ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/pihole/templates/01-pihole.conf.j2

64 lines
2.2 KiB
Django/Jinja
Raw Permalink Blame History

{% set pihole_domain = inventory_hostname.split(".")[1:] | join(".") %}
{% set pihole_url_main = pihole_url.split(".")[0] ~ "." ~ pihole_domain %}
server {
listen 443 ssl http2;
{% if inventory_hostname in wg_clients -%}
{% if wg_clients[inventory_hostname].ip == pihole_listen_addr -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
{% endif -%}
{% endif -%}
include /etc/nginx/authelia_internal.conf;
include /etc/nginx/require_auth.conf;
include listen-proxy-protocol.conf;
include /etc/nginx/sudo-known.conf;
server_name {{ pihole_url }} {{ inventory_hostname }} ;
location / {
return 302 https://$host/admin/;
}
location /admin {
# wtf..why is there? breaks json responses (and changes conent-type)
#add_before_body /.sudo-known/info.html;
proxy_pass http://{{pihole_http_inet}}:{{ pihole_http_port }};
include /etc/nginx/require_auth_proxy.conf;
proxy_set_header Host $host;
proxy_set_header Origin $host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts are in seconds, 300s == 5min
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
access_log /var/log/nginx/access_{{ pihole_url }}.log main;
error_log /var/log/nginx/error_{{ pihole_url }}.log warn;
ssl_session_timeout 5m;
ssl_certificate /usr/local/etc/certs/{{ pihole_ssl }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ pihole_ssl }}/privkey.pem;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
}
View Git Blame Copy Permalink