Yeet nginx configuration support

3ff5cc5c · Thomas Schneider · 62ee7683 · 3ff5cc5c · 3ff5cc5c · 3ff5cc5c
Commit 3ff5cc5c authored 8 months ago by Thomas Schneider
--- a/request-tracker/defaults/main.yml
+++ b/request-tracker/defaults/main.yml
 ---

-rt_enable_acmetool: false
-rt_enable_nginx: true
 rt_workers: 4
 rt_ldap_password: "{{ lookup('passwordstore', rt_ldappass) }}"
 rt_disallowexecutecode: true
--- a/request-tracker/handlers/main.yml
+++ b/request-tracker/handlers/main.yml
 ---

 - name: restart RT
-  service: name=rt4-fcgi state=restarted
-
- name: restart nginx
-  service: name=nginx state=restarted
+  service:
+    name: rt4-fcgi
+    state: restarted
--- a/request-tracker/tasks/main.yml
+++ b/request-tracker/tasks/main.yml
@@ -75,45 +75,6 @@
  tags:
    - rt

- name: Have nginx packages installed
-  apt:
-    name: nginx
-    state: present
-  when: rt_enable_nginx|default(True)
-  tags:
-    - rt
-
- name: Have nginx config for RT installed
-  template:
-    src: nginx-rt.j2
-    dest: /etc/nginx/sites-available/rt
-  when: rt_enable_nginx|default(True)
-  tags:
-    - rt
-  notify:
-    - restart nginx
-
- name: Have nginx default config removed
-  file:
-    path: /etc/nginx/sites-enabled/default
-    state: absent
-  when: rt_enable_nginx|default(True)
-  tags:
-    - rt
-  notify:
-    - restart nginx
-
- name: Have nginx config for RT activated
-  file:
-    state: link
-    src: /etc/nginx/sites-available/rt
-    dest: /etc/nginx/sites-enabled/rt
-  when: rt_enable_nginx|default(True)
-  tags:
-    - rt
-  notify:
-    - restart nginx
-
 - name: Have fcgi env installed
  template:
    src: fcgi-env.j2
@@ -175,11 +136,3 @@
  tags:
    - rt

- name: Have nginx up und running
-  service:
-    name: nginx
-    state: started
-    enabled: true
-  when: rt_enable_nginx|default(True)
-  tags:
-    - rt
--- a/request-tracker/templates/nginx-rt.j2
+++ b/request-tracker/templates/nginx-rt.j2
-server {
-	listen 443 ssl;
-	ssl_certificate /etc/ssl/nginx.crt;
-	ssl_certificate_key /etc/ssl/private/nginx.key;
-	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:50m;
-	ssl_session_tickets off;
-	ssl_trusted_certificate /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem;
-	ssl_protocols TLSv1.2;
-	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-	ssl_prefer_server_ciphers on;
-	ssl_stapling on;
-	ssl_stapling_verify on;
-
-	server_name {{rt_webdomain}};
-	access_log  /var/log/nginx/access.log;
-	proxy_cookie_path / "/; secure; HttpOnly";
-
-	location / {
-		fastcgi_param  QUERY_STRING       $query_string;
-		fastcgi_param  REQUEST_METHOD     $request_method;
-		fastcgi_param  CONTENT_TYPE       $content_type;
-		fastcgi_param  CONTENT_LENGTH     $content_length;
-
-		fastcgi_param  SCRIPT_NAME        "";
-		fastcgi_param  PATH_INFO          $uri;
-		fastcgi_param  REQUEST_URI        $request_uri;
-		fastcgi_param  DOCUMENT_URI       $document_uri;
-		fastcgi_param  DOCUMENT_ROOT      $document_root;
-		fastcgi_param  SERVER_PROTOCOL    $server_protocol;
-
-		fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
-		fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
-
-		fastcgi_param  REMOTE_ADDR        $remote_addr;
-		fastcgi_param  REMOTE_PORT        $remote_port;
-		fastcgi_param  SERVER_ADDR        $server_addr;
-		fastcgi_param  SERVER_PORT        $server_port;
-		fastcgi_param  SERVER_NAME        $server_name;
-		fastcgi_pass unix:///var/run/rt4-fcgi.sock;
-	}
-	{% if rt_enable_acmetool %}
-	location /.well-known/acme-challenge {
-		alias /var/lib/acme/webroot;
-		try_files $uri =404;
-	}
-	{% endif %}
-}
-
-server {
-	listen 80;
-	server_name {{rt_webdomain}};
-	{% if rt_enable_acmetool %}
-	location /.well-known/acme-challenge {
-		alias /var/lib/acme/webroot;
-		try_files $uri =404;
-	}
-	{% endif %}
-	location / {
-		return 301 https://$server_name$request_uri;
-	}
-}