roles/archweb: Change the nginx template to handle the includes and rework the alternate domains

Changed the nginx template to handle includes and also reworked the way the dict is used, by using the dict2items filter on the template directly. We also have create a custom template for ipxe.archlinux.org using weaker ciphers.

roles/archweb: Change the nginx template to handle the includes and rework the alternate domains
Changed the nginx template to handle includes and also reworked the way the dict is used, by using the dict2items filter on the template directly. We also have create a custom template for ipxe.archlinux.org using weaker ciphers.
cc3cc143 · Giancarlo Razzolini · be8ff7e5 · cc3cc143 · cc3cc143
Verified Commit cc3cc143 authored Dec 20, 2019 by Giancarlo Razzolini
--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ domain['domain_name'] }};
+
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ domain['domain_name'] }};
+
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
+
+    ssl_ciphers AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
+
+    location /releng/netboot {
+        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
+        include uwsgi_params;
+        uwsgi_pass archweb;
+    }
+
+    # Cache django's css, js and png files.
+    location /static {
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+        alias /srv/http/archweb/collected_static;
+    }
+
+    location / {
+        access_log off;
+        return 301 https://{{ archweb_domain }}$request_uri;
+    }
+}
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
 upstream archweb {
    server unix:///run/uwsgi/archweb.sock;
 }
-{% if archweb_alternate_domains %}
-{% for domain in archweb_alternate_domains %}
+
+{% if archweb_domains_templates -%}
+{% for domain in archweb_domains_templates | dict2items(key_name='domain_name', value_name='template_name') %}
+{% include domain['template_name'] %}
+{% endfor %}
+{%- endif %}
+
+{% if archweb_domains_redirects %}
+{% for domain in archweb_domains_redirects | dict2items(key_name='domain', value_name='redirect') %}

 server {
    listen       80;
    listen       [::]:80;
-    server_name  {{ domain }};
+    server_name  {{ domain['domain'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
@@ -23,7 +30,7 @@ server {
 server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
-    server_name  {{ domain }};
+    server_name  {{ domain['domain'] }};

    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;
@@ -34,12 +41,7 @@ server {

    location / {
        access_log off;
-        return 301 https://{{ archweb_domain }}
-        {%- if archweb_domains_redirects -%}
-            {{ archweb_domains_redirects[domain]|default('$request_uri') }}
-        {%- else -%}
-           $request_uri
-        {%- endif %};
+        return 301 https://{{ archweb_domain }}{{ domain['redirect']|default('$request_uri') }};
    }
 }
 {% endfor %}