containers_web: switch to apache proxy

* replaces nginx container
* gitea uses http/1.1 only, due to go-gitea/gitea#19265
* vaultwarden admin uses oidc sso

roles/containers_web/files/httpd/conf.d/1_proxy.conf

@@ -0,0 +1,2 @@
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy 10.88.0.0/24

roles/containers_web/files/httpd/conf.d/gitea.conf

@@ -0,0 +1,24 @@
+<VirtualHost *:443>
+	ServerName gitea.chrisx.xyz
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem
+	SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem
+
+	Header always set Referrer-Policy "no-referrer"
+	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	Header always set X-Content-Type-Options "nosniff"
+	Header always set X-Robots-Tag "none"
+	Header always set X-XSS-Protection "1; mode=block"
+
+	AllowEncodedSlashes NoDecode
+
+	ProxyPass /robots.txt !
+	ProxyPass / http://127.0.0.1:53000/
+	ProxyPassReverse / http://127.0.0.1:53000/
+    ProxyPreserveHost On
+    ProxyRequests off
+	RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
+
+	ErrorLog /var/log/httpd/gitea_error_log
+	CustomLog /var/log/httpd/gitea_access_log combined
+</VirtualHost>

roles/containers_web/files/httpd/conf.d/sso.conf

@@ -0,0 +1,22 @@
+<VirtualHost *:443>
+	ServerName sso.chrisx.xyz
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem
+	SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem
+	Protocols h2 http/1.1
+
+	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+	AliasMatch "^/resources/.+/login/keycloak/img/favicon.ico$" /var/www/html/favicon.ico
+	RedirectMatch 404 "^/$"
+
+	ProxyPassMatch "^/$" !
+	ProxyPassMatch "^/resources/.+/login/keycloak/img/favicon.ico$" !
+	ProxyPass / http://127.0.0.1:58080/
+	ProxyPassReverse / http://127.0.0.1:58080/
+	ProxyPreserveHost On
+	RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
+
+	ErrorLog /var/log/httpd/sso_error_log
+	CustomLog /var/log/httpd/sso_access_log combined
+</VirtualHost>

roles/containers_web/tasks/apache.yml

@@ -0,0 +1,35 @@
+- name: Copy favicon
+  ansible.builtin.copy:
+    src: favicon.ico
+    dest: /var/www/html
+    mode: 0644
+
+- name: Generate new OIDC crypto password
+  ansible.builtin.set_fact:
+    oidc_crypto: "{{ lookup('password', '/dev/null length=64') }}"
+- name: Copy vaultwarden site config
+  ansible.builtin.template:
+    src: vaultwarden.conf.j2
+    dest: /etc/httpd/conf.d/vaultwarden.conf
+    mode: 0640
+- name: Copy Apache site config
+  ansible.builtin.copy:
+    src: httpd/conf.d
+    dest: /etc/httpd
+    mode: 0640
+
+- name: Copy chrisx ssl certs
+  ansible.builtin.import_role:
+    name: sslcert
+    tasks_from: chrisx.yml
+
+- name: Configure SELinux httpd_can_network_connect
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+
+- name: Restart httpd
+  ansible.builtin.systemd:
+    name: httpd
+    state: restarted

roles/containers_web/tasks/main.yml

@@ -8,21 +8,16 @@
     mode: 0700
   register: _containers_dir
 
-- name: Configure Nginx
-  ansible.builtin.import_tasks: nginx.yml
-- name: Copy helper scripts
-  ansible.builtin.import_tasks: scripts.yml
-
 - name: Set up Postgres DBs
   ansible.builtin.import_tasks: postgres_db.yml
   become_user: postgres
   delegate_to: postgres
 
-- name: Create container network
-  containers.podman.podman_network:
-    name: ct
-    state: present
-
 - name: Launch containers
   ansible.builtin.import_role:
     name: containers
+
+- name: Configure Apache sites
+  ansible.builtin.import_tasks: apache.yml
+- name: Copy helper scripts
+  ansible.builtin.import_tasks: scripts.yml

roles/containers_web/tasks/scripts.yml

@@ -1,17 +1,3 @@
-- name: Copy logrotate config
-  ansible.builtin.template:
-    src: logrotate.conf.j2
-    dest: "{{ _containers_dir.path }}/log/logrotate.conf"
-    mode: 0644
-- name: Set up logrotate cron job
-  ansible.builtin.cron:
-    name: container logrotate
-    # yamllint disable-line rule:line-length
-    job: "/usr/sbin/logrotate -s {{ _containers_dir.path }}/log/logrotate.state {{ _containers_dir.path }}/log/logrotate.conf"
-    hour: 2
-    minute: 0
-    state: present
-
 - name: Copy backup script
   ansible.builtin.template:
     src: backup.sh

roles/containers_web/templates/vaultwarden.conf.j2

@@ -0,0 +1,49 @@
+<VirtualHost *:443>
+	ServerName vaultwarden.chrisx.xyz
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem
+	SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem
+	Protocols h2 http/1.1
+
+	Header unset Referrer-Policy
+	Header unset X-XSS-Protection
+	Header always set Referrer-Policy "no-referrer"
+	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	Header always set X-Robots-Tag "none"
+	Header always set X-XSS-Protection "1 mode=block"
+
+	ProxyPass /admin/logout !
+    ProxyPass /robots.txt !
+	ProxyPass / http://127.0.0.1:58288/
+	ProxyPassReverse / http://127.0.0.1:58288/
+	ProxyPreserveHost On
+	RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
+
+	RewriteEngine on
+	RewriteCond %{HTTP:Upgrade} =websocket [NC]
+	RewriteRule /notifications/hub(.*) ws://127.0.0.1:53012/$1 [P,L]
+	Redirect 302 /admin/logout /admin/openid-connect?logout=
+
+	ErrorLog /var/log/httpd/vaultwarden_error_log
+	CustomLog /var/log/httpd/vaultwarden_access_log combined
+
+	OIDCClientID vaultwarden.chrisx.xyz
+	OIDCClientSecret {{ vaultwarden_client_secret }}
+	OIDCPassClaimsAs none
+	OIDCProviderMetadataURL https://sso.chrisx.xyz/realms/chrisx/.well-known/openid-configuration
+	OIDCRedirectURI https://vaultwarden.chrisx.xyz/admin/openid-connect
+	OIDCScope openid
+	OIDCSessionInactivityTimeout 3600
+	OIDCStateMaxNumberOfCookies 2 true
+	OIDCCryptoPassphrase {{ oidc_crypto }}
+
+	<Location "/admin/openid-connect">
+		AuthType openid-connect
+		Require valid-user
+	</Location>
+
+	<Location "/admin">
+		AuthType openid-connect
+		Require claim roles:admin
+	</Location>
+</VirtualHost>