This Ansible playbook deploys Nginx with Docker Compose, includes Certbot for SSL certificate management, and provides comprehensive configuration options for multiple domains.
- ✅ Runs Nginx container using Docker Compose
- ✅ Includes Certbot container for SSL certificate management
- ✅ Dummy SSL certificates for immediate HTTPS support
- ✅ Automatic certificate switching from dummy to real certificates
- ✅ Containerized logging (logs to stdout/stderr)
- ✅ Configurable Nginx settings via variables
- ✅ HTTP to HTTPS redirect support
- ✅ Custom robots.txt for each domain
- ✅ Configurable location blocks for each domain
- ✅ Basic authentication support per domain
- ✅ Automatic SSL certificate generation and renewal
- ✅ Conditional SSL deployment (only starts certbot when SSL is enabled)
- Ubuntu 18.04+ server
- Ansible 2.9+
- SSH access to target server
- Domain names pointing to your server (optional, can use nip.io)
- Clone this repository:

```bash
git clone git@github.com:sferatime/test_task_01.git
cd test_task_01
```

- Install required Ansible collections:

```bash
ansible-galaxy collection install -r requirements.yml
```

- Update the inventory file with your server details:

```bash
# Edit inventory file
vim inventory.ini
```

- Configure your domains in `group_vars/all.yml`:
```yaml
domains:
  - domain: "{{ public_ipv4 }}.nip.io"   # Auto-detected public IP
    locations:
      - path: "/"
        proxy_pass: "http://backend:8080"
        proxy_set_header: "Host $host"
    enable_ssl: true
    redirect_http_to_https: true
    basic_auth:
      enabled: false
      username: "admin"
      password: "password123"
    robots_txt: |
      User-agent: *
      Disallow: /admin/
      Allow: /
```

Each domain can be configured with the following options:
```yaml
domains:
  - domain: "your-domain.com"
    locations:                               # List of location blocks
      - path: "/"
        proxy_pass: "http://backend:8080"
        proxy_set_header: "Host $host"
        # proxy_set_header: "X-Real-IP $remote_addr"
        # A YAML mapping cannot repeat a key: uncommenting the line above
        # would replace "Host $host" rather than add a second header
        # (Ansible warns about the duplicate and keeps the last value).
      - path: "/api"
        proxy_pass: "http://api:3000"
        proxy_set_header: "Host $host"
    enable_ssl: true                         # Enable SSL certificate
    redirect_http_to_https: true             # Redirect HTTP to HTTPS
    basic_auth:                              # Basic authentication
      enabled: true
      username: "admin"
      password: "secure_password"
    robots_txt: |                            # Custom robots.txt content
      User-agent: *
      Disallow: /admin/
      Allow: /

certbot_email: "admin@example.com"           # Email for SSL certificates
certbot_staging: false                       # Use staging environment for testing
```

Run the playbook:

```bash
# Deploy to all hosts in the inventory
ansible-playbook -i inventory.ini site.yml

# Deploy to a single host
ansible-playbook -i inventory.ini site.yml --limit web-server

# Dry run (check mode, no changes applied)
ansible-playbook -i inventory.ini site.yml --check

# Verbose output
ansible-playbook -i inventory.ini site.yml -v
```

For testing purposes, you can also run the services directly with Docker Compose without using Ansible:
```bash
sudo docker-compose up --build
sudo docker-compose down
```

Note: when using Docker Compose directly, disable the docker role in the dependencies list in roles/nginx/meta/main.yaml (the testing setup already includes dind).
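The per-domain options above are easy to get subtly wrong in ways the playbook will not catch for you: basic auth enabled on a domain that still answers plain HTTP sends the credentials across the network in the clear, and the placeholder passwords from the samples tend to survive into production. The following linter is an added example, not code from this repository; it mirrors the `domains`, `certbot_email` and `certbot_staging` keys of `group_vars/all.yml` as a constructed Python dict (what a YAML loader would produce) and reports findings. The placeholder-password list and the 12-character minimum are this example's own assumptions.

```python
"""Sanity checks for the per-domain options of group_vars/all.yml.

Added example (not part of the repository): lints the `domains` structure
for settings that weaken the deployment before the playbook applies them.
"""
from urllib.parse import urlsplit

# Constructed sample mirroring the README's group_vars/all.yml layout.
SAMPLE_CONFIG = {
    "certbot_email": "admin@example.com",
    "certbot_staging": False,
    "domains": [
        {
            "domain": "your-domain.com",
            "locations": [
                {"path": "/", "proxy_pass": "http://backend:8080",
                 "proxy_set_header": "Host $host"},
                {"path": "/api", "proxy_pass": "http://api:3000",
                 "proxy_set_header": "Host $host"},
            ],
            "enable_ssl": True,
            "redirect_http_to_https": True,
            "basic_auth": {"enabled": True, "username": "admin",
                           "password": "secure_password"},
            "robots_txt": "User-agent: *\nDisallow: /admin/\nAllow: /\n",
        },
    ],
}

# Assumed list of sample-config placeholders that must never reach production.
PLACEHOLDER_PASSWORDS = {"password123", "secure_password", "password", "admin"}


def lint_domain(entry):
    """Return a list of (severity, message) findings for one domain entry."""
    findings = []
    name = entry.get("domain", "<missing>")
    ssl_on = bool(entry.get("enable_ssl"))
    redirect_on = bool(entry.get("redirect_http_to_https"))
    auth = entry.get("basic_auth") or {}

    if not entry.get("domain"):
        findings.append(("error", "domain name is missing"))
    if not entry.get("locations"):
        findings.append(("error", f"{name}: no location blocks defined"))

    for loc in entry.get("locations", []):
        path = loc.get("path", "")
        if not path.startswith("/"):
            findings.append(("error", f"{name}: location path {path!r} must start with '/'"))
        target = urlsplit(loc.get("proxy_pass", ""))
        if target.scheme not in ("http", "https") or not target.netloc:
            findings.append(("error", f"{name}{path}: proxy_pass must be an http(s) URL"))

    if redirect_on and not ssl_on:
        findings.append(("error", f"{name}: redirect_http_to_https needs enable_ssl"))

    if auth.get("enabled"):
        # Basic auth only base64-encodes the credentials; without HTTPS plus a
        # forced redirect they are readable by anyone on the path.
        if not (ssl_on and redirect_on):
            findings.append(("error", f"{name}: basic_auth without enforced HTTPS exposes credentials"))
        pw = auth.get("password", "")
        if pw in PLACEHOLDER_PASSWORDS or len(pw) < 12:
            findings.append(("warning", f"{name}: basic_auth password is a placeholder or shorter than 12 chars"))
    return findings


def lint_config(config):
    """Lint the top-level certbot keys and every domain entry."""
    findings = []
    if any(d.get("enable_ssl") for d in config.get("domains", [])) and not config.get("certbot_email"):
        findings.append(("error", "certbot_email is required when any domain enables SSL"))
    if config.get("certbot_staging"):
        findings.append(("warning", "certbot_staging is true: issued certificates will not be browser-trusted"))
    for entry in config.get("domains", []):
        findings.extend(lint_domain(entry))
    return findings


if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports one warning, the placeholder password; point it at your real `group_vars/all.yml` (loaded with any YAML library) before the first `ansible-playbook` run.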
```text
.
├── ansible.cfg                  # Ansible configuration
├── inventory.ini                # Host inventory
├── site.yml                     # Main playbook
├── requirements.yml             # Ansible collections
├── group_vars/
│   └── all.yml                  # Global variables
├── roles/
│   ├── docker/                  # Docker installation role
│   │   ├── tasks/
│   │   │   └── main.yml         # Docker installation tasks
│   │   ├── defaults/
│   │   │   └── main.yml         # Docker role variables
│   │   └── meta/
│   │       └── main.yml         # Role metadata
│   └── nginx/                   # Nginx configuration role
│       ├── tasks/
│       │   └── main.yml         # Nginx setup tasks
│       ├── templates/
│       │   ├── nginx.conf.j2    # Nginx main config (logs to stdout)
│       │   ├── domain.conf.j2   # Domain-specific config
│       │   └── docker-compose.yml.j2  # Docker Compose
│       ├── handlers/
│       │   └── main.yml         # Handlers
│       ├── defaults/
│       │   └── main.yml         # Nginx role variables
│       └── meta/
│           └── main.yml         # Role metadata
├── examples/
│   └── sample-config.yml        # Sample configuration
└── README.md                    # This file
```
The playbook uses two roles with clear separation of concerns:
- `docker` - Installs Docker and Docker Compose
- `nginx` - Configures and deploys Nginx with SSL and basic auth
The nginx role depends on the docker role and will automatically install Docker if not already present.
The playbook automatically:
- Generates dummy SSL certificates for immediate HTTPS support
- Starts nginx with HTTPS using self-signed certificates
- Generates real Let's Encrypt certificates in the background
- Automatically switches from dummy to real certificates
- Uses Let's Encrypt for free SSL certificates
- Handles certificate renewal automatically
- Supports staging environment for testing
The startup sequence is:

1. Dummy certificates: self-signed certificates are generated for each domain
2. Nginx starts: the container starts with HTTPS support immediately
3. HTTP redirect: all HTTP traffic redirects to HTTPS
4. Real certificates: Certbot generates real Let's Encrypt certificates
5. Automatic switch: the configuration is updated to use the real certificates
Both Nginx and Certbot logs are configured to write to stdout/stderr:

- Nginx access logs: available via `docker logs nginx`
- Nginx error logs: available via `docker logs nginx`
- Certbot logs: available via `docker logs certbot`
```bash
# Nginx logs
docker logs nginx

# Follow nginx logs in real-time
docker logs -f nginx

# Certbot logs
docker logs certbot

# Follow certbot logs in real-time
docker logs -f certbot
```

Security features:

- HTTP to HTTPS redirects
- Basic authentication per domain
- SSL/TLS 1.2+ only
- Secure cipher suites
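Because the access log goes to stdout, `docker logs nginx` is the only record of who is hitting the basic-auth-protected locations and which upstreams are failing. The script below is an added example, not code from the repository: it parses that output and summarises status classes, clients with repeated 401 responses (failed basic auth), and requests that hit upstream errors. The log lines are constructed in nginx's default `combined` format, which is assumed to be what `nginx.conf.j2` emits; the 401 threshold is an assumption too.

```python
"""Triage nginx access logs captured with `docker logs nginx`.

Added example (not part of the repository). Assumes the default "combined"
log format on stdout.
"""
import re
from collections import Counter

# Constructed sample lines; one deliberately malformed line is included.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.10 - - [10/Jan/2024:10:00:04 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.7 - admin [10/Jan/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:01:05 +0000] "GET /api/health HTTP/1.1" 502 157 "-" "Mozilla/5.0"
not a log line at all
"""

# Combined format: client ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_access_log(text):
    """Return (entries, skipped): parsed dicts and the count of unparsable lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, skipped


def summarize(entries, auth_fail_threshold=3):
    """Status-class counts, clients at/above the 401 threshold, upstream errors."""
    by_class = Counter(f"{e['status'] // 100}xx" for e in entries)
    failures = Counter(e["client"] for e in entries if e["status"] == 401)
    suspects = {c: n for c, n in failures.items() if n >= auth_fail_threshold}
    # 502/503/504 usually mean the proxy_pass target is down or unreachable.
    upstream_errors = [e["path"] for e in entries if e["status"] in (502, 503, 504)]
    return {"by_class": dict(by_class),
            "auth_failures": suspects,
            "upstream_errors": upstream_errors}


if __name__ == "__main__":
    parsed, unparsed = parse_access_log(SAMPLE_LOG)
    print(summarize(parsed), f"({unparsed} unparsed lines)")
```

Pipe real output in with `docker logs nginx 2>/dev/null | python3 triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; error-log lines on stderr will not match the pattern and are counted as skipped rather than crashing the parse.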
```bash
# Container status
docker ps -a

# Container logs
docker logs nginx
docker logs certbot

# Validate the nginx configuration inside the container
docker exec nginx nginx -t

# Trigger a certificate renewal attempt
docker exec certbot certbot renew

# Show which certificate files the running configuration references
docker exec nginx nginx -T | grep ssl_certificate
```

If a domain does not respond:

- Ensure the domain is properly configured in `group_vars/all.yml`
- Check that the proxy_pass URL is accessible
- Verify the nginx configuration with `docker exec nginx nginx -t`

If certificate issuance fails:

- Check the certbot logs: `docker logs certbot`
- Verify that the domain's DNS is pointing to the server
- Ensure ports 80 and 443 are open in the firewall
- Use the staging environment for testing: `certbot_staging: true`

If the containers fail to start:

- Check container logs for errors
- Verify the docker-compose configuration
- Ensure all required volumes are accessible