diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml
index ccac7dc3..861006ce 100644
--- a/library/bootstrap-roles/centos-common/meta/main.yml
+++ b/library/bootstrap-roles/centos-common/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 dependencies:
 - role: '../../library/centos/roles/centos-bootstrap'
- - role: '../../library/centos/roles/rsyslog'
+ - role: '../../library/roles/rsyslog'
 - role: '../../library/roles/dell-server-utilities'
 - role: '../../library/roles/sshd_config'
 - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
diff --git a/library/centos/roles/nginx/defaults/main.yml b/library/centos/roles/nginx/defaults/main.yml
deleted file mode 100644
index 37a3569a..00000000
--- a/library/centos/roles/nginx/defaults/main.yml
+++ /dev/null
@@ -1,113 +0,0 @@ ---- -nginx_enabled: True -nginx_package_state: installed -# See https://mozilla.github.io/server-side-tls/ssl-config-generator/ -nginx_ssl_level: intermediate - -nginx_snippets_dir: /etc/nginx/snippets -nginx_default_conf_dir: /etc/nginx/default.d - -nginx_conf_snippets: - - nginx-compression.conf - - nginx-websockets.conf - - nginx-browser-cache.conf - - letsencrypt-proxy.conf - - nginx-proxy-params.conf - - nginx-server-ssl.conf - - nginx-cors.conf - -nginx_old_snippets: - - compression.conf - -nginx_workers: 4 -nginx_worker_connections: 1024 -nginx_multi_accept: 'off' -nginx_worker_rlimit_nofile: 2048 -nginx_server_tokens: 'off' - -nginx_large_client_header_buffers: 4 8k - -nginx_enable_compression: True -nginx_gzip_vary: "on" -nginx_gzip_proxied: any -nginx_gzip_comp_level: 6 -nginx_gzip_buffers: 16 8k -nginx_gzip_http_version: 1.1 -nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript" - -nginx_enable_browser_cache: True -nginx_cache_control: public -nginx_html_cache_expire: -1 -nginx_feed_cache_expire_enabled: False -nginx_feed_cache_expire: 1h -nginx_media_cache_expire: 1M -nginx_css_js_cache_expire: -1 - -nginx_reverse_proxy: False -nginx_define_x_real_ip: False -nginx_proxy_buffering: "on" -nginx_proxy_redirect: "off" -nginx_proxy_buffer_size: 128k -nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}' -nginx_proxy_busy_buffers_size: 256k -nginx_proxy_connect_timeout: 30s -nginx_proxy_read_timeout: 480s -nginx_proxy_send_timeout: 120s -nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}' -nginx_client_max_body_size: 100M -nginx_client_body_timeout: 240s - -nginx_cors_limit_origin: True -nginx_cors_extended_rules: False -nginx_cors_acl_origin: 'http?://(localhost)' - -# Find a set of acceptable defaults for the cache setup -nginx_cache_enabled: False - -nginx_use_ldap_pam_auth: False -nginx_pam_svc_name: nginx 
-nginx_ldap_uri: "ldap://ldap.example.org" -nginx_ldap_base_dn: "dc=example,dc=org" -nginx_basic_auth: False -nginx_basic_auth_users: - - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' } -# nginx_ldap_login_attribute: uid -# nginx_ldap_pam_groupdn: -nginx_letsencrypt_managed: True -nginx_websockets_support: False -nginx_use_common_virthost: False -# Use 'ssl http2' if the nginx version supports it -nginx_ssl_type: ssl http2 -# When we do not use letsencrypt: -# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt' -# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key' - -# Virtualhost example -# nginx_virthosts: -# - virthost_name: '{{ ansible_fqdn }}' -# listen: '{{ http_port }}' -# server_name: '{{ ansible_fqdn }}' -# server_aliases: '' -# index: index.html -# error_page: /path_to_error_page.html -# ssl_enabled: False -# ssl_only: False -# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}' -# root: /usr/share/nginx/html/ -# server_tokens: 'off' -# proxy_standard_setup: True -# proxy_additional_options: -# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;' -# proxies: -# - location: / -# target: http://localhost:{{ local_http_port }}; -# -# extra_parameters: | -# location ~ \.php$ { -# fastcgi_split_path_info ^(.+\.php)(/.+)$; -# fastcgi_pass unix:/var/run/php5-fpm.sock; -# fastcgi_index index.php; -# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# include fastcgi_params; -# } - diff --git a/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh b/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh deleted file mode 100644 index d18314b3..00000000 --- a/library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash - -LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks -LE_LOG_DIR=/var/log/letsencrypt -DATE=$( date ) - -[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR -echo "$DATE" >> $LE_LOG_DIR/nginx.log - -if [ -f /etc/default/letsencrypt ] ; then - . /etc/default/letsencrypt -else - echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log -fi - -echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log -if [ -x /bin/systemctl ] ; then - systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1 -else - service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1 -fi - -echo "Done." >> $LE_LOG_DIR/nginx.log - -exit 0 diff --git a/library/centos/roles/nginx/files/nginx.pam b/library/centos/roles/nginx/files/nginx.pam deleted file mode 100644 index f94005a8..00000000 --- a/library/centos/roles/nginx/files/nginx.pam +++ /dev/null @@ -1,26 +0,0 @@ - -# -auth [success=2 default=ignore] pam_unix.so nullok_secure -auth [success=1 default=ignore] pam_ldap.so -auth requisite pam_deny.so -auth required pam_permit.so - -# -account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=1 default=ignore] pam_ldap.so -account requisite pam_deny.so -account required pam_permit.so - -# -password [success=1 default=ignore] pam_unix.so obscure sha512 -password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass -password requisite pam_deny.so -password required pam_permit.so - -# -session [default=1] pam_permit.so -session requisite pam_deny.so -session required pam_permit.so -session optional pam_umask.so -session required pam_unix.so -session optional pam_ldap.so diff --git a/library/centos/roles/nginx/handlers/main.yml b/library/centos/roles/nginx/handlers/main.yml deleted file mode 100