misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Merge branch 'dev-tls_switch' into 'main'

Browse source 
TLS-Schalter

See merge request misc/ansible-base!11
This commit is contained in:
roydfalk 2024-07-30 13:29:12 +00:00
commit 576e8524d5
21 changed files with 369 additions and 148 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
roles/authelia-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{ {
"var_authelia_and_nginx_domain": "authelia.example.org" "var_authelia_and_nginx_domain": "authelia.example.org",
"var_authelia_and_nginx_tls_mode": "force"
} }

54
roles/authelia-and-nginx/templates/conf.j2
View file

@ -1,22 +1,4 @@
server { {% macro authelia_common() %}
server_name {{var_authelia_and_nginx_domain}};
listen [::]:80;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{var_authelia_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location / { location / {
## Headers ## Headers
proxy_set_header Host $host; proxy_set_header Host $host;
@ -28,7 +10,7 @@ server {
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection ""; proxy_set_header Connection "";
## Basic Proxy Configuration ## Basic Proxy Configuration
client_body_buffer_size 128k; client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
@ -37,7 +19,7 @@ server {
proxy_cache_bypass $cookie_session; proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session; proxy_no_cache $cookie_session;
proxy_buffers 64 256k; proxy_buffers 64 256k;
## Trusted Proxies Configuration ## Trusted Proxies Configuration
## Please read the following documentation before configuring this: ## Please read the following documentation before configuring this:
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
@ -47,7 +29,7 @@ server {
# set_real_ip_from fc00::/7; # set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
real_ip_recursive on; real_ip_recursive on;
## Advanced Proxy Configuration ## Advanced Proxy Configuration
send_timeout 5m; send_timeout 5m;
proxy_read_timeout 360; proxy_read_timeout 360;
@ -60,4 +42,32 @@ server {
location /api/verify { location /api/verify {
proxy_pass http://localhost:9091; proxy_pass http://localhost:9091;
} }
{% endmacro %}
server {
server_name {{var_authelia_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_authelia_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ authelia_common() }}
{% endif %}
} }
{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_authelia_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ authelia_common() }}
}
{% endif %}

15
roles/authelia-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

2
roles/dokuwiki-and-nginx/defaults/main.json
View file

@ -1,5 +1,5 @@
{ {
"var_dokuwiki_and_nginx_directory": "/opt/dokuwiki", "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
"var_dokuwiki_and_nginx_domain": "dokuwiki.example.org", "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
"var_dokuwiki_and_nginx_tls_enable": true "var_dokuwiki_and_nginx_tls_mode": "force"
} }

48
roles/dokuwiki-and-nginx/templates/conf.j2
View file

@ -1,22 +1,4 @@
server { {% macro dokuwiki_common() %}
listen 80;
listen [::]:80;
server_name {{var_dokuwiki_and_nginx_domain}};
return 301 https://$server_name$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name {{var_dokuwiki_and_nginx_domain}};
{% if var_dokuwiki_and_nginx_tls_enable %}
ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% endif %}
# Maximum file upload size is 4MB - change accordingly if needed # Maximum file upload size is 4MB - change accordingly if needed
client_max_body_size 4M; client_max_body_size 4M;
client_body_buffer_size 128k; client_body_buffer_size 128k;
@ -58,4 +40,32 @@ server {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
} }
{% endmacro %}
server {
server_name {{var_dokuwiki_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ dokuwiki_common() }}
{% endif %}
} }
{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_dokuwiki_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ dokuwiki_common() }}
}
{% endif %}

19
roles/dokuwiki-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"directory": {
"type": "string",
"mandatory": false
},
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/element-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{ {
"var_element_and_nginx_domain": "element.example.org", "var_element_and_nginx_domain": "element.example.org",
"var_element_and_nginx_path": "/opt/element" "var_element_and_nginx_path": "/opt/element",
"var_element_and_nginx_tls_mode": "force"
} }

25
roles/element-and-nginx/templates/conf.j2
View file

@ -1,14 +1,31 @@
{% macro element_common() %}
root {{var_element_and_nginx_path}};
{% endmacro %}
server { server {
server_name {{var_element_and_nginx_domain}};
listen 80; listen 80;
listen [::]:80; listen [::]:80;
{% if (var_element_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ element_common() }}
{% endif %}
}
{% if (var_element_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_element_and_nginx_domain}};
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
server_name {{var_element_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf; include /etc/nginx/ssl-hardening.conf;
root {{var_element_and_nginx_path}}; {{ element_common() }}
} }
{% endif %}

19
roles/element-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"domain": {
"mandatory": false,
"type": "string"
},
"path": {
"mandatory": false,
"type": "string"
},
"tls_mode": {
"mandatory": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
]
}
}

