refactor: centralize web front proxy and internal nginx configs

Unify reverse proxy handling across apps via sys-stk-front-proxy and cleanly separate internal docker nginx configs from external vhosts. Changes: - docker-compose: use with_first_found for optional env and docker-compose.override files so roles can provide either a template or a static file without noisy 'Could not find or access' failures. - sys-stk-front-proxy: remove front_proxy_domain_conf_src and switch nginx vhost rendering to with_first_found over app-specific proxy.conf.j2 and the generic roles/sys-svc-proxy vhost flavour; keep health-check and handler logic unchanged. - web-app-nextcloud: migrate to sys-stk-full-stateful (front proxy + DB + docker), move internal nginx config to docker.conf.j2 under the volume path, and rename host.conf.j2 to proxy.conf.j2 for the external vhost. - web-app-magento: rename nginx.conf.j2 to docker.conf.j2 and update the runtime template task accordingly to make the intent (internal nginx) explicit. - web-app-matrix: rename nginx.conf.j2 to synapse.conf.j2 and adjust the webserver task to use the new template name for the synapse vhost. - web-app-bridgy-fed & web-app-flowise: pass domain and http_port explicitly when including sys-stk-front-proxy so the front stack has all required context. - web-svc-cdn/file/html: replace direct sys-stk-front-base + sys-util-csp-cert + nginx.conf.j2 handling with sys-stk-front-proxy and proxy.conf.j2, relying on the shared front-stack for TLS/CSP/vHost wiring. - web-svc-collabora: drop the direct nginx.conf.j2 vhost generation and rename it to proxy.conf.j2 so it is picked up by sys-stk-front-proxy like other services. - web-opt-rdr-domains: rename redirect.domain.nginx.conf.j2 to redirect-domain.conf.j2 and adjust the task for clearer and more consistent naming. Context: see ChatGPT refactor discussion on 2025-11-30 (proxy unification, Collabora/Nextcloud/CDN stacks, CSP/header handling): https://chatgpt.com/share/692c64ea-a488-800f-ad42-7f7692a3742f
2025-12-02 07:38:22 +00:00 · 2025-11-30 16:38:39 +01:00
parent 5a65410dd8
commit 007963044b
25 changed files with 50 additions and 104 deletions
--- a/roles/docker-compose/tasks/04_files.yml
+++ b/roles/docker-compose/tasks/04_files.yml
@@ -13,35 +13,31 @@
    - create_dockerfile_result is failed
    - "'Could not find or access' not in create_dockerfile_result.msg"

- name:           "Create (optional) '{{ docker_compose.files.env }}'"
+- name: "Create (optional) '{{ docker_compose.files.env }}'"
  template:
-    src:          "{{ item }}"
-    dest:         "{{ docker_compose.files.env }}"
-    mode:         '770'
-    force:        yes
-  notify:         docker compose up
-  register:       env_template
-  loop:
-    - "{{ application_id | abs_role_path_by_application_id }}/templates/env.j2"
-    - "{{ application_id | abs_role_path_by_application_id }}/files/env"
-  failed_when:
-    - env_template is failed
-    - "'Could not find or access' not in env_template.msg"
+    src: "{{ item }}"
+    dest: "{{ docker_compose.files.env }}"
+    mode: '770'
+    force: yes
+  notify: docker compose up
+  with_first_found:
+    - files:
+        - "{{ application_id | abs_role_path_by_application_id }}/templates/env.j2"
+        - "{{ application_id | abs_role_path_by_application_id }}/files/env"
+      skip: true

- name:           "Create (optional) '{{ docker_compose.files.docker_compose_override }}'"
+- name: "Create (optional) '{{ docker_compose.files.docker_compose_override }}'"
  template:
-    src:          "{{ item }}"
-    dest:         "{{ docker_compose.files.docker_compose_override }}"
-    mode:         '770'
-    force:        yes
-  notify:         docker compose up
-  register:       docker_compose_override_template
-  loop:
-    - "{{ application_id | abs_role_path_by_application_id }}/templates/docker-compose.override.yml.j2"
-    - "{{ application_id | abs_role_path_by_application_id }}/files/docker-compose.override.yml"
-  failed_when:
-    - docker_compose_override_template is failed
-    - "'Could not find or access' not in docker_compose_override_template.msg"
+    src: "{{ item }}"
+    dest: "{{ docker_compose.files.docker_compose_override }}"
+    mode: '770'
+    force: yes
+  notify: docker compose up
+  with_first_found:
+    - files:
+        - "{{ application_id | abs_role_path_by_application_id }}/templates/docker-compose.override.yml.j2"
+        - "{{ application_id | abs_role_path_by_application_id }}/files/docker-compose.override.yml"
+      skip: true

