forked from ISTI-ansible-roles/ansible-roles
Merge branch 'master' of adellam/ansible-roles into master
This commit is contained in:
commit
2e6f87a097
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: '../../library/centos/roles/centos-bootstrap'
|
- role: '../../library/centos/roles/centos-bootstrap'
|
||||||
- role: '../../library/centos/roles/rsyslog'
|
- role: '../../library/roles/rsyslog'
|
||||||
- role: '../../library/roles/dell-server-utilities'
|
- role: '../../library/roles/dell-server-utilities'
|
||||||
- role: '../../library/roles/sshd_config'
|
- role: '../../library/roles/sshd_config'
|
||||||
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
|
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
|
||||||
|
|
|
@ -1,113 +0,0 @@
|
||||||
---
|
|
||||||
nginx_enabled: True
|
|
||||||
nginx_package_state: installed
|
|
||||||
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
||||||
nginx_ssl_level: intermediate
|
|
||||||
|
|
||||||
nginx_snippets_dir: /etc/nginx/snippets
|
|
||||||
nginx_default_conf_dir: /etc/nginx/default.d
|
|
||||||
|
|
||||||
nginx_conf_snippets:
|
|
||||||
- nginx-compression.conf
|
|
||||||
- nginx-websockets.conf
|
|
||||||
- nginx-browser-cache.conf
|
|
||||||
- letsencrypt-proxy.conf
|
|
||||||
- nginx-proxy-params.conf
|
|
||||||
- nginx-server-ssl.conf
|
|
||||||
- nginx-cors.conf
|
|
||||||
|
|
||||||
nginx_old_snippets:
|
|
||||||
- compression.conf
|
|
||||||
|
|
||||||
nginx_workers: 4
|
|
||||||
nginx_worker_connections: 1024
|
|
||||||
nginx_multi_accept: 'off'
|
|
||||||
nginx_worker_rlimit_nofile: 2048
|
|
||||||
nginx_server_tokens: 'off'
|
|
||||||
|
|
||||||
nginx_large_client_header_buffers: 4 8k
|
|
||||||
|
|
||||||
nginx_enable_compression: True
|
|
||||||
nginx_gzip_vary: "on"
|
|
||||||
nginx_gzip_proxied: any
|
|
||||||
nginx_gzip_comp_level: 6
|
|
||||||
nginx_gzip_buffers: 16 8k
|
|
||||||
nginx_gzip_http_version: 1.1
|
|
||||||
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
|
|
||||||
|
|
||||||
nginx_enable_browser_cache: True
|
|
||||||
nginx_cache_control: public
|
|
||||||
nginx_html_cache_expire: -1
|
|
||||||
nginx_feed_cache_expire_enabled: False
|
|
||||||
nginx_feed_cache_expire: 1h
|
|
||||||
nginx_media_cache_expire: 1M
|
|
||||||
nginx_css_js_cache_expire: -1
|
|
||||||
|
|
||||||
nginx_reverse_proxy: False
|
|
||||||
nginx_define_x_real_ip: False
|
|
||||||
nginx_proxy_buffering: "on"
|
|
||||||
nginx_proxy_redirect: "off"
|
|
||||||
nginx_proxy_buffer_size: 128k
|
|
||||||
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
|
|
||||||
nginx_proxy_busy_buffers_size: 256k
|
|
||||||
nginx_proxy_connect_timeout: 30s
|
|
||||||
nginx_proxy_read_timeout: 480s
|
|
||||||
nginx_proxy_send_timeout: 120s
|
|
||||||
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
|
|
||||||
nginx_client_max_body_size: 100M
|
|
||||||
nginx_client_body_timeout: 240s
|
|
||||||
|
|
||||||
nginx_cors_limit_origin: True
|
|
||||||
nginx_cors_extended_rules: False
|
|
||||||
nginx_cors_acl_origin: 'http?://(localhost)'
|
|
||||||
|
|
||||||
# Find a set of acceptable defaults for the cache setup
|
|
||||||
nginx_cache_enabled: False
|
|
||||||
|
|
||||||
nginx_use_ldap_pam_auth: False
|
|
||||||
nginx_pam_svc_name: nginx
|
|
||||||
nginx_ldap_uri: "ldap://ldap.example.org"
|
|
||||||
nginx_ldap_base_dn: "dc=example,dc=org"
|
|
||||||
nginx_basic_auth: False
|
|
||||||
nginx_basic_auth_users:
|
|
||||||
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
|
|
||||||
# nginx_ldap_login_attribute: uid
|
|
||||||
# nginx_ldap_pam_groupdn:
|
|
||||||
