Initial commit

2026-04-25 20:00:25 +02:00 · 2026-04-25 20:00:25 +02:00 · 3d0d6c61ec
commit 3d0d6c61ec
10 changed files with 246 additions and 0 deletions
--- a/playbooks/reverseproxy.yml
+++ b/playbooks/reverseproxy.yml
@ -0,0 +1,81 @@
+- name: Nginx reverse proxy configuration
+  hosts: reverseproxy
+  handlers:
+    - name: Restart nginx
+      ansible.builtin.service:
+        name: nginx
+        state: restarted
+  tasks:
+    - name: Makes sure the nginx package is installed
+      ansible.builtin.apt:
+        pkg:
+          - nginx-full
+
+    - name: Nginx security configuration template
+      ansible.builtin.template:
+        src: "templates/nginx/snippets/security-hardening.conf.j2"
+        dest: "/etc/nginx/snippets/security-hardening.conf"
+        mode: '0644'
+      notify: Restart nginx
+
+    - name: Nginx security headers configuration template
+      ansible.builtin.template:
+        src: "templates/nginx/snippets/security-headers.conf.j2"
+        dest: "/etc/nginx/snippets/security-headers.conf"
+        mode: '0644'
+      notify: Restart nginx
+
+    - name: Create dhparam files
+      community.crypto.openssl_dhparam:
+        path: "/etc/nginx/dhparam.pem"
+        size: 4096
+
+    - name: Certificates generation
+      ansible.builtin.include_role:
+        name: geerlingguy.certbot
+      loop: "{{ site | dict2items }}"
+      when: "{{ item.value.tls | default(False) }}"
+      vars:
+        certbot_admin_email: "{{ acme_account.email }}"
+        certbot_install_method: package
+        certbot_auto_renew: true
+        certbot_auto_renew_user: "root"
+        certbot_create_if_missing: true
+        certbot_testmode: "{{ acme_account.testing | default(False) }}"
+        certbot_certs:
+          - name: "{{ item.key }}"
+            domains:
+              - "{{ item.key }}"
+
+    - name: Nginx website configuration template
+      ansible.builtin.template:
+        src: "templates/nginx/sites-available/default-reverse.j2"
+        dest: "/etc/nginx/sites-available/{{ item.key }}"
+        mode: '0644'
+      loop: "{{ site | dict2items }}"
+      when: "item.value.enabled"
+      notify: Restart nginx
+
+    - name: Removing disabled websites from nginx configuration
+      ansible.builtin.file:
+        path: "/etc/nginx/sites-available/{{ item.key }}"
+        state: absent
+      loop: "{{ site | dict2items }}"
+      when: "not item.value.enabled"
+
+    - name: Disable websites in nginx configuration
+      ansible.builtin.file:
+        path: "/etc/nginx/sites-enabled/{{ item.key }}"
+        state: absent
+      loop: "{{ site | dict2items }}"
+      when: "not item.value.enabled"
+      notify: Restart nginx
+
+    - name: Enable websites in nginx configuration
+      ansible.builtin.file:
+        src: "/etc/nginx/sites-available/{{ item.key }}"
+        dest: "/etc/nginx/sites-enabled/{{ item.key }}"
+        state: link
+      loop: "{{ site | dict2items }}"
+      when: "item.value.enabled"
+      notify: Restart nginx