misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Merge branch 'dev-tls_switch' into 'main'

Browse source 
TLS-Schalter

See merge request misc/ansible-base!11
This commit is contained in:
roydfalk 2024-07-30 13:29:12 +00:00
commit 576e8524d5
21 changed files with 369 additions and 148 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
roles/authelia-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{
"var_authelia_and_nginx_domain": "authelia.example.org"
"var_authelia_and_nginx_domain": "authelia.example.org",
"var_authelia_and_nginx_tls_mode": "force"
}

48
roles/authelia-and-nginx/templates/conf.j2
View file

@ -1,22 +1,4 @@
server {
server_name {{var_authelia_and_nginx_domain}};
listen [::]:80;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{var_authelia_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% macro authelia_common() %}
location / {
## Headers
proxy_set_header Host $host;
@ -60,4 +42,32 @@ server {
location /api/verify {
proxy_pass http://localhost:9091;
}
{% endmacro %}
server {
server_name {{var_authelia_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_authelia_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ authelia_common() }}
{% endif %}
}
{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_authelia_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ authelia_common() }}
}
{% endif %}

15
roles/authelia-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

2
roles/dokuwiki-and-nginx/defaults/main.json
View file

@ -1,5 +1,5 @@
{
"var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
"var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
"var_dokuwiki_and_nginx_tls_enable": true
"var_dokuwiki_and_nginx_tls_mode": "force"
}

48
roles/dokuwiki-and-nginx/templates/conf.j2
View file

@ -1,22 +1,4 @@
server {
listen 80;
listen [::]:80;
server_name {{var_dokuwiki_and_nginx_domain}};
return 301 https://$server_name$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name {{var_dokuwiki_and_nginx_domain}};
{% if var_dokuwiki_and_nginx_tls_enable %}
ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% endif %}
{% macro dokuwiki_common() %}
# Maximum file upload size is 4MB - change accordingly if needed
client_max_body_size 4M;
client_body_buffer_size 128k;
@ -58,4 +40,32 @@ server {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
}
{% endmacro %}
server {
server_name {{var_dokuwiki_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ dokuwiki_common() }}
{% endif %}
}
{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_dokuwiki_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ dokuwiki_common() }}
}
{% endif %}

19
roles/dokuwiki-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"directory": {
"type": "string",
"mandatory": false
},
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/element-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{
"var_element_and_nginx_domain": "element.example.org",
"var_element_and_nginx_path": "/opt/element"
"var_element_and_nginx_path": "/opt/element",
"var_element_and_nginx_tls_mode": "force"
}

25
roles/element-and-nginx/templates/conf.j2
View file

@ -1,14 +1,31 @@
{% macro element_common() %}
root {{var_element_and_nginx_path}};
{% endmacro %}
server {
server_name {{var_element_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_element_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ element_common() }}
{% endif %}
}
{% if (var_element_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_element_and_nginx_domain}};
listen 443 ssl;
listen [::]:443 ssl;
server_name {{var_element_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
root {{var_element_and_nginx_path}};
{{ element_common() }}
}
{% endif %}

19
roles/element-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"domain": {
"mandatory": false,
"type": "string"
},
"path": {
"mandatory": false,
"type": "string"
},
"tls_mode": {
"mandatory": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
]
}
}

3
roles/gitlab-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{
"var_gitlab_and_nginx_domain": "element.example.org",
"var_gitlab_and_nginx_path": "/opt/element"
"var_gitlab_and_nginx_path": "/opt/element",
"var_gitlab_and_nginx_tls_mode": "force"
}

125
roles/gitlab-and-nginx/templates/conf.j2
View file

@ -1,64 +1,7 @@
upstream gitlab-workhorse {
server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
}
map $http_upgrade $connection_upgrade_gitlab_ssl {
default upgrade;
'' close;
}
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
map $request_uri $gitlab_ssl_temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
default $gitlab_ssl_temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
default $gitlab_ssl_temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $http_referer $gitlab_ssl_filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
return 301 https://$http_host$request_uri;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ipv6only=on ssl http2 default_server;
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% macro gitlab_common() %}
real_ip_header X-Real-IP;
real_ip_recursive off;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
@ -90,5 +33,71 @@ server {
root /home/git/gitlab/public;
internal;
}
{% endmacro %}
upstream gitlab-workhorse {
server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
}
map $http_upgrade $connection_upgrade_gitlab_ssl {
default upgrade;
'' close;
}
log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
map $request_uri $gitlab_ssl_temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
default $gitlab_ssl_temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
default $gitlab_ssl_temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
map $http_referer $gitlab_ssl_filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
server {
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
listen 80;
listen [::]:80 ipv6only=on;
{% if (var_gitlab_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
{{ gitlab_common() }}
{% endif %}
}
{% if (var_gitlab_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_gitlab_and_nginx_domain}};
server_tokens off;
listen 443 ssl http2;
listen [::]:443 ipv6only=on ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
error_log /var/log/nginx/gitlab_error.log;
{{ gitlab_common() }}
}
{% endif %}

19
roles/gitlab-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,19 @@
{
"domain": {
"mandatory": false,
"type": "string"
},
"path": {
"mandatory": false,
"type": "string"
},
"tls_mode": {
"mandatory": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
]
}
}

3
roles/hedgedoc-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{
"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
"var_hedgedoc_and_nginx_tls_mode": "force"
}

38
roles/hedgedoc-and-nginx/templates/conf.j2
View file

@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade {
'' close;
}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% macro hedgedoc_common() %}
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
@ -30,4 +21,31 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
{% endmacro %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_element_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ hedgedoc_common() }}
{% endif %}
}
{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ hedgedoc_common() }}
}

15
roles/hedgedoc-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/synapse-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{
"var_synapse_and_nginx_domain": "REPLACE_ME"
"var_synapse_and_nginx_domain": "REPLACE_ME",
"var_synapse_and_nginx_tls_mode": "force"
}

49
roles/synapse-and-nginx/templates/conf.j2
View file

@ -1,19 +1,4 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
## For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name {{var_synapse_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% macro synapse_common() %}
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
@ -24,4 +9,36 @@ server {
proxy_http_version 1.1;
}
{% endmacro %}
server {
server_name {{var_synapse_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_synapse_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ synapse_common() }}
{% endif %}
}
{% if (var_synapse_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_synapse_and_nginx_domain}};
listen 443 ssl http2;
listen [::]:443 ssl http2;
## For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ synapse_common() }}
}
{% endif %}

15
roles/synapse-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

3
roles/vikunja-and-nginx/defaults/main.json
View file

@ -1,3 +1,4 @@
{
"var_vikunja_and_nginx_domain": "vikunja.example.org"
"var_vikunja_and_nginx_domain": "vikunja.example.org",
"var_vikunja_and_nginx_tls_mode": "force"
}

41
roles/vikunja-and-nginx/templates/conf.j2
View file

@ -1,17 +1,34 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name {{var_vikunja_and_nginx_domain}};
ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{% macro vikunja_common() %}
location / {
proxy_pass http://localhost:3456;
client_max_body_size 20M;
}
{% endmacro %}
server {
server_name {{var_vikunja_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (var_vikunja_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ vikunja_common() }}
{% endif %}
}
{% if (var_vikunja_and_nginx_tls_mode != 'disable') %}
server {
server_name {{var_vikunja_and_nginx_domain}};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ vikunja_common() }}
}
{% endif %}

15
roles/vikunja-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}