Ansible Nginx Modification (#210)

* Ansible Nginx Modification

* https support

* same env variable

Author: Manas23601

devops/services/nginx/setup_nginx_service.yml

@@ -7,8 +7,7 @@
     image_tag: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:image_tag') }}"
     replicas: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:replicas') }}"
     domain_name: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:domain_name') }}"
-    fullchain: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:fullchain') }}"
-    privkey: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:privkey') }}"
+    use_https: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:use_https') }}"
     destination_directory: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:destination_directory') }}"
   tasks:
     - name: Copy file from host to machine
@@ -34,18 +33,26 @@
         state: directory
         mode: "0755"
 
+    - name: Pull Certificates
+      set_fact:
+        fullchain: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:fullchain') }}"
+        privkey: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/prod/nginx:privkey') }}"
+      when: use_https == "true"
+
     - name: Create fullchain.pem
       copy:
         dest: /nginx/certificates/{{ domain_name }}/fullchain.pem
         content: |
           {{ fullchain }}
+      when: use_https == "true"
 
     - name: Create privkey.pem
       copy:
         dest: /nginx/certificates/{{ domain_name }}/privkey.pem
         content: |
           {{ privkey }}
-
+      when: use_https == "true"
+      
     - name: Retrieve environment file from Vault
       set_fact:
         env_file: "{{ lookup('hashi_vault', 'secret=secret/data/generate') }}"

generate.sh

@@ -49,3 +49,26 @@ for ((i=0; i<$count; i++)); do
 done
 
 printf "    }\n" >> "${DOMAIN_NAME}.conf"
+
+if [ "${USE_HTTPS}" = "true" ]; then
+    printf "\nserver { listen 443; \n listen [::]:443; \n server_name ${DOMAIN_NAME};\n" >> "${DOMAIN_NAME}.conf"
+
+    printf "            ssl_certificate /etc/nginx/certificates/${DOMAIN_NAME}/fullchain.pem;\n" >> "${DOMAIN_NAME}.conf"
+    printf "            ssl_certificate_key /etc/nginx/certificates/${DOMAIN_NAME}/privkey.pem;\n" >> "${DOMAIN_NAME}.conf"
+    printf "            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;\n" >> "${DOMAIN_NAME}.conf"
+    printf "            ssl_ciphers         HIGH:!aNULL:!MD5;\n" >> "${DOMAIN_NAME}.conf"
+
+    # Loop through each model
+    for ((i=0; i<$count; i++)); do
+        # Get model details from config.json
+        apiBasePath=$(jq -r ".models[$i].apiBasePath" config.json)
+
+        # Calculate the exposed port for the model
+        exposedPort=$((8000 + i))
+
+        # Add location block to Nginx configuration
+        printf "            location ${apiBasePath}/ {\n                proxy_pass http://localhost:${exposedPort}/;\n            }\n" >> "${DOMAIN_NAME}.conf"
+    done
+
+    printf "    }\n" >> "${DOMAIN_NAME}.conf"
+fi

sample.env

@@ -3,4 +3,5 @@ AUTH_HEADER=
 AUTH_HEADER_KEY=Authorization
 DOMAIN_NAME=
 DOCKER_REGISTRY_URL=ghcr.io
-GITHUB_REPOSITORY=aitools
+GITHUB_REPOSITORY=
+USE_HTTPS=false