add nginx vhost config

defaults/main.yml

@@ -40,6 +40,7 @@ jellyfin_logrotate_config:
       - compress
       - shred
 
+jellyfin_base_url: mystream.example.com
 # DONT CHANGE IT!
 # Changing the bind ports is currently not supported
 jellyfin_http_bind_port: 8096
@@ -56,3 +57,18 @@ jellyfin_open_ports:
     rules: |
       -A OUTPUT -m state --state NEW -p udp --destination 239.255.255.250 --dport 1900 -j ACCEPT
     state: present
+
+
+jellyfin_tls_cert_source: mycert.pem
+jellyfin_tls_key_source: mykey.pem
+
+jellyfin_nginx_vhost_enabled: False
+jellyfin_nginx_server: localhost
+jellyfin_nginx_vhost_dir: /etc/nginx/sites-available
+jellyfin_nginx_vhost_symlink: /etc/nginx/sites-enabled
+jellyfin_nginx_iptables_enabled: False
+jellyfin_nginx_tls_enabled: False
+jellyfin_nginx_tls_cert_file: jellyfin-cert.pem
+jellyfin_nginx_tls_key_file: jellyfin-key.pem
+jellyfin_nginx_proxy_port: "{{ jellyfin_http_bind_port }}"
+jellyfin_nginx_proxy_ip: "{{ ansible_default_ipv4.address }}"

tasks/main.yml

@@ -3,4 +3,6 @@
 - import_tasks: storage.yml
   when: jellyfin_lvm_enabled
 - include_tasks: install.yml
+- import_tasks: nginx.yml
+  when: matrix_nginx_vhost_enabled
 - include_tasks: post_tasks.yml

tasks/nginx.yml

@@ -0,0 +1,48 @@
+---
+- block:
+    - name: Copy certs and private key to nginx proxy
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      loop:
+        - { src: "{{ jellyfin_tls_key_source }}", dest: '/etc/pki/tls/private/{{ jellyfin_nginx_tls_key_file }}', mode: '0600' }
+        - { src: "{{ jellyfin_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ jellyfin_nginx_tls_cert_file }}', mode: '0750' }
+      loop_control:
+        label: "{{ item.dest }}"
+      notify: __nginx_reload
+  delegate_to: "{{ jellyfin_nginx_server }}"
+  when: jellyfin_nginx_tls_enabled
+  become: True
+  become_user: root
+  tags: tls_renewal
+
+- block:
+    - name: Add vhost configuration file
+      template:
+        src: nginx/vhost.j2
+        dest: "{{ jellyfin_nginx_vhost_dir }}/jellyfin"
+        owner: root
+        group: root
+        mode: 0640
+      notify: __nginx_reload
+
+    - name: Enable jellyfin vhost
+      file:
+        src: "{{ jellyfin_nginx_vhost_dir }}/jellyfin"
+        dest: "{{ jellyfin_nginx_vhost_symlink }}/jellyfin"
+        owner: root
+        group: root
+        state: link
+      notify: __nginx_reload
+      when: jellyfin_nginx_vhost_symlink is defined
+
+    - name: Open ports in iptables
+      iptables_raw:
+        name: allow_jellyfin_nginx_proxy
+        state: present
+        rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ jellyfin_nginx_proxy_ip }} --dport {{ jellyfin_nginx_proxy_port }} -j ACCEPT'
+      when: jellyfin_nginx_iptables_enabled
+  delegate_to: "{{ jellyfin_nginx_server }}"
+  become: True
+  become_user: root

templates/nginx/vhost.j2

@@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_jellyfin {
+    server {{ jellyfin_nginx_proxy_ip }}:{{ jellyfin_nginx_proxy_port }};
+}
+
+server {
+    listen 80;
+    server_name {{ jellyfin_base_url | urlsplit('hostname') }};
+
+    client_max_body_size 200M;
+
+    {% if jellyfin_nginx_tls_enabled %}
+    return 301 https://$server_name$request_uri;
+    {% else %}
+    location / {
+        proxy_pass {{ 'https' if jellyfin_tls_enabled else 'http' }}://backend_jellyfin;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+    {% endif %}
+}
+
+{% if jellyfin_nginx_tls_enabled %}
+server {
+    listen 443 ssl;
+    server_name {{ jellyfin_base_url | urlsplit('hostname') }};
+
+    client_max_body_size 200M;
+
+    location / {
+        proxy_pass {{ 'https' if jellyfin_tls_enabled else 'http' }}://backend_jellyfin;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+    ssl_certificate /etc/pki/tls/certs/{{ jellyfin_nginx_tls_cert_file }};
+    ssl_certificate_key /etc/pki/tls/private/{{ jellyfin_nginx_tls_key_file }};
+}
+{% endif %}