From acd2cefb1e5ace5f9f5a6ff8aeb05d3120c4d410 Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Sun, 22 May 2022 00:19:56 -0400 Subject: [PATCH] Setup nginx reverse proxy --- dev/host_vars/proxy.yml | 35 ++++++++++++++++++++++ dev/proxy.yml | 11 +++++++ roles/.gitignore | 1 + roles/bitwarden/tasks/main.yml | 1 + roles/gitea/tasks/main.yml | 33 +++++++++++++++++++- roles/proxy/handlers/main.yml | 5 ++++ roles/proxy/tasks/main.yml | 35 ++++++++++++++++++++++ roles/proxy/templates/nginx.conf.j2 | 25 ++++++++++++++++ roles/proxy/templates/server-nginx.conf.j2 | 14 +++++++++ 9 files changed, 159 insertions(+), 1 deletion(-) create mode 100644 dev/host_vars/proxy.yml create mode 100644 dev/proxy.yml create mode 100644 roles/proxy/handlers/main.yml create mode 100644 roles/proxy/tasks/main.yml create mode 100644 roles/proxy/templates/nginx.conf.j2 create mode 100644 roles/proxy/templates/server-nginx.conf.j2 diff --git a/dev/host_vars/proxy.yml b/dev/host_vars/proxy.yml new file mode 100644 index 0000000..a65dfb7 --- /dev/null +++ b/dev/host_vars/proxy.yml @@ -0,0 +1,35 @@ +# base +allow_reboot: false +manage_network: false + +# proxy +proxy: + - name: bitwarden + domain: "{{ bitwarden_domain }}" + proxy_pass: "http://127.0.0.1:8080" + production: false + - name: gitea + domain: "{{ gitea_domain }}" + proxy_pass: "http://127.0.0.1:3080" + production: false + +# docker +docker_users: + - vagrant + +# bitwarden +# Get Installation ID & Key at https://bitwarden.com/host/ +bitwarden_domain: vault.vm.krislamo.org +bitwarden_dbpass: password +bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23 +bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p +#bitwarden_prodution: true + +# gitea +gitea_domain: git.vm.krislamo.org +gitea_version: 1 +gitea_dbversion: latest +gitea_dbpass: password +gitea_ports: + - "222:22" + - "3080:3000" diff --git a/dev/proxy.yml b/dev/proxy.yml new file mode 100644 index 0000000..8df84cb --- /dev/null +++ b/dev/proxy.yml @@ -0,0 +1,11 @@ +- name: Install Proxy Server + hosts: all + become: true + vars_files: + - host_vars/proxy.yml + roles: + - base + - proxy + - docker + - bitwarden + - gitea diff --git a/roles/.gitignore b/roles/.gitignore index 792c0f3..a050612 100644 --- a/roles/.gitignore +++ b/roles/.gitignore @@ -11,6 +11,7 @@ !nextcloud*/ !nginx*/ !prometheus*/ +!proxy*/ !rsnapshot*/ !traefik*/ !unifi*/ diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml index 7c5d06d..4a9cc12 100644 --- a/roles/bitwarden/tasks/main.yml +++ b/roles/bitwarden/tasks/main.yml @@ -31,6 +31,7 @@ template: src: compose.override.yml.j2 dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml" + when: traefik_version is defined notify: - rebuild_bitwarden - start_bitwarden diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 290945b..c6391e6 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -9,6 +9,7 @@ state: started restart_policy: always volumes: "{{ gitea_dbroot }}:/var/lib/mysql" + container_default_behavior: "no_defaults" networks_cli_compatible: true networks: - name: "{{ gitea_name }}" @@ -18,12 +19,13 @@ MYSQL_USER: "{{ gitea_dbuser }}" MYSQL_PASSWORD: "{{ gitea_dbpass }}" -- name: Start Gitea container +- name: Start Gitea container (traefik routing) docker_container: name: "{{ gitea_name }}" image: gitea/gitea:{{ gitea_version }} state: started restart_policy: always + container_default_behavior: "no_defaults" networks_cli_compatible: true ports: "{{ gitea_ports }}" networks: @@ -52,3 +54,32 @@ traefik.http.services.gitea.loadbalancer.server.port: "3000" traefik.docker.network: traefik traefik.enable: "true" + when: traefik_version is defined + +- name: Start Gitea container + docker_container: + name: "{{ gitea_name }}" + image: gitea/gitea:{{ gitea_version }} + state: started + restart_policy: always + container_default_behavior: "no_defaults" + networks_cli_compatible: true + ports: "{{ gitea_ports }}" + networks: + - name: "{{ gitea_name }}" + volumes: + - "{{ gitea_root }}:/data" + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + env: + USER_UID: "1000" + USER_GID: "1000" + DB_TYPE: mysql + DB_HOST: "{{ gitea_dbname }}" + DB_NAME: "{{ gitea_dbname }}" + DB_USER: "{{ gitea_dbuser }}" + DB_PASSWD: "{{ gitea_dbpass }}" + ROOT_URL: "https://{{ gitea_domain }}/" + SSH_DOMAIN: "{{ gitea_domain }}" + DOMAIN: "{{ gitea_domain }}" + when: traefik_version is not defined diff --git a/roles/proxy/handlers/main.yml b/roles/proxy/handlers/main.yml new file mode 100644 index 0000000..00e75ca --- /dev/null +++ b/roles/proxy/handlers/main.yml @@ -0,0 +1,5 @@ +- name: Reload nginx + service: + name: nginx + state: reloaded + listen: reload_nginx diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml new file mode 100644 index 0000000..8d3c6c1 --- /dev/null +++ b/roles/proxy/tasks/main.yml @@ -0,0 +1,35 @@ +- name: Install nginx + apt: + name: nginx + state: present + update_cache: true + +- name: Install nginx base configuration + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + mode: '0644' + notify: reload_nginx + +- name: Install nginx sites configuration + template: + src: server-nginx.conf.j2 + dest: "/etc/nginx/conf.d/{{ item.name }}.conf" + mode: '0644' + loop: "{{ proxy }}" + notify: reload_nginx + +- name: Generate self-signed certificate + shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \ + -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \ + -keyout /etc/ssl/private/nginx-selfsigned.key \ + -out /etc/ssl/certs/nginx-selfsigned.crt' + args: + creates: /etc/ssl/certs/nginx-selfsigned.crt + notify: reload_nginx + +- name: Start nginx and enable on boot + service: + name: nginx + state: started + enabled: true diff --git a/roles/proxy/templates/nginx.conf.j2 b/roles/proxy/templates/nginx.conf.j2 new file mode 100644 index 0000000..8e47758 --- /dev/null +++ b/roles/proxy/templates/nginx.conf.j2 @@ -0,0 +1,25 @@ +user www-data; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + log_format main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + access_log /var/log/nginx/access.log main; + server_tokens off; + sendfile on; + tcp_nopush on; + keepalive_timeout 65; + server_names_hash_bucket_size 128; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/roles/proxy/templates/server-nginx.conf.j2 b/roles/proxy/templates/server-nginx.conf.j2 new file mode 100644 index 0000000..1545a4a --- /dev/null +++ b/roles/proxy/templates/server-nginx.conf.j2 @@ -0,0 +1,14 @@ +server { + listen 443 ssl; + server_name {{ item.domain }}; + access_log /var/log/nginx/{{ item.domain }}.log main; +{% if not item.production %} + ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; + ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; +{% endif %} + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass {{ item.proxy_pass }}; + } +}