nginx_letsencrypt_managed: True
|
|
||||||
nginx_websockets_support: False
|
|
||||||
nginx_use_common_virthost: False
|
|
||||||
# Use 'ssl http2' if the nginx version supports it
|
|
||||||
nginx_ssl_type: ssl http2
|
|
||||||
# When we do not use letsencrypt:
|
|
||||||
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
|
|
||||||
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
|
|
||||||
|
|
||||||
# Virtualhost example
|
|
||||||
# nginx_virthosts:
|
|
||||||
# - virthost_name: '{{ ansible_fqdn }}'
|
|
||||||
# listen: '{{ http_port }}'
|
|
||||||
# server_name: '{{ ansible_fqdn }}'
|
|
||||||
# server_aliases: ''
|
|
||||||
# index: index.html
|
|
||||||
# error_page: /path_to_error_page.html
|
|
||||||
# ssl_enabled: False
|
|
||||||
# ssl_only: False
|
|
||||||
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
|
||||||
# root: /usr/share/nginx/html/
|
|
||||||
# server_tokens: 'off'
|
|
||||||
# proxy_standard_setup: True
|
|
||||||
# proxy_additional_options:
|
|
||||||
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
|
|
||||||
# proxies:
|
|
||||||
# - location: /
|
|
||||||
# target: http://localhost:{{ local_http_port }};
|
|
||||||
#
|
|
||||||
# extra_parameters: |
|
|
||||||
# location ~ \.php$ {
|
|
||||||
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
|
||||||
# fastcgi_index index.php;
|
|
||||||
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
# include fastcgi_params;
|
|
||||||
# }
|
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
|
||||||
LE_LOG_DIR=/var/log/letsencrypt
|
|
||||||
DATE=$( date )
|
|
||||||
|
|
||||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
|
||||||
echo "$DATE" >> $LE_LOG_DIR/nginx.log
|
|
||||||
|
|
||||||
if [ -f /etc/default/letsencrypt ] ; then
|
|
||||||
. /etc/default/letsencrypt
|
|
||||||
else
|
|
||||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
|
|
||||||
if [ -x /bin/systemctl ] ; then
|
|
||||||
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
|
|
||||||
else
|
|
||||||
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Done." >> $LE_LOG_DIR/nginx.log
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -1,26 +0,0 @@
|
||||||
|
|
||||||
#
|
|
||||||
auth [success=2 default=ignore] pam_unix.so nullok_secure
|
|
||||||
auth [success=1 default=ignore] pam_ldap.so
|
|
||||||
auth requisite pam_deny.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
|
|
||||||
#
|
|
||||||
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
|
|
||||||
account [success=1 default=ignore] pam_ldap.so
|
|
||||||
account requisite pam_deny.so
|
|
||||||
account required pam_permit.so
|
|
||||||
|
|
||||||
#
|
|
||||||
password [success=1 default=ignore] pam_unix.so obscure sha512
|
|
||||||
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
|
|
||||||
password requisite pam_deny.so
|
|
||||||
password required pam_permit.so
|
|
||||||
|
|
||||||
#
|
|
||||||
session [default=1] pam_permit.so
|
|
||||||
session requisite pam_deny.so
|
|
||||||
session required pam_permit.so
|
|
||||||
session optional pam_umask.so
|
|
||||||
session required pam_unix.so
|
|
||||||
session optional pam_ldap.so
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
- name: Reload nginx
|
|
||||||
service: name=nginx state=reloaded
|
|
||||||
|
|
||||||
- name: Restart nginx
|
|
||||||
service: name=nginx state=restarted
|
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
---
|
|
||||||
- block:
|
|
||||||
- name: Install the python passlib library
|
|
||||||
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
|
|
||||||
|
|
||||||