 - name:           "Create (obligatoric) '{{ docker_compose.files.docker_compose }}'"
  template:
--- a/roles/sys-stk-front-proxy/tasks/01_base.yml
+++ b/roles/sys-stk-front-proxy/tasks/01_base.yml
@@ -8,10 +8,15 @@

 - name: "Copy nginx config to '{{ front_proxy_domain_conf_dst }}'"
  template:
-    src:  "{{ front_proxy_domain_conf_src }}"
+    src: "{{ item }}"
    dest: "{{ front_proxy_domain_conf_dst }}"
  register: nginx_conf
  notify: restart openresty
+  vars:
+    nginx_template_candidates:
+      - "{{ application_id | abs_role_path_by_application_id }}/templates/proxy.conf.j2"
+      - "roles/sys-svc-proxy/templates/vhost/{{ vhost_flavour }}.conf.j2"
+  with_first_found: "{{ nginx_template_candidates }}"

 - block:
  - name: "Check if {{ domains | get_domain(application_id) }} is reachable (only if config unchanged)"
--- a/roles/sys-stk-front-proxy/vars/main.yml
+++ b/roles/sys-stk-front-proxy/vars/main.yml
@@ -1,2 +1 @@
-front_proxy_domain_conf_dst:  "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, domain ~ '.conf'] | path_join }}"
-front_proxy_domain_conf_src:  "roles/sys-svc-proxy/templates/vhost/{{ vhost_flavour }}.conf.j2"
+front_proxy_domain_conf_dst:  "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, domain ~ '.conf'] | path_join }}"
--- a/roles/web-app-bridgy-fed/tasks/01_core.yml
+++ b/roles/web-app-bridgy-fed/tasks/01_core.yml
@@ -5,5 +5,8 @@
 - name: "Include front proxy for {{ container_hostname}}:{{ ports.localhost.http[application_id] }}"
  include_role:
    name: sys-stk-front-proxy
+  vars:
+    domain:     "{{ domains | get_domain(application_id) }}"
+    http_port:  "{{ ports.localhost.http[application_id] }}"

 - include_tasks: utils/run_once.yml
--- a/roles/web-app-flowise/tasks/main.yml
+++ b/roles/web-app-flowise/tasks/main.yml
@@ -26,3 +26,6 @@
 - name: "Include role sys-stk-front-proxy for '{{ application_id }}'"
  include_role:
    name: sys-stk-front-proxy
+  vars:
+    domain:     "{{ domains | get_domain(application_id) }}"
+    http_port:  "{{ ports.localhost.http[application_id] }}"
--- a/roles/web-app-magento/tasks/02_runtime_conf.yml
+++ b/roles/web-app-magento/tasks/02_runtime_conf.yml
@@ -20,7 +20,7 @@

 - name: Render nginx main config (no TLS; single source of truth)
  template:
-    src: "nginx.conf.j2"
+    src: "docker.conf.j2"
    dest: "{{ MAGENTO_NGINX_CONF_PATH }}"
    mode: '0644'
    force: true
--- a/roles/web-app-magento/templates/docker.conf.j2
+++ b/roles/web-app-magento/templates/docker.conf.j2
--- a/roles/web-app-matrix/tasks/03_webserver.yml
+++ b/roles/web-app-matrix/tasks/03_webserver.yml
@@ -25,7 +25,7 @@

 - name: create {{ MATRIX_SYNAPSE_DOMAIN }}.conf
  template:
-    src:  "templates/nginx.conf.j2" 
+    src:  "templates/synapse.conf.j2" 
    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ MATRIX_SYNAPSE_DOMAIN }}.conf"
  vars:
    domain:     "{{ MATRIX_SYNAPSE_DOMAIN }}"
--- a/roles/web-app-matrix/templates/synapse.conf.j2
+++ b/roles/web-app-matrix/templates/synapse.conf.j2
--- a/roles/web-app-nextcloud/tasks/01_fullstack.yml
+++ b/roles/web-app-nextcloud/tasks/01_fullstack.yml
@@ -1,20 +1,11 @@
- name: "include role for {{ application_id }} to receive certs & do modification routines for '{{ NEXTCLOUD_DOMAIN }}:{{ NEXTCLOUD_PORT }}'"
-  include_role:
-    name: sys-util-csp-cert
-
- name: create nextcloud proxy configuration file
-  template:
-    src:    "nginx/host.conf.j2" 
-    dest:   "{{ NEXTCLOUD_HOST_NGINX_PATH }}"
-  notify: restart openresty
-
 - name: "load docker and db for {{ application_id }}"
  include_role:
-    name: sys-stk-back-stateful
+    name: sys-stk-full-stateful
  vars:
    docker_compose_flush_handlers: false

