Refactor and enhance Ansible configurations for dev-02 and nginx proxy setup

- Updated host_vars for dev-02 to include login history settings and modified code server authentication.
- Adjusted opencode server configurations and reduced resource allocation.
- Introduced a new playbook for configuring nginx reverse proxy with TLS and OAuth2.
- Enhanced linux_dev_station role defaults and tasks, including package updates and service configurations.
- Removed unnecessary credential assertions in linux_dev_station tasks.
- Created nginx_proxy role with tasks for certbot, nginx installation, and oauth2-proxy setup.
- Added templates for nginx and oauth2-proxy configurations.
- Updated terraform configuration to reflect new DNS records for ide and agent services.
- Documented changes and configurations in linux_dev_station.md for clarity and future reference.
This commit is contained in:
2026-07-11 19:29:50 -04:00
parent 5818b05d96
commit 272ed647cf
23 changed files with 626 additions and 99 deletions
@@ -0,0 +1,96 @@
{% set cert_prefix = nginx_proxy_sites[0].server_name %}
{% for item in nginx_proxy_sites %}
server {
listen {{ nginx_proxy_nginx_port }} ssl;
http2 on;
server_name {{ item.server_name }};
ssl_certificate {{ item.ssl_certificate | default('/etc/letsencrypt/live/' + cert_prefix + '/fullchain.pem') }};
ssl_certificate_key {{ item.ssl_certificate_key | default('/etc/letsencrypt/live/' + cert_prefix + '/privkey.pem') }};
ssl_protocols {{ nginx_proxy_nginx_ssl_protocols }};
ssl_ciphers {{ nginx_proxy_nginx_ssl_ciphers }};
ssl_prefer_server_ciphers {{ nginx_proxy_nginx_ssl_prefer_server_ciphers }};
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
# Redirect unauthenticated requests to OAuth2 sign-in
error_page 401 = /oauth2/sign_in;
# OAuth2 auth_request
location = /oauth2/auth {
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/auth;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
proxy_method GET;
}
location = /oauth2/callback {
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/callback;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
proxy_buffer_size 16k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
}
location = /oauth2/sign_in {
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }}/oauth2/sign_in;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
location /oauth2/ {
proxy_pass http://{{ nginx_proxy_oauth2_proxy_bind }}:{{ nginx_proxy_oauth2_proxy_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
location / {
auth_request /oauth2/auth;
auth_request_set $auth_status $upstream_status;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket support
{% if item.websocket | default(true) | bool %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
# Timeouts
proxy_read_timeout {{ item.proxy_read_timeout | default('3600s') }};
proxy_send_timeout {{ item.proxy_send_timeout | default('3600s') }};
}
# Extra location blocks
{% if item.extra_locations | default([]) %}
{% for location in item.extra_locations %}
location {{ location.path }} {
{% for key, value in location.config.items() %}
{{ key }} {{ value }};
{% endfor %}
}
{% endfor %}
{% endif %}
}
{% endfor %}