Migrate to NixOS: Remove Z9 Public-Reverse-Proxy host from this repo

2023-09-25 02:48:56 +02:00 · 2023-09-25 02:48:56 +02:00 · de97436706
parent c5eae99a7f
commit de97436706
4 changed files with 0 additions and 145 deletions
--- a/inventories/z9/host_vars/public-reverse-proxy.yaml
+++ b/inventories/z9/host_vars/public-reverse-proxy.yaml
@ -1,8 +0,0 @@
-nginx__version_spec: ""
-nginx__deploy_redirect_conf: false
-nginx__configurations:
-  - name: acme_challenge
-    content: "{{ lookup('ansible.builtin.file', 'z9/configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
-nginx__use_custom_nginx_conf: true
-nginx__custom_nginx_conf: |
-  {{ lookup('file', 'z9/configs/public-reverse-proxy/nginx/nginx.conf') }}
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -31,19 +31,14 @@ all:
          ansible_user: chaos
    debian_12:
      hosts:
-        public-reverse-proxy:
-          ansible_host: public-reverse-proxy.z9.ccchh.net
-          ansible_user: chaos
    nginx_hosts:
      hosts:
-        public-reverse-proxy:
        esphome:
        zigbee2mqtt:
        light:
        uptime-kuma:
    public_reverse_proxy_hosts:
      hosts:
-        public-reverse-proxy:
    cert_hosts:
      hosts:
    certbot_hosts:
@ -53,7 +48,6 @@ all:
        uptime-kuma:
    ssh_server_config_hosts:
      hosts:
-        public-reverse-proxy:
        mailserver-endpoint:
    esphome_hosts:
      hosts:
--- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf
@ -1,69 +0,0 @@
-map $host $upstream_acme_challenge_host {
-    club-assistant.ccchh.net 10.31.208.10;
-    netbox.ccchh.net 10.31.208.29;
-    light.ccchh.net 10.31.208.23;
-    thinkcccore0.ccchh.net 10.31.242.3;
-    thinkcccore1.ccchh.net 10.31.242.4;
-    thinkcccore2.ccchh.net 10.31.242.5;
-    thinkcccore3.ccchh.net 10.31.242.6;
-    zigbee2mqtt.ccchh.net 10.31.208.25:31820;
-    esphome.ccchh.net 10.31.208.24:31820;
-    proxmox-backup-server.ccchh.net 10.31.208.28;
-    status.ccchh.net 10.31.206.15:31820;
-    default "";
-}
-
-server {
-    listen 80 default_server;
-
-    location /.well-known/acme-challenge/ {
-        proxy_pass http://$upstream_acme_challenge_host;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        # This is http in any case.
-        proxy_set_header X-Forwarded-Proto http;
-    }
-
-    # Better safe than sorry.
-    # Don't do a permanent redirect to avoid acme challenge pain (even tho 443
-    # still should work).
-    location / {
-        return 307 https://$host$request_uri;
-    }
-}
-
-server {
-    # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
-    # Make use of the ngx_http_realip_module to set the $remote_addr and
-    # $remote_port to the client address and client port, when using proxy
-    # protocol.
-    # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 127.0.0.1;
-    # Then tell the realip_module to get the addreses from the proxy protocol
-    # header.
-    real_ip_header proxy_protocol;
-
-    # ssl_certificate /path/to/signed_cert_plus_intermediates;
-    # ssl_certificate_key /path/to/private_key;
-    # # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
-    ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt;
-    ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key;
-
-    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-    add_header Strict-Transport-Security "max-age=63072000" always;
-
-    # replace with the IP address of your resolver
-    resolver 127.0.0.1;
-
-    location /.well-known/acme-challenge/ {
-        proxy_pass http://$upstream_acme_challenge_host;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        # This is http in any case.
-        proxy_set_header X-Forwarded-Proto https;
-    }
-}
--- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf
+++ b/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf
@ -1,62 +0,0 @@
-# This config is based on the standard `nginx.conf` shipping with the stable
-# nginx package from the NGINX mirrors as of 2023-01.
-
-user  nginx;
-worker_processes  auto;
-
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
-# upstreams.
-stream {
-    map $ssl_preread_server_name $first_jump {
-        aes.ccchh.net 212.12.48.125:443;
-        wiki.ccchh.net 212.12.48.125:443;
-        default 127.0.0.1:9443;
-    }
-
-    map $ssl_preread_server_name $address {
-        status.ccchh.net 10.31.206.15:8443;
-        default 127.0.0.1:8443;
-    }
-
-    server {
-        listen 0.0.0.0:443;
-        proxy_pass $first_jump;
-        ssl_preread on;
-    }
-
-    server {
-        listen 0.0.0.0:9443;
-        proxy_pass $address;
-        ssl_preread on;
-        proxy_protocol on;
-    }
-}
-
-# Still have the default http block, so the `acme_challenge.conf` works.
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    include /etc/nginx/conf.d/*.conf;
-}