feat: Add nginx-proxy role for nginx and certbot

roles/nginx-proxy/tasks/create_vhosts.yml

@@ -0,0 +1,10 @@
+---
+- name: Create Nginx vhost configurations
+  ansible.builtin.template:
+    src: nginx-vhost.conf.j2
+    dest: "/etc/nginx/conf.d/{{ item.key }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ servernames | dict2items }}"
+  notify: Restart Nginx

roles/nginx-proxy/tasks/generate_certs.yml

@@ -0,0 +1,23 @@
+---
+- name: Stop Nginx before Certbot (if it is running)
+  ansible.builtin.service:
+    name: nginx
+    state: stopped
+  ignore_errors: true
+
+- name: Generate Certbot certificates
+  ansible.builtin.command: >
+    certbot certonly --standalone
+    --non-interactive
+    --agree-tos
+    --email {{ certbot_email | default("admin@" + mydomain) }}
+    -d {{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}
+  loop: "{{ servernames | dict2items }}"
+  when: not item.value.internal
+  args:
+    creates: "/etc/letsencrypt/live/{{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}/fullchain.pem"
+
+- name: Start Nginx after Certbot
+  ansible.builtin.service:
+    name: nginx
+    state: started

roles/nginx-proxy/tasks/install_certbot.yml

@@ -0,0 +1,7 @@
+---
+- name: Install Certbot and Nginx plugin
+  ansible.builtin.apt:
+    name:
+      - certbot
+      - python3-certbot-nginx
+    state: present

roles/nginx-proxy/tasks/install_nginx.yml

@@ -0,0 +1,48 @@
+---
+- name: Install Nginx
+  ansible.builtin.apt:
+    name: nginx
+    state: present
+
+- name: Ensure Nginx is enabled and started
+  ansible.builtin.service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: Create Nginx includes directory
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/include
+    state: directory
+    mode: '0755'
+
+- name: Create proxy.conf include
+  ansible.builtin.copy:
+    content: |
+      add_header       X-Served-By $host;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Scheme $scheme;
+      proxy_set_header X-Forwarded-Proto  $scheme;
+      proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+      proxy_set_header X-Real-IP          $remote_addr;
+      proxy_pass       $forward_scheme://$server:$port$request_uri;
+    dest: /etc/nginx/conf.d/include/proxy.conf
+
+- name: Create internal.conf include (access rules)
+  ansible.builtin.copy:
+    content: |
+      deny 192.168.5.1;
+      allow 192.168.100.0/24;
+      allow 10.0.0.1/24;
+      deny all;
+      satisfy all;
+    dest: /etc/nginx/conf.d/include/internal.conf
+
+- name: Create upgrade.conf include
+  ansible.builtin.copy:
+    content: |
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_pass_header   X-Transmission-Session-Id;
+    dest: /etc/nginx/conf.d/include/upgrade.conf
+

roles/nginx-proxy/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Include Nginx installation and configuration tasks
+  ansible.builtin.include_tasks:
+    file: install_nginx.yml
+
+- name: Include Certbot installation and configuration tasks
+  ansible.builtin.include_tasks:
+    file: install_certbot.yml
+
+- name: Include Generate Certs tasks
+  ansible.builtin.include_tasks:
+    file: generate_certs.yml
+
+- name: Include Create Vhosts tasks
+  ansible.builtin.include_tasks:
+    file: create_vhosts.yml