aboutsummaryrefslogtreecommitdiff
path: root/roles
diff options
context:
space:
mode:
authorJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-07 21:48:57 +0100
committerJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-07 21:48:57 +0100
commit4bdfbf725d977442ab853731f362b6a61ef242df (patch)
tree03a85ee7f2ebcc465c8c72c62044511c954bbfbe /roles
parentabda2021f9a5cdeecdf48d749d5b467aa552da12 (diff)
downloadansible-memzero-4bdfbf725d977442ab853731f362b6a61ef242df.tar.gz
ansible-memzero-4bdfbf725d977442ab853731f362b6a61ef242df.zip
baikal: add service and proxy pass
Diffstat (limited to 'roles')
-rw-r--r--roles/baikal/tasks/main.yml25
-rw-r--r--roles/webserver/files/user_conf.d/memzero.conf26
2 files changed, 51 insertions, 0 deletions
diff --git a/roles/baikal/tasks/main.yml b/roles/baikal/tasks/main.yml
new file mode 100644
index 0000000..f00e902
--- /dev/null
+++ b/roles/baikal/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Baikal needs rw permissions on *config/* for *nginx* user.
+# The *nginx* user in the container has uid=101.
+# uid mapping with userns works as follows
+# root uid=0 (rootless container) -> user uid on hosts
+# .... uid=1 (rootless container) -> user first subuid
+#
+# => uid=101 (rootless container) -> user subuid + 100
+- name: HACK to satify baikal container
+ ansible.builtin.file:
+ path: "{{ DATA_ROOT }}/baikal/config"
+ recurse: true
+ owner: 100100
+ group: 100100
+ become: true
+
+- name: Baikal
+ containers.podman.podman_container:
+ name: baikal
+ image: docker.io/ckulka/baikal:nginx
+ network: "{{ NETWORK }}"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/baikal/config:/var/www/baikal/config:Z"
+ - "{{ DATA_ROOT }}/baikal/Specific:/var/www/baikal/Specific:Z"
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
index 4e709ce..3a9013f 100644
--- a/roles/webserver/files/user_conf.d/memzero.conf
+++ b/roles/webserver/files/user_conf.d/memzero.conf
@@ -37,6 +37,32 @@ server {
}
server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name dav.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://baikal;
+ }
+}
+
+server {
# Drop any request that does not match any of the other server names.
listen 443 ssl default_server;
ssl_reject_handshake on;