- name: Create the htpasswd file needed by the basic auth
|
|
||||||
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
|
|
||||||
with_items: '{{ nginx_basic_auth_users }}'
|
|
||||||
|
|
||||||
when: nginx_basic_auth
|
|
||||||
tags: nginx
|
|
||||||
|
|
|
@ -1,21 +0,0 @@
|
||||||
---
|
|
||||||
- import_tasks: nginx.yml
|
|
||||||
- import_tasks: nginx-config.yml
|
|
||||||
- import_tasks: nginx-virtualhosts.yml
|
|
||||||
when: nginx_use_common_virthost
|
|
||||||
- import_tasks: nginx-letsencrypt.yml
|
|
||||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
|
||||||
- import_tasks: basic-auth.yml
|
|
||||||
- import_tasks: pam-ldap.yml
|
|
||||||
|
|
||||||
- name: Ensure that the webserver is running and enabled at boot time
|
|
||||||
service: name=nginx state=started enabled=yes
|
|
||||||
when: nginx_enabled
|
|
||||||
ignore_errors: True
|
|
||||||
tags: nginx
|
|
||||||
|
|
||||||
- name: Ensure that the webserver is stopped and disabled
|
|
||||||
service: name=nginx state=stopped enabled=no
|
|
||||||
when: not nginx_enabled
|
|
||||||
ignore_errors: True
|
|
||||||
tags: nginx
|
|
|
@ -1,29 +0,0 @@
|
||||||
---
|
|
||||||
- block:
|
|
||||||
- name: Create the snippets directory
|
|
||||||
file: dest={{ nginx_snippets_dir }} state=directory
|
|
||||||
|
|
||||||
- name: Create the pki directory
|
|
||||||
file: dest={{ {{ pki_dir }}/nginx }} state=directory
|
|
||||||
|
|
||||||
- name: Create a dhparams file 2048 bits long
|
|
||||||
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
|
|
||||||
args:
|
|
||||||
creates: '{{ pki_dir }}/nginx/dhparams.pem'
|
|
||||||
when: nginx_ssl_level == 'intermediate'
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Install the supported configuration snippets
|
|
||||||
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
|
|
||||||
with_items: '{{ nginx_conf_snippets }}'
|
|
||||||
|
|
||||||
- name: Install the main nginx.conf
|
|
||||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Remove the old configuration snippets
|
|
||||||
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
|
|
||||||
with_items: '{{ nginx_old_snippets }}'
|
|
||||||
|
|
||||||
when: nginx_enabled
|
|
||||||
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
|
|
@ -1,20 +0,0 @@
|
||||||
---
|
|
||||||
- block:
|
|
||||||
- name: Create the acme hooks directory if it does not yet exist
|
|
||||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
|
||||||
|
|
||||||
- name: Install a letsencrypt hook for nginx
|
|
||||||
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
|
|
||||||
|
|
||||||
when:
|
|
||||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
|
||||||
- nginx_letsencrypt_managed
|
|
||||||
tags: [ 'nginx', 'letsencrypt' ]
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Remove the letsencrypt hook for nginx
|
|
||||||
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
|
|
||||||
|
|
||||||
when: not nginx_letsencrypt_managed
|
|
||||||
tags: [ 'nginx', 'letsencrypt' ]
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install the nginx virtualhost files
|
|
||||||
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
|
|
||||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
|
||||||
notify: Reload nginx
|
|
||||||
tags: [ 'nginx', 'virtualhost' ]
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install the nginx web server
|
|
||||||
yum: pkg={{ item }} state={{ nginx_package_state }}
|
|
||||||
with_items:
|
|
||||||
- nginx
|
|
||||||
tags: nginx
|
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install pam service for nginx
