kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-08 14:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
36f9573fdfead47b789ce7c32a83176f7b946855
computer-playbook/roles/sys-svc-proxy
History
Kevin Veen-Birkenbach 493d5bbbda refactor(web-app-shopware): externalize trusted proxy and host configuration with mounted framework.yaml 
- added new file roles/web-app-shopware/files/framework.yaml defining trusted_proxies and trusted_headers for Symfony
 - mounted framework.yaml into /var/www/html/config/packages/ in docker-compose
 - exposed new role vars SHOPWARE_FRAMEWORK_HOST/DOCKER for mounting path
 - rendered framework.yaml via Ansible copy task with proper permissions
 - adjusted env.j2 to set TRUSTED_PROXIES and TRUSTED_HOSTS dynamically from domains and networks
 - added SHOPWARE_DOMAIN var to vars/main.yml
 - removed inline framework.yaml creation from Dockerfile (now managed via mount)
 - updated proxy template (html.conf.j2) to include X-Forwarded-Ssl header
 - improved init.sh permission handling for shared volumes

See ChatGPT conversation for implementation details and rationale:
https://chatgpt.com/share/690d4fe7-2830-800f-8b6d-b868e7fe0e97
2025-11-07 02:48:49 +01:00
..
meta
templates
refactor(web-app-shopware): externalize trusted proxy and host configuration with mounted framework.yaml
2025-11-07 02:48:49 +01:00
README.md
TODO.md

README.md

Nginx Docker Reverse Proxy 🚀

Description

This Ansible role deploys Nginx as a high-performance reverse proxy in front of Docker-hosted services.
It provides automatic TLS integration, WebSocket support, and a flexible templating system for per-application configuration.

Overview

Optimised for Arch Linux, the role installs Nginx, prepares opinionated configuration snippets and exposes a simple interface for other roles to drop in new virtual-hosts.
It plays well with Lets Encrypt, OAuth2 Proxy, and your existing Docker stack.

Purpose

The goal of this role is to deliver a hassle-free, production-ready reverse proxy for self-hosted containers, suitable for homelabs and small-scale production workloads.

Features

  • Automatic TLS & HSTS — integrates with the sys-svc-webserver-https role for certificate management.
  • Flexible vHost templatesbasic and ws_generic flavours cover standard HTTP and WebSocket applications.
  • Security headers — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
  • WebSocket & HTTP/2 aware — upgrades, keep-alive tuning, and gzip already configured.
  • OAuth2 gating — drop-in support when web-app-oauth2-proxy is present.
  • Modular includes — headers, locations, and global snippets are factored for easy extension.

Credits 📝

Developed and maintained by Kevin Veen-Birkenbach.
More at https://www.veen.world

Part of the Infinito.Nexus Project — licensed under the Infinito.Nexus NonCommercial License