diff --git a/roles/nginx/templates/etc-nginx.conf.j2 b/roles/nginx/templates/etc-nginx.conf.j2 index b4d4d7a..3ef2e52 100644 --- a/roles/nginx/templates/etc-nginx.conf.j2 +++ b/roles/nginx/templates/etc-nginx.conf.j2 @@ -6,6 +6,10 @@ pid /run/nginx.pid; worker_rlimit_nofile 16384; include {{ nginx_modules_dir }}/*.conf; +events { + worker_connections 768; +} + http { sendfile on; tcp_nopush on; diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 09e4e0c..f0fec0c 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 @@ -8,7 +8,7 @@ server { include /etc/nginx/tls_params; ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem; location ~ /\.ht { deny all; @@ -26,8 +26,8 @@ server { # Include snippets {% for file in site.snippets | default([]) %} -{% include "../../../snippets/" . file %} -{% endif %} +{% include "snippets/" ~ file %} +{% endfor %} # Per site configuration {% for line in site.config | default([]) %} diff --git a/roles/nginx/templates/snippets b/roles/nginx/templates/snippets new file mode 120000 index 0000000..ce62fd7 --- /dev/null +++ b/roles/nginx/templates/snippets @@ -0,0 +1 @@ +../../../snippets/ \ No newline at end of file diff --git a/snippets/prometheus-nginx.j2 b/snippets/prometheus-nginx.j2 index a38e527..ca8ed55 100644 --- a/snippets/prometheus-nginx.j2 +++ b/snippets/prometheus-nginx.j2 @@ -4,10 +4,10 @@ location /prometheus/ { proxy_pass http://localhost:9090/prometheus/; include proxy_params; -{% for host in bitlair_ip_whitelist %} - allow {{ host }}; -{% endif %} - allow "127.0.0.0/8" +{% for host in trusted_ranges | default([]) %} + allow {{ host.cidr }}; +{% endfor %} + allow "127.0.0.0/8"; allow "::1"; deny all; }
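Review bot: The `worker_connections 768;` value in the new `events` block is hard-coded, although the same template already takes `nginx_modules_dir` from a variable and sets `worker_rlimit_nofile 16384` just above it. The prometheus snippet touched later in this commit proxies to a local backend, and a proxied request holds both a client and an upstream connection, so the usable client ceiling per worker is lower than 768 suggests. Consider `worker_connections {{ nginx_worker_connections | default(768) }};` (the variable name is only a suggestion) with a one-line comment relating it to `worker_rlimit_nofile`.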
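Review bot: The names in `site.snippets` are concatenated straight into the include path at `{% include "snippets/" ~ file %}`, and nothing near the loop says where `snippets/` resolves or what a valid name looks like. The lookup now depends on the `roles/nginx/templates/snippets` symlink added later in this commit, which points outside the role, so rendering breaks if the role is copied or packaged without the repository-level `snippets/` directory. Every included snippet is rendered with the full variable context and written verbatim into the server block, so the snippet directory deserves the same review as the role itself. I would add a template comment above the loop such as `{# names resolve via templates/snippets to the repository-level snippets/ directory; plain file names only #}`. The `server` block opens and closes outside this hunk.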
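Review bot: The `allow {{ host.cidr }};` line emits whatever string each `trusted_ranges` entry carries, so a value such as `all` or an over-broad prefix lands in the access list ahead of `deny all;` with nothing checking it. The `default([])` fallback fails closed (only loopback stays allowed), which is the safe direction, but it also silently hides an inventory that still defines the old `bitlair_ip_whitelist` name. Consider asserting in the role that `trusted_ranges` is defined and that every `cidr` parses as a network before the template is rendered (for example with the `ansible.utils.ipaddr` filter, if that collection is available). A comment above the loop should document the entry shape, e.g. `{# trusted_ranges: list of mappings, each with a cidr key #}`. The `location /prometheus/` block opens above the hunk.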