diff --git a/inventories/chaosknoten/host_vars/www2.yaml b/inventories/chaosknoten/host_vars/www2.yaml
new file mode 100644
index 0000000..a8a9ce8
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/www2.yaml
@@ -0,0 +1,5 @@
+nginx__version_spec: ""
+nginx__configurations:
+ - name: diday.org
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/www2/nginx/diday.org.conf') }}"
+
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index e7f0559..7bf4544 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -86,6 +86,14 @@ all:
 ansible_host: acmedns.hosts.hamburg.ccc.de
 ansible_user: chaos
 ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ www2:
+ ansible_host: www2.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ www3:
+ ansible_host: www3.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
 hosts:
 chaosknoten:
@@ -113,6 +121,8 @@ base_config_hosts:
 renovate:
 spaceapiccc:
 mjolnir:
+ www2:
+ www3:
 systemd_networkd_hosts:
 hosts:
 router:
@@ -158,6 +168,8 @@ nginx_hosts:
 ntfy:
 sunders:
 spaceapiccc:
+ www2:
+ www3:
 public_reverse_proxy_hosts:
 hosts:
 public-reverse-proxy:
@@ -200,6 +212,8 @@ alloy_hosts:
 router:
 sunders:
 spaceapiccc:
+ www2:
+ www3:
 infrastructure_authorized_keys_hosts:
 hosts:
 ccchoir:
@@ -221,6 +235,8 @@ infrastructure_authorized_keys_hosts:
 renovate:
 spaceapiccc:
 mjolnir:
+ www2:
+ www3:
 wiki_hosts:
 hosts:
 eh22-wiki:
@@ -253,6 +269,8 @@ ansible_pull_hosts:
 ntfy:
 spaceapiccc:
 mjolnir:
+ # www2:
+ # www3:
 msmtp_hosts:
 hosts:
 renovate_hosts:
diff --git a/resources/chaosknoten/www2/nginx/diday.org.conf b/resources/chaosknoten/www2/nginx/diday.org.conf
new file mode 100644
index 0000000..8cc655c
--- /dev/null
+++ b/resources/chaosknoten/www2/nginx/diday.org.conf
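Review bot: www3 joins nginx_hosts in the same hunk as www2 (and likewise base_config_hosts, alloy_hosts and infrastructure_authorized_keys_hosts), yet the commit only adds `inventories/chaosknoten/host_vars/www2.yaml`; if the nginx role dereferences `nginx__configurations` without a default, the www3 run will fail on an undefined variable, so either add a `host_vars/www3.yaml` or keep www3 out of nginx_hosts until it has a site to serve. In the ansible_pull_hosts hunk both hosts are added only as commented-out entries with nothing saying why; a one-line comment above them such as `# www2/www3: ansible-pull deliberately disabled — <reason>` (reason to be filled in) would tell the next reader whether that exclusion is temporary or a permanent choice.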
@@ -0,0 +1,80 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name diday.org;
+
+ # use our router as resolver
+ resolver 10.31.208.1;
+
+ # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the
+ information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ real_ip_header proxy_protocol;
+
+ # configure tls trustchain
+ ssl_certificate /dev/null;
+ ssl_certificate_key /dev/null;
+ ssl_trusted_certificate /dev/null;
+
+ #
+ # configure site
+ #
+ root /var/www/diday.org;
+ error_page 404 /404.html;
+ index index.html;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # return a redirect based on the map loaded from the webroot
+ if ($did_redirect_target ~ ^301:(.*)$) {
+ return 301 $1;
+ }
+ if ($did_redirect_target ~ ^302:(.*)$) {
+ return 302 $1;
+ }
+
+ # deny access to the redirects config file
+ location = /nginx-redirects.conf {
+ deny all;
+ return 404;
+ }
+
+ # dynamically redirect the user to the language they prefer
+ location = / {
+ set $lang "de";
+ if ($http_accept_language ~* "^en") {
+ set $lang "en";
+ }
+ return 302 /$lang/;
+ }
+
+ # configure decap-cms content-type and caching rules
+ location = /admin/cms.js {
+ expires -1;
+ add_header Cache-Control "no-store";
+ }
+ location = /admin/config.yml {
+ expires -1;
+ add_header Cache-Control "no-store";
+ types { }
+ default_type text/yaml;
+ }
+
+ # configure asset caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ }
+
+ # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+ location /admin/src/ {
+ log_not_found off;
+ return 404;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
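Review bot: The comment continuation `information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol` has no leading `#` as rendered here; if the file really reads this way nginx aborts its config test with an unknown directive, so the line must be `# information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol`. The server-level `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` is silently dropped inside the `/admin/cms.js`, `/admin/config.yml` and asset-regex locations, because nginx does not inherit add_header into a level that declares its own; repeat that line in those three blocks or move it into a shared include. Both listen directives lack the `proxy_protocol` parameter although `real_ip_header proxy_protocol;` and the comment expect the PROXY header from the reverse proxy; unless that header is stripped before it reaches this server block, they should read `listen 443 ssl proxy_protocol;` and `listen [::]:443 ssl proxy_protocol;`, otherwise connections carrying the header fail the TLS handshake and $remote_addr is never rewritten. The three `/dev/null` certificate paths presumably also fail the config test until a real chain is installed, so a comment naming the role or step expected to replace them would help the next reader.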