containers_web: switch to apache proxy

* replaces nginx container
* gitea uses http/1.1 only, due to go-gitea/gitea#19265
* vaultwarden admin uses oidc sso

roles/containers_web/README.md

@@ -1,11 +1,10 @@
 # Ansible Role: `containers_web`
 
-This role provides role variables for `containers` role and installs containerized web apps, including:
+This role provides role variables for `containers` role, installs an Apache web server, and installs containerized web apps, including:
 
 - [cloudflared](https://github.com/cloudflare/cloudflared)
 - [Gitea](https://gitea.io/)
 - [Keycloak](https://www.keycloak.org/)
-- [Nginx](https://nginx.org/)
 - [Vaultwarden](https://github.com/dani-garcia/vaultwarden)
 
 Required facts: `distribution`, `virtualization_type`
@@ -14,5 +13,6 @@ Required role vars:
 
 - `cloudflared_token`: Cloudflare Tunnel token.
 - `containers_web_cron_ping_url`: Webhook URL for cron job.
+- `vaultwarden_oidc`: OIDC client credentials, requires `client_id` and `client_secret`.
 
 Supported OS: RHEL-like systems, version 8 or newer

roles/containers_web/files/httpd/conf.d/1_proxy.conf

@@ -0,0 +1,2 @@
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy 10.88.0.0/24

roles/containers_web/files/httpd/conf.d/gitea.conf

@@ -0,0 +1,25 @@
+<VirtualHost *:443>
+	ServerName gitea.chrisx.xyz
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem
+	SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem
+	Protocols http/1.1
+
+	Header always set Referrer-Policy "no-referrer"
+	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	Header always set X-Content-Type-Options "nosniff"
+	Header always set X-Robots-Tag "none"
+	Header always set X-XSS-Protection "1; mode=block"
+
+	AllowEncodedSlashes NoDecode
+
+	ProxyPass /robots.txt !
+	ProxyPass / http://127.0.0.1:53000/
+	ProxyPassReverse / http://127.0.0.1:53000/
+    ProxyPreserveHost On
+    ProxyRequests off
+	RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
+
+	ErrorLog /var/log/httpd/gitea_error_log
+	CustomLog /var/log/httpd/gitea_access_log combined
+</VirtualHost>

roles/containers_web/files/httpd/conf.d/sso.conf

@@ -0,0 +1,22 @@
+<VirtualHost *:443>
+	ServerName sso.chrisx.xyz
+	SSLEngine on
+	SSLCertificateFile /etc/ssl/chrisx.xyz/fullchain.pem
+	SSLCertificateKeyFile /etc/ssl/chrisx.xyz/privkey.pem
+	Protocols h2 http/1.1
+
+	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+	AliasMatch "^/resources/.+/login/keycloak/img/favicon.ico$" /var/www/html/favicon.ico
+	RedirectMatch 404 "^/$"
+
+	ProxyPassMatch "^/$" !
+	ProxyPassMatch "^/resources/.+/login/keycloak/img/favicon.ico$" !
+	ProxyPass / http://127.0.0.1:58080/
+	ProxyPassReverse / http://127.0.0.1:58080/
+	ProxyPreserveHost On
+	RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
+
+	ErrorLog /var/log/httpd/sso_error_log
+	CustomLog /var/log/httpd/sso_access_log combined
+</VirtualHost>

roles/containers_web/tasks/apache.yml

@@ -0,0 +1,35 @@
+- name: Copy favicon
+  ansible.builtin.copy:
+    src: favicon.ico
+    dest: /var/www/html
+    mode: 0644
+
+- name: Generate new OIDC crypto password
+  ansible.builtin.set_fact:
+    oidc_crypto: "{{ lookup('password', '/dev/null length=64') }}"
+- name: Copy vaultwarden site config
+  ansible.builtin.template:
+    src: vaultwarden.conf.j2
+    dest: /etc/httpd/conf.d/vaultwarden.conf
+    mode: 0640
+- name: Copy Apache site config
+  ansible.builtin.copy:
+    src: httpd/conf.d
+    dest: /etc/httpd
+    mode: 0640
+
+- name: Copy chrisx ssl certs
+  ansible.builtin.import_role:
+    name: sslcert
+    tasks_from: chrisx.yml
+
+- name: Configure SELinux httpd_can_network_connect
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+
+- name: Restart httpd
+  ansible.builtin.systemd:
+    name: httpd
+    state: restarted

roles/containers_web/tasks/main.yml

@@ -1,28 +1,16 @@
 - name: Load secret vars
   ansible.builtin.include_vars: secrets.yml
 
-- name: Create containers directory
-  ansible.builtin.file:
-    path: ~/containers
-    state: directory
-    mode: 0700
-  register: _containers_dir
-
-- name: Configure Nginx
-  ansible.builtin.import_tasks: nginx.yml
-- name: Copy helper scripts
-  ansible.builtin.import_tasks: scripts.yml
-
 - name: Set up Postgres DBs
   ansible.builtin.import_tasks: postgres_db.yml
   become_user: postgres
   delegate_to: postgres
 
-- name: Create container network
-  containers.podman.podman_network:
-    name: ct
-    state: present
-
 - name: Launch containers
   ansible.builtin.import_role:
     name: containers
+
+- name: Configure Apache sites
+  ansible.builtin.import_tasks: apache.yml
+- name: Copy helper scripts
+  ansible.builtin.import_tasks: scripts.yml

roles/containers_web/tasks/scripts.yml

@@ -1,17 +1,3 @@
-- name: Copy logrotate config
-  ansible.builtin.template:
-    src: logrotate.conf.j2
-    dest: "{{ _containers_dir.path }}/log/logrotate.conf"
-    mode: 0644
-- name: Set up logrotate cron job
-  ansible.builtin.cron:
-    name: container logrotate
-    # yamllint disable-line rule:line-length
-    job: "/usr/sbin/logrotate -s {{ _containers_dir.path }}/log/logrotate.state {{ _containers_dir.path }}/log/logrotate.conf"
-    hour: 2
-    minute: 0
-    state: present
-
 - name: Copy backup script
   ansible.builtin.template:
     src: backup.sh