Add nginx proxy for radicale
parent
af2b07c577
commit
3fd2bbb16c
|
@ -5,3 +5,6 @@ radicale_become_user: root
|
|||
radicale_users:
|
||||
- username: admin
|
||||
password: secret
|
||||
|
||||
radicale_nginx_root: /var/www
|
||||
radicale_servername: radicale.example.org
|
||||
|
|
|
@ -5,3 +5,17 @@
|
|||
state: restarted
|
||||
become: "{{ radicale_become }}"
|
||||
become_user: "{{ radicale_become_user }}"
|
||||
|
||||
- name: systemctl restart nginx
|
||||
systemd:
|
||||
name: nginx.service
|
||||
state: restarted
|
||||
become: "{{ radicale_become }}"
|
||||
become_user: "{{ radicale_become_user }}"
|
||||
|
||||
- name: systemctl reload nginx
|
||||
systemd:
|
||||
name: nginx.service
|
||||
state: reloaded
|
||||
become: "{{ radicale_become }}"
|
||||
become_user: "{{ radicale_become_user }}"
|
||||
|
|
|
@ -7,6 +7,8 @@
|
|||
- radicale
|
||||
- uwsgi
|
||||
- uwsgi-plugin-python3
|
||||
- nginx
|
||||
- logrotate
|
||||
state: present
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
|
@ -29,6 +31,8 @@
|
|||
ansible.builtin.template:
|
||||
src: etc/radicale/users.j2
|
||||
dest: /etc/radicale/users
|
||||
owner: radicale
|
||||
group: www-data
|
||||
mode: 0640
|
||||
|
||||
- name: enable radicale uWSGI service
|
||||
|
@ -38,5 +42,49 @@
|
|||
state: link
|
||||
notify: systemctl restart uwsgi
|
||||
|
||||
- name: create vhost directory
|
||||
file:
|
||||
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: www-data
|
||||
|
||||
- name: create vhost content directory
|
||||
file:
|
||||
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}/html"
|
||||
state: directory
|
||||
owner: root
|
||||
group: www-data
|
||||
mode: 0775
|
||||
|
||||
- name: create vhost logs directory
|
||||
file:
|
||||
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}/logs"
|
||||
state: directory
|
||||
|
||||
- name: add vhost configuration file for {{ radicale_servername }}
|
||||
template:
|
||||
src: etc/nginx/sites-available/site-vhost.j2
|
||||
dest: "/etc/nginx/sites-available/{{ radicale_servername }}.vhost"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: systemctl restart nginx
|
||||
|
||||
- name: add vhost configuration sylink for {{ radicale_servername }}
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ radicale_servername }}.vhost"
|
||||
dest: "/etc/nginx/sites-enabled/{{ radicale_servername }}.vhost"
|
||||
state: link
|
||||
notify: systemctl reload nginx
|
||||
|
||||
# - name: add logrotate configuration for {{ radicale_servername }}
|
||||
# template:
|
||||
# src: etc/logrotate.d/nginx.j2
|
||||
# dest: "/etc/logrotate.d/{{ radicale_servername }}"
|
||||
# owner: root
|
||||
# group: root
|
||||
# mode: 0644
|
||||
|
||||
become: "{{ radicale_become }}"
|
||||
become_user: "{{ radicale_become_user }}"
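Review bot: The `create vhost logs directory` task sets only `path` and `state`, so the owner, group and mode of the directory that will hold access.log and error.log are left to the umask of the run. Consider adding `owner: root`, `group: www-data` and `mode: "0750"`, with the group confirmed against the user the nginx workers run as. `create vhost directory` likewise has no `mode`, and `mode: 0775` on the content directory gives the www-data group write access to the document root; `"0755"` avoids that unless something running as www-data must publish files there. Quoting the modes (`"0640"`, `"0775"`) keeps them strings whichever YAML parser reads the file. The trailing `become`/`become_user` lines appear to belong to a block that starts outside this hunk.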
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
server_name {{ radicale_servername }};
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
{% if radicale_acme_challenges is defined %}
|
||||
location ^~ /.well-known/acme-challenge {
|
||||
alias {{ radicale_acme_challenges }};
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name {{ radicale_servername }};
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
add_header Content-Security-Policy "default-src https://{{ radicale_servername }}; img-src *; style-src https://{{ radicale_servername }} 'unsafe-inline'" always;
|
||||
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), notifications=(), payment=(), usb=()" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
{% if radicale_ssl_certificate is defined %}ssl_certificate {{ radicale_ssl_certificate }};{% endif %}
|
||||
|
||||
{% if radicale_ssl_certificate_key is defined %}ssl_certificate_key {{ radicale_ssl_certificate_key }};{% endif %}
|
||||
|
||||
{% if radicale_ssl_trusted_certificate is defined %}ssl_trusted_certificate {{ radicale_ssl_trusted_certificate }};{% endif %}
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
root {{ radicale_nginx_root }}/{{ radicale_servername }}/html;
|
||||
index index.html index.htm;
|
||||
|
||||
{% if radicale_acme_challenges is defined %}
|
||||
location ^~ /.well-known/acme-challenge {
|
||||
alias {{ radicale_acme_challenges }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /radicale/ { # Mind trailing /.
|
||||
uwsgi_pass unix:///run/uwsgi/app/radicale/socket;
|
||||
include uwsgi_params;
|
||||
}
|
||||
|
||||
error_page 404 /404.html;
|
||||
|
||||
access_log {{ radicale_nginx_root }}/{{ radicale_servername }}/logs/access.log;
|
||||
error_log {{ radicale_nginx_root }}/{{ radicale_servername }}/logs/error.log;
|
||||
}
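Review bot: Both `location ^~ /.well-known/acme-challenge` blocks (port 80 and port 443) pair a prefix location that has no trailing slash with `alias {{ radicale_acme_challenges }};`. A URI that merely begins with that prefix is therefore joined onto the alias path by plain concatenation and, depending on whether the variable ends in a slash, can resolve outside the challenge directory. Ending both sides with a slash closes this: `location ^~ /.well-known/acme-challenge/ {` with `alias {{ radicale_acme_challenges }}/;`. Separately, `listen 443 ssl` is unconditional while `ssl_certificate` and `ssl_certificate_key` are emitted only when their variables are defined. A host without them gets a configuration nginx will typically refuse on the notified restart, so the role should either assert that the variables are set or wrap the whole 443 server in the same condition.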
|
||||
|