integredete certbot and reverse proxy config

2019-09-15 19:30:01 +02:00 · 2019-09-15 19:30:01 +02:00 · d3a349157e
commit d3a349157e
parent 0150d7431f
2 changed files with 56 additions and 3 deletions
--- a/group_vars/server
+++ b/group_vars/server
@ -61,16 +61,35 @@ Gandi_API_KEYS: "{{ vault_gandi_API_Keys }}"
 Gandi_Domain: "{{ domain.name }}"
 Gandi_Record: www

+certbot_auto_renew_user: root
+certbot_create_if_missing: true
+certbot_cert_name: "{{domain.name}}"
+certbot_certs:
+  - email: "{{user.mail}}"
+    domains:
+    - www.{{domain.name}}
+    - git.{{domain.name}}
+    - supysonic.{{domain.name}}
+    - syno.{{domain.name}}
+

 nginx_vhosts:
    - listen: "80"
-      server_name: "localhost"
+      server_name: "_"
+      filename: "redirect80.conf"
+      state: "present"
+      template: "{{ nginx_vhost_template }}"
+      extra_parameters: |
+        return 301 https://$host;
+    - listen: "443 ssl"
+      server_name: "www.{{domain.name}}"
      root: "/usr/share/nginx/html/"
      error_page: "404              /404/404.html"
      filename: "default.conf"
      state: "present"
      template: "{{ nginx_vhost_template }}"
      extra_parameters: |
+        include /etc/nginx/conf.d/{{domain.name}}.ssl;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
@ -94,7 +113,40 @@ nginx_vhosts:
            include fastcgi_params;
        }
        include /etc/nginx/conf.d/*.default;
-
+    - listen: "443 ssl"
+      server_name: "git.{{domain.name}}"
+      filename: "gitea.conf"
+      state: "present"
+      template: "{{ nginx_vhost_template }}"
+      extra_parameters: |
+        include /etc/nginx/conf.d/{{domain.name}}.ssl;
+        location / {
+          #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+          proxy_pass http://localhost:3000;
+        }
+      
+    - listen: "443 ssl"
+      server_name: "syno.{{domain.name}}"
+      filename: "syno.conf"
+      state: "present"
+      template: "{{ nginx_vhost_template }}"
+      extra_parameters: |
+        include /etc/nginx/conf.d/{{domain.name}}.ssl;
+        location / {
+          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+          proxy_pass http://192.168.1.10:5000;
+        }   
+    - listen: "443 ssl"
+      server_name: "supysonic.{{domain.name}}"
+      filename: "supysonic.conf"
+      state: "present"
+      template: "{{ nginx_vhost_template }}"
+      extra_parameters: |
+        include /etc/nginx/conf.d/{{domain.name}}.ssl;
+        location / { 
+          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+          proxy_pass http://localhost:8001;
+        }

 nginx_realIP_Proxy: 192.168.1.10/24

--- a/server.yml
+++ b/server.yml
@ -16,7 +16,8 @@
  - gandi-dyn-dns
  - fail2ban
  - {role: dns , become: yes }
-  - {role: nginx, become: yes }
+  - {role: nginx, become: yes }  
+  - {role: ansible-role-certbot, become: yes} ##need to have a external connection on 80
  - {role: mariadb, become: yes }
  - php
  - tt-rss