Update to 2021-12-01 19:13

roles/lemonldap_ng/templates/httpd_handler.conf.j2

@@ -0,0 +1,14 @@
+PerlOptions +GlobalRequest
+PerlModule Lemonldap::NG::Handler::ApacheMP2
+
+# ErrorDocument 403 https://{{ llng_portal_vhost }}/?lmError=403
+# ErrorDocument 404 https://{{ llng_portal_vhost }}/?lmError=404
+# ErrorDocument 500 https://{{ llng_portal_vhost }}/?lmError=500
+# ErrorDocument 502 https://{{ llng_portal_vhost }}/?lmError=502
+# ErrorDocument 503 https://{{ llng_portal_vhost }}/?lmError=503
+
+<Location /llng-reload>
+  Require ip {{ llng_reload_src_ip | join(' ') }}
+  SetHandler perl-script
+  PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
+</Location>

roles/lemonldap_ng/templates/httpd_manager.conf.j2

@@ -0,0 +1,75 @@
+<VirtualHost 0.0.0.0:80>
+  ServerName {{ llng_manager_vhost }}
+  Include ansible_conf.d/common_env.inc
+  Include ansible_conf.d/common_letsencrypt.inc
+  Include ansible_conf.d/common_force_ssl.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost 0.0.0.0:443>
+    ServerName {{ llng_manager_vhost }}
+    SSLEngine On
+    Alias /_deferror/ "/usr/share/httpd/error/"
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_letsencrypt.inc
+
+{% if llng_manager_ssl is defined %}
+{% if llng_manager_ssl.cert is defined and llng_manager_ssl.key is defined %}
+    SSLCertificateFile {{ llng_manager_ssl.cert }}
+    SSLCertificateKeyFile {{ llng_manager_ssl.key }}
+{% if llng_manager_ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ llng_manager_ssl.cert_chain }}
+{% endif %}
+{% elif llng_manager_ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ llng_manager_ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ llng_manager_ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_manager_ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+{% endif %}
+    RewriteEngine On
+
+    RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
+    RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
+
+    FcgidMaxRequestLen 2000000
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
+    <Location />
+      Require ip {{ llng_manager_src_ip | join(' ') }}
+
+      <IfModule mod_deflate.c>
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+        SetOutputFilter DEFLATE
+        BrowserMatch ^Mozilla/4 gzip-only-text/html
+        BrowserMatch ^Mozilla/4\.0[678] no-gzip
+        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+      </IfModule>
+      <IfModule mod_headers.c>
+        Header append Vary User-Agent env=!dont-vary
+      </IfModule>
+    </Location>
+
+    Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static/
+    <Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
+      Require all granted
+      Options +FollowSymLinks
+    </Directory>
+
+    Alias /doc/ /usr/share/lemonldap-ng/doc/
+    Alias /lib/ /usr/share/lemonldap-ng/doc/pages/documentation/current/lib/
+    <Directory /usr/share/lemonldap-ng/doc/>
+        Require all granted
+        ErrorDocument 404 /notfound.html
+        Options +FollowSymLinks
+        DirectoryIndex index.html start.html
+    </Directory>
+
+    Header set Strict-Transport-Security 15768000
+  </VirtualHost>
+</IfModule>

