feat: full untested ansible setup

2026-04-22 12:22:58 +02:00
parent b1d9b2a857
commit 0d967909e7
37 changed files with 1362 additions and 1 deletions
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,94 @@
+---
+- name: Install nginx package
+  ansible.builtin.apt:
+    name: nginx
+    state: present
+    update_cache: true
+
+- name: Ensure ACME webroot exists for nginx
+  ansible.builtin.file:
+    path: /var/www/letsencrypt
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: "0755"
+
+- name: Ensure static site directories exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "0755"
+  loop: "{{ static_sites | default([]) }}"
+  loop_control:
+    label: "{{ item.path }}"
+
+- name: Publish static placeholder files
+  ansible.builtin.copy:
+    dest: "{{ item.0.path }}/{{ item.1.path }}"
+    content: "{{ item.1.content }}"
+    owner: "{{ item.0.owner }}"
+    group: "{{ item.0.group }}"
+    mode: "0644"
+  loop: "{{ (static_sites | default([])) | subelements('files', skip_missing=True) }}"
+  loop_control:
+    label: "{{ item.0.name }}/{{ item.1.path }}"
+
+- name: Remove default nginx site
+  ansible.builtin.file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: Reload nginx
+
+- name: Check which ACME certificates already exist
+  ansible.builtin.stat:
+    path: "/etc/letsencrypt/live/{{ item.certificate_name | default(item.server_names[0]) }}/fullchain.pem"
+  loop: "{{ nginx_sites | selectattr('acme_managed', 'defined') | selectattr('acme_managed') | list }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: nginx_site_cert_stats
+
+- name: Build ACME certificate availability map
+  ansible.builtin.set_fact:
+    nginx_acme_certificates_available: >-
+      {{
+        dict(
+          nginx_site_cert_stats.results
+          | map(attribute='item.name')
+          | zip(nginx_site_cert_stats.results | map(attribute='stat.exists'))
+        )
+      }}
+
+- name: Render nginx site configurations
+  ansible.builtin.template:
+    src: site.conf.j2
+    dest: "/etc/nginx/sites-available/{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ nginx_sites }}"
+  loop_control:
+    label: "{{ item.name }}"
+  notify: Reload nginx
+
+- name: Enable nginx sites
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ item.name }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
+    state: link
+    force: true
+  loop: "{{ nginx_sites }}"
+  loop_control:
+    label: "{{ item.name }}"
+  notify: Reload nginx
+
+- name: Validate nginx configuration
+  ansible.builtin.command: nginx -t
+  changed_when: false
+
+- name: Ensure nginx service is enabled
+  ansible.builtin.service:
+    name: nginx
+    state: started
+    enabled: true
--- a/roles/nginx/templates/site.conf.j2
+++ b/roles/nginx/templates/site.conf.j2
@@ -0,0 +1,76 @@
+server {
+    listen 80{% if item.default_server | default(false) %} default_server{% endif %};
+    listen [::]:80{% if item.default_server | default(false) %} default_server{% endif %};
+    server_name {{ item.server_names | join(' ') }};
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+    }
+
+{% if item.acme_only | default(false) %}
+    location / {
+        return 404;
+    }
+{% else %}
+    location / {
+        return 301 https://$host$request_uri;
+    }
+{% endif %}
+}
+
+{% if not (item.acme_only | default(false)) %}
+server {
+    listen 443 ssl http2{% if item.default_server | default(false) %} default_server{% endif %};
+    listen [::]:443 ssl http2{% if item.default_server | default(false) %} default_server{% endif %};
+    server_name {{ item.server_names | join(' ') }};
+
+{% if item.acme_managed | default(true) %}
+{% set certificate_name = item.certificate_name | default(item.server_names[0]) %}
+{% set nginx_site_has_live_cert = nginx_acme_certificates_available[item.name] | default(false) %}
+{% if nginx_site_has_live_cert %}
+    ssl_certificate /etc/letsencrypt/live/{{ certificate_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ certificate_name }}/privkey.pem;
+{% else %}
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+{% endif %}
+{% endif %}
+
+    client_max_body_size 50m;
+
+{% if item.static_root is defined %}
+    root {{ item.static_root }};
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+{% else %}
+{% for location in item.static_locations | default([]) %}
+{% if location.path.endswith('/') %}
+    location = {{ location.path[:-1] }} {
+        return 301 {{ location.path }};
+    }
+{% endif %}
+    location ^~ {{ location.path }} {
+        alias {{ location.alias }};
+{% if location.autoindex | default(false) %}
+        autoindex on;
+{% endif %}
+    }
+{% endfor %}
+    location / {
+        proxy_pass http://{{ item.upstream_host }}:{{ item.upstream_port }};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+{% if item.websocket | default(false) %}
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+{% endif %}
+    }
+{% endif %}
+}
+{% endif %}