cleanup nginx configs

host_vars/srv02.yml

-nginx:
-  enabled_sites:
-    - default
-    - ffhl-status
-    - firmware
-    - git.luebeck.freifunk.net
-    - grafana
-    - hopglass-map
-    - luebeck.freifunk.net
-    - wiki
-    - ffdyndns
-    - backbone

roles/services/files/nginx/sites-available/grafana

-proxy_cache_path /var/cache/nginx levels=1:2 inactive=10m max_size=1g keys_zone=grafana:1m;
-
-server {
-	listen 80;
-	listen [::]:80;
-
-	listen localhost:443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name monitor.luebeck.freifunk.net monitor.ffhl.de monitor.ffhl;
-
-	include snippets/acme.conf;
-	include snippets/tls.conf;
-	ssl_certificate /var/lib/acme/live/luebeck.freifunk.net/fullchain;
-	ssl_certificate_key /var/lib/acme/live/luebeck.freifunk.net/privkey;
-
-	if ($ssl_protocol = "") {
-		return 301 https://$host$request_uri;
-	}
-
-	location /render/ {
-		more_clear_headers 'Pragma';
-		more_clear_headers 'Cache-Control';
-		more_clear_headers 'Expires';
-		more_clear_headers 'last-modified';
-
-		add_header X-Cache-Status $upstream_cache_status;
-		expires 10m;
-		proxy_cache_key "$host$request_uri";
-
-		proxy_connect_timeout       300;
-		proxy_send_timeout          300;
-		proxy_read_timeout          300;
-		send_timeout                300;
-		proxy_cache grafana;
-		proxy_cache_min_uses 5;
-
-		proxy_hide_header Cache-Control;
-		proxy_hide_header Expires;
-		proxy_hide_header X-Accel-Expires;
-		proxy_cache_methods GET POST;
-		proxy_pass http://monitoring.net.ffhl.de:3000;
-	}
-
-	location / {
-		proxy_connect_timeout 5;
-		proxy_send_timeout 5;
-		proxy_read_timeout 5;
-		send_timeout 5;
-		proxy_pass http://monitoring.net.ffhl.de:3000;
-	}
-}

roles/services/files/nginx/sites/grafana

+server {
+	server_name monitor.luebeck.freifunk.net monitor.ffhl.de monitor.ffhl;
+	listen 80;
+	listen [::]:80;
+	listen localhost:443 ssl http2;
+	listen [::]:443 ssl http2;
+
+
+	include snippets/acme.conf;
+	include snippets/tls.conf;
+	include snippets/https-redirect.conf;
+	ssl_certificate /var/lib/acme/live/luebeck.freifunk.net/fullchain;
+	ssl_certificate_key /var/lib/acme/live/luebeck.freifunk.net/privkey;
+
+	return 302 https://monitoring.freifunknord.de$request_uri;
+}

roles/services/files/nginx/sites-available/services → roles/services/files/nginx/sites/services

 server {
+	server_name services.ffhl.de services.luebeck.freifunk.net;
 	listen 80;
 	listen [::]:80;
-	
 	listen localhost:443 ssl http2;
 	listen [::]:443 ssl http2;
 
-	server_name services.ffhl.de services.luebeck.freifunk.net;
-	
-	include tls.conf;
+	include snippets/tls.conf;
+	include snippets/acme.conf;
+	include snippets/https-redirect.conf;
+
 	ssl_certificate /var/lib/acme/live/luebeck.freifunk.net/fullchain;
-        ssl_certificate_key /var/lib/acme/live/luebeck.freifunk.net/privkey;
-	
-	if ($ssl_protocol = "") {
-		return 301 https://$host$request_uri;
-	}
-	
-	location / {
-		proxy_set_header HOST $host;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass https://yunohost.luebeck.freifunk.net;
-	}
+	ssl_certificate_key /var/lib/acme/live/luebeck.freifunk.net/privkey;
+
+	return 302 https://luebeck.freifunk.net;
+
+	#location / {
+	#	proxy_set_header HOST $host;
+	#	proxy_set_header X-Forwarded-Proto $scheme;
+	#	proxy_set_header X-Real-IP $remote_addr;
+	#	proxy_pass https://yunohost.luebeck.freifunk.net;
+	#}
 }

roles/services/tasks/nginx.yml

@@ -6,10 +6,16 @@
     install_recommends: no
     update_cache: yes
     name:
+      - openssl
       - nginx-full
       - libnginx-mod-http-fancyindex
       - libnginx-mod-http-headers-more-filter
 
+- name: generate dhparams (can take a while)
+  command:
+    cmd: openssl dhparam -out /etc/nginx/dhparam.pem 4096
+    creates: /etc/nginx/dhparam.pem
+
 - name: copy snippets
   copy:
     src: nginx/snippets
@@ -19,23 +25,30 @@
   copy:
     src: "{{ item }}"
     dest: /etc/nginx/sites-available/
-  with_fileglob: 'nginx/sites-available/*'
+  with_fileglob: 'nginx/sites/*'
 
 
 - name: enable sites
   block:
     - name: remove all enabled sites
-      file: state=absent path="/etc/nginx/sites-enabled/"
+      file:
+        state: absent
+        path: "/etc/nginx/sites-enabled/"
     - name: create enabled-sites directory
-      file: state=directory path="/etc/nginx/sites-enabled"
+      file:
+        state: directory
+        path: "/etc/nginx/sites-enabled"
     - name: enable selected sites
       file:
         state: link
-        src: "../sites-available/{{ item }}"
-        dest: "/etc/nginx/sites-enabled/{{ item }}"
-      with_items: "{{ nginx.enabled_sites }}"
+        src: "../sites-available/{{ item | basename }}"
+        dest: "/etc/nginx/sites-enabled/{{ item | basename }}"
+      with_fileglob: 'nginx/sites/*'
 
 
+- name: check nginx config
+  command:
+    cmd: nginx -t
 
 - name: restart nginx
   systemd: