homelab/roles/proxy/templates/server-nginx.conf.j2

server {
    listen 80;

    server_name {{ item.domain }};
    return 301 https://{{ item.domain }}$request_uri;
}

server {
  listen              443 ssl;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
{% set domain_regex = '^\*\.' + wildcard + '$' %}
{% if item.domain | regex_search(wildcard) %}
  ssl_certificate     /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
{% endif %}
{% endfor %}
{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
  ssl_certificate     {{ item.tls.cert }};
  ssl_certificate_key {{ item.tls.key }};
{% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}
{% if item.client_max_body_size is defined %}
  client_max_body_size {{ item.client_max_body_size }};
{% endif %}
  location / {
{% if item.restrict is defined and item.restrict  %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
    proxy_set_header Authorization "";
{% endif %}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass {{ item.proxy_pass }};
{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
    proxy_ssl_verify off;
{% endif %}
  }
}
Redirect HTTP to HTTPS 2022-05-27 03:32:25 +00:00			`server {`
			`listen 80;`

			`server_name {{ item.domain }};`
			`return 301 https://{{ item.domain }}$request_uri;`
			`}`

Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`server {`
			`listen 443 ssl;`
			`server_name {{ item.domain }};`
			`access_log /var/log/nginx/{{ item.domain }}.log main;`
Determine wildcard cert paths and tidy nginx role 2022-05-24 02:33:17 +00:00			`{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}`
			`{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}`
			`{% set domain_regex = '^\*\.' + wildcard + '$' %}`
			`{% if item.domain \| regex_search(wildcard) %}`
			`ssl_certificate /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;`
			`{% endif %}`
			`{% endfor %}`
			`{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}`
Use DNS-01 on Cloudflare for wildcard LE certs 2022-05-23 07:32:56 +00:00			`ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;`
Determine wildcard cert paths and tidy nginx role 2022-05-24 02:33:17 +00:00			`{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}`
Use DNS-01 on Cloudflare for wildcard LE certs 2022-05-23 07:32:56 +00:00			`ssl_certificate {{ item.tls.cert }};`
			`ssl_certificate_key {{ item.tls.key }};`
			`{% else %}`
Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;`
			`ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;`
Add client_max_body_size for Nextcloud 2022-08-19 05:27:55 +00:00			`{% endif %}`
			`{% if item.client_max_body_size is defined %}`
			`client_max_body_size {{ item.client_max_body_size }};`
Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`{% endif %}`
			`location / {`
Add basic auth and ignore backend SSL errors 2022-08-17 05:15:15 +00:00			`{% if item.restrict is defined and item.restrict %}`
			`auth_basic "{{ item.restrict_name \| default('Restricted Access') }}";`
			`auth_basic_user_file {{ item.restrict_file \| default('/etc/nginx/.htpasswd') }};`
Strip auth header and update external config 2022-08-19 04:51:05 +00:00			`proxy_set_header Authorization "";`
Add basic auth and ignore backend SSL errors 2022-08-17 05:15:15 +00:00			`{% endif %}`
Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
Add X-Forwarded-For proxy header 2022-05-28 02:33:35 +00:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`proxy_pass {{ item.proxy_pass }};`
Add basic auth and ignore backend SSL errors 2022-08-17 05:15:15 +00:00			`{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}`
			`proxy_ssl_verify off;`
			`{% endif %}`
Setup nginx reverse proxy 2022-05-22 04:19:56 +00:00			`}`
			`}`