diff options
Diffstat (limited to 'roles/webserver/tasks/main.yml')
-rw-r--r-- | roles/webserver/tasks/main.yml | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml new file mode 100644 index 0000000..a849f2c --- /dev/null +++ b/roles/webserver/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: Copy webserver files + ansible.builtin.copy: + src: "{{ item }}" + dest: "{{ DATA_ROOT }}/nginx" + owner: "{{ USER }}" + group: "{{ USER }}" + loop: + - www + - user_conf.d + notify: Restart nginx + +- name: Setup nginx + containers.podman.podman_container: + name: webserver + image: docker.io/jonasal/nginx-certbot + network: "{{ NETWORK }}" + ports: + - "8080:80" + - "8443:443" + env: + CERTBOT_EMAIL: "johannes@memzero.de" + STAGING: "1" + DEBUG: "1" + volumes: + # Use 'Z' to privately relable selinux contexts. + - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z" + - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z" + +# All services run in rootless-podman and nginx is the only entry point from +# the outside acting as webserver and reverse proxy. +# Since we dont want to lower the *unprivileged* port start (1024) we install +# two forwarding routes from +# 80 -> 8080 +# 443 -> 8443 +- name: Forward port 80/443 to 8080/8443 + ansible.builtin.iptables: + table: nat + chain: PREROUTING + protocol: tcp + match: tcp + destination_port: "{{ item.from }}" + jump: REDIRECT + to_ports: "{{ item.to }}" + comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}" + become: yes + loop: + - { from: 80 , to: 8080 } + - { from: 443, to: 8443 }
\ No newline at end of file |