add nginx vhost deployment

defaults/main.yml

@@ -42,7 +42,16 @@ unifi_open_ports:
       -A INPUT -m state --state NEW -p tcp --dport 6789 -j ACCEPT
     state: present
 
-unifi_tls_deploment_enabled: False
+unifi_tls_deployment_enabled: False
 unifi_tls_pkcs12_passphrase: temppass
 unifi_tls_cert_path: /etc/pki/tls/certs/mycert.pem
 unifi_tls_key_path: /etc/pki/tls/private/mykey.pem
+
+unifi_nginx_vhost_enabled: False
+unifi_ip_server: localhost
+unifi_server_port: 8443
+unifi_nginx_server: myinventoryname
+unifi_nginx_server_name: unifi.example.com
+unifi_nginx_vhost_dir: /etc/nginx/sites-available
+unifi_nginx_vhost_symlink: /etc/nginx/sites-enabled
+unifi_nginx_iptables_enabled: False

handlers/main.yml

@@ -6,3 +6,12 @@
     name: unifi
   listen: __unifi_restart
   become: True
+
+- name: Reload nginx
+  systemd:
+    state: reloaded
+    name: nginx
+  listen:
+    - __nginx_reload
+  become: True
+  become_user: root

tasks/main.yml

@@ -3,5 +3,6 @@
 - include_tasks: storage.yml
   when: unifi_lvm_enabled
 - include_tasks: install.yml
-- include_tasks: certificates.yml
-  when: unifi_tls_deploment_enabled
+- include_tasks: tls.yml
+  when: unifi_tls_deployment_enabled
+- include_tasks: nginx.yml

tasks/nginx.yml

@@ -0,0 +1,30 @@
+---
+- block:
+  - name: Add default page configuration file
+    template:
+      src: nginx/vhost.j2
+      dest: "{{ unifi_nginx_vhost_dir }}/unifi"
+      owner: root
+      group: root
+      mode: 0640
+    notify: __nginx_reload
+
+  - name: Enable default page
+    file:
+      src: "{{ unifi_nginx_vhost_dir }}/unifi"
+      dest: "{{ unifi_nginx_vhost_symlink }}/unifi"
+      owner: root
+      group: root
+      state: link
+    notify: __nginx_reload
+    when: unifi_nginx_vhost_symlink is defined
+
+  - name: Open ports in iptables
+    iptables_raw:
+      name: allow_nginx_ports
+      state: present
+      rules: '-A OUTPUT -p tcp -d {{ unifi_server_ip }} -m --dports {{ unifi_server_port }} -j ACCEPT'
+    when: unifi_nginx_iptables_enabled
+  delegate_to: "{{ unifi_nginx_server }}"
+  become: True
+  become_user: root

templates/etc/nginx/vhost.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+upstream backend {
+    server {{ unifi_server_ip }}:{{ unifi_server_port }};
+}
+
+server {
+    listen 80;
+    server_name {{ unifi_nginx_server_name }};
+
+    {% if unifi_nginx_tls_enabled %}
+    return 301 https://$server_name$request_uri;
+    {% else %}
+    location / {
+        proxy_pass https://backend;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+    {% endif %}
+}
+
+{% if unifi_nginx_tls_enabled %}
+server {
+    listen              443 ssl;
+    server_name         {{ unifi_nginx_server_name }};
+
+    location / {
+        proxy_pass https://backend;
+
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    ssl_certificate {{ unifi_nginx_tls_cert_file }};
+    ssl_certificate_key {{ unifi_nginx_tls_key_file }};
+}
+{% endif %}