Coornhert
d3536c74a4
- Meilisearch v1.12 + Qdrant v1.13 toegevoegd aan docker-compose
- Env vars voor MEILI_URL/QDRANT_URL/MISTRAL_API_KEY/FORGEJO_API_TOKEN
- Nieuwe web vhost (wetgit.nl) via wetgit-web.conf.j2
- Systemd service-paden:
- wetgit.service → uvicorn wetgit.api.app:app
- wetgit-celery.service → celery -A wetgit.tasks
- WETGIT_GIT_REPOS_DIR verplaatst naar {{ app_dir }}/app
(data leeft op /opt/wetgit/app/rijk/)
- Nieuwe vault-secrets: meili_master_key, qdrant_api_key, mistral_api_key
216 lines
6.1 KiB
YAML
216 lines
6.1 KiB
YAML
---
|
|
# Nginx vhosts for WetGIT
|
|
# IMPORTANT: Only adds vhost configs. Does NOT touch global nginx.conf
|
|
# (managed by dt-platform's nginx role).
|
|
#
|
|
# Strategy:
|
|
# 1. Check if SSL certs exist
|
|
# 2. If no cert: deploy HTTP-only config → certbot → deploy HTTPS
|
|
# 3. If cert exists: deploy HTTPS config directly
|
|
# 4. Enable vhosts (symlinks) after config files exist
|
|
|
|
# --- Step 1: Check existing SSL certificates ---
|
|
|
|
- name: Check if API SSL certificate exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"
|
|
register: ssl_cert_api
|
|
|
|
- name: Check if Forgejo SSL certificate exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ forgejo_domain }}/fullchain.pem"
|
|
register: ssl_cert_git
|
|
|
|
- name: Check if Web SSL certificate exists
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ web_domain }}/fullchain.pem"
|
|
register: ssl_cert_web
|
|
|
|
# --- Step 2: Deploy HTTP-only configs for domains that need new certs ---
|
|
|
|
- name: Deploy API HTTP-only vhost (pre-SSL)
|
|
copy:
|
|
content: |
|
|
# Temporary HTTP-only config for SSL provisioning — managed by Ansible
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ server_name }};
|
|
location /.well-known/acme-challenge/ { root /var/www/certbot; }
|
|
location / { return 503; }
|
|
}
|
|
dest: /etc/nginx/sites-available/wetgit-api.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: not ssl_cert_api.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Deploy Forgejo HTTP-only vhost (pre-SSL)
|
|
copy:
|
|
content: |
|
|
# Temporary HTTP-only config for SSL provisioning — managed by Ansible
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ forgejo_domain }};
|
|
location /.well-known/acme-challenge/ { root /var/www/certbot; }
|
|
location / { return 503; }
|
|
}
|
|
dest: /etc/nginx/sites-available/wetgit-git.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: not ssl_cert_git.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Deploy Web HTTP-only vhost (pre-SSL)
|
|
copy:
|
|
content: |
|
|
# Temporary HTTP-only config for SSL provisioning — managed by Ansible
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ web_domain }};
|
|
location /.well-known/acme-challenge/ { root /var/www/certbot; }
|
|
location / { return 503; }
|
|
}
|
|
dest: /etc/nginx/sites-available/wetgit-web.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: not ssl_cert_web.stat.exists
|
|
notify: reload nginx
|
|
|
|
# --- Step 3: Enable vhosts that need new certs + reload for certbot ---
|
|
|
|
- name: Enable API vhost (pre-SSL)
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-api.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-api.conf
|
|
state: link
|
|
when: not ssl_cert_api.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Enable Forgejo vhost (pre-SSL)
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-git.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-git.conf
|
|
state: link
|
|
when: not ssl_cert_git.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Enable Web vhost (pre-SSL)
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-web.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-web.conf
|
|
state: link
|
|
when: not ssl_cert_web.stat.exists
|
|
notify: reload nginx
|
|
|
|
# Force handler to run so nginx has the HTTP configs before certbot
|
|
- name: Flush handlers (reload nginx for certbot)
|
|
meta: flush_handlers
|
|
|
|
# --- Step 4: Obtain SSL certificates via webroot ---
|
|
|
|
- name: Obtain SSL certificate for {{ server_name }}
|
|
command: >
|
|
certbot certonly --webroot
|
|
-w /var/www/certbot
|
|
-d {{ server_name }}
|
|
--non-interactive --agree-tos
|
|
--email coornhert@wetgit.nl
|
|
when: not ssl_cert_api.stat.exists
|
|
register: certbot_api
|
|
|
|
- name: Obtain SSL certificate for {{ forgejo_domain }}
|
|
command: >
|
|
certbot certonly --webroot
|
|
-w /var/www/certbot
|
|
-d {{ forgejo_domain }}
|
|
--non-interactive --agree-tos
|
|
--email coornhert@wetgit.nl
|
|
when: not ssl_cert_git.stat.exists
|
|
register: certbot_git
|
|
|
|
- name: Obtain SSL certificate for {{ web_domain }}
|
|
command: >
|
|
certbot certonly --webroot
|
|
-w /var/www/certbot
|
|
-d {{ web_domain }}
|
|
--non-interactive --agree-tos
|
|
--email coornhert@wetgit.nl
|
|
when: not ssl_cert_web.stat.exists
|
|
register: certbot_web
|
|
|
|
# --- Step 5: Re-check SSL certs after certbot ---
|
|
|
|
- name: Re-check API SSL certificate
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"
|
|
register: ssl_cert_api_final
|
|
|
|
- name: Re-check Forgejo SSL certificate
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ forgejo_domain }}/fullchain.pem"
|
|
register: ssl_cert_git_final
|
|
|
|
- name: Re-check Web SSL certificate
|
|
stat:
|
|
path: "/etc/letsencrypt/live/{{ web_domain }}/fullchain.pem"
|
|
register: ssl_cert_web_final
|
|
|
|
# --- Step 6: Deploy full HTTPS configs + enable vhosts ---
|
|
|
|
- name: Deploy API nginx vhost (full HTTPS)
|
|
template:
|
|
src: wetgit-api.conf.j2
|
|
dest: /etc/nginx/sites-available/wetgit-api.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: ssl_cert_api_final.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Deploy Forgejo nginx vhost (full HTTPS)
|
|
template:
|
|
src: wetgit-git.conf.j2
|
|
dest: /etc/nginx/sites-available/wetgit-git.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: ssl_cert_git_final.stat.exists
|
|
notify: reload nginx
|
|
|
|
- name: Deploy Web nginx vhost (full HTTPS)
|
|
template:
|
|
src: wetgit-web.conf.j2
|
|
dest: /etc/nginx/sites-available/wetgit-web.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when: ssl_cert_web_final.stat.exists
|
|
notify: reload nginx
|
|
|
|
# Enable all vhosts (idempotent — creates symlink if not exists)
|
|
- name: Enable API vhost
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-api.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-api.conf
|
|
state: link
|
|
notify: reload nginx
|
|
|
|
- name: Enable Forgejo vhost
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-git.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-git.conf
|
|
state: link
|
|
notify: reload nginx
|
|
|
|
- name: Enable Web vhost
|
|
file:
|
|
src: /etc/nginx/sites-available/wetgit-web.conf
|
|
dest: /etc/nginx/sites-enabled/wetgit-web.conf
|
|
state: link
|
|
notify: reload nginx
|