From 1380efe40049b63e5b81294033a523b8efed5e0e Mon Sep 17 00:00:00 2001
From: Matej Focko <me@mfocko.xyz>
Date: Fri, 12 Jul 2024 15:00:55 +0200
Subject: [PATCH] feat(server/nginx): implement nginx role

Signed-off-by: Matej Focko <me@mfocko.xyz>
---
 roles/server/nginx/defaults/main.yml          | 11 +++
 roles/server/nginx/files/nginx.conf           | 17 ++++
 roles/server/nginx/files/proxy.conf           | 12 +++
 roles/server/nginx/tasks/install.yml          |  6 ++
 roles/server/nginx/tasks/main.yml             | 89 +++++++++++++++++++
 roles/server/nginx/templates/http.conf        | 74 +++++++++++++++
 roles/server/nginx/templates/me.conf          | 20 +++++
 .../server/nginx/templates/reverse_proxy.conf | 13 +++
 roles/server/nginx/templates/ssl.conf         | 14 +++
 9 files changed, 256 insertions(+)
 create mode 100644 roles/server/nginx/defaults/main.yml
 create mode 100644 roles/server/nginx/files/nginx.conf
 create mode 100644 roles/server/nginx/files/proxy.conf
 create mode 100644 roles/server/nginx/tasks/install.yml
 create mode 100644 roles/server/nginx/tasks/main.yml
 create mode 100644 roles/server/nginx/templates/http.conf
 create mode 100644 roles/server/nginx/templates/me.conf
 create mode 100644 roles/server/nginx/templates/reverse_proxy.conf
 create mode 100644 roles/server/nginx/templates/ssl.conf

diff --git a/roles/server/nginx/defaults/main.yml b/roles/server/nginx/defaults/main.yml
new file mode 100644
index 0000000..99cb0a1
--- /dev/null
+++ b/roles/server/nginx/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# Name of the certificate generated by Certbot
+server_nginx_certname: None
+
+# List of reverse proxies to be set up; objects of ‹domain›, ‹upstream› and
+# ‹protocol› for proxying, e.g.:
+#
+#     - domain: "cockpit"
+#       upstream: "127.0.0.1:9090"
+#       protocol: "https"
+server_nginx_reverse_proxy: []
diff --git a/roles/server/nginx/files/nginx.conf b/roles/server/nginx/files/nginx.conf
new file mode 100644
index 0000000..fc92e15
--- /dev/null
+++ b/roles/server/nginx/files/nginx.conf
@@ -0,0 +1,17 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+include /etc/nginx/http.conf;
diff --git a/roles/server/nginx/files/proxy.conf b/roles/server/nginx/files/proxy.conf
new file mode 100644
index 0000000..d70928d
--- /dev/null
+++ b/roles/server/nginx/files/proxy.conf
@@ -0,0 +1,12 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+proxy_redirect off;
+proxy_http_version 1.1;
+proxy_buffering off;
+chunked_transfer_encoding off;
+proxy_read_timeout 86400;
diff --git a/roles/server/nginx/tasks/install.yml b/roles/server/nginx/tasks/install.yml
new file mode 100644
index 0000000..8335768
--- /dev/null
+++ b/roles/server/nginx/tasks/install.yml
@@ -0,0 +1,6 @@
+---
+- name: Install as module on AlmaLinux
+  ansible.builtin.dnf:
+    name: "@nginx:1.24"
+    state: present
+  when: ansible_distribution == "AlmaLinux"
diff --git a/roles/server/nginx/tasks/main.yml b/roles/server/nginx/tasks/main.yml
new file mode 100644
index 0000000..62979bd
--- /dev/null
+++ b/roles/server/nginx/tasks/main.yml
@@ -0,0 +1,89 @@
+---
+- name: Packages
+  ansible.builtin.include_tasks: install.yml
+  tags: install
+
+- name: Install the proxy snippet
+  ansible.builtin.copy:
+    src: files/proxy.conf
+    dest: /etc/nginx/proxy.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Install the SSL snippet
+  ansible.builtin.template:
+    src: templates/ssl.conf
+    dest: /etc/nginx/ssl.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Install the default config
+  ansible.builtin.copy:
+    src: files/nginx.conf
+    dest: /etc/nginx/nginx.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Install the HTTP config
+  ansible.builtin.template:
+    src: templates/http.conf
+    dest: /etc/nginx/http.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Enable $HOME shortcut
+  ansible.builtin.template:
+    src: templates/me.conf
+    dest: /etc/nginx/conf.d/me.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Allow httpd in homedirs in SELinux
+  ansible.posix.seboolean:
+    name: httpd_enable_homedirs
+    state: true
+    persistent: true
