From 453a3748016f7f7f120ca6997ff97ad59c47744e Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 24 Aug 2021 14:21:51 +0100
Subject: [PATCH] Replace ingress proxy with nginx
This enables HTTPS redirecting at it too much more easily, and matches the gateway configuration. Requires using upstream versions of nginx to enable https://nginx.org/en/docs/stream/ngx_stream_realip_module.html
---
 ansible/main.yml | 2 +
 ansible/roles/ingress/files/haproxy.cfg | 37 ----------------
 ansible/roles/ingress/files/nginx.conf | 58 +++++++++++++++++++++++++
 ansible/roles/ingress/handlers/main.yml | 4 +-
 ansible/roles/ingress/tasks/haproxy.yml | 20 --------
 ansible/roles/ingress/tasks/main.yml | 4 +-
 ansible/roles/ingress/tasks/nginx.yml | 19 ++++++++
 7 files changed, 83 insertions(+), 61 deletions(-)
 delete mode 100644 ansible/roles/ingress/files/haproxy.cfg
 create mode 100644 ansible/roles/ingress/files/nginx.conf
 delete mode 100644 ansible/roles/ingress/tasks/haproxy.yml
 create mode 100644 ansible/roles/ingress/tasks/nginx.yml
diff --git a/ansible/main.yml b/ansible/main.yml
index 31d445c..65d01df 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -58,6 +58,8 @@ roles: - role: chmduquesne.iptables_persistent become: true + - role: nginxinc.nginx # The nginx in debian's repos is very old + become: true - ingress - nebula
diff --git a/ansible/roles/ingress/files/haproxy.cfg b/ansible/roles/ingress/files/haproxy.cfg
deleted file mode 100644
index e304901..0000000
--- a/ansible/roles/ingress/files/haproxy.cfg
+++ /dev/null
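Review bot: The inline comment on the new `nginxinc.nginx` entry only records that Debian's package is old, while the commit message states the actual hard requirement: the `set_real_ip_from` directive used inside `stream {}` in the ingress nginx.conf needs ngx_stream_realip_module, which is what the nginx.org build provides. Recording that constraint on the line, e.g. `- role: nginxinc.nginx  # nginx.org build: ingress nginx.conf needs ngx_stream_realip_module (stream set_real_ip_from)`, stops a later cleanup from swapping back to the distro package. Ordering is also load-bearing: the role must stay listed before `ingress`, whose new nginx.yml runs `package: name: nginx` and would likely pull the distro package if it ran first; a second comment line noting that would help.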
@@ -1,37 +0,0 @@
-global
- log /dev/log local0
- log /dev/log local1 notice
- pidfile /run/haproxy.pid
- stats timeout 30s
- user haproxy
- group haproxy
- daemon
- maxconn 10000
-
-defaults
- log global
- mode http
- option httplog
- option dontlognull
-
-# Internal LAN routes
-listen http_internal
- bind *:80
- mode http
- server default {{ pve_hosts.docker.ip }}:80 send-proxy-v2
-
-listen https_internal
- bind *:443
- mode tcp
- server default {{ pve_hosts.docker.ip }}:443 send-proxy-v2
-
-listen matrix_internal
- bind *:8448
- mode tcp
- server default {{ pve_hosts.docker.ip }}:443 send-proxy-v2
-
-# External routes
-listen https_external
- bind *:8443 accept-proxy
- mode tcp
- server default {{ pve_hosts.docker.ip }}:443 send-proxy-v2
diff --git a/ansible/roles/ingress/files/nginx.conf b/ansible/roles/ingress/files/nginx.conf
new file mode 100644
index 0000000..ebe428f
--- /dev/null
+++ b/ansible/roles/ingress/files/nginx.conf
@@ -0,0 +1,58 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ server_tokens off;
+
+ server {
+ listen 80;
+ server_name _;
+ return 308 https://$host$request_uri;
+ }
+}
+
+stream {
+
+ log_format access '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+ access_log /var/log/nginx/access.log access;
+
+ # Internal LAN route
+ server {
+ listen 443;
+ listen 8448;
+ proxy_pass {{ pve_hosts.docker.ip }}:443;
+ proxy_protocol on;
+ }
+
+ # External routes
+ server {
+ listen 8443 proxy_protocol;
+ proxy_protocol on;
+ proxy_pass {{ pve_hosts.docker.ip }}:443;
+ set_real_ip_from {{ wireguard.server.ip }};
+ }
+}
diff --git a/ansible/roles/ingress/handlers/main.yml b/ansible/roles/ingress/handlers/main.yml
index ab04da5..c6f45b7 100644
--- a/ansible/roles/ingress/handlers/main.yml
+++ b/ansible/roles/ingress/handlers/main.yml
@@ -4,8 +4,8 @@
 state: restarted
 become: true
-- name: restart haproxy
+- name: restart nginx
 service:
- name: haproxy
+ name: nginx
 state: restarted
 become: true
diff --git a/ansible/roles/ingress/tasks/haproxy.yml b/ansible/roles/ingress/tasks/haproxy.yml
deleted file mode 100644
index 7e93026..0000000
--- a/ansible/roles/ingress/tasks/haproxy.yml
+++ /dev/null
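Review bot: In the external stream server, `listen 8443 proxy_protocol;` makes nginx parse a PROXY protocol header from whatever peer connects to 8443, and `set_real_ip_from {{ wireguard.server.ip }};` only limits which peer's header may replace `$remote_addr`; a connection from any other source is still accepted and forwarded to `{{ pve_hosts.docker.ip }}:443` with `proxy_protocol on`. That is the same trust model the removed haproxy `accept-proxy` listener had, but it rests on 8443 being reachable only over the wireguard link, and the iptables rules that would enforce that are outside this diff, so a comment above the block such as `# 8443 must be firewalled to the wireguard interface; PROXY headers are trusted only from wireguard.server.ip` would record the assumption. For the access log, `$remote_addr` in the stream `log_format` is the post-realip address, so a header-supplied client address and the actual TCP peer become indistinguishable in the log; logging `$proxy_protocol_addr` alongside it, e.g. `log_format access '$remote_addr "$proxy_protocol_addr" [$time_local] '`, keeps both values for later investigation.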
@@ -1,20 +0,0 @@
-- name: Install Haproxy
- package:
- name: haproxy
- become: true
-
-- name: Haproxy config
- template:
- src: files/haproxy.cfg
- dest: /etc/haproxy/haproxy.cfg
- validate: /usr/sbin/haproxy -c -- %s
- mode: "0644"
- backup: yes
- become: true
- notify: restart haproxy
-
-- name: Enable Haproxy
- service:
- name: haproxy
- enabled: true
- become: true
diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml
index 4f39c79..13d371e 100644
--- a/ansible/roles/ingress/tasks/main.yml
+++ b/ansible/roles/ingress/tasks/main.yml
@@ -1,5 +1,5 @@
 - name: Configure wireguard
 include: wireguard.yml
-- name: Configure haproxy
- include: haproxy.yml
+- name: Configure nginx
+ include: nginx.yml
diff --git a/ansible/roles/ingress/tasks/nginx.yml b/ansible/roles/ingress/tasks/nginx.yml
new file mode 100644
index 0000000..c31af97
--- /dev/null
+++ b/ansible/roles/ingress/tasks/nginx.yml
@@ -0,0 +1,19 @@
+- name: Install nginx
+ package:
+ name: nginx
+ become: true
+
+- name: Nginx config
+ template:
+ src: files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ validate: nginx -t -c %s
+ mode: "0644"
+ become: true
+ notify: restart nginx
+
+- name: Enable nginx
+ service:
+ name: nginx
+ enabled: true
+ become: true
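Review bot: `validate: nginx -t -c %s` in the "Nginx config" task resolves `nginx` through PATH, whereas the haproxy task it replaces used the absolute `/usr/sbin/haproxy`; with `become: true` and a reduced sudo PATH the validation can fail to find the binary instead of checking the config, so `validate: /usr/sbin/nginx -t -c %s` is the safer form (the nginx.org package installs it there, but confirm on the target). The replaced task also kept `backup: yes`, which this one drops, so a template that passes `-t` but misbehaves after `restart nginx` leaves no previous `/etc/nginx/nginx.conf` to roll back to; adding `backup: true` to the template task restores that. The validate step is also what catches a distro nginx built without ngx_stream_realip_module, since `set_real_ip_from` inside `stream {}` would then fail `-t`, and a one-line comment on the task saying so would explain why the check matters beyond syntax.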