aboutsummaryrefslogtreecommitdiff
path: root/roles/host/templates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/host/templates')
-rw-r--r--roles/host/templates/nginx-reload.sh.j23
-rw-r--r--roles/host/templates/nginx.conf.j267
-rw-r--r--roles/host/templates/nspawn.j210
3 files changed, 80 insertions, 0 deletions
diff --git a/roles/host/templates/nginx-reload.sh.j2 b/roles/host/templates/nginx-reload.sh.j2
new file mode 100644
index 0000000..f248776
--- /dev/null
+++ b/roles/host/templates/nginx-reload.sh.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+systemctl reload nginx
diff --git a/roles/host/templates/nginx.conf.j2 b/roles/host/templates/nginx.conf.j2
new file mode 100644
index 0000000..7360cae
--- /dev/null
+++ b/roles/host/templates/nginx.conf.j2
@@ -0,0 +1,67 @@
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 4096;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Modern SSL configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ # Redirect all HTTP traffic to HTTPS
+ server {
+ listen 80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+{% for name, config in containers.items() %}
+{% if config.web_subdomain is defined %}
+ server {
+ listen 443 ssl; # TCP for HTTP/1.1 & HTTP/2
+ listen 443 quic; # UDP for HTTP/3 QUIC
+ http2 on; # Enable HTTP/2 over TCP
+
+ server_name {{ config.web_subdomain }}.{{ vault_public_domain }};
+
+ # Nginx reads them natively, no combining needed
+ ssl_certificate /etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem;
+
+ # Advertise HTTP/3 availability to browsers
+ add_header Alt-Svc 'h3=":443"; ma=2592000' always;
+
+ location / {
+ proxy_pass http://{{ config.ip }}:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+{% endif %}
+{% endfor %}
+}
diff --git a/roles/host/templates/nspawn.j2 b/roles/host/templates/nspawn.j2
new file mode 100644
index 0000000..15faf53
--- /dev/null
+++ b/roles/host/templates/nspawn.j2
@@ -0,0 +1,10 @@
+[Exec]
+Boot=yes
+Hostname={{ item.key }}.{{ vault_public_domain }}
+
+[Files]
+BindReadOnly=/etc/letsencrypt/live/{{ vault_public_domain }}:/etc/letsencrypt/live/{{ vault_public_domain }}
+BindReadOnly=/etc/letsencrypt/archive/{{ vault_public_domain }}:/etc/letsencrypt/archive/{{ vault_public_domain }}
+
+[Network]
+Bridge=nspawn-br0