improve nginx and certbot roles

2020-12-28 17:39:41 +01:00 · 2020-12-28 17:39:41 +01:00 · e932842b8d
commit e932842b8d
parent 9a2ec6caab
6 changed files with 20 additions and 15 deletions
--- a/inventory.yml
+++ b/inventory.yml
@ -11,7 +11,7 @@ frontend:
  hosts: 172.172.0.3

 test:
-  hosts: jolly.roger
+  hosts: 45.156.24.144
  vars:
    ansible_user: debian

--- a/roles/stable/nginx/tasks/certbot.yml
+++ b/roles/stable/nginx/tasks/certbot.yml
@ -17,6 +17,6 @@

 - name: Generate certificate if needed
  become: yes
-  command: certbot-auto --nginx --non-interactive --agree-tos
+  command: /snap/bin/certbot --nginx --non-interactive --agree-tos
      --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
      --email {{certbot_email}}
--- a/roles/stable/nginx/tasks/main.yml
+++ b/roles/stable/nginx/tasks/main.yml
@ -4,6 +4,19 @@
  apt:
    name: nginx

+- name: Default Configuration
+  become: yes
+  template:
+    src: default.j2
+    dest: /etc/nginx/sites-available/default
+
+- name: Link Default NGINX Configuration
+  become: yes
+  file:
+    src: "/etc/nginx/sites-available/default"
+    dest: "/etc/nginx/sites-enabled/default"
+    state: link
+
 - name: Configure Reverse Proxies
  become: yes
  template:
--- a/roles/stable/nginx/templates/default.j2
+++ b/roles/stable/nginx/templates/default.j2
@ -1,7 +1,6 @@

 	# cache
-	# proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=1g;
-  keepalive 30;
+	proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=10g use_temp_path=off;

 	# redirect all http traffic to https
 	server {
--- a/roles/stable/nginx/templates/reverse_proxy.conf.j2
+++ b/roles/stable/nginx/templates/reverse_proxy.conf.j2
@ -1,4 +1,3 @@
-# nginx ssl file

 server {
  listen 80;
@ -12,12 +11,10 @@ server {
    proxy_pass {{item.proxy_pass}};
    proxy_http_version 1.1;

-    # hide client ip to backend
-    proxy_set_header X-Real-IP         42.42.42.42;

-    # set host 
+    # set host
    proxy_set_header Host              $host;
-    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-For   42.42.42.42;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
@ -27,7 +24,7 @@ server {
    proxy_set_header Connection        "upgrade";

    # cache
-    # proxy_cache {{item.server_name}}
+    proxy_cache STATIC;
  }
 }

--- a/vars/frontend.yml
+++ b/vars/frontend.yml
@ -7,8 +7,4 @@ servers:
    proxy_pass: http://192.168.199.105:8080
    custom_config: |
      sendfile             on;
-      client_max_body_size 80m;
-
-  - gancio:
-    server_name: sblinda.cisti.org
-    proxy_pass: http://192.168.199.104:8000
+      client_max_body_size 500m;