chore: improve nginx role so config can be shared and avoid unneeded duplication between roles / VMs

2025-10-14 00:19:53 +02:00 · 2025-10-14 00:19:53 +02:00 · 5d126b1ce1
commit 5d126b1ce1
parent 5b9295d3a5
4 changed files with 81 additions and 6 deletions
--- a/roles/nginx/files/frontend.network
+++ b/roles/nginx/files/frontend.network
@ -0,0 +1 @@
+[Network]
--- a/roles/nginx/files/nginx.conf
+++ b/roles/nginx/files/nginx.conf
@ -0,0 +1,41 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+
+
+events
+{
+	worker_connections 1024;
+}
+
+
+http
+{
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+	#        log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
+	'$status $body_bytes_sent "$http_referer" '
+	'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	sendfile on;
+	#tcp_nopush     on;
+
+	keepalive_timeout 65;
+
+	#gzip  on;
+
+	include /etc/nginx/conf.d/*.conf;
+
+}
+
--- a/roles/nginx/files/nginx.container
+++ b/roles/nginx/files/nginx.container
@ -1,11 +1,17 @@
 [Unit]
 Description=nginx container
+Requires=jellyfin.service
+After=jellyfin.service

 [Container]
 ContainerName=nginx
 Image=ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
-PublishPort=8080:8080
-Volume=/srv/nginx/tls.conf:/etc/nginx/tls.conf:ro
+PublishPort=80:8080
+PublishPort=443:8443
+Network=frontend.network
+Volume=/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+Volume=/srv/nginx/conf.d:/etc/nginx/conf.d:ro
+Volume=/srv/certs:/etc/nginx/ssl:Z
 PodmanArgs=--runtime runsc --security-opt label:disable
 Label=disable
 AutoUpdate=registry
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@ -2,7 +2,19 @@
  ansible.builtin.file:
    path: /srv/nginx
    state: directory
-    mode: '0644'
+    mode: '0755'
+
+- name: Create certs dir if it doesn't exist
+  ansible.builtin.file:
+    path: /srv/certs
+    state: directory
+    mode: '0755'
+
+- name: Create conf.d dir if it doesn't exist
+  ansible.builtin.file:
+    path: /srv/nginx/conf.d
+    state: directory
+    mode: '0755'

 - name: Copy over nginx.container file
  ansible.builtin.copy:
@ -12,10 +24,26 @@
    group: root
    mode: '0644'

+- name: Copy over nginx.conf file
+  ansible.builtin.copy:
+    src: ./files/nginx.conf
+    dest: /srv/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Copy over tls.conf file
  ansible.builtin.copy:
    src: ./files/tls.conf
-    dest: /srv/nginx/tls.conf
+    dest: /srv/nginx/conf.d/tls.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Copy over frontend network
+  ansible.builtin.copy:
+    src: ./files/frontend.network
+    dest: /etc/containers/systemd/frontend.network
    owner: root
    group: root
    mode: '0644'
@ -27,6 +55,5 @@
 - name: Start nginx container
  ansible.builtin.systemd_service:
    name: nginx.service
-    state: started
-    enabled: true
+    state: restarted