more generic certbot

login.yaml

@@ -13,4 +13,3 @@
       - role: login
       - role: reverse_proxy
         hostname: login3
-      - role: certbot

roles/certbot/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+  webserver_name: nginx

roles/certbot/tasks/main.yaml

@@ -10,13 +10,13 @@
     - cron
 
 - name: request certificate
-  command: certbot certonly -a standalone --preferred-challenges http -d login3.lilik.it -n
+  command: certbot certonly -a standalone --agree-tos --email roots@lists.lilik.it --preferred-challenges http -d {{ server_fqdn }} -d www.{{ server_fqdn }} -n
   args:
-    creates: /etc/letsencrypt/live/login3.lilik.it/cert.pem
+    creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem
 
-- name: add certbot cron
-  cron:
-    name: "certbot cron"
-    minute: "30"
-    hour: "2"
-    job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload nginx"'
+# - name: add certbot cron
+#   cron:
+#     name: "certbot cron"
+#     minute: "30"
+#     hour: "2"
+#     job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload {{ webserver_name }}"'

roles/dokuwiki/meta/main.yaml

@@ -2,4 +2,5 @@
 dependencies:
   - role: nginx
     php: true
+    config_name: "dokuwiki"
     parent_role_path: "dokuwiki"

roles/dokuwiki/templates/dokuwiki.conf.nginx.j2

@@ -1,9 +1,3 @@
-server {
-    listen               80;
-
-    client_max_body_size 4M;
-    client_body_buffer_size 128k;
-
     root /usr/share/dokuwiki;
     index doku.php;
 
@@ -24,4 +18,3 @@ server {
         fastcgi_param REDIRECT_STATUS 200;
         fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
     }
-}

roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO

@@ -1,36 +0,0 @@
-server {
-    listen               80;
-    listen                   [::]:80;
-    server_name          wiki.domain.example;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    listen [::]:443 ssl;
-    listen 443 ssl;
-
-    client_max_body_size 4M;
-    client_body_buffer_size 128k;
-
-    root /usr/share/dokuwiki;
-    index doku.php;
-
-    location ~ /(data/|conf/|bin/|inc/|install.php) { deny all; }
-
-    location / { try_files $uri $uri/ @dokuwiki; }
-
-    location @dokuwiki {
-        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
-        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
-        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
-        rewrite ^/(.*) /doku.php?id=$1&$args last;
-    }
-
-    location ~ \.php$ {
-        try_files $uri $uri/ /doku.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param REDIRECT_STATUS 200;
-        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
-    }
-}

roles/icinga2/meta/main.yaml

@@ -2,5 +2,6 @@ dependencies:
   - role: nginx
     php: true
     parent_role_path: "icinga2"
-    config_names: "icinga2"
+    config_name: "icinga2"
+    server_fqdn: "status.lilik.it"
   - role: postgresql

roles/icinga2/templates/icinga2.conf.nginx.j2

@@ -1,10 +1,6 @@
-server {
-    listen              80;
-
-    location = / {
-        return 301 http://$host/icingaweb2;
+    location / {
+      rewrite ^/$ /icingaweb2 permanent;
     }
-
     location ~ ^/icingaweb2/index\.php(.*)$ {
       fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
       fastcgi_index index.php;
@@ -18,4 +14,3 @@ server {
       alias /usr/share/icingaweb2/public;
       try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
     }
-}

roles/login/meta/main.yaml

@@ -4,4 +4,5 @@ dependencies:
     is_proxy: true
     config_name: "login"
     remote_host: "http://localhost:5000"
-    server_name: "login.lilik.it"
+    server_fqdn: "login3.lilik.it"
+    parent_role_path: "login"

roles/login/templates/login.conf.nginx.j2

@@ -1,28 +1 @@
-
-server {
-  listen *:80;
-
-
-  server_name login.lilik.it;
-
-  client_max_body_size 0;
-
-
-  location / {
     rewrite ^/$ /static/index.html permanent;
-
-    proxy_http_version 1.1;
-
-    proxy_set_header Host projects.leader.lilik.it;
-    proxy_set_header X-Forwarded-Host "";
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto http;
-
-    proxy_pass http://localhost:5000;
-    proxy_hide_header    Content-Security-Policy;
-    proxy_hide_header    X-Frame-Options;
- }
-
-
-}

roles/nginx/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
   is_proxy: false
   php: false
-  config_names: []
+  config_name: null

roles/nginx/meta/main.yaml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: certbot

roles/nginx/tasks/main.yaml

@@ -34,31 +34,36 @@
   notify:
       - restart nginx
 
-- name: upload nginx proxy configuration
+- name: upload nginx configuration
   template:
-      src: proxy_nginx.j2
-      dest: "/etc/nginx/sites-available/{{ config_name }}.conf"
-  when: is_proxy | bool
+      src: base.j2
+      dest: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf"
   notify:
       - restart nginx
 
