diff --git a/ansible/roles/nginx/files/docker-compose.yaml b/ansible/roles/nginx/files/docker-compose.yaml
new file mode 100644
index 0000000..e56f962
--- /dev/null
+++ b/ansible/roles/nginx/files/docker-compose.yaml
@@ -0,0 +1,23 @@
+version: '3.5'
+services:
+ nginx:
+ container_name: nginx
+ image: nginx
+ restart: unless-stopped
+ volumes:
+ - /srv/nginx/conf.d:/etc/nginx/conf.d:ro
+ - /srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - /srv/certbot/etc:/etc/letsencrypt
+ - /srv/certbot/www:/var/www/certbot
+ ports:
+ - "80:80"
+ - "443:443"
+ command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+ networks:
+ - nginx
+
+networks:
+ nginx:
+ driver: bridge
+ name: nginx
+
diff --git a/ansible/roles/nginx/tasks/main.yaml b/ansible/roles/nginx/tasks/main.yaml
new file mode 100644
index 0000000..219dddc
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yaml
@@ -0,0 +1,38 @@
+---
+
+- name: install base apps
+ apt:
+ force_apt_get: yes
+ name:
+ - docker-compose-v2
+
+- name: base path
+ file:
+ path: "/srv/nginx/conf.d"
+ state: directory
+ recurse: true
+
+- name: copy docker-compose
+ copy:
+ src: files/docker-compose.yaml
+ dest: /srv/nginx/docker-compose.yaml
+ register: dockercompose
+
+- name: nginx config
+ template:
+ src: templates/nginx.conf
+ dest: /srv/nginx/nginx.conf
+ register: nginxconf
+
+- name: launch nginx
+ command: docker compose up -d
+ args:
+ chdir: /srv/nginx
+
+- name: restart nginx
+ command: docker compose restart
+ args:
+ chdir: /srv/nginx
+ when: dockercompose.changed or nginxconf.changed
+
+
diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf
new file mode 100644
index 0000000..6e67700
--- /dev/null
+++ b/ansible/roles/nginx/templates/nginx.conf
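Review bot: The `/srv/certbot/etc:/etc/letsencrypt` and `/srv/certbot/www:/var/www/certbot` mounts in the volumes list are read-write, yet nothing in this compose file or in the nginx.conf added by the same commit has nginx write to either path — the certificates and ACME challenge files are only read here and are presumably produced by a certbot container elsewhere. Mount them read-only like the two config mounts, `- /srv/certbot/etc:/etc/letsencrypt:ro` and `- /srv/certbot/www:/var/www/certbot:ro`, so a compromised nginx process cannot tamper with the private key or the challenge webroot. `image: nginx` is unpinned as well; pin a specific tag and ideally a digest (`image: nginx:<tag>@sha256:<digest>`, values to be filled in) so deploys are reproducible and upgrades are deliberate rather than whatever the registry serves next. The `version: '3.5'` key is treated as obsolete by Compose v2 (it logs a warning) and can be dropped.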
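Review bot: `launch nginx` runs `docker compose up -d` through `command` with no `changed_when`, so the task reports changed on every play and the role is never idempotent; either add `register: launch` and a `changed_when` derived from the compose output (as far as I recall it prints `Started`/`Created` only when it actually touched a container, so `changed_when: "'Started' in launch.stderr or 'Created' in launch.stderr"`), or use the `community.docker.docker_compose_v2` module, which reports changes itself. `docker compose up -d` already recreates the container when the compose file changes, so `dockercompose.changed` in the `restart nginx` condition is redundant — only `nginxconf.changed` needs a follow-up, and `docker compose exec nginx nginx -s reload` would apply the bind-mounted config without dropping live connections. Style: `force_apt_get: yes` should be `force_apt_get: true` (yamllint truthy), and `src: files/docker-compose.yaml` / `src: templates/nginx.conf` can be plain `docker-compose.yaml` / `nginx.conf`, since `copy` and `template` already search the role's `files/` and `templates/` directories. Fully qualified module names (`ansible.builtin.apt`, `ansible.builtin.copy`, …) would also match current Ansible conventions.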
@@ -0,0 +1,73 @@
+user nginx;
+
+worker_processes auto;
+
+events { worker_connections 1024; }
+
+http {
+
+ charset utf-8;
+ server {
+ listen 80;
+ server_name {{domain_name}};
+ server_tokens off;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ }
+
+ server {
+ # Hide nginx version information.
+ server_tokens off;
+
+ listen 443 ssl default_server;
+
+ server_name {{domain_name}};
+
+ root /usr/share/nginx/html;
+ include /etc/nginx/mime.types;
+
+ ssl_certificate /etc/letsencrypt/live/{{domain_name}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{domain_name}}/privkey.pem;
+
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ gzip on;
+ gzip_vary on;
+ gzip_http_version 1.0;
+ gzip_comp_level 5;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/x-component;
+ gzip_proxied no-cache no-store private expired auth;
+ gzip_min_length 256;
+ gunzip on;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+
+}
diff --git a/ansible/site.yaml b/ansible/site.yaml
index a38c7aa..08d81f4 100644
--- a/ansible/site.yaml
+++ b/ansible/site.yaml
@@ -8,5 +8,6 @@ - name: mastodon instance hosts: social roles: + - { role: nginx, become: yes } + - { role: mastodon, become: yes }
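Review bot: The `listen 443 ssl default_server` block sets no `Strict-Transport-Security` header, and certbot's `options-ssl-nginx.conf` included there only supplies protocol, cipher and session settings, so unless a file under `conf.d` adds it, browsers remain exposed to SSL stripping on each first visit despite the 80→443 redirect; add `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` inside that server block (drop `includeSubDomains` if any subdomain is not yet TLS-ready). Separately, `ssl_certificate /etc/letsencrypt/live/{{domain_name}}/fullchain.pem` makes nginx refuse to start until a certificate exists, while the ACME http-01 challenge that obtains it is served by the port-80 block of this same file — on a fresh host the `launch nginx` task in tasks/main.yaml will therefore fail or crash-loop until certbot has run once, and the commit does not address that bootstrap order (a first-run config without the 443 block, or a certbot role that runs before this one, would resolve it). `{{domain_name}}` is also substituted unescaped into `server_name` and the certificate paths; that is fine for a trusted inventory variable, but a comment at the top of the template stating that it must be a plain hostname set in inventory would make the assumption explicit.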