debfranca
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' of adellam/ansible-roles into master

This commit is contained in:
Andrea Dell'Amico 2020-01-22 14:38:00 +01:00 committed by Gitea
parent 2d3430000b 5c6253e917
commit 2e6f87a097
32 changed files with 100 additions and 778 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
library/bootstrap-roles/centos-common/meta/main.yml
View File

@ -1,7 +1,7 @@
---
dependencies:
- role: '../../library/centos/roles/centos-bootstrap'
- role: '../../library/centos/roles/rsyslog'
- role: '../../library/roles/rsyslog'
- role: '../../library/roles/dell-server-utilities'
- role: '../../library/roles/sshd_config'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }

113
library/centos/roles/nginx/defaults/main.yml
View File

@ -1,113 +0,0 @@
---
nginx_enabled: True
nginx_package_state: installed
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_default_conf_dir: /etc/nginx/default.d
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Use 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl http2
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# proxies:
# - location: /
# target: http://localhost:{{ local_http_port }};
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }

25
library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0

26
library/centos/roles/nginx/files/nginx.pam
View File

@ -1,26 +0,0 @@
#
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
#
password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
#
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so

7
library/centos/roles/nginx/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted

12
library/centos/roles/nginx/tasks/basic-auth.yml
View File

@ -1,12 +0,0 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx

21
library/centos/roles/nginx/tasks/main.yml
View File

@ -1,21 +0,0 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx

29
library/centos/roles/nginx/tasks/nginx-config.yml
View File

@ -1,29 +0,0 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ {{ pki_dir }}/nginx }} state=directory
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
when: nginx_enabled
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

20
library/centos/roles/nginx/tasks/nginx-letsencrypt.yml
View File

@ -1,20 +0,0 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]

7
library/centos/roles/nginx/tasks/nginx-virtualhosts.yml
View File

@ -1,7 +0,0 @@
---
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]

7
library/centos/roles/nginx/tasks/nginx.yml
View File

@ -1,7 +0,0 @@
---
- name: Install the nginx web server
yum: pkg={{ item }} state={{ nginx_package_state }}
with_items:
- nginx
tags: nginx

8
library/centos/roles/nginx/tasks/pam-ldap.yml
View File

@ -1,8 +0,0 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx

16
library/centos/roles/nginx/templates/ldap.conf.j2
View File

@ -1,16 +0,0 @@
# The distinguished name of the search base.
base {{ nginx_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
uri {{ nginx_ldap_uri }}
if {% nginx_ldap_login_attribute is defined %}
pam_login_attribute {{ nginx_ldap_login_attribute }}
{% endif %}
if {% nginx_ldap_pam_groupdn is defined %}
pam_groupdn
{% endif %}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data

9
library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2
View File

@ -1,9 +0,0 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}

27
library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2
View File

@ -1,27 +0,0 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}

6
library/centos/roles/nginx/templates/nginx-compression.conf.j2
View File

@ -1,6 +0,0 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};

60
library/centos/roles/nginx/templates/nginx-cors.conf.j2
View File

@ -1,60 +0,0 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
{% if nginx_cors_limit_origin %}
}
if ($request_method = 'OPTIONS') {
return 204;
}
{% endif %}
{% endif %}

25
library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2
View File

@ -1,25 +0,0 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};

24
library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2
View File

@ -1,24 +0,0 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if nginx_ssl_level == 'intermediate' %}
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

184
library/centos/roles/nginx/templates/nginx-virthost.j2
View File

@ -1,184 +0,0 @@
server {
listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
# This is the default for nginx on Ubuntu 14.04
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}

4
library/centos/roles/nginx/templates/nginx-websockets.conf.j2
View File

@ -1,4 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

102
library/centos/roles/nginx/templates/nginx.conf.j2
View File

@ -1,102 +0,0 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections {{ nginx_worker_connections }};
multi_accept {{ nginx_multi_accept }};
}
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens {{ nginx_server_tokens }};
include /etc/nginx/mime.types;
default_type application/octet-stream;
large_client_header_buffers {{ nginx_large_client_header_buffers }};
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

2
library/roles/nginx/defaults/main.yml
View File

@ -6,8 +6,6 @@ nginx_package_state: present
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
#nginx_virthosts: []
nginx_snippets_dir: /etc/nginx/snippets
nginx_conf_snippets:

11
library/roles/nginx/tasks/basic-auth.yml
View File

@ -1,8 +1,13 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Install the python passlib library on deb based distributions
apt: pkg=python-passlib state=present cache_valid_time=3600
when: ansible_distribution_file_variety == "Debian"
- name: Install the python passlib library on RH based distributions
yum: pkg=python-passlib state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'

7
library/roles/nginx/tasks/main.yml
View File

@ -1,8 +1,11 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-deb.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: nginx-rh.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
when: nginx_use_common_virthost | bool
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml

16
library/roles/nginx/tasks/nginx-config.yml
View File

@ -17,10 +17,6 @@
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
@ -35,5 +31,15 @@
with_items: '{{ nginx_old_snippets }}'
notify: Reload nginx
when: nginx_enabled
when: nginx_enabled | bool
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
- block:
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
when:
- nginx_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

27
library/roles/nginx/tasks/nginx-deb.yml Normal file
View File

@ -0,0 +1,27 @@
---
- block:
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
when: ansible_distribution_file_variety == "Debian"
tags: nginx

7
library/roles/nginx/tasks/nginx-rh.yml Normal file
View File

@ -0,0 +1,7 @@
---
- block:
- name: Install the nginx web server
yum: pkg=nginx state={{ nginx_package_state }}
when: ansible_distribution_file_variety == "RedHat"
tags: nginx

15
library/roles/nginx/tasks/nginx-virtualhosts.yml
View File

@ -4,6 +4,10 @@
file: dest={{ nginx_webroot }} state=directory mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on Deb based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
@ -14,4 +18,15 @@
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on RH based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'nginx', 'virtualhost' ]

26
library/roles/nginx/tasks/nginx.yml
View File

@ -1,26 +0,0 @@
---
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
tags: nginx

3
library/roles/nginx/tasks/pam-ldap.yml
View File

@ -3,6 +3,5 @@
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx
tags: nginx

30
library/roles/nginx/templates/nginx.conf.j2
View File

@ -1,11 +1,21 @@
user www-data;
pid /run/nginx.pid;
{% if nginx_use_ppa %}
{% if ansible_distribution_file_variety == "Debian" %}
user www-data;
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
{% else %}
worker_processes {{ nginx_workers }};
{% endif %}
{% endif %}
{% if ansible_distribution_file_variety == "RedHat" %}
user nginx;
worker_processes auto;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
{% endif %}
events {
worker_connections {{ nginx_worker_connections }};
@ -14,6 +24,9 @@ events {
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
@ -31,13 +44,20 @@ http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/conf.d/*.conf;
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
include /etc/nginx/sites-enabled/*;
}
include /etc/nginx/conf.d/*.conf;
{% if ansible_distribution_file_variety == "RedHat" %}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
{% endif %}
{% if ansible_distribution_file_variety == "Debian" %}
include /etc/nginx/sites-enabled/*;
{% endif %}
}