- block:
+- when: NEXTCLOUD_WHITEBOARD_ENABLED | bool
+  block:
    - name: "Create '{{ NEXTCLOUD_WHITEBOARD_SERVICE_DIRECTORY }}' Directory"
      file:
        path: "{{ NEXTCLOUD_WHITEBOARD_SERVICE_DIRECTORY }}"
@@ -26,8 +17,6 @@
        src:    "Dockerfiles/Whiteboard.j2"
        dest:   "{{ NEXTCLOUD_WHITEBOARD_SERVICE_DOCKERFILE }}"
      notify: docker compose build
-      
-  when: NEXTCLOUD_WHITEBOARD_ENABLED | bool

 - name: "create {{ NEXTCLOUD_HOST_CONF_ADD_PATH }}"
  file:
@@ -46,6 +35,6 @@

 - name: create internal nextcloud nginx configuration
  template:
-    src:  "nginx/docker.conf.j2" 
-    dest: "{{ NEXTCLOUD_HOST_NGINX_SRC }}"
+    src:  "docker.conf.j2" 
+    dest: "{{ NEXTCLOUD_HOST_NGINX_PATH }}"
  notify: docker compose up
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
@@ -10,7 +10,7 @@
    ports:
      - "127.0.0.1:{{ NEXTCLOUD_PORT }}:{{ container_port }}"
    volumes:
-      - "{{ NEXTCLOUD_HOST_NGINX_SRC }}:/etc/nginx/nginx.conf:ro"
+      - "{{ NEXTCLOUD_HOST_NGINX_PATH }}:/etc/nginx/nginx.conf:ro"
    volumes_from:
      - {{ NEXTCLOUD_SERVICE }}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2'  %}
--- a/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/docker.conf.j2
--- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2
--- a/roles/web-app-nextcloud/vars/main.yml
+++ b/roles/web-app-nextcloud/vars/main.yml
@@ -22,10 +22,9 @@ NEXTCLOUD_PLUGINS_ENABLED:          "{{ applications | get_app_conf(application_
 ## Paths

 ### Host
-NEXTCLOUD_HOST_CONF_ADD_PATH:       "{{ [ docker_compose.directories.volumes, 'infinito' ] | path_join }}"              # This folder is the path to which the additive configurations will be copied
-NEXTCLOUD_HOST_INCL_PATH:           "{{ [ docker_compose.directories.volumes, 'includes.php' ] | path_join }}"          # Path to the instruction file on the host. Responsible for loading the additional configurations
-NEXTCLOUD_HOST_NGINX_PATH:          "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, NEXTCLOUD_DOMAIN ~ '.conf' ] | path_join }}"  # Nginx path for proxy conf
-NEXTCLOUD_HOST_NGINX_SRC:           "{{ [ docker_compose.directories.volumes, 'nginx.conf' ] | path_join }}" 
+NEXTCLOUD_HOST_CONF_ADD_PATH:       "{{ [ docker_compose.directories.volumes, 'infinito' ] | path_join }}"      # This folder is the path to which the additive configurations will be copied
+NEXTCLOUD_HOST_INCL_PATH:           "{{ [ docker_compose.directories.volumes, 'includes.php' ] | path_join }}"  # Path to the instruction file on the host. Responsible for loading the additional configurations
+NEXTCLOUD_HOST_NGINX_PATH:          "{{ [ docker_compose.directories.volumes, 'nginx.conf' ] | path_join }}"    # Path where the internal Nextcloud NGinx config on the host server is stored

 ## Control Node
 NEXTCLOUD_CNODE_PLUGIN_VARS_PATH:   "{{ [role_path, 'vars/plugins/'] | path_join }}"                                 # Folder in which the files for the plugin configuration are stored
--- a/roles/web-opt-rdr-domains/tasks/redirect-domain.yml
+++ b/roles/web-opt-rdr-domains/tasks/redirect-domain.yml
@@ -4,6 +4,6 @@