3
roles/gitlab-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{ {
"var_gitlab_and_nginx_domain": "element.example.org", "var_gitlab_and_nginx_domain": "element.example.org",
"var_gitlab_and_nginx_path": "/opt/element" "var_gitlab_and_nginx_path": "/opt/element",
"var_gitlab_and_nginx_tls_mode": "force"
} }

125
roles/gitlab-and-nginx/templates/conf.j2
View file

@ -1,64 +1,7 @@
upstream gitlab-workhorse { {% macro gitlab_common() %}
server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
}
map $http_upgrade $connection_upgrade_gitlab_ssl {
default upgrade;
'' close;
}
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
map $request_uri $gitlab_ssl_temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
default $gitlab_ssl_temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
default $gitlab_ssl_temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $http_referer $gitlab_ssl_filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
return 301 https://$http_host$request_uri;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ipv6only=on ssl http2 default_server;
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
real_ip_header X-Real-IP; real_ip_header X-Real-IP;
real_ip_recursive off; real_ip_recursive off;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
location / { location / {
client_max_body_size 0; client_max_body_size 0;
gzip off; gzip off;
@ -90,5 +33,71 @@ server {
root /home/git/gitlab/public; root /home/git/gitlab/public;
internal; internal;
} }
{% endmacro %}
upstream gitlab-workhorse {
server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
} }
map $http_upgrade $connection_upgrade_gitlab_ssl {
default upgrade;
'' close;
}
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
map $request_uri $gitlab_ssl_temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
default $gitlab_ssl_temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
default $gitlab_ssl_temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $http_referer $gitlab_ssl_filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
server {
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
listen 80;
listen [::]:80 ipv6only=on;
{% if (var_gitlab_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
{{ gitlab_common() }}
{% endif %}
}
{% if (var_gitlab_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
listen 443 ssl http2;
listen [::]:443 ipv6only=on ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
{{ gitlab_common() }}
}
{% endif %}

19
roles/gitlab-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"domain": {
"mandatory": false,
"type": "string"
},
"path": {
"mandatory": false,
"type": "string"
},
"tls_mode": {
"mandatory": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
]
}
}

3
roles/hedgedoc-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{ {
"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
"var_hedgedoc_and_nginx_tls_mode": "force"
} }

38
roles/hedgedoc-and-nginx/templates/conf.j2
View file

@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade {
'' close; '' close;
} }
server { {% macro hedgedoc_common() %}
server_name {{var_hedgedoc_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location / { location / {
proxy_pass http://localhost:3000; proxy_pass http://localhost:3000;
proxy_set_header Host $host; proxy_set_header Host $host;
@ -30,4 +21,31 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
} }
{% endmacro %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_element_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ hedgedoc_common() }}
{% endif %}
}
{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ hedgedoc_common() }}
} }

15
roles/hedgedoc-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/synapse-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{ {
"var_synapse_and_nginx_domain": "REPLACE_ME" "var_synapse_and_nginx_domain": "REPLACE_ME",
"var_synapse_and_nginx_tls_mode": "force"
} }

49
roles/synapse-and-nginx/templates/conf.j2
View file

@ -1,19 +1,4 @@
server { {% macro synapse_common() %}
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
## For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name {{var_synapse_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location ~ ^(/_matrix|/_synapse/client) { location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008; proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
@ -24,4 +9,36 @@ server {
proxy_http_version 1.1; proxy_http_version 1.1;
} }
{% endmacro %}
server {
server_name {{var_synapse_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_synapse_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ synapse_common() }}
{% endif %}
} }
{% if (var_synapse_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_synapse_and_nginx_domain}};
listen 443 ssl http2;
listen [::]:443 ssl http2;
## For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ synapse_common() }}
}
{% endif %}

15
roles/synapse-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/vikunja-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{ {
"var_vikunja_and_nginx_domain": "vikunja.example.org" "var_vikunja_and_nginx_domain": "vikunja.example.org",
"var_vikunja_and_nginx_tls_mode": "force"
} }

41
roles/vikunja-and-nginx/templates/conf.j2
View file

@ -1,17 +1,34 @@
server { {% macro vikunja_common() %}
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name {{var_vikunja_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
location / { location / {
proxy_pass http://localhost:3456; proxy_pass http://localhost:3456;
client_max_body_size 20M; client_max_body_size 20M;
} }
{% endmacro %}
server {
server_name {{var_vikunja_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_vikunja_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ vikunja_common() }}
{% endif %}
} }
{% if (var_vikunja_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_vikunja_and_nginx_domain}};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ vikunja_common() }}
}
{% endif %}

15
roles/vikunja-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}