veza/infra/ansible/roles/nginx_proxy_cache/tasks/main.yml

feat(infra): nginx_proxy_cache phase-1 edge cache fronting MinIO (W3+)

Self-hosted edge cache on a dedicated Incus container, sits between clients and the MinIO EC:2 cluster. Replaces the need for an external CDN at v1.0 traffic levels — handles thousands of concurrent listeners on the R720, leaks zero logs to a third party.

This is the phase-1 alternative documented in the v1.0.9 CDN synthesis: phase-1 = self-hosted Nginx, phase-2 = 2 cache nodes + GeoDNS, phase-3 = Bunny.net via the existing CDN_* config (still inert with CDN_ENABLED=false).

- infra/ansible/roles/nginx_proxy_cache/: install nginx + curl, render nginx.conf with shared zone (128 MiB keys + 20 GiB disk, inactive=7d), render veza-cache site that proxies to the minio_nodes upstream pool with keepalive=32. HLS segments cached 7d via 1 MiB slice; .m3u8 cached 60s; everything else 1h.
- Cache key excludes Authorization / Cookie (presigned URLs only in v1.0). slice_range included for segments so byte-range requests with arbitrary offsets all hit the same cached chunks.
- proxy_cache_use_stale error timeout updating http_500..504 + background_update + lock — survives MinIO partial outages without cold-storming the origin.
- X-Cache-Status surfaced on every response so smoke tests + operators can verify HIT/MISS without parsing access logs.
- stub_status bound to 127.0.0.1:81/__nginx_status for the future prometheus nginx_exporter sidecar.
- infra/ansible/playbooks/nginx_proxy_cache.yml: provisions the Incus container + applies common baseline + role.
- inventory/lab.yml: new nginx_cache group.
- infra/ansible/tests/test_nginx_cache.sh: MISS→HIT roundtrip via X-Cache-Status, on-disk entry verification.

Acceptance: smoke test reports MISS then HIT for the same URL; cache directory carries on-disk entries.

No backend code change — the cache is transparent. To route through it, flip AWS_S3_ENDPOINT=http://nginx-cache.lxd:80 in the API env.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 13:58:14 +00:00
# nginx_proxy_cache role — installs nginx, renders the cache config
# pointed at the MinIO cluster, ensures the systemd unit is running.
# Idempotent.
---
- name: Install nginx + curl (curl needed for the smoke test)
  ansible.builtin.apt:
    name:
      - nginx
      - curl
    state: present
    update_cache: true
    cache_valid_time: 3600
  tags: [nginx_cache, packages]

- name: Ensure cache root directory
  ansible.builtin.file:
    path: "{{ nginx_cache_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: "0755"
  tags: [nginx_cache, config]

- name: Render nginx.conf (top-level)
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Disable the default site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Render the veza-cache site config
  ansible.builtin.template:
    src: sites/veza-cache.conf.j2
    dest: /etc/nginx/sites-available/veza-cache.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Enable veza-cache site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/veza-cache.conf
    dest: /etc/nginx/sites-enabled/veza-cache.conf
    state: link
    force: true
  notify: Reload nginx
  tags: [nginx_cache, config]

- name: Validate nginx config
  ansible.builtin.command:
    cmd: nginx -t
  changed_when: false
  tags: [nginx_cache, config]

- name: Enable + start nginx
  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
  tags: [nginx_cache, service]
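The first task installs curl for the smoke test that the commit message describes (MISS then HIT for the same URL via X-Cache-Status, plus an on-disk entry check). The script below is an added example of that check, written here as a stand-alone POSIX sh script; it is not the repository's infra/ansible/tests/test_nginx_cache.sh. The default URL and the cache root path under `live_check` are hypothetical placeholders (the role takes the real root from `nginx_cache_root`), and the header and cache-entry samples used in the self-check are constructed. It relies on one nginx fact: each on-disk cache entry stores its key in plaintext on a `KEY: ` line in the entry header, so a `grep -a` over the cache root finds the entry for a given request path.

```shell
#!/usr/bin/env sh
# Added example (not the repo's test_nginx_cache.sh): verify the MISS -> HIT
# roundtrip via X-Cache-Status and confirm the entry landed on disk.

# Print the X-Cache-Status value (HIT, MISS, STALE, ...) from a raw header
# dump such as `curl -sI` output, or NONE when the header is absent.
cache_status() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "x-cache-status:" && !found { print $2; found = 1 }
        END { if (!found) print "NONE" }'
}

# Return 0 only when the first response was a MISS and the second a HIT.
miss_then_hit() {
    first=$(cache_status "$1")
    second=$(cache_status "$2")
    [ "$first" = "MISS" ] && [ "$second" = "HIT" ]
}

# Return 0 when some entry under the cache root carries the given request
# path in its plaintext "KEY: ..." header line (-a: entries are binary files).
on_disk_entry() {
    root=$1
    path=$2
    grep -rlaF -- "$path" "$root" 2>/dev/null | grep -q .
}

# Live roundtrip against a cache node. Both the URL and the cache root are
# hypothetical defaults; pass the real ones as arguments. Needs curl on PATH.
live_check() {
    url=${1:-http://nginx-cache.lxd:80/media/hls/example/seg-0001.ts}
    root=${2:-/var/cache/nginx/veza}
    h1=$(curl -sI -- "$url") || return 2
    h2=$(curl -sI -- "$url") || return 2
    if ! miss_then_hit "$h1" "$h2"; then
        echo "FAIL: got $(cache_status "$h1") then $(cache_status "$h2") for $url"
        return 1
    fi
    # strip scheme and host to get the request path the cache key contains
    if ! on_disk_entry "$root" "${url#*://*/}"; then
        echo "FAIL: no on-disk entry under $root for ${url#*://*/}"
        return 1
    fi
    echo "OK: MISS -> HIT and entry present on disk"
}

# Offline self-check on constructed header dumps and a constructed entry.
self_check() {
    miss=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: video/MP2T\r\nX-Cache-Status: MISS\r\n\r\n')
    hit=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: video/MP2T\r\nX-Cache-Status: HIT\r\n\r\n')
    miss_then_hit "$miss" "$hit" || return 1
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/3/f1"
    # constructed cache entry: binary header bytes followed by the plaintext KEY line
    printf '\003\000\000\000KEY: http://nginx-cache.lxd/media/hls/example/seg-0001.ts\r\n' \
        > "$tmp/3/f1/constructed-entry"
    on_disk_entry "$tmp" "media/hls/example/seg-0001.ts"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: ./smoke.sh            -> offline self-check
#        ./smoke.sh live URL ROOT -> roundtrip against a real cache node
case "${1:-self}" in
    live) shift; live_check "$@" ;;
    self) self_check && echo "self-check OK" ;;
esac
```

Two requests for the same URL are expected to report MISS then HIT; a STALE or UPDATING status on a later run is the `proxy_cache_use_stale` path from the commit message and should be read as the cache serving through an origin error rather than as a failure of the cache itself.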