From bb988dd35468ac463dff5287f0b7d4cc80db24b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Thu, 16 Jun 2022 14:02:53 +0200
Subject: [PATCH] nginx: Configure templated snippets

For now only a config that allows internal access to critical parts of a page. In this case that means the server itself and the VPN subnet.
---
 roles/nginx/tasks/main.yml | 11 +++++++++++
 roles/nginx/templates/internal_access.conf.j2 | 5 +++++
 2 files changed, 16 insertions(+)
 create mode 100644 roles/nginx/templates/internal_access.conf.j2

diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 5e347fc..072a463 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -31,6 +31,17 @@
 with_fileglob: files/snippets/*
 notify: restart nginx
 
+- name: Copy templated snippets
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - internal_access.conf
+ notify: restart nginx
+
 - name: create nginx.d directory
 ansible.builtin.file:
 state: directory
diff --git a/roles/nginx/templates/internal_access.conf.j2 b/roles/nginx/templates/internal_access.conf.j2
new file mode 100644
index 0000000..fe523bb
--- /dev/null
+++ b/roles/nginx/templates/internal_access.conf.j2
@@ -0,0 +1,5 @@
+allow 127.0.0.1;
+allow {{ ipv4_address }};
+allow {{ ipv6_address }};
+allow {{ wireguard_vpn_subnet }};
+deny all;
-- 
2.44.0
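Review bot: Nothing in the new `Copy templated snippets` task checks the rendered file before `notify: restart nginx` fires, so a host where one of the template variables is empty or malformed gets an invalid `allow` line and a restart that would likely leave nginx down. The `restart nginx` handler is not part of this patch; if it does not already do so, it should run `nginx -t` before restarting, because the template module's `validate:` option cannot test a snippet that is not a complete configuration. Separately, `mode: 0644` is better written `mode: "0644"`, so the permission never depends on how the YAML parser reads a leading-zero integer.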
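Review bot: The allow list in `internal_access.conf.j2` trusts `127.0.0.1` and the host's own `ipv4_address`/`ipv6_address`, so any request that originates on the server itself, including one relayed by a local proxy or by an application making server-side requests, is treated as internal, and the snippet should say so. I would add a first line such as `# Source-address ACL: requests proxied from this host count as internal; nginx must see the real client address.` The check is made against the connection's source address, so it only holds if nothing in front of nginx rewrites that address, which this patch does not show. The IPv6 loopback is not listed, so local access over IPv6 is denied while IPv4 is allowed; add `allow ::1;` if that is not intended. Checking that `wireguard_vpn_subnet` is a narrow CIDR before rendering, for example in an `ansible.builtin.assert` task, would keep an overly broad value from silently opening the protected locations.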