From 5d126b1ce15cda2122ca91c1559461f129a21f91 Mon Sep 17 00:00:00 2001
From: mustard
Date: Tue, 14 Oct 2025 00:19:53 +0200
Subject: [PATCH] chore: improve nginx role so config can be shared and avoid unneeded duplication between roles / VMs

---
 roles/nginx/files/frontend.network | 1 +
 roles/nginx/files/nginx.conf | 41 ++++++++++++++++++++++++++++++
 roles/nginx/files/nginx.container | 10 ++++++--
 roles/nginx/tasks/main.yaml | 35 ++++++++++++++++++++++---
 4 files changed, 81 insertions(+), 6 deletions(-)
 create mode 100644 roles/nginx/files/frontend.network
 create mode 100644 roles/nginx/files/nginx.conf

diff --git a/roles/nginx/files/frontend.network b/roles/nginx/files/frontend.network
new file mode 100644
index 0000000..264f70a
--- /dev/null
+++ b/roles/nginx/files/frontend.network
@@ -0,0 +1 @@
+[Network]
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..bb7e7c5
--- /dev/null
+++ b/roles/nginx/files/nginx.conf
@@ -0,0 +1,41 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+
+
+events
+{
+    worker_connections 1024;
+}
+
+
+http
+{
+    proxy_temp_path /tmp/proxy_temp;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+    # log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    #tcp_nopush on;
+
+    keepalive_timeout 65;
+
+    #gzip on;
+
+    include /etc/nginx/conf.d/*.conf;
+
+}
+
diff --git a/roles/nginx/files/nginx.container b/roles/nginx/files/nginx.container
index 3ee6f66..c4ac84d 100644
--- a/roles/nginx/files/nginx.container
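Review bot: The new http block in nginx.conf leaves `server_tokens` at its default, so every response header and error page will advertise the nginx version on the ports this container now exposes directly; adding `server_tokens off;` next to `sendfile on;` is the usual hardening step for an edge proxy. The commented `# log_format main '$proxy_protocol_addr ...` line sits between the string arguments of the live `log_format` directive; nginx's parser accepts a `#` comment at a token boundary, but it reads as if it were part of the format, so move it above the directive or drop it. If a proxy-protocol frontend is ever put in front of this instance, the active `$remote_addr` would log the proxy rather than the client — whether that applies cannot be told from this patch.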
+++ b/roles/nginx/files/nginx.container
@@ -1,11 +1,17 @@
 [Unit]
 Description=nginx container
+Requires=jellyfin.service
+After=jellyfin.service
 
 [Container]
 ContainerName=nginx
 Image=ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
-PublishPort=8080:8080
-Volume=/srv/nginx/tls.conf:/etc/nginx/tls.conf:ro
+PublishPort=80:8080
+PublishPort=443:8443
+Network=frontend.network
+Volume=/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+Volume=/srv/nginx/conf.d:/etc/nginx/conf.d:ro
+Volume=/srv/certs:/etc/nginx/ssl:Z
 PodmanArgs=--runtime runsc --security-opt label:disable
 Label=disable
 AutoUpdate=registry
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 26e478c..288a826 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@@ -2,7 +2,19 @@
   ansible.builtin.file:
     path: /srv/nginx
     state: directory
-    mode: '0644'
+    mode: '0755'
+
+- name: Create certs dir if it doesn't exist
+  ansible.builtin.file:
+    path: /srv/certs
+    state: directory
+    mode: '0755'
+
+- name: Create conf.d dir if it doesn't exist
+  ansible.builtin.file:
+    path: /srv/nginx/conf.d
+    state: directory
+    mode: '0755'
 
 - name: Copy over nginx.container file
   ansible.builtin.copy:
@@ -12,10 +24,26 @@
     group: root
     mode: '0644'
 
+- name: Copy over nginx.conf file
+  ansible.builtin.copy:
+    src: ./files/nginx.conf
+    dest: /srv/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Copy over tls.conf file
   ansible.builtin.copy:
     src: ./files/tls.conf
-    dest: /srv/nginx/tls.conf
+    dest: /srv/nginx/conf.d/tls.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Copy over frontend network
+  ansible.builtin.copy:
+    src: ./files/frontend.network
+    dest: /etc/containers/systemd/frontend.network
     owner: root
     group: root
     mode: '0644'
@@ -27,6 +55,5 @@
 - name: Start nginx container
   ansible.builtin.systemd_service:
     name: nginx.service
-    state: started
-    enabled: true
+    state: restarted
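Review bot: The new `Volume=/srv/certs:/etc/nginx/ssl:Z` line mounts the certificate directory read-write, unlike the two other new volumes which are `:ro`; nginx only needs to read the key and chain, so `Volume=/srv/certs:/etc/nginx/ssl:ro,Z` keeps a compromised worker from altering or planting key material on the host. The `:Z` private relabel is also worth a second look: the context lines `Label=disable` and `--security-opt label:disable` run the container unconfined, so the relabel gains nothing inside the container while it may lock an SELinux-confined host-side certificate issuer out of `/srv/certs` — drop it, or use `:z` if the directory is genuinely shared. `Requires=jellyfin.service` additionally makes nginx stop whenever jellyfin stops or fails; if the proxy should keep serving anything else, `Wants=jellyfin.service` with the existing `After=` is the looser dependency.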
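Review bot: The `Create certs dir` task creates `/srv/certs` with `mode: '0755'`, i.e. world-readable and traversable, although the container file mounts that directory as the TLS key store; unless the key files themselves are restricted separately, `mode: '0750'` with an explicit `owner`/`group` matching the uid the unprivileged nginx runs as on the host is the tighter default. None of the three directory tasks in this hunk set `owner`/`group`, while the copy tasks further down pin `root:root`, so ownership depends on the privilege escalation in use — worth stating explicitly. The same applies to the `/srv/nginx/conf.d` task, though that directory holds only configuration.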
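Review bot: The three new copy tasks (`nginx.conf`, `tls.conf`, `frontend.network`) carry no `notify`, so a changed file only reaches the container because the final task of the role is switched to `state: restarted` in the last hunk; attaching `notify: Restart nginx` to each copy (and to the `nginx.container` copy above) would restart only on actual change and keep the role idempotent. `frontend.network` is a quadlet unit dropped into `/etc/containers/systemd`, so a `daemon_reload` has to run after it is copied for the generator to pick it up — if such a task exists it is outside this hunk. `src: ./files/nginx.conf` works, but the role-relative `src: nginx.conf` is the conventional spelling and is already resolved against `files/`.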