From f6d6295df37874789242781848b9f7cc20170c95 Mon Sep 17 00:00:00 2001
From: mustard
Date: Sat, 4 Oct 2025 00:03:14 +0200
Subject: [PATCH] feat: added nginx role
---
deploy.yaml | 5 +++++
roles/nginx/files/nginx.container | 18 +++++++++++++++++
roles/nginx/files/tls.conf | 12 ++++++++++++
roles/nginx/tasks/main.yaml | 32 +++++++++++++++++++++++++++++++
4 files changed, 67 insertions(+)
create mode 100644 deploy.yaml
create mode 100644 roles/nginx/files/nginx.container
create mode 100644 roles/nginx/files/tls.conf
create mode 100644 roles/nginx/tasks/main.yaml
diff --git a/deploy.yaml b/deploy.yaml
new file mode 100644
index 0000000..a3e8d3d
--- /dev/null
+++ b/deploy.yaml
@@ -0,0 +1,5 @@
+---
+- hosts: jellyfin
+ roles:
+ - nginx
+
diff --git a/roles/nginx/files/nginx.container b/roles/nginx/files/nginx.container
new file mode 100644
index 0000000..3ee6f66
--- /dev/null
+++ b/roles/nginx/files/nginx.container
@@ -0,0 +1,18 @@
+[Unit]
+Description=nginx container
+
+[Container]
+ContainerName=nginx
+Image=ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
+PublishPort=8080:8080
+Volume=/srv/nginx/tls.conf:/etc/nginx/tls.conf:ro
+PodmanArgs=--runtime runsc --security-opt label:disable
+Label=disable
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target
+
+[Service]
+Restart=always
+
diff --git a/roles/nginx/files/tls.conf b/roles/nginx/files/tls.conf
new file mode 100644
index 0000000..1bc7ccd
--- /dev/null
+++ b/roles/nginx/files/tls.conf
@@ -0,0 +1,12 @@
+ssl_certificate /etc/nginx/ssl/cert.pem;
+ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
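Review bot: The play has no `become: true`, yet the nginx role's tasks write `/etc/containers/systemd/nginx.container` and `/srv/nginx` with `owner: root`, so the run fails unless the remote user is already root. Add `become: true` under `- hosts: jellyfin`. The role also relies on host-level prerequisites that neither this play nor the role provides (a `runsc` runtime for podman, and the TLS certificate and key that `tls.conf` references), so a comment above the play naming them would help, e.g. `# requires: podman with Quadlet, the gVisor runsc runtime, and a TLS cert/key supplied out of band`.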
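Review bot: `Label=disable` in a Quadlet `[Container]` section maps to `podman --label`, i.e. it attaches a metadata label literally named `disable` to the container; it does not affect SELinux. The SELinux intent is already expressed by `--security-opt label:disable` inside `PodmanArgs=`, and Quadlet has a native key for it, so replace both with `SecurityLabelDisable=true` and shrink the other line to `PodmanArgs=--runtime runsc` (podman's documented spelling is `label=disable`; `label:disable` is the legacy Docker form). Disabling label separation combined with `AutoUpdate=registry` on the floating `mainline-alpine-slim` tag means whatever the registry publishes under that tag is pulled and restarted unattended and runs without SELinux confinement, relying on `runsc` alone; if that trade-off is intended, record it in a comment and make sure image signature verification is enforced through `/etc/containers/policy.json`. Nothing in the role installs or checks for the `runsc` runtime, so the unit fails at start on a host without gVisor.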
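Review bot: `ssl_certificate` and `ssl_certificate_key` reference `/etc/nginx/ssl/cert.pem` and `/etc/nginx/ssl/key.pem`, but the companion `nginx.container` unit mounts only `tls.conf` itself (read-only) and nothing in this commit mounts an `ssl/` directory or includes `/etc/nginx/tls.conf` from a server block, so the file is either never loaded or, once it is included, nginx fails to start on the missing key material. The `ssl_ciphers` list holds ECDHE-ECDSA suites only, so with an RSA certificate TLS 1.2 clients have nothing to negotiate (TLS 1.3 is unaffected); either add the `ECDHE-RSA-*` counterparts or document the constraint above the line: `# ECDSA-only suite list: cert.pem must be an ECDSA certificate`. A one-line header naming the profile this was derived from (the `MozSSL` cache name suggests the Mozilla generator) would let the next reader re-check the `ssl_prefer_server_ciphers on` and cipher choices against the current recommendation.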
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
new file mode 100644
index 0000000..26e478c
--- /dev/null
+++ b/roles/nginx/tasks/main.yaml
@@ -0,0 +1,32 @@
+- name: Create nginx dir
+ ansible.builtin.file:
+ path: /srv/nginx
+ state: directory
+ mode: '0644'
+
+- name: Copy over nginx.container file
+ ansible.builtin.copy:
+ src: ./files/nginx.container
+ dest: /etc/containers/systemd/nginx.container
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Copy over tls.conf file
+ ansible.builtin.copy:
+ src: ./files/tls.conf
+ dest: /srv/nginx/tls.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Run systemctl daemon-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+
+- name: Start nginx container
+ ansible.builtin.systemd_service:
+ name: nginx.service
+ state: started
+ enabled: true
+
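Review bot: `mode: '0644'` in `Create nginx dir` creates `/srv/nginx` without the execute bit, so no non-root process can traverse it; a directory wants `mode: '0755'`. `enabled: true` in `Start nginx container` targets a unit that Quadlet generates from `nginx.container` during daemon-reload, and systemd refuses to `enable` generator-produced units — the `[Install]` section in the `.container` file already covers boot-time start, so drop `enabled: true` and keep `state: started`. Both `copy` tasks use `src: ./files/...`; inside a role the conventional `src: nginx.container` and `src: tls.conf` resolve through the role's `files/` directory without the relative-path lookup. The file also lacks the `---` document start that `deploy.yaml` uses.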