ansible/roles/ingress/defaults/main.yml

#!/usr/bin/env ansible-playbook
# vim:ft=ansible:

# Core container configuration
ingress_container_image: jonasal/nginx-certbot:latest
ingress_container_name: ingress

# Secondary container configuration
ingress_container_ports:
  - 80:80
  - 443:443
ingress_container_persist_dir: "/data/nginx-certbot"
ingress_container_config_mount: "/etc/nginx/user_conf.d"
ingress_container_timezone: America/Chicago

# Network configuration
ingress_container_networks:
  - name: web
    aliases: [ "ingress" ]

# Certbot configuration
ingress_container_certbot_email: rehashedsalt@cock.li

# General Nginx configuration
ingress_listen_args: "443 http2 ssl"
ingress_resolver: 8.8.8.8
# This non-obvious setting controls whether directives for certificates will be added to hosts
# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
# a custom container that *doesn't* automatically-provision LE certs
ingress_listen_tls: yes
ingress_tls_protocols: TLSv1.2 TLSv1.3
ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ingress_tls_prefer_server_ciphers: "off"
# Escape hatch for a bunch of directives
# Defaults here are for general-purpose use, like compression
ingress_directives:
  - gzip on
  - gzip_comp_level 5
  - gzip_min_length 256
  - gzip_proxied any
  - gzip_vary on
  - gzip_types
      application/javascript
      application/json
      application/wasm
      application/xhtml+xml
      image/x-ms-bmp
      image/svg+xml
      image/x-icon
      text/css
      text/plain
      text/xml

# Vhost configuration
# ingress_servers:
#   - name: example.com
#     proxies:
#       - location: /
#         pass: http://some-container:80
#     locations:
#       - location: "^~ /.well-known"
#         contents: |
#           location = /.well-known/carddav { return 301 /remote.php/dav/; }
#           location = /.well-known/caldav  { return 301 /remote.php/dav/; }
#           location ^~ /.well-known        { return 301 /index.php$uri; }
#           try_files $uri $uri/ =404;
#   - name: redirect.example.com
#     directives:
#       # NOTE: Do NOT suffix with a semicolon; that gets added for you
#       - "return 301 $scheme://example.com$request_uri"
ingress_servers: []
Add role for ingress controller, move configuration into it and its data structures 2021-09-18 00:04:05 -05:00			`#!/usr/bin/env ansible-playbook`
			`# vim:ft=ansible:`

			`# Core container configuration`
			`ingress_container_image: jonasal/nginx-certbot:latest`
			`ingress_container_name: ingress`

			`# Secondary container configuration`
Fix some configuration errors in ingress, make some changes to better facilitate disabling TLS 2021-09-18 07:13:33 -05:00			`ingress_container_ports:`
			`- 80:80`
			`- 443:443`
Add role for ingress controller, move configuration into it and its data structures 2021-09-18 00:04:05 -05:00			`ingress_container_persist_dir: "/data/nginx-certbot"`
Add option to change where conf.d gets mounted on ingress Whups 2021-09-27 15:19:18 -05:00			`ingress_container_config_mount: "/etc/nginx/user_conf.d"`
Add role for ingress controller, move configuration into it and its data structures 2021-09-18 00:04:05 -05:00			`ingress_container_timezone: America/Chicago`

			`# Network configuration`
			`ingress_container_networks:`
			`- name: web`
			`aliases: [ "ingress" ]`

			`# Certbot configuration`
			`ingress_container_certbot_email: rehashedsalt@cock.li`

Add missing args to listen whups 2021-09-18 07:00:07 -05:00			`# General Nginx configuration`
Add http2 to default listen args 2021-09-18 07:47:10 -05:00			`ingress_listen_args: "443 http2 ssl"`
Add more nginx configuration, specifically with regard to TLS 2021-09-18 07:43:45 -05:00			`ingress_resolver: 8.8.8.8`
Fix some configuration errors in ingress, make some changes to better facilitate disabling TLS 2021-09-18 07:13:33 -05:00			`# This non-obvious setting controls whether directives for certificates will be added to hosts`
			`# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using`
			`# a custom container that doesn't automatically-provision LE certs`
			`ingress_listen_tls: yes`
Add more nginx configuration, specifically with regard to TLS 2021-09-18 07:43:45 -05:00			`ingress_tls_protocols: TLSv1.2 TLSv1.3`
			`ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
			`ingress_tls_prefer_server_ciphers: "off"`
Add gzip compression to ingress containers 2022-01-13 13:19:06 -06:00			`# Escape hatch for a bunch of directives`
			`# Defaults here are for general-purpose use, like compression`
			`ingress_directives:`
			`- gzip on`
			`- gzip_comp_level 5`
			`- gzip_min_length 256`
			`- gzip_proxied any`
			`- gzip_vary on`
			`- gzip_types`
			`application/javascript`
			`application/json`
			`application/wasm`
			`application/xhtml+xml`
			`image/x-ms-bmp`
			`image/svg+xml`
			`image/x-icon`
			`text/css`
			`text/plain`
			`text/xml`
Add missing args to listen whups 2021-09-18 07:00:07 -05:00
Add role for ingress controller, move configuration into it and its data structures 2021-09-18 00:04:05 -05:00			`# Vhost configuration`
			`# ingress_servers:`
			`# - name: example.com`
			`# proxies:`
			`# - location: /`
			`# pass: http://some-container:80`
			`# locations:`
			`# - location: "^~ /.well-known"`
			`# contents: \|`
			`# location = /.well-known/carddav { return 301 /remote.php/dav/; }`
			`# location = /.well-known/caldav { return 301 /remote.php/dav/; }`
			`# location ^~ /.well-known { return 301 /index.php$uri; }`
			`# try_files $uri $uri/ =404;`
			`# - name: redirect.example.com`
			`# directives:`
			`# # NOTE: Do NOT suffix with a semicolon; that gets added for you`
			`# - "return 301 $scheme://example.com$request_uri"`
			`ingress_servers: []`