Replaced nginx native with openresty for logout injection. Right now still buggy on nextcloud and espocrm

2025-08-29 15:06:26 +02:00 · 2025-07-24 03:19:16 +02:00
parent f5213fd59c
commit f62355e490
129 changed files with 515 additions and 319 deletions
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -48,8 +48,15 @@ certbot_credentials_file:                 "{{ certbot_credentials_dir }}/{{ cert
 certbot_dns_api_token:                    ""                      # Define in inventory file
 certbot_dns_propagation_wait_seconds:     40                      # How long should the script wait for DNS propagation before continuing
 certbot_flavor:                           san                     # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), deicated
-certbot_webroot_path:                     "/var/lib/letsencrypt/" # Path used by Certbot to serve HTTP-01 ACME challenges
-certbot_cert_path:                        "/etc/letsencrypt/live" # Path containing active certificate symlinks for domains
+
+# Path where Certbot stores challenge webroot files
+letsencrypt_webroot_path: "/var/lib/letsencrypt/"
+
+# Base directory containing Certbot configuration, account data, and archives
+letsencrypt_base_path: "/etc/letsencrypt/"
+
+# Symlink directory for the current active certificate and private key
+letsencrypt_live_path: "{{ letsencrypt_base_path }}live/"

 ## Docker Role Specific Parameters
 docker_restart_policy:                    "unless-stopped"
--- a/group_vars/all/06_nginx.yml
+++ b/group_vars/all/06_nginx.yml
@@ -1,20 +1,25 @@
 # Webserver Configuration

+# Helper 
+_nginx_www_dir: /var/www/
 ## Nginx-Specific Path Configurations
 nginx:
+  files:
+    configuration:   "/etc/nginx/nginx.conf"
  directories:
-    configuration:    "/etc/nginx/conf.d/"              # Configuration directory
+    configuration:    "/etc/nginx/conf.d/"                  # Configuration directory
    http:                                               
-      global:         "/etc/nginx/conf.d/http/global/"  # Contains global configurations which will be loaded into the http block
-      servers:        "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain
-      maps:           "/etc/nginx/conf.d/http/maps/"    # Contains mappings
-    streams:          "/etc/nginx/conf.d/streams/"      # Contains streams configuration e.g. for ldaps
+      global:         "/etc/nginx/conf.d/http/global/"      # Contains global configurations which will be loaded into the http block
+      servers:        "/etc/nginx/conf.d/http/servers/"     # Contains one configuration per domain
+      maps:           "/etc/nginx/conf.d/http/maps/"        # Contains mappings
+    streams:          "/etc/nginx/conf.d/streams/"          # Contains streams configuration e.g. for ldaps
    data:
-      well_known:     "/usr/share/nginx/well-known/"    # Path where well-known files are stored
-      html:           "/var/www/public_html/"           # Path where the static homepage files are stored
-      files:          "/var/www/public_files/"          # Path where the web accessable files are stored
-      global:         "/var/www/global/"                # Directory containing files which will be globaly accessable
+      www:            "{{ _nginx_www_dir }}"
+      well_known:     "/usr/share/nginx/well-known/"        # Path where well-known files are stored
+      html:           "{{ _nginx_www_dir }}public_html/"    # Path where the static homepage files are stored
+      files:          "{{ _nginx_www_dir }}public_files/"   # Path where the web accessable files are stored
+      global:         "{{ _nginx_www_dir }}global/"         # Directory containing files which will be globaly accessable
    cache:
-      general:        "/tmp/cache_nginx_general/"       # Directory which nginx uses to cache general data
-      image:          "/tmp/cache_nginx_image/"         # Directory which nginx uses to cache images
-  user:               "http"                            # Default nginx user in ArchLinux
+      general:        "/tmp/cache_nginx_general/"           # Directory which nginx uses to cache general data
+      image:          "/tmp/cache_nginx_image/"             # Directory which nginx uses to cache images
+  user:               "http"                                # Default nginx user in ArchLinux
--- a/group_vars/all/13_ldap.yml
+++ b/group_vars/all/13_ldap.yml
@@ -10,7 +10,7 @@ _ldap_docker_network_enabled:   "{{ applications | get_app_conf('svc-db-openldap
 _ldap_protocol:                 "{{ 'ldap' if _ldap_docker_network_enabled else 'ldaps' }}"
 _ldap_server_port:              "{{ ports.localhost[_ldap_protocol]['svc-db-openldap'] }}"
 _ldap_name:                     "{{ applications | get_app_conf('svc-db-openldap', 'docker.services.openldap.name') }}"
-_ldap_domain:                   "{{ domains | get_domain('svc-db-openldap') }}"
+_ldap_domain:                   "{{ primary_domain }}" # LDAP is jsut listening to a port not to a dedicated domain, so primary domain should be sufficient
 _ldap_user_id:                  "uid"
 _ldap_filters_users_all:        "(|(objectclass=inetOrgPerson))"