Added nginx

ansible/roles/nginx/files/docker-compose.yaml

@@ -0,0 +1,23 @@
+version: '3.5'
+services:
+  nginx:
+    container_name: nginx
+    image: nginx
+    restart: unless-stopped
+    volumes:
+      - /srv/nginx/conf.d:/etc/nginx/conf.d:ro
+      - /srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /srv/certbot/etc:/etc/letsencrypt
+      - /srv/certbot/www:/var/www/certbot
+    ports:
+      - "80:80"
+      - "443:443"
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+    networks:
+      - nginx
+
+networks:
+  nginx:
+    driver: bridge
+    name: nginx
+

ansible/roles/nginx/tasks/main.yaml

@@ -0,0 +1,38 @@
+---
+
+- name: install base apps
+  apt:
+    force_apt_get: yes
+    name:
+      - docker-compose-v2
+
+- name: base path
+  file:
+    path: "/srv/nginx/conf.d"
+    state: directory
+    recurse: true
+
+- name: copy docker-compose
+  copy:
+    src: files/docker-compose.yaml
+    dest: /srv/nginx/docker-compose.yaml
+  register: dockercompose
+
+- name: nginx config
+  template:
+    src: templates/nginx.conf
+    dest: /srv/nginx/nginx.conf
+  register: nginxconf
+
+- name: launch nginx
+  command: docker compose up -d
+  args:
+    chdir: /srv/nginx
+
+- name: restart nginx
+  command: docker compose restart
+  args:
+    chdir: /srv/nginx
+  when: dockercompose.changed or nginxconf.changed
+
+

ansible/roles/nginx/templates/nginx.conf

@@ -0,0 +1,73 @@
+user nginx;
+
+worker_processes    auto;
+
+events { worker_connections 1024; }
+
+http {
+
+    charset utf-8;
+    server {
+        listen 80;
+        server_name {{domain_name}};
+        server_tokens off;
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        location / {
+            return 301 https://$host$request_uri;
+        }
+
+    }
+
+    server {
+        # Hide nginx version information.
+        server_tokens off;
+
+        listen  443 ssl default_server;
+
+        server_name {{domain_name}};
+
+        root    /usr/share/nginx/html;
+        include /etc/nginx/mime.types;
+
+        ssl_certificate /etc/letsencrypt/live/{{domain_name}}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/{{domain_name}}/privkey.pem;
+
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        gzip            on;
+        gzip_vary       on;
+        gzip_http_version  1.0;
+        gzip_comp_level 5;
+        gzip_types
+                        application/atom+xml
+                        application/javascript
+                        application/json
+                        application/rss+xml
+                        application/vnd.ms-fontobject
+                        application/x-font-ttf
+                        application/x-web-app-manifest+json
+                        application/xhtml+xml
+                        application/xml
+                        font/opentype
+                        image/svg+xml
+                        image/x-icon
+                        text/css
+                        text/plain
+                        text/x-component;
+        gzip_proxied    no-cache no-store private expired auth;
+        gzip_min_length 256;
+        gunzip          on;
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+
+}

ansible/site.yaml

@@ -8,5 +8,6 @@
 - name: mastodon instance
   hosts: social
   roles:
+    - { role: nginx, become: yes }
     - { role: mastodon, become: yes }