commit 25-05-2026_13:32

2026-05-25 13:32:29 +04:00 · 2026-05-25 13:32:29 +04:00 · 889bf19319
commit 889bf19319
parent ba82ec5dff
10 changed files with 357 additions and 1 deletions
--- a/MY/hosts.yaml
+++ b/MY/hosts.yaml
@ -12,7 +12,8 @@ all_servers:
    hip:
      hosts:
        #france#        83.171.226.120
-        93.177.116.129
+        93.177.116.129:
          ansible_port: 35130
      vars:
        ansible_user: pycm1k
        docker_overlay_net_subnet: 11.101.0.0/24
--- a/MY/nginx/nginx.conf
+++ b/MY/nginx/nginx.conf
@ -0,0 +1,68 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 events {
        worker_connections 768;
        # multi_accept on;
 }
 http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ##
        # SSL Settings
        ##
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ##
        # Gzip Settings
        ##
        gzip on;
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
 }
 stream {
        include /etc/nginx/stream-enabled/*.conf;
 }
--- a/MY/nginx/sites-enabled/moamo.duckdns.org
+++ b/MY/nginx/sites-enabled/moamo.duckdns.org
@ -0,0 +1,11 @@
 server {
    server_name moamo.duckdns.org;
    listen moamo.duckdns.org:80;
    include acme;
    location / {
        return 404;
    }
 }
--- a/MY/nginx/sites-enabled/tormob.duckdns.org
+++ b/MY/nginx/sites-enabled/tormob.duckdns.org
@ -0,0 +1,45 @@
 server {
    server_name tormob.duckdns.org;
    index index.html;
    include acme;
    location / {
 #        proxy_pass http://11.101.0.3:8090/;
        proxy_pass http://11.200.0.2:8090/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        client_max_body_size 0;
    }
    location /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
 #    listen [::]:443 ssl http2; # managed by Certbot
    listen 7443 ssl; 
    #http2 on; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
 }
 server {
    if ($host = tormob.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen 80;
 #        listen [::]:80;
        server_name tormob.duckdns.org;
    return 404; # managed by Certbot
 }
--- a/MY/nginx/stream-enabled/proxy.conf
+++ b/MY/nginx/stream-enabled/proxy.conf
@ -0,0 +1,34 @@
 map $ssl_preread_server_name $sni_name {
    hostnames;
    www.vk.com      xray;
    vk.com          xray;
    www.eh.vk.com   xray;
    eh.vk.com       xray;
    tshk.duckdns.org    openconnect;
    duckdns.org           www;
    *.duckdns.org         www;
    default              vk;
 }
 upstream xray {
    server 11.101.0.254:6443;
 }
 upstream www {
    server 127.0.0.1:7443;
 }
 upstream vk {
    server 87.240.137.164:443;
 }
 upstream openconnect {
    server 127.0.0.1:5443;
 }
 server {
    listen          443;
    proxy_pass      $sni_name;
    ssl_preread     on;
 }
--- a/MY/nginx_install.yaml
+++ b/MY/nginx_install.yaml
@ -0,0 +1,69 @@
 ---
 - name: Install and configure nginx with stream module
  hosts: hip
  become: yes
  gather_facts: yes
  tasks:
    - name: Update apt cache
      apt:
        update_cache: yes
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"
    - name: Install nginx with stream module
      apt:
        name: 
          - nginx
          - libnginx-mod-stream
        state: present
      when: ansible_os_family == "Debian"
    - name: Create stream log directory
      file:
        path: /var/log/nginx/stream
        state: directory
        owner: www-data
        group: adm
        mode: '0755'
    - name: Create stream config directory
      file:
        path: /etc/nginx/stream-conf.d
        state: directory
        owner: root
        group: root
        mode: '0755'
    - name: Deploy stream configuration
      template:
        src: templates/nginx/nginx-stream.conf.j2
        dest: /etc/nginx/stream-conf.d/default.conf
        owner: root
        group: root
        mode: '0644'
      notify: restart nginx
    - name: Configure main stream block in nginx.conf
      blockinfile:
        path: /etc/nginx/nginx.conf
        insertafter: EOF
        block: |
          stream {
              include /etc/nginx/stream-conf.d/*.conf;
          }
        marker: "### {mark} ANSIBLE MANAGED STREAM BLOCK ###"
      notify: restart nginx
    - name: Enable nginx service
      systemd:
        name: nginx
        enabled: yes
        state: started
  handlers:
    - name: restart nginx
      systemd:
        name: nginx
        state: restarted
        daemon_reload: yes
--- a/MY/nginx_sites.yaml
+++ b/MY/nginx_sites.yaml
@ -0,0 +1,22 @@
 ---
 - name: Deploy Nginx site configurations
  hosts: hip
  become: yes
  vars:
    nginx_sites_enabled_path: /etc/nginx/sites-enabled
  tasks:
    - name: Copy all configs from templates to sites-enabled
      copy:
        src: "templates/nginx/sites-enabled/"
        dest: "{{ nginx_sites_enabled_path }}/"
        owner: root
        group: root
        mode: '0644'
      notify: reload nginx
  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
--- a/MY/templates/nginx/nginx-stream.conf.j2
+++ b/MY/templates/nginx/nginx-stream.conf.j2
@ -0,0 +1,46 @@
 log_format stream_log '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received '
                      '$session_time "$ssl_preread_server_name" "$upstream_addr" '
                      '$upstream_bytes_sent $upstream_bytes_received';
 access_log /var/log/nginx/stream/access.log stream_log;
 error_log /var/log/nginx/stream/error.log;
 map $ssl_preread_server_name $sni_name {
    www.vk.com      xray;
    vk.com          xray;
    www.eh.vk.com   xray;
    eh.vk.com       xray;
    tshk.duckdns.org    openconnect;
    moamo.duckdns.org   telemt;
    duckdns.org           www;
    ~^[^.]+\.duckdns\.org$  www;
    default              vk;
 }
 upstream xray {
    server 11.101.0.254:6443;
 }
 upstream www {
    server 127.0.0.1:7443;
 }
 upstream vk {
    server 87.240.137.164:443;
 }
 upstream openconnect {
    server 127.0.0.1:5443;
 }
 upstream telemt {
    server 11.101.0.254:9443;
 }
 server {
    listen          443;
    proxy_pass      $sni_name;
    ssl_preread     on;
    proxy_connect_timeout 5s;
    proxy_timeout   24h;
 }
--- a/MY/templates/nginx/sites-enabled/default
+++ b/MY/templates/nginx/sites-enabled/default
@ -0,0 +1,15 @@
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Дефолтная локация Certbot'а работает "из коробки"
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    # Всё остальное — молчок
    location / {
        return 444;
    }
 }
--- a/MY/templates/nginx/sites-enabled/tormob.duckdns.org
+++ b/MY/templates/nginx/sites-enabled/tormob.duckdns.org
@ -0,0 +1,45 @@
 server {
    server_name tormob.duckdns.org;
    index index.html;
    include acme;
    location / {
 #        proxy_pass http://11.101.0.3:8090/;
        proxy_pass http://11.200.0.2:8090/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        client_max_body_size 0;
    }
    location /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
 #    listen [::]:443 ssl http2; # managed by Certbot
    listen 7443 ssl; 
    #http2 on; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
 }
 server {
    if ($host = tormob.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen 80;
 #        listen [::]:80;
        server_name tormob.duckdns.org;
    return 404; # managed by Certbot
 }