Diffstat (limited to 'playbooks/roles/nginx')
11 files changed, 198 insertions, 0 deletions
diff --git a/playbooks/roles/nginx/files/nginx.conf b/playbooks/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..6ddd8ab
--- /dev/null
+++ b/playbooks/roles/nginx/files/nginx.conf
@@ -0,0 +1,26 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/playbooks/roles/nginx/handlers/main.yml b/playbooks/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..2ce85ba
--- /dev/null
+++ b/playbooks/roles/nginx/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Restart nginx
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
+ enabled: true
+
+- name: Restart ufw
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
diff --git a/playbooks/roles/nginx/tasks/main.yml b/playbooks/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..b4cd6ed
--- /dev/null
+++ b/playbooks/roles/nginx/tasks/main.yml
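Review bot: `server_tokens` is not set anywhere in the http block of nginx.conf, so nginx keeps its default of advertising its version in the Server header and on error pages; add `server_tokens off;` next to `sendfile on;`. `gzip on;` is enabled globally while the site templates in this role terminate TLS in front of proxied dynamic backends; compressing responses that mix secrets with request-influenced content over TLS is the precondition for BREACH-class side channels, so consider limiting `gzip_types` to static content types or disabling gzip inside the proxied locations. `worker_processes 4;` hard-codes the core count where `worker_processes auto;` would follow the host it is deployed to.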
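Review bot: The `Restart ufw` handler in handlers/main.yml restarts the firewall service to apply rules that `community.general.ufw` has already inserted live, so the restart is unnecessary and briefly tears down the rule set while it reloads; the `Allow http` task in tasks/main.yml also never notifies it, so the two ufw tasks are inconsistent — dropping the handler and the `notify` on `Allow https` is the simpler fix. `Restart nginx` uses `state: restarted`, which closes in-flight connections on every config change; `state: reloaded` keeps connections open and nginx keeps the old configuration running if the new one fails to load, which is the safer handler for the template and copy tasks (confirm that the service module starts a stopped unit on reload for the fresh-install case, otherwise keep a separate restart handler for `Install nginx`). `enabled: true` inside a restart handler mixes enabling the unit with restarting it; `enabled` belongs on the install task.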
@@ -0,0 +1,44 @@
+---
+
+- name: Allow http
+ community.general.ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+- name: Allow https
+ community.general.ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+ notify:
+ - Restart ufw
+
+- name: Install nginx
+ ansible.builtin.apt:
+ name: nginx
+ state: present
+ notify:
+ - Restart nginx
+
+- name: Download dhparams
+ ansible.builtin.get_url:
+ url: "{{ dh_params_src }}"
+ dest: /etc/nginx/dhparams.pem
+ mode: '0755'
+
+- name: Add system nginx config
+ ansible.builtin.copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+ mode: '0755'
+
+- name: Copy nginx sites
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ mode: '0755'
+ with_fileglob:
+ - "templates/{{ inventory_hostname }}/*.conf"
+ notify:
+ - Restart nginx
diff --git a/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.auth.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.auth.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..9a767f2
--- /dev/null
+++ b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.auth.mistymountainstherapy.com.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name auth.mistymountainstherapy.com;
+
+ location / {
+ rewrite ^ https://auth.mistymountainstherapy.com$request_uri? permanent;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.mail.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.mail.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..8f6d782
--- /dev/null
+++ b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/http.mail.mistymountainstherapy.com.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name mail.mistymountainstherapy.com;
+
+ location / {
+ rewrite ^ https://mail.mistymountainstherapy.com$request_uri? permanent;
+ }
+}
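Review bot: `Download dhparams` fetches `/etc/nginx/dhparams.pem` from `{{ dh_params_src }}` with no `checksum:` argument, so whatever that URL serves becomes the server's DH group without any integrity check; add `checksum: "sha256:<expected-digest>"` (placeholder for the published digest) or generate the parameters on the host instead of downloading them. The `mode: '0755'` on the dhparams file, on `nginx.conf` and on the site templates makes configuration files executable for no reason; `mode: '0644'` is the conventional mode for all three. `Add system nginx config` could also pass `validate: 'nginx -t -c %s'` so a broken `nginx.conf` is rejected before the restart handler fires, since the includes in that file are all absolute paths.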
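Review bot: The port-80 vhost in http.auth.mistymountainstherapy.com.conf redirects with `rewrite ^ https://auth.mistymountainstherapy.com$request_uri? permanent;`, where the regex match and the trailing `?` exist only to stop nginx from re-appending the query arguments; `return 301 https://auth.mistymountainstherapy.com$request_uri;` expresses the same redirect without a regex pass and is the form the nginx documentation recommends for plain redirects. The same pattern appears in http.mail.mistymountainstherapy.com.conf in this hunk group and in the http.mistymountainstherapy.com and http.www templates later in the diff.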
diff --git a/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.auth.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.auth.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..fe39586
--- /dev/null
+++ b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.auth.mistymountainstherapy.com.conf
@@ -0,0 +1,23 @@
+server {
+ server_name auth.mistymountainstherapy.com;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/auth.mistymountainstherapy.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/auth.mistymountainstherapy.com/privkey.pem;
+
+ location / {
+ proxy_pass https://localhost:8443;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.mail.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.mail.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..2a6a7bc
--- /dev/null
+++ b/playbooks/roles/nginx/templates/mail.int.mistymountainstherapy.com/https.mail.mistymountainstherapy.com.conf
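Review bot: None of the four TLS server blocks sets `ssl_session_cache`, and with `ssl_session_tickets off;` that leaves no session resumption at all, so every connection pays a full handshake; `ssl_session_cache shared:SSL:10m;` next to the existing `ssl_session_timeout 1d;` is the usual pairing. They also send no `Strict-Transport-Security` header, so a browser that has once been served the port-80 vhost will keep trying plaintext first on later visits; `add_header Strict-Transport-Security "max-age=63072000" always;` in each 443 block closes that (https.mail, https.mistymountainstherapy.com and https.www carry the same two gaps). In this block `proxy_pass https://localhost:8443;` runs with nginx's default `proxy_ssl_verify off`, so the backend certificate is never checked; that is tolerable only because the upstream is loopback, and a one-line comment saying so would stop the stanza being copied to a remote upstream unchanged. `proxy_set_header X-Forwarded-Host $server_name;` forwards the configured name rather than the client-supplied `$host`, which may be intended but is worth confirming against what the auth service expects.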
@@ -0,0 +1,21 @@
+server {
+ server_name mail.mistymountainstherapy.com;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/mail.mistymountainstherapy.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mail.mistymountainstherapy.com/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:9002;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..fc6e8f6
--- /dev/null
+++ b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.mistymountainstherapy.com.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name mistymountainstherapy.com;
+
+ location / {
+ rewrite ^ https://mistymountainstherapy.com$request_uri? permanent;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.www.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.www.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..d165e01
--- /dev/null
+++ b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/http.www.mistymountainstherapy.com.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name www.mistymountainstherapy.com;
+
+ location / {
+ rewrite ^ https://mistymountainstherapy.com$request_uri? permanent;
+ }
+}
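Review bot: The proxied location in https.mail.mistymountainstherapy.com.conf forwards `X-Real-IP` and `Host` but no `X-Forwarded-Proto`, so the backend on `127.0.0.1:9002` cannot tell that the client connection was TLS; applications behind a terminating proxy typically rely on that header to mark cookies Secure and to build https URLs, so `proxy_set_header X-Forwarded-Proto $scheme;` is probably wanted here and in the https.mistymountainstherapy.com block, which carries the same header set. Whether either backend honours the header cannot be determined from the diff.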
diff --git a/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..6cdd63f
--- /dev/null
+++ b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.mistymountainstherapy.com.conf
@@ -0,0 +1,21 @@
+server {
+ server_name mistymountainstherapy.com;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/mistymountainstherapy.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/mistymountainstherapy.com/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:8821;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.www.mistymountainstherapy.com.conf b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.www.mistymountainstherapy.com.conf
new file mode 100644
index 0000000..c6ae568
--- /dev/null
+++ b/playbooks/roles/nginx/templates/www.int.mistymountainstherapy.com/https.www.mistymountainstherapy.com.conf
@@ -0,0 +1,19 @@
+server {
+ server_name www.mistymountainstherapy.com;
+ listen 443 ssl;
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ ssl_certificate /etc/letsencrypt/live/www.mistymountainstherapy.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.mistymountainstherapy.com/privkey.pem;
+
+ location / {
+ rewrite ^ https://mistymountainstherapy.com$request_uri? permanent;
+ }
+} |