kotovalexarian
/
fedihub-ansible
Archived
1
0
Fork 0
Code

Configure Nginx

This commit is contained in:
Alex Kotov 2020-10-22 11:06:53 +05:00
parent c2ba328ba2
commit 2269ad0d15
Signed by: kotovalexarian
GPG Key ID: 553C0EBBEB5D5F08
7 changed files with 101 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
host_vars/website.fedihub.com.yml
View File

@ -34,3 +34,9 @@ common__iptables__v4_filter: |
-A OUTPUT -p tcp -m multiport --sport 80,443 -j REJECT
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
fedihub__website__host: 'fedihub.com'
fedihub__website__port: 8000
fedihub__website__public_dir: '/opt/fedihub/website/public'
fedihub__website__nginx__ssl_cert: '/etc/letsencrypt/live/website.fedihub.com/fullchain.pem'
fedihub__website__nginx__ssl_key: '/etc/letsencrypt/live/website.fedihub.com/privkey.pem'

1
playbooks/deploy/website.yml
View File

@ -8,3 +8,4 @@
roles:
- name: kotovalexarian.common
tags: common
- ../../roles/website

6
roles/website/defaults/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
fedihub__website__host: 'example.com'
fedihub__website__port: 8000
fedihub__website__public_dir: '/opt/fedihub/website/public'
fedihub__website__nginx__ssl_cert: '/etc/letsencrypt/live/website.example.com/fullchain.pem'
fedihub__website__nginx__ssl_key: '/etc/letsencrypt/live/website.example.com/privkey.pem'

5
roles/website/handlers/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Restart Nginx
systemd:
name: nginx
state: restarted

3
roles/website/tasks/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- include_tasks: nginx.yml
- meta: flush_handlers

18
roles/website/tasks/nginx.yml Normal file
View File

@ -0,0 +1,18 @@
---
- name: Create Nginx server configuration
template:
src: '../templates/nginx/website.conf'
dest: '/etc/nginx/sites-available/website.conf'
mode: 'u=rw,g=rw,o=r'
owner: root
group: root
notify: Restart Nginx
- name: Enable Nginx server configuration
file:
state: link
src: '/etc/nginx/sites-available/website.conf'
dest: '/etc/nginx/sites-enabled/website.conf'
owner: root
group: root
notify: Restart Nginx

62
roles/website/templates/nginx/website.conf Normal file
View File

@ -0,0 +1,62 @@
server {
listen 80;
listen [::]:80;
server_name {{ fedihub__website__host }} www.{{ fedihub__website__host }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'none';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ fedihub__website__host }} www.{{ fedihub__website__host }}};
ssl_certificate {{ fedihub__website__nginx__ssl_cert }};
ssl_certificate_key {{ fedihub__website__nginx__ssl_key }};
set $CSP "";
set $CSP "${CSP}object-src 'none';";
set $CSP "${CSP}frame-src 'none';";
set $CSP "${CSP}connect-src 'self';";
set $CSP "${CSP}form-action 'none';";
add_header Content-Security-Policy $CSP always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
client_max_body_size 100M;
if_modified_since off;
expires off;
etag off;
sendfile off;
root {{ fedihub__website__public_dir }};
index index.html;
location / {
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:{{ fedihub__website__port }};
}
}