From 131991ec2279944ced48f529cdc61dccefe5725d Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Sun, 28 Apr 2024 15:13:05 +0200
Subject: [PATCH] Create generic rule for simple nginx reverse proxy
---
 .vscode/settings.json | 3 +-
 roles/actual/handlers/main.yml | 5 ----
 roles/actual/tasks/main.yml | 28 ++++---------------
 roles/actual/templates/actual.conf.j2 | 25 -----------------
 roles/simple-reverse-proxy/handlers/main.yml | 6 ++++
 roles/simple-reverse-proxy/tasks/main.yml | 25 +++++++++++++++++
 .../templates/nginx-configuration.conf.j2 | 23 +++++++++++++++
 7 files changed, 62 insertions(+), 53 deletions(-)
 delete mode 100644 roles/actual/templates/actual.conf.j2
 create mode 100644 roles/simple-reverse-proxy/handlers/main.yml
 create mode 100644 roles/simple-reverse-proxy/tasks/main.yml
 create mode 100644 roles/simple-reverse-proxy/templates/nginx-configuration.conf.j2
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 9dfb7de..250d05c 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -2,5 +2,6 @@
 "ansible.python.interpreterPath": "/home/thomas/python_venv/bin/python",
 "files.associations": {
 "*.yml": "ansible"
- }
+ },
+ "ansible.validation.lint.arguments": "-x name[template]"
 }
diff --git a/roles/actual/handlers/main.yml b/roles/actual/handlers/main.yml
index 3a63107..292f833 100644
--- a/roles/actual/handlers/main.yml
+++ b/roles/actual/handlers/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: Restart Nginx
- become: true
- ansible.builtin.systemd:
- name: nginx.service
- state: restarted
 - name: Restart ufw
 become: true
 ansible.builtin.systemd:
diff --git a/roles/actual/tasks/main.yml b/roles/actual/tasks/main.yml
index 59fcb8c..6f9dee9 100644
--- a/roles/actual/tasks/main.yml
+++ b/roles/actual/tasks/main.yml
@@ -47,25 +47,9 @@
 state: started
 enabled: true
 scope: user
-- name: Install certificate for actual.kleinendorst.info
- become: true
- ansible.builtin.command:
- cmd: register_certbot_domain.sh actual.kleinendorst.info
- creates: /etc/letsencrypt/live/actual.kleinendorst.info # The certificate directory
-- name: Set Nginx configuration
- become: true
- ansible.builtin.template:
- src: actual.conf.j2
- dest: /etc/nginx/conf.d/actual.conf
- mode: '0644'
- notify: Restart Nginx
-# - name: Allow https through firewall
-# become: true
-# community.general.ufw:
-# rule: allow
-# port: https
-# proto: tcp
-# notify: Restart ufw
-- name: Debug
- ansible.builtin.debug:
- msg: "Don't forget to manually add a DNS record for actual.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
+- name: Include simple-reverse-proxy role
+ ansible.builtin.include_role:
+ name: simple-reverse-proxy
+ vars:
+ simple_reverse_proxy_internal_port: 5006
+ simple_reverse_proxy_internal_subdomain: actual
diff --git a/roles/actual/templates/actual.conf.j2 b/roles/actual/templates/actual.conf.j2
deleted file mode 100644
index a9cf1bd..0000000
--- a/roles/actual/templates/actual.conf.j2
+++ /dev/null
@@ -1,25 +0,0 @@
-# Template comes from the actual documentation: https://actualbudget.org/docs/config/reverse-proxies/#nginx
-# It was however modified in some ways because the referenced files weren't created.
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name actual.kleinendorst.info;
-
- client_max_body_size 20M; # The budgets can become quite large and need to be uploaded
-
- # SSL via Let's Encrypt
- ssl_certificate /etc/letsencrypt/live/actual.kleinendorst.info/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/actual.kleinendorst.info/privkey.pem; # managed by Certbot
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
-
- location / {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
-
- set $upstream_address 127.0.0.1;
- set $upstream_port 5006;
- set $upstream_proto http;
- proxy_pass $upstream_proto://$upstream_address:$upstream_port;
- }
-}
diff --git a/roles/simple-reverse-proxy/handlers/main.yml b/roles/simple-reverse-proxy/handlers/main.yml
new file mode 100644
index 0000000..d78a686
--- /dev/null
+++ b/roles/simple-reverse-proxy/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Nginx
+ become: true
+ ansible.builtin.systemd:
+ name: nginx.service
+ state: restarted
diff --git a/roles/simple-reverse-proxy/tasks/main.yml b/roles/simple-reverse-proxy/tasks/main.yml
new file mode 100644
index 0000000..d27113f
--- /dev/null
+++ b/roles/simple-reverse-proxy/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: "Install certificate for {{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info"
+ become: true
+ ansible.builtin.command:
+ cmd: "register_certbot_domain.sh {{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info"
+ creates: "/etc/letsencrypt/live/{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info" # The certificate directory
+- name: Set Nginx configuration
+ become: true
+ ansible.builtin.template:
+ src: nginx-configuration.conf.j2
+ dest: "/etc/nginx/conf.d/{{ simple_reverse_proxy_internal_subdomain }}.conf"
+ mode: '0644'
+ notify: Restart Nginx
+# - name: Allow https through firewall
+# become: true
+# community.general.ufw:
+# rule: allow
+# port: https
+# proto: tcp
+# notify: Restart ufw
+- name: Debug
+ ansible.builtin.debug:
+ msg: >-
+ Don't forget to manually add a DNS record for {{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info
+ pointing to: {{ ansible_facts['default_ipv4']['address'] }}.
diff --git a/roles/simple-reverse-proxy/templates/nginx-configuration.conf.j2 b/roles/simple-reverse-proxy/templates/nginx-configuration.conf.j2
new file mode 100644
index 0000000..7b1ca6f
--- /dev/null
+++ b/roles/simple-reverse-proxy/templates/nginx-configuration.conf.j2
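Review bot: The two role inputs are used without any check, and `simple_reverse_proxy_internal_subdomain` is spliced into the certbot command string, the `creates:` path, the nginx config file name and (through the template) `server_name`, so an undefined or malformed value only surfaces as a certbot or nginx failure after the config has already been written. Add an `ansible.builtin.assert` as the first task that requires both variables and restricts the subdomain to a single DNS label, and pass the certbot arguments as a list with `argv:` instead of a templated `cmd:` string so the value is never word-split. The commented-out ufw task notifies `Restart ufw`, which this role's handlers file does not define (the new handlers file in this commit only has `Restart Nginx`), so uncommenting it would presumably fail unless the calling role happens to supply that handler; either drop the dead block or move the handler into this role. The task name also puts `.kleinendorst.info` after the Jinja expression, which is what the `name[template]` lint exclusion added to `.vscode/settings.json` in this commit works around; `name: "Install certificate for subdomain {{ simple_reverse_proxy_internal_subdomain }}"` satisfies the rule instead.
```yaml
---
- name: Check simple-reverse-proxy inputs
  ansible.builtin.assert:
    that:
      - simple_reverse_proxy_internal_port is defined
      - simple_reverse_proxy_internal_subdomain is defined
      - simple_reverse_proxy_internal_subdomain is match('^[a-z0-9]([a-z0-9-]*[a-z0-9])?$')
    fail_msg: "simple_reverse_proxy_internal_subdomain must be a single DNS label and simple_reverse_proxy_internal_port must be set"
- name: "Install certificate for subdomain {{ simple_reverse_proxy_internal_subdomain }}"
  become: true
  ansible.builtin.command:
    argv:
      - register_certbot_domain.sh
      - "{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info"
    creates: "/etc/letsencrypt/live/{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info"  # The certificate directory
# … unchanged: Set Nginx configuration, firewall comment and Debug tasks …
```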
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name {{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info;
+
+ client_max_body_size 20M;
+
+ # SSL via Let's Encrypt
+ ssl_certificate /etc/letsencrypt/live/{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+ set $upstream_address 127.0.0.1;
+ set $upstream_port {{ simple_reverse_proxy_internal_port }};
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_address:$upstream_port;
+ }
+}
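Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` keeps TLS 1.0 and 1.1 enabled in what is now the shared template for every proxied service; both are deprecated (RFC 8996) and this is the place to settle on `ssl_protocols TLSv1.2 TLSv1.3;`, with `ssl_ciphers HIGH:!aNULL:!MD5;` tightened to a modern suite at the same time. The `location /` block forwards `Host` and `X-Forwarded-For` but not the scheme, so an upstream that derives redirect URLs or cookie flags from request headers believes it was reached over plain http; add `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing two headers. There is no port-80 server block, so plain-HTTP requests for the subdomain land on whatever default server nginx has rather than being redirected to https; whether that is intended depends on host config not in this diff. The deleted template carried a header comment explaining where the `set $upstream_*` form came from and why it was changed, and the new file drops it; a two-line comment above `location /` stating that the variables force runtime resolution of the upstream would preserve that context.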