[nginx] Multiple certficates are compatible with reverse-proxy

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-02-22 14:44:44 +01:00 · 2021-02-22 14:44:44 +01:00 · de58138a22
parent 72238d79ed
commit de58138a22
6 changed files with 29 additions and 23 deletions
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -1,16 +1,21 @@
-certbot:
-  dns_rfc2136_name: certbot_challenge.
-  dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-  mail: root@crans.org
-  certname: crans.org
-  domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+loc_certbot:
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

-nginx:
+loc_nginx:
+  servers: []
  ssl:
-    cert: /etc/letsencrypt/live/crans.org/fullchain.pem
-    cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
-    trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+    - name: crans.org
+      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem

+
+glob_reverseproxy:
  redirect_dnames:
    - crans.eu
    - crans.fr
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@ -3,7 +3,8 @@
 - hosts: reverseproxy
  vars:
    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
-    mirror: '{{ glob_mirror.name }}'
+    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+    reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}'
  roles:
    - certbot
    - nginx
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -38,7 +38,7 @@
    state: absent

 - name: Copy reverse proxy sites
-  when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
+  when: reverseproxy is defined
  template:
    src: "nginx/sites-available/{{ item }}.j2"
    dest: "/etc/nginx/sites-available/{{ item }}"
@ -52,7 +52,7 @@
  notify: Reload nginx

 - name: Activate reverse proxy sites
-  when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined
+  when: reverseproxy is defined
  file:
    src: "/etc/nginx/sites-available/{{ item }}"
    dest: "/etc/nginx/sites-enabled/{{ item }}"
--- a/roles/nginx/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2
@ -1,6 +1,6 @@
 {{ ansible_header | comment }}

-{% for site in nginx.redirect_sites %}
+{% for site in reverseproxy.redirect_sites %}
 # Redirect http://{{ site.from }} to http://{{ site.to }}
 server {
    listen 80;
@ -21,7 +21,7 @@ server {
    server_name {{ site.from }};

    # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";

    location / {
        return 302 https://{{ site.to }}$request_uri;
@ -31,8 +31,8 @@ server {
 {% endfor %}

 {# Also redirect for DNAMEs #}
-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.redirect_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.redirect_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% if from != site.from %}
 # Redirect http://{{ from }} to http://{{ site.to }}
@ -55,7 +55,7 @@ server {
    server_name {{ from }};

    # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";

    location / {
        return 302 https://{{ site.to }}$request_uri;
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade {
    ''      close;
 }

-{% for site in nginx.reverseproxy_sites %}
+{% for site in reverseproxy.reverseproxy_sites %}
 # Redirect http://{{ site.from }} to https://{{ site.from }}
 server {
    listen 80;
@ -28,7 +28,7 @@ server {
    server_name {{ site.from }};

    # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";

    # Log into separate log files
    access_log      /var/log/nginx/{{ site.from }}.log;
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@ -1,7 +1,7 @@
 {{ ansible_header | comment }}

-{% for dname in nginx.redirect_dnames %}
-{% for site in nginx.reverseproxy_sites %}
+{% for dname in reverseproxy.redirect_dnames %}
+{% for site in reverseproxy.reverseproxy_sites %}
 {% set from = site.from | regex_replace('crans.org', dname) %}
 {% set to = site.from %}
 {% if from != site.from %}
@ -25,7 +25,7 @@ server {
    server_name {{ from }};

    # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";

    location / {
        return 302 https://{{ to }}$request_uri;