|
|
||||||
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
|
|
||||||
notify: Reload nginx
|
|
||||||
when: nginx_use_ldap_pam_auth
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
# The distinguished name of the search base.
|
|
||||||
base {{ nginx_ldap_base_dn }}
|
|
||||||
|
|
||||||
# Another way to specify your LDAP server is to provide an
|
|
||||||
uri {{ nginx_ldap_uri }}
|
|
||||||
if {% nginx_ldap_login_attribute is defined %}
|
|
||||||
pam_login_attribute {{ nginx_ldap_login_attribute }}
|
|
||||||
{% endif %}
|
|
||||||
if {% nginx_ldap_pam_groupdn is defined %}
|
|
||||||
pam_groupdn
|
|
||||||
{% endif %}
|
|
||||||
# The LDAP version to use (defaults to 3
|
|
||||||
# if supported by client library)
|
|
||||||
ldap_version 3
|
|
||||||
|
|
||||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
|
|
@ -1,9 +0,0 @@
|
||||||
# Include this one inside a "server" directive listening on port 80, this way:
|
|
||||||
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
|
||||||
location ^~ /.well-known/acme-challenge {
|
|
||||||
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
|
|
||||||
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
|
|
||||||
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,27 +0,0 @@
|
||||||
# include inside a 'server' directive
|
|
||||||
#
|
|
||||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
|
||||||
expires {{ nginx_html_cache_expire }};
|
|
||||||
}
|
|
||||||
|
|
||||||
{% if nginx_feed_cache_expire_enabled %}
|
|
||||||
#
|
|
||||||
location ~* \.(?:rss|atom)$ {
|
|
||||||
expires {{ nginx_feed_cache_expire }};
|
|
||||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
|
||||||
}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
#
|
|
||||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
|
||||||
expires {{ nginx_media_cache_expire }};
|
|
||||||
access_log off;
|
|
||||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
location ~* \.(?:css|js)$ {
|
|
||||||
expires {{ nginx_css_js_cache_expire }};
|
|
||||||
access_log off;
|
|
||||||
add_header Cache-Control "{{ nginx_cache_control }}";
|
|
||||||
}
|
|
|
@ -1,6 +0,0 @@
|
||||||
gzip_vary {{ nginx_gzip_vary }};
|
|
||||||
gzip_proxied {{ nginx_gzip_proxied }};
|
|
||||||
gzip_comp_level {{ nginx_gzip_comp_level }};
|
|
||||||
gzip_buffers {{ nginx_gzip_buffers }};
|
|
||||||
gzip_http_version {{ nginx_gzip_http_version }};
|
|
||||||
gzip_types {{ nginx_gzip_types }};
|
|
|
@ -1,60 +0,0 @@
|
||||||
{% if nginx_cors_extended_rules %}
|
|
||||||
if ($request_method = 'OPTIONS') {
|
|
||||||
{% if nginx_cors_limit_origin %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
|
||||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
|
||||||
{% else %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
{% endif %}
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
||||||
#
|
|
||||||
# Custom headers and headers various browsers *should* be OK with but aren't
|
|
||||||
#
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
||||||
#
|
|
||||||
# Tell client that this pre-flight info is valid for 20 days
|
|
||||||
#
|
|
||||||
add_header 'Access-Control-Max-Age' 1728000;
|
|
||||||
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
|
||||||
add_header 'Content-Length' 0;
|
|
||||||
return 204;
|
|
||||||
}
|
|
||||||
if ($request_method = 'POST') {
|
|
||||||
{% if nginx_cors_limit_origin %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
|
||||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
|
||||||
{% else %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
{% endif %}
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
||||||
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
||||||
}
|
|
||||||
if ($request_method = 'GET') {
|
|
||||||
{% if nginx_cors_limit_origin %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
|
||||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
|
||||||
{% else %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
{% endif %}
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
||||||
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
|
||||||
}
|
|
||||||
{% else %}
|
|
||||||
{% if nginx_cors_limit_origin %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
|
||||||
add_header 'Access-Control-Allow-Credentials' 'true';
|
|
||||||
{% else %}
|
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
|
||||||
{% endif %}
|
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
|
|
||||||
{% if nginx_cors_limit_origin %}
|
|
||||||
}
|
|
||||||
if ($request_method = 'OPTIONS') {
|
|
||||||
return 204;
|
|
||||||
}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
# Proxy stuff
|
|
||||||
# include /etc/nginx/snippets/nginx-proxy-params.conf;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
{% if haproxy_ips is defined %}
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Host $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
{% else %}
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
{% if nginx_define_x_real_ip %}
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_buffering {{ nginx_proxy_buffering }};
|
|
||||||
proxy_buffer_size {{ nginx_proxy_buffer_size }};
|
|
||||||
proxy_buffers {{ nginx_proxy_buffers }};
|
|
||||||
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
|
|
||||||
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
|
|
||||||
proxy_redirect {{ nginx_proxy_redirect }};
|
|
||||||
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
|
|
||||||
proxy_read_timeout {{ nginx_proxy_read_timeout }};
|
|
||||||
proxy_send_timeout {{ nginx_proxy_send_timeout }};
|
|
|
@ -1,24 +0,0 @@
|
||||||
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
|
||||||
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
|
|
||||||
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
|
|
||||||
{% else %}
|
|
||||||
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
|
|
||||||
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
|
|
||||||
{% endif %}
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_session_timeout 10m;
|
|
||||||
{% if nginx_ssl_level == 'intermediate' %}
|
|
||||||
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
|
||||||
{% endif %}
|
|
||||||
{% if nginx_ssl_level == 'modern' %}
|
|
||||||
ssl_session_tickets off;
