nginx role for git + music

bitlair.yaml

@@ -26,6 +26,7 @@
 - hosts: git
   roles:
     - { role: "acme", tags: [ "acme" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
     - { role: "git-server", tags: [ "git-server" ] }
 
 - hosts: monitoring

git.yaml

@@ -2,6 +2,7 @@
 
 - hosts: git
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - acme
+    - { role: "acme", tags: [ "acme" ] }
-    - git-server
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "git-server", tags: [ "git-server" ] }

group_vars/git.yaml

@@ -1,5 +1,15 @@
+---
+
 acme_domains:
   - "{{ git_server_domain }}"
 git_server_domain: git.bitlair.nl
 git_server_title: Gitlair
 git_server_bootstrap_cert: no
+
+nginx_client_max_body_size: 4G
+
+nginx_sites:
+  - server_name: "git.bitlair.nl"
+    localproxy: "9001"
+    snippets: 
+      - "forgejo-nginx.j2"

group_vars/music.yaml

@@ -5,6 +5,8 @@ root_access:
   - foobar
   - polyfloyd
 
+nginx_client_max_body_size: 512M
+
 music_domain: music.bitlair.nl
 acme_san_domains:
   - [ music.bitlair.nl ]

roles/mqtt-internal/tasks/main.yaml

@@ -1,34 +1,32 @@
 ---
-- name: mqtt-internal
-  tags: mqtt_internal
-  block:
-    - name: Install dependencies
-      ansible.builtin.apt:
-        name:
-          - mosquitto
-          - avahi-daemon
 
-    - name: Install bambulab cafile
+- name: Install dependencies
-      # openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
+  ansible.builtin.apt:
-      ansible.builtin.copy:
+    name:
-        dest: "{{ mqtt_bambulab_cafile }}"
+      - mosquitto
-        content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
+      - avahi-daemon
 
-    - name: Configure Mosquitto
+- name: Install bambulab cafile
-      ansible.builtin.template:
+  # openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
-        src: "{{ item }}"
+  ansible.builtin.copy:
-        dest: "/etc/mosquitto/conf.d/{{ item }}"
+    dest: "{{ mqtt_bambulab_cafile }}"
-        owner: root
+    content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
-        group: root
-        mode: 0644
-      notify: restart mosquitto
-      with_items:
-        - bambulab.conf
-        - internal.conf
-        - public-bridge.conf
 
-    - name: Start mosquitto
+- name: Configure Mosquitto
-      ansible.builtin.systemd:
+  ansible.builtin.template:
-        name: mosquitto
+    src: "{{ item }}"
-        state: started
+    dest: "/etc/mosquitto/conf.d/{{ item }}"
-        enabled: yes
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart mosquitto
+  with_items:
+    - bambulab.conf
+    - internal.conf
+    - public-bridge.conf
+
+- name: Start mosquitto
+  ansible.builtin.systemd:
+    name: mosquitto
+    state: started
+    enabled: yes

roles/nginx/defaults/main.yaml

@@ -13,4 +13,5 @@ nginx_tls_session_timeout:  "1h"
 nginx_ssl_stapling:         "on"
 nginx_ssl_stapling_verify:  "on"
 nginx_wk_acme:              "/var/lib/dehydrated/acme-challenges"
+nginx_client_max_body_size: "32m"
 

roles/nginx/templates/site.conf.j2

@@ -10,6 +10,8 @@ server {
     ssl_certificate        /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
     ssl_certificate_key    /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
 
+    client_max_body_size {{ nginx_client_max_body_size }};
+
     location ~ /\.ht {
         deny all;
     }

snippets/forgejo-nginx.j2

@@ -0,0 +1,3 @@
+location ~* \.keys$ {
+    deny all;
+}