roles/lemonldap_ng/templates/httpd_portal.conf.j2

@@ -0,0 +1,175 @@
+<VirtualHost 0.0.0.0:80>
+  ServerName {{ llng_portal_vhost }}
+  Include ansible_conf.d/common_env.inc
+  Include ansible_conf.d/common_letsencrypt.inc
+  Include ansible_conf.d/common_force_ssl.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost 0.0.0.0:443>
+    ServerName {{ llng_portal_vhost }}
+    SSLEngine On
+    Alias /_deferror/ "/usr/share/httpd/error/"
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_perf.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_letsencrypt.inc
+
+{% if llng_portal_ssl is defined %}
+{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
+    SSLCertificateFile {{ llng_portal_ssl.cert }}
+    SSLCertificateKeyFile {{ llng_portal_ssl.key }}
+{% if llng_portal_ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ llng_portal_ssl.cert_chain }}
+{% endif %}
+{% elif llng_portal_ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+{% endif %}
+
+    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
+        Require all granted
+        Options +ExecCGI +FollowSymLinks
+    </Directory>
+
+{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
+    SSLCACertificateFile {{ llng_portal_ssl.ca }}
+{% if llng_portal_ssl.crl is defined %}
+    SSLCARevocationFile {{ llng_portal_ssl.crl }}
+{% endif %}
+    <LocationMatch "^/($|\?url=.*|cas/login.*)">
+        SSLVerifyClient optional
+        SSLVerifyDepth 1
+        SSLOptions +StdEnvVars
+        SSLUserName SSL_CLIENT_S_DN_CN
+    </LocationMatch>
+{% endif %}
+
+    RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
+    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+        # Note that Content-Security-Policy header is generated by portal itself
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        #CGIPassAuth on
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    # Uncomment this if status is enabled
+    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
+
+    # Static files
+    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static//
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
+        Require all granted
+        Options +FollowSymLinks
+    </Directory>
+    <Location /static/>
+        <IfModule mod_expires.c>
+            ExpiresActive On
+            ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.fcgi index.html
+    </IfModule>
+
+    # Enabe compression
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+  </VirtualHost>
+</IfModule>
+
+{% if (llng_soap_src_ip is defined and llng_soap_src_ip | length > 0) or (llng_soap_htpasswd is defined) %}
+<IfModule mod_ssl.c>
+  <VirtualHost 0.0.0.0:443>
+    ServerName {{ llng_soap_vhost }}
+    SSLEngine On
+    Alias /_deferror/ "/usr/share/httpd/error/"
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_letsencrypt.inc
+
+{% if llng_soap_ssl is defined %}
+{% if llng_soap_ssl.cert is defined and llng_soap_ssl.key is defined %}
+    SSLCertificateFile {{ llng_soap_ssl.cert }}
+    SSLCertificateKeyFile {{ llng_soap_ssl.key }}
+{% if llng_soap_ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ llng_soap_ssl.cert_chain }}
+{% endif %}
+{% elif llng_soap_ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+{% endif %}
+
+    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
+    <Directory /usr/share/lemonldap-ng/portal/htdocs/>
+{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
+{% if llng_soap_pass is defined %}
+        <RequireAll>
+{% endif %}
+          Require ip {{ llng_soap_src_ip | join(' ') }}
+{% endif %}
+{% if llng_soap_pass is defined %}
+          AuthName "Lemonldap::NG SOAP endpoint"
+          AuthType Basic
+          AuthBasicProvider file
+          AuthUserFile /etc/lemonldap-ng/soap.htpasswd
+          Require valid-user
+{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
+        </RequireAll>
+{% endif %}
+{% endif %}
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+
+    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
+    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
+
+    # Note that Content-Security-Policy header is generated by portal itself
+    <Files *.fcgi>
+        SetHandler fcgid-script
+        #CGIPassAuth on
+        Options +ExecCGI
+        header unset Lm-Remote-User
+    </Files>
+
+    <LocationMatch "^(?!/index\.pl/(adminSessions|sessions|config|notifications))">
+      Require all denied
+    </LocationMatch>
+
+    # Enabe compression
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+
+  </VirtualHost>
+</IfModule>
+{% endif %}

roles/lemonldap_ng/templates/lemonldap-ng-file.ini.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+[all]
+
+[configuration]
+type    = File
+dirName = /var/lib/lemonldap-ng/conf

