multiple domains working

This commit is contained in:
2024-05-22 12:31:41 -04:00
parent eb934c32e2
commit d732fffd67
7 changed files with 49 additions and 139 deletions


@@ -12,17 +12,11 @@
name: name:
- certbot - certbot
state: present state: present
- name: Stop nginx service so we can get certs - name: Get certs for all domains
ansible.builtin.systemd_service: ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.1 }}' -n
state: stopped # Loops over every external.domains sub list
name: nginx loop: "{{ http | subelements('external.domains') }}"
- name: Get certs for all reeseapps domains
ansible.builtin.shell: /usr/bin/certbot certonly --standalone -d '{{ item.external.domain }}' -n
loop: "{{ reeseapps }}"
- name: Get certs for all reeseseal domains
ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.external.domain }}' -n
loop: "{{ reeseseal }}"
- name: Start nginx service - name: Start nginx service
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
state: started state: reloaded
name: nginx name: nginx
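Review bot: The new "Get certs for all domains" task interpolates `item.1` straight into a shell command line, so a domain value containing a quote or shell metacharacter would break out of the single quotes; since certbot takes plain arguments, `ansible.builtin.command` with `argv:` avoids the shell entirely, e.g. `argv: [/usr/bin/certbot, certonly, --dns-route53, -d, "{{ item.1 }}", -n]`. The task also has no `creates:` or `changed_when:`, so every run reports changed and invokes certbot even when the certificate already exists; `creates: /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem` would make it idempotent, and that is the path the https.conf template reads. The "Start nginx service" task now uses `state: reloaded` while its name still says start; nginx is no longer stopped beforehand, but if it happens not to be running a reload rather than a start may fail, so confirm that is intended or rename the task to match.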


@@ -1,10 +0,0 @@
server {
listen 127.0.0.1:80;
server_name nextcloud-aio.reeseapps.com;
location / {
access_log /var/log/nginx/nextcloud-http-443-access.log compression;
resolver 1.1.1.1;
proxy_pass http://{{ nextcloud.domain }}:443;
}
}


@@ -5,22 +5,16 @@ map $http_upgrade $connection_upgrade {
server { server {
listen 127.0.0.1:443 ssl http2; listen 127.0.0.1:443 ssl;
# listen 127.0.0.1:443 ssl; # for nginx v1.25.1+
server_name {{ item.external.domain }}; server_name {{ item.1 }};
access_log /var/log/nginx/{{ item.external.domain }}-access.log compression; access_log /var/log/nginx/{{ item.1 }}-access.log compression;
# http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+ http2 on;
# http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
# listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
location / { location / {
resolver 1.1.1.1; proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri;
proxy_pass {{ item.internal.protocol }}://{{ item.internal.domain }}:{{ item.internal.port }}$request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $server_port;
@@ -40,8 +34,8 @@ server {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
} }
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}/fullchain.pem; # managed by certbot on host machine ssl_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item.1 }}/privkey.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
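Review bot: `http2 on;` on the new side of the first hunk is now unconditional, while the comment it replaces said the directive is only supported on nginx 1.25.1+; on an older nginx the whole configuration fails to load, and because the nginx playbook restarts the service after templating that would take every site down at once, so a comment such as `http2 on;  # requires nginx >= 1.25.1` (or a version check before templating) would at least record the constraint. Dropping `resolver 1.1.1.1;` is consistent with `proxy_pass` now targeting `item.0.internal.ip` rather than a hostname. One thing not visible in the hunk: when `internal.protocol` is `https`, the upstream is now addressed by IP, so if the backend certificate is verified or SNI is needed the hostname is no longer available — confirm the `proxy_ssl_*` settings outside the hunk if that matters. The server block starts before and ends after this hunk.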


@@ -16,18 +16,14 @@ stream {
"" 127.0.0.1:443; "" 127.0.0.1:443;
# For each domain we need to stream to a remote server, forward to internal domain # For each domain we need to stream to a remote server, forward to internal ip
{% for domain in stream_ssl %} {% for item in (stream | subelements('external.domains')) %}
{{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }}; {{ item.1 }} {{ item.0.internal.ip }}:{{ item.0.internal.port }};
{% endfor %} {% endfor %}
# For each domain we want to terminate, forward to internal http server # For each domain we want to terminate, forward to internal http server
{% for domain in reeseapps %} {% for item in (http | subelements('external.domains')) %}
{{ domain.external.domain }} 127.0.0.1:443; {{ item.1 }} 127.0.0.1:443;
{% endfor %}
{% for domain in reeseseal %}
{{ domain.external.domain }} 127.0.0.1:443;
{% endfor %} {% endfor %}
default {{ nginx.defaults.domain }}:443; default {{ nginx.defaults.domain }}:443;
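Review bot: The two Jinja loops on the new side both emit map entries keyed by `item.1`, so a domain listed under both `stream` and `http` `external.domains` produces a duplicate map key, which nginx rejects when loading the configuration; the old per-list variables had the same exposure, but now that domains are grouped into sub-lists the overlap is easier to introduce by accident. An `ansible.builtin.assert` task on the playbook side checking that the flattened `http` and `stream` domain lists are disjoint would catch it before nginx is restarted with a broken config. The comment change from "internal domain" to "internal ip" matches the `item.0.internal.ip` target. The map block starts before and ends after this hunk.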


@@ -55,22 +55,16 @@
mode: '0644' mode: '0644'
with_fileglob: with_fileglob:
- http.d/* - http.d/*
- name: Template all reeseapps http configurations - name: Template all http configurations
template: template:
src: https.conf src: https.conf
dest: /etc/nginx/http.d/{{ item.external.domain }}.conf dest: /etc/nginx/http.d/{{ item.1 }}.conf
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
with_items: "{{ reeseapps }}" # item.0 == full dictionary
- name: Template all reeseseal http configurations # item.1 == external domain
template: loop: "{{ http | subelements('external.domains') }}"
src: https.conf
dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
owner: root
group: root
mode: '0644'
with_items: "{{ reeseseal }}"
- name: Reload nginx service - name: Reload nginx service
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
state: restarted state: restarted
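Review bot: The merged "Template all http configurations" task writes one file per `item.1` into `/etc/nginx/http.d/`, but nothing removes files for domains that drop out of `external.domains`; this commit itself removes several domains from the vars, so hosts already provisioned keep the old per-domain configs (and their `ssl_certificate` references) until someone deletes them by hand. A cleanup step would be an `ansible.builtin.find` over `/etc/nginx/http.d` followed by `ansible.builtin.file` with `state: absent` for entries whose basename is not in the current domain list, excluding the static files that the `with_fileglob: http.d/*` copy task above also places there — unless such a task already exists outside this hunk. Separately, the following "Reload nginx service" task uses `state: restarted`; since the name says reload, one of the two is probably wrong, and a restart drops in-flight connections where `reloaded` would not. The enclosing play continues outside the hunk.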


@@ -1,7 +0,0 @@
server {
access_log /var/log/nginx/nextcloud-aio-talk-access.log basic;
resolver 1.1.1.1;
listen {{ ansible_default_ipv4.address }}:3478;
listen {{ ansible_default_ipv4.address }}:3478 udp;
proxy_pass {{ nextcloud.domain }}:3478;
}


@@ -1,5 +1,3 @@
nextcloud:
domain: nextcloud-aio.reeseapps.com
nginx: nginx:
defaults: defaults:
domain: nginx.reeselink.com domain: nginx.reeselink.com
@@ -8,113 +6,64 @@ iperf:
unifi_external: unifi_external:
domain: unifi-server1.reeselink.com domain: unifi-server1.reeselink.com
internal_ip: 10.1.0.0/16 internal_ip: 10.1.0.0/16
cr10se:
reeseapps:
- external: - external:
domain: truenas.reeseapps.com domains:
- cr10se.reeseseal.com
port: 443 port: 443
internal: internal:
domain: driveripper.reeselink.com ip: "10.3.165.70"
port: 8443 port: 80
protocol: https
- external:
domain: nextcloud-aio.reeseapps.com
port: 443
internal:
domain: nextcloud-aio.reeselink.com
port: 11000
protocol: http protocol: http
http:
- external: - external:
domain: homeassistant.reeseapps.com domains:
- homeassistant.reeseapps.com
- homeassistant.reeselink.com
port: 443 port: 443
internal: internal:
domain: homeassistant.reeselink.com ip: "10.2.131.2"
port: 8123 port: 8123
protocol: https protocol: https
reeseseal:
- external: - external:
domain: cr10se.reeseseal.com domains:
- yellow.reeselink.com
port: 443 port: 443
internal: internal:
domain: cr10se.reeselink.com ip: "10.1.203.197"
port: 80
protocol: http
- external:
domain: hue.reeseseal.com
port: 443
internal:
domain: nginx.reeselink.com
port: 80
protocol: http
- external:
domain: nextcloud-aio.reeseseal.com
port: 443
internal:
domain: nextcloud-aio.reeselink.com
port: 11000
protocol: http
- external:
domain: octoprint.reeseseal.com
port: 443
internal:
domain: replicator.reeselink.com
port: 443
protocol: https
- external:
domain: pihole-yellow.reeseseal.com
port: 443
internal:
domain: yellow.reeselink.com
port: 8081
protocol: http
- external:
domain: pihole-orange.reeseseal.com
port: 443
internal:
domain: orange.reeselink.com
port: 8081
protocol: http
- external:
domain: yellow.reeseseal.com
port: 443
internal:
domain: yellow.reeselink.com
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domain: orange.reeseseal.com domains:
- node1.reeselink.com
port: 443 port: 443
internal: internal:
domain: orange.reeselink.com ip: "10.1.2.13"
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domain: node1.reeseseal.com domains:
- node2.reeselink.com
port: 443 port: 443
internal: internal:
domain: node1.reeselink.com ip: "10.1.2.14"
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domain: node2.reeseseal.com domains:
- node3.reeselink.com
port: 443 port: 443
internal: internal:
domain: node2.reeselink.com ip: "10.1.2.15"
port: 9090
protocol: https
- external:
domain: node3.reeseseal.com
port: 443
internal:
domain: node3.reeselink.com
port: 9090 port: 9090
protocol: https protocol: https
stream_ssl: stream:
- external: - external:
domain: containers.reeseapps.com domains:
- containers.reeseapps.com
port: 443 port: 443
internal: internal:
domain: node1.reeselink.com ip: "10.1.2.13"
port: 6443 port: 6443