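# Certificate name for the default nginx server.
# NOTE(review): the consumer of this variable is not visible in this file.
nginx_default_cert_name: lovelace.box.pydis.wtf

# Extra nginx configuration, one entry per config file; each value is the
# literal file content (presumably written out under the key's name).
#
# Every server block says `listen 443 ssl;` explicitly. With a bare
# `listen 443;`, TLS on the socket is only active if some other server block
# on the same address:port enables it, and the ssl_* directives below
# (including client-certificate verification) would silently depend on that.
nginx_configs:
  # Prometheus behind mutual TLS.
  #  - ssl_verify_client on: the client must present a certificate that
  #    chains to /opt/pydis/ca.pem, so issuance by that CA is the trust
  #    boundary.
  #  - map $ssl_client_s_dn $reject: allow-list of subject DNs, default deny
  #    (403). The match is an exact string comparison, so a certificate with
  #    any extra subject attribute is rejected, and the DN must be in the
  #    RFC 2253 form that nginx emits since 1.11.6.
  #  - proxy_pass targets localhost:9090; confirm Prometheus binds to
  #    loopback only, otherwise this gate can be bypassed by connecting to
  #    port 9090 directly.
  # NOTE(review): the key lacks "pydis", unlike the server_name; left as-is
  # because renaming it would change the deployed file name. Confirm.
  prometheus.lovelace.box.wtf.conf: |
    server {
        listen 443 ssl;
        server_name prometheus.lovelace.box.pydis.wtf;

        ssl_certificate /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/privkey.pem;

        ssl_client_certificate /opt/pydis/ca.pem;
        ssl_verify_client on;

        location / {
            if ($reject) { return 403; }
            proxy_pass http://localhost:9090;
        }
    }

    map $ssl_client_s_dn $reject {
        default 1;
        CN=sudo.access.tls.pydis.wtf 0;
        CN=prometheus.access.tls.pydis.wtf 0;
    }

  # Public static file host: anything under the root is served without
  # authentication; paths that do not resolve return 404.
  files.pydis.wtf.conf: |
    server {
        listen 443 ssl;
        server_name files.pydis.wtf cloud.native.is.fun.and.easy.pydis.wtf;

        root /var/www/files.pydis.wtf;

        ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem;

        location / {
            try_files $uri $uri/ =404;
        }
    }

  # Public static site. X-Robots-Tag asks crawlers not to index it; it is not
  # an access control.
  propaganda.pydis.wtf.conf: |
    server {
        listen 443 ssl;
        server_name propaganda.pydis.wtf;

        root /var/www/propaganda.pydis.wtf;

        ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem;

        add_header "X-Robots-Tag" "noindex" always;
    }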