From 1a925c6491fb4bfe98491474b0e3d88ce028f517 Mon Sep 17 00:00:00 2001
From: Beth Parker
Date: Sat, 5 Oct 2024 23:55:52 -0500
Subject: [PATCH] updated nginx role
---
 files/nginx.conf | 76 +++++++++++++++++++++++++++++++++++++++
 tasks/create_cert.yml | 33 +++++++++++++++++
 tasks/main.yml | 28 ++++++++++++++-
 templates/server.conf | 38 ++++++++++++++++++++
 templates/server.conf.bak | 38 ++++++++++++++++++++
 vars/main.yml | 10 +++++-
 6 files changed, 221 insertions(+), 2 deletions(-)
 create mode 100644 files/nginx.conf
 create mode 100644 tasks/create_cert.yml
 create mode 100644 templates/server.conf
 create mode 100644 templates/server.conf.bak
diff --git a/files/nginx.conf b/files/nginx.conf
new file mode 100644
index 0000000..d3e1d3b
--- /dev/null
+++ b/files/nginx.conf
@@ -0,0 +1,76 @@
+
+#user html;
+worker_processes 1;
+
+#error_log logs/error.log;
+#error_log logs/error.log notice;
+#error_log logs/error.log info;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ server_names_hash_bucket_size 64;
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include conf.d/*.conf;
+
+ # another virtual host using mix of IP-, name-, and port-based configuration
+ #
+ #server {
+ # listen 8000;
+ # listen somename:8080;
+ # server_name somename alias another.alias;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+
+
+ # HTTPS server
+ #
+ #server {
+ # listen 443 ssl;
+ # server_name localhost;
+
+ # ssl_certificate cert.pem;
+ # ssl_certificate_key cert.key;
+
+ # ssl_session_cache shared:SSL:1m;
+ # ssl_session_timeout 5m;
+
+ # ssl_ciphers HIGH:!aNULL:!MD5;
+ # ssl_prefer_server_ciphers on;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+}
+
+stream {
+ include tcpconf.d/*.conf
+}
diff --git a/tasks/create_cert.yml b/tasks/create_cert.yml
new file mode 100644
index 0000000..9e738ca
--- /dev/null
+++ b/tasks/create_cert.yml
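Review bot: The `include tcpconf.d/*.conf` line inside the `stream` block at the end of the file has no terminating semicolon, so `nginx -t` rejects the whole configuration and the service will not load once this file is copied to /etc/nginx/nginx.conf; it should read `include tcpconf.d/*.conf;`. Nothing in this commit creates a tcpconf.d directory, which nginx appears to tolerate for an unmatched glob, but a comment such as `# tcpconf.d is optional; stream proxies go here` would tell the next reader that the directory is intentionally absent. No `ssl_protocols`, `ssl_ciphers` or `server_tokens` directives are set here or in templates/server.conf, so the TLS policy and the version banner are whatever the packaged nginx defaults to; pinning `ssl_protocols TLSv1.2 TLSv1.3;` and `server_tokens off;` in the http block would make that policy explicit and reviewable.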
@@ -0,0 +1,33 @@
+# create_cert.yml
+---
+- name: Create certs directory if it doesn't exist
+ file:
+ path: /etc/nginx/certs/
+ state: directory
+
+- name: Create certificate directory for domain if it doesn't exist
+ file:
+ path: /etc/nginx/certs/{{ item.domain }}
+ state: directory
+
+- name: check if privkey exists
+ ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/privkey.pem" ]'
+ register: result
+ ignore_errors: true
+
+- name: Create private key (RSA, 4096 bits)
+ community.crypto.openssl_privatekey:
+ path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+ when: result is failure
+
+- name: check if certificate exists
+ ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/fullchain.pem" ]'
+ register: result
+ ignore_errors: true
+
+- name: Create simple self-signed certificate
+ community.crypto.x509_certificate:
+ path: /etc/nginx/certs/{{ item.domain }}/fullchain.pem
+ privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+ provider: selfsigned
+ when: result is failure
diff --git a/tasks/main.yml b/tasks/main.yml
index 347f0f3..c47909e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,4 +3,30 @@
 - name: install nginx
 ansible.builtin.package:
 name: nginx
- state: present
\ No newline at end of file
+ state: present
+
+- name: deploy nginx config
+ ansible.builtin.copy:
+ src: files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: ensure conf.d exists
+ ansible.builtin.file:
+ path: /etc/nginx/conf.d
+ state: directory
+
+- name: deploy service config(s)
+ ansible.builtin.template:
+ src: templates/server.conf
+ dest: /etc/nginx/conf.d/{{ item.domain }}
+ loop: "{{ domains }}"
+
+- name: check if /etc/nginx/certs exists and is a symlink
+ ansible.builtin.command: '[ -L "/etc/nginx/certs" ]'
+ register: result
+ ignore_errors: true
+
+- include_tasks: create_cert.yml
+ when: result is failed
+ loop: "{{ domains }}"
+
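Review bot: Both existence checks in create_cert.yml register into `result`, which is also the variable tasks/main.yml registers for its symlink check and then tests with `when: result is failed` on the `include_tasks` loop, so once the first domain has been processed the caller's `result` holds the outcome of the fullchain.pem check rather than the symlink check; if the include conditional is evaluated per iteration this can skip certificate bootstrap for later domains. Using `ansible.builtin.stat` with distinct names, e.g. `register: privkey_stat` and `when: not privkey_stat.stat.exists`, removes the overlap and also fixes the `command: '[ -f … ]'` plus `ignore_errors: true` pattern, which reports changed on every run and hides real failures behind a swallowed error. As far as I know `openssl_privatekey` and `x509_certificate` already leave an existing file alone unless `force` is set, so the checks may be droppable altogether. The self-signed certificate is generated without a CSR, so it carries no subject or SAN for `item.domain`; a comment noting that it is only a bootstrap placeholder until a real chain is linked into /etc/nginx/certs would stop someone relying on it.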
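Review bot: The template task's `dest: /etc/nginx/conf.d/{{ item.domain }}` writes files with no `.conf` suffix, while files/nginx.conf in this same commit includes only `conf.d/*.conf`, so the rendered server blocks are never loaded and port 443 stays unserved; change it to `dest: /etc/nginx/conf.d/{{ item.domain }}.conf`. Neither the copy nor the template task validates the result or notifies a handler, so a broken configuration is only discovered at the next manual restart and a good one never takes effect until then; adding `validate: nginx -t -c %s` to the copy task and a `notify: reload nginx` on both tasks (the handler itself is not part of this diff) would close that gap. The per-domain snippets cannot be validated in isolation, so running `nginx -t` once after the loop, before the reload, is the practical check for them.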
diff --git a/templates/server.conf b/templates/server.conf
new file mode 100644
index 0000000..1759994
--- /dev/null
+++ b/templates/server.conf
@@ -0,0 +1,38 @@
+server {
+ listen 443 ssl proxy_protocol;
+ server_name {{ item.domain }} ;
+
+ resolver 172.16.40.20;
+ set $backend "http://localhost:{{ item.port }}";
+ set $certbot "http://localhost";
+
+ ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ ssl_session_cache shared:SSL:10m;
+ client_max_body_size 1024m;
+ location / {
+ allow 192.168.0.0/16;
+ deny all;
+
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ # re-write redirects to http as to https, example: /home
+ proxy_redirect http:// https://;
+ }
+
+ error_log /var/log/nginx/{{ item.domain }}_error.log;
+ access_log /var/log/nginx/{{ item.domain }}_access.log;
+}
+
diff --git a/templates/server.conf.bak b/templates/server.conf.bak
new file mode 100644
index 0000000..324325b
--- /dev/null
+++ b/templates/server.conf.bak
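Review bot: The `allow 192.168.0.0/16; deny all;` pair in `location /` is evaluated against `$remote_addr`, and with `listen 443 ssl proxy_protocol` that is still the address of the TCP peer, i.e. the fronting proxy, unless the PROXY-protocol source is explicitly trusted; as written the rule either admits every connection or none depending on where that proxy sits, and the `X-Real-IP`/`X-Forwarded-For` headers sent to the backend carry the same proxy address. Adding `set_real_ip_from <PROXY_ADDR>;` (placeholder for the proxy's address or range) and `real_ip_header proxy_protocol;` to the server block makes `$remote_addr` the real client for both the access rule and the forwarded headers. Separately, `ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem` appends `.actcur.com` to values that vars/main.yml already supplies as full hostnames and that tasks/create_cert.yml stores under `/etc/nginx/certs/{{ item.domain }}/`, so the self-signed fallback is written to a path this template never reads and nginx will refuse to start on a fresh host; unless the symlinked certs layout intentionally uses the suffixed names, drop the suffix, `ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem;` and likewise for `ssl_certificate_key`.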
@@ -0,0 +1,38 @@
+server {
+ listen 443 ssl proxy_protocol;
+ server_name {{ item.domain }} ;
+
+ resolver 172.16.40.20;
+ set $backend "http://localhost:{{ item.port }}";
+ set $certbot "http://localhost";
+
+ ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ ssl_session_cache shared:SSL:10m;
+ client_max_body_size 1024m;
+ location / {
+ allow 192.168.0.0/16;
+ deny all;
+
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ # re-write redirects to http as to https, example: /home
+ proxy_redirect http:// https://;
+ }
+
+ error_log /var/log/nginx/{{ domain }}_error.log;
+ access_log /var/log/nginx/{{ domain }}_access.log;
+}
+
diff --git a/vars/main.yml b/vars/main.yml
index c7d8953..2cb1fe2 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,10 @@
 ---
-# vars file for nginx-ssl
+# vars file for nginx-ssl on privtorrents.actcur.com
+
+domains:
+ - domain: privtorrents.actcur.com
+ port: 8112
+ - domain: test.actcur.com
+ port: 8113
+
+# end of file
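Review bot: templates/server.conf.bak is a copy of templates/server.conf except for its last two lines, which reference `{{ domain }}` instead of `{{ item.domain }}`; nothing in tasks/main.yml renders it, and under `loop: "{{ domains }}"` that variable would be undefined, so the file would fail if it were ever wired in. A stale backup inside a role mainly invites editing the wrong file and duplicates the same cert-path and access-rule issues as server.conf; removing it from the commit is the simplest fix, since git history already keeps the earlier version.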
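Review bot: `domains` is defined in vars/main.yml, which Ansible loads at role-vars precedence, so the hostnames and ports written here (`privtorrents.actcur.com`, `test.actcur.com`) cannot be overridden per host from inventory or group_vars without `-e`; moving the list to defaults/main.yml (or inventory) and keeping vars/main.yml for role-internal constants would leave the role reusable. The updated header comment tying a generic nginx-ssl role to one host is a symptom of the same thing; a comment describing the contract instead, such as `# domains: list of {domain, port} pairs; each is rendered into conf.d and used for certificate bootstrap`, would help the next reader more than the hostname does.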