From ba0c70532f858537b05727033737fb275bf86755 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 27 May 2019 23:49:38 +0300
Subject: [PATCH] first version of proxy site for nginx

---
 roles/nginx/site/tasks/main.yml | 54 +++++++++++++++++++++++++
 roles/nginx/site/templates/site.conf.j2 | 42 +++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 roles/nginx/site/tasks/main.yml
 create mode 100644 roles/nginx/site/templates/site.conf.j2

diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx/site/tasks/main.yml
new file mode 100644
index 0000000..9b4fd02
--- /dev/null
+++ b/roles/nginx/site/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: "create site data directory for {{ site }}"
+  file:
+    path: "/srv/web/{{ site }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: "{{ ansible_wheel }}"
+  when: redirect is not defined and proxy is not defined
+
+- name: "create site config for {{ site }}"
+  template:
+    dest: /etc/nginx/conf.d/{{ site }}.conf
+    src: site.conf.j2
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: restart nginx
+
+- name: "copy site private key for {{ site }}"
+  copy:
+    dest: "{{ tls_private }}/{{ site }}.key"
+    src: "{{ item }}"
+    mode: 0600
+    owner: root
+    group: "{{ ansible_wheel }}"
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ site }}/privkey.pem"
+    - "/srv/ca/private/{{ inventory_hostname }}.key"
+  notify: restart nginx
+
+- name: "copy site certificate chain for {{ site }}"
+  copy:
+    src: "{{ item }}"
+    dest: "{{ tls_certs }}/{{ site }}-chain.crt"
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ site }}/chain.pem"
+    - "/srv/ca/certs/ca.crt"
+  notify: restart nginx
+
+- name: "copy site certificate for {{ site }}"
+  copy:
+    src: "{{ item }}"
+    dest: "{{ tls_certs }}/{{ site }}.crt"
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ site }}/cert.pem"
+    - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+  notify: restart nginx
diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2
new file mode 100644
index 0000000..2c4f003
--- /dev/null
+++ b/roles/nginx/site/templates/site.conf.j2
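Review bot: The "copy site private key" task has no `no_log`/`diff` guard, so a run with `--diff` or high verbosity can print the PEM body of `privkey.pem` (or the CA-issued host key) into the console and whatever collects playbook output; add `no_log: true` (or at minimum `diff: false`) to that task. The octal modes `0755`/`0644`/`0600` are unquoted, which YAML 1.1 parsers turn into integers — Ansible tolerates the leading-zero form but ansible-lint flags it, so write them as `mode: "0600"` etc. The fallback `/srv/ca/private/{{ inventory_hostname }}.key` silently installs the host key under the site's name whenever no Let's Encrypt key exists; if that is a deliberate bootstrap path, a comment such as `# bootstrap: fall back to the host key/cert until a Let's Encrypt cert for {{ site }} exists` would stop a reader from mistaking a mismatched key for an error.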
@@ -0,0 +1,42 @@
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ site }};
+
+    ssl_certificate {{ tls_certs }}/{{ site }}.crt;
+    ssl_trusted_certificate {{ tls_certs }}/{{ site }}-chain.crt;
+    ssl_certificate_key {{ tls_private }}/{{ site }}.key;
+
+{% if redirect is defined %}
+    return 301 {{ redirect }};
+{% elif proxy is defined %}
+    location / {
+        proxy_pass {{ proxy }};
+        proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+        proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+    }
+{% else %}
+    root /srv/web/{{ site }};
+{% endif %}
+    include /etc/nginx/conf.d/{{ site }}/*.conf;
+}
+
+server {
+    ssl off;
+    listen 80;
+    listen [::]:80;
+    server_name {{ site }};
+    location /.well-known/acme-challenge/ {
+        proxy_pass https://noc02.home.foo.sh/.well-known/acme-challenge/;
+        proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+        proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
+    }
+    location / {
+{% if redirect is defined %}
+        return 301 {{ redirect }};
+{% else %}
+        return 301 https://$host$request_uri;
+{% endif %}
+    }
+}
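Review bot: Both proxied locations (the `location /` in the proxy branch and the acme-challenge proxy to noc02) present a client certificate via `proxy_ssl_certificate` but never verify the backend — nginx's `proxy_ssl_verify` defaults to off, so the TLS hop to `{{ proxy }}` / noc02 accepts any certificate and the host's client cert is offered to whoever answers. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA that issued the backend certificate>;` to both blocks (the tasks copy `/srv/ca/certs/ca.crt` as the chain fallback, but which anchor the backends chain to is not visible here). Separately, `ssl_certificate` points at `{{ site }}.crt`, which the tasks fill from `cert.pem` (leaf only) while the intermediate ends up in `ssl_trusted_certificate`; nginx uses the latter only for OCSP stapling and client-cert verification, so browsers will not receive the intermediate — copy `fullchain.pem` into `{{ site }}.crt` instead. `ssl off;` in the port-80 block is deprecated since nginx 1.15 and has no effect on a plain `listen 80`, so it can be dropped.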