Add basic nginx role

This role installs a distribution-provided nginx and does some basic
configuration on it. It acts as a reverse proxy for the containers
that does the TLS offloading and provides an optional HTTP basic
authentication page for services that aren't ready to be exposed yet.

roles/nginx/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+sce_nginx_certificate_path: /etc/sce-certbot
+sce_nginx_sites: []

roles/nginx/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    state: reloaded
+    name: nginx

roles/nginx/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- name: Install nginx
+  ansible.builtin.apt:
+    name: nginx
+    # Debian-ism to prevent auto-start of nginx on installation as
+    # we still need to do some configuration.
+    policy_rc_d: 101
+
+- name: Install passlib (for htpasswd)
+  ansible.builtin.apt:
+    name: python3-passlib
+
+- name: Create password file for HTTP basic authentication
+  community.general.htpasswd:
+    path: /etc/nginx/passwdfile
+    name: admin
+    password: "{{ sce_nginx_htpasswd }}"
+    owner: root
+    group: www-data
+    mode: "0640"
+  when: sce_nginx_htpasswd is defined
+
+- name: Check if the passwdfile exists
+  ansible.builtin.stat:
+    path: /etc/nginx/passwdfile
+  register: htpasswdfile
+
+- name: Iterate over configured nginx sites
+  ansible.builtin.include_tasks: site.yml
+  loop: "{{ sce_nginx_sites }}"
+  vars:
+    site_name: "{{ item['name'] }}"
+    site_port: "{{ item['port'] }}"
+
+- name: Disable default nginx site
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent

roles/nginx/tasks/site.yml

@@ -0,0 +1,23 @@
+---
+- name: Check if we need to enable HTTP basic authentication
+  ansible.builtin.stat:
+    path: /etc/nginx/disable_auth_{{ site_name }}
+  register: auth_disabled
+
+- name: Install nginx template
+  ansible.builtin.template:
+    src: nginx-server.j2
+    dest: /etc/nginx/sites-available/{{ site_name }}
+    mode: "0644"
+  vars:
+    auth: "{{ htpasswdfile.stat.exists and not auth_disabled.stat.exists }}"
+  notify: Reload nginx
+
+- name: Activate nginx configuration
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/{{ site_name }}
+    dest: /etc/nginx/sites-enabled/{{ site_name }}
+    owner: root
+    group: root
+    state: link
+  notify: Reload nginx

roles/nginx/templates/nginx-server.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  server_name {{ site_name }};
+
+  ssl_certificate {{ sce_nginx_certificate_path }}/{{ site_name }}/fullchain.pem;
+  ssl_certificate_key {{ sce_nginx_certificate_path }}/{{ site_name }}/privkey.pem;
+
+{% if auth %}
+  auth_basic "SCE";
+  auth_basic_user_file /etc/nginx/passwdfile;
+{% endif %}
+
+  location / {
+    proxy_pass http://127.0.0.1:{{ site_port }};
+  }
+}