diff --git a/defaults/main.yml b/defaults/main.yml
index 59def40..f7bc9a4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -40,6 +40,7 @@ jellyfin_logrotate_config:
 - compress
 - shred
+jellyfin_base_url: mystream.example.com # DONT CHANGE IT!
 # Changing the bind ports is currently not supported
 jellyfin_http_bind_port: 8096
@@ -56,3 +57,18 @@ jellyfin_open_ports:
 rules: |
 -A OUTPUT -m state --state NEW -p udp --destination 239.255.255.250 --dport 1900 -j ACCEPT
 state: present
+
+
+jellyfin_tls_cert_source: mycert.pem
+jellyfin_tls_key_source: mykey.pem
+
+jellyfin_nginx_vhost_enabled: False
+jellyfin_nginx_server: localhost
+jellyfin_nginx_vhost_dir: /etc/nginx/sites-available
+jellyfin_nginx_vhost_symlink: /etc/nginx/sites-enabled
+jellyfin_nginx_iptables_enabled: False
+jellyfin_nginx_tls_enabled: False
+jellyfin_nginx_tls_cert_file: jellyfin-cert.pem
+jellyfin_nginx_tls_key_file: jellyfin-key.pem
+jellyfin_nginx_proxy_port: "{{ jellyfin_http_bind_port }}"
+jellyfin_nginx_proxy_ip: "{{ ansible_default_ipv4.address }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index a27688c..5fcc207 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,4 +3,6 @@
 - import_tasks: storage.yml
 when: jellyfin_lvm_enabled
 - include_tasks: install.yml
+- import_tasks: nginx.yml
+ when: matrix_nginx_vhost_enabled
 - include_tasks: post_tasks.yml
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..bc4e353
--- /dev/null
+++ b/tasks/nginx.yml
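Review bot: `jellyfin_base_url: mystream.example.com` is a bare hostname with no scheme, but templates/nginx/vhost.j2 in this same commit reads it through `urlsplit('hostname')`; Python's urlsplit treats scheme-less input as a path, so `hostname` is None and both `server_name` directives render as `None`, meaning the vhost never matches the intended host. Either make the default a full URL, `jellyfin_base_url: https://mystream.example.com`, with a comment that the scheme is required, or use the value directly in the template. The new toggles are written `False`; Ansible and yamllint convention is lowercase `false`. Since `jellyfin_nginx_tls_enabled` defaults to off, the proxy serves the Jellyfin login page over plain HTTP unless the operator opts in — worth a one-line comment next to that variable so nobody ships the default unknowingly.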
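Review bot: The new import is gated on `matrix_nginx_vhost_enabled`, a variable this role never defines — defaults/main.yml in the same commit adds `jellyfin_nginx_vhost_enabled` — so the `when` hits an undefined variable and the play errors out on every host unless that name happens to be set elsewhere. It reads like a copy-paste from a matrix role; change it to `when: jellyfin_nginx_vhost_enabled`. Because this is `import_tasks`, the condition is attached to every task in nginx.yml, which is the intended behaviour here.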
@@ -0,0 +1,48 @@
+---
+- block:
+ - name: Copy certs and private key to nginx proxy
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - { src: "{{ jellyfin_tls_key_source }}", dest: '/etc/pki/tls/private/{{ jellyfin_nginx_tls_key_file }}', mode: '0600' }
+ - { src: "{{ jellyfin_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ jellyfin_nginx_tls_cert_file }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ notify: __nginx_reload
+ delegate_to: "{{ jellyfin_nginx_server }}"
+ when: jellyfin_nginx_tls_enabled
+ become: True
+ become_user: root
+ tags: tls_renewal
+
+- block:
+ - name: Add vhost configuration file
+ template:
+ src: nginx/vhost.j2
+ dest: "{{ jellyfin_nginx_vhost_dir }}/jellyfin"
+ owner: root
+ group: root
+ mode: 0640
+ notify: __nginx_reload
+
+ - name: Enable jellyfin vhost
+ file:
+ src: "{{ jellyfin_nginx_vhost_dir }}/jellyfin"
+ dest: "{{ jellyfin_nginx_vhost_symlink }}/jellyfin"
+ owner: root
+ group: root
+ state: link
+ notify: __nginx_reload
+ when: jellyfin_nginx_vhost_symlink is defined
+
+ - name: Open ports in iptables
+ iptables_raw:
+ name: allow_jellyfin_nginx_proxy
+ state: present
+ rules: '-A OUTPUT -m state --state NEW -p tcp -d {{ jellyfin_nginx_proxy_ip }} --dport {{ jellyfin_nginx_proxy_port }} -j ACCEPT'
+ when: jellyfin_nginx_iptables_enabled
+ delegate_to: "{{ jellyfin_nginx_server }}"
+ become: True
+ become_user: root
diff --git a/templates/nginx/vhost.j2 b/templates/nginx/vhost.j2
new file mode 100644
index 0000000..77c867d
--- /dev/null
+++ b/templates/nginx/vhost.j2
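Review bot: The certificate is installed with `mode: '0750'`, which puts an execute bit on a PEM file and hides a public certificate from other users for no gain; a cert should simply be `mode: '0644'` (nginx's master process loads both files as root, so the private key's `0600` is correct as written). The same `copy` task will print the private key's contents when the play runs with `--diff` or in check mode, since `copy` diffs text files; add `diff: false` to that task. The destinations also mix distro layouts — `/etc/pki/tls/...` is the RHEL path while the vhost goes to Debian's `/etc/nginx/sites-available` — and `copy` does not create missing parent directories, so on a Debian-family target the key copy presumably fails unless that directory pre-exists; confirm against the distros the role supports. `__nginx_reload` is notified three times but not defined in this diff, so verify it exists in the role's handlers, and `become: True` should be lowercase `true` per Ansible convention.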
@@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend_jellyfin {
+ server {{ jellyfin_nginx_proxy_ip }}:{{ jellyfin_nginx_proxy_port }};
+}
+
+server {
+ listen 80;
+ server_name {{ jellyfin_base_url | urlsplit('hostname') }};
+
+ client_max_body_size 200M;
+
+ {% if jellyfin_nginx_tls_enabled %}
+ return 301 https://$server_name$request_uri;
+ {% else %}
+ location / {
+ proxy_pass {{ 'https' if jellyfin_tls_enabled else 'http' }}://backend_jellyfin;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ {% endif %}
+}
+
+{% if jellyfin_nginx_tls_enabled %}
+server {
+ listen 443 ssl;
+ server_name {{ jellyfin_base_url | urlsplit('hostname') }};
+
+ client_max_body_size 200M;
+
+ location / {
+ proxy_pass {{ 'https' if jellyfin_tls_enabled else 'http' }}://backend_jellyfin;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ ssl_certificate /etc/pki/tls/certs/{{ jellyfin_nginx_tls_cert_file }};
+ ssl_certificate_key /etc/pki/tls/private/{{ jellyfin_nginx_tls_key_file }};
+}
+{% endif %}
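Review bot: When `jellyfin_tls_enabled` is set, `proxy_pass https://backend_jellyfin` speaks TLS to the upstream, but nginx does not verify upstream certificates by default, so the hop from the proxy host to `jellyfin_nginx_proxy_ip` is encrypted yet unauthenticated; both `location /` blocks need `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` pointing at the CA that issued the backend's cert and `proxy_ssl_name` set to the name in that cert (the upstream is addressed by IP, which will not match otherwise). Both locations also forward only `X-Forwarded-For`, so the backend sees `Host: backend_jellyfin` and no scheme; add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`, and the `Upgrade`/`Connection` pass-through if the backend uses WebSockets (confirm). `X-Forwarded-For $remote_addr` discards any existing chain; `$proxy_add_x_forwarded_for` is the conventional value. The 443 block sets no `ssl_protocols`/`ssl_ciphers` and no HSTS header, so the target distro's nginx defaults decide the TLS policy — either pin them here or state that in a comment above the block.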