Add nginx proxy server

hosts

@@ -7,7 +7,7 @@ dns:
     dns_2:
       ansible_host: 192.168.1.4
       sync_target: 192.168.1.3
-nginx:
+proxy:
   hosts:
-    nginx_1:
+    proxy_1:
       ansible_host: 192.168.1.12

roles/docker/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Add apt key for docker
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add docker repository into sources list
+  apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu jammy stable
+    state: present
+
+- name: Install docker packages
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+    state: present

roles/firewall/tasks/main.yml

@@ -41,6 +41,14 @@
     jump: ACCEPT
   notify: Persist iptables
 
+- name: Allow admin web (nginx proxy)
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 81
+    jump: ACCEPT
+  notify: Persist iptables
+
 - name: Allow dns
   iptables:
     chain: INPUT

roles/nginx-proxy-manager/files/default.conf

@@ -0,0 +1,42 @@
+# "You are not configured" page, which is the default if another default doesn't exist
+server {
+	listen 80;
+	listen [::]:80;
+
+	set $forward_scheme "http";
+	set $server "127.0.0.1";
+	set $port "80";
+
+	server_name localhost-nginx-proxy-manager;
+	access_log /data/logs/fallback_access.log standard;
+	error_log /data/logs/fallback_error.log warn;
+	include conf.d/include/assets.conf;
+	include conf.d/include/block-exploits.conf;
+	include conf.d/include/letsencrypt-acme-challenge.conf;
+
+	location / {
+		return 444;
+		index index.html;
+		root /var/www/html;
+	}
+	return 444;
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	set $forward_scheme "https";
+	set $server "127.0.0.1";
+	set $port "443";
+
+	server_name localhost;
+	access_log /data/logs/fallback_access.log standard;
+	error_log /dev/null crit;
+	ssl_certificate /data/nginx/dummycert.pem;
+	ssl_certificate_key /data/nginx/dummykey.pem;
+	include conf.d/include/ssl-ciphers.conf;
+
+	return 444;
+}

roles/nginx-proxy-manager/files/docker-compose.yml

@@ -0,0 +1,13 @@
+version: "3"
+services:
+  app:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    ports:
+      - 80:80 # Public HTTP Port
+      - 443:443 # Public HTTPS Port
+      - 81:81 # Admin Web Port
+    volumes:
+      - ./data:/data
+      - ./letsencrypt:/etc/letsencrypt
+      - ./default.conf:/etc/nginx/conf.d/default.conf

roles/nginx-proxy-manager/files/production.conf

@@ -0,0 +1,33 @@
+# Admin Interface
+server {
+        listen 81;
+        listen [::]:81;
+
+        server_name nginxproxymanager;
+        root /app/frontend;
+        access_log /dev/null;
+
+        location /api {
+                return 302 /api/;
+        }
+
+        location /api/ {
+                add_header            X-Served-By $host;
+                proxy_set_header Host $host;
+                proxy_set_header      X-Forwarded-Scheme $scheme;
+                proxy_set_header      X-Forwarded-Proto  $scheme;
+                proxy_set_header      X-Forwarded-For    $remote_addr;
+                proxy_pass            http://127.0.0.1:3000/;
+
+                proxy_read_timeout 15m;
+                proxy_send_timeout 15m;
+        }
+
+        location / {
+                index index.html;
+                if ($request_uri ~ ^/(.*)\.html$) {
+                        return 302 /$1;
+                }
+                try_files $uri $uri.html $uri/ /index.html;
+        }
+}

roles/nginx-proxy-manager/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Create npm user
+  user:
+    name: npm
+    groups: docker
+    shell: /bin/bash
+    state: present
+
+- name: Create npm directory
+  become: yes
+  become_user: npm
+  file:
+    path: /home/npm/npm
+    state: directory
+
+- name: Put npm docker-compose in place
+  copy:
+    src: files/docker-compose.yml
+    dest: /home/npm/npm/docker-compose.yml
+    mode: 0600
+    owner: npm
+    group: npm
+
+- name: Put default npm config in place
+  copy:
+    src: files/default.conf
+    dest: /home/npm/npm/default.conf
+    mode: 0644
+    owner: npm
+    group: npm
+
+- name: Start npm
+  become: yes
+  become_user: npm
+  command:
+    chdir: /home/npm/npm
+    cmd: docker compose up -d

site.yml

@@ -18,3 +18,9 @@
   roles:
     - role: pihole
       tags: pihole
+- hosts: proxy
+  become: yes
+  roles:
+    - role: docker
+    - role: nginx-proxy-manager
+      tags: npm