[mod] role:authelia-and-nginx:tls mode

2024-07-03 22:02:06 +02:00 · 2024-07-03 22:02:06 +02:00 · fc03370b19
commit fc03370b19
parent dc28d22a90
3 changed files with 49 additions and 23 deletions
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_authelia_and_nginx_domain": "authelia.example.org"
+	"var_authelia_and_nginx_domain": "authelia.example.org",
 	"var_authelia_and_nginx_tls_mode": "enable"
 }
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -1,22 +1,4 @@
-server {
+{% macro authelia_common() %}
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:80;
 	listen 80;
 	return 301 https://$server_name$request_uri;
 }
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		## Headers
 		proxy_set_header Host $host;
@ -28,7 +10,7 @@ server {
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Connection "";
-
+		
 		## Basic Proxy Configuration
 		client_body_buffer_size 128k;
 		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
@ -37,7 +19,7 @@ server {
 		proxy_cache_bypass $cookie_session;
 		proxy_no_cache $cookie_session;
 		proxy_buffers 64 256k;
-
+		
 		## Trusted Proxies Configuration
 		## Please read the following documentation before configuring this:
 		##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
@ -47,7 +29,7 @@ server {
 		# set_real_ip_from fc00::/7;
 		real_ip_header X-Forwarded-For;
 		real_ip_recursive on;
-
+		
 		## Advanced Proxy Configuration
 		send_timeout 5m;
 		proxy_read_timeout 360;
@ -60,4 +42,32 @@ server {
 	location /api/verify {
 		proxy_pass http://localhost:9091;
 	}
 {% endmacro %}
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_authelia_and_nginx_tls_mode == "force") %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 	{{ authelia_common() }}
 {% endif %}
 }
 {% if (var_element_and_nginx_tls_mode != "disable") %}
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	{{ authelia_common() }}
 }
 {% endif %}
--- a/roles/authelia-and-nginx/vardef.json
+++ b/roles/authelia-and-nginx/vardef.json
@ -0,0 +1,15 @@
 {
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }