
Add nginx proxy for radicale

This commit is contained in:
Daniele Tricoli 2021-12-23 04:01:05 +01:00
parent af2b07c577
commit 3fd2bbb16c
4 changed files with 127 additions and 0 deletions


@ -5,3 +5,6 @@ radicale_become_user: root
radicale_users:
- username: admin
password: secret
radicale_nginx_root: /var/www
radicale_servername: radicale.example.org


@ -5,3 +5,17 @@
state: restarted
become: "{{ radicale_become }}"
become_user: "{{ radicale_become_user }}"
- name: systemctl restart nginx
systemd:
name: nginx.service
state: restarted
become: "{{ radicale_become }}"
become_user: "{{ radicale_become_user }}"
- name: systemctl reload nginx
systemd:
name: nginx.service
state: reloaded
become: "{{ radicale_become }}"
become_user: "{{ radicale_become_user }}"


@ -7,6 +7,8 @@
- radicale
- uwsgi
- uwsgi-plugin-python3
- nginx
- logrotate
state: present
update_cache: true
cache_valid_time: 3600
@ -29,6 +31,8 @@
ansible.builtin.template:
src: etc/radicale/users.j2
dest: /etc/radicale/users
owner: radicale
group: www-data
mode: 0640
- name: enable radicale uWSGI service
@ -38,5 +42,49 @@
state: link
notify: systemctl restart uwsgi
- name: create vhost directory
file:
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}"
state: directory
owner: root
group: www-data
- name: create vhost content directory
file:
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}/html"
state: directory
owner: root
group: www-data
mode: 0775
- name: create vhost logs directory
file:
path: "{{ radicale_nginx_root }}/{{ radicale_servername }}/logs"
state: directory
- name: add vhost configuration file for {{ radicale_servername }}
template:
src: etc/nginx/sites-available/site-vhost.j2
dest: "/etc/nginx/sites-available/{{ radicale_servername }}.vhost"
owner: root
group: root
mode: 0640
notify: systemctl restart nginx
- name: add vhost configuration sylink for {{ radicale_servername }}
file:
src: "/etc/nginx/sites-available/{{ radicale_servername }}.vhost"
dest: "/etc/nginx/sites-enabled/{{ radicale_servername }}.vhost"
state: link
notify: systemctl reload nginx
# - name: add logrotate configuration for {{ radicale_servername }}
# template:
# src: etc/logrotate.d/nginx.j2
# dest: "/etc/logrotate.d/{{ radicale_servername }}"
# owner: root
# group: root
# mode: 0644
become: "{{ radicale_become }}"
become_user: "{{ radicale_become_user }}"
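Review bot: The vhost template task (`- name: add vhost configuration file for {{ radicale_servername }}`) notifies `systemctl restart nginx`, so a template that renders into an invalid nginx configuration takes the service down, whereas the symlink task directly below already uses `systemctl reload nginx`, under which nginx rejects a bad configuration and keeps serving the previous one; change it to `notify: systemctl reload nginx` (a `validate:` on the task is harder here because `nginx -t` checks the whole configuration, not a single vhost file). The modes `mode: 0640` and `mode: 0775` are plain scalars that Ansible's YAML 1.1 loader reads as octal integers, which works, but the documented robust form is the quoted string `mode: "0640"` so the value does not depend on loader semantics. The logs directory task sets no owner, group or mode, and the logrotate task for these logs is left commented out even though the `logrotate` package is now installed in the first hunk, so the vhost access/error logs will grow unrotated. `sylink` in the symlink task name is a typo for `symlink`.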


@ -0,0 +1,62 @@
# {{ ansible_managed }}
server {
server_name {{ radicale_servername }};
listen 80;
listen [::]:80;
location / {
return 301 https://$server_name$request_uri;
}
{% if radicale_acme_challenges is defined %}
location ^~ /.well-known/acme-challenge {
alias {{ radicale_acme_challenges }};
}
{% endif %}
}
server {
server_name {{ radicale_servername }};
listen 443 ssl;
listen [::]:443 ssl;
add_header Content-Security-Policy "default-src https://{{ radicale_servername }}; img-src *; style-src https://{{ radicale_servername }} 'unsafe-inline'" always;
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), notifications=(), payment=(), usb=()" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
{% if radicale_ssl_certificate is defined %}ssl_certificate {{ radicale_ssl_certificate }};{% endif %}
{% if radicale_ssl_certificate_key is defined %}ssl_certificate_key {{ radicale_ssl_certificate_key }};{% endif %}
{% if radicale_ssl_trusted_certificate is defined %}ssl_trusted_certificate {{ radicale_ssl_trusted_certificate }};{% endif %}
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
root {{ radicale_nginx_root }}/{{ radicale_servername }}/html;
index index.html index.htm;
{% if radicale_acme_challenges is defined %}
location ^~ /.well-known/acme-challenge {
alias {{ radicale_acme_challenges }};
}
{% endif %}
location / {
try_files $uri $uri/ =404;
}
location /radicale/ { # Mind trailing /.
uwsgi_pass unix:///run/uwsgi/app/radicale/socket;
include uwsgi_params;
}
error_page 404 /404.html;
access_log {{ radicale_nginx_root }}/{{ radicale_servername }}/logs/access.log;
error_log {{ radicale_nginx_root }}/{{ radicale_servername }}/logs/error.log;
}
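Review bot: `listen 443 ssl;` is unconditional while `ssl_certificate` and `ssl_certificate_key` are only emitted when their variables are defined, so on a host where they are unset nginx refuses the configuration (a `listen ... ssl` socket requires a certificate) and the restart handler fails; either guard the whole TLS server block with the same condition or make those variables required. No `ssl_protocols` or cipher policy is set, so the accepted protocol versions fall back to the nginx build's compiled default, which on older releases still includes TLSv1/TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` next to the `ssl_session_*` lines. `ssl_stapling on;` typically needs a `resolver` directive for nginx to reach the OCSP responder, otherwise nginx warns at config test and stapling is silently ignored, so confirm one is set in the enclosing http block. The `location /radicale/` block proxies the application under a sub-path; whether Radicale has to be told that prefix depends on the uWSGI app configuration, which is not part of this commit, and is worth checking.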