8724360fb2
- Updated AGENTS.md to include new directories for execution plans and implemented feature reports. - Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway. - Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port. - Added OAuth2 proxy configurations to gpu-01 for enhanced security. - Removed deprecated open-webui module from Terraform app configurations. - Updated Terraform configurations to reflect changes in local variables and removed unused secrets. - Created a new sectool.json file for CloudNS integration with Bitwarden. - Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
101 lines
3.9 KiB
Django/Jinja
101 lines
3.9 KiB
Django/Jinja
{% set cert_prefix = nginx_proxy_sites[0].server_name %}
|
|
{% for item in nginx_proxy_sites %}
|
|
server {
|
|
listen {{ nginx_proxy_nginx_port }} ssl;
|
|
http2 on;
|
|
server_name {{ item.server_name }};
|
|
|
|
ssl_certificate {{ item.ssl_certificate | default('/etc/letsencrypt/live/' + cert_prefix + '/fullchain.pem') }};
|
|
ssl_certificate_key {{ item.ssl_certificate_key | default('/etc/letsencrypt/live/' + cert_prefix + '/privkey.pem') }};
|
|
ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }};
|
|
ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }};
|
|
ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }};
|
|
|
|
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
|
|
|
{% if not (item.no_auth | default(false) | bool) %}
|
|
# Redirect unauthenticated requests to OAuth2 sign-in
|
|
error_page 401 = /oauth2/sign_in;
|
|
|
|
# OAuth2 auth_request
|
|
location = /oauth2/auth {
|
|
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/auth;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Scheme $scheme;
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
|
proxy_set_header Content-Length "";
|
|
proxy_pass_request_body off;
|
|
proxy_method GET;
|
|
}
|
|
|
|
location = /oauth2/callback {
|
|
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Scheme $scheme;
|
|
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
|
proxy_buffer_size 16k;
|
|
proxy_buffers 4 32k;
|
|
proxy_busy_buffers_size 64k;
|
|
}
|
|
|
|
location = /oauth2/sign_in {
|
|
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/sign_in;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Scheme $scheme;
|
|
}
|
|
|
|
location /oauth2/ {
|
|
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Scheme $scheme;
|
|
}
|
|
{% endif %}
|
|
|
|
location / {
|
|
{% if not (item.no_auth | default(false) | bool) %}
|
|
auth_request /oauth2/auth;
|
|
auth_request_set $auth_status $upstream_status;
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
|
|
add_header Set-Cookie $auth_cookie;
|
|
{% endif %}
|
|
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
|
|
|
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
# WebSocket support
|
|
{% if item.websocket | default(true) | bool %}
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
{% endif %}
|
|
|
|
# Timeouts
|
|
proxy_read_timeout {{ item.proxy_read_timeout | default('3600s') }};
|
|
proxy_send_timeout {{ item.proxy_send_timeout | default('3600s') }};
|
|
}
|
|
|
|
# Extra location blocks
|
|
{% if item.extra_locations | default([]) %}
|
|
{% for location in item.extra_locations %}
|
|
location {{ location.path }} {
|
|
{% for key, value in location.config.items() %}
|
|
{{ key }} {{ value }};
|
|
{% endfor %}
|
|
}
|
|
{% endfor %}
|
|
{% endif %}
|
|
}
|
|
|
|
{% endfor %}
|