From 63d5eabd205423a3c9d853d0ea3b65988be6d1a9 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 14 Mar 2023 16:38:06 +0100
Subject: [PATCH] Initial commit
---
handlers/main.yml | 5 ++
meta/main.yml | 18 ++++++
tasks/main.yml | 8 +++
templates/nginx.conf.j2 | 118 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 149 insertions(+)
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/nginx.conf.j2
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..92cca9c
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..f139c39
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+ role_name: nginx-config-svc
+ author: 'Pierre-Olivier Mercier '
+ description: Abstraction to configure nginx server
+ license: GPL-3.0-or-later
+ min_ansible_version: 2.9
+ platforms:
+ - name: Alpine
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ae2a527
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: configure nginx for {{ instance_name }}
+ template:
+ src: nginx.conf.j2
+ dest: "/etc/nginx/http.d/{{ instance_name }}.conf"
+ mode: 0644
+ notify:
+ - reload nginx
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..b0f45bf
--- /dev/null
+++ b/templates/nginx.conf.j2
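Review bot: The handler in handlers/main.yml is named `reload nginx` but uses `state: restarted`, which tears down every in-flight connection each time a vhost file changes, and a restart on a configuration nginx rejects leaves the service down until someone intervenes. `state: reloaded` matches the handler's name and makes nginx re-read its configuration gracefully, keeping the old workers serving if the new config fails validation. If a hard restart is really intended, rename the handler (and the `notify` entry in tasks/main.yml, which references it by this exact name) so the behavior is not misleading.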
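Review bot: In tasks/main.yml, `mode: 0644` is an unquoted leading-zero scalar that YAML 1.1 parsers read as the integer 420; Ansible tolerates that, but ansible-lint flags it (`risky-octal`) and the same line written as `644` would silently become mode 01204, so write `mode: '0644'`. `instance_name` is interpolated into `dest` without any check — if it can be supplied from inventory or `-e`, a value containing `/` or `..` writes the rendered file outside `/etc/nginx/http.d/`; an `assert` task before this one that `instance_name is match('^[A-Za-z0-9_.-]+$')` bounds that, and the same variable also feeds the `ssl_certificate` paths in the template. The template renders a single vhost include, so `validate: nginx -t` cannot be attached here directly; the handler note above covers the graceful-reload side of that.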
@@ -0,0 +1,118 @@ +{% if before_server is defined %} +{{ before_server }} +{% endif %} +server { + {% if listen80 is defined -%} + {{ listen80 }} + {% else %} + listen 80; + listen [::]:80; + {% endif %} +{% if proxy_protocol is defined %} + + listen 81 proxy_protocol; + listen [::]:81 proxy_protocol; + real_ip_header proxy_protocol; +{% for ip in proxy_protocol.ipv4 %} + set_real_ip_from {{ ip }}; +{% endfor %} +{% for ip in proxy_protocol.ipv6 %} + set_real_ip_from {{ ip }}; +{% endfor %} + + port_in_redirect off; +{% endif %} + server_name {{ domains | join(' ') }}; + + location / { + # enforce https + return 301 https://$server_name:443$request_uri; + } + {% if unsecure_server is defined %} + {{ unsecure_server }} + {% endif %} + location /.well-known/acme-challenge { + {% if acme_challenge is defined %} + {{ acme_challenge }} + {% else %} + root /var/www/acme; + {% endif %} + } +} + +server { + {% if listen443 is defined -%} + {{ listen443 }} + {% else %} + listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2; + listen [::]:443 ssl http2; + {% endif %} + server_name {% if redirect_to_first is not defined or not redirect_to_first %}{{ domains | join(' ') }}{% else %}{{ domains[0] }}{% endif %}; +{% if proxy_protocol is defined %} + + listen 442 ssl http2 proxy_protocol; + listen [::]:442 ssl http2 proxy_protocol; + real_ip_header proxy_protocol; +{% for ip in proxy_protocol.ipv4 %} + set_real_ip_from {{ ip }}; +{% endfor %} +{% for ip in proxy_protocol.ipv6 %} + set_real_ip_from {{ ip }}; +{% endfor %} + + port_in_redirect off; +{% endif %} + + {% if ssl_certificate is defined %} + {{ ssl_certificate }} + {% else %} + ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt; + ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem; + {% endif %} + + add_header X-XSS-Protection "0"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" 
always; + {% if headers is defined %}{{ headers }}{% endif %} + + {% if server %} + {{ server }} + {% endif %} +} +{% if redirect_to_first is defined and redirect_to_first and domains|length > 1 %} +server { + listen {% if ansible_hostname is defined and ansible_hostname == 'ouaset' %}unix:/var/run/nginx-https.sock{% else %}443{% endif %} ssl http2; + listen [::]:443 ssl http2; + server_name {{ domains[1:] | join(' ') }}; +{% if proxy_protocol is defined %} + + listen 442 ssl http2 proxy_protocol; + listen [::]:442 ssl http2 proxy_protocol; + real_ip_header proxy_protocol; +{% for ip in proxy_protocol.ipv4 %} + set_real_ip_from {{ ip }}; +{% endfor %} +{% for ip in proxy_protocol.ipv6 %} + set_real_ip_from {{ ip }}; +{% endfor %} + + port_in_redirect off; +{% endif %} + + {% if ssl_certificate is defined %} + {{ ssl_certificate }} + {% else %} + ssl_certificate /etc/ssl/csr/{{ instance_name }}-fullchain.crt; + ssl_certificate_key /etc/ssl/private/{{ instance_name }}.pem; + {% endif %} + + add_header X-XSS-Protection "0"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always; + + location / { + rewrite (.*) https://{{ domains[0] }}$1; + } +} +{% endif %} +{% if after_server is defined %} +{{ after_server }} +{% endif %}
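Review bot: The HSTS `add_header` in the 443 server block is silently not sent for any `location` that `{{ headers }}` or `{{ server }}` injects with its own `add_header`, because nginx replaces rather than merges the parent's add_header set when a location declares one; either document that contract for the `headers`/`server` variables (callers must repeat the HSTS line) or move the two `add_header` lines into a snippet that injected locations `include`. `{% if server %}` also differs from the `is defined` test used for every other optional variable; under Ansible's strict undefined handling that line appears to fail the template task when `server` is absent instead of skipping the block, so `{% if server is defined %}` is the consistent form unless `server` is meant to be mandatory, which the role should then state. The port-80 redirect `return 301 https://$server_name:443$request_uri;` uses `$server_name`, the first name in the `server_name` directive, so a request for any other listed domain lands on `domains[0]` rather than the host it asked for; if that is unintended, `$host` (bounded here by the `server_name` match) preserves it, and the explicit `:443` is redundant. The `proxy_protocol` listen/`set_real_ip_from` stanza is copied three times and would be safer to maintain as one Jinja macro.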