author | 2022-02-16 21:42:22 +0100 | |
---|---|---|
committer | 2022-02-20 16:37:46 +0100 | |
commit | 01393ae1041335d3ebea78cb7ded1036bc277a29 (patch) | |
tree | 6bc04409197212412efc30eaa3709eea1e206f39 | |
parent | Delete projects_automation.yml (diff) |
Add nginx deployment
Includes documented roles for:
- installing nginx & configuring handlers
- installing the mTLS certificate for Cloudflare
- installing firewall rules
They are kept separate for now, for composability.
Closes #22.
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | inventory.yaml | 5 | ||||
-rw-r--r-- | playbook.yml | 7 | ||||
-rw-r--r-- | roles/nginx-cloudflare-mtls/README.md | 19 | ||||
-rw-r--r-- | roles/nginx-cloudflare-mtls/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/nginx-cloudflare-mtls/files/cloudflare.crt | 35 | ||||
-rw-r--r-- | roles/nginx-cloudflare-mtls/meta/main.yml | 3 | ||||
-rw-r--r-- | roles/nginx-cloudflare-mtls/tasks/main.yml | 10 | ||||
-rw-r--r-- | roles/nginx-ufw/README.md | 6 | ||||
-rw-r--r-- | roles/nginx-ufw/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/nginx-ufw/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/nginx/README.md | 7 | ||||
-rw-r--r-- | roles/nginx/handlers/main.yml | 7 | ||||
-rw-r--r-- | roles/nginx/tasks/main.yml | 7 |
14 files changed, 131 insertions, 0 deletions
@@ -22,3 +22,13 @@ requirements.txt # Python requirements
 1. Install project dependancies: `python -m pip install -r requirements.txt`
 1. Install the pre-commit hook: `pre-commit install`
 1. Create a `vault_passwords` file and write the vault password to it
+
+
+## Documentation
+
+Infrastructure-related documentation ("the big picture"), once a sufficient
+level of infrastructure is established, can be found in [`docs/`](./docs/).
+
+Documentation for our Ansible roles can be found in the `README.md` file of
+each role, and role defaults (at `roles/myrole/defaults/main.yml`) contain a
+commented view on which variables are configurable for the given role.
diff --git a/inventory.yaml b/inventory.yaml
index 6e2f382..95fd4c7 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -23,5 +23,10 @@ all:
 lovelace:
 hopper:
 ritchie:
+ nginx:
+ hosts:
+ turing:
+ ritchie:
+ neumann:
 vars:
 wireguard_port: 46850
diff --git a/playbook.yml b/playbook.yml
index 784f023..83389f4 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,6 +6,13 @@
 - ufw
 - wireguard
 
+- name: Deploy nginx to hosts
+ hosts: nginx
+ roles:
+ - nginx
+ - nginx-ufw
+ - nginx-cloudflare-mtls
+
 - name: Deploy podman to container service hosts
 hosts: podman
 roles:
diff --git a/roles/nginx-cloudflare-mtls/README.md b/roles/nginx-cloudflare-mtls/README.md
new file mode 100644
index 0000000..8d766ae
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/README.md
@@ -0,0 +1,19 @@
+# Role "nginx-cloudflare-mtls"
+
+Installs the certificate required for performing mutual TLS authentication
+between NGINX and Cloudflare.
+
+To use mutual TLS in your NGINX virtual hosts, add this configuration snippet:
+
+```nginx
+ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }};
+ssl_verify_client on;
+```
+
+
+## Variables
+
+See [role defaults](./defaults/main.yml) for an annotated overview.
+
+
+<!-- vim: set textwidth=80 ts=2 ts=2: -->
diff --git a/roles/nginx-cloudflare-mtls/defaults/main.yml b/roles/nginx-cloudflare-mtls/defaults/main.yml
new file mode 100644
index 0000000..ff1c667
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# The path at which to install the certificate.
+nginx_cloudflare_mtls_certificate_path: /etc/nginx/certs/cloudflare.crt
diff --git a/roles/nginx-cloudflare-mtls/files/cloudflare.crt b/roles/nginx-cloudflare-mtls/files/cloudflare.crt
new file mode 100644
index 0000000..0684b9e
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/files/cloudflare.crt
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV +BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln +aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv +cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx +MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV +BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD +VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD +ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI +42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e +ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw +hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY +QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3 +Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn +aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5 +lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR +PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh +CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa ++4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB +AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud +DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz +alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1 +QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS +zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX +VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz +6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z +0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc +5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/ +fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j 
+bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm +iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F +AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM +fVQ6VpyjEXdiIXWUq/o= +-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/roles/nginx-cloudflare-mtls/meta/main.yml b/roles/nginx-cloudflare-mtls/meta/main.yml
new file mode 100644
index 0000000..72b1bd7
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - nginx
diff --git a/roles/nginx-cloudflare-mtls/tasks/main.yml b/roles/nginx-cloudflare-mtls/tasks/main.yml
new file mode 100644
index 0000000..c10be7b
--- /dev/null
+++ b/roles/nginx-cloudflare-mtls/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: copy the cloudflare mutual TLS certificate
+ copy:
+ src: cloudflare.crt
+ dest: /etc/nginx/certs/cloudflare.crt;
+ owner: root
+ group: root
+ mode: 0444
+ tags:
+ - role::nginx-cloudflare-mtls
diff --git a/roles/nginx-ufw/README.md b/roles/nginx-ufw/README.md
new file mode 100644
index 0000000..042fda8
--- /dev/null
+++ b/roles/nginx-ufw/README.md
@@ -0,0 +1,6 @@
+# Role "nginx-ufw"
+
+Allows NGINX HTTP and HTTPS traffic through the UFW firewall.
+
+
+<!-- vim: set textwidth=80 sw=2 ts=2: -->
diff --git a/roles/nginx-ufw/meta/main.yml b/roles/nginx-ufw/meta/main.yml
new file mode 100644
index 0000000..dac7049
--- /dev/null
+++ b/roles/nginx-ufw/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - nginx
+ - ufw
diff --git a/roles/nginx-ufw/tasks/main.yml b/roles/nginx-ufw/tasks/main.yml
new file mode 100644
index 0000000..bea22aa
--- /dev/null
+++ b/roles/nginx-ufw/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: allow https traffic through the firewall
+ ufw:
+ app: WWW Secure
+ rule: allow
+ comment: nginx web server
+ tags:
+ - role::nginx-ufw
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 0000000..245cc99
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,7 @@
+# Role "nginx"
+
+Installs nginx on target hosts and provides a handler for reloading nginx, for
+instance on configuration change or certificate renewal.
+
+
+<!-- vim: set textwidth=80 sw=2 ts=2: -->
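Review bot: `dest: /etc/nginx/certs/cloudflare.crt;` in the copy task of roles/nginx-cloudflare-mtls/tasks/main.yml carries a trailing semicolon, so the certificate lands at a path ending in `;` while the role README tells users to point `ssl_client_certificate` at `{{ nginx_cloudflare_mtls_certificate_path }}`, which roles/nginx-cloudflare-mtls/defaults/main.yml sets to the path without it; nginx's config test would then fail because the referenced file does not exist. The task should reference the variable instead of repeating the literal, `dest: "{{ nginx_cloudflare_mtls_certificate_path }}"`, which also makes the defaults hunk meaningful, since no task in this commit reads it. The copy module does not create missing parent directories and the nginx package is not known to ship /etc/nginx/certs, so a file task for the directory is needed ahead of the copy. The nginx role's README in this commit advertises its reload handler for certificate renewal, yet this task has no `notify: reload the nginx service`, so a replaced certificate is not picked up until something else reloads nginx.
```yaml
- name: create the certificate directory
  file:
    path: "{{ nginx_cloudflare_mtls_certificate_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: 0755
  tags:
    - role::nginx-cloudflare-mtls

- name: copy the cloudflare mutual TLS certificate
  copy:
    src: cloudflare.crt
    dest: "{{ nginx_cloudflare_mtls_certificate_path }}"
    # … unchanged: owner, group, mode …
  notify: reload the nginx service
  tags:
    - role::nginx-cloudflare-mtls
```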
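Review bot: `app: WWW Secure` in roles/nginx-ufw/tasks/main.yml admits only the HTTPS profile (443/tcp), whereas the role's README added in this same commit states that it allows NGINX HTTP and HTTPS traffic. Either the README should say HTTPS only, which the task name `allow https traffic through the firewall` suggests was the intent, or the rule should use the combined profile, `app: WWW Full`; without port 80 any plain-HTTP redirect or HTTP-01 ACME challenge on these hosts would be blocked. Since the paired nginx-cloudflare-mtls role implies traffic is expected to arrive through Cloudflare, the rule could additionally be scoped with the ufw module's `from_ip` parameter to the proxy's published ranges so the origin is not reachable directly; whichever exposure is chosen is worth recording in the README.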
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..376d85a
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: reload the nginx service
+ service:
+ name: nginx
+ state: reloaded
+ tags:
+ - role::nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..849a09e
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: install nginx
+ package:
+ name: nginx
+ state: present
+ tags:
+ - role::nginx |
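Review bot: roles/nginx/tasks/main.yml only installs the nginx package and nothing ensures the unit is enabled and running, yet the handler in roles/nginx/handlers/main.yml uses `state: reloaded`, which fails when the service is stopped. On Debian-family hosts the package usually starts the service on installation, but that is packaging behaviour rather than something the role guarantees, and on a host where the unit was never enabled the reload would presumably fail again after a reboot. A `service` task with `state: started` and `enabled: yes` following the install task makes the role self-sufficient and matches the README's claim that it both installs nginx and provides a working reload handler.
```yaml
# … unchanged: install nginx task …

- name: enable and start the nginx service
  service:
    name: nginx
    state: started
    enabled: yes
  tags:
    - role::nginx
```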