 - name: "Deploying NGINX redirect configuration for '{{ domain }}'"
  template:
-    src:  redirect.domain.nginx.conf.j2
+    src:  redirect-domain.conf.j2
    dest: "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, domain ~ '.conf'] | path_join }}"
  notify: restart openresty
--- a/roles/web-opt-rdr-domains/templates/redirect.domain.nginx.conf.j2
+++ b/roles/web-opt-rdr-domains/templates/redirect.domain.nginx.conf.j2
--- a/roles/web-svc-cdn/tasks/01_core.yml
+++ b/roles/web-svc-cdn/tasks/01_core.yml
@@ -2,19 +2,7 @@
  include_role:
    name: '{{ item }}'
  loop:
-  - sys-stk-front-base
+  - sys-stk-front-proxy
  - dev-git
-  
- name: "include role for {{ application_id }} to receive certs & do modification routines"
-  include_role:
-    name: sys-util-csp-cert
-  vars:
-    http_port: "{{ ports.localhost.http[application_id] }}"
-
- name: "deploy '{{ CDN_NGINX_PATH }}'"
-  template:
-    src: "nginx.conf.j2"
-    dest: "{{ CDN_NGINX_PATH }}"
-  notify: restart openresty

 - include_tasks: utils/run_once.yml
--- a/roles/web-svc-cdn/templates/proxy.conf.j2
+++ b/roles/web-svc-cdn/templates/proxy.conf.j2
--- a/roles/web-svc-cdn/vars/main.yml
+++ b/roles/web-svc-cdn/vars/main.yml
@@ -1,7 +1,3 @@
 # General
 application_id: "web-svc-cdn"
 domain:         "{{ domains | get_domain(application_id) }}"
-
-# CDN
-CDN_NGINX_FILE: "{{ domain }}.conf"
-CDN_NGINX_PATH: "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, CDN_NGINX_FILE ] | path_join }}"
--- a/roles/web-svc-collabora/tasks/01_core.yml
+++ b/roles/web-svc-collabora/tasks/01_core.yml
@@ -6,12 +6,6 @@
    docker_compose_flush_handlers:        true
    docker_compose_file_creation_enabled: true
    docker_pull_git_repository:           false
-    
- name: "generate {{ domain }}.conf"
-  template:
-    src: "nginx.conf.j2"
-    dest: "{{ [ NGINX.DIRECTORIES.HTTP.SERVERS, domain ~ '.conf'] | path_join }}"
-  notify: restart openresty

 - name: Update Collabora systemplate to include new fonts
  command: "{{ COLLABORA_DOCKER_CONF_EXEC }} update-system-template"
--- a/roles/web-svc-collabora/templates/proxy.conf.j2
+++ b/roles/web-svc-collabora/templates/proxy.conf.j2
--- a/roles/web-svc-file/tasks/main.yml
+++ b/roles/web-svc-file/tasks/main.yml
@@ -3,20 +3,7 @@
    include_role:
      name: '{{ item }}'
    loop:
-    - sys-stk-front-base
+    - sys-stk-front-proxy
    - dev-git
  - include_tasks: utils/run_once.yml
  when: run_once_web_svc_file is not defined
-
- name: "include role for {{ application_id }} to receive certs & do modification routines"
-  include_role:
-    name: sys-util-csp-cert
-  vars:
-    domain: "{{ domains | get_domain(application_id) }}"
-    http_port: "{{ ports.localhost.http[application_id] }}"
-
- name: "generate {{ domains | get_domain(application_id) }}.conf"
-  template:
-    src: "nginx.conf.j2"
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
-  notify: restart openresty
--- a/roles/web-svc-file/templates/proxy.conf.j2
+++ b/roles/web-svc-file/templates/proxy.conf.j2
--- a/roles/web-svc-html/tasks/main.yml
+++ b/roles/web-svc-html/tasks/main.yml
@@ -3,20 +3,7 @@
    include_role:
      name: '{{ item }}'
    loop:
-    - sys-stk-front-base
+    - sys-stk-front-proxy
    - dev-git
  - include_tasks: utils/run_once.yml
  when: run_once_web_svc_html is not defined
-
- name: "include role for {{ application_id }} to receive certs & do modification routines"
-  include_role:
-    name: sys-util-csp-cert
-  vars:
-    domain: "{{ domains | get_domain(application_id) }}"
-    http_port: "{{ ports.localhost.http[application_id] }}"
-
- name: "generate {{ domains | get_domain(application_id) }}.conf"
-  template:
-    src: "nginx.conf.j2"
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
-  notify: restart openresty
--- a/roles/web-svc-html/templates/proxy.conf.j2
+++ b/roles/web-svc-html/templates/proxy.conf.j2