WIP Add pyinfra for chatwoot.testrun.org

pyinfra_nginx/nginx.py

@@ -1,7 +1,5 @@
-"""
-nginx deploy
-"""
 from io import StringIO
+import importlib.resources
 
 from pyinfra import host
 from pyinfra.api.deploy import deploy
@@ -9,7 +7,7 @@ from pyinfra.operations import files, server, apt, systemd
 from pyinfra.facts.deb import DebPackages
 from pyinfra_acmetool import deploy_acmetool
 
-def _install_nginx():
+def deploy_nginx():
     if not host.get_fact(DebPackages):
         raise DeployError(("Can't deploy prerequisites on non-deb system"))
 
@@ -18,15 +16,17 @@ def _install_nginx():
     apt.packages(
         name = "Install nginx-extras",
         packages = ["nginx-extras"],
-        _sudo = True,
     )
 
-def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True):
+
+def add_nginx_domain(domain: str, config_path: str = None, proxy_port: int = None, enabled=True, acmetool=True):
     """Let a domain be handled by nginx, create a Let's Encrypt certificate for it, and deploy the config.
 
     :param domain: the domain of the website
     :param config_path: the local path to the nginx config file
+    :param proxy_port: proxy_pass all HTTP traffic to some internal port
     :param enabled: whether the site should be enabled at /etc/nginx/sites-enabled
+    :param acmetool: whether acmetool should fetch TLS certs for the domain
     """
     default_config_link = files.link(
         path="/etc/nginx/sites-enabled/default", present=False
@@ -37,13 +37,24 @@ def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True)
         deploy_acmetool(nginx_hook=True, domains=[domain])
 
     if enabled:
-        config = files.put(
+        if config_path:
-            src=config_path,
+            config = files.put(
-            dest=f"/etc/nginx/sites-available/{domain}",
+                src=config_path,
-            user="root",
+                dest=f"/etc/nginx/sites-available/{domain}",
-            group="root",
+                user="root",
-            mode="644",
+                group="root",
-        )
+                mode="644",
+            )
+        elif proxy_port:
+            config = files.template(
+                src=importlib.resources.files(__package__) / "proxy_pass.nginx_config.j2",
+                dest=f"/etc/nginx/sites-available/{domain}",
+                user="root",
+                group="root",
+                mode="644",
+                domain=domain,
+                proxy_port=proxy_port,
+            )
         config_link = files.link(
             path=f"/etc/nginx/sites-enabled/{domain}",
             target=f"/etc/nginx/sites-available/{domain}",
@@ -62,6 +73,3 @@ def add_nginx_domain(domain: str, config_path: str, enabled=True, acmetool=True)
         restarted=need_restart,
     )
 
-@deploy("Deploy nginx")
-def deploy_nginx():
-    _install_nginx()

pyinfra_nginx/proxy_pass.nginx_config.j2

@@ -0,0 +1,19 @@
+server {
+	server_name {{ domain }};
+	client_max_body_size 512m;
+
+	location / {
+        proxy_set_header    Host                $http_host;
+        proxy_set_header    X-Real-IP           $remote_addr;
+        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-Proto   $scheme;
+        proxy_pass http://127.0.0.1:{{ proxy_port }}/;
+	}
+
+    listen [::]:443 ssl http2;
+    listen 443 ssl http2;
+    ssl_certificate /var/lib/acme/live/{{ domain }}/fullchain; # managed by acmetool
+    ssl_certificate_key /var/lib/acme/live/{{ domain }}/privkey; # managed by acmetool
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}