diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index fb542879fccedd07327ac2ec7d22ecbfdd36e320..3be4680eb6ef6a4526e71bb131077cbdf85356f3 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -1,16 +1,21 @@
-certbot:
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+loc_certbot:
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
-nginx:
+loc_nginx:
+ servers: []
ssl:
- cert: /etc/letsencrypt/live/crans.org/fullchain.pem
- cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
- trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+ - name: crans.org
+ cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+ cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+
+glob_reverseproxy:
redirect_dnames:
- crans.eu
- crans.fr
diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml
index c81106c459d906c0428e2c6769fe863e10d2787b..3b03f0a9f2cb56b963aad38f15d51d55a6504e30 100755
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@@ -3,7 +3,8 @@
- hosts: reverseproxy
vars:
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
- mirror: '{{ glob_mirror.name }}'
+ nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+ reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
roles:
- certbot
- nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 847e397babe0b739254e7d2b2cbd88e1a39b057a..c437106264a6e639950449ef711f46857f4bd0ab 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -38,7 +38,7 @@
state: absent
- name: Copy reverse proxy sites
- when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
+ when: reverseproxy is defined
template:
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
@@ -52,7 +52,7 @@
notify: Reload nginx
- name: Activate reverse proxy sites
- when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
+ when: reverseproxy is defined
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2
index 9cdb545bb715f629254783cd6841ed76877a0f6e..44cce7983937290ccc431669a82324ea0632bf84 100644
--- a/roles/nginx/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2
@@ -1,6 +1,6 @@
{{ ansible_header | comment }}
-{% for site in nginx.redirect_sites %}
+{% for site in reverseproxy.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
@@ -21,7 +21,7 @@ server {
server_name {{ site.from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
@@ -31,8 +31,8 @@ server {
{% endfor %}
{# Also redirect for DNAMEs #}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.redirect_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ site.to }}
@@ -55,7 +55,7 @@ server {
server_name {{ from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
index 0898da05222c522210d390831f00c521f9d24dd0..dc8ae1b41b6a91df2f45b33ead4b88f3d0daf9fe 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
@@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
'' close;
}
-{% for site in nginx.reverseproxy_sites %}
+{% for site in reverseproxy.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
@@ -28,7 +28,7 @@ server {
server_name {{ site.from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index db2084a433ce387349debb0a82604d8a3a553e1b..0ca20f57813eea65e4e82be3089f6378d69c6734 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -1,7 +1,7 @@
{{ ansible_header | comment }}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.reverseproxy_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.reverseproxy_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% set to = site.from %}
{% if from != site.from %}
@@ -25,7 +25,7 @@ server {
server_name {{ from }};
# SSL common conf
- include "/etc/nginx/snippets/options-ssl.conf";
+ include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
location / {
return 302 https://{{ to }}$request_uri;