Renamed webserver roles to more speakable names

roles/srv-core/README.md

@@ -0,0 +1,24 @@
+# Webserver
+
+This Ansible role installs and configures **Nginx** as a core HTTP/stream server on Arch Linux systems. It provides:
+
+* **HTTP serving** with MIME types, gzip compression, caching, and custom `nginx.conf` templating.
+* **TCP/UDP stream support** via the Nginx Streams module.
+* **Directory management** for configuration, `sites-available`/`enabled`, cache, and data.
+* **Debugging helpers**: log formats and instructions for general and detailed troubleshooting.
+
+## Features
+
+* **Package installation** of `nginx` and `nginx-mod-stream`.
+* **Idempotent setup**: tasks run only once per host.
+* **Configurable reset and cleanup** modes to purge and recreate directories.
+* **Custom `nginx.conf`** template with sensible defaults for performance and security.
+* **Stream proxy support**: includes `stream` block for TCP/UDP proxies.
+* **Cache directory management**: cleanup and recreation based on `MODE_CLEANUP`.
+
+
+## Debugging Tips
+
+* **General logs**: `journalctl -f -u nginx`
+* **Filter by host**: `journalctl -u nginx -f | grep "{{ inventory_hostname }}"`
+* **Enable detailed format**: set `MODE_DEBUG: true` and reload Nginx.

roles/srv-core/Todo.md

@@ -0,0 +1,2 @@
+# To-dos
+- It could make sense to merge this role with svc-prx-openresty

roles/srv-core/meta/main.yml

@@ -0,0 +1,21 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Installs and configures Nginx HTTP and stream modules with performance-tuned defaults."
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  min_ansible_version: "2.9"
+  galaxy_tags:
+    - nginx
+    - http
+    - stream
+    - caching
+    - compression
+    - security
+    - performance
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/roles/srv-core"

roles/srv-core/tasks/01_core.yml

@@ -0,0 +1,49 @@
+- name: "cleanup (if enabled)"
+  include_tasks: 02_cleanup.yml
+  when: >
+    MODE_CLEANUP | bool or
+    MODE_RESET | bool
+
+- name: "reset (if enabled)"
+  include_tasks: 03_reset.yml
+  when: MODE_RESET | bool
+
+- name: "Load docker compose handlers"
+  include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml"
+  vars:
+    handler_role_name: "docker-compose"
+
+- name: "Include tasks to create directories"
+  include_tasks: 04_directories.yml
+
+- name: create nginx config file
+  template: 
+    src:  nginx.conf.j2
+    dest: "{{ NGINX.FILES.CONFIGURATION }}"
+  notify: docker compose up
+
+- name: Include health dependencies
+  include_role:
+    name: "{{ item }}"
+  loop:
+    - sys-ctl-hlth-webserver
+    - sys-ctl-hlth-csp
+  vars:
+    # Extra flush is for performance reasons not necessary
+    flush_handlers: false
+
+- name: Include openresty
+  # Outside of run_once block is necessary for handler loading
+  # Otherwise the when: condition from the block is added to the handlers
+  # Inside openresty their is a validation that it doesn't run multiple times
+  include_role:
+    name: svc-prx-openresty
+
+    # Explicit set to guaranty that application_id will not be overwritten.
+    # Should be anyhow the default case
+    public: false
+
+  vars:
+    # Flush openresty handler on first run, so that openresty is up, before openresty related handlers are triggered
+    flush_handlers: true
+  when: run_once_svc_prx_openresty is not defined

roles/srv-core/tasks/02_cleanup.yml

@@ -0,0 +1,8 @@
+- name: Cleanup all NGINX cache directories
+  become: true
+  ansible.builtin.file:
+    path: "{{ item.value }}"
+    state: absent
+  loop: "{{ NGINX.DIRECTORIES.CACHE | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"

