path: root/roles/webserver/tasks/main.yml
Diffstat (limited to 'roles/webserver/tasks/main.yml')
-rw-r--r--roles/webserver/tasks/main.yml49
1 files changed, 49 insertions, 0 deletions
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..a849f2c
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: Copy webserver files
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "{{ DATA_ROOT }}/nginx"
+ owner: "{{ USER }}"
+ group: "{{ USER }}"
+ loop:
+ - www
+ - user_conf.d
+ notify: Restart nginx
+
+- name: Setup nginx
+ containers.podman.podman_container:
+ name: webserver
+ image: docker.io/jonasal/nginx-certbot
+ network: "{{ NETWORK }}"
+ ports:
+ - "8080:80"
+ - "8443:443"
+ env:
+ CERTBOT_EMAIL: "johannes@memzero.de"
+ STAGING: "1"
+ DEBUG: "1"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
+ - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z"
+
+# All services run in rootless-podman and nginx is the only entry point from
+# the outside acting as webserver and reverse proxy.
+# Since we dont want to lower the *unprivileged* port start (1024) we install
+# two forwarding routes from
+# 80 -> 8080
+# 443 -> 8443
+- name: Forward port 80/443 to 8080/8443
+ ansible.builtin.iptables:
+ table: nat
+ chain: PREROUTING
+ protocol: tcp
+ match: tcp
+ destination_port: "{{ item.from }}"
+ jump: REDIRECT
+ to_ports: "{{ item.to }}"
+ comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+ become: yes
+ loop:
+ - { from: 80 , to: 8080 }
+ - { from: 443, to: 8443 } \ No newline at end of file
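Review bot: The container env hard-codes `STAGING: "1"` and `DEBUG: "1"` in the "Setup nginx" task, which reads like a development configuration left in the role: a staging ACME endpoint issues certificates browsers will not trust, and debug output raises log verbosity on what the comment describes as the only externally reachable entry point. If this role is meant for the real host, consider driving both from variables, e.g. `STAGING: "{{ CERTBOT_STAGING | default('0') }}"` and `DEBUG: "{{ NGINX_DEBUG | default('0') }}"`, so a production run does not depend on editing the task. Two smaller points in the same file: `ansible.builtin.iptables` modifies the running ruleset only, so unless something outside this role persists it the 80/443 redirect disappears on reboot — worth a comment above the task stating where persistence is handled; and `become: yes` should be `become: true` per Ansible/yamllint truthy conventions.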