---
# Stage the nginx content and configuration trees on the target host under
# {{ DATA_ROOT }}/nginx. These are the paths the "Setup nginx" task in this
# file bind-mounts into the container.
- name: Copy webserver files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ DATA_ROOT }}/nginx"
    # World-readable, owner-writable. Quoted so the mode stays a string and is
    # not retyped as an integer by the YAML parser.
    mode: '0644'
    owner: "{{ USER }}"
    group: "{{ USER }}"
  # One copy per source entry; each entry is copied into dest.
  # NOTE(review): everything copied here becomes readable by all local users;
  # confirm user_conf.d and inc hold no credentials or private keys.
  loop:
    - www
    - user_conf.d
    - inc
  # The handler is not defined in this file.
  notify: Restart nginx
# Run the nginx + certbot container named "webserver" on {{ NETWORK }},
# publishing it on host ports 8080/8443 and bind-mounting the trees staged
# under {{ DATA_ROOT }}/nginx.
- name: Setup nginx
  containers.podman.podman_container:
    name: webserver
    # NOTE(review): no tag or digest is given, so every pull takes whatever the
    # registry currently serves under the default tag. Pin a reviewed tag or an
    # image digest so an upstream change cannot silently alter what is deployed.
    image: docker.io/jonasal/nginx-certbot
    network: "{{ NETWORK }}"
    # host:container. The firewalld task in this file forwards 80/443 to these
    # host ports.
    ports: ["8080:80", "8443:443"]
    env:
      CERTBOT_EMAIL: "johannes@memzero.de"
      # STAGING: "1"
      # DEBUG: "1"
    volumes:
      # 'Z' relabels the SELinux context privately (for this container only).
      # Configuration is mounted read-only.
      - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
      - "{{ DATA_ROOT }}/nginx/inc:/etc/nginx/inc:ro,Z"
      # The only writable mount: no 'ro' flag here.
      # NOTE(review): presumably certbot stores certificates and private keys
      # here; this file does not create the host directory or set its
      # permissions - confirm it exists and is not readable by other users.
      - "{{ DATA_ROOT }}/nginx/certs:/etc/letsencrypt:Z"
      # 'z' relabels the SELinux context as shared, so other containers may use
      # the same content; mounted read-only.
      - "{{ DATA_ROOT }}/nginx/www:/www:ro,z"
# Redirect the well-known HTTP/HTTPS ports to the unprivileged host ports
# published by the webserver container (80 -> 8080, 443 -> 8443).
- name: Forward port 80/443 to 8080/8443
  # Changing firewalld configuration needs root.
  become: true
  ansible.posix.firewalld:
    state: enabled
    # Persist the rule and also apply it to the running firewall.
    permanent: true
    immediate: true
    # NOTE(review): the rule is family=ipv4 only, so IPv6 traffic to 80/443 is
    # not forwarded by it, and no zone is named - confirm both are intended.
    rich_rule: "rule family=ipv4 forward-port port={{ item.from }} protocol=tcp to-port={{ item.to }}"
  loop:
    - from: 80
      to: 8080
    - from: 443
      to: 8443