blob: e2624c4e3796238fb4ff465420a101f458c5c80e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
---
- name: Copy webserver files
ansible.builtin.copy:
src: "{{ item }}"
dest: "{{ DATA_ROOT }}/nginx"
owner: "{{ USER }}"
group: "{{ USER }}"
mode: '0644'
loop:
- www
- user_conf.d
notify: Restart nginx
- name: Setup nginx
containers.podman.podman_container:
name: webserver
image: docker.io/jonasal/nginx-certbot
network: "{{ NETWORK }}"
ports:
- "8080:80"
- "8443:443"
env:
CERTBOT_EMAIL: "johannes@memzero.de"
# STAGING: "1"
# DEBUG: "1"
volumes:
# Use 'Z' to privately relable selinux contexts.
- "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
# Use 'z' to shared-ly relable selinux contexts.
- "{{ DATA_ROOT }}/nginx/www:/www:ro,z"
# All services run in rootless-podman and nginx is the only entry point from
# the outside acting as webserver and reverse proxy.
# Since we dont want to lower the *unprivileged* port start (1024) we install
# two forwarding routes from
# 80 -> 8080
# 443 -> 8443
- name: Forward port 80/443 to 8080/8443
ansible.builtin.iptables:
table: nat
chain: PREROUTING
protocol: tcp
match: tcp
destination_port: "{{ item.from }}"
jump: REDIRECT
to_ports: "{{ item.to }}"
comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
become: true
loop:
- { from: 80 , to: 8080 }
- { from: 443, to: 8443 }
|
