Renamed server roles by osi they work on

2025-08-29 15:06:26 +02:00 · 2025-07-10 12:33:46 +02:00
parent c94d623f8f
commit 96268e7161
120 changed files with 167 additions and 167 deletions
--- a/roles/srv-proxy-7-4-core/README.md
+++ b/roles/srv-proxy-7-4-core/README.md
@@ -0,0 +1,31 @@
+# Nginx Docker Reverse Proxy 🚀
+
+## Description
+
+This Ansible role deploys **Nginx** as a high-performance [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) in front of Docker-hosted services.  
+It provides automatic TLS integration, WebSocket support, and a flexible templating system for per-application configuration.
+
+## Overview
+
+Optimised for Arch Linux, the role installs Nginx, prepares opinionated configuration snippets and exposes a simple interface for other roles to drop in new virtual-hosts.  
+It plays well with **Let’s Encrypt**, **OAuth2 Proxy**, and your existing Docker stack.
+
+## Purpose
+
+The goal of this role is to deliver a **hassle-free, production-ready reverse proxy** for self-hosted containers, suitable for homelabs and small-scale production workloads.
+
+## Features
+
+- **Automatic TLS & HSTS** — integrates with the *srv-web-7-6-https* role for certificate management.  
+- **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.  
+- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.  
+- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.  
+- **OAuth2 gating** — drop-in support when *web-app-oauth2-proxy* is present.  
+- **Modular includes** — headers, locations, and global snippets are factored for easy extension.
+
+## Credits 📝
+
+Developed and maintained by **Kevin Veen-Birkenbach**.  
+More at <https://www.veen.world>
+
+Part of the **CyMaIS Project** — licensed under the [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)
--- a/roles/srv-proxy-7-4-core/Todo.md
+++ b/roles/srv-proxy-7-4-core/Todo.md
@@ -0,0 +1,4 @@
+# Todos
+- Optimize buffering
+- Optimize caching
+- Make 'proxy_hide_header Content-Security-Policy' optional by using more_header option. See [ChatGPT Conversation](https://chatgpt.com/share/6825cb39-8db8-800f-8886-0cebdfad575a)
--- a/roles/srv-proxy-7-4-core/meta/main.yml
+++ b/roles/srv-proxy-7-4-core/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Nginx reverse proxy front-end for local Docker applications."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - docker
+    - reverse_proxy
+    - web
+    - automation
+    - archlinux
+  repository: https://s.veen.world/cymais
+  issue_tracker_url: https://s.veen.world/cymaisissues
+  documentation: https://s.veen.world/cymais
+dependencies:
+  - srv-web-7-6-https
+  - srv-web-7-4-core
--- a/roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2
@@ -0,0 +1,2 @@
+add_header Content-Security-Policy "{{ applications | build_csp_header(application_id, domains) }}" always;
+proxy_hide_header Content-Security-Policy; # Todo: Make this optional
--- a/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2
@@ -0,0 +1,33 @@
+location {{location | default("/")}}
+{
+  {% if oauth2_proxy_enabled | default(false) | bool %}
+    {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
+  {% endif %}
+
+  proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
+
+  # headers
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Port 443;
+  proxy_set_header Accept-Encoding "";
+
+  {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
+
+  # WebSocket specific header
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+
+  # deactivate buffering
+  proxy_buffering off;
+  proxy_request_buffering off;
+
+  # timeouts
+  proxy_connect_timeout       1s;
+  proxy_send_timeout          900s;
+  proxy_read_timeout          900s;
+  send_timeout                900s;
+}
--- a/roles/srv-proxy-7-4-core/templates/location/proxy_cache.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/location/proxy_cache.conf.j2
@@ -0,0 +1,12 @@
+location ~* \.(jpg|jpeg|png|gif|webp|ico|svg)$ {
+    # Cache in browser
+    expires 30d;
+    add_header Cache-Control "public, max-age=2592000, immutable";
+
+    # Cache on reverse proxy side
+    proxy_pass http://127.0.0.1:{{http_port}};
+    proxy_cache imgcache;
+    proxy_cache_valid 200 302 60m;
+    proxy_cache_valid 404 1m;
+    add_header X-Proxy-Cache $upstream_cache_status;
+}
--- a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
@@ -0,0 +1,61 @@
+server
+{
+  server_name {{domain}};
+
+  {% if applications | is_feature_enabled('oauth2',application_id) %}
+    {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
+  
+  {% if proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{ proxy_extra_configuration }}
+  {% endif %}
+
+  {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
+
+  {% if applications | is_feature_enabled('oauth2', application_id) %}
+    {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
+
+    {% if acl.blacklist is defined %}
+      {# 1. Expose everything by default, then protect blacklisted paths #}
+      {% set oauth2_proxy_enabled = false %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+      {% for loc in acl.blacklist %}
+        {% set oauth2_proxy_enabled = true %}
+        {% set location = loc %}
+        {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+      {% endfor %}
+
+    {% elif acl.whitelist is defined %}
+      {# 2. Protect everything by default, then expose whitelisted paths #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+      {% for loc in acl.whitelist %}
+        {% set oauth2_proxy_enabled = false %}
+        {% set location = loc %}
+        {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+      {% endfor %}
+
+    {% else %}
+      {# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
+      {% set oauth2_proxy_enabled = true %}
+      {% set location = "/" %}
+      {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+    {% endif %}
+
+  {% else %}
+    {# 4. OAuth2 completely disabled — expose all #}
+    {% set oauth2_proxy_enabled = false %}
+    {% set location = "/" %}
+    {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+  {% endif %}
+
+}
+
+
--- a/roles/srv-proxy-7-4-core/templates/vhost/ws_generic.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/vhost/ws_generic.conf.j2
@@ -0,0 +1,46 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+  server_name {{ domain }};
+
+  {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2' %}
+
+  client_max_body_size {{ client_max_body_size | default('100m') }};
+  keepalive_timeout    70;
+  sendfile             on;
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+
+  {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
+
+  {% if ws_path is defined %}
+    location {{ ws_path }} {
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_pass           http://127.0.0.1:{{ ws_port }};
+    proxy_buffering      off;
+    proxy_http_version   1.1;
+    proxy_set_header     Upgrade        $http_upgrade;
+    proxy_set_header     Connection     $connection_upgrade;
+    tcp_nodelay          on;
+  }
+  {% endif %}
+
+  error_page 500 501 502 503 504 /500.html;
+}