Add reverse-proxy role

roles/reverse-proxy/README.md

@@ -0,0 +1,5 @@
+Set up a basic nginx reverse proxy.
+
+NetBox config context should contain a proxy_pass property with the server address.
+
+Custom error page can be placed in /srv/http/error/index.html.

roles/reverse-proxy/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: Set up nginx site
+  template:
+    dest: '/etc/nginx/http.d/{{ inventory_hostname }}.conf'
+    src: 'nginx.conf.j2'
+  notify: reload nginx

roles/reverse-proxy/templates/nginx.conf.j2

@@ -0,0 +1,28 @@
+server {
+    server_name {{ ([dns_name] + tls_domains|default([])) | join(" ") }};
+
+    listen [::]:443 ssl ipv6only=off;
+    ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
+
+    error_page 500 501 502 503 504 505 506 507 508 510 511 /error/;
+
+    location / {
+        proxy_pass {{ proxy_pass }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        proxy_connect_timeout 30s;
+        proxy_max_temp_file_size 0;
+
+        # TODO maybe
+        #proxy_ssl_verify on;
+        #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+    }
+
+    location /error/ {
+        root /srv/http;
+        try_files $uri $uri/index.html =503;
+    }
+}

setup.yml

@@ -66,3 +66,9 @@
   roles:
     - proxmox-backup
     - frr
+
+- hosts: web-front
+  roles:
+    - alpine
+    - nginx
+    - reverse-proxy