commit 25-05-2026_13:32

2026-05-25 13:32:29 +04:00 · 2026-05-25 13:32:29 +04:00 · 889bf19319
commit 889bf19319
parent ba82ec5dff
10 changed files with 357 additions and 1 deletions
--- a/MY/hosts.yaml
+++ b/MY/hosts.yaml
@ -12,7 +12,8 @@ all_servers:
    hip:
      hosts:
        #france#        83.171.226.120
-        93.177.116.129
+        93.177.116.129:
+          ansible_port: 35130
      vars:
        ansible_user: pycm1k
        docker_overlay_net_subnet: 11.101.0.0/24
--- a/MY/nginx/nginx.conf
+++ b/MY/nginx/nginx.conf
@ -0,0 +1,68 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}
+
+
+stream {
+        include /etc/nginx/stream-enabled/*.conf;
+
+
+}
+
+
--- a/MY/nginx/sites-enabled/moamo.duckdns.org
+++ b/MY/nginx/sites-enabled/moamo.duckdns.org
@ -0,0 +1,11 @@
+server {
+    server_name moamo.duckdns.org;
+    listen moamo.duckdns.org:80;
+
+    include acme;
+
+    location / {
+        return 404;
+    }
+}
+
--- a/MY/nginx/sites-enabled/tormob.duckdns.org
+++ b/MY/nginx/sites-enabled/tormob.duckdns.org
@ -0,0 +1,45 @@
+server {
+    server_name tormob.duckdns.org;
+
+    index index.html;
+    include acme;
+    location / {
+#        proxy_pass http://11.101.0.3:8090/;
+        proxy_pass http://11.200.0.2:8090/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+        client_max_body_size 0;
+
+    }
+
+    location /.well-known/carddav {
+      return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+      return 301 $scheme://$host/remote.php/dav;
+    }
+
+#    listen [::]:443 ssl http2; # managed by Certbot
+    listen 7443 ssl; 
+    #http2 on; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
+    ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
+}
+
+server {
+    if ($host = tormob.duckdns.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+        listen 80;
+#        listen [::]:80;
+
+        server_name tormob.duckdns.org;
+    return 404; # managed by Certbot
+}
--- a/MY/nginx/stream-enabled/proxy.conf
+++ b/MY/nginx/stream-enabled/proxy.conf
@ -0,0 +1,34 @@
+map $ssl_preread_server_name $sni_name {
+    hostnames;
+    www.vk.com      xray;
+    vk.com          xray;
+    www.eh.vk.com   xray;
+    eh.vk.com       xray;
+    tshk.duckdns.org    openconnect;
+    duckdns.org           www;
+    *.duckdns.org         www;
+    default              vk;
+}
+
+upstream xray {
+    server 11.101.0.254:6443;
+}
+
+upstream www {
+    server 127.0.0.1:7443;
+}
+
+upstream vk {
+    server 87.240.137.164:443;
+}
+
+upstream openconnect {
+    server 127.0.0.1:5443;
+}
+
+server {
+    listen          443;
+    proxy_pass      $sni_name;
+    ssl_preread     on;
+}
+
--- a/MY/nginx_install.yaml
+++ b/MY/nginx_install.yaml
@ -0,0 +1,69 @@
+---
+- name: Install and configure nginx with stream module
+  hosts: hip
+  become: yes
+  gather_facts: yes
+
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 3600
+      when: ansible_os_family == "Debian"
+
+    - name: Install nginx with stream module
+      apt:
+        name: 
+          - nginx
+          - libnginx-mod-stream
+        state: present
+      when: ansible_os_family == "Debian"
+
+    - name: Create stream log directory
+      file:
+        path: /var/log/nginx/stream
+        state: directory
+        owner: www-data
+        group: adm
+        mode: '0755'
+
+    - name: Create stream config directory
+      file:
+        path: /etc/nginx/stream-conf.d
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Deploy stream configuration
+      template:
+        src: templates/nginx/nginx-stream.conf.j2
+        dest: /etc/nginx/stream-conf.d/default.conf
+        owner: root
+        group: root
+        mode: '0644'
+      notify: restart nginx
+
+    - name: Configure main stream block in nginx.conf
