feat: forward tcp traffic easily

roles/immich/README.md

@@ -206,11 +206,44 @@ The role implements proper data isolation for both database backends:
 
 The compose file is deployed to `{{ podman_projects_dir }}/immich/docker-compose.yml` and managed via a systemd service.
 
+## Nginx Reverse Proxy with ACME/Let's Encrypt
+
+The role includes an Nginx vhost template with native ACME support for automatic HTTPS certificate management.
+
+**Prerequisites:**
+1. Nginx role deployed with `acme_email` configured
+2. Port 80/443 accessible from internet (for ACME HTTP-01 challenge)
+3. DNS pointing to your server
+
+**Configuration:**
+```yaml
+# Enable Nginx reverse proxy
+immich_nginx_enabled: true
+immich_nginx_hostname: "blog.hello.com"
+
+# In nginx role configuration (host_vars or group_vars)
+acme_email: "admin@carabosse.cloud"
+```
+
+**What it does:**
+- Deploys HTTPS vhost with automatic Let's Encrypt certificate
+- HTTP → HTTPS redirect
+- Proxies to Immich container on localhost
+- Handles WebSocket upgrades for live photos
+- Large file upload support (50GB max)
+
+**ACME automatic features:**
+- Certificate issuance on first deployment
+- Automatic renewal
+- HTTP-01 challenge handling
+
 ## Post-Installation
 
 After deployment:
 
-1. Access Immich at `http://<host-ip>:2283`
+1. Access Immich at:
+   - **With Nginx enabled**: `https://{{ immich_nginx_hostname }}`
+   - **Without Nginx**: `http://<host-ip>:{{ immich_port }}`
 2. Create an admin account on first login
 3. Configure mobile/desktop apps to point to your server
 

roles/immich/templates/nginx-vhost.conf.j2

@@ -1,7 +1,41 @@
+# Immich vhost with Let's Encrypt (Certbot)
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
 server {
     listen 80;
     server_name {{ immich_nginx_hostname }};
 
+    # Certbot webroot for ACME challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ immich_nginx_hostname }};
+
+    # Let's Encrypt certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/{{ immich_nginx_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ immich_nginx_hostname }}/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_prefer_server_ciphers {{ 'on' if nginx_ssl_prefer_server_ciphers else 'off' }};
+
+{% if nginx_log_backend == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_immich;
+    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_immich;
+{% else %}
+    access_log /var/log/nginx/{{ immich_nginx_hostname }}_access.log main;
+    error_log /var/log/nginx/{{ immich_nginx_hostname }}_error.log;
+{% endif %}
+
     client_max_body_size 50000M;
 
     location / {