feat: Add nginx-proxy role for nginx and certbot

2026-03-01 22:23:38 +01:00
parent 90cbc8813c
commit e3dcd0158c
9 changed files with 241 additions and 25 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,26 +1,94 @@
-zfs_pool_name: bigpool
-ip: 192.168.5.7
-ip_admin: 192.168.6.7
-mysql_host: "{{ ip_admin }}"
-gateway: 192.168.6.1
+---
+mydomain: matous.vondrejka.cz

-wireguard-server:
-  wstunnel-download-url: https://github.com/erebe/wstunnel/releases/download/v10.5.2/wstunnel_10.5.2_linux_amd64.tar.gz
-  internal-port: 51822
-
-wireguard-client:
-  ntb:
-    ip: 10.0.0.2
-  tata:
-    ip: 10.0.0.4
-  pi:
-    ip: 10.0.0.5
-  desktop:
-    ip: 10.0.0.6
-
-samba_users:
-  - name: warezjoe
-    path: /warezjoe
-
-  - name: tata
-    path: /tata
+servernames:
+  jellyfin:
+    internal: true
+    upgraded: false
+    server: "jellyfin"
+    port: 8096
+  nextcloud:
+    internal: false
+    upgraded: false
+    server: "192.168.100.11"
+    port: 8080
+  jellyfin-public:
+    internal: false
+    upgraded: false
+    server: "192.168.100.21"
+    port: 8096
+    name_override: jellyfin
+  transmission:
+    internal: true
+    upgraded: true
+    server: "192.168.100.18"
+    port: 9091
+  herodes:
+    internal: true
+    upgraded: false
+    server: "192.168.100.2"
+    port: 8006
+  prometheus:
+    internal: true
+    upgraded: false
+    server: "192.168.100.14"
+    port: 9090
+  n8n:
+    internal: false
+    upgraded: true
+    server: "192.168.100.19"
+    port: 5678
+  glance:
+    internal: false
+    upgraded: false
+    server: "192.168.100.11"
+    port: 81
+  uptimekuma:
+    internal: true
+    upgraded: false
+    server: "192.168.100.13"
+    port: 3001
+  photoprism:
+    internal: false
+    upgraded: true
+    server: "192.168.100.7"
+    port: 2342
+  openclaw:
+    internal: false
+    upgraded: true
+    server: "192.168.100.22"
+    port: 18789
+  wireguard:
+    internal: false
+    upgraded: true
+    server: "192.168.100.5"
+    port: 8080
+  pi-hole:
+    internal: true
+    upgraded: false
+    server: "192.168.100.6"
+    port: 80
+    server_names:
+      - pi-hole.admin.matous.vondrejka.cz
+      - pi-hole.lan
+  gitea:
+    internal: false
+    upgraded: false
+    server: "192.168.100.8"
+    port: 3000
+  nginx-admin:
+    internal: true
+    upgraded: false
+    server: "localhost"
+    port: 81
+    name_override: nginx.admin
+  grafana:
+    internal: true
+    upgraded: false
+    server: "192.168.100.15"
+    port: 3000
+  loki:
+    internal: true
+    upgraded: false
+    server: "loki"
+    port: 3100
--- a/playbooks/services/nginx-proxy.yml
+++ b/playbooks/services/nginx-proxy.yml
@@ -0,0 +1,5 @@
+- name: nginx proxy init
+  hosts: proxy-clean
+  become: true
+  roles:
+    - nginx-proxy
--- a/roles/nginx-proxy/handlers/main.yml
+++ b/roles/nginx-proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
--- a/roles/nginx-proxy/tasks/create_vhosts.yml
+++ b/roles/nginx-proxy/tasks/create_vhosts.yml
@@ -0,0 +1,10 @@
+---
+- name: Create Nginx vhost configurations
+  ansible.builtin.template:
+    src: nginx-vhost.conf.j2
+    dest: "/etc/nginx/conf.d/{{ item.key }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ servernames | dict2items }}"
+  notify: Restart Nginx
--- a/roles/nginx-proxy/tasks/generate_certs.yml
+++ b/roles/nginx-proxy/tasks/generate_certs.yml
@@ -0,0 +1,23 @@
+---
+- name: Stop Nginx before Certbot (if it is running)
+  ansible.builtin.service:
+    name: nginx
+    state: stopped
+  ignore_errors: true
+
+- name: Generate Certbot certificates
+  ansible.builtin.command: >
+    certbot certonly --standalone
+    --non-interactive
+    --agree-tos
+    --email {{ certbot_email | default("admin@" + mydomain) }}