+  when: ansible_facts.selinux.status == 'enabled'
+
+- name: Enable reverse proxy
+  ansible.builtin.template:
+    src: templates/reverse_proxy.conf
+    dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
+    mode: 0644
+    owner: root
+    group: root
+  vars:
+    proxy_domain: "{{ item.domain }}"
+    proxy_upstream: "{{ item.upstream }}"
+    proxy_protocol: "{{ item.protocol }}"
+  loop: "{{ server_nginx_reverse_proxy }}"
+
+# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
+- name: Allow reverse proxy in SELinux
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy"
+
+- name: Enable nginx on firewall
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    immediate: true
+    permanent: true
+    state: enabled
+  loop:
+    - http
+    - https
+  tags: firewall
+
+- name: Enable nginx
+  ansible.builtin.service:
+    name: nginx
+    enabled: true
+    state: restarted
diff --git a/roles/server/nginx/templates/http.conf b/roles/server/nginx/templates/http.conf
new file mode 100644
index 0000000..2f5bbe7
--- /dev/null
+++ b/roles/server/nginx/templates/http.conf
@@ -0,0 +1,74 @@
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80;
+        listen       [::]:80;
+
+        return 301 https://$host$request_uri;
+    }
+
+# Settings for a TLS enabled server.
+#
+    server {
+        listen       443 ssl http2;
+        listen       [::]:443 ssl http2;
+        server_name  {{ host_fqdn }};
+        root         /usr/share/nginx/html;
+
+        ssl_certificate      /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
+        ssl_certificate_key  /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
+
+        # Allow TLS version 1.2 only, which is a recommended default these days
+        # by international information security standards.
+        ssl_protocols        TLSv1.2;
+
+        ssl_session_cache    shared:SSL:1m;
+        ssl_session_timeout  5m;
+
+        ssl_ciphers  HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers  on;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /404.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+
+        location ~ /\.git {
+            return 404;
+        }
+
+        location ~ ^/~(.+?)(/.*)?$ {
+	        alias      /home/$1/public_html$2;
+            autoindex  on;
+        }
+    }
+
+    map $http_upgrade $connection_upgrade {
+        default  upgrade;
+        ''       close;
+    }
+}
diff --git a/roles/server/nginx/templates/me.conf b/roles/server/nginx/templates/me.conf
new file mode 100644
index 0000000..192d437
--- /dev/null
+++ b/roles/server/nginx/templates/me.conf
@@ -0,0 +1,20 @@
+server {
+	include		ssl.conf;
+	include		fastcgi.conf;
+
+	server_name	me.{{ host_fqdn }};
+
+	root /home/{{ target_user }}/public_html;
+	index index.html index.htm;
+	autoindex on;
+
+	error_page 404 /404.html;
+	location = /40x.html {}
+
+	error_page 500 502 503 504 /50x.html;
+	location = /50x.html {}
+
+	location ~ /\.git {
+		return 404;
+	}
+}
diff --git a/roles/server/nginx/templates/reverse_proxy.conf b/roles/server/nginx/templates/reverse_proxy.conf
new file mode 100644
index 0000000..74694ae
--- /dev/null
+++ b/roles/server/nginx/templates/reverse_proxy.conf
@@ -0,0 +1,13 @@
+upstream {{ proxy_domain }} {
+	server {{ proxy_upstream }};
+}
+
+server {
+	include		ssl.conf;
+	server_name	{{ proxy_domain }}.{{ host_fqdn }};
+
+	location ~ / {
+		include proxy.conf;
+		proxy_pass {{ proxy_protocol }}://{{ proxy_domain }};
+	}
+}
diff --git a/roles/server/nginx/templates/ssl.conf b/roles/server/nginx/templates/ssl.conf
new file mode 100644
index 0000000..14a399b
--- /dev/null
+++ b/roles/server/nginx/templates/ssl.conf
@@ -0,0 +1,14 @@
+listen       443 ssl http2;
+
+ssl_certificate      /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
+ssl_certificate_key  /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;
+
+# Allow TLS version 1.2 only, which is a recommended default these days
+# by international information security standards.
+ssl_protocols        TLSv1.2;
+
+ssl_session_cache    shared:SSL:1m;
+ssl_session_timeout  5m;
+
+ssl_ciphers  HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers  on;