|
|
||||||
# modern configuration. tweak to your needs.
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
||||||
{% endif %}
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
add_header Strict-Transport-Security max-age=15768000;
|
|
|
@ -1,184 +0,0 @@
|
||||||
server {
|
|
||||||
listen {{ item.http_port | default (80) }};
|
|
||||||
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
|
||||||
{% if letsencrypt_acme_install %}
|
|
||||||
include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.access_log is defined %}
|
|
||||||
access_log {{ item.access_log }};
|
|
||||||
{% else %}
|
|
||||||
access_log /var/log/nginx/{{ item.server_name }}_access.log;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.error_log is defined %}
|
|
||||||
error_log {{ item.error_log }};
|
|
||||||
{% else %}
|
|
||||||
error_log /var/log/nginx/{{ item.server_name }}_error.log;
|
|
||||||
{% endif %}
|
|
||||||
server_tokens {{ item.server_tokens | default('off') }};
|
|
||||||
{% if item.ssl_enabled and item.ssl_only %}
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ item.server_name }}$request_uri;
|
|
||||||
}
|
|
||||||
{% else %}
|
|
||||||
# This is the default for nginx on Ubuntu 14.04
|
|
||||||
root {{ item.root | default('/usr/share/nginx/html/') }};
|
|
||||||
index {{ item.index | default('index.html index.htm') }};
|
|
||||||
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
|
||||||
location = /50x.html {
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
}
|
|
||||||
location = /favicon.ico {
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
location = /robots.txt {
|
|
||||||
allow all;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
{% if haproxy_ips is defined %}
|
|
||||||
# We are behind haproxy
|
|
||||||
{% for ip in haproxy_ips %}
|
|
||||||
set_real_ip_from {{ ip }};
|
|
||||||
{% endfor %}
|
|
||||||
real_ip_header X-Forwarded-For;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.max_body is defined %}
|
|
||||||
client_max_body_size {{ item.max_body }};
|
|
||||||
{% else %}
|
|
||||||
client_max_body_size {{ nginx_client_max_body_size }};
|
|
||||||
{% endif %}
|
|
||||||
{% if item.body_timeout is defined %}
|
|
||||||
client_body_timeout {{ item.body_timeout }};
|
|
||||||
{% else %}
|
|
||||||
client_body_timeout {{ nginx_client_body_timeout }};
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if item.additional_options is defined %}
|
|
||||||
{% for add_opt in item.additional_options %}
|
|
||||||
|
|
||||||
{{ add_opt }};
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if item.websockets is defined and item.websockets %}
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
|
||||||
# Proxy stuff
|
|
||||||
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
|
||||||
{% if item.proxy_additional_options is defined %}
|
|
||||||
{% for popt in item.proxy_additional_options %}
|
|
||||||
{{ popt }};
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.locations is defined %}
|
|
||||||
{% for location in item.locations %}
|
|
||||||
location {{ location.location }} {
|
|
||||||
{% if location.target is defined %}
|
|
||||||
proxy_pass {{ location.target }};
|
|
||||||
{% endif %}
|
|
||||||
{% if location.extra_conf is defined %}
|
|
||||||
{{ location.extra_conf }}
|
|
||||||
{% endif %}
|
|
||||||
{% if location.other_opts is defined %}
|
|
||||||
{% for opt in location.other_opts %}
|
|
||||||
{{ opt }};
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.extra_parameters is defined %}
|
|
||||||
{{ item.extra_parameters }}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
{% if item.ssl_enabled %}
|
|
||||||
server {
|
|
||||||
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
|
|
||||||
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
|
||||||
{% if item.access_log is defined %}
|
|
||||||
access_log {{ item.access_log }};
|
|
||||||
{% else %}
|
|
||||||
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.error_log is defined %}
