diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json
index c7db00b..64929d1 100644
--- a/roles/element-and-nginx/defaults/main.json
+++ b/roles/element-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
 "var_element_and_nginx_domain": "element.example.org",
- "var_element_and_nginx_path": "/opt/element"
+ "var_element_and_nginx_path": "/opt/element",
+ "var_element_and_nginx_tls": "enable"
 }
diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2
index 08330a6..bc9c035 100644
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@@ -1,14 +1,31 @@
+boilerplate element {
+ root {{var_element_and_nginx_path}};
+}
+
 server {
+ server_name {{var_element_and_nginx_domain}};
+
 listen 80;
 listen [::]:80;
+
+{% if (var_element_and_nginx_tls == "force") %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ invoke element;
+{% endif %}
+}
+
+{% if (var_element_and_nginx_tls != "disable") %}
+server {
+ server_name {{var_element_and_nginx_domain}};
+
 listen 443 ssl;
 listen [::]:443 ssl;
 
- server_name {{var_element_and_nginx_domain}};
-
 ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
 include /etc/nginx/ssl-hardening.conf;
 
- root {{var_element_and_nginx_path}};
+ invoke element;
 }
+{% endif %}
diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json
index 6bffbd7..c51d108 100644
--- a/roles/gitlab-and-nginx/defaults/main.json
+++ b/roles/gitlab-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
- "var_gitlab_and_nginx_domain": "element.example.org",
- "var_gitlab_and_nginx_path": "/opt/element"
+ "var_gitlab_and_nginx_domain": "gitlab.example.org",
+ "var_gitlab_and_nginx_path": "/opt/gitlab",
+ "var_gitlab_and_nginx_tls": "enable"
 }
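Review bot: The new default `"var_element_and_nginx_tls": "enable"` leaves the Element client reachable in cleartext on port 80 with no redirect, because the template only issues the 301 when the value is `"force"`; a user who opens http:// will authenticate there and the browser will keep the Matrix access token under an insecure origin. Unless plain HTTP is needed for a deployment behind another TLS terminator, `"var_element_and_nginx_tls": "force"` is the safer default, with `"enable"` opted into explicitly. Since JSON defaults cannot carry a comment, the three accepted values (`disable`, `enable`, `force`) and the security trade-off of `enable` should be stated in the role's README or in a comment at the top of templates/conf.j2.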
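Review bot: The added redirect `return 301 https://$http_host$request_uri;` in the port-80 block reflects the client-supplied Host header into the Location target, so a request with a forged Host is bounced to an attacker-chosen origin (and an HTTP/1.0 request with no Host yields `https://` followed directly by the path); pinning it to the configured name, `return 301 https://$server_name$request_uri;`, avoids both. `boilerplate` and `invoke` are not directives of stock nginx, so presumably a preprocessor or module is relied on here — a one-line comment at the top of the template naming that requirement would save the next person a failed `nginx -t`. Any value of `var_element_and_nginx_tls` other than `force` or `disable` silently takes the cleartext branch, so an Ansible `assert` on the allowed values (or a Jinja check) in the role's tasks is worth adding. If `/etc/nginx/ssl-hardening.conf` does not already send Strict-Transport-Security, the 443 block should add it once `force` is the chosen mode.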
diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2
index 4208162..1033ae6 100644
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@@ -29,34 +29,11 @@ map $http_referer $gitlab_ssl_filtered_http_referer {
 ~^(?.*)\? $temp;
 }
 
-server {
- listen 80 default_server;
- listen [::]:80 ipv6only=on default_server;
-
- server_name {{var_gitlab_and_nginx_domain}};
- server_tokens off;
-
- return 301 https://$http_host$request_uri;
-
- access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
- error_log /var/log/nginx/gitlab_error.log;
-}
-
-server {
- listen 0.0.0.0:443 ssl http2;
- listen [::]:443 ipv6only=on ssl http2 default_server;
-
- server_name {{var_gitlab_and_nginx_domain}};
- server_tokens off;
-
- ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
- ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
- include /etc/nginx/ssl-hardening.conf;
-
+boilerplate gitlab_common {
 real_ip_header X-Real-IP;
 real_ip_recursive off;
 
- access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
+ access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access;
 error_log /var/log/nginx/gitlab_error.log;
 
 location / {
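Review bot: The new `access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access;` drops the named log format and falls back to nginx's default `combined` format, which records the raw Referer; the `$gitlab_ssl_filtered_http_referer` map visible in the hunk header (matching up to the first `?`) presumably existed so that format could log referers with the query string stripped, so this change quietly reintroduces query parameters into the access log. If the format was removed because its definition lives in an http-context include that is no longer present, say so in the comment and state the log-redaction consequence, e.g. `# gitlab_ssl_access format dropped: referers are now logged unfiltered`; otherwise keep `gitlab_ssl_access` on the directive. The `boilerplate gitlab_common {` opened here closes outside the hunk.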
@@ -92,3 +69,32 @@ server {
 }
 }
 
+server {
+ server_name {{var_gitlab_and_nginx_domain}};
+ server_tokens off;
+
+ listen 80 default_server;
+ listen [::]:80 ipv6only=on default_server;
+
+{% if (var_gitlab_and_nginx_tls == "force") %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ invoke gitlab_common;
+{% endif %}
+}
+
+{% if (var_gitlab_and_nginx_tls != "disable") %}
+server {
+ server_name {{var_gitlab_and_nginx_domain}};
+ server_tokens off;
+
+ listen 0.0.0.0:443 ssl http2;
+ listen [::]:443 ipv6only=on ssl http2 default_server;
+
+ ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
+ ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+ invoke gitlab_common;
+}
+{% endif %}
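Review bot: Because this port-80 block is `default_server`, every request on :80 regardless of Host reaches `return 301 https://$http_host$request_uri;`, which copies the attacker-controlled Host header straight into the Location target — a host-header open redirect that is now also the path GitLab login links take when `force` is set; `return 301 https://$server_name$request_uri;` pins it to the configured domain. With the default `enable` value the else-branch serves the full GitLab proxy (`invoke gitlab_common`) in cleartext on the default server, so credentials and session cookies for the whole host traverse HTTP unless the caller overrides the variable; that deserves a comment next to the `{% if %}` or a stricter default. `server_tokens off;` is repeated in both server blocks and could live in `gitlab_common` instead, and only the IPv6 443 listener carries `default_server` while `listen 0.0.0.0:443 ssl http2;` does not, so IPv4 and IPv6 behave differently for unmatched names. An unrecognised value of `var_gitlab_and_nginx_tls` falls silently into the cleartext branch; an `assert` on the allowed values in the role's tasks would catch typos.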