From 68619b80b52cdccae851d8d1d9a84e7f90abccf6 Mon Sep 17 00:00:00 2001
From: Stefan Haun
Date: Sat, 27 Aug 2022 14:03:10 +0200
Subject: [PATCH] Add role to setup nginx with HTTPS forward capabilities
---
 .../files/apt-preference-99nginx | 4 +
 roles/nginx-https-ingress/files/nginx.conf | 34 +++++++
 roles/nginx-https-ingress/handlers/main.yml | 7 ++
 roles/nginx-https-ingress/tasks/main.yml | 89 +++++++++++++++++++
 .../templates/dehydrated-host.conf.j2 | 14 +++
 .../templates/nginx.list.j2 | 2 +
 .../templates/passthrough.conf.j2 | 25 ++++++
 7 files changed, 175 insertions(+)
 create mode 100644 roles/nginx-https-ingress/files/apt-preference-99nginx
 create mode 100644 roles/nginx-https-ingress/files/nginx.conf
 create mode 100644 roles/nginx-https-ingress/handlers/main.yml
 create mode 100644 roles/nginx-https-ingress/tasks/main.yml
 create mode 100644 roles/nginx-https-ingress/templates/dehydrated-host.conf.j2
 create mode 100644 roles/nginx-https-ingress/templates/nginx.list.j2
 create mode 100644 roles/nginx-https-ingress/templates/passthrough.conf.j2
diff --git a/roles/nginx-https-ingress/files/apt-preference-99nginx b/roles/nginx-https-ingress/files/apt-preference-99nginx
new file mode 100644
index 0000000..1513083
--- /dev/null
+++ b/roles/nginx-https-ingress/files/apt-preference-99nginx
@@ -0,0 +1,4 @@
+Package: *
+Pin: origin nginx.org
+Pin: release o=nginx
+Pin-Priority: 900
diff --git a/roles/nginx-https-ingress/files/nginx.conf b/roles/nginx-https-ingress/files/nginx.conf
new file mode 100644
index 0000000..896c9a5
--- /dev/null
+++ b/roles/nginx-https-ingress/files/nginx.conf
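Review bot: `Package: *` together with `Pin-Priority: 900` prefers every package published under origin nginx.org over Debian's own build, not just nginx, so anything that repository ships now or in the future silently replaces the distribution version on this host. The role only needs the nginx packages, so narrow the record, e.g. `Package: nginx*`, and keep the two `Pin:` lines as they are. A one-line comment above the stanza saying why the third-party build is preferred (the stream module, per the tasks file) would save the next reader a lookup.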
@@ -0,0 +1,34 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +include /etc/nginx/passthrough.conf; + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/dehydrated-hosts/*; +} diff --git a/roles/nginx-https-ingress/handlers/main.yml b/roles/nginx-https-ingress/handlers/main.yml new file mode 100644 index 0000000..53aebbb --- /dev/null +++ b/roles/nginx-https-ingress/handlers/main.yml @@ -0,0 +1,7 @@ +# Handlers für nginx-https-proxy +--- +- name: restart nginx + service: + name: nginx + state: restarted + enabled: yes diff --git a/roles/nginx-https-ingress/tasks/main.yml b/roles/nginx-https-ingress/tasks/main.yml new file mode 100644 index 0000000..ff095d1 --- /dev/null +++ b/roles/nginx-https-ingress/tasks/main.yml 
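Review bot: The `http {}` block of this Internet-facing ingress keeps the package defaults and never sets `server_tokens off;`, so every response and error page from the port-80 servers advertises the exact nginx version; add `server_tokens off;` next to `sendfile on;`. Note that the `access_log /var/log/nginx/access.log main;` directive here covers the `http` context only — the `stream {}` block pulled in by `include /etc/nginx/passthrough.conf;` has to declare its own `log_format` and `access_log` or its connections go unlogged. The commented-out `#tcp_nopush on;` and `#gzip on;` lines are leftovers from the stock file; either drop them or make the decision explicit in a comment.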
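Review bot: `enabled: yes` in the `restart nginx` handler should be `enabled: true` — `yes` is a YAML 1.1 boolean that 1.2-strict parsers read as a string and yamllint's `truthy` rule rejects, and the tasks file already writes `update_cache: true`. The handler also uses the short module name `service:` while every task uses a fully qualified name (`ansible.builtin.apt`, `ansible.builtin.copy`, `ansible.builtin.template`); write `ansible.builtin.service:` for consistency. The header comment is in German and names the role `nginx-https-proxy` although the directory is `nginx-https-ingress`; suggest `# Handlers for the nginx-https-ingress role`.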
@@ -0,0 +1,89 @@ +# Tasks für nginx-https-proxy +--- +### Install required packages +# +# At this point, we also check that apt is available, +# which is assumed for all future operations. +- name: Install nginx prerequisites + ansible.builtin.apt: + state: present + name: + - apt-transport-https + - ca-certificates + - gnupg2 + +### Setup APT cache for the nginx repository +# +# We need the nginx repository to get the ngx_stream_core_module +# for SSL passthrough. + +- name: Add nginx apt-key + apt_key: + url: https://nginx.org/keys/nginx_signing.key + state: present + +- name: Add nginx's APT repository + ansible.builtin.template: + src: templates/nginx.list.j2 + dest: /etc/apt/sources.list.d/nginx.list + register: apt_repo + +- name: Set nginx APT preference + ansible.builtin.copy: + src: files/apt-preference-99nginx + dest: /etc/apt/preferences.d/99nginx + +- name: Update package cache + ansible.builtin.apt: + update_cache: true + when: apt_repo.changed + +### Install nginx + +- name: Install nginx + ansible.builtin.apt: + state: present + name: + # This version of nginx comes with the ngx_stream_core_module module + - nginx + + +### Configuration +- name: Setup passthrough matrix + ansible.builtin.template: + src: templates/passthrough.conf.j2 + dest: /etc/nginx/passthrough.conf + owner: root + group: root + mode: '0644' + notify: restart nginx + +- name: Create directory for dehydrated forwardings + ansible.builtin.file: + path: /etc/nginx/dehydrated-hosts + state: directory + owner: root + group: root + mode: '0755' + +- name: Setup dehydrated forwardings + ansible.builtin.template: + src: templates/dehydrated-host.conf.j2 + dest: "/etc/nginx/dehydrated-hosts/{{ item.server }}.conf" + owner: root + group: root + mode: '0644' + loop: "{{ ingress }}" + notify: restart nginx + +- name: Setup nginx configuration + # Note the order here: The nginx configuration _needs_ he dehydrated-hosts + # directory and the passthrough.conf file, so we do them first to ensure 
+ # a valid configuration in case the playbook is cancelled mid-way. + ansible.builtin.copy: + src: files/nginx.conf + dest: /etc/nginx/nginx.conf + owner: root + group: root + mode: '0644' + notify: restart nginx diff --git a/roles/nginx-https-ingress/templates/dehydrated-host.conf.j2 b/roles/nginx-https-ingress/templates/dehydrated-host.conf.j2 new file mode 100644 index 0000000..7647271 --- /dev/null +++ b/roles/nginx-https-ingress/templates/dehydrated-host.conf.j2 @@ -0,0 +1,14 @@ +# Dehydrated forwardings for server {{ item.server }} +{% if 'hosts' in item %} +{% for host in item.hosts %} +server { + listen 80; + listen [::]:80; + server_name {{ host }}; + + location /.well-known/acme-challenge { + proxy_pass http://{{ item.server }}.n39.eu:80; + } +} +{% endfor %} +{% endif %} diff --git a/roles/nginx-https-ingress/templates/nginx.list.j2 b/roles/nginx-https-ingress/templates/nginx.list.j2 new file mode 100644 index 0000000..9e4235f --- /dev/null +++ b/roles/nginx-https-ingress/templates/nginx.list.j2 @@ -0,0 +1,2 @@ +deb https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx +deb-src https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx diff --git a/roles/nginx-https-ingress/templates/passthrough.conf.j2 b/roles/nginx-https-ingress/templates/passthrough.conf.j2 new file mode 100644 index 0000000..b5deb41 --- /dev/null +++ b/roles/nginx-https-ingress/templates/passthrough.conf.j2 @@ -0,0 +1,25 @@ +# SSL passthrough matrix + +stream { + map $ssl_preread_server_name $name { +{% for i in ingress %} +{% if 'hosts' in i %} +{% for host in i.hosts %} + {{ host }} {{ i.server }}; +{% endfor %} +{% endif %} +{% endfor %} + } + +{% for i in ingress %} + upstream {{ i.server }} { + server {{ i.server }}.n39.eu:443; + } +{% endfor %} + + server { + listen 443; + proxy_pass $name; + ssl_preread on; + } +}
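Review bot: The `Add nginx apt-key` task imports `https://nginx.org/keys/nginx_signing.key` into the host-wide apt trust store without pinning a fingerprint, so the only thing standing between a bad download and a key that can sign any repository on the machine is the TLS connection, and `apt_key` is deprecated in current Ansible anyway. At minimum add `id: <EXPECTED_KEY_FINGERPRINT>` (placeholder — take the value from nginx's published key) so the module verifies what it imported; the better shape is to place the key under `/usr/share/keyrings/` and reference it with `[signed-by=...]` in the `nginx.list` template so it is trusted for this repository only. `Setup dehydrated forwardings` loops over `ingress` but the role ships no `defaults/main.yml`, so the play fails with an undefined variable on any host that does not set it — add `ingress: []` there; and entries later removed from `ingress` leave their files in `/etc/nginx/dehydrated-hosts`, which the `include /etc/nginx/dehydrated-hosts/*;` glob keeps loading, so a cleanup step is needed. The comment in `Setup nginx configuration` reads `_needs_ he dehydrated-hosts`; it should say `the`.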
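Review bot: `proxy_pass http://{{ item.server }}.n39.eu:80;` forwards the challenge with nginx's default `Host: $proxy_host`, i.e. `{{ item.server }}.n39.eu`, so the backend never sees the hostname being validated and can only answer from whichever server block is its default; add `proxy_set_header Host $host;` inside the location so the backend's vhost for `{{ host }}` is the one serving `/.well-known/acme-challenge`. The generated server block defines only that location, so any other request for these hostnames on port 80 is answered from the block's implicit default root (presumably a 404) instead of being sent to HTTPS; a `location / { return 301 https://$host$request_uri; }` makes the intent explicit. The `.n39.eu` suffix is hard-coded here and again in `passthrough.conf.j2`; a role variable such as `ingress_domain` keeps the two templates in step.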
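Review bot: The repository path hard-codes `packages/debian/` while the suite comes from `{{ ansible_distribution_release }}`, so on an Ubuntu host the template points a Debian path at an Ubuntu codename and `apt update` fails; either assert `ansible_distribution == 'Debian'` at the top of the tasks file or use `https://nginx.org/packages/{{ ansible_distribution | lower }}/`. The `deb-src` line doubles the metadata fetched on every `apt update` and nothing in the role builds from source; drop it unless it is needed. If the signing key is moved out of the global keyring, this is where `deb [signed-by=/usr/share/keyrings/<KEYRING_FILE>] ...` belongs.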
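Review bot: The `stream {}` block has no `access_log`, and the `access_log ... main;` in nginx.conf applies to the `http` context only, so every TLS connection this ingress forwards leaves no trace in the logs; define a stream `log_format` (e.g. `$remote_addr`, `$ssl_preread_server_name`, `$name`, `$status`, `$bytes_sent`) and an `access_log` inside the `server {}` block. `listen 443;` is IPv4 only while the port-80 servers in `dehydrated-host.conf.j2` also bind `[::]:80`; add `listen [::]:443;` for consistency. A ClientHello whose SNI is not in the `map` leaves `$name` empty and the connection is closed with only an error-log entry, which is a reasonable policy but deserves a comment on the `map`; and because this is passthrough, backends see the ingress address rather than the client's — `proxy_protocol on;` would preserve it if the backends can consume PROXY protocol.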