
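#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
# Defaults for the "ingress" role: a single nginx-certbot container that
# terminates TLS at the edge and proxies to other containers on the "web"
# network. Everything here can be overridden from inventory.

# Core container configuration
# NOTE(review): ":latest" is a moving target -- whatever upstream pushes next is
# what the edge runs after the next pull. Pin to a version tag, or better an
# image digest (image@sha256:...), once you have one you have tested, so an
# upstream or registry change cannot silently replace the TLS terminator.
ingress_container_image: jonasal/nginx-certbot:latest
ingress_container_name: ingress

# Secondary container configuration
# Port mappings are quoted so a host:container pair is always a string; an
# unquoted pair with both sides below 60 (e.g. 22:22) would be read by the
# YAML 1.1 loader as a sexagesimal integer instead of a mapping.
ingress_container_ports:
  - "80:80"
  - "443:443"
ingress_container_persist_dir: "/data/nginx-certbot"
ingress_container_config_mount: "/etc/nginx/user_conf.d"
ingress_container_timezone: America/Chicago

# Network configuration
ingress_container_networks:
  - name: web
    aliases: ["ingress"]

# Certbot configuration
ingress_container_certbot_email: rehashedsalt@cock.li

# General Nginx configuration
ingress_listen_args: "443 http2 ssl"
# Resolver nginx uses for its own runtime lookups (e.g. OCSP responders or
# variable upstreams). Queries leave the host as plain DNS to a third party;
# point this at an internal or otherwise trusted resolver if that matters.
ingress_resolver: 8.8.8.8
# This non-obvious setting controls whether directives for certificates will be added to hosts.
# Set to false if you do not plan on terminating TLS at the ingress controller, like when using
# a custom container that *doesn't* automatically provision LE certs.
# Written as a real boolean (true/false) rather than yes/no: same value under
# the YAML 1.1 loader Ansible uses, and unambiguous under YAML 1.2 tooling.
ingress_listen_tls: true
ingress_tls_protocols: TLSv1.2 TLSv1.3
ingress_tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# This is an nginx on/off token, not a YAML boolean; it stays quoted so the
# template emits the literal "off" instead of a loader-converted false.
ingress_tls_prefer_server_ciphers: "off"

# Escape hatch for a bunch of directives
# Defaults here are for general-purpose use, like compression
# Caveat: compressing TLS responses that mix attacker-influenced input with
# per-session secrets (CSRF tokens, session ids) is the BREACH side channel.
# nginx compresses text/html regardless of gzip_types, so for vhosts that serve
# such pages either turn gzip off per-vhost or keep secrets out of the body.
ingress_directives:
  - gzip on
  - gzip_comp_level 5
  - gzip_min_length 256
  - gzip_proxied any
  - gzip_vary on
  # Folded block: rendered as one space-separated "gzip_types ..." directive.
  - >-
    gzip_types
    application/javascript
    application/json
    application/wasm
    application/xhtml+xml
    image/x-ms-bmp
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/xml

# Vhost configuration
# Each entry becomes one server block. "contents" and "directives" are
# presumably pasted into the rendered config verbatim (the role only appends
# the semicolon), so treat anything templated into them from inventory as code.
# ingress_servers:
#   - name: example.com
#     proxies:
#       - location: /
#         pass: http://some-container:80
#     locations:
#       - location: "^~ /.well-known"
#         contents: |
#           location = /.well-known/carddav { return 301 /remote.php/dav/; }
#           location = /.well-known/caldav { return 301 /remote.php/dav/; }
#           location ^~ /.well-known { return 301 /index.php$uri; }
#           try_files $uri $uri/ =404;
#   - name: redirect.example.com
#     directives:
#       # NOTE: Do NOT suffix with a semicolon; that gets added for you
#       - "return 301 $scheme://example.com$request_uri"
ingress_servers: []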