From 7bfd3331e320132071a36be6215947bddebacac1 Mon Sep 17 00:00:00 2001 From: ducoterra Date: Thu, 6 Jun 2024 20:39:13 -0400 Subject: [PATCH] add ipv6 to nginx --- nginx/certbot.yaml | 23 +++++++++++++++++++- nginx/nginx.conf | 2 ++ nginx/nginx.yaml | 2 +- nginx/service/certbot-renew.service | 6 ++++++ nginx/service/certbot-renew.timer | 9 ++++++++ nginx/stream.d/gitea-ssh.conf | 1 + nginx/stream.d/iperf3.conf | 2 ++ nginx/stream.d/kube.conf | 1 + nginx/stream.d/minecraft.conf | 8 +++++++ nginx/stream.d/unifi-external.conf | 8 ------- nginx/vars.yaml | 33 +++++++++++++++++++++++++++-- 11 files changed, 83 insertions(+), 12 deletions(-) create mode 100644 nginx/service/certbot-renew.service create mode 100644 nginx/service/certbot-renew.timer create mode 100644 nginx/stream.d/minecraft.conf delete mode 100644 nginx/stream.d/unifi-external.conf diff --git a/nginx/certbot.yaml b/nginx/certbot.yaml index 4e0b1b3..6542f84 100644 --- a/nginx/certbot.yaml +++ b/nginx/certbot.yaml @@ -1,6 +1,7 @@ - name: Update certbot certs - hosts: yellow + hosts: colors + serial: 1 become: true become_user: root become_method: sudo @@ -21,3 +22,23 @@ # Loops over every external.domains sub list loop: "{{ http }}" when: item.external.expose + - name: Create certbot renew service + template: + src: service/certbot-renew.service + dest: /etc/systemd/system/certbot-renew.service + owner: root + group: root + mode: '0644' + - name: Create certbot renew timer + template: + src: service/certbot-renew.timer + dest: /etc/systemd/system/certbot-renew.timer + owner: root + group: root + mode: '0644' + - name: Reload certbot-renew timer service + ansible.builtin.systemd_service: + daemon_reload: true + enabled: true + state: restarted + name: certbot-renew.timer diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 7719633..75886f7 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
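Review bot: The `Reload certbot-renew timer service` task uses `state: restarted`, so every run of the play reports a change and restarts the timer even when the two unit files did not change; `state: started` together with `enabled: true` and `daemon_reload: true` is the idempotent form, or keep the restart in a handler that only the two template tasks notify. The two `template` tasks use the short module name while the systemd task uses the FQCN `ansible.builtin.systemd_service`; `ansible.builtin.template` keeps the task list consistent. Nothing in this hunk reloads nginx after a renewal, so a renewed certificate is only picked up if certbot has a deploy hook configured somewhere this patch does not show.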
@@ -65,11 +65,13 @@ stream { # The default http ports {% for port in defaults.listen_ports %} listen {{ ansible_default_ipv4.address }}:{{ port }}; + listen [{{ ansible_default_ipv6.address }}]:{{ port }}; {% endfor %} # Any unique ports listed in the extra_ports field {% for port in unique_ports %} listen {{ ansible_default_ipv4.address }}:{{ port }}; + listen [{{ ansible_default_ipv6.address }}]:{{ port }}; {% endfor %} proxy_pass $map_forward_ip:$upstream_port; diff --git a/nginx/nginx.yaml b/nginx/nginx.yaml index d56762d..fb7de50 100644 --- a/nginx/nginx.yaml +++ b/nginx/nginx.yaml @@ -1,5 +1,5 @@ - name: Update nginx stream configuration - hosts: yellow + hosts: colors become: true become_user: root become_method: sudo diff --git a/nginx/service/certbot-renew.service b/nginx/service/certbot-renew.service new file mode 100644 index 0000000..d1d78a2 --- /dev/null +++ b/nginx/service/certbot-renew.service @@ -0,0 +1,6 @@ +[Unit] +Description=Certbot Renewal + +[Service] +Type=oneshot +ExecStart=/usr/bin/certbot renew diff --git a/nginx/service/certbot-renew.timer b/nginx/service/certbot-renew.timer new file mode 100644 index 0000000..4cfde23 --- /dev/null +++ b/nginx/service/certbot-renew.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Timer for Certbot Renewal + +[Timer] +OnBootSec=300 +OnUnitActiveSec=1w + +[Install] +WantedBy=multi-user.target diff --git a/nginx/stream.d/gitea-ssh.conf b/nginx/stream.d/gitea-ssh.conf index a56be4f..3f6edcc 100644 --- a/nginx/stream.d/gitea-ssh.conf +++ b/nginx/stream.d/gitea-ssh.conf @@ -3,5 +3,6 @@ server { error_log /var/log/nginx/nginx_stream_error.log warn; listen {{ ansible_default_ipv4.address }}:2222; + listen [{{ ansible_default_ipv6.address }}]:2222; proxy_pass 10.1.2.100:2222; } diff --git a/nginx/stream.d/iperf3.conf b/nginx/stream.d/iperf3.conf index 104d4d7..dabf9d9 100644 --- a/nginx/stream.d/iperf3.conf +++ b/nginx/stream.d/iperf3.conf 
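Review bot: `ansible_default_ipv6.address` is undefined on a host that has no IPv6 default route (the setup module reports `ansible_default_ipv6` as an empty dict there), so the new `listen [{{ ansible_default_ipv6.address }}]:{{ port }};` lines make the whole template fail to render for such a host instead of falling back to the IPv4 listener. Wrap each IPv6 listen in `{% if ansible_default_ipv6.address is defined %}` … `{% endif %}`, or compute a guarded variable once in the play and reuse it in every stream config. The same applies to the IPv6 listen lines added in gitea-ssh.conf, iperf3.conf, kube.conf and the new minecraft.conf. The enclosing server block starts and ends outside the hunk.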
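Review bot: `ExecStart=/usr/bin/certbot renew` renews the certificate files on disk, but nothing in this unit makes nginx re-read them, so the running nginx keeps serving the old certificate until something else reloads it. Add `ExecStartPost=/bin/systemctl reload nginx` (or pass `--deploy-hook "systemctl reload nginx"` to certbot, which only fires when a certificate was actually renewed) unless a deploy hook already exists under certbot's renewal-hooks directory, which this patch does not show. If the distribution's certbot package already ships its own `certbot.timer`, this unit duplicates it and only one of the two should be enabled.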
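Review bot: `OnUnitActiveSec=1w` gives a single renewal attempt per week, so a transient ACME or DNS failure inside the 30-day renewal window is retried only a handful of times before the certificate expires; certbot's guidance is to run `certbot renew` twice a day, since it is a no-op while the certificate is not yet due. A `[Timer]` section of `OnCalendar=*-*-* 00,12:00:00`, `RandomizedDelaySec=3600` and `Persistent=true` (keeping `OnBootSec=300` for the first run after boot) follows that guidance. Timers are conventionally installed with `WantedBy=timers.target` rather than `multi-user.target`.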
@@ -4,5 +4,7 @@ server { listen {{ ansible_default_ipv4.address }}:5201; listen {{ ansible_default_ipv4.address }}:5201 udp; + listen [{{ ansible_default_ipv6.address }}]:5201; + listen [{{ ansible_default_ipv6.address }}]:5201 udp; proxy_pass 127.0.0.1:5201; } diff --git a/nginx/stream.d/kube.conf b/nginx/stream.d/kube.conf index ff3fd96..98b01a4 100644 --- a/nginx/stream.d/kube.conf +++ b/nginx/stream.d/kube.conf @@ -9,5 +9,6 @@ server { error_log /var/log/nginx/nginx_stream_error.log warn; listen {{ ansible_default_ipv4.address }}:6443; + listen [{{ ansible_default_ipv6.address }}]:6443; proxy_pass kube_backend; } diff --git a/nginx/stream.d/minecraft.conf b/nginx/stream.d/minecraft.conf new file mode 100644 index 0000000..d692330 --- /dev/null +++ b/nginx/stream.d/minecraft.conf @@ -0,0 +1,8 @@ +server { + access_log /var/log/nginx/nginx_stream_access.log basic; + error_log /var/log/nginx/nginx_stream_error.log warn; + + listen {{ ansible_default_ipv4.address }}:25565-25575; + listen [{{ ansible_default_ipv6.address }}]:25565-25575; + proxy_pass 10.1.2.100:$server_port; +} diff --git a/nginx/stream.d/unifi-external.conf b/nginx/stream.d/unifi-external.conf deleted file mode 100644 index 2990dc0..0000000 --- a/nginx/stream.d/unifi-external.conf +++ /dev/null @@ -1,8 +0,0 @@ -# server { -# access_log /var/log/nginx/nginx_stream_access.log basic; -# error_log /var/log/nginx/nginx_stream_error.log warn; - -# resolver 1.1.1.1; -# listen {{ ansible_default_ipv4.address }}:8082; -# proxy_pass {{ ansible_default_ipv4.address }}:8080; -# } diff --git a/nginx/vars.yaml b/nginx/vars.yaml index 028bd93..7b89452 100644 --- a/nginx/vars.yaml +++ b/nginx/vars.yaml @@ -1,5 +1,6 @@ defaults: forward_ip: "10.1.2.101" + dns_ip: "10.1.2.102" listen_ports: - 443 - 80 
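Review bot: Binding the 6443 proxy on `ansible_default_ipv6.address` makes the Kubernetes API reachable on that IPv6 address directly; if the address is globally routed, the NAT that presumably shields a private IPv4 listener (the other addresses in this repo are all 10.x) does not apply, so exposure now depends entirely on the host's IPv6 firewall rules matching the IPv4 ones. Worth confirming those ip6tables/nftables rules exist before this is deployed; the same consideration applies to the new IPv6 listeners for gitea-ssh (2222), iperf3 (5201) and minecraft (25565-25575). An `allow`/`deny` block in this stream server, mirroring whatever restricts the IPv4 listener, would make the intended reachability explicit in the config itself. The enclosing server block starts outside the hunk.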
@@ -51,6 +52,15 @@ http:
 ip: "10.1.203.197"
 port: 9090
 protocol: https
+ - external:
+ domain: orange
+ expose: false
+ extra_http_ports: []
+ extra_https_ports: []
+ internal:
+ ip: "10.1.200.253"
+ port: 9090
+ protocol: https
 - external:
 domain: node1
 expose: false
@@ -93,12 +103,21 @@ http:
 port: 80
 protocol: http
 - external:
- domain: pihole
+ domain: pihole-yellow
 expose: false
 extra_http_ports: []
 extra_https_ports: []
 internal:
- ip: 10.1.203.197
+ ip: "10.1.203.197"
+ port: 8081
+ protocol: http
+ - external:
+ domain: pihole-orange
+ expose: false
+ extra_http_ports: []
+ extra_https_ports: []
+ internal:
+ ip: "10.1.200.253"
 port: 8081
 protocol: http
 - external:
@@ -119,3 +138,13 @@ http:
 ip: 10.1.175.237
 port: 11000
 protocol: http
+ - external:
+ domain: unifi-external
+ expose: true
+ extra_http_ports:
+ - 8080
+ extra_https_ports: []
+ internal:
+ ip: 10.1.241.139
+ port: 8443
+ protocol: https
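Review bot: The new `unifi-external` entry is the only one in this file with `expose: true`, and it publishes the 8443 HTTPS UI plus, through `extra_http_ports: - 8080`, what is presumably the plain-HTTP inform port of a UniFi controller; the certbot play will also issue a public certificate for it because of `when: item.external.expose`. If adoption of devices from outside the network is the goal, limiting 8080 and the admin UI to known source ranges (or a VPN) and enforcing MFA on the controller is the usual mitigation for an internet-facing controller. Separately, `ip: 10.1.241.139` is unquoted while this same commit quotes the other `ip` values in the file; `ip: "10.1.241.139"` keeps the entries consistent.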