files/nginx.conf

@@ -0,0 +1,72 @@
+
+#user html;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    server_names_hash_bucket_size  64;
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include conf.d/*.conf;
+
+    # another virtual host using mix of IP-, name-, and port-based configuration
+    #
+    #server {
+    #    listen       8000;
+    #    listen       somename:8080;
+    #    server_name  somename  alias  another.alias;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+
+    # HTTPS server
+    #
+    #server {
+    #    listen       443 ssl;
+    #    server_name  localhost;
+
+    #    ssl_certificate      cert.pem;
+    #    ssl_certificate_key  cert.key;
+
+    #    ssl_session_cache    shared:SSL:1m;
+    #    ssl_session_timeout  5m;
+
+    #    ssl_ciphers  HIGH:!aNULL:!MD5;
+    #    ssl_prefer_server_ciphers  on;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+}

handlers/main.yml

@@ -1,2 +1,6 @@
 ---
 # handlers file for nginx-ssl
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted

tasks/create_cert.yml

@@ -0,0 +1,30 @@
+# create_cert.yml
+---
+- name: Create certificate directory for domain if it doesn't exist
+  file:
+    path: /etc/nginx/certs/{{ item.domain }}
+    state: directory
+
+- name: check if privkey exists
+  ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/privkey.pem" ]'
+  register: result
+  ignore_errors: true
+
+- name: Create private key (RSA, 4096 bits)
+  community.crypto.openssl_privatekey:
+    path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+  when: result is failure
+
+- name: check if certificate exists
+  ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/fullchain.pem" ]'
+  register: result
+  ignore_errors: true
+
+- name: Create simple self-signed certificate
+  community.crypto.x509_certificate:
+    path: /etc/nginx/certs/{{ item.domain }}/fullchain.pem
+    privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+    provider: selfsigned
+  when: result is failure
+  notify: restart nginx
+

tasks/main.yml

@@ -3,4 +3,63 @@
 - name: install nginx
   ansible.builtin.package:
     name: nginx
-    state: present
+    state: present
+
+- name: deploy nginx config
+  ansible.builtin.copy:
+    src: files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+  notify: restart nginx
+
+- name: ensure conf.d exists
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d
+    state: directory
+
+- name: deploy service config(s)
+  ansible.builtin.template:
+    src: templates/server.conf
+    dest: /etc/nginx/conf.d/{{ item.domain }}.conf
+  loop: "{{ domains }}"
+  notify: restart nginx
+
+- name: check if letsencrypt is set up
+  ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
+  register: result
+  ignore_errors: true
+
+- name: check if letsencrypt is set up
+  ansible.builtin.command: '[ -d "/etc/nginx/certs/" ]'
+  register: result2
+  ignore_errors: true
+
+- name: delete folder if exists
+  ansible.builtin.file:
+    state: absent
+    path: /etc/nginx/certs
+  when: (result is succeeded and result2 is succeeded) or (result is failed and result2 is failed)
+  
+- name: create symlink
+  ansible.builtin.file:
+    src: /etc/letsencrypt/live
+    dest: /etc/nginx/certs
+    state: link
+    force: yes
+  when: result is succeeded
+  notify: restart nginx
+ 
+- name: Create certs directory if it doesn't exist
+  file:
+    path: /etc/nginx/certs/
+    state: directory
+  when: result is failed
+
+- include_tasks: create_cert.yml
+  when: result is failed
+  loop: "{{ domains }}"
+
+- name: ensure nginx is running
+  service:
+    name: nginx
+    state: started
+    enabled: yes

templates/server.conf

@@ -0,0 +1,40 @@
+server {
+  listen 443 ssl;
+  server_name {{ item.domain }} ;
+
+  resolver 172.16.40.20;
+  set $backend "http://localhost:{{ item.port }}";
+  set $certbot "http://localhost";
+
+  ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem;
+  ssl_certificate_key /etc/nginx/certs/{{ item.domain }}/privkey.pem;
+  
+  location /.well-known/acme-challenge/ {
+    proxy_pass $certbot;
+    proxy_set_header Host $host;
+  }
+  
+  ssl_session_cache shared:SSL:10m;
+  client_max_body_size 1024m;
+  location / {
+
+    deny 172.16.41.60;
+    allow 172.16.0.0/16;
+    deny all;
+
+    proxy_pass $backend;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header X-Forwarded-Port 443;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Ssl on;
+
+    # re-write redirects to http as to https, example: /home
+    proxy_redirect http:// https://;
+  }
+
+  error_log /var/log/nginx/{{ item.domain }}_error.log;
+  access_log /var/log/nginx/{{ item.domain }}_access.log;
+}
+

vars/main.yml

@@ -1,2 +1,8 @@
 ---
-# vars file for nginx-ssl
+# vars file for nginx-ssl on privtorrents.actcur.com
+
+domains:
+  - domain: privtorrents.actcur.com
+    port: 8112
+
+# end of file