[nginx] Fix nginx template, this is now usable

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

[nginx] Fix nginx template, this is now usable
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2b8e0dbb · ynerant · ynerant · a9897ec3 · 2b8e0dbb · 2b8e0dbb
Commit 2b8e0dbb authored 4 years ago by ynerant Committed by ynerant 4 years ago
--- a/group_vars/mailman.yml
+++ b/group_vars/mailman.yml
@@ -25,7 +25,10 @@ loc_nginx:
        - filter: "~ ^/$"
          params:
            - "return 302 https://lists.crans.org/listinfo"
-        - filter: "~ ^/admin"
+        - filter: "/"
+          params:
+            - "include \"/etc/nginx/snippets/fastcgi.conf\""
+        - filter: "~ ^/listinfo"
          params:
            - "satisfy any"
            - "include \"/etc/nginx/snippets/fastcgi.conf\""

--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
 ---
 glob_nginx:
+  contact: contact@crans.org
+  who: "L'équipe technique du Cr@ns"
  ssl:
    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
    cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
    trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+  default_server:
+  default_ssl_server:
  servers:
+    ssl: false
    server_name:
      - "default"
      - "_"
    root: "/var/www/html"
    locations:
      - filter: "/"
+  upstreams: []
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -6,8 +6,6 @@ certbot:
  domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

 nginx:
-  contact: contact@crans.org
-  who: "l'équipe technique du Cr@ns"
  ssl:
    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
    cert_key: /etc/letsencrypt/live/crans.org/privkey.pem

--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -25,6 +25,7 @@
  template:
    src: "nginx/sites-available/{{ item }}.j2"
    dest: "/etc/nginx/sites-available/{{ item }}"
+    mode: 0644
  loop:
    - reverseproxy
    - reverseproxy_redirect_dname
@@ -49,6 +50,7 @@
  template:
    src: "nginx/sites-available/service.j2"
    dest: "/etc/nginx/sites-available/service"
+    mode: 0644
  notify: Reload nginx

 - name: Activate local nginx service site
@@ -64,12 +66,18 @@
  template:
    src: www/html/50x.html.j2
    dest: /var/www/html/50x.html
+    owner: www-data
+    group: www-data
+    mode: 0644

 - name: Copy robots.txt file
  when: nginx.deploy_robots_file
  template:
    src: www/html/robots.txt.j2
    dest: /var/www/html/robots.txt
+    owner: www-data
+    group: www-data
+    mode: 0644

 - name: Indicate role in motd
  template:
@@ -89,3 +97,6 @@
  template:
    src: www/html/401.html.j2
    dest: /var/www/html/401.html
+    owner: www-data
+    group: www-data
+    mode: 0644
--- a/roles/nginx/templates/nginx/passwd.j2
+++ b/roles/nginx/templates/nginx/passwd.j2
 {{ ansible_header | comment }}
-{% for user, hash in nginx.auth_passwd -%}
+{% for user, hash in nginx.auth_passwd.items() -%}
 {{ user }}: {{ hash }}
 {% endfor -%}
--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -7,14 +7,14 @@ upstream {{ upstream.name }} {
 }
 {% endfor -%}

-{% if nginx.default_ssl_host -%}
+{% if nginx.default_ssl_server -%}
 # Redirect all services to the main site
 server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    include "/etc/nginx/snippets/options-ssl.conf";

-    server_name {{ ngix.default_ssl_server }};
+    server_name {{ nginx.default_ssl_server }};
    charset utf-8;

    # Hide Nginx version
@@ -51,20 +51,20 @@ server {
    listen 80 default;
    listen [::]:80 default;

-    server_name {{ server.server_name|join:" " }};
+    server_name {{ server.server_name|join(" ") }};
    charset utf-8;

    # Hide Nginx version
    server_tokens off;

    location / {
-        return 302 https://{{ server.server_name }}$request_uri;
+        return 302 https://$host$request_uri;
    }
 }
 {% endif -%}

 server {
-    {% if server.ssl -%}
+    {% if server.ssl is defined and server.ssl -%}
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    include "/etc/nginx/snippets/options-ssl.conf";
@@ -73,32 +73,35 @@ server {
    listen [::]:80 default;
    {% endif -%}

-    server_name {{ server.server_name }};
+    server_name {{ server.server_name|join(" ") }};
    charset utf-8;

    # Hide Nginx version
    server_tokens off;

-    {% if server.root -%}
+    {% if server.root is defined -%}
    root {{ server.root }};
    {% endif -%}
-    {% if server.index -%}
-    index {{ server.index|join:" " }};
+    {% if server.index is defined -%}
+    index {{ server.index|join(" ") }};
    {% endif -%}

-    {% if server.access_log -%}
+    {% if server.access_log is defined -%}
    access_log {{ server.access_log }};
    {% endif -%}
-    {% if server.error_log -%}
+    {% if server.error_log is defined -%}
    error_log {{ server.error_log }};
    {% endif -%}

+    {% if server.locations is defined -%}
+
    {% for location in server.locations -%}
    location {{ location.filter }} {
-        {% for param in params -%}
+        {% for param in location.params -%}
        {{ param }};
        {% endfor -%}
    }
    {% endfor -%}
+{% endif -%}
 }
 {% endfor %}
--- a/roles/nginx/templates/www/401.html.j2
+++ b/roles/nginx/templates/www/401.html.j2