roles/srv-core/tasks/03_reset.yml

@@ -0,0 +1,9 @@
+- name: Delete NGINX config paths
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ NGINX.DIRECTORIES.CONFIGURATION }}"
+    - "{{ NGINX.FILES.CONFIGURATION }}"
+  loop_control:
+    label: "{{ item }}"

roles/srv-core/tasks/04_directories.yml

@@ -0,0 +1,36 @@
+- name: Ensure nginx configuration directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ NGINX.USER }}"
+    group: "{{ NGINX.USER }}"
+    mode: '0755'
+    recurse: yes
+  loop: >
+    {{
+      ( NGINX.DIRECTORIES.HTTP.values() | list ) +
+      [ NGINX.DIRECTORIES.STREAMS ] 
+    }}
+
+- name: Ensure all NGINX cache directories exist
+  become: true
+  ansible.builtin.file:
+    path: "{{ item.value }}"
+    state: directory
+    owner: "{{ NGINX.USER }}"
+    group: "{{ NGINX.USER }}"
+    mode: '0700'
+  loop: "{{ NGINX.DIRECTORIES.CACHE | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Ensure nginx data storage directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    recurse: yes
+    owner: "{{ NGINX.USER }}"
+    group: "{{ NGINX.USER }}"
+    mode:  '0755'
+  loop: >
+    {{ NGINX.DIRECTORIES.DATA.values() | list }}

roles/srv-core/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- block:
+  - include_tasks: 01_core.yml
+  - include_tasks: utils/run_once.yml
+  when: run_once_srv_core is not defined

roles/srv-core/templates/nginx.conf.j2

@@ -0,0 +1,63 @@
+worker_processes auto;
+
+events
+{
+  worker_connections 1024;
+}
+
+http
+{
+  include mime.types;
+
+  {# default_type  application/octet-stream; If html filter does not work, this one needs to be used#}
+
+  default_type text/html;
+
+  {# caching #}
+  proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.GENERAL }} levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off;
+  proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.IMAGE }} levels=1:2 keys_zone=imgcache:10m inactive=60m use_temp_path=off;
+
+  # --------------------------------------------------------------------------------
+  # Tweak the hash table used to store your server_name entries:
+  server_names_hash_bucket_size 64;   # size of each bucket for server_name lookups (in bytes)
+  server_names_hash_max_size    512;  # maximum total buckets for the server_name hash table
+  # --------------------------------------------------------------------------------
+
+  {# logging and debugging #}
+{% if MODE_DEBUG | bool %}
+  {# individual log format for better debugging #}
+  log_format debug '$host - $remote_addr [$time_local] '
+                  '"$request" $status $body_bytes_sent '
+                  '"Referer: $http_referer" '
+                  '"User-Agent: $http_user_agent" '
+                  '"ReqTime: $request_time" "UpstreamTime: $upstream_response_time" '
+                  '"ReqLength: $request_length" "BytesSent: $bytes_sent" '
+                  '"ConnRequests: $connection_requests" '
+                  '"X-Forwarded-For: $http_x_forwarded_for" '
+                  '"Scheme: $scheme" "Protocol: $server_protocol" "ServerName: $server_name"';
+  access_log  /dev/stdout  debug;
+{% endif %}
+  error_log  /dev/stderr  info;
+
+  sendfile on;
+  keepalive_timeout 65;
+
+  {# gzip #}
+  gzip on;
+  gzip_proxied any;
+  gzip_vary on;
+  gzip_disable "MSIE [1-6]\.(?!.*SV1)"; # Disable for Internetexplorer 6
+  gzip_comp_level 4;
+  gzip_min_length 256;
+  gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
+
+  types_hash_max_size 4096;  
+  {% for dir in NGINX.DIRECTORIES.HTTP.values() %}
+  include {{ dir }}*.conf;
+  {% endfor %}
+}
+
+# For port proxies
+stream{
+  include {{NGINX.DIRECTORIES.STREAMS}}*.conf;
+}