|
|
||||||
error_log {{ item.error_log }};
|
|
||||||
{% else %}
|
|
||||||
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
|
|
||||||
{% endif %}
|
|
||||||
root {{ item.root | default('/usr/share/nginx/html/') }};
|
|
||||||
index {{ item.index | default('index.html index.htm') }};
|
|
||||||
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
|
||||||
location = /50x.html {
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
}
|
|
||||||
location = /favicon.ico {
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
location = /robots.txt {
|
|
||||||
allow all;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
{% if haproxy_ips is defined %}
|
|
||||||
# We are behind haproxy
|
|
||||||
{% for ip in haproxy_ips %}
|
|
||||||
set_real_ip_from {{ ip }};
|
|
||||||
{% endfor %}
|
|
||||||
real_ip_header X-Forwarded-For;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.max_body is defined %}
|
|
||||||
client_max_body_size {{ item.max_body }};
|
|
||||||
{% else %}
|
|
||||||
client_max_body_size {{ nginx_client_max_body_size }};
|
|
||||||
{% endif %}
|
|
||||||
{% if item.body_timeout is defined %}
|
|
||||||
client_body_timeout {{ item.body_timeout }};
|
|
||||||
{% else %}
|
|
||||||
client_body_timeout {{ nginx_client_body_timeout }};
|
|
||||||
{% endif %}
|
|
||||||
server_tokens {{ item.server_tokens | default('off') }};
|
|
||||||
|
|
||||||
include /etc/nginx/snippets/nginx-server-ssl.conf;
|
|
||||||
|
|
||||||
{% if item.websockets is defined and item.websockets %}
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection $connection_upgrade;
|
|
||||||
{% endif %}
|
|
||||||
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
|
||||||
# Proxy stuff
|
|
||||||
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
|
||||||
{% if item.proxy_additional_options is defined %}
|
|
||||||
{% for popt in item.proxy_additional_options %}
|
|
||||||
{{ popt }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.locations is defined %}
|
|
||||||
{% for location in item.locations %}
|
|
||||||
location {{ location.location }} {
|
|
||||||
{% if location.target is defined %}
|
|
||||||
proxy_pass {{ location.target }};
|
|
||||||
{% endif %}
|
|
||||||
{% if location.other_opts is defined %}
|
|
||||||
{% for opt in location.other_opts %}
|
|
||||||
{{ opt }};
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{% if item.extra_parameters is defined %}
|
|
||||||
{{ item.extra_parameters }}
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
|
|
||||||
{% endif %}
|
|
|
@ -1,4 +0,0 @@
|
||||||
map $http_upgrade $connection_upgrade {
|
|
||||||
default upgrade;
|
|
||||||
'' close;
|
|
||||||
}
|
|
|
@ -1,102 +0,0 @@
|
||||||
# For more information on configuration, see:
|
|
||||||
# * Official English Documentation: http://nginx.org/en/docs/
|
|
||||||
# * Official Russian Documentation: http://nginx.org/ru/docs/
|
|
||||||
|
|
||||||
user nginx;
|
|
||||||
worker_processes auto;
|
|
||||||
error_log /var/log/nginx/error.log;
|
|
||||||
pid /run/nginx.pid;
|
|
||||||
|
|
||||||
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
|
|
||||||
include /usr/share/nginx/modules/*.conf;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections {{ nginx_worker_connections }};
|
|
||||||
multi_accept {{ nginx_multi_accept }};
|
|
||||||
}
|
|
||||||
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
|
|
||||||
|
|
||||||
http {
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
tcp_nodelay on;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
types_hash_max_size 2048;
|
|
||||||
server_tokens {{ nginx_server_tokens }};
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
large_client_header_buffers {{ nginx_large_client_header_buffers }};
|
|
||||||
|
|
||||||
{% if nginx_enable_compression %}
|
|
||||||
include /etc/nginx/snippets/nginx-compression.conf;
|
|
||||||
{% endif %}
|
|
||||||
{% if nginx_websockets_support %}
|
|
||||||
include /etc/nginx/snippets/nginx-websockets.conf;
