From 33a9eef0fad7b2b18a1a464145f23568386b940f Mon Sep 17 00:00:00 2001
From: "Ivo C.S. Wingelaar"
Date: Sun, 13 Oct 2024 11:33:33 +0200
Subject: [PATCH] Add basic nginx role

This role installs a distribution-provided nginx and does some basic configuration on it. It acts as a reverse proxy for the containers that does the TLS offloading and provides an optional HTTP basic authentication page for services that aren't ready to be exposed yet.
---
 roles/nginx/defaults/main.yml | 3 +++
 roles/nginx/handlers/main.yml | 5 ++++
 roles/nginx/tasks/main.yml | 38 +++++++++++++++++++++++++++
 roles/nginx/tasks/site.yml | 23 ++++++++++++++++
 roles/nginx/templates/nginx-server.j2 | 19 ++++++++++++++
 5 files changed, 88 insertions(+)
 create mode 100644 roles/nginx/defaults/main.yml
 create mode 100644 roles/nginx/handlers/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/tasks/site.yml
 create mode 100644 roles/nginx/templates/nginx-server.j2
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..3166f3b
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+sce_nginx_certificate_path: /etc/sce-certbot
+sce_nginx_sites: []
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..90ba4f0
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+ ansible.builtin.systemd_service:
+ state: reloaded
+ name: nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..d5c6a58
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
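Review bot: `sce_nginx_htpasswd`, which tasks/main.yml reads to decide whether the htpasswd file is provisioned, is not declared in this defaults file, so the role's only secret input is invisible from its interface. Because it must never carry a committed value, a commented entry documents it without one: `# sce_nginx_htpasswd: undeclared on purpose - supply from vault; when defined, an htpasswd user 'admin' is created and basic auth is enabled for every site`. The same place can record that each `sce_nginx_sites` entry needs `name` and `port` keys, which the include in tasks/main.yml dereferences with no default.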
@@ -0,0 +1,38 @@
+---
+- name: Install nginx
+ ansible.builtin.apt:
+ name: nginx
+ # Debian-ism to prevent auto-start of nginx on installation as
+ # we still need to do some configuration.
+ policy_rc_d: 101
+
+- name: Install passlib (for htpasswd)
+ ansible.builtin.apt:
+ name: python3-passlib
+
+- name: Create password file for HTTP basic authentication
+ community.general.htpasswd:
+ path: /etc/nginx/passwdfile
+ name: admin
+ password: "{{ sce_nginx_htpasswd }}"
+ owner: root
+ group: www-data
+ mode: "0640"
+ when: sce_nginx_htpasswd is defined
+
+- name: Check if the passwdfile exists
+ ansible.builtin.stat:
+ path: /etc/nginx/passwdfile
+ register: htpasswdfile
+
+- name: Iterate over configured nginx sites
+ ansible.builtin.include_tasks: site.yml
+ loop: "{{ sce_nginx_sites }}"
+ vars:
+ site_name: "{{ item['name'] }}"
+ site_port: "{{ item['port'] }}"
+
+- name: Disable default nginx site
+ ansible.builtin.file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
diff --git a/roles/nginx/tasks/site.yml b/roles/nginx/tasks/site.yml
new file mode 100644
index 0000000..fadfe44
--- /dev/null
+++ b/roles/nginx/tasks/site.yml
@@ -0,0 +1,23 @@
+---
+- name: Check if we need to enable HTTP basic authentication
+ ansible.builtin.stat:
+ path: /etc/nginx/disable_auth_{{ site_name }}
+ register: auth_disabled
+
+- name: Install nginx template
+ ansible.builtin.template:
+ src: nginx-server.j2
+ dest: /etc/nginx/sites-available/{{ site_name }}
+ mode: "0644"
+ vars:
+ auth: "{{ htpasswdfile.stat.exists and not auth_disabled.stat.exists }}"
+ notify: Reload nginx
+
+- name: Activate nginx configuration
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/{{ site_name }}
+ dest: /etc/nginx/sites-enabled/{{ site_name }}
+ owner: root
+ group: root
+ state: link
+ notify: Reload nginx
diff --git a/roles/nginx/templates/nginx-server.j2 b/roles/nginx/templates/nginx-server.j2
new file mode 100644
index 0000000..ec2b57b
--- /dev/null
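Review bot: The `community.general.htpasswd` task in tasks/main.yml takes the admin password via `password: "{{ sce_nginx_htpasswd }}"` but has no `no_log: true`, so the templated value can surface in verbose task output and in whatever callback or CI log captures the play, regardless of what the module masks on its own side; add `no_log: true` next to the existing `when:`. When the variable is undefined the task is merely skipped, and the following `stat` then decides auth solely from `/etc/nginx/passwdfile` existing, so a password file left by an earlier run keeps enforcing stale credentials with no way to clear it through the role — worth either a comment on the stat task or an explicit `state: absent` branch. The htpasswd hash scheme is left at the module default; if the target's crypt supports it, `hash_scheme: bcrypt` is the stronger choice, but confirm on the target before changing.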
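Review bot: In site.yml, basic auth for a site is switched off by the mere existence of `/etc/nginx/disable_auth_{{ site_name }}`, a flag file the role neither creates, documents nor cleans up, so an out-of-band touch silently exposes a site that was meant to stay behind a password and no later run reverts it. At minimum the stat task deserves a comment such as `# Escape hatch: an operator-created /etc/nginx/disable_auth_<site> turns basic auth off for that site; not managed by this role`, or better, drive the decision from a per-site key in `sce_nginx_sites` so it lives in inventory and is reviewable. The `auth` expression also depends on `htpasswdfile`, registered in tasks/main.yml, so this file cannot be included on its own; a one-line comment above the template task stating that dependency would help the next reader. Sites dropped from `sce_nginx_sites` keep their symlink in `sites-enabled`, since nothing removes stale entries.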
+++ b/roles/nginx/templates/nginx-server.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ site_name }};
+
+ ssl_certificate {{ sce_nginx_certificate_path }}/{{ site_name }}/fullchain.pem;
+ ssl_certificate_key {{ sce_nginx_certificate_path }}/{{ site_name }}/privkey.pem;
+
+{% if auth %}
+ auth_basic "SCE";
+ auth_basic_user_file /etc/nginx/passwdfile;
+{% endif %}
+
+ location / {
+ proxy_pass http://127.0.0.1:{{ site_port }};
+ }
+}
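Review bot: The `location /` block proxies with only `proxy_pass`, so the upstream receives `Host: 127.0.0.1:<port>`, sees the client address as 127.0.0.1 and gets no indication that the original request arrived over HTTPS; applications behind a TLS-offloading proxy rely on those headers for redirects, `Secure` cookies, origin checks and access logging, so they should be forwarded explicitly. TLS protocol and cipher settings are inherited from the distribution `nginx.conf`, which this role does not manage; if that default is not acceptable for these sites, this server block (or a managed snippet) is the place to pin `ssl_protocols`. Which upstreams are affected is not visible from the patch, so confirm against the containers behind it.
```nginx
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:{{ site_port }};
    # … unchanged: closing braces …
```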