roles/lemonldap_ng/templates/lemonldap-ng.ini.j2

@@ -0,0 +1,84 @@
+; {{ ansible_managed }}
+
+[all]
+logLevel                   = info
+logger                     = Lemonldap::NG::Common::Logger::Syslog
+{% if llng_conf_backend == 'file' %}
+globalStorage        = Apache::Session::File
+globalStorageOptions       = {                                                   \
+  'Directory'      => '/var/lib/lemonldap-ng/sessions/',                         \
+  'LockDirectory'  => '/var/lib/lemonldap-ng/sessions/lock/',                    \
+  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
+}
+{% endif %}
+localSessionStorage        = Cache::FileCache
+localSessionStorageOptions = {                        \
+  'namespace'          => 'sessions',                 \
+  'default_expires_in' => '300',                      \
+  'directory_umask'    => '007',                      \
+  'cache_root'         => '/var/cache/lemonldap-ng',  \
+  'cache_depth'        => 3                           \
+}
+{% if llng_conf_backend == 'mysql' %}
+{% for type in llng_session_tables.keys() | list %}
+{{ type }}Storage        = Apache::Session::Browseable::MySQL
+{{ type }}StorageOptions = { \
+  'DataSource'     => 'DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }};mysql_enable_utf8=1', \
+  'UserName'       => '{{ llng_handler_db_user }}', \
+  'Password'       => '{{ llng_handler_db_pass }}', \
+  'TableName'      => '{{ llng_session_tables[type].name }}', \
+{% if llng_session_tables[type].index is defined %}
+  'Index'          => '{{ llng_session_tables[type].index }}', \
+{% endif %}
+  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
+}
+{% endfor %}
+{% endif %}
+
+[configuration]
+{% if llng_conf_backend == 'file' %}
+type                = File
+dirName             = /var/lib/lemonldap-ng/conf
+{% elif llng_conf_backend == 'api' %}
+type                = REST
+baseUrl             = {{ llng_api_uri }}
+{% if llng_api_user is defined and llng_api_pass is defined %}
+User                = {{ llng_api_user }}
+Password            = {{ llng_api_pass }}
+{% endif %}
+proxyOptions        = { timeout => 5 }
+{% elif llng_conf_backend == 'mysql' %}
+type                = CDBI
+dbiChain            = DBI:mysql:database={{ llng_db_name }};host={{ llng_db_server }}
+dbiUser             = {{ (llng_manager or llng_portal) | ternary(llng_db_user,llng_handler_db_user) }}
+dbiPassword         = {{ (llng_manager or llng_portal) | ternary(llng_db_pass,llng_handler_db_pass) }}
+{% endif %}
+localStorage        = Cache::FileCache
+localStorageOptions = {                              \
+  'namespace'          => 'config',                  \
+  'default_expires_in' => '600',                     \
+  'directory_umask'    => '007',                     \
+  'cache_root'         => '/var/cache/lemonldap-ng', \
+  'cache_depth'        => 0                          \
+}
+
+{% if llng_portal %}
+[portal]
+staticPrefix = /static
+templateDir  = /usr/share/lemonldap-ng/portal/templates
+languages    = fr, en, it, es, de
+{% endif %}
+
+{% if llng_manager %}
+[manager]
+protection     = {{ llng_manager_protection }}
+staticPrefix   = /static
+languages      = fr, en, it, es, de
+templateDir    = /usr/share/lemonldap-ng/manager/htdocs/templates
+enabledModules = conf, sessions, notifications, 2ndFA
+{% endif %}
+
+[handler]
+https         = 1
+status        = 0
+hideSignature = 1

roles/lemonldap_ng/templates/llng-fastcgi-server.j2

@@ -0,0 +1,9 @@
+USER=apache
+GROUP=apache
+NPROC={{ llng_fcgi_workers }}
+SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
+PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }}
+PM_MAX_REQUESTS=5000
+PM_SIZECHECK_NUM_REQUESTS=100
+PM_MAX_SIZE=800000

roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2

@@ -0,0 +1,25 @@
+[Unit]
+Description=FastCGI server for Lemonldap::NG websso system
+After=network.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/default/llng-fastcgi-server
+PIDFile=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+User=apache
+Group=apache
+ExecStart=/usr/libexec/lemonldap-ng/sbin/llng-fastcgi-server \
+             --foreground
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ llng_fcgi_workers * 250 }}M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+