-- name: add nginx configurations
-  template:
-      src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
-      dest: /etc/nginx/sites-available/{{ item }}.conf
-  with_items: "{{ config_names }}"
-  notify:
-      - restart nginx
+# - name: add nginx configurations
+#   template:
+#       src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
+#       dest: /etc/nginx/sites-available/{{ item }}.conf
+#   with_items: "{{ config_names }}"
+#   notify:
+#       - restart nginx
 
-- name: add proxy to config_names
-  set_fact:
-    config_names: "{{ config_names | union( [config_name])}}"
-  when: is_proxy | bool
+# - name: add proxy to config_names
+#   set_fact:
+#     config_names: "{{ config_names | union( [config_name])}}"
+#   when: is_proxy | bool
+
+- name: create Diffie Hellman exchange parameters
+  command: openssl dhparam -out /etc/nginx/dhparam.pem 2048
+  args:
+    creates: /etc/nginx/dhparam.pem
+  notify: restart nginx
 
 - name: enable nginx configurations
   file:
-      src: "/etc/nginx/sites-available/{{ item }}.conf"
-      dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
+      src: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf"
+      dest: "/etc/nginx/sites-enabled/{{ config_name|default('proxy') }}.conf"
       state: link
-  with_items: "{{ config_names }}"
+  # with_items: "{{ config_names }}"
   notify: restart nginx

roles/nginx/templates/proxy.conf.nginx.j2

@@ -0,0 +1,11 @@
+    location / {
+        client_max_body_size 50M;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_pass {{ remote_host }};
+    }

roles/reverse_proxy/templates/http.j2

@@ -10,6 +10,7 @@ server {
       proxy_set_header X-NginX-Proxy true;
       proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
     }
+
     location / {
       if ($request_method = POST) {
         return 307 https://$server_name$request_uri;

roles/roundcube/meta/main.yaml

@@ -2,4 +2,6 @@
 dependencies:
   - role: nginx
     php: true
+    config_name: "roundcube"
+    server_fqdn: "webmail.lilik.it"
     parent_role_path: "roundcube"

roles/roundcube/templates/roundcube.conf.nginx.j2

@@ -1,6 +1,3 @@
-server {
-    listen              80;
-    
     # support roundcubemail secure urls
     rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1;
 
@@ -20,4 +17,3 @@ server {
     location ~ /\.ht {
             deny all;
     }
-}

roles/sympa/meta/main.yaml

@@ -1,6 +1,8 @@
 ---
 dependencies:
   - role: nginx
+    config_name: "sympa"
+    server_fqdn: "lists.lilik.it"
     parent_role_path: "sympa"
   - role: exim4
     stmp_relay: "{{ hostvars['mail'].ansible_host }}"

roles/sympa/templates/sympa.conf.nginx.j2

@@ -1,12 +1,5 @@
-# based on https://gist.github.com/bjacint/7862912
-
-server {
-    listen       80;
-
-    server_name  *.*;
+    # based on https://gist.github.com/bjacint/7862912
     root         /usr/lib/cgi-bin/sympa;
-    access_log   /var/log/nginx/sympa.access.log;
-    error_log    /var/log/nginx/sympa.error.log;
     error_page   403 500 502 503 504 /50x.html;
 
     rewrite ^/$ /wws permanent;
@@ -62,4 +55,3 @@ server {
         fastcgi_param  HTTP_HOST           $http_host;
         fastcgi_intercept_errors on;
     }
-}

roles/wordpress/meta/main.yaml

@@ -1,6 +1,8 @@
 ---
 dependencies:
-    - role: apache2
+    - role: nginx
       php: true
       parent_role_path: "wordpress"
+      config_name: "wordpress"
+      server_fqdn: "blog.lilik.it"
     - role: mysql

roles/wordpress/templates/wordpress.apache2.j2

@@ -1,11 +0,0 @@
-<VirtualHost *:80>
-  ServerName {{ item }}.lilik.it
-  DocumentRoot /usr/share/wordpress
-  DirectoryIndex index.php
-  Alias /wp-content/ "/srv/www/wp-content/{{ item }}.lilik.it/"
-  <Directory /usr/share/wordpress>
-    AllowOverride All
-    Order Deny,Allow
-    Allow from all
-  </Directory>
-</VirtualHost>

roles/wordpress/templates/wordpress.conf.nginx.j2

@@ -0,0 +1,28 @@
+root /usr/share/wordpress;
+
+index index.php;
+
+location /wp-content/ {
+  alias /srv/www/wp-content/$host/;
+}
+
+location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+
+        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+}
+
+#deny access to .htaccess files, if Apache's document root
+#concurs with nginx's one
+location ~ /\.ht {
+        deny all;
+}
+
+location /files {
+  rewrite ^/files/(.+) /wp-includes/ms-files.php?file=$1 break;
+}
+location / {
+  if (-e $request_filename){
+    rewrite ^(.*)$ /index.php break;
+  }
+}