From 58db617aa8422e21296d700aeed54f6a5938a4d2 Mon Sep 17 00:00:00 2001
From: Fenris Wolf
Date: Tue, 16 Sep 2025 20:35:46 +0200
Subject: [PATCH] [mod]
---
.../defaults/main.json | 4 +++
.../davina_backend-and-nginx/tasks/main.json | 35 ++++++++++++++++++
.../templates/conf.j2 | 36 +++++++++++++++++++
roles/davina_backend-and-nginx/vardef.json | 15 ++++++++
.../defaults/main.json | 0
.../tasks/main.json | 0
.../templates/conf.json.j2 | 0
.../templates/systemd_unit.j2 | 0
8 files changed, 90 insertions(+)
create mode 100644 roles/davina_backend-and-nginx/defaults/main.json
create mode 100644 roles/davina_backend-and-nginx/tasks/main.json
create mode 100644 roles/davina_backend-and-nginx/templates/conf.j2
create mode 100644 roles/davina_backend-and-nginx/vardef.json
rename roles/{davina => davina_backend}/defaults/main.json (100%)
rename roles/{davina => davina_backend}/tasks/main.json (100%)
rename roles/{davina => davina_backend}/templates/conf.json.j2 (100%)
rename roles/{davina => davina_backend}/templates/systemd_unit.j2 (100%)
diff --git a/roles/davina_backend-and-nginx/defaults/main.json b/roles/davina_backend-and-nginx/defaults/main.json
new file mode 100644
index 0000000..4c8cf16
--- /dev/null
+++ b/roles/davina_backend-and-nginx/defaults/main.json
@@ -0,0 +1,4 @@
+{
+ "var_davina_backend_and_nginx_domain": "davina.example.org",
+ "var_davina_backend_and_nginx_tls_mode": "force"
+}
diff --git a/roles/davina_backend-and-nginx/tasks/main.json b/roles/davina_backend-and-nginx/tasks/main.json
new file mode 100644
index 0000000..91cb61a
--- /dev/null
+++ b/roles/davina_backend-and-nginx/tasks/main.json
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_davina_backend_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_davina_backend_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_davina_backend_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/roles/davina_backend-and-nginx/templates/conf.j2 b/roles/davina_backend-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..2d46869
--- /dev/null
+++ b/roles/davina_backend-and-nginx/templates/conf.j2
@@ -0,0 +1,36 @@
+{% macro davina_backend_common() %}
+ location / {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+ }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_davina_backend_and_nginx_domain}};
+
+{% if var_davina_backend_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+{{ davina_backend_common() }}
+{% endif %}
+}
+
+{% if var_davina_backend_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_davina_backend_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_davina_backend_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_davina_backend_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+{{ davina_backend_common() }}
+}
+{% endif %}
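Review bot: The final task in roles/davina_backend-and-nginx/tasks/main.json restarts nginx on every run without first testing the rendered configuration, so a bad template render or a missing certificate file under /etc/ssl takes down every site served by this nginx instance. Add a check task before it, for example `"ansible.builtin.command": {"cmd": "nginx -t"}` with `"changed_when": false`, and prefer `"state": "reloaded"`, since nginx keeps its running workers when a reload is rejected. The template and link tasks also build their `dest` paths from `var_davina_backend_and_nginx_domain`, which vardef.json types only as a free string; asserting a hostname pattern before use would keep a stray `/` or `;` out of both the file path and the nginx directives.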
diff --git a/roles/davina_backend-and-nginx/vardef.json b/roles/davina_backend-and-nginx/vardef.json
new file mode 100644
index 0000000..08f61a3
--- /dev/null
+++ b/roles/davina_backend-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+ "domain": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "tls_mode": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ]
+ }
+}
diff --git a/roles/davina/defaults/main.json b/roles/davina_backend/defaults/main.json
similarity index 100%
rename from roles/davina/defaults/main.json
rename to roles/davina_backend/defaults/main.json
diff --git a/roles/davina/tasks/main.json b/roles/davina_backend/tasks/main.json
similarity index 100%
rename from roles/davina/tasks/main.json
rename to roles/davina_backend/tasks/main.json
diff --git a/roles/davina/templates/conf.json.j2 b/roles/davina_backend/templates/conf.json.j2
similarity index 100%
rename from roles/davina/templates/conf.json.j2
rename to roles/davina_backend/templates/conf.json.j2
diff --git a/roles/davina/templates/systemd_unit.j2 b/roles/davina_backend/templates/systemd_unit.j2
similarity index 100%
rename from roles/davina/templates/systemd_unit.j2
rename to roles/davina_backend/templates/systemd_unit.j2