diff --git a/plays/mailman.yml b/plays/mailman.yml
index 6a84058baaa48fb0f27dd1c613ac9f1bc165172b..56008f2ab7e159fa14d19990bb77107cf90a5088 100755
--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@@ -24,6 +24,7 @@
 trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
 roles:
 - mailman
+ - nginx
 - nginx-mailman
 
 # Deploy Mailman3
diff --git a/plays/mirror.yml b/plays/mirror.yml
index d776c8c8abbe38f809f450db3d3965412f2662b9..b7a1f219a8aa84890ca7aabd048d61aef3142d87 100755
--- a/plays/mirror.yml
+++ b/plays/mirror.yml
@@ -74,4 +74,5 @@
 roles:
 - ftpsync
 - rsync-mirror
+ - nginx
 - nginx-pubftp
diff --git a/roles/nginx-mailman/tasks/main.yml b/roles/nginx-mailman/tasks/main.yml
index e2036b6bc2963f225db9f0d17c5df6c4300e2866..2e4cef6eb02c0fe8ecbd0e3c53d3a5ae066a7f01 100644
--- a/roles/nginx-mailman/tasks/main.yml
+++ b/roles/nginx-mailman/tasks/main.yml
@@ -1,13 +1,4 @@
 ---
-- name: Install NGINX
- apt:
- update_cache: true
- name:
- - nginx
- register: apt_result
- retries: 3
- until: apt_result is succeeded
-
 - name: Copy configuration files
 template:
 src: "{{ item.src }}"
@@ -35,9 +26,3 @@
 force: true
 when: not ansible_check_mode
 notify: Reload nginx
-
-- name: Indicate role in motd
- template:
- src: update-motd.d/05-service.j2
- dest: /etc/update-motd.d/05-nginx-mailman
- mode: 0755
diff --git a/roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~ b/roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~
deleted file mode 100644
index 3ce2f9237d596cbd5acc9336c5e2040830aa49c0..0000000000000000000000000000000000000000
--- a/roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~
+++ /dev/null
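Review bot: The new `- nginx` entry in the mailman.yml roles list (and the same one in the plays/mirror.yml hunk) makes the nginx dependency a matter of play ordering: nginx-mailman still does `notify: Reload nginx` (context in its tasks hunk) but no longer installs nginx itself, so any play that lists nginx-mailman or nginx-pubftp without `nginx` ahead of it will template into an nginx it never ensured and fail on the handler or the missing package. Declaring the dependency once in each role's meta, `roles/nginx-mailman/meta/main.yml` and `roles/nginx-pubftp/meta/main.yml` with `dependencies: [nginx]`, makes Ansible pull the nginx role in automatically and lets the plays stay as they were.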
@@ -1,18 +0,0 @@
-{{ ansible_header | comment }}
-
-# regex to split $uri to $fastcgi_script_name and $fastcgi_path
-fastcgi_split_path_info (^/[^/]*)(.*)$;
-
-# check that the PHP script exists before passing it
-try_files $fastcgi_script_name =404;
-
-# Bypass the fact that try_files resets $fastcgi_path_info
-# see: http://trac.nginx.org/nginx/ticket/321
-set $path_info $fastcgi_path_info;
-fastcgi_param PATH_INFO $path_info;
-
-# Let NGINX handle errors
-fastcgi_intercept_errors on;
-
-include /etc/nginx/fastcgi.conf;
-fastcgi_pass unix:/var/run/fcgiwrap.socket;
\ No newline at end of file
diff --git a/roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2
deleted file mode 100644
index 79d75395b48d40803b71faaec467eebe837c9467..0000000000000000000000000000000000000000
--- a/roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ ansible_header | comment }}
-
-ssl_certificate {{ nginx.ssl.cert }};
-ssl_certificate_key {{ nginx.ssl.key }};
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-ssl_session_tickets off;
-ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-ssl_protocols TLSv1.2 TLSv1.3;
-
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_prefer_server_ciphers off;
-
-# Enable OCSP Stapling, point to certificate chain
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
diff --git a/roles/nginx-mailman/templates/update-motd.d/05-service.j2 b/roles/nginx-mailman/templates/update-motd.d/05-service.j2
deleted file mode 100755
index 82373d0b38e8376f20e82c033c12241c94018582..0000000000000000000000000000000000000000
--- a/roles/nginx-mailman/templates/update-motd.d/05-service.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/tail +14
-{{ ansible_header | comment }}
-[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
diff --git a/roles/nginx-pubftp/tasks/main.yml b/roles/nginx-pubftp/tasks/main.yml
index 2d5ccd7ae77e0d1b55f7e421437c9a7b9820873b..d4e0a1f9505b6216f8c9b0fb9bed0701fca1ed88 100644
--- a/roles/nginx-pubftp/tasks/main.yml
+++ b/roles/nginx-pubftp/tasks/main.yml
@@ -1,12 +1,4 @@
 ---
-- name: Install NGINX
- apt:
- update_cache: true
- name: nginx
- register: apt_result
- retries: 3
- until: apt_result is succeeded
-
 - name: Copy configuration files
 template:
 src: "{{ item.src }}"
@@ -20,9 +12,3 @@
 dest: /pubftp/.html/FOOTER.html
 - src: html/style.min.css.j2
 dest: /pubftp/.html/style.min.css
-
-- name: Indicate role in motd
- template:
- src: update-motd.d/05-service.j2
- dest: /etc/update-motd.d/05-nginx-pubftp
- mode: 0755
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a7b3bacb1fec0542f1721c3de47d1bd0f8b5d7c8
--- /dev/null
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -0,0 +1,102 @@
+{{ ansible_header | comment }}
+
+{% for upstream in nginx.upstreams -%}
+upstream {{ upstream.name }} {
+ # Path of the server
+ server {{ upstream.server }};
+}
+{% endfor -%}
+
+{% if nginx.default_ssl_host -%}
+# Redirect all services to the main site
+server {
+ listen 443 default_server ssl;
+ listen [::]:443 default_server ssl;
+ include "/etc/nginx/snippets/options-ssl.conf";
+
+ server_name {{ ngix.default_ssl_host }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+ location / {
+ return 302 https://{{ nginx.default_ssl_host }}$request_uri;
+ }
+}
+{% endif -%}
+
+{% if nginx.default_host -%}
+# Redirect all services to the main site
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name {{ nginx.default_host }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+ location / {
+ return 302 http://{{ nginx.default_host }}$request_uri;
+ }
+}
+{% endif -%}
+
+{% for server in nginx.servers %}
+{% if server.ssl -%}
+# Redirect HTTP to HTTPS
+server {
+ listen 80 default;
+ listen [::]:80 default;
+
+ server_name {{ server.server_name|join:" " }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+ location / {
+ return 302 https://{{ server.server_name }}$request_uri;
+ }
+}
+{% endif -%}
+
+server {
+ {% if server.ssl -%}
+ listen 443 default_server ssl;
+ listen [::]:443 default_server ssl;
+ include "/etc/nginx/snippets/options-ssl.conf";
+ {% else -%}
+ listen 80 default;
+ listen [::]:80 default;
+ {% endif -%}
+
+ server_name {{ server.server_name }};
+ charset utf-8;
+
+ # Hide Nginx version
+ server_tokens off;
+
+ {% if server.root -%}
+ root {{ server.root }};
+ {% endif -%}
+ {% if server.index -%}
+ index {{ server.index }};
+ {% endif -%}
+
+ {% if server.access_log -%}
+ access_log {{ server.access_log }};
+ {% endif -%}
+ {% if server.error_log -%}
+ error_log {{ server.error_log }};
+ {% endif -%}
+
+ {% for location in server.locations -%}
+ location {{ location.filter }} {
+ {{ location.params|join:"\n "|unsafe }}
+ }
+ {% endfor -%}
+}
+{% endfor %}
diff --git a/roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2 b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
similarity index 100%
rename from roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2
rename to roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
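Review bot: The new template cannot render: `server_name {{ server.server_name|join:" " }};` and `{{ location.params|join:"\n "|unsafe }}` use Django filter syntax that Jinja2 rejects as a syntax error, and `server_name {{ ngix.default_ssl_host }};` misspells the `nginx` variable so the task fails on an undefined `ngix` even after the syntax is fixed; the Jinja2 forms are `join(" ")` and `join("\n        ")`, and since Jinja2 has no `unsafe` filter (unless the project registers one) and the template module does not autoescape, the params are emitted verbatim without it. Separately, every `server` block generated in the `nginx.servers` loop claims `default_server` (or its deprecated alias `default`) on ports 80 and 443, as do the `nginx.default_host`/`nginx.default_ssl_host` blocks, so with more than one server on a port `nginx -t` rejects the config with a duplicate default server error and the reload handler fails; only the `nginx.default_*` blocks should carry `default_server`. The `join` implies `server.server_name` is a list, in which case `https://{{ server.server_name }}$request_uri` and the bare `server_name {{ server.server_name }};` render the Python list repr; the rewrite below assumes a list and redirects to its first entry, so confirm against the role defaults.
```jinja
{# … unchanged: upstreams and nginx.default_* blocks (fix `ngix` → `nginx` in the ssl one) … #}
{% for server in nginx.servers %}
{% if server.ssl -%}
# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;

    server_name {{ server.server_name | join(" ") }};
    {# … unchanged: charset, server_tokens … #}
    location / {
        return 302 https://{{ server.server_name[0] }}$request_uri;
    }
}
{% endif -%}

server {
    {% if server.ssl -%}
    listen 443 ssl;
    listen [::]:443 ssl;
    include "/etc/nginx/snippets/options-ssl.conf";
    {% else -%}
    listen 80;
    listen [::]:80;
    {% endif -%}

    server_name {{ server.server_name | join(" ") }};
    {# … unchanged: charset, server_tokens, root, index, access_log, error_log … #}
    {% for location in server.locations -%}
    location {{ location.filter }} {
        {{ location.params | join("\n        ") }}
    }
    {% endfor -%}
}
{% endfor %}
```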