2021-09-18 00:04:05 -05:00
|
|
|
#!/usr/bin/env ansible-playbook
|
|
|
|
# vim:ft=ansible:
|
|
|
|
|
|
|
|
# Core container configuration
|
|
|
|
ingress_container_image: jonasal/nginx-certbot:latest
|
|
|
|
ingress_container_name: ingress
|
|
|
|
|
|
|
|
# Secondary container configuration
|
2021-09-18 07:13:33 -05:00
|
|
|
ingress_container_ports:
|
|
|
|
- 80:80
|
|
|
|
- 443:443
|
2021-09-18 00:04:05 -05:00
|
|
|
ingress_container_persist_dir: "/data/nginx-certbot"
|
2021-09-27 15:19:18 -05:00
|
|
|
ingress_container_config_mount: "/etc/nginx/user_conf.d"
|
2021-09-18 00:04:05 -05:00
|
|
|
ingress_container_timezone: America/Chicago
|
|
|
|
|
|
|
|
# Network configuration
|
|
|
|
ingress_container_networks:
|
|
|
|
- name: web
|
|
|
|
aliases: [ "ingress" ]
|
|
|
|
|
|
|
|
# Certbot configuration
|
|
|
|
ingress_container_certbot_email: rehashedsalt@cock.li
|
|
|
|
|
2021-09-18 07:00:07 -05:00
|
|
|
# General Nginx configuration
|
2021-09-18 07:47:10 -05:00
|
|
|
ingress_listen_args: "443 http2 ssl"
|
2021-09-18 07:43:45 -05:00
|
|
|
ingress_resolver: 8.8.8.8
|
2021-09-18 07:13:33 -05:00
|
|
|
# This non-obvious setting controls whether directives for certificates will be added to hosts
|
|
|
|
# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
|
|
|
|
# a custom container that *doesn't* automatically-provision LE certs
|
|
|
|
ingress_listen_tls: yes
|
2021-09-18 07:43:45 -05:00
|
|
|
ingress_tls_protocols: TLSv1.2 TLSv1.3
|
|
|
|
ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
|
|
ingress_tls_prefer_server_ciphers: "off"
|
2021-09-18 07:00:07 -05:00
|
|
|
|
2021-09-18 00:04:05 -05:00
|
|
|
# Vhost configuration
|
|
|
|
# ingress_servers:
|
|
|
|
# - name: example.com
|
|
|
|
# proxies:
|
|
|
|
# - location: /
|
|
|
|
# pass: http://some-container:80
|
|
|
|
# locations:
|
|
|
|
# - location: "^~ /.well-known"
|
|
|
|
# contents: |
|
|
|
|
# location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
|
|
|
# location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
|
|
|
# location ^~ /.well-known { return 301 /index.php$uri; }
|
|
|
|
# try_files $uri $uri/ =404;
|
|
|
|
# - name: redirect.example.com
|
|
|
|
# directives:
|
|
|
|
# # NOTE: Do NOT suffix with a semicolon; that gets added for you
|
|
|
|
# - "return 301 $scheme://example.com$request_uri"
|
|
|
|
ingress_servers: []
|