From 4bdfbf725d977442ab853731f362b6a61ef242df Mon Sep 17 00:00:00 2001
From: Johannes Stoelp
Date: Wed, 7 Dec 2022 21:48:57 +0100
Subject: baikal: add service and proxy pass
---
 memzero.yml | 3 ++-
 roles/baikal/tasks/main.yml | 25 +++++++++++++++++++++++++
 roles/webserver/files/user_conf.d/memzero.conf | 26 ++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 roles/baikal/tasks/main.yml
diff --git a/memzero.yml b/memzero.yml
index 720131b..c9f28bd 100644
--- a/memzero.yml
+++ b/memzero.yml
@@ -10,4 +10,5 @@ roles:
 - sshd
 - packages
- - webserver
\ No newline at end of file
+ - baikal
+ - webserver
diff --git a/roles/baikal/tasks/main.yml b/roles/baikal/tasks/main.yml
new file mode 100644
index 0000000..f00e902
--- /dev/null
+++ b/roles/baikal/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Baikal needs rw permissions on *config/* for *nginx* user.
+# The *nginx* user in the container has uid=101.
+# uid mapping with userns works as follows
+# root uid=0 (rootless container) -> user uid on hosts
+# .... uid=1 (rootless container) -> user first subuid
+#
+# => uid=101 (rootless container) -> user subuid + 100
+- name: HACK to satify baikal container
+ ansible.builtin.file:
+ path: "{{ DATA_ROOT }}/baikal/config"
+ recurse: true
+ owner: 100100
+ group: 100100
+ become: true
+
+- name: Baikal
+ containers.podman.podman_container:
+ name: baikal
+ image: docker.io/ckulka/baikal:nginx
+ network: "{{ NETWORK }}"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/baikal/config:/var/www/baikal/config:Z"
+ - "{{ DATA_ROOT }}/baikal/Specific:/var/www/baikal/Specific:Z"
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
index 4e709ce..3a9013f 100644
--- a/roles/webserver/files/user_conf.d/memzero.conf
+++ b/roles/webserver/files/user_conf.d/memzero.conf
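Review bot: The `owner: 100100` / `group: 100100` values in the HACK task hard-code a subuid base of 100000, while the comment above derives the target as "user subuid + 100"; on a host whose `/etc/subuid` entry for the deploying user starts elsewhere, the chown silently lands on an unrelated uid and the container's nginx user still cannot write `config/`. Promote the value to a role variable (say `baikal_config_uid` in the role's defaults, which are outside this hunk) and extend the comment with `# assumes the deploying user's first subuid is 100000 — check /etc/subuid on the host` so the assumption is visible where it can be broken. The file task relies on `ansible.builtin.file` inferring `state: directory` from `recurse: true` when the path is absent; adding `state: directory` explicitly makes that intent clear and is also what a reader expects next to `recurse`. The container image is pulled by the moving tag `docker.io/ckulka/baikal:nginx`, so a later upstream push changes what the playbook deploys without any change in this repository; pinning `image: docker.io/ckulka/baikal:nginx@sha256:<IMAGE_DIGEST>` (placeholder — take the digest from the registry) keeps the deployment reproducible. Minor: the task name reads "satify" for "satisfy".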
@@ -36,6 +36,32 @@ server {
 root /www/blog;
 }
 
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name dav.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://baikal;
+ }
+}
+
 server {
 # Drop any request that does not match any of the other server names.
 listen 443 ssl default_server;
-- 
cgit v1.2.3
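Review bot: `proxy_pass http://baikal;` uses the container name as a literal upstream, and nginx resolves a literal hostname in `proxy_pass` once at configuration load, so nginx fails to start if the `baikal` container is not yet resolvable and keeps a stale address if the container is recreated with a new IP; since the webserver appears to share the podman network with it, that start-up ordering is not guaranteed. Resolving at request time avoids both: `resolver <CONTAINER_DNS_IP> valid=30s;` `set $baikal_upstream http://baikal;` `proxy_pass $baikal_upstream;` (placeholder — use the network's embedded resolver as seen in the webserver container's `/etc/resolv.conf`). The new `server` block also carries no `ssl_protocols` / `ssl_ciphers`; if those are set once in the `http` context, which lies outside this hunk, this is fine, otherwise the vhost silently falls back to nginx's built-in defaults and the per-block certificate and `ssl_dhparam` directives duplicated from the other blocks would be better hoisted there too. Consider stating in a comment that `X-Real-IP` (set from `$remote_addr`) is the header the backend should trust for client addresses, since `X-Forwarded-For` is built from a client-controllable header via `$proxy_add_x_forwarded_for`.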