+    -d {{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}
+  loop: "{{ servernames | dict2items }}"
+  when: not item.value.internal
+  args:
+    creates: "/etc/letsencrypt/live/{{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}/fullchain.pem"
+
+- name: Start Nginx after Certbot
+  ansible.builtin.service:
+    name: nginx
+    state: started
--- a/roles/nginx-proxy/tasks/install_certbot.yml
+++ b/roles/nginx-proxy/tasks/install_certbot.yml
@@ -0,0 +1,7 @@
+---
+- name: Install Certbot and Nginx plugin
+  ansible.builtin.apt:
+    name:
+      - certbot
+      - python3-certbot-nginx
+    state: present
--- a/roles/nginx-proxy/tasks/install_nginx.yml
+++ b/roles/nginx-proxy/tasks/install_nginx.yml
@@ -0,0 +1,48 @@
+---
+- name: Install Nginx
+  ansible.builtin.apt:
+    name: nginx
+    state: present
+
+- name: Ensure Nginx is enabled and started
+  ansible.builtin.service:
+    name: nginx
+    state: started
+    enabled: true
+
+- name: Create Nginx includes directory
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/include
+    state: directory
+    mode: '0755'
+
+- name: Create proxy.conf include
+  ansible.builtin.copy:
+    content: |
+      add_header       X-Served-By $host;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Scheme $scheme;
+      proxy_set_header X-Forwarded-Proto  $scheme;
+      proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+      proxy_set_header X-Real-IP          $remote_addr;
+      proxy_pass       $forward_scheme://$server:$port$request_uri;
+    dest: /etc/nginx/conf.d/include/proxy.conf
+
+- name: Create internal.conf include (access rules)
+  ansible.builtin.copy:
+    content: |
+      deny 192.168.5.1;
+      allow 192.168.100.0/24;
+      allow 10.0.0.1/24;
+      deny all;
+      satisfy all;
+    dest: /etc/nginx/conf.d/include/internal.conf
+
+- name: Create upgrade.conf include
+  ansible.builtin.copy:
+    content: |
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_pass_header   X-Transmission-Session-Id;
+    dest: /etc/nginx/conf.d/include/upgrade.conf
+
--- a/roles/nginx-proxy/tasks/main.yml
+++ b/roles/nginx-proxy/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Include Nginx installation and configuration tasks
+  ansible.builtin.include_tasks:
+    file: install_nginx.yml
+
+- name: Include Certbot installation and configuration tasks
+  ansible.builtin.include_tasks:
+    file: install_certbot.yml
+
+- name: Include Generate Certs tasks
+  ansible.builtin.include_tasks:
+    file: generate_certs.yml
+
+- name: Include Create Vhosts tasks
+  ansible.builtin.include_tasks:
+    file: create_vhosts.yml
--- a/roles/nginx-proxy/templates/nginx-vhost.conf.j2
+++ b/roles/nginx-proxy/templates/nginx-vhost.conf.j2
@@ -0,0 +1,34 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  server_name {{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }};
+
+  ssl_certificate /etc/letsencrypt/live/{{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ item.key + "." + mydomain if not item.value.internal else item.key + ".internal." + mydomain }}/privkey.pem;
+
+  include /etc/nginx/conf.d/include/ssl-ciphers.conf;
+  include /etc/nginx/conf.d/include/ssl-cache.conf;
+  include /etc/nginx/conf.d/include/force-ssl.conf;
+
+  access_log /var/log/nginx/{{ item.key }}_access.log;
+  error_log /var/log/nginx/{{ item.key }}_error.log warn;
+
+  location / {
+    {% if item.value.upgraded %}
+    include /etc/nginx/conf.d/include/upgrade.conf;
+    {% endif %}
+
+    {% if item.value.internal %}
+    include /etc/nginx/conf.d/include/internal.conf;
+    {% endif %}
+
+    set $forward_scheme http;
+    set $server "{{ item.value.server }}";
+    set $port {{ item.value.port }};
+    include /etc/nginx/conf.d/include/proxy.conf;
+  }
+}