aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--memzero.yml3
-rw-r--r--roles/baikal/tasks/main.yml25
-rw-r--r--roles/webserver/files/user_conf.d/memzero.conf26
3 files changed, 53 insertions, 1 deletions
diff --git a/memzero.yml b/memzero.yml
index 720131b..c9f28bd 100644
--- a/memzero.yml
+++ b/memzero.yml
@@ -10,4 +10,5 @@
roles:
- sshd
- packages
- - webserver \ No newline at end of file
+ - baikal
+ - webserver
diff --git a/roles/baikal/tasks/main.yml b/roles/baikal/tasks/main.yml
new file mode 100644
index 0000000..f00e902
--- /dev/null
+++ b/roles/baikal/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Baikal needs rw permissions on *config/* for *nginx* user.
+# The *nginx* user in the container has uid=101.
+# uid mapping with userns works as follows
+# root uid=0 (rootless container) -> user uid on hosts
+# .... uid=1 (rootless container) -> user first subuid
+#
+# => uid=101 (rootless container) -> user subuid + 100
+- name: HACK to satify baikal container
+ ansible.builtin.file:
+ path: "{{ DATA_ROOT }}/baikal/config"
+ recurse: true
+ owner: 100100
+ group: 100100
+ become: true
+
+- name: Baikal
+ containers.podman.podman_container:
+ name: baikal
+ image: docker.io/ckulka/baikal:nginx
+ network: "{{ NETWORK }}"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/baikal/config:/var/www/baikal/config:Z"
+ - "{{ DATA_ROOT }}/baikal/Specific:/var/www/baikal/Specific:Z"
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
index 4e709ce..3a9013f 100644
--- a/roles/webserver/files/user_conf.d/memzero.conf
+++ b/roles/webserver/files/user_conf.d/memzero.conf
@@ -37,6 +37,32 @@ server {
}
server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name dav.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://baikal;
+ }
+}
+
+server {
# Drop any request that does not match any of the other server names.
listen 443 ssl default_server;
ssl_reject_handshake on;