roles/lemonldap_ng/templates/llng_headers.inc.j2

@@ -0,0 +1,67 @@
+auth_request_set $headername1 $upstream_http_headername1;
+auth_request_set $headervalue1 $upstream_http_headervalue1;
+auth_request_set $headername2 $upstream_http_headername2;
+auth_request_set $headervalue2 $upstream_http_headervalue2;
+auth_request_set $headername3 $upstream_http_headername3;
+auth_request_set $headervalue3 $upstream_http_headervalue3;
+auth_request_set $headername4 $upstream_http_headername4;
+auth_request_set $headervalue4 $upstream_http_headervalue4;
+auth_request_set $headername5 $upstream_http_headername5;
+auth_request_set $headervalue5 $upstream_http_headervalue5;
+auth_request_set $headername6 $upstream_http_headername6;
+auth_request_set $headervalue6 $upstream_http_headervalue6;
+auth_request_set $headername7 $upstream_http_headername7;
+auth_request_set $headervalue7 $upstream_http_headervalue7;
+auth_request_set $headername8 $upstream_http_headername8;
+auth_request_set $headervalue8 $upstream_http_headervalue8;
+auth_request_set $headername9 $upstream_http_headername9;
+auth_request_set $headervalue9 $upstream_http_headervalue9;
+auth_request_set $headername10 $upstream_http_headername10;
+auth_request_set $headervalue10 $upstream_http_headervalue10;
+auth_request_set $headername11 $upstream_http_headername11;
+auth_request_set $headervalue11 $upstream_http_headervalue11;
+auth_request_set $headername12 $upstream_http_headername12;
+auth_request_set $headervalue12 $upstream_http_headervalue12;
+auth_request_set $headername13 $upstream_http_headername13;
+auth_request_set $headervalue13 $upstream_http_headervalue13;
+auth_request_set $headername14 $upstream_http_headername14;
+auth_request_set $headervalue14 $upstream_http_headervalue14;
+auth_request_set $headername15 $upstream_http_headername15;
+auth_request_set $headervalue15 $upstream_http_headervalue15;
+auth_request_set $deleteheader1 $upstream_http_deleteheader1;
+auth_request_set $deleteheader2 $upstream_http_deleteheader2;
+auth_request_set $deleteheader3 $upstream_http_deleteheader3;
+auth_request_set $deleteheader4 $upstream_http_deleteheader4;
+auth_request_set $deleteheader5 $upstream_http_deleteheader5;
+auth_request_set $deleteheader6 $upstream_http_deleteheader6;
+auth_request_set $deleteheader7 $upstream_http_deleteheader7;
+auth_request_set $deleteheader8 $upstream_http_deleteheader8;
+auth_request_set $deleteheader9 $upstream_http_deleteheader9;
+auth_request_set $deleteheader10 $upstream_http_deleteheader10;
+auth_request_set $deleteheader11 $upstream_http_deleteheader11;
+auth_request_set $deleteheader12 $upstream_http_deleteheader12;
+auth_request_set $deleteheader13 $upstream_http_deleteheader13;
+auth_request_set $deleteheader14 $upstream_http_deleteheader14;
+auth_request_set $deleteheader15 $upstream_http_deleteheader15;
+auth_request_set $lmcookie $upstream_http_cookie;
+access_by_lua '
+  local i = 1
+  ngx.req.set_header("Cookie",ngx.var.lmcookie)
+  while true do
+    if ngx.var["headername"..i] ~= nil then
+      ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
+    else
+      break
+    end
+    i = i + 1
+  end
+  i = 1
+  while true do
+    if ngx.var["deleteheader"..i] ~= nil then
+          ngx.req.clear_header(ngx.var["deleteheader"..i])
+    else
+      break
+    end
+    i = i + 1
+  end
+';

roles/lemonldap_ng/templates/nginx_handler.conf.j2

@@ -0,0 +1,9 @@
+location /llng-reload {
+{% for ip in llng_reload_src_ip | default([]) %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+  include /etc/nginx/fastcgi_params;
+  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+  fastcgi_param LLTYPE reload;
+}

