nginx: http2

ben 2024-09-06 19:28:21 +02:00
parent 72188002d3
commit 5578180f6a
19 changed files with 615 additions and 600 deletions


@ -1,56 +0,0 @@
---
- name: create airconnect dir
file:
path: "{{ airconnect_dir }}"
state: directory
mode: "0755"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- airconnect-dirs
- name: airconnect config files
template:
src: "{{ item.name }}.j2"
dest: "{{ airconnect_dir }}/{{ item.name }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
mode: "{{ item.mode | default('0644') }}"
notify: restart airconnect containers
with_items:
- name: airupnp.xml
loop_control:
label: "{{ item.name }}"
tags:
- airconnect-config
- airconnect
- name: "set up the airconnect containers"
docker_container:
name: airconnect-{{ item.prog }}
hostname: airconnect-{{ item.prog }}
image: git.sudo.is/ben/airconnect
detach: true
pull: true
auto_remove: false
restart_policy: "unless-stopped"
state: "{{ item.state | default('started') }}"
network_mode: host
user: "{{ owntone_user.uid }}:{{ owntone_group.gid }}"
env:
AIRCONNECT_PROG: "{{ item.prog }}"
AIRCONNECT_ARGS: "{{ item.args|default() }}"
mounts:
- type: bind
source: "{{ airconnect_dir }}/airupnp.xml"
target: /etc/airupnp.xml
read_only: true
tags:
- airconnect
- airconnect-container
- docker-containers
register: airconnect_containers_task
loop_control:
label: airconnect-{{ item.prog }}
with_items: "{{ airconnect_containers }}"


@ -1,5 +1,56 @@
---
- import_tasks: airconnect.yml
tags:
- airconnect
- homeaudio
- name: create airconnect dir
file:
path: "{{ airconnect_dir }}"
state: directory
mode: "0755"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- airconnect-dirs
- name: airconnect config files
template:
src: "{{ item.name }}.j2"
dest: "{{ airconnect_dir }}/{{ item.name }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
mode: "{{ item.mode | default('0644') }}"
notify: restart airconnect containers
with_items:
- name: airupnp.xml
loop_control:
label: "{{ item.name }}"
tags:
- airconnect-config
- airconnect
- name: "set up the airconnect containers"
docker_container:
name: airconnect-{{ item.prog }}
hostname: airconnect-{{ item.prog }}
image: git.sudo.is/ben/airconnect
detach: true
pull: true
auto_remove: false
restart_policy: "unless-stopped"
state: "{{ item.state | default('started') }}"
network_mode: host
user: "{{ owntone_user.uid }}:{{ owntone_group.gid }}"
env:
AIRCONNECT_PROG: "{{ item.prog }}"
AIRCONNECT_ARGS: "{{ item.args|default() }}"
mounts:
- type: bind
source: "{{ airconnect_dir }}/airupnp.xml"
target: /etc/airupnp.xml
read_only: true
tags:
- airconnect
- airconnect-container
- docker-containers
register: airconnect_containers_task
loop_control:
label: airconnect-{{ item.prog }}
with_items: "{{ airconnect_containers }}"
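Review bot: The container task at L98-L125 pulls `git.sudo.is/ben/airconnect` with no tag and `pull: true`, so every playbook run silently replaces the container with whatever `latest` currently is; the same applies to `git.sudo.is/ben/owntone-server:latest` in the owntone task file (L833-L835). Pin a tag or digest, or expose it as a variable, e.g. `image: "git.sudo.is/ben/airconnect:{{ airconnect_image_tag | default('latest') }}"`, so an upgrade is a reviewed change rather than a side effect of the next run. This content is moved from the deleted airconnect task file, so the issue predates the commit; whether the `- import_tasks: airconnect.yml` line at L70 survives the inlining cannot be told from the rendering, and if it does it now appears to point at a file this commit deletes.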


@ -1,108 +0,0 @@
---
- name: install certs
copy:
src: "/usr/local/etc/letsencrypt/live/{{ item }}"
dest: "/usr/local/etc/certs/"
owner: root
group: root
mode: 0755
tags:
- letsencrypt-certs
notify: reload nginx
vars:
prediff_cmd: echo
with_items:
- "{{ domain }}"
- "{{ inventory_hostname.split('.')[1:] | join('.') }}"
- name: create dir structure
file:
path: "/var/www/{{ item }}"
state: directory
mode: 0755
owner: hass
group: hass
tags:
- hass-dirs
- hass-nginx-dirs
loop_control:
label: "{{ item }}"
with_items:
- hass
- hass/entity_pictures
- name: copy entity picture files
copy:
src: "entity_pictures/{{ item }}"
dest: "/var/www/hass/entity_pictures/{{ item }}"
mode: 0644
owner: hass
group: hass
loop_control:
label: "{{ item }}"
with_items:
- sonos_dark.png
tags:
- hass-entity-pictures
- name: copy static files
copy:
src: "{{ item }}"
dest: /var/www/hass/{{ item }}
mode: 0644
owner: www-data
group: www-data
loop_control:
label: "{{ item }}"
with_items:
- valetudo-api.json
- dev.png
no_log: false
- name: template nginx vhosts for hass and friends
template:
src: "01-{{ item }}.conf.j2"
dest: /etc/nginx/sites-enabled/{{ item }}.conf
owner: root
group: root
mode: 0644
with_items:
- hass
- zwavejs
- valetudo
when:
- item in hass_nginx_vhosts
tags:
- nginx
- hass-nginx
- hass-vhosts
- hass-nginx-vhosts
- zwave-nginx
- hass-zwave
- hass-zwavejs
- hass-zigbee
- hass-zigbee2mqtt
- hass-deconz
notify: reload nginx
# different task because its better for the hass config to restart nginx
- name: template nginx vhost for grafana-proxy
template:
src: 01-grafana-proxy.j2
dest: /etc/nginx/sites-enabled/01-grafana
owner: root
group: root
mode: 0644
when:
- hass_grafana_proxy_vhost == true
tags:
- nginx
- grafana-proxy-nginx
notify: reload nginx
- name: start and enable nginx
service:
name: nginx
state: started
enabled: true


@ -1,5 +1,108 @@
---
- import_tasks: hass-nginx.yml
tags:
- hass
- hass-nginx
- name: install certs
copy:
src: "/usr/local/etc/letsencrypt/live/{{ item }}"
dest: "/usr/local/etc/certs/"
owner: root
group: root
mode: 0755
tags:
- letsencrypt-certs
notify: reload nginx
vars:
prediff_cmd: echo
with_items:
- "{{ domain }}"
- "{{ inventory_hostname.split('.')[1:] | join('.') }}"
- name: create dir structure
file:
path: "/var/www/{{ item }}"
state: directory
mode: 0755
owner: hass
group: hass
tags:
- hass-dirs
- hass-nginx-dirs
loop_control:
label: "{{ item }}"
with_items:
- hass
- hass/entity_pictures
- name: copy entity picture files
copy:
src: "entity_pictures/{{ item }}"
dest: "/var/www/hass/entity_pictures/{{ item }}"
mode: 0644
owner: hass
group: hass
loop_control:
label: "{{ item }}"
with_items:
- sonos_dark.png
tags:
- hass-entity-pictures
- name: copy static files
copy:
src: "{{ item }}"
dest: /var/www/hass/{{ item }}
mode: 0644
owner: www-data
group: www-data
loop_control:
label: "{{ item }}"
with_items:
- valetudo-api.json
- dev.png
no_log: false
- name: template nginx vhosts for hass and friends
template:
src: "01-{{ item }}.conf.j2"
dest: /etc/nginx/sites-enabled/{{ item }}.conf
owner: root
group: root
mode: 0644
with_items:
- hass
- zwavejs
- valetudo
when:
- item in hass_nginx_vhosts
tags:
- nginx
- hass-nginx
- hass-vhosts
- hass-nginx-vhosts
- zwave-nginx
- hass-zwave
- hass-zwavejs
- hass-zigbee
- hass-zigbee2mqtt
- hass-deconz
notify: reload nginx
# different task because its better for the hass config to restart nginx
- name: template nginx vhost for grafana-proxy
template:
src: 01-grafana-proxy.j2
dest: /etc/nginx/sites-enabled/01-grafana
owner: root
group: root
mode: 0644
when:
- hass_grafana_proxy_vhost == true
tags:
- nginx
- grafana-proxy-nginx
notify: reload nginx
- name: start and enable nginx
service:
name: nginx
state: started
enabled: true
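Review bot: The `install certs` task (L240-L254) copies the whole `/usr/local/etc/letsencrypt/live/{{ item }}` directory with `mode: 0755`, and `copy` applies `mode` to every file it creates, so `privkey.pem` lands in `/usr/local/etc/certs/` world-readable; the same task is carried into the owntone task file at L695-L708. Keep the key private, e.g. `mode: "0640"` together with `directory_mode: "0755"` (the nginx master process typically reads the key as root before dropping privileges), and quote the octal modes throughout these moved tasks (`mode: 0644`, `mode: 0600`) so they are not subject to YAML 1.1 integer parsing and ansible-lint's octal check. This content is moved from the deleted file, so the defect predates the commit.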


@ -1,5 +1,10 @@
server {
listen 443 ssl http2;
listen 443 ssl;
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
include /etc/nginx/sudo-known.conf;
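Review bot: `http2 on;` at L348 is a directive that only exists in nginx 1.25.1 or newer; on an older release `nginx -t` fails with an unknown-directive error, and since `nginx_http2` defaults to true (L467) the role breaks on such hosts at reload time rather than at template time. The same block is added at L434-L438, L454-L458, L495-L499 and L1232-L1236. Either gate the directive on the installed nginx version (a fact gathered in the role, or an `assert` before templating) or document the requirement next to the `nginx_http2` default. The `{% else -%}http2 off;{% endif %}` branch only restates the nginx default and could be dropped to keep the templates shorter; the enclosing `server` block continues outside the hunk.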


@ -1,14 +1,19 @@
map $http_upgrade $connection_upgrade {
default Upgrade;
default upgrade;
'' close;
}
#default $http_connection;
server {
listen 443 ssl http2;
listen 443 ssl;
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
# include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;
@ -27,35 +32,30 @@ server {
location / {
#proxy_set_header Host $host;
proxy_set_header Host "{{ hass_url }}";
proxy_set_header X-Forwarded-For $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-For $remote_addr;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header X-Forwarded-Protocol $scheme;
#proxy_set_header X-Forwarded-Host $http_host;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header Host "{{ hass_url }}";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_redirect http:// https://;
#proxy_http_version 1.1;
#proxy_buffering off;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:8123;
}
location = /api/websocket {
#proxy_set_header Host $host;
proxy_set_header Host "{{ hass_url }}";
proxy_set_header X-Forwarded-For $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header X-Forwarded-Protocol $scheme;
#proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Connection "Upgrade";
#proxy_redirect http:// https://;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_http_version 1.1;
#proxy_buffering off;
proxy_pass http://127.0.0.1:8123;
}
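Review bot: At L392 and L413 the hass proxy switches `X-Forwarded-For` from `$remote_addr` to `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent instead of replacing it; a client can therefore place an arbitrary address first in the list, and an upstream that trusts the leftmost entry (Home Assistant's trusted-proxy handling behaves this way as far as I recall — worth confirming) would attribute the request to that address, which matters for IP bans and trusted-network auth. Unless another trusted proxy sits in front of this nginx, `proxy_set_header X-Forwarded-For $remote_addr;` (the previous value) is the safer choice for both `location` blocks. Both locations close within the hunk; the surrounding `server` block does not.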


@ -6,10 +6,15 @@ map $http_upgrade $connection_upgrade {
server {
{% set domain = valetudo_url.split('.')[1:] | join('.') %}
listen 443 ssl http2;
listen 443 ssl;
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
# include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;


@ -4,10 +4,15 @@ map $http_upgrade $connection_upgrade {
'' close;
}
server {
listen 443 ssl http2;
listen 443 ssl;
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
# include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;


@ -5,4 +5,4 @@ nginx_vhosts: []
nginx_subdirs: {}
nginx_cleanup: true
nginx_http2: true
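Review bot: `nginx_http2: true` at L467 now drives the `http2` directive in the vhost templates, but nothing in the defaults says what it does or that the directive needs nginx 1.25.1 or newer, so a host on an older package fails at reload. A one-line comment above it, `# render the http2 directive in templated vhosts; needs nginx >= 1.25.1, set false on older releases`, would make the constraint visible where the variable is set.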


@ -81,7 +81,7 @@
- uploadsize.conf
tags:
- nginx-conf
- nginx-conf
- nginx.d
notify: reload nginx
- name: template config files
@ -97,6 +97,7 @@
- sudo-known.conf
- well-known.conf
tags:
- nginx.conf
- nginx-conf
- authelia-nginx
- well-known


@ -18,7 +18,12 @@ server {
}
server {
listen 443 ssl http2 default_server;
listen 443 ssl default_server;
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
# listen [::]:443 ssl; # listen for ipv6


@ -1,4 +1,9 @@
listen 40443 ssl http2 proxy_protocol;
listen 40443 ssl proxy_protocol;
{% if nginx_http2 -%}
#http2 on;
{% else -%}
#http2 off;
{% endif %}
real_ip_header proxy_protocol;
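Review bot: The `{% if nginx_http2 -%}` block at L507-L511 renders only `#http2 on;` or `#http2 off;`, so it is Jinja logic whose every outcome is a comment; presumably the directive is commented out because this file is included into `server` blocks that already set `http2` and a second occurrence would be rejected as a duplicate directive, but the template does not say so. Either remove the block or replace it with a Jinja comment, `{# http2 is set by the including server block; a second directive here would be rejected as a duplicate #}`, so the next reader does not re-enable it. The same commented-out form appears at L1279-L1283 and L1295-L1299.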


@ -44,6 +44,7 @@ http {
' "authelia_email": "$authelia_email", '
' "authelia_groups": "$authelia_groups", '
' "time_local": "$time_local", '
' "timestamp": "$time_iso8601", '
' "request": "$request", '
' "request_method": "$request_method", '
' "request_uri": "$request_uri", '
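Review bot: The added `' "timestamp": "$time_iso8601", '` line is harmless on its own, but this hand-built JSON log line also carries client-controlled fields (`$request`, `$request_uri`, `$authelia_email`); unless the enclosing `log_format` (its header is above this hunk) declares `escape=json`, a quote or backslash in a request URI breaks the record or lets a client inject extra keys into it. If the header is a plain `log_format main '...'`, change it to `log_format main escape=json '...'` and confirm the log consumer still parses the output.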


@ -1,54 +1,58 @@
{% for vhost in nginx_vhost_proxies %}
server {
{% if vhost.interface is defined %}
listen {{ vhost.interface }}:443 ssl http2;
listen {{ vhost.interface }}:443 ssl;
{% else %}
listen 443 ssl http2;
listen 443 ssl;
# listen [::]:443 ssl; # listen for ipv6
{% endif %}
server_name {{ vhost.name }} {{ vhost.aliases | default([]) | join(" ") }};
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
{% if 'ws' in vhost %}
location /{{ vhost.ws }}/ {
proxy_pass {{ vhost.upstream }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
{% endif %}
server_name {{ vhost.name }} {{ vhost.aliases | default([]) | join(" ") }};
location / {
proxy_pass {{ vhost.upstream }}/;
{% if 'ws' in vhost %}
location /{{ vhost.ws }}/ {
proxy_pass {{ vhost.upstream }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
{% endif %}
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass {{ vhost.upstream }}/;
}
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log /var/log/nginx/access_{{ vhost.name }}.log main;
error_log /var/log/nginx/error_{{ vhost.name }}.log warn;
access_log /var/log/nginx/access_{{ vhost.name }}.log main;
error_log /var/log/nginx/error_{{ vhost.name }}.log warn;
ssl_session_timeout 5m;
ssl_session_timeout 5m;
ssl_certificate /usr/local/etc/certs/{{ inventory_hostname.split('.')[-2:] | join(".") }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ inventory_hostname.split('.')[-2:] | join(".") }}/privkey.pem;
ssl_certificate /usr/local/etc/certs/{{ inventory_hostname.split('.')[-2:] | join(".") }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ inventory_hostname.split('.')[-2:] | join(".") }}/privkey.pem;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-Powered-By;
}
{% endfor %}
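Review bot: The new layout moves `proxy_redirect` and the `proxy_set_header X-Real-IP` / `X-Forwarded-*` lines (L574-L579) out of `location /` to the `server` level, if the `}` at L573 closes `location /` as the flattened rendering suggests; `proxy_set_header` is not merged across levels in nginx — a location that sets any `proxy_set_header` inherits none from the server — so the `/{{ vhost.ws }}/` location (L545-L551), which sets `Upgrade`, `Connection` and `Host`, will not send `X-Forwarded-For` or `X-Forwarded-Proto` to its upstream. If the websocket upstream needs the client address (rate limiting, trusted-proxy checks), repeat those `proxy_set_header` lines inside the websocket location. The old nested form had the same inheritance gap, so this may simply be the status quo being kept.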


@ -1,6 +1,325 @@
---
- import_tasks: owntone.yml
- name: create dir structure
file:
state: directory
path: "{{ owntone_path }}/{{ item.name }}"
mode: "{{ item.mode | default('0770') }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-dirs
loop_control:
label: "{{ owntone_path }}/{{ item.name }}"
with_items:
- name: ''
mode: '0750'
- name: config
- name: log
- name: fifo
- name: create log dir (used when running as systemd service)
file:
state: directory
path: /var/log/owntone
mode: '0775'
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-log-dir
- owntone-dirs
- name: create pulseaudio dirs
file:
state: directory
path: "{{ item }}"
mode: '0644'
owner: root
group: root
loop_control:
label: "{{ item }}"
tags:
- owntone-pulseaudio
with_items:
- /etc/pulse/system.pa.d
- name: ensure podcast audiobooks, and database dirs exists in {{ deadspace_root }}
file:
state: directory
path: "{{ deadspace_root }}/{{ item.name }}"
mode: "{{ item.mode | default('0750') }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-dirs
ignore_errors: "{{ item.mounted|default(false) }}"
loop_control:
label: "{{ deadspace_root }}/{{ item.name }}"
with_items:
- name: audiobooks
- name: podcasts
- name: music
- name: playlists
- name: local
- name: local/music
- name: local/compilations
- name: local/owntone
- name: local/owntone/pipes
- name: owntone
mode: '0750'
- name: owntone/data
- name: owntone/data/db
- name: create input pipe
command:
cmd: mkfifo "{{ deadspace_root }}/local/owntone/pipes/{{ item }}"
creates: "{{ deadspace_root }}/local/owntone/pipes/{{ item }}"
become_user: "{{ owntone_user.username }}"
loop_control:
label: "{{ item }}"
with_items:
- shairport-output.fifo
- shairport-metadata.fifo
tags:
- input.fifo
# disabled
when: false
- name: install certs
copy:
src: "/usr/local/etc/letsencrypt/live/{{ item }}"
dest: "/usr/local/etc/certs/"
owner: root
group: root
mode: 0755
tags:
- letsencrypt-certs
notify: reload nginx
vars:
prediff_cmd: echo
with_items:
- "{{ domain }}"
- name: template nginx vhost
template:
src: 01-owntone.conf.j2
dest: /etc/nginx/sites-enabled/01-owntone.conf
owner: root
group: root
mode: 0644
tags:
- nginx
- owntone-nginx
notify: reload nginx
- name: template config file
template:
src: owntone.conf.j2
dest: "/etc/owntone.conf"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
mode: 0644
notify:
- restart owntone
tags:
- owntone.conf
- name: rescan script for cronjob
template:
src: "{{ item }}.j2"
dest: /usr/local/bin/{{ item }}
owner: root
group: root
mode: 0755
tags:
- cron
- owntone-cron
with_items:
- owntone-trigger-rescan.sh
- name: cron file
template:
src: owntone-cron.j2
dest: /etc/cron.d/owntone
owner: root
group: root
mode: 0600
tags:
- cron
- owntone-cron
- name: copy radio playlists
copy:
src: playlists/
dest: "{{ deadspace_root }}/playlists/"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
directory_mode: "0755"
mode: "0644"
tags:
- owntone-playlists
- owntone-radio
- name: fuse allow other
lineinfile:
path: /etc/fuse.conf
line: user_allow_other
state: present
- name: install owntone and pulseaudio
when: not owntone_docker
apt:
name:
- owntone-server
- pulseaudio
- pulseaudio-dlna
update_cache: true
state: latest
tags:
- owntone-packages
- owntone-pulseaudio
- packages
# may not be needed, pacakge already proides other systemd unit files
# /etc/systemd/system/multi-user.target.wants/pulseaudio.service
# /etc/systemd/user/default.target.wants/pulseaudio.service
# /etc/systemd/user/sockets.target.wants/pulseaudio.socket
- name: template systemd unit files for pulseaudio
when: not owntone_docker
template:
src: "{{ item }}.j2"
dest: /etc/systemd/system/{{ item }}
owner: root
group: root
mode: 0644
notify: systemctl daemon-reload
loop_control:
label: "{{ item }}"
with_items:
- pulseaudio.service
- pulseaudio-dlna.service
tags:
- owntone-pulseaudio
- systemd
- name: start and enable pulseaudio services
when: not owntone_docker
service:
name: "{{ item }}"
state: started
enabled: true
loop_control:
label: "{{ item }}"
notify: restart dbus
with_items:
- pulseaudio
- pulseaudio-dlna
tags:
- owntone-pulseaudio
- systemd
- name: start and enable owntone service
when: not owntone_docker
service:
name: owntone
state: started
enabled: true
tags:
- systemd
register: owntone_service
- name: start owntone container
when: owntone_docker == true
docker_container:
name: owntone
#image: git.sudo.is/ben/owntone:latest
#image: git.sudo.is/ben/owntone:file-scan-dir-path
image: git.sudo.is/ben/owntone-server:latest
detach: true
pull: true
auto_remove: false
restart_policy: "unless-stopped"
state: "started"
container_default_behavior: compatibility
networks_cli_compatible: false
# not needed, owntone drop privileges to {{ owntone_user }}, set in owntone.conf
user: "{{ owntone_user.uid }}:{{ owntone_group.gid }}"
network_mode: host
privileged: false
security_opts: "apparmor=unconfined"
# network_mode: bridgewithdns
# networks:
# - name: bridgewithdns
# ipv4_address: "{{ bridgewithdns.owntone }}"
env:
VITE_OWNTONE_URL: "https://{{ owntone_url }}"
mounts:
- type: bind
source: /run/dbus
target: /run/dbus
- type: bind
source: /run/avahi-daemon/socket
target: /run/avahi-daemon/socket
- type: bind
source: "/etc/owntone.conf"
target: "/etc/owntone.conf"
- type: bind
source: "{{ owntone_path }}/config"
target: "/config"
- type: bind
source: "{{ owntone_path }}/fifo"
target: "/fifo"
- type: bind
source: "{{ owntone_path }}/log"
target: "/log"
- type: bind
source: "{{ deadspace_root }}/podcasts"
target: "{{ deadspace_root }}/podcasts"
- type: bind
source: "{{ deadspace_root }}/audiobooks"
target: "{{ deadspace_root }}/audiobooks"
- type: bind
source: "{{ deadspace_root }}/music"
target: "{{ deadspace_root }}/music"
- type: bind
source: "{{ deadspace_root }}/playlists"
target: "{{ deadspace_root }}/playlists"
- type: bind
source: "{{ deadspace_root }}/local"
target: "{{ deadspace_root }}/local"
- type: bind
source: "{{ deadspace_root }}/owntone"
target: "{{ deadspace_root }}/owntone"
tags:
- owntone-container
- docker-containers
- name: stop and disable owntone and services
when: owntone_docker == true
service:
name: "{{ item }}"
state: stopped
enabled: false
loop_control:
label: "{{ item }}"
with_items:
- owntone
- homeaudio
- pulseaudio
- pulseaudio-dlna
tags:
- owntone-pulseaudio
- systemd
- name: stop owntone container
when: not owntone_docker
docker_container:
name: owntone
state: stopped
ignore_errors: true
- name: clean up old config file
file:
state: absent
path: "{{ owntone_path }}/config/owntone.conf"
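Review bot: This inlined file is not a pure move: the `stop and disable owntone and services` loop at L900-L904 gains `homeaudio`, which the deleted file (L1208-L1211) did not list, and the `service` module fails when a unit does not exist, so hosts without a `homeaudio` unit would now fail in the docker path unless that unit is always present; either add `ignore_errors: true` as the container-stop task below it does, or a comment saying the unit is guaranteed by another role. Separately, the container at L827-L891 runs with `network_mode: host`, `security_opts: "apparmor=unconfined"` and a bind mount of `/run/dbus`, while `privileged: false` suggests least privilege was intended; a comment above `security_opts` stating why AppArmor confinement must be dropped would make that trade-off reviewable. Apart from the `homeaudio` entry, these points predate the move.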


@ -1,325 +0,0 @@
---
- name: create dir structure
file:
state: directory
path: "{{ owntone_path }}/{{ item.name }}"
mode: "{{ item.mode | default('0770') }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-dirs
loop_control:
label: "{{ owntone_path }}/{{ item.name }}"
with_items:
- name: ''
mode: '0750'
- name: config
- name: log
- name: fifo
- name: create log dir (used when running as systemd service)
file:
state: directory
path: /var/log/owntone
mode: '0775'
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-log-dir
- owntone-dirs
- name: create pulseaudio dirs
file:
state: directory
path: "{{ item }}"
mode: '0644'
owner: root
group: root
loop_control:
label: "{{ item }}"
tags:
- owntone-pulseaudio
with_items:
- /etc/pulse/system.pa.d
- name: ensure podcast audiobooks, and database dirs exists in {{ deadspace_root }}
file:
state: directory
path: "{{ deadspace_root }}/{{ item.name }}"
mode: "{{ item.mode | default('0750') }}"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
tags:
- owntone-dirs
ignore_errors: "{{ item.mounted|default(false) }}"
loop_control:
label: "{{ deadspace_root }}/{{ item.name }}"
with_items:
- name: audiobooks
- name: podcasts
- name: music
- name: playlists
- name: local
- name: local/music
- name: local/compilations
- name: local/owntone
- name: local/owntone/pipes
- name: owntone
mode: '0750'
- name: owntone/data
- name: owntone/data/db
- name: create input pipe
command:
cmd: mkfifo "{{ deadspace_root }}/local/owntone/pipes/{{ item }}"
creates: "{{ deadspace_root }}/local/owntone/pipes/{{ item }}"
become_user: "{{ owntone_user.username }}"
loop_control:
label: "{{ item }}"
with_items:
- shairport-output.fifo
- shairport-metadata.fifo
tags:
- input.fifo
# disabled
when: false
- name: install certs
copy:
src: "/usr/local/etc/letsencrypt/live/{{ item }}"
dest: "/usr/local/etc/certs/"
owner: root
group: root
mode: 0755
tags:
- letsencrypt-certs
notify: reload nginx
vars:
prediff_cmd: echo
with_items:
- "{{ domain }}"
- name: template nginx vhost
template:
src: 01-owntone.conf.j2
dest: /etc/nginx/sites-enabled/01-owntone.conf
owner: root
group: root
mode: 0644
tags:
- nginx
- owntone-nginx
notify: reload nginx
- name: template config file
template:
src: owntone.conf.j2
dest: "/etc/owntone.conf"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
mode: 0644
notify:
- restart owntone
tags:
- owntone.conf
- name: rescan script for cronjob
template:
src: "{{ item }}.j2"
dest: /usr/local/bin/{{ item }}
owner: root
group: root
mode: 0755
tags:
- cron
- owntone-cron
with_items:
- owntone-trigger-rescan.sh
- name: cron file
template:
src: owntone-cron.j2
dest: /etc/cron.d/owntone
owner: root
group: root
mode: 0600
tags:
- cron
- owntone-cron
- name: copy radio playlists
copy:
src: playlists/
dest: "{{ deadspace_root }}/playlists/"
owner: "{{ owntone_user.uid }}"
group: "{{ owntone_group.gid }}"
directory_mode: "0755"
mode: "0644"
tags:
- owntone-playlists
- owntone-radio
- name: fuse allow other
lineinfile:
path: /etc/fuse.conf
line: user_allow_other
state: present
- name: install owntone and pulseaudio
when: not owntone_docker
apt:
name:
- owntone-server
- pulseaudio
- pulseaudio-dlna
update_cache: true
state: latest
tags:
- owntone-packages
- owntone-pulseaudio
- packages
# may not be needed, pacakge already proides other systemd unit files
# /etc/systemd/system/multi-user.target.wants/pulseaudio.service
# /etc/systemd/user/default.target.wants/pulseaudio.service
# /etc/systemd/user/sockets.target.wants/pulseaudio.socket
- name: template systemd unit files for pulseaudio
when: not owntone_docker
template:
src: "{{ item }}.j2"
dest: /etc/systemd/system/{{ item }}
owner: root
group: root
mode: 0644
notify: systemctl daemon-reload
loop_control:
label: "{{ item }}"
with_items:
- pulseaudio.service
- pulseaudio-dlna.service
tags:
- owntone-pulseaudio
- systemd
- name: start and enable pulseaudio services
when: not owntone_docker
service:
name: "{{ item }}"
state: started
enabled: true
loop_control:
label: "{{ item }}"
notify: restart dbus
with_items:
- pulseaudio
- pulseaudio-dlna
tags:
- owntone-pulseaudio
- systemd
- name: start and enable owntone service
when: not owntone_docker
service:
name: owntone
state: started
enabled: true
tags:
- systemd
register: owntone_service
- name: start owntone container
when: owntone_docker == true
docker_container:
name: owntone
#image: git.sudo.is/ben/owntone:latest
#image: git.sudo.is/ben/owntone:file-scan-dir-path
image: git.sudo.is/ben/owntone-server:latest
detach: true
pull: true
auto_remove: false
restart_policy: "unless-stopped"
state: "started"
container_default_behavior: compatibility
networks_cli_compatible: false
# not needed, owntone drop privileges to {{ owntone_user }}, set in owntone.conf
user: "{{ owntone_user.uid }}:{{ owntone_group.gid }}"
network_mode: host
privileged: false
security_opts: "apparmor=unconfined"
# network_mode: bridgewithdns
# networks:
# - name: bridgewithdns
# ipv4_address: "{{ bridgewithdns.owntone }}"
env:
VITE_OWNTONE_URL: "https://{{ owntone_url }}"
mounts:
- type: bind
source: /run/dbus
target: /run/dbus
- type: bind
source: /run/avahi-daemon/socket
target: /run/avahi-daemon/socket
- type: bind
source: "/etc/owntone.conf"
target: "/etc/owntone.conf"
- type: bind
source: "{{ owntone_path }}/config"
target: "/config"
- type: bind
source: "{{ owntone_path }}/fifo"
target: "/fifo"
- type: bind
source: "{{ owntone_path }}/log"
target: "/log"
- type: bind
source: "{{ deadspace_root }}/podcasts"
target: "{{ deadspace_root }}/podcasts"
- type: bind
source: "{{ deadspace_root }}/audiobooks"
target: "{{ deadspace_root }}/audiobooks"
- type: bind
source: "{{ deadspace_root }}/music"
target: "{{ deadspace_root }}/music"
- type: bind
source: "{{ deadspace_root }}/playlists"
target: "{{ deadspace_root }}/playlists"
- type: bind
source: "{{ deadspace_root }}/local"
target: "{{ deadspace_root }}/local"
- type: bind
source: "{{ deadspace_root }}/owntone"
target: "{{ deadspace_root }}/owntone"
tags:
- owntone-container
- docker-containers
- name: stop and disable owntone and services
when: owntone_docker == true
service:
name: "{{ item }}"
state: stopped
enabled: false
loop_control:
label: "{{ item }}"
with_items:
- owntone
- pulseaudio
- pulseaudio-dlna
tags:
- owntone-pulseaudio
- systemd
- name: stop owntone container
when: not owntone_docker
docker_container:
name: owntone
state: stopped
ignore_errors: true
- name: clean up old config file
file:
state: absent
path: "{{ owntone_path }}/config/owntone.conf"


@ -17,11 +17,15 @@ server {
#listen {{ ansible_default_ipv4.address }}:443 ssl;
listen 443 ssl;
# listen 443 ssl http2;
{% if nginx_http2 -%}
http2 on;
{% else -%}
http2 off;
{% endif %}
# listen {{ owntone_port_tcp }};
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
# include listen-proxy-protocol.conf;


@ -1,35 +1,18 @@
{# server {
# server_name {%- for d in server_names %} {{ d }}{% endfor %};
#
# {% if inventory_hostname in wg_clients -%}
# listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
# {% endif -%}
# listen 443 ssl http2;
#
# include listen-proxy-protocol.conf;
#
# # but still include /.well-known/ and /.sudo-known/ urls.
# include /etc/nginx/well-known.conf;
# include /etc/nginx/sudo-known.conf;
#
# ssl_certificate /usr/local/etc/certs/www.{{ domain }}/fullchain.pem;
# ssl_certificate_key /usr/local/etc/certs/www.{{ domain }}/privkey.pem;
#
# location / {
# return 301 https://www.$http_host$request_uri;
# }
#
# access_log /var/log/nginx/access_{{ domain }}.log main;
# error_log /var/log/nginx/error_{{ domain }}.log warn;
# } #}
# {{ ansible_managed }}
server {
server_name docs.{{ domain }};
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
listen 443 ssl http2;
{% if nginx_http2 -%}
#http2 on;
{% else -%}
#http2 off;
{% endif %}
include listen-proxy-protocol.conf;
ssl_certificate /usr/local/etc/certs/docs.{{ domain }}/fullchain.pem;
@ -50,9 +33,15 @@ server {
server {
server_name {{ domain }} {%- for d in additional_server_names %} {{ d }} www.{{ d }}{% endfor %};
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
{% endif -%}
listen 443 ssl http2;
listen 443 ssl;
{% if nginx_http2 -%}
#http2 on;
{% else -%}
#http2 off;
{% endif %}
include listen-proxy-protocol.conf;
@ -243,12 +232,6 @@ server {
sub_filter 'href="rain"' 'href="rain/"';
sub_filter 'href="/docs/hass/rain"' 'href="/docs/hass/rain/"';
sub_filter '/docs/hass/rain' '/docs/hass/rain/';
#rewrite ^/docs/(.*)/index\.html$ /docs/$1/ redirect;
if ($canonical_url != "") {
include conf.d/headers-{{ domain }}.conf;
#add_header "Link" '<$canonical_url>; rel="canonical"; rel="preconnect"';
add_header "Link" '<$canonical_url>; rel="canonical"' always;
}
# results in redirect loop..?
#rewrite ^/docs/index.html /docs/ redirect;
@ -282,6 +265,7 @@ server {
#rewrite ^/docs/esphome/boards/(.*)\.html$ /docs/esphome/boards/$1/ redirect;
#rewrite ^/docs/esphome/boards/index(.*)$ /docs/esphome/boards/ redirect;
rewrite ^/docs/homeautomation/appletv.html$ /docs/hass/appletv redirect;
rewrite ^/docs/homeautomation/rain/index.html /docs/hass/rain/ redirect;
rewrite ^/docs/hass/appletv\.html$ /docs/hass/appletv/ redirect;
rewrite ^/docs/notes/cmds\.html$ /docs/notes/cmds/ redirect;
rewrite ^/docs/glossary/(.*)$ /docs/electronics/glossary/$1 redirect;
@ -317,13 +301,19 @@ server {
rewrite ^/docs/LICENSE(.*)$ /LICENSE.txt redirect;
rewrite ^/docs/.*/LICENSE(.*)$ /LICENSE.txt redirect;
#rewrite ^/docs/(.*)/index\.html$ /docs/$1/ redirect;
if ($canonical_url != "") {
include conf.d/headers-{{ domain }}.conf;
#add_header "Link" '<$canonical_url>; rel="canonical"; rel="preconnect"';
add_header "Link" '<$canonical_url>; rel="canonical"' always;
}
#rewrite ^/docs/LICENSE(.*)$ /LICENSE.txt redirect;
#rewrite ^/docs/.*/LICENSE(.*)$ /LICENSE.txt redirect;
include conf.d/headers-{{ domain }}.conf;
add_header X-Sudo-Section "docs" always;
}
location /cal/ {
location /cal/ {
include /etc/nginx/require_auth.conf;
include /etc/nginx/require_auth_proxy.conf;
@ -343,6 +333,12 @@ server {
add_header X-Remote-User $authelia_user always;
}
location /ls54/camera/ {
include /etc/nginx/require_auth.conf;
proxy_pass_request_headers on;
proxy_pass http://{{ ls54_camera_url }}/;
}
location /_media {
include conf.d/headers-{{ domain }}.conf;
include /etc/nginx/require_auth.conf;
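Review bot: HTTP/2 handling in this template is now inconsistent with the rest of the commit: the `docs.{{ domain }}` server keeps `listen 443 ssl http2;` (L1278) with `http2 on;` commented out (L1280), while the `{{ domain }}` server drops the listen parameter (L1294) and also comments out the directive (L1296), so with `nginx_http2: true` the main site serves HTTP/1.1 only and the docs site enables HTTP/2 regardless of the variable. If this is deliberate (an older nginx on this host, or a clash with the `http2` handling in `listen-proxy-protocol.conf`), say so in a Jinja comment; otherwise use the same `{% if nginx_http2 -%}http2 on;{% endif %}` block as the other vhosts and drop the parameter at L1278. The new `/ls54/camera/` location (L1342-L1346) proxies to the camera over plain HTTP with all request headers, which includes the session cookie that `require_auth.conf` relies on if that cookie is scoped to this domain; consider `proxy_set_header Cookie "";` there unless the camera needs it. All of these `server` blocks extend outside the hunks.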