: "10.1.2.13"
 port: 9090
 protocol: https
 - external:
- domain: node1.reeseseal.com
+ domains:
+ - node2.reeselink.com
 port: 443
 internal:
- domain: node1.reeselink.com
+ ip: "10.1.2.14"
 port: 9090
 protocol: https
 - external:
- domain: node2.reeseseal.com
+ domains:
+ - node3.reeselink.com
 port: 443
 internal:
- domain: node2.reeselink.com
- port: 9090
- protocol: https
- - external:
- domain: node3.reeseseal.com
- port: 443
- internal:
- domain: node3.reeselink.com
+ ip: "10.1.2.15"
 port: 9090
 protocol: https
-stream_ssl:
+stream:
 - external:
- domain: containers.reeseapps.com
+ domains:
+ - containers.reeseapps.com
 port: 443
 internal:
- domain: node1.reeselink.com
+ ip: "10.1.2.13"
 port: 6443
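Review bot: The new top-level key `cr10se:` is not consumed by anything in this commit — certbot.yaml, nginx.conf and nginx.yaml loop only over `http` and `stream` — so cr10se.reeseseal.com gets no certificate, no server block and no SNI map entry even though its entry has exactly the shape of an `http` item; it looks like it was meant to be the first element of the `http:` list, so drop the `cr10se:` line and move its `- external:` block under `http:`. Quoting the `ip` values as strings is the right choice here, since unquoted dotted values are not always read back as the intended scalar; a comment on the `http:` and `stream:` keys saying that every `domains` entry must be unique across both lists would document the constraint the nginx `map` imposes. The `iperf:`/`unifi_external:` context above is untouched by the change.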