Josh Bicking 5 жил өмнө
parent
commit
b7b2b3269d

+ 25 - 12
roles/web/tasks/main.yml

@@ -71,14 +71,7 @@
     fstype: nfs
     state: mounted
 
-- name: Install certbot
-  get_url:
-    url: https://dl.eff.org/certbot-auto
-    dest: /usr/local/bin/certbot-auto
-    mode: u=rwx,g=r,o=r
-    owner: root
-    group: root
-
+# TODO the certbot installation process probably needs fixing
 - name: Install pip
   apt:
     name: python-pip
@@ -98,10 +91,30 @@
     group: root
 
 - name: Run certbot
-  shell: certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d jibby.org,\*.jibby.org --preferred-challenges dns-01
+  shell: /root/.local/bin/certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d jibby.org,\*.jibby.org --preferred-challenges dns-01
+  ignore_errors: yes  # This fails if the certs already exist
 
-- name: Schedule certbot renewal cronjobs and copying of static cert files (for sharing with Docker)
+- name: Schedule certbot renewal cronjob
   cron:
-    name: "renew certs and copy"
+    name: "renew certs"
     special_time: weekly
-    job: '/root/.local/bin/certbot renew --post-hook "mkdir -p  /static_certs && cp -L /etc/letsencrypt/live/jibby.org/cert.pem /static_certs/jibby.org.crt && cp -L /etc/letsencrypt/live/jibby.org/privkey.pem /static_certs/jibby.org.key && cp -L /etc/letsencrypt/live/jibby.org-0001/cert.pem /static_certs/shared.crt && cp -L /etc/letsencrypt/live/jibby.org-0001/privkey.pem /static_certs/shared.key && docker restart compose_nginx_proxy_1"'
+    job: '/root/.local/bin/certbot renew'
+
+- name: Set outward facing nginx server
+  copy:
+    src: templates/web/docker.conf
+    dest: /etc/nginx/conf.d/docker.conf
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Remove default nginx site
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: Start and enable Nginx
+  service:
+    name: nginx
+    state: started
+    enabled: yes
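Review bot: The weekly cron at `job: '/root/.local/bin/certbot renew'` drops the old post-hook entirely, so once certbot writes a renewed certificate nothing reloads the host nginx this hunk installs and enables, and nginx will keep serving the old certificate from memory until something restarts it — use `job: '/root/.local/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"'` (or the equivalent `deploy-hook` line in the renewal config). The `ignore_errors: yes` on the `Run certbot` task masks real failures (a bad token in `/root/cloudflare.ini`, rate limiting, DNS propagation) and, as far as I know, the `renew` verb rejects explicit `-d` domains outright, which would make this task fail on every run regardless of whether certs exist — if the task is meant to issue the initial certificate it should be `certonly --non-interactive --agree-tos --keep-until-expiring ...`, with `register:` and a `failed_when`/`changed_when` on the result instead of an unconditional ignore. Since `/root/cloudflare.ini` holds an API token, it is worth confirming in the part of the role that writes it that it gets `mode: '0600'`, and the `yes` values here should be `true` per Ansible convention.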

+ 194 - 0
templates/web/docker.conf

@@ -0,0 +1,194 @@
+# jibby.org
+server {
+        server_name jibby.org;
+
+        location / {
+
+                set $temp $request;
+                if ($temp ~ (.*)password=[^&]*(.*)) {
+                    set $temp $1password=****$2;
+                }
+                access_log /var/log/nginx/access.log filter;
+
+                proxy_set_header Host jibby.org;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Scheme $scheme;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Nginx-Scheme $scheme;
+                proxy_set_header X-Forwarded-Port $server_port;
+                proxy_redirect    off;
+                proxy_pass http://localhost:8080;
+        }
+
+        # Used to try and trick matrix into routing jibby.org traffic to matrix
+        # location /_matrix {
+        #     proxy_pass http://localhost:8008;
+        #     proxy_set_header X-Forwarded-For $remote_addr;
+        # }
+        #
+        location /.well-known/matrix/ {
+            root /var/www/;
+            default_type application/json;
+            add_header Access-Control-Allow-Origin  *;
+        }
+
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/jibby.org/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/jibby.org/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+server {
+    if ($host = jibby.org) {
+        return 302 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        server_name jibby.org;
+        listen 80;
+    return 404; # managed by Certbot
+
+
+}
+
+
+# *.jibby.org
+server {
+        server_name ~^(?<subdomain>.+)\.jibby\.org$;
+
+        location / {
+            set $temp $request;
+            if ($temp ~ (.*)password=[^&]*(.*)) {
+                set $temp $1password=****$2;
+            }
+            access_log /var/log/nginx/access.log filter;
+
+            proxy_set_header Host $subdomain.jibby.org;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Scheme $scheme;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Nginx-Scheme $scheme;
+            proxy_set_header X-Forwarded-Port $server_port;
+            proxy_redirect    off;
+            proxy_pass http://localhost:8080;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/jibby.org-0001/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/jibby.org-0001/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+
+    if ($host ~* (?<subdomain>.+)\.jibby\.org) {
+        return 302 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        server_name ~^(?<subdomain>.+)\.jibby\.org$;
+        listen 80;
+    return 404; # managed by Certbot
+
+
+}
+
+
+# jossh.us
+# server {
+#         server_name jossh.us;
+#
+#         location / {
+#                 set $temp $request;
+#                 if ($temp ~ (.*)password=[^&]*(.*)) {
+#                     set $temp $1password=****$2;
+#                 }
+#                 access_log /var/log/nginx/access.log filter;
+#
+#                 proxy_set_header Host jossh.us;
+#                 proxy_set_header X-Real-IP $remote_addr;
+#                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#                 proxy_set_header X-Scheme $scheme;
+#                 proxy_set_header X-Forwarded-Proto $scheme;
+#                 proxy_set_header X-Nginx-Scheme $scheme;
+#                 proxy_set_header X-Forwarded-Port $server_port;
+#                 proxy_redirect    off;
+#                 proxy_pass http://localhost:8080;
+#         }
+#
+#
+#     listen 443 ssl; # managed by Certbot
+#     ssl_certificate /etc/letsencrypt/live/jossh.us/fullchain.pem; # managed by Certbot
+#     ssl_certificate_key /etc/letsencrypt/live/jossh.us/privkey.pem; # managed by Certbot
+#     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+#
+#
+# }
+#
+# server {
+#     if ($host = jossh.us) {
+#         return 302 https://$host$request_uri;
+#     } # managed by Certbot
+#
+#
+#         server_name jossh.us;
+#       listen 80;
+#     return 404; # managed by Certbot
+#
+#
+# }
+#
+#
+# # *.jossh.us
+# server {
+#         server_name ~^(?<subdomain>.+)\.jossh\.us$;
+#
+#         location / {
+#
+#             set $temp $request;
+#             if ($temp ~ (.*)password=[^&]*(.*)) {
+#                 set $temp $1password=****$2;
+#             }
+#             access_log /var/log/nginx/access.log filter;
+#
+#             proxy_set_header Host $subdomain.jossh.us;
+#             proxy_set_header X-Real-IP $remote_addr;
+#             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#             proxy_set_header X-Scheme $scheme;
+#             proxy_set_header X-Forwarded-Proto $scheme;
+#             proxy_set_header X-Nginx-Scheme $scheme;
+#             proxy_set_header X-Forwarded-Port $server_port;
+#             proxy_redirect    off;
+#             proxy_pass http://localhost:8080;
+#     }
+#
+#     listen 443 ssl; # managed by Certbot
+#     ssl_certificate /etc/letsencrypt/live/jossh.us-0001/fullchain.pem; # managed by Certbot
+#     ssl_certificate_key /etc/letsencrypt/live/jossh.us-0001/privkey.pem; # managed by Certbot
+#     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+#
+# }
+#
+# server {
+#
+#     if ($host ~* (?<subdomain>.+)\.jossh\.us) {
+#         return 302 https://$host$request_uri;
+#     } # managed by Certbot
+#
+#
+#         server_name ~^(?<subdomain>.+)\.jibby\.org$;
+#       listen 80;
+#     return 404; # managed by Certbot
+#
+#
+# }
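Review bot: The credential scrubbing in both `location /` blocks (`if ($temp ~ (.*)password=[^&]*(.*))`) is case-sensitive and only hides that one parameter name, so `Password=`, `passwd=`, `token=` or a secret in the path still land in the access log verbatim, and it only has any effect if the `filter` log_format — defined outside this file — logs `$temp` rather than `$request`, which is worth confirming. A `map $request $scrubbed_request { ~*^(?<pre>.*)password=[^&]*(?<post>.*)$ "${pre}password=****${post}"; default $request; }` at the top of this file (conf.d is included in the http context) gives the same result without the per-location `if`, which nginx warns is unreliable when combined with `set`. The HTTP→HTTPS redirects use `return 302`; for a site that is only ever served over TLS, `return 301` plus `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the two 443 server blocks stops clients from retrying over plaintext, and a `listen 443 ssl default_server; return 444;` catch-all would keep requests for unknown hosts or the bare IP from falling through to the jibby.org block. The commented-out jossh.us port-80 block still carries `server_name ~^(?<subdomain>.+)\.jibby\.org$;` — if it is ever re-enabled it will duplicate the jibby.org wildcard block instead of matching jossh.us.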