Refactor and enhance Ansible configurations for dev-02 and nginx proxy setup
- Updated host_vars for dev-02 to include login history settings and modified code server authentication. - Adjusted opencode server configurations and reduced resource allocation. - Introduced a new playbook for configuring nginx reverse proxy with TLS and OAuth2. - Enhanced linux_dev_station role defaults and tasks, including package updates and service configurations. - Removed unnecessary credential assertions in linux_dev_station tasks. - Created nginx_proxy role with tasks for certbot, nginx installation, and oauth2-proxy setup. - Added templates for nginx and oauth2-proxy configurations. - Updated terraform configuration to reflect new DNS records for ide and agent services. - Documented changes and configurations in linux_dev_station.md for clarity and future reference.
This commit is contained in:
@@ -0,0 +1,96 @@
|
||||
{% set cert_prefix = nginx_proxy_sites[0].server_name %}
|
||||
{% for item in nginx_proxy_sites %}
|
||||
server {
|
||||
listen {{ nginx_proxy_nginx_port }} ssl;
|
||||
http2 on;
|
||||
server_name {{ item.server_name }};
|
||||
|
||||
ssl_certificate {{ item.ssl_certificate | default('/etc/letsencrypt/live/' + cert_prefix + '/fullchain.pem') }};
|
||||
ssl_certificate_key {{ item.ssl_certificate_key | default('/etc/letsencrypt/live/' + cert_prefix + '/privkey.pem') }};
|
||||
ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }};
|
||||
ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }};
|
||||
ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }};
|
||||
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
# Redirect unauthenticated requests to OAuth2 sign-in
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
# OAuth2 auth_request
|
||||
location = /oauth2/auth {
|
||||
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/auth;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_pass_request_body off;
|
||||
proxy_method GET;
|
||||
}
|
||||
|
||||
location = /oauth2/callback {
|
||||
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||
proxy_buffer_size 16k;
|
||||
proxy_buffers 4 32k;
|
||||
proxy_busy_buffers_size 64k;
|
||||
}
|
||||
|
||||
location = /oauth2/sign_in {
|
||||
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/sign_in;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
}
|
||||
|
||||
location /oauth2/ {
|
||||
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }};
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
}
|
||||
|
||||
location / {
|
||||
auth_request /oauth2/auth;
|
||||
auth_request_set $auth_status $upstream_status;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
|
||||
# WebSocket support
|
||||
{% if item.websocket | default(true) | bool %}
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% endif %}
|
||||
|
||||
# Timeouts
|
||||
proxy_read_timeout {{ item.proxy_read_timeout | default('3600s') }};
|
||||
proxy_send_timeout {{ item.proxy_send_timeout | default('3600s') }};
|
||||
}
|
||||
|
||||
# Extra location blocks
|
||||
{% if item.extra_locations | default([]) %}
|
||||
{% for location in item.extra_locations %}
|
||||
location {{ location.path }} {
|
||||
{% for key, value in location.config.items() %}
|
||||
{{ key }} {{ value }};
|
||||
{% endfor %}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
@@ -0,0 +1,33 @@
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
error_log {{ nginx_proxy_nginx_error_log }};
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections {{ nginx_proxy_nginx_worker_connections }};
|
||||
}
|
||||
|
||||
http {
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log {{ nginx_proxy_nginx_access_log }} main;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_bucket_size 64;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
@@ -0,0 +1,26 @@
|
||||
provider = "{{ nginx_proxy_oauth2_proxy_provider }}"
|
||||
oidc_issuer_url = "{{ nginx_proxy_oauth2_proxy_provider_url }}"
|
||||
client_id = "{{ nginx_proxy_oauth2_proxy_client_id }}"
|
||||
client_secret = "{{ nginx_proxy_oauth2_proxy_client_secret }}"
|
||||
cookie_domains = [ "{{ nginx_proxy_oauth2_proxy_cookie_domain }}" ]
|
||||
cookie_name = "{{ nginx_proxy_oauth2_proxy_cookie_name }}"
|
||||
cookie_secret = "{{ nginx_proxy_oauth2_proxy_cookie_secret }}"
|
||||
cookie_expire = "{{ nginx_proxy_oauth2_proxy_cookie_expire }}"
|
||||
cookie_refresh = "{{ nginx_proxy_oauth2_proxy_cookie_refresh }}"
|
||||
redirect_url = "{{ nginx_proxy_oauth2_proxy_redirect_urls[0] }}"
|
||||
scope = "{{ nginx_proxy_oauth2_proxy_scopes }}"
|
||||
email_domains = {{ nginx_proxy_oauth2_proxy_email_domains | to_json }}
|
||||
upstreams = [ "static://200" ]
|
||||
skip_jwt_bearer_tokens = {{ nginx_proxy_oauth2_proxy_skip_jwt | lower }}
|
||||
set_basic_auth = {{ nginx_proxy_oauth2_proxy_set_basic_auth | lower }}
|
||||
set_xauthrequest = {{ nginx_proxy_oauth2_proxy_set_xauthrequest | lower }}
|
||||
ssl_insecure_skip_verify = {{ nginx_proxy_oauth2_proxy_ssl_insecure_skip_verify | lower }}
|
||||
proxy_prefix = "{{ nginx_proxy_oauth2_proxy_proxy_prefix }}"
|
||||
http_address = "{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}"
|
||||
{% if nginx_proxy_oauth2_proxy_request_logging | default(true) %}
|
||||
logging_filename = "{{ nginx_proxy_oauth2_proxy_log_file | default('/var/log/oauth2-proxy.log') }}"
|
||||
{% endif %}
|
||||
cookie_secure = false
|
||||
reverse_proxy = true
|
||||
trusted_proxy_ips = [ "127.0.0.1" ]
|
||||
proxy_websockets = true
|
||||
@@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=oauth2-proxy
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=nginx
|
||||
ExecStart=/usr/local/bin/oauth2-proxy --config /etc/oauth2-proxy/oauth2-proxy.cfg
|
||||
Restart=always
|
||||
RestartSec=5
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user