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
|
||||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
|
||||||
# for more information.
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
|
|
||||||
# server {
|
|
||||||
# listen 80 default_server;
|
|
||||||
# listen [::]:80 default_server;
|
|
||||||
# server_name _;
|
|
||||||
# root /usr/share/nginx/html;
|
|
||||||
|
|
||||||
# # Load configuration files for the default server block.
|
|
||||||
# include /etc/nginx/default.d/*.conf;
|
|
||||||
|
|
||||||
# location / {
|
|
||||||
# }
|
|
||||||
|
|
||||||
# error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
# }
|
|
||||||
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
|
||||||
# location = /50x.html {
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
|
|
||||||
# Settings for a TLS enabled server.
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen 443 ssl http2 default_server;
|
|
||||||
# listen [::]:443 ssl http2 default_server;
|
|
||||||
# server_name _;
|
|
||||||
# root /usr/share/nginx/html;
|
|
||||||
#
|
|
||||||
# ssl_certificate "/etc/pki/nginx/server.crt";
|
|
||||||
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
|
||||||
# ssl_session_cache shared:SSL:1m;
|
|
||||||
# ssl_session_timeout 10m;
|
|
||||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
# ssl_prefer_server_ciphers on;
|
|
||||||
#
|
|
||||||
# # Load configuration files for the default server block.
|
|
||||||
# include /etc/nginx/default.d/*.conf;
|
|
||||||
#
|
|
||||||
# location / {
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# error_page 404 /404.html;
|
|
||||||
# location = /40x.html {
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# error_page 500 502 503 504 /50x.html;
|
|
||||||
# location = /50x.html {
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -6,8 +6,6 @@ nginx_package_state: present
|
||||||
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
nginx_ssl_level: intermediate
|
nginx_ssl_level: intermediate
|
||||||
|
|
||||||
#nginx_virthosts: []
|
|
||||||
|
|
||||||
nginx_snippets_dir: /etc/nginx/snippets
|
nginx_snippets_dir: /etc/nginx/snippets
|
||||||
|
|
||||||
nginx_conf_snippets:
|
nginx_conf_snippets:
|
||||||
|
|
|
@ -1,7 +1,12 @@
|
||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
- name: Install the python passlib library
|
- name: Install the python passlib library on deb based distributions
|
||||||
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
|
apt: pkg=python-passlib state=present cache_valid_time=3600
|
||||||
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
|
||||||
|
- name: Install the python passlib library on RH based distributions
|
||||||
|
yum: pkg=python-passlib state=present
|
||||||
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
|
|
||||||
- name: Create the htpasswd file needed by the basic auth
|
- name: Create the htpasswd file needed by the basic auth
|
||||||
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
|
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
---
|
---
|
||||||
- import_tasks: nginx.yml
|
- import_tasks: nginx-deb.yml
|
||||||
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
- import_tasks: nginx-rh.yml
|
||||||
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
- import_tasks: nginx-config.yml
|
- import_tasks: nginx-config.yml
|
||||||
- import_tasks: nginx-virtualhosts.yml
|
- import_tasks: nginx-virtualhosts.yml
|
||||||
when: nginx_use_common_virthost
|
when: nginx_use_common_virthost | bool
|
||||||
- import_tasks: nginx-letsencrypt.yml
|
- import_tasks: nginx-letsencrypt.yml
|
||||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||||
- import_tasks: basic-auth.yml
|
- import_tasks: basic-auth.yml
|
||||||
|
|
|
@ -17,10 +17,6 @@
|
||||||
when: nginx_ssl_level == 'intermediate'
|
when: nginx_ssl_level == 'intermediate'
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
- name: remove nginx default virtualhost
|
|
||||||
file: dest=/etc/nginx/sites-enabled/default state=absent
|
|
||||||
notify: Reload nginx
|
|
||||||
|
|
||||||
- name: Install the supported configuration snippets
|
- name: Install the supported configuration snippets
|
||||||
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
|
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
|
||||||
with_items: '{{ nginx_conf_snippets }}'
|
with_items: '{{ nginx_conf_snippets }}'
|
||||||
|
@ -35,5 +31,15 @@
|
||||||
with_items: '{{ nginx_old_snippets }}'
|
with_items: '{{ nginx_old_snippets }}'
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
when: nginx_enabled
|
when: nginx_enabled | bool
|
||||||
|
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: remove nginx default virtualhost
|
||||||
|
file: dest=/etc/nginx/sites-enabled/default state=absent
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
when:
|
||||||
|
- nginx_enabled | bool
|
||||||
|
- ansible_distribution_file_variety == "Debian"
|
||||||
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the Ubuntu PPA for nginx
|
||||||
|
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
|
||||||
|
when:
|
||||||
|
- nginx_use_ppa
|
||||||
|
- "'{{ ansible_distribution }}' == 'Ubuntu'"
|
||||||
|
tags: [ 'nginx', 'nginx_ppa' ]
|
||||||
|
|
||||||
|
- name: Install the nginx web server
|
||||||
|
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
|
||||||
|
when:
|
||||||
|
- not nginx_use_ldap_pam_auth
|
||||||
|
- ansible_distribution_major_version <= '14'