roles/lemonldap_ng/templates/nginx_manager.conf.j2

@@ -0,0 +1,53 @@
+server {
+  listen 80;
+  listen 443 ssl http2;
+  server_name {{ llng_manager_vhost }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+  include /etc/nginx/ansible_conf.d/perf.inc;
+  include /etc/nginx/ansible_conf.d/force_ssl.inc;
+  root /usr/share/lemonldap-ng/manager/htdocs/;
+
+{% if llng_manager_ssl is defined %}
+{% if llng_manager_ssl.cert is defined and llng_manager_ssl.key is defined %}
+  ssl_certificate {{ llng_manager_ssl.cert }};
+  ssl_certificate_key {{ llng_manager_ssl.key }};
+{% elif llng_manager_ssl.letsencrypt_cert is defined %}
+  ssl_certificate /var/lib/dehydrated/certificates/certs/{{ llng_manager_ssl.letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ llng_manager_ssl.letsencrypt_cert }}/privkey.pem;
+{% endif %}
+{% endif %}
+
+  if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon|\.well\-known/acme\-challenge/[^/]+)) {
+    rewrite ^/(.*)$ /manager.psgi/$1 break;
+  }
+
+  location  ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+    fastcgi_param LLTYPE manager;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+  }
+
+  location / {
+    index manager.psgi;
+{% for ip in llng_manager_src_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    try_files $uri $uri/ =404;
+  }
+
+  location /doc/ {
+    alias /usr/share/lemonldap-ng/doc/;
+    index index.html start.html;
+  }
+  location /lib/ {
+    alias /usr/share/lemonldap-ng/doc/pages/documentation/current/lib/;
+  }
+  location /static/ {
+    alias /usr/share/lemonldap-ng/manager/htdocs/static/;
+  }
+}

roles/lemonldap_ng/templates/nginx_portal.conf.j2

@@ -0,0 +1,106 @@
+server {
+  listen 80;
+  listen 443 ssl http2;
+  server_name {{ llng_portal_vhost }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+  include /etc/nginx/ansible_conf.d/perf.inc;
+  include /etc/nginx/ansible_conf.d/force_ssl.inc;
+  root /usr/share/lemonldap-ng/portal/htdocs/;
+
+{% if llng_portal_ssl is defined %}
+{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
+  ssl_certificate {{ llng_portal_ssl.cert }};
+  ssl_certificate_key {{ llng_portal_ssl.key }};
+{% elif llng_portal_ssl.letsencrypt_cert is defined %}
+  ssl_certificate /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem;
+{% endif %}
+{% endif %}
+
+  if ($uri !~ ^/((static|javascript|favicon|\.well\-known/acme\-challenge/).*|.*\.psgi)) {
+    rewrite ^/(.*)$ /index.psgi/$1 break;
+  }
+
+  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+    include /etc/nginx/fastcgi_params;
+
+    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+
+{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
+    map $ssl_client_s_dn $ssl_client_s_dn_cn {
+      default           "";
+      ~/CN=(?<CN>[^/]+) $CN;
+    }
+    fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+{% endif %}
+  }
+
+  index index.psgi;
+  location / {
+    try_files $uri $uri/ =404;
+  }
+
+  location /index.psgi/adminSessions {
+    deny all;
+  }
+
+  location /index.psgi/sessions {
+    deny all;
+  }
+
+  location /index.psgi/config {
+    deny all;
+  }
+
+  location /index.psgi/notification {
+    deny all;
+  }
+}
+
+{% if llng_api_src_ip | length > 0 or llng_api_pass is defined %}
+server {
+  listen 443 ssl http2;
+  server_name {{ llng_api_vhost }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+  include /etc/nginx/ansible_conf.d/perf.inc;
+  root /usr/share/lemonldap-ng/portal/htdocs/;
+
+{% if llng_api_ssl is defined %}
+{% if llng_api_ssl.cert is defined and llng_api_ssl.key is defined %}
+  ssl_certificate {{ llng_api_ssl.cert }};
+  ssl_certificate_key {{ llng_api_ssl.key }};
+{% elif llng_api_ssl.letsencrypt_cert is defined %}
+  ssl_certificate  /var/lib/dehydrated/certificates/certs/{{ llng_api_ssl.letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ llng_api_ssl.letsencrypt_cert }}/privkey.pem;
+{% endif %}
+{% endif %}
+
+  location ~ /index.psgi/(adminSessions|sessions|config|notification) {
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+{% for ip in llng_api_src_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+{% if llng_api_pass is defined %}
+    auth_basic "Lemonldap::NG SOAP endpoint";
+    auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
+    satisfy all;
+{% endif %}
+  }
+
+  location / {
+    deny all;
+  }
+}
+{% endif %}