Merge branch 'nginx_default_vhost' of 'https://github.com/zhquan/bap-deployment-toolkit'

jjmerchante · web-flow · commit 9f011b3eab6d · 2025-04-16T09:43:24.000+02:00
Merges #119 Closes #119
diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
@@ -73,3 +73,9 @@ gcloud_apt_deb_ubuntu_repository: >-
 
 docker_network_name: bap_network
 docker_log_max_size: 500m
+
+# Uncomment to add NGINX default configuration
+#nginx_default_host: default.example.com
+
+# NGINX ssl_ciphers list from Mozilla https://wiki.mozilla.org/Security/Server_Side_TLS
+nginx_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
diff --git a/ansible/roles/nginx/files/default.conf b/ansible/roles/nginx/files/default.conf
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
@@ -65,6 +65,13 @@
     loop_var: instance
   when: custom_cert is undefined and instance.nginx is defined
 
+- name: "Configure virtualhost (certbot with acme-challenge) for default host"
+  template:
+    src: vhost_port_80.j2
+    dest: "{{ nginx_virtualhosts_workdir }}/default.conf"
+    backup: true
+  when: custom_cert is undefined and nginx_default_host is defined
+
 - name: "Create a docker network: {{ docker_network_name }}"
   docker_network:
     name: "{{ docker_network_name }}"
@@ -99,7 +106,11 @@
   with_items:
     - bitergia-logo.png
     - custom_404.html
-    - default.conf
+  when: nginx_default_host is defined
+
+- name: Confgure virtualhost for default host
+  include_tasks: virtualhost_default.yml
+  when: nginx_default_host is defined
 
 - name: Start NGINX container with virtualhost(s)
   docker_container:
diff --git a/ansible/roles/nginx/tasks/virtualhost_default.yml b/ansible/roles/nginx/tasks/virtualhost_default.yml
@@ -0,0 +1,48 @@
+---
+
+- name: "Get {{ nginx_default_host }} certificate info"
+  shell: openssl x509 -in "{{ nginx_letsencrypt_configdir }}/live/{{ nginx_default_host }}/cert.pem" -noout -dates | awk -F= '/notAfter=/ {print $2}'
+  register: cert_info
+  when: custom_cert is undefined
+
+- name: "Show {{ nginx_default_host }} certificate info"
+  debug:
+    msg: "{{ cert_info }}"
+  when: custom_cert is undefined
+
+- name: "Create certificate for {{ nginx_default_host }}"
+  command: "certbot -n certonly --webroot -w {{ nginx_letsencrypt_webroot_path }} -d {{ nginx_default_host }} --work-dir {{ nginx_letsencrypt_workdir }} --logs-dir {{ nginx_letsencrypt_logsdir }} --config-dir {{ nginx_letsencrypt_configdir }}"
+  args:
+    creates: "{{ nginx_letsencrypt_workdir }}/live/{{ nginx_default_host }}"
+  ignore_errors: true
+  when: custom_cert is undefined and cert_info.stderr
+
+- name: "Copy custom SSL certificates"
+  run_once: true
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - src: "{{ custom_cert.cert if custom_cert is defined else 'cert.crt' }}"
+      dest: "{{ nginx_certs_dir }}/custom.crt"
+      owner: '1000'
+      group: '1000'
+      mode: '0644'
+    - src: "{{ custom_cert.key if custom_cert is defined else 'cert.key' }}"
+      dest: "{{ nginx_certs_dir }}/custom.key"
+      owner: '1000'
+      group: '1000'
+      mode: '0600'
+  loop_control:
+    label: "{{ item.dest }}"
+  when: custom_cert is defined
+
+- name: "Create virtualhost configuration for default.conf"
+  template:
+    src: default.conf.j2
+    dest: "{{ nginx_virtualhosts_workdir }}/default.conf"
+    backup: true
+  when: nginx_default_host is defined
diff --git a/ansible/roles/nginx/templates/default.conf.j2 b/ansible/roles/nginx/templates/default.conf.j2
@@ -0,0 +1,35 @@
+{% include 'vhost_port_80.j2' %}
+
+server {
+    listen 443 ssl default_server;
+    http2 on;
+
+    server_name {{ nginx_default_host}};
+
+{% if custom_cert is defined %}
+    ssl_certificate /etc/ssl/certs/custom.crt;
+    ssl_certificate_key /etc/ssl/certs/custom.key;
+{% else %}
+    ssl_certificate /etc/ssl/certbot_certs/live/{{ nginx_default_host }}/fullchain.pem;
+    ssl_certificate_key /etc/ssl/certbot_certs/live/{{ nginx_default_host }}/privkey.pem;
+{% endif %}
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers {{ nginx_ssl_ciphers }};
+    ssl_prefer_server_ciphers off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    error_page 404 /custom_404.html;
+
+    location = /custom_404.html {
+        root /etc/nginx/conf.d;
+        internal;
+    }
+
+    location /bitergia-logo.png {
+        root /etc/nginx/conf.d;
+    }
+}
diff --git a/ansible/roles/nginx/templates/vhost.j2 b/ansible/roles/nginx/templates/vhost.j2
@@ -20,7 +20,7 @@ server {
 {% endif %}
     ssl_protocols TLSv1.3 TLSv1.2;
     ssl_ecdh_curve X25519:prime256v1:secp384r1;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
+    ssl_ciphers {{ nginx_ssl_ciphers }};
     ssl_prefer_server_ciphers off;
     ssl_stapling on;
     ssl_stapling_verify on;
diff --git a/ansible/roles/nginx/templates/vhost_port_80.j2 b/ansible/roles/nginx/templates/vhost_port_80.j2
@@ -1,7 +1,11 @@
 server {
+{% if instance is undefined and nginx_default_host is defined %}
+    listen 80 default_server;
+    server_name {{ nginx_default_host}};
+{% else %}
     listen 80;
-
     server_name {{ instance.nginx.fqdn }};
+{% endif %}
 
 {% if custom_cert is undefined %}
     location /.well-known/acme-challenge/ {
@@ -12,4 +16,13 @@ server {
     location / {
         return 301 https://$server_name$request_uri;
     }
+
+{% if instance is undefined and nginx_default_host is defined %}
+    error_page 404 /custom_404.html;
+
+    location = /custom_404.html {
+        root /etc/nginx/conf.d;
+        internal;
+    }
+{% endif %}
 }
diff --git a/docs/deployment_and_config.md b/docs/deployment_and_config.md
@@ -155,9 +155,12 @@ all:
     # Mordred Settings
     mordred_setups_repo_url: <repo_mordred_config.git>
 
-    # Ngninx Certbot
+    # Nginx Certbot
     letsencrypt_register_email: <letsencrypt_register_email>
 
+    ## Uncomment to define an Nginx Default host
+    #nginx_default_host: <nginx_defualt_fqdn>
+
     ## Uncomment to define custom certificates. Otherwise it will create Let's Encrypt certificates.
     #custom_cert:
     #  cert: custom.crt
@@ -257,6 +260,7 @@ Replace the entries in `<>` with your values:
   to the proxied server (by default is `75`).
 - `letsencrypt_register_email`: email used for registration, recovery contact,
   and warnings about expired certs on Let's Encrypt.
+- `nginx_defualt_fqdn` (optional): enable a default host (404 page not found).
 
 After configuring these parameters, you need to configure the instances of the
 task scheduler (Mordred) and Nginx virtual host. You need a task scheduler for each project
