Merge pull request #4 from AlchemyLink/feature/singbox-role-refactor

feat: extract raven_subscribe, nginx_frontend, relay into separate Ansible roles

Author: findias

.gitignore

@@ -1,6 +1,7 @@
 # Secrets — never commit real credentials
 vault_password.txt
 **/secrets.yml
+**/*_secrets.yml
 **/vault_password.txt
 **/*.secret
 **/*.vault

roles/nginx_frontend/defaults/main.yml

@@ -0,0 +1,32 @@
+---
+# nginx_frontend role — TLS frontend for EU server (media.zirgate.com)
+#
+# Responsibilities:
+#   - Install nginx + certbot
+#   - Obtain Let's Encrypt certificate for nginx_frontend_domain
+#   - Proxy Xray XHTTP (nginx_frontend_xhttp_path) → 127.0.0.1:nginx_frontend_xhttp_port
+
+# ── Domain ────────────────────────────────────────────────────────────────────
+nginx_frontend_domain: "media.zirgate.com"
+
+# ── Certbot ───────────────────────────────────────────────────────────────────
+nginx_frontend_certbot_email: ""   # Set in secrets.yml
+
+# ── nginx listen port ─────────────────────────────────────────────────────────
+# IMPORTANT: Xray VLESS Reality already binds to 443 (TCP).
+# nginx_frontend must listen on a different port (e.g., 8443, 9443).
+# The relay role will proxy to this port over HTTPS with SNI.
+nginx_frontend_listen_port: 8443   # Must NOT conflict with xray_vless_port (443)
+
+# ── Raven-subscribe upstream ──────────────────────────────────────────────────
+nginx_frontend_raven_port: 8080    # Must match raven_subscribe_listen_addr port
+
+# ── Xray XHTTP upstream ───────────────────────────────────────────────────────
+nginx_frontend_xhttp_port: 2053    # Must match xray_xhttp.port
+nginx_frontend_xhttp_path: "/api/v3/data-sync"   # Must match xray_xhttp.xhttpSettings.path
+
+# ── TCP stream relay for Xray VLESS Reality ───────────────────────────────────
+# Stream proxy: nginx_frontend_reality_port → 127.0.0.1:443 (Xray)
+# Allows clients to reach Reality via media.zirgate.com instead of direct EU IP.
+nginx_frontend_reality_stream_enabled: true
+nginx_frontend_reality_port: 8445   # External TCP port for Reality stream

roles/nginx_frontend/defaults/secrets.yml.example

@@ -0,0 +1,5 @@
+---
+# Copy to secrets.yml and encrypt with ansible-vault:
+#   ansible-vault encrypt roles/nginx_frontend/defaults/secrets.yml
+
+nginx_frontend_certbot_email: "admin@admin.com"

roles/nginx_frontend/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Reload nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted

roles/nginx_frontend/inventory.ini

@@ -0,0 +1,2 @@
+[eu]
+vpn ansible_host=EU_VPS_IP ansible_user=deploy

roles/nginx_frontend/tasks/certbot.yml

@@ -0,0 +1,23 @@
+---
+- name: Nginx frontend | Check if certificate exists
+  ansible.builtin.stat:
+    path: "/etc/letsencrypt/live/{{ nginx_frontend_domain }}/fullchain.pem"
+  register: nginx_frontend_cert
+
+- name: Nginx frontend | Obtain Let's Encrypt certificate
+  ansible.builtin.command:
+    cmd: >
+      certbot certonly --webroot
+      --webroot-path /var/www/letsencrypt
+      --non-interactive
+      --agree-tos
+      --email {{ nginx_frontend_certbot_email }}
+      -d {{ nginx_frontend_domain }}
+  when: not nginx_frontend_cert.stat.exists
+  notify: Reload nginx
+
+- name: Nginx frontend | Ensure certbot renewal timer is enabled
+  ansible.builtin.service:
+    name: certbot.timer
+    enabled: true
+    state: started

roles/nginx_frontend/tasks/install.yml

@@ -0,0 +1,15 @@
+---
+- name: Nginx frontend | Install nginx and certbot
+  ansible.builtin.apt:
+    name:
+      - nginx
+      - certbot
+      - python3-certbot-nginx
+    state: present
+    update_cache: true
+
+- name: Nginx frontend | Ensure nginx is enabled and started
+  ansible.builtin.service:
+    name: nginx
+    enabled: true
+    state: started

roles/nginx_frontend/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Nginx frontend | Validate
+  ansible.builtin.import_tasks: validate.yml
+  tags: always
+
+- name: Nginx frontend | Install packages
+  ansible.builtin.import_tasks: install.yml
+  tags: nginx_frontend_install
+
+- name: Nginx frontend | Configure HTTP (pre-certbot)
+  ansible.builtin.import_tasks: nginx.yml
+  tags: nginx_frontend_nginx
+
+- name: Nginx frontend | Obtain TLS certificate
+  ansible.builtin.import_tasks: certbot.yml
+  tags: nginx_frontend_certbot
+
+- name: Nginx frontend | Deploy HTTPS config
+  ansible.builtin.import_tasks: nginx_ssl.yml
+  tags: nginx_frontend_ssl
+
+- name: Nginx frontend | Configure TCP stream relay
+  ansible.builtin.import_tasks: stream.yml
+  tags: nginx_frontend_stream

roles/nginx_frontend/tasks/nginx.yml

@@ -0,0 +1,20 @@
+---
+- name: Nginx frontend | Create letsencrypt webroot
+  ansible.builtin.file:
+    path: /var/www/letsencrypt
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Nginx frontend | Deploy HTTP config (pre-certbot)
+  ansible.builtin.template:
+    src: nginx/http.conf.j2
+    dest: "/etc/nginx/conf.d/{{ nginx_frontend_domain }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload nginx
+
+- name: Nginx frontend | Reload nginx before certbot
+  ansible.builtin.meta: flush_handlers

roles/nginx_frontend/tasks/nginx_ssl.yml

@@ -0,0 +1,9 @@
+---
+- name: Nginx frontend | Deploy HTTPS config
+  ansible.builtin.template:
+    src: nginx/https.conf.j2
+    dest: "/etc/nginx/conf.d/{{ nginx_frontend_domain }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload nginx