diff --git a/hosts b/hosts
index 77588da..e920187 100644
--- a/hosts
+++ b/hosts
@@ -7,7 +7,7 @@ dns:
 dns_2:
 ansible_host: 192.168.1.4
 sync_target: 192.168.1.3
-nginx:
+proxy:
 hosts:
- nginx_1:
+ proxy_1:
 ansible_host: 192.168.1.12
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..7e6ec80
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Add apt key for docker
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ state: present
+
+- name: Add docker repository into sources list
+ apt_repository:
+ repo: deb https://download.docker.com/linux/ubuntu jammy stable
+ state: present
+
+- name: Install docker packages
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+ state: present
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 5ba553d..55a0e33 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -41,6 +41,14 @@
 jump: ACCEPT
 notify: Persist iptables
+- name: Allow admin web (nginx proxy)
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 81
+ jump: ACCEPT
+ notify: Persist iptables
+ + - name: Allow dns iptables: chain: INPUT
diff --git a/roles/nginx-proxy-manager/files/default.conf b/roles/nginx-proxy-manager/files/default.conf
new file mode 100644
index 0000000..e2b5d81
--- /dev/null
+++ b/roles/nginx-proxy-manager/files/default.conf 
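Review bot: The `apt_key` task adds Docker's key to the legacy apt-key keyring, where it is trusted for every configured repository, and the `apt_repository` line pins the suite to `jammy` regardless of the target's release. Fetching the key into a dedicated keyring and referencing it with `signed-by=` scopes the trust to this one repository, and `ansible_distribution_release` keeps the role usable on other Ubuntu releases; this replaces the first two tasks of the hunk as sketched below. Consider also pinning the downloaded key with `get_url`'s `checksum:` once the expected value has been verified out of band.
```yaml
- name: Create apt keyrings directory
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Fetch docker signing key into a dedicated keyring
  get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

- name: Add docker repository into sources list
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present

# … unchanged: Install docker packages …
```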
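Review bot: The new `Allow admin web` rule accepts TCP/81 on INPUT from any source, which exposes the proxy manager's login UI to every network the host is reachable from; adding `source: <management-cidr>` to the task is the minimal fix. Note also that, as far as this commit's compose file shows, port 81 is published by Docker, and for IPv4 traffic to a Docker-published port is DNAT'd and evaluated in the FORWARD/DOCKER-USER chains rather than INPUT, so this INPUT rule neither gates nor enables that access; a matching restriction belongs in the DOCKER-USER chain, or in the publish address in the compose file, for it to be effective. Recording the intent in a comment above the task, e.g. `# Admin UI: intended for the management network only`, would help the next reader.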
@@ -0,0 +1,42 @@
+# "You are not configured" page, which is the default if another default doesn't exist
+server {
+ listen 80;
+ listen [::]:80;
+
+ set $forward_scheme "http";
+ set $server "127.0.0.1";
+ set $port "80";
+
+ server_name localhost-nginx-proxy-manager;
+ access_log /data/logs/fallback_access.log standard;
+ error_log /data/logs/fallback_error.log warn;
+ include conf.d/include/assets.conf;
+ include conf.d/include/block-exploits.conf;
+ include conf.d/include/letsencrypt-acme-challenge.conf;
+
+ location / {
+ return 444;
+ index index.html;
+ root /var/www/html;
+ }
+ return 444;
+}
+
+# First 443 Host, which is the default if another default doesn't exist
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ set $forward_scheme "https";
+ set $server "127.0.0.1";
+ set $port "443";
+
+ server_name localhost;
+ access_log /data/logs/fallback_access.log standard;
+ error_log /dev/null crit;
+ ssl_certificate /data/nginx/dummycert.pem;
+ ssl_certificate_key /data/nginx/dummykey.pem;
+ include conf.d/include/ssl-ciphers.conf;
+
+ return 444;
+}
diff --git a/roles/nginx-proxy-manager/files/docker-compose.yml b/roles/nginx-proxy-manager/files/docker-compose.yml
new file mode 100644
index 0000000..1c64e1b
--- /dev/null
+++ b/roles/nginx-proxy-manager/files/docker-compose.yml
@@ -0,0 +1,13 @@
+version: "3"
+services:
+ app:
+ image: 'jc21/nginx-proxy-manager:latest'
+ restart: unless-stopped
+ ports:
+ - 80:80 # Public HTTP Port
+ - 443:443 # Public HTTPS Port
+ - 81:81 # Admin Web Port
+ volumes:
+ - ./data:/data
+ - ./letsencrypt:/etc/letsencrypt
+ - ./default.conf:/etc/nginx/conf.d/default.conf
diff --git a/roles/nginx-proxy-manager/files/production.conf b/roles/nginx-proxy-manager/files/production.conf
new file mode 100644
index 0000000..53bd8ba
--- /dev/null
+++ b/roles/nginx-proxy-manager/files/production.conf 
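Review bot: The header comment describes the port-80 block as the "You are not configured" page, but `location /` returns 444 before `index`/`root` can apply and the server block returns 444 again, so no page is ever served and those two directives are dead; update the comment to `# Catch-all for unmatched Host headers: close the connection (444) instead of serving a page` and drop `index`/`root`. Keeping both fallbacks logging to `fallback_access.log` is worth retaining as-is, since hits there are the signal for host-header probing of the proxy. The `listen 443 ssl` block sends errors to `/dev/null crit`, so handshake failures against the dummy certificate will not be visible; consider the same `warn` level and log file the port-80 block uses.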
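Review bot: `image: 'jc21/nginx-proxy-manager:latest'` floats, so each `docker compose up` can silently pull a different release, and `- 81:81` publishes the admin UI on every host address. Pin the tag, e.g. `image: 'jc21/nginx-proxy-manager:<pinned-version>'`, and bind the admin port to the management address, `- "<mgmt-ip>:81:81"`, quoting port mappings as strings as Compose recommends. The `version: "3"` key is ignored with a warning by the Compose v2 CLI that the role invokes (`docker compose up -d`) and can be dropped.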
@@ -0,0 +1,33 @@
+# Admin Interface
+server {
+ listen 81;
+ listen [::]:81;
+
+ server_name nginxproxymanager;
+ root /app/frontend;
+ access_log /dev/null;
+
+ location /api {
+ return 302 /api/;
+ }
+
+ location /api/ {
+ add_header X-Served-By $host;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://127.0.0.1:3000/;
+
+ proxy_read_timeout 15m;
+ proxy_send_timeout 15m;
+ }
+
+ location / {
+ index index.html;
+ if ($request_uri ~ ^/(.*)\.html$) {
+ return 302 /$1;
+ }
+ try_files $uri $uri.html $uri/ /index.html;
+ }
+}
diff --git a/roles/nginx-proxy-manager/tasks/main.yml b/roles/nginx-proxy-manager/tasks/main.yml
new file mode 100644
index 0000000..14c32e0
--- /dev/null
+++ b/roles/nginx-proxy-manager/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Create npm user
+ user:
+ name: npm
+ groups: docker
+ shell: /bin/bash
+ state: present
+
+- name: Create npm directory
+ become: yes
+ become_user: npm
+ file:
+ path: /home/npm/npm
+ state: directory
+
+- name: Put npm docker-compose in place
+ copy:
+ src: files/docker-compose.yml
+ dest: /home/npm/npm/docker-compose.yml
+ mode: 0600
+ owner: npm
+ group: npm
+
+- name: Put default npm config in place
+ copy:
+ src: files/default.conf
+ dest: /home/npm/npm/default.conf
+ mode: 0644
+ owner: npm
+ group: npm
+
+- name: Start npm
+ become: yes
+ become_user: npm
+ command:
+ chdir: /home/npm/npm
+ cmd: docker compose up -d
diff --git a/site.yml b/site.yml
index a984fae..f95045b 100644
--- a/site.yml
+++ b/site.yml
@@ -18,3 +18,9 @@
 roles:
 - role: pihole
 tags: pihole
+- hosts: proxy
+ become: yes
+ roles:
+ - role: docker
+ - role: nginx-proxy-manager
+ tags: npm
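Review bot: This file is not referenced anywhere else in the commit — the compose file mounts only `default.conf` and the role copies only `docker-compose.yml` and `default.conf` — so as committed it is dead; either add `- ./production.conf:/etc/nginx/conf.d/production.conf` to the compose volumes plus a matching copy task, or drop it. If it is kept, `access_log /dev/null;` discards every request to the admin UI and the `/api/` login endpoint, which is exactly the traffic you want when investigating credential guessing; `access_log /data/logs/admin_access.log standard;` keeps it alongside the fallback logs. A header comment stating where the file is expected to be mounted would make the intent clear.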
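Review bot: `groups: docker` without `append: true` on the `Create npm user` task rewrites the user's supplementary groups on every run, and membership in `docker` is root-equivalent on the host, so the `become_user: npm` separation used later is not a privilege boundary; add `append: true` and a comment such as `# docker group is root-equivalent; this user is a service account, not a privilege boundary`. The `Start npm` task uses `command`, which reports changed on every run; a `changed_when` based on its output, or the `community.docker` compose module if that collection is available, would keep the play idempotent. `mode: 0600` / `mode: 0644` work here because of the leading zero but are safer quoted as `"0600"` / `"0644"`.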
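Review bot: `tags: npm` is attached only to the `nginx-proxy-manager` role entry, so `ansible-playbook --tags npm` runs it on a host where the untagged `docker` role was skipped and `docker compose up -d` has nothing to call; either tag both entries (`- role: docker` with its own `tags: npm`) or declare docker as a dependency in the role's `meta/main.yml`. `become: yes` is a YAML 1.1 boolean spelling; `become: true` is the canonical form.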