#!/usr/bin/env ansible-playbook # vim:ft=ansible: # Core container configuration ingress_container_image: jonasal/nginx-certbot:latest ingress_container_name: ingress # Secondary container configuration ingress_container_ports: - 80:80 - 443:443 ingress_container_persist_dir: "/data/nginx-certbot" ingress_container_config_mount: "/etc/nginx/user_conf.d" ingress_container_timezone: America/Chicago # Network configuration ingress_container_networks: - name: web aliases: [ "ingress" ] # Certbot configuration ingress_container_certbot_email: rehashedsalt@cock.li # General Nginx configuration ingress_listen_args: "443 http2 ssl" ingress_resolver: 8.8.8.8 # This non-obvious setting controls whether directives for certificates will be added to hosts # Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using # a custom container that *doesn't* automatically-provision LE certs ingress_listen_tls: yes ingress_tls_protocols: TLSv1.2 TLSv1.3 ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ingress_tls_prefer_server_ciphers: "off" # Vhost configuration # ingress_servers: # - name: example.com # proxies: # - location: / # pass: http://some-container:80 # locations: # - location: "^~ /.well-known" # contents: | # location = /.well-known/carddav { return 301 /remote.php/dav/; } # location = /.well-known/caldav { return 301 /remote.php/dav/; } # location ^~ /.well-known { return 301 /index.php$uri; } # try_files $uri $uri/ =404; # - name: redirect.example.com # directives: # # NOTE: Do NOT suffix with a semicolon; that gets added for you # - "return 301 $scheme://example.com$request_uri" ingress_servers: []