diff --git a/dev/bitwarden.yml b/dev/bitwarden.yml
index 7925204..911a8ef 100644
--- a/dev/bitwarden.yml
+++ b/dev/bitwarden.yml
@@ -5,6 +5,7 @@
 - host_vars/bitwarden.yml
 roles:
 - base
+ - nginx
 - docker
 - traefik
 - bitwarden
diff --git a/dev/host_vars/bitwarden.yml b/dev/host_vars/bitwarden.yml
index c14f96b..628303b 100644
--- a/dev/host_vars/bitwarden.yml
+++ b/dev/host_vars/bitwarden.yml
@@ -2,6 +2,9 @@
 allow_reboot: false
 manage_network: false
+# nginx proxy
+proxy: helloworld
+
 # docker
 docker_users:
 - vagrant
@@ -13,6 +16,9 @@ traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
+traefik_ports:
+ - "8000:80"
+ - "4430:443"
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml
index 2b66848..7c5d06d 100644
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -11,7 +11,7 @@
 - name: Download Bitwarden script
 get_url:
 url: "https://raw.githubusercontent.com/\
- bitwarden/server/master/scripts/bitwarden.sh"
+ bitwarden/self-host/master/bitwarden.sh"
 dest: "{{ bitwarden_root }}"
 mode: u+x
diff --git a/roles/nginx/tasks/proxy.yml b/roles/nginx/tasks/proxy.yml
index e69de29..75ea13a 100644
--- a/roles/nginx/tasks/proxy.yml
+++ b/roles/nginx/tasks/proxy.yml
@@ -0,0 +1,17 @@
+- name: Install nginx
+ apt:
+ name: nginx
+ state: present
+
+- name: Install nginx configuration
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ mode: '0644'
+ register: nginx_conf
+
+- name: Reload nginx
+ service:
+ name: nginx
+ state: reloaded
+ enabled: true
diff --git a/roles/nginx/tasks/webserver.yml b/roles/nginx/tasks/webserver.yml
index 2afcf1c..204ded2 100644
--- a/roles/nginx/tasks/webserver.yml
+++ b/roles/nginx/tasks/webserver.yml
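Review bot: `proxy: helloworld` reads as a placeholder: the key name does not say what the nginx role does with it, and no task or template in this diff consumes a `proxy` variable, so a reader has to guess its purpose (it may be read by role code outside the diff). Either leave it out until something uses it, or give it a role-prefixed name such as `nginx_proxy_backend` and replace the bare `# nginx proxy` heading with a comment stating what the value selects and which task reads it.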
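Review bot: `traefik_ports` publishes `8000:80` and `4430:443` without a host address, so Docker binds them on all interfaces and Traefik stays directly reachable on those ports, bypassing the nginx front on 443 that this commit introduces (the nginx stream upstream only ever targets 127.0.0.1:4430). If nginx is meant to be the sole entry point, bind loopback explicitly: `- "127.0.0.1:8000:80"` and `- "127.0.0.1:4430:443"`. As far as this diff shows, nothing in nginx listens on port 80, so plain-HTTP requests would reach neither service unless something outside the diff handles them; worth a comment here if that is intended for the dev VM.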
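Review bot: The new URL still fetches `bitwarden.sh` from the moving `master` branch of `bitwarden/self-host` with no integrity check, and the task marks the file executable (`mode: u+x`), so whatever that branch serves at run time is what presumably gets executed by a later task; the repository rename fixes the stale path but not the pinning. `get_url` accepts `checksum: "sha256:<digest-of-reviewed-script>"` (placeholder digest; record it from a copy you have read), and pointing the URL at a tag or commit instead of `master` makes the download reproducible. The whole task is visible in the hunk.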
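Review bot: `register: nginx_conf` is never used: `Reload nginx` runs unconditionally on every play, so the registered result is dead and nginx is reloaded even when the rendered config did not change. Either gate the reload with `when: nginx_conf is changed` or make it a handler that the template task notifies. Since this file becomes the only entry point to Traefik, also consider `validate: /usr/sbin/nginx -t -c %s` on the template task so a broken render is rejected before it overwrites `/etc/nginx/nginx.conf` and is reloaded into the running proxy; the template's includes are all absolute paths, so validating the temp file should work, but confirm on the target.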
@@ -22,7 +22,9 @@
 image: nginx:{{ nginx_version }}
 state: started
 restart_policy: always
+ container_default_behavior: no_defaults
 networks_cli_compatible: true
+ network_mode: traefik
 networks:
 - name: traefik
 volumes:
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..e2bb7c2
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,45 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+ sendfile on;
+ #tcp_nopush on;
+ keepalive_timeout 65;
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
+
+## tcp LB and SSL passthrough for backend ##
+stream {
+ upstream traefik {
+ server 127.0.0.1:4430 max_fails=3 fail_timeout=10s;
+ }
+
+log_format basic '$remote_addr [$time_local] ' '$protocol $status $bytes_sent $bytes_received ' '$session_time "$upstream_addr" ' '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+ access_log /var/log/nginx/traefik_access.log basic;
+ error_log /var/log/nginx/traefik_error.log;
+
+ server {
+ listen 443;
+ proxy_pass traefik;
+ proxy_next_upstream on;
+ }
+}
diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml
index 6fb908f..83e84ab 100644
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -9,5 +9,6 @@
 name: "{{ traefik_name }}"
 image: traefik:{{ traefik_version }}
 state: started
- restart: yes
+ container_default_behavior: no_defaults
+ restart: true
 listen: restart_traefik
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index dd5348a..60fc43d 100644
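Review bot: `network_mode: traefik` duplicates what `networks_cli_compatible: true` already gives this task: as I recall the community.docker `docker_container` documentation, with that flag set and a non-empty `networks` list the first listed network (`traefik` here) is used as the network mode, so the added line is redundant and a second place to update if the network is renamed. The same pair is added in roles/traefik/tasks/main.yml. Keeping only `networks:` with `networks_cli_compatible: true` states the intent once; if `network_mode` is kept on purpose (for example to avoid a module warning), a one-line comment saying so would spare the next reader the same question. The task begins before the hunk.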
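Review bot: The `stream` block is a plain TCP passthrough, so Traefik, and anything behind it that logs or rate-limits by source address, sees every connection as coming from 127.0.0.1; TCP passthrough carries no client address. If the real source matters, add `proxy_protocol on;` to the `server { listen 443; ... }` block and enable PROXY protocol on Traefik's matching entrypoint with nginx's address as the only trusted source — both sides must agree or Traefik will drop the connections. The upstream `server 127.0.0.1:4430` hard-codes the host port chosen in dev/host_vars/bitwarden.yml (`"4430:443"`); since this file is already a Jinja template, deriving the port from `traefik_ports` would keep the two in step. Minor: `proxy_next_upstream on;` does nothing with a single upstream server, and the stream `log_format` sits at column 0 unlike the rest of the block.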
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -36,7 +36,9 @@
 state: started
 restart_policy: always
 ports: "{{ traefik_ports }}"
- networks_cli_compatible: "false"
+ container_default_behavior: no_defaults
+ networks_cli_compatible: true
+ network_mode: traefik
 networks:
 - name: traefik
 labels: