From 130e101cc6f1504a529e10a00ada91ad2b1d1e76 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Wed, 8 Jun 2022 22:34:50 +0200
Subject: [PATCH] add some files
---
 handlers/main.yml | 5 ++
 tasks/main.yml | 42 +++++++++++++++
 templates/nginx.conf | 59 ++++++++++++++++++++++
 templates/snippets/connection_upgrade.conf | 7 +++
 templates/stream_rp.conf | 13 +++++
 5 files changed, 126 insertions(+)
 create mode 100644 handlers/main.yml
 create mode 100644 templates/nginx.conf
 create mode 100644 templates/snippets/connection_upgrade.conf
 create mode 100644 templates/stream_rp.conf
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..6dfcdd7
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
diff --git a/tasks/main.yml b/tasks/main.yml
index 218ca39..0305825 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,6 +8,37 @@
 retries: 3
 until: apt_result is succeeded
+- name: Copy snippets
+ template:
+ src: "snippets/{{ item }}"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ loop:
+ - connection_upgrade.conf # fix some nginx bug
+
+- name: Ensure the cert directory exists
+ file:
+ path: /etc/nginx/certs
+ state: directory
+
+- name: Create a dummy cert
+ block:
+ - name: Generate private key
+ openssl_privatekey:
+ path: /etc/nginx/certs/dummy.key
+ mode: u=rw,g=,o=
+ size: 4096
+ - name: Generate the signing request
+ openssl_csr:
+ path: /etc/nginx/certs/dummy.req
+ privatekey_path: /etc/nginx/certs/dummy.key
+ common_name: dummy
+ - name: Sign Cert
+ openssl_certificate:
+ path: /etc/nginx/certs/dummy.pem
+ privatekey_path: /etc/nginx/certs/dummy.key
+ csr_path: /etc/nginx/certs/dummy.req
+ provider: selfsigned
+
 - name: Add wasm to mime type
 lineinfile:
 path: /etc/nginx/mime.types
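Review bot: None of the template tasks added in this commit notify the `Reload nginx` handler that handlers/main.yml introduces — not `Copy snippets` in this hunk, and not `Copy NGINX conf` or `Create the SSL reverse proxy conf` in the next hunk — so a changed snippet or config is written to disk but the running nginx keeps serving the old one until someone reloads it by hand; `notify: Reload nginx` on each of those three tasks closes that gap. The loop item comment `# fix some nginx bug` does not say which bug the snippet works around; since the snippet only defines the usual `$http_upgrade` → `$connection_upgrade` map, something like `# WebSocket Connection/Upgrade header map, see templates/snippets/connection_upgrade.conf` would tell the reader what it is for. The private key gets an explicit `mode: u=rw,g=,o=` but the `Copy snippets` template and the certificate/CSR files are left at whatever the default umask gives, while the existing lineinfile task further down already pins `mode: '0644'`; setting `mode`/`owner`/`group` on the template task keeps the role consistent.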
@@ -17,3 +48,14 @@
 group: root
 mode: '0644'
 insertbefore: '}'
+
+- name: Copy NGINX conf
+ template:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: Create the SSL reverse proxy conf
+ template:
+ src: stream_rp.conf
+ dest: /etc/nginx/stream_rp.conf
+ force: no
diff --git a/templates/nginx.conf b/templates/nginx.conf
new file mode 100644
index 0000000..0e5334a
--- /dev/null
+++ b/templates/nginx.conf
@@ -0,0 +1,59 @@
+{{ ansible_managed | comment }}
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ #worker_processes auto; # <- default is 1
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip off; # compression and crypto don't mix
+
+ # include /etc/nginx/conf.d/*.conf; # Ansible
+ include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+ include /etc/nginx/stream_rp.conf;
+
+ # Proxy request from the back end address
+ map $ssl_preread_server_name $name_from_back {
+ acme-v02.api.letsencrypt.org acme;
+ r3.o.lencr.org r3;
+ default self-back;
+ }
+ upstream acme {
+ server acme-v02.api.letsencrypt.org:443;
+ }
+ upstream r3 {
+ server r3.o.lencr.org:443;
+ }
+ upstream self-back {
+ server 127.0.0.1:9443;
+ }
+ server {
+ listen 192.168.10.1:443;
+ proxy_pass $name_from_back;
+ ssl_preread on;
+ }
+}
diff --git a/templates/snippets/connection_upgrade.conf b/templates/snippets/connection_upgrade.conf
new file mode 100644
index 0000000..27ac1b8
--- /dev/null
+++ b/templates/snippets/connection_upgrade.conf
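Review bot: `Copy NGINX conf` renders a nginx.conf whose stream block contains `include /etc/nginx/stream_rp.conf;`, but that file is only created by the task that follows it, `Create the SSL reverse proxy conf`, so on a fresh host the on-disk configuration references a missing file between the two tasks; swapping the two tasks removes the window, and `validate: 'nginx -t -c %s'` on the nginx.conf task would make any such ordering mistake fail loudly instead of being discovered at the next reload. `force: no` turns stream_rp.conf into a seed file that is written once and never updated, which is presumably intentional but is not stated anywhere; a comment on the task such as `# seed only: an existing stream_rp.conf is never overwritten, edit it on the host` would keep the next maintainer from wondering why template changes do not propagate. Neither task sets `mode`, `owner` or `group`, unlike the lineinfile task just above this hunk, which pins `mode: '0644'`; `mode: '0644'` with `owner: root` and `group: root` on both template tasks keeps the files consistent with the rest of the role.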
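Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the http block enables TLS 1.0 and 1.1, both deprecated by RFC 8996 and reported by every TLS scanner; unless a specific legacy client is known to need them the line should read `ssl_protocols TLSv1.2 TLSv1.3;`, and the `# Dropping SSLv3, ref: POODLE` comment no longer describes the interesting part of the decision. The directive is paired with `ssl_prefer_server_ciphers on;` but no `ssl_ciphers`, so the negotiated cipher list is whatever the OpenSSL build defaults to — either set it explicitly or add a comment stating that the library default is intended. The stream `server` hard-codes `listen 192.168.10.1:443;` (stream_rp.conf hard-codes a different address), which ties a role template to one host; a role variable for the listen address, e.g. `listen {{ <listen_addr_var> }}:443;` with a name to be chosen, keeps the role reusable. `upstream acme` and `upstream r3` name external hosts that nginx resolves once when the configuration is loaded, so as far as I can tell a DNS failure at reload time makes the whole configuration fail to load; a comment next to them saying so (`# resolved at config load; reload fails if these names do not resolve`) would save debugging time.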
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
diff --git a/templates/stream_rp.conf b/templates/stream_rp.conf
new file mode 100644
index 0000000..d7da21d
--- /dev/null
+++ b/templates/stream_rp.conf
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+map $ssl_preread_server_name $name_from_front {
+ default self;
+}
+upstream self {
+ server 127.0.0.1:8443;
+}
+server {
+ listen 172.20.198.2:443;
+ proxy_pass $name_from_front;
+ ssl_preread on;
+ }
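Review bot: Nothing in this commit includes /etc/nginx/snippets/connection_upgrade.conf — the rendered nginx.conf only includes mime.types, modules-enabled and sites-enabled — so the `$connection_upgrade` map is dead configuration unless a site file outside this change pulls it in. Because `map` is only valid at http (or stream) level, the include has to sit in the http context rather than inside a `server` or `location`; a header comment stating that, e.g. `# include from the http {} context (e.g. a sites-enabled file, above its server blocks), then use $connection_upgrade in proxy_set_header Connection`, tells the reader where it belongs. The closing brace of the map is indented (`+ }`) while stream_rp.conf closes its first map at column 0; aligning it avoids the inconsistency.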
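Review bot: `listen 172.20.198.2:443;` and `server 127.0.0.1:8443;` hard-code a host-specific address and backend into a role template, and since the task that deploys this file uses `force: no`, a later correction to the template would not even reach hosts that already have a copy — both values belong in role variables (names to be chosen, e.g. `listen {{ <listen_addr_var> }}:443;` and `server {{ <backend_var> }};`). The file is pulled in by `include /etc/nginx/stream_rp.conf;` from the stream block of nginx.conf, which already defines a second `server` on port 443 at another address; a header comment such as `# included from the stream {} block of nginx.conf; SNI-based passthrough of the front-side address to the local backend` would explain why there are only stream-context directives here and how it relates to the other listener. The closing brace of the `server` block is indented (`+ }`) unlike the other closing braces in the file, which sit at column 0.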