library/roles/nginx: Manage the main configuration file.

library/roles/nginx: Provide parts of embeddable optional configurations inside /etc/nginx/snippets.

nginx/defaults/main.yml

@@ -6,6 +6,21 @@ nginx_package_state: installed
 
 #nginx_virthosts: []
 
+nginx_snippets_dir: /etc/nginx/snippets
+
+nginx_conf_snippets:
+  - nginx-compression.conf
+  - nginx-websockets.conf
+  - nginx-browser-cache.conf
+  - letsencrypt-proxy.conf
+  - nginx-proxy-params.conf
+
+nginx_workers: 4
+nginx_worker_connections: 1024
+nginx_multi_accept: 'off'
+nginx_worker_rlimit_nofile: 2048
+nginx_server_tokens: 'off'
+
 nginx_enable_compression: True
 nginx_gzip_vary: "on"
 nginx_gzip_proxied: any
@@ -14,6 +29,15 @@ nginx_gzip_buffers: 16 8k
 nginx_gzip_http_version: 1.1
 nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
 
+nginx_enable_browser_cache: True
+nginx_cache_control: public
+nginx_html_cache_expire: -1
+nginx_feed_cache_expire_enabled: False
+nginx_feed_cache_expire: 1h
+nginx_media_cache_expire: 24h
+nginx_css_js_cache_expire: -1
+
+nginx_reverse_proxy: False
 nginx_proxy_buffering: "on"
 nginx_proxy_redirect: "off"
 nginx_proxy_buffer_size: 128k

nginx/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - include: nginx.yml
+- include: nginx-config.yml
 #- include: nginx-virtualhosts.yml
 #  when: nginx_virthosts|length > 0
 - include: nginx-letsencrypt.yml

nginx/tasks/nginx-config.yml

@@ -0,0 +1,19 @@
+---
+- block:
+    - name: Create the snippets directory
+      file: dest={{ nginx_snippets_dir }} state=directory
+
+    - name: remove nginx default virtualhost
+      file: dest=/etc/nginx/sites-enabled/default state=absent
+      notify: Reload nginx
+  
+    - name: Install the supported configuration snippets
+      template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
+      with_items: '{{ nginx_conf_snippets }}'
+
+    - name: Install the main nginx.conf
+      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
+      notify: Reload nginx
+
+  when: nginx_enabled
+  tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

nginx/tasks/nginx.yml

@@ -20,20 +20,3 @@
   when: nginx_use_ldap_pam_auth
   tags: nginx
 
-- name: remove nginx default config
-  file: dest=/etc/nginx/sites-enabled/default state=absent
-  notify: Reload nginx
-  tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
-
-- name: Install the gzip compression configuration if enabled
-  template: src=nginx-compression.conf.j2 dest=/etc/nginx/conf.d/compression.conf owner=root group=root mode=0444
-  when: nginx_enable_compression
-  notify: Reload nginx
-  tags: [ 'nginx', 'nginx_conf' ]
-
-- name: Install websockets configuration if enabled
-  template: src=nginx-websockets.conf.j2 dest=/etc/nginx/conf.d/websockets.conf owner=root group=root mode=0444
-  when: nginx_websockets_support
-  notify: Reload nginx
-  tags: [ 'nginx', 'nginx_conf' ]
-

nginx/templates/letsencrypt-proxy.conf.j2

@@ -1,10 +1,9 @@
-server {
-    listen 80 default_server;
+# Include this one inside a "server" directive listening on port 80, this way:
+# include /etc/nginx/snippets/letsencrypt-proxy.conf
     location ^~ /.well-known/acme-challenge {
         proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge;
         access_log /var/log/nginx/letsencrypt_acmetool_access.log;
         error_log /var/log/nginx/letsencrypt_acmetool_error.log;
     }
-}
 
 

nginx/templates/nginx-browser-cache.conf.j2

@@ -0,0 +1,27 @@
+# include inside a 'server' directive
+# 
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+    expires {{ nginx_html_cache_expire }};
+}
+
+{% if nginx_feed_cache_expire_enabled %}
+#
+location ~* \.(?:rss|atom)$ {
+  expires {{ nginx_feed_cache_expire }};
+  add_header Cache-Control "{{ nginx_cache_control }}";
+}
+{% endif %}
+
+#
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+  expires {{ nginx_media_cache_expire }};
+  access_log off;
+  add_header Cache-Control "{{ nginx_cache_control }}";
+}
+
+#
+location ~* \.(?:css|js)$ {
+  expires {{ nginx_css_js_cache_expire }};
+  access_log off;
+  add_header Cache-Control "{{ nginx_cache_control }}";
+}

nginx/templates/nginx-proxy-params.conf.j2

@@ -0,0 +1,16 @@
+# Proxy stuff
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_buffer_size {{ nginx_proxy_buffer_size }};
+proxy_buffers {{ nginx_proxy_buffers }};
+proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
+proxy_set_header X-Forwarded-Host $remote_addr;
+proxy_set_header X-Forwarded-Server $host;
+proxy_http_version 1.1;
+proxy_redirect {{ nginx_proxy_redirect }};
+proxy_buffering {{ nginx_proxy_buffering }};
+proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
+proxy_read_timeout {{ nginx_proxy_read_timeout }};
+proxy_send_timeout {{ nginx_proxy_send_timeout }};

nginx/templates/nginx.conf.j2

@@ -0,0 +1,37 @@
+user www-data;
+worker_processes {{ nginx_workers }};
+pid /run/nginx.pid;
+
+events {
+    worker_connections {{ nginx_worker_connections }};
+    multi_accept {{ nginx_multi_accept }};
+}
+worker_rlimit_nofile    {{ nginx_worker_rlimit_nofile }};
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens {{ nginx_server_tokens }};
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    ##
+    # Logging Settings
+    ##
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    include /etc/nginx/conf.d/*.conf;
+{% if nginx_enable_compression %}
+    include /etc/nginx/snippets/nginx-compression.conf;
+{% endif %}
+{% if nginx_websockets_support %}
+    include /etc/nginx/snippets/nginx-websockets.conf;
+{% endif %}
+    include /etc/nginx/sites-enabled/*;
+}
+