From 2b8e0dbbffcabb7f35cc5d33dbd9b57b29592567 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Sat, 2 Jan 2021 18:49:08 +0100
Subject: [PATCH] [nginx] Fix nginx template, this is now usable
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/mailman.yml | 5 +++-
 group_vars/nginx.yml | 6 +++++
 group_vars/reverseproxy.yml | 2 --
 roles/nginx/tasks/main.yml | 11 ++++++++
 roles/nginx/templates/nginx/passwd.j2 | 2 +-
 .../nginx/sites-available/service.j2 | 27 ++++++++++---------
 .../templates/www/{ => html}/401.html.j2 | 0
 7 files changed, 37 insertions(+), 16 deletions(-)
 rename roles/nginx/templates/www/{ => html}/401.html.j2 (100%)
diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml
index 4a70e7f4..cd7d754b 100644
--- a/group_vars/mailman.yml
+++ b/group_vars/mailman.yml
@@ -25,7 +25,10 @@ loc_nginx:
 - filter: "~ ^/$"
 params:
 - "return 302 https://lists.crans.org/listinfo"
- - filter: "~ ^/admin"
+ - filter: "/"
+ params:
+ - "include \"/etc/nginx/snippets/fastcgi.conf\""
+ - filter: "~ ^/listinfo"
 params:
 - "satisfy any"
 - "include \"/etc/nginx/snippets/fastcgi.conf\""
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
index 00383aea..1d97f621 100644
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -1,13 +1,19 @@
 ---
 glob_nginx:
+ contact: contact@crans.org
+ who: "L'équipe technique du Cr@ns"
 ssl:
 cert: /etc/letsencrypt/live/crans.org/fullchain.pem
 cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
 trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+ default_server:
+ default_ssl_server:
 servers:
+ ssl: false
 server_name:
 - "default"
 - "_"
 root: "/var/www/html"
 locations:
 - filter: "/"
+ upstreams: []
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index 49f1ed78..fb542879 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
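Review bot: The `~ ^/admin` location is removed rather than kept next to the two new entries, so any access directives that follow `satisfy any` in that params list (the list continues past the hunk) now apply to `~ ^/listinfo` only, and requests for /admin fall through to the new `/` prefix location that carries just the fastcgi include. If the list-admin pages are meant to stay restricted at the nginx level, add a third entry `- filter: "~ ^/admin"` carrying `satisfy any` and the same access directives; if the application is now expected to enforce that itself, a comment above the `/` entry saying so would keep the next reader from re-adding it. The `loc_nginx` list starts outside the hunk.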
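Review bot: `default_server:` and `default_ssl_server:` are added as bare keys, which a YAML loader reads as null; that is falsy for the `{% if nginx.default_ssl_server %}` guard in service.j2, but it is the ambiguous empty-value form, so write `default_server: null` and `default_ssl_server: null` (or `""`) to make the intent explicit. Separately, `servers:` holds a single mapping (`ssl`, `server_name`, `root`, `locations`) while service.j2 closes its server block with `{% endfor %}` and reads `server.server_name`, which looks like iteration over a list of servers; if so, the default should be a one-element list (`servers:` / `  - ssl: false` / `    server_name: ...`), which is worth confirming against the loop header that lies outside this patch.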
@@ -6,8 +6,6 @@ certbot:
 domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
 nginx:
- contact: contact@crans.org
- who: "l'équipe technique du Cr@ns"
 ssl:
 cert: /etc/letsencrypt/live/crans.org/fullchain.pem
 cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 441ac4dd..8d6d3823 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -25,6 +25,7 @@ template:
 src: "nginx/sites-available/{{ item }}.j2"
 dest: "/etc/nginx/sites-available/{{ item }}"
+ mode: 0644
 loop:
 - reverseproxy
 - reverseproxy_redirect_dname
@@ -49,6 +50,7 @@ template:
 src: "nginx/sites-available/service.j2"
 dest: "/etc/nginx/sites-available/service"
+ mode: 0644
 notify: Reload nginx
 - name: Activate local nginx service site
@@ -64,12 +66,18 @@ template:
 src: www/html/50x.html.j2
 dest: /var/www/html/50x.html
+ owner: www-data
+ group: www-data
+ mode: 0644
 - name: Copy robots.txt file
 when: nginx.deploy_robots_file
 template:
 src: www/html/robots.txt.j2
 dest: /var/www/html/robots.txt
+ owner: www-data
+ group: www-data
+ mode: 0644
 - name: Indicate role in motd
 template:
@@ -89,3 +97,6 @@ template:
 src: www/html/401.html.j2
 dest: /var/www/html/401.html
+ owner: www-data
+ group: www-data
+ mode: 0644
diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2
index ea58b2da..e87369c9 100644
--- a/roles/nginx/templates/nginx/passwd.j2
+++ b/roles/nginx/templates/nginx/passwd.j2
@@ -1,4 +1,4 @@
 {{ ansible_header | comment }}
-{% for user, hash in nginx.auth_passwd -%}
+{% for user, hash in nginx.auth_passwd.items() -%}
 {{ user }}: {{ hash }}
 {% endfor -%}
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
index 13569dcc..11afc9d5 100644
--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
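Review bot: `mode: 0644` is an unquoted leading-zero number; a YAML 1.1 loader turns it into the integer 420 and Ansible then has to infer that octal was meant, which is why ansible-lint flags this form. Quote it as `mode: "0644"` so the module receives the string it is meant to parse. The same applies to the `mode:` lines added in the hunks at -49, -64 and -89.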
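Review bot: 50x.html and robots.txt are now chowned to `www-data`, which gives the nginx worker user write access to content it serves; static files only need to be readable by the worker, and leaving them root-owned (as these tasks did before) with `mode: "0644"` keeps a compromised worker from rewriting the served pages. Unless something on the host must write these files as www-data, drop the `owner`/`group` lines and keep only the mode. The same applies to 401.html in the hunk at -89.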
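Review bot: The unchanged context line `{{ user }}: {{ hash }}` emits a space after the colon, but the `auth_basic_user_file` format is `name:hash` with everything after the colon taken as the password field, so the leading space presumably makes every hash fail to verify once this loop actually runs. Change it to `{{ user }}:{{ hash }}`. The `.items()` fix itself is correct; it just surfaces this formatting problem.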
@@ -7,14 +7,14 @@ upstream {{ upstream.name }} {
 }
 {% endfor -%}
-{% if nginx.default_ssl_host -%}
+{% if nginx.default_ssl_server -%}
 # Redirect all services to the main site
 server {
 listen 443 default_server ssl;
 listen [::]:443 default_server ssl;
 include "/etc/nginx/snippets/options-ssl.conf";
- server_name {{ ngix.default_ssl_server }};
+ server_name {{ nginx.default_ssl_server }};
 charset utf-8;
 # Hide Nginx version
@@ -51,20 +51,20 @@ server {
 listen 80 default;
 listen [::]:80 default;
- server_name {{ server.server_name|join:" " }};
+ server_name {{ server.server_name|join(" ") }};
 charset utf-8;
 # Hide Nginx version
 server_tokens off;
 location / {
- return 302 https://{{ server.server_name }}$request_uri;
+ return 302 https://$host$request_uri;
 }
 }
 {% endif -%}
 server {
- {% if server.ssl -%}
+ {% if server.ssl is defined and server.ssl -%}
 listen 443 default_server ssl;
 listen [::]:443 default_server ssl;
 include "/etc/nginx/snippets/options-ssl.conf";
@@ -73,32 +73,35 @@ server {
 listen [::]:80 default;
 {% endif -%}
- server_name {{ server.server_name }};
+ server_name {{ server.server_name|join(" ") }};
 charset utf-8;
 # Hide Nginx version
 server_tokens off;
- {% if server.root -%}
+ {% if server.root is defined -%}
 root {{ server.root }};
 {% endif -%}
- {% if server.index -%}
- index {{ server.index|join:" " }};
+ {% if server.index is defined -%}
+ index {{ server.index|join(" ") }};
 {% endif -%}
- {% if server.access_log -%}
+ {% if server.access_log is defined -%}
 access_log {{ server.access_log }};
 {% endif -%}
- {% if server.error_log -%}
+ {% if server.error_log is defined -%}
 error_log {{ server.error_log }};
 {% endif -%}
+ {% if server.locations is defined -%}
+ {% for location in server.locations -%}
 location {{ location.filter }} {
- {% for param in params -%}
+ {% for param in location.params -%}
 {{ param }};
 {% endfor -%}
 }
 {% endfor -%}
+{% endif -%}
 }
 {% endfor %}
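Review bot: This catch-all block keeps `listen 443 default_server ssl` while the per-server block in the hunk at -51 also emits `listen 443 default_server ssl` whenever `server.ssl` is true, and nginx rejects a second `default_server` on the same address:port, so setting `default_ssl_server` together with any TLS-enabled server (or rendering two TLS servers) presumably fails the config test. Reserve `default_server` for this redirect block and use plain `listen 443 ssl;` / `listen [::]:443 ssl;` in the per-server block. The enclosing `{% for %}` over servers starts outside these hunks.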
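Review bot: `return 302 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, and because this block is the `listen 80 default` catch-all it answers for any Host value, so the Location header reflects whatever name the client sent. Redirect to a fixed canonical name instead, for example the first entry `https://{{ server.server_name[0] }}$request_uri`, or `$server_name` where the block has a single name. The old `{{ server.server_name }}` form rendered the whole list, so the direction of the fix is right; only the source of the hostname should change.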
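Review bot: The new `is defined` guards on `server.root`, `server.index`, `server.access_log` and `server.error_log` only test presence, so a key left empty in group_vars (the same bare-key style as `default_ssl_server:` in group_vars/nginx.yml in this patch) renders `root None;` or `index ;` and breaks the config; the ssl guard in the hunk at -51 already uses the combined form. Use `{% if server.root is defined and server.root -%}` (and likewise for the other three) so null and empty values are skipped as they were before.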
diff --git a/roles/nginx/templates/www/401.html.j2 b/roles/nginx/templates/www/html/401.html.j2
similarity index 100%
rename from roles/nginx/templates/www/401.html.j2
rename to roles/nginx/templates/www/html/401.html.j2
--
GitLab