meta/ansible/roles/wetgit-nginx/tasks/main.yml
Coornhert c481ebf9e7 feat: ansible deployment setup voor dt-prod-01
- Forgejo + Redis Docker stack (wetgit-forgejo role)
- FastAPI + Celery systemd services (wetgit-app role)
- Nginx vhosts voor git.wetgit.nl en api.wetgit.nl (wetgit-nginx role)
- SSL via Let's Encrypt (certbot webroot)
- Backup script (forgejo dump, geen downtime)
- Codeberg mirror script
- Cron jobs voor backup/mirror/log cleanup
- Ansible vault voor secrets (encrypted)

Geïsoleerd van dt-platform: eigen poorten, users, directories.
2026-03-29 21:24:47 +02:00


---
# Nginx vhosts for WetGIT
# IMPORTANT: Only adds vhost configs. Does NOT touch global nginx.conf
# (managed by dt-platform's nginx role).
#
# Strategy: Deploy HTTP-only first → get SSL certs → deploy full HTTPS config.
# --- Step 1: Check existing SSL certificates ---
# The two stat results gate everything below: a domain whose fullchain.pem is
# already present skips the HTTP-only bootstrap vhost and the certbot run, and
# goes straight to the full HTTPS template.
- name: Check if API SSL certificate exists
  register: ssl_cert_api
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"

- name: Check if Forgejo SSL certificate exists
  register: ssl_cert_git
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ forgejo_domain }}/fullchain.pem"
# --- Step 2: Deploy HTTP-only configs for domains without certs ---
# Bootstrap vhosts: serve only the ACME webroot challenge path and answer 503
# for everything else, so nothing is exposed before a certificate exists.
# Each one is overwritten by the full HTTPS template in Step 5.
- name: Deploy API HTTP-only vhost (pre-SSL)
  when: not ssl_cert_api.stat.exists
  notify: reload nginx
  ansible.builtin.copy:
    dest: /etc/nginx/sites-available/wetgit-api.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      # Temporary HTTP-only config for SSL provisioning — managed by Ansible
      server {
      listen 80;
      listen [::]:80;
      server_name {{ server_name }};
      location /.well-known/acme-challenge/ { root /var/www/certbot; }
      location / { return 503; }
      }

- name: Deploy Forgejo HTTP-only vhost (pre-SSL)
  when: not ssl_cert_git.stat.exists
  notify: reload nginx
  ansible.builtin.copy:
    dest: /etc/nginx/sites-available/wetgit-git.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      # Temporary HTTP-only config for SSL provisioning — managed by Ansible
      server {
      listen 80;
      listen [::]:80;
      server_name {{ forgejo_domain }};
      location /.well-known/acme-challenge/ { root /var/www/certbot; }
      location / { return 503; }
      }
# --- Step 3: Enable vhosts and reload nginx ---
# Symlink both vhosts into sites-enabled. Global nginx.conf is deliberately
# left alone (owned by dt-platform's nginx role).
# NOTE(review): with state=link the file module fails when src is absent; that
# happens on a host where the certificate already exists (Step 2 skipped) but
# sites-available/<vhost>.conf has never been written — confirm whether that
# first-run case matters here.
- name: Enable WetGIT vhosts
  notify: reload nginx
  loop:
    - wetgit-api
    - wetgit-git
  ansible.builtin.file:
    state: link
    src: "/etc/nginx/sites-available/{{ item }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item }}.conf"

# Run the pending "reload nginx" handler immediately: certbot's webroot
# challenge in Step 4 needs the HTTP-only vhosts to be live already.
- name: Flush handlers (reload nginx for certbot)
  ansible.builtin.meta: flush_handlers
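# --- Step 4: Obtain SSL certificates via webroot ---
# Each certbot run is guarded by the Step 1 stat, so it only fires for a domain
# with no fullchain.pem yet. A certbot failure fails the play here, before the
# HTTPS templates in Step 5 are deployed — nginx never references a cert that
# was not issued.
# The ACME account contact defaults to the original hard-coded address; set
# certbot_email in inventory/vars to override it without editing this role.
- name: Obtain SSL certificate for {{ server_name }}
  command: >
    certbot certonly --webroot
    -w /var/www/certbot
    -d {{ server_name }}
    --non-interactive --agree-tos
    --email {{ certbot_email | default('coornhert@wetgit.nl') }}
  when: not ssl_cert_api.stat.exists
  register: certbot_api

- name: Obtain SSL certificate for {{ forgejo_domain }}
  command: >
    certbot certonly --webroot
    -w /var/www/certbot
    -d {{ forgejo_domain }}
    --non-interactive --agree-tos
    --email {{ certbot_email | default('coornhert@wetgit.nl') }}
  when: not ssl_cert_git.stat.exists
  register: certbot_git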
# --- Step 5: Deploy full HTTPS configs ---
# Replace the bootstrap vhosts (or refresh existing ones) with the HTTPS
# templates. Runs unconditionally, so on re-runs the rendered templates are
# always what ends up in sites-available; the reload is handled at play end.
- name: Deploy WetGIT nginx vhosts (full HTTPS)
  notify: reload nginx
  loop:
    - wetgit-api
    - wetgit-git
  ansible.builtin.template:
    src: "{{ item }}.conf.j2"
    dest: "/etc/nginx/sites-available/{{ item }}.conf"
    owner: root
    group: root
    mode: "0644"