Setup nginx reverse proxy

dev/host_vars/proxy.yml

@@ -0,0 +1,35 @@
+# base
+allow_reboot: false
+manage_network: false
+
+# proxy
+proxy:
+  - name: bitwarden
+    domain: "{{ bitwarden_domain }}"
+    proxy_pass: "http://127.0.0.1:8080"
+    production: false
+  - name: gitea
+    domain: "{{ gitea_domain }}"
+    proxy_pass: "http://127.0.0.1:3080"
+    production: false
+
+# docker
+docker_users:
+  - vagrant
+
+# bitwarden
+# Get Installation ID & Key at https://bitwarden.com/host/
+bitwarden_domain: vault.vm.krislamo.org
+bitwarden_dbpass: password
+bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
+bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
+#bitwarden_prodution: true
+
+# gitea
+gitea_domain: git.vm.krislamo.org
+gitea_version: 1
+gitea_dbversion: latest
+gitea_dbpass: password
+gitea_ports:
+  - "222:22"
+  - "3080:3000"

dev/proxy.yml

@@ -0,0 +1,11 @@
+- name: Install Proxy Server
+  hosts: all
+  become: true
+  vars_files:
+    - host_vars/proxy.yml
+  roles:
+    - base
+    - proxy
+    - docker
+    - bitwarden
+    - gitea

roles/.gitignore

@@ -11,6 +11,7 @@
 !nextcloud*/
 !nginx*/
 !prometheus*/
+!proxy*/
 !rsnapshot*/
 !traefik*/
 !unifi*/

roles/bitwarden/tasks/main.yml

@@ -31,6 +31,7 @@
   template:
     src: compose.override.yml.j2
     dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
+  when: traefik_version is defined
   notify:
     - rebuild_bitwarden
     - start_bitwarden

roles/gitea/tasks/main.yml

@@ -9,6 +9,7 @@
     state: started
     restart_policy: always
     volumes: "{{ gitea_dbroot }}:/var/lib/mysql"
+    container_default_behavior: "no_defaults"
     networks_cli_compatible: true
     networks:
       - name: "{{ gitea_name }}"
@@ -18,12 +19,13 @@
       MYSQL_USER: "{{ gitea_dbuser }}"
       MYSQL_PASSWORD: "{{ gitea_dbpass }}"
 
-- name: Start Gitea container
+- name: Start Gitea container (traefik routing)
   docker_container:
     name: "{{ gitea_name }}"
     image: gitea/gitea:{{ gitea_version }}
     state: started
     restart_policy: always
+    container_default_behavior: "no_defaults"
     networks_cli_compatible: true
     ports: "{{ gitea_ports }}"
     networks:
@@ -52,3 +54,32 @@
       traefik.http.services.gitea.loadbalancer.server.port: "3000"
       traefik.docker.network: traefik
       traefik.enable: "true"
+  when: traefik_version is defined
+
+- name: Start Gitea container
+  docker_container:
+    name: "{{ gitea_name }}"
+    image: gitea/gitea:{{ gitea_version }}
+    state: started
+    restart_policy: always
+    container_default_behavior: "no_defaults"
+    networks_cli_compatible: true
+    ports: "{{ gitea_ports }}"
+    networks:
+      - name: "{{ gitea_name }}"
+    volumes:
+      - "{{ gitea_root }}:/data"
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    env:
+      USER_UID: "1000"
+      USER_GID: "1000"
+      DB_TYPE: mysql
+      DB_HOST: "{{ gitea_dbname }}"
+      DB_NAME: "{{ gitea_dbname }}"
+      DB_USER: "{{ gitea_dbuser }}"
+      DB_PASSWD: "{{ gitea_dbpass }}"
+      ROOT_URL: "https://{{ gitea_domain }}/"
+      SSH_DOMAIN: "{{ gitea_domain }}"
+      DOMAIN: "{{ gitea_domain }}"
+  when: traefik_version is not defined

roles/proxy/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Reload nginx
+  service:
+    name: nginx
+    state: reloaded
+  listen: reload_nginx

roles/proxy/tasks/main.yml

@@ -0,0 +1,35 @@
+- name: Install nginx
+  apt:
+    name: nginx
+    state: present
+    update_cache: true
+
+- name: Install nginx base configuration
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: '0644'
+  notify: reload_nginx
+
+- name: Install nginx sites configuration
+  template:
+    src: server-nginx.conf.j2
+    dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
+    mode: '0644'
+  loop: "{{ proxy }}"
+  notify: reload_nginx
+
+- name: Generate self-signed certificate
+  shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  args:
+    creates: /etc/ssl/certs/nginx-selfsigned.crt
+  notify: reload_nginx
+
+- name: Start nginx and enable on boot
+  service:
+    name: nginx
+    state: started
+    enabled: true

roles/proxy/templates/nginx.conf.j2

@@ -0,0 +1,25 @@
+user www-data;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include           /etc/nginx/mime.types;
+  default_type      application/octet-stream;
+  log_format        main '$remote_addr - $remote_user [$time_local]  $status '
+                         '"$request" $body_bytes_sent "$http_referer" '
+                         '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log        /var/log/nginx/access.log  main;
+  server_tokens     off;
+  sendfile          on;
+  tcp_nopush        on;
+  keepalive_timeout 65;
+  server_names_hash_bucket_size 128;
+
+  include           /etc/nginx/conf.d/*.conf;
+}

roles/proxy/templates/server-nginx.conf.j2

@@ -0,0 +1,14 @@
+server {
+  listen              443 ssl;
+  server_name         {{ item.domain }};
+  access_log          /var/log/nginx/{{ item.domain }}.log main;
+{% if not item.production %}
+  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
+  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+{% endif %}
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass {{ item.proxy_pass }};
+  }
+}