+      blockinfile:
+        path: /etc/nginx/nginx.conf
+        insertafter: EOF
+        block: |
+          stream {
+              include /etc/nginx/stream-conf.d/*.conf;
+          }
+        marker: "### {mark} ANSIBLE MANAGED STREAM BLOCK ###"
+      notify: restart nginx
+
+    - name: Enable nginx service
+      systemd:
+        name: nginx
+        enabled: yes
+        state: started
+
+  handlers:
+    - name: restart nginx
+      systemd:
+        name: nginx
+        state: restarted
+        daemon_reload: yes
--- a/MY/nginx_sites.yaml
+++ b/MY/nginx_sites.yaml
@ -0,0 +1,22 @@
+---
+- name: Deploy Nginx site configurations
+  hosts: hip
+  become: yes
+  vars:
+    nginx_sites_enabled_path: /etc/nginx/sites-enabled
+
+  tasks:
+    - name: Copy all configs from templates to sites-enabled
+      copy:
+        src: "templates/nginx/sites-enabled/"
+        dest: "{{ nginx_sites_enabled_path }}/"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: reload nginx
+
+  handlers:
+    - name: reload nginx
+      service:
+        name: nginx
+        state: reloaded
--- a/MY/templates/nginx/nginx-stream.conf.j2
+++ b/MY/templates/nginx/nginx-stream.conf.j2
@ -0,0 +1,46 @@
+log_format stream_log '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received '
+                      '$session_time "$ssl_preread_server_name" "$upstream_addr" '
+                      '$upstream_bytes_sent $upstream_bytes_received';
+
+access_log /var/log/nginx/stream/access.log stream_log;
+error_log /var/log/nginx/stream/error.log;
+
+map $ssl_preread_server_name $sni_name {
+    www.vk.com      xray;
+    vk.com          xray;
+    www.eh.vk.com   xray;
+    eh.vk.com       xray;
+    tshk.duckdns.org    openconnect;
+    moamo.duckdns.org   telemt;
+    duckdns.org           www;
+    ~^[^.]+\.duckdns\.org$  www;
+    default              vk;
+}
+
+upstream xray {
+    server 11.101.0.254:6443;
+}
+
+upstream www {
+    server 127.0.0.1:7443;
+}
+
+upstream vk {
+    server 87.240.137.164:443;
+}
+
+upstream openconnect {
+    server 127.0.0.1:5443;
+}
+
+upstream telemt {
+    server 11.101.0.254:9443;
+}
+
+server {
+    listen          443;
+    proxy_pass      $sni_name;
+    ssl_preread     on;
+    proxy_connect_timeout 5s;
+    proxy_timeout   24h;
+}
--- a/MY/templates/nginx/sites-enabled/default
+++ b/MY/templates/nginx/sites-enabled/default
@ -0,0 +1,15 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+    
+    # Дефолтная локация Certbot'а работает "из коробки"
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+    
+    # Всё остальное — молчок
+    location / {
+        return 444;
+    }
+}
--- a/MY/templates/nginx/sites-enabled/tormob.duckdns.org
+++ b/MY/templates/nginx/sites-enabled/tormob.duckdns.org
@ -0,0 +1,45 @@
+server {
+    server_name tormob.duckdns.org;
+
+    index index.html;
+    include acme;
+    location / {
+#        proxy_pass http://11.101.0.3:8090/;
+        proxy_pass http://11.200.0.2:8090/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+        client_max_body_size 0;
+
+    }
+
+    location /.well-known/carddav {
+      return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+      return 301 $scheme://$host/remote.php/dav;
+    }
+
+#    listen [::]:443 ssl http2; # managed by Certbot
+    listen 7443 ssl; 
+    #http2 on; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/pycm1k/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/pycm1k/privkey.pem; # managed by Certbot
+    ssl_trusted_certificate /etc/letsencrypt/live/pycm1k/chain.pem;
+}
+
+server {
+    if ($host = tormob.duckdns.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+        listen 80;
+#        listen [::]:80;
+
+        server_name tormob.duckdns.org;
+    return 404; # managed by Certbot
+}