|
||||||
|
|
||||||
|
- name: Install the nginx web server if we need ldap auth via pam
|
||||||
|
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
|
||||||
|
when:
|
||||||
|
- nginx_use_ldap_pam_auth
|
||||||
|
- ansible_distribution_major_version <= '14'
|
||||||
|
|
||||||
|
- name: Install the nginx web server on Ubuntu >= 16.04
|
||||||
|
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
|
||||||
|
when: ansible_distribution_major_version >= '16'
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
tags: nginx
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the nginx web server
|
||||||
|
yum: pkg=nginx state={{ nginx_package_state }}
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
|
tags: nginx
|
|
@ -4,6 +4,10 @@
|
||||||
file: dest={{ nginx_webroot }} state=directory mode=0755
|
file: dest={{ nginx_webroot }} state=directory mode=0755
|
||||||
when: nginx_webroot != '/usr/share/nginx/html'
|
when: nginx_webroot != '/usr/share/nginx/html'
|
||||||
|
|
||||||
|
tags: [ 'nginx', 'virtualhost' ]
|
||||||
|
|
||||||
|
- name: Install and enable the nginx virtualhost files on Deb based systems
|
||||||
|
block:
|
||||||
- name: Install the nginx virtualhost files
|
- name: Install the nginx virtualhost files
|
||||||
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
|
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
|
||||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||||
|
@ -14,4 +18,15 @@
|
||||||
with_items: '{{ nginx_virthosts | default(omit) }}'
|
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
tags: [ 'nginx', 'virtualhost' ]
|
||||||
|
|
||||||
|
- name: Install and enable the nginx virtualhost files on RH based systems
|
||||||
|
block:
|
||||||
|
- name: Install the nginx virtualhost files
|
||||||
|
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
|
||||||
|
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
tags: [ 'nginx', 'virtualhost' ]
|
tags: [ 'nginx', 'virtualhost' ]
|
||||||
|
|
|
@ -1,26 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install the Ubuntu PPA for nginx
|
|
||||||
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
|
|
||||||
when:
|
|
||||||
- nginx_use_ppa
|
|
||||||
- "'{{ ansible_distribution }}' == 'Ubuntu'"
|
|
||||||
tags: [ 'nginx', 'nginx_ppa' ]
|
|
||||||
|
|
||||||
- name: Install the nginx web server
|
|
||||||
apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
|
|
||||||
when:
|
|
||||||
- not nginx_use_ldap_pam_auth
|
|
||||||
- ansible_distribution_major_version <= '14'
|
|
||||||
tags: nginx
|
|
||||||
|
|
||||||
- name: Install the nginx web server if we need ldap auth via pam
|
|
||||||
apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
|
|
||||||
when:
|
|
||||||
- nginx_use_ldap_pam_auth
|
|
||||||
- ansible_distribution_major_version <= '14'
|
|
||||||
tags: nginx
|
|
||||||
|
|
||||||
- name: Install the nginx web server on Ubuntu >= 16.04
|
|
||||||
apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
|
|
||||||
when: ansible_distribution_major_version >= '16'
|
|
||||||
tags: nginx
|
|
|
@ -3,6 +3,5 @@
|
||||||
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
|
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
when: nginx_use_ldap_pam_auth
|
when: nginx_use_ldap_pam_auth
|
||||||
tags:
|
tags: nginx
|
||||||
- nginx
|
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,21 @@
|
||||||
user www-data;
|
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
{% if nginx_use_ppa %}
|
{% if ansible_distribution_file_variety == "Debian" %}
|
||||||
|
user www-data;
|
||||||
|
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
|
||||||
worker_processes auto;
|
worker_processes auto;
|
||||||
include /etc/nginx/modules-enabled/*.conf;
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
{% else %}
|
{% else %}
|
||||||
worker_processes {{ nginx_workers }};
|
worker_processes {{ nginx_workers }};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if ansible_distribution_file_variety == "RedHat" %}
|
||||||
|
user nginx;
|
||||||
|
worker_processes auto;
|
||||||
|
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
|
||||||
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections {{ nginx_worker_connections }};
|
worker_connections {{ nginx_worker_connections }};
|
||||||
|
@ -14,6 +24,9 @@ events {
|
||||||
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
|
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
|
@ -31,13 +44,20 @@ http {
|
||||||
access_log /var/log/nginx/access.log;
|
access_log /var/log/nginx/access.log;
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
{% if nginx_enable_compression %}
|
{% if nginx_enable_compression %}
|
||||||
include /etc/nginx/snippets/nginx-compression.conf;
|
include /etc/nginx/snippets/nginx-compression.conf;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if nginx_websockets_support %}
|
{% if nginx_websockets_support %}
|
||||||
include /etc/nginx/snippets/nginx-websockets.conf;
|
include /etc/nginx/snippets/nginx-websockets.conf;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
}
|
|
||||||
|
|
||||||
|
{% if ansible_distribution_file_variety == "RedHat" %}
|
||||||
|
# Load configuration files for the default server block.
|
||||||
|
include /etc/nginx/default.d/*.conf;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if ansible_distribution_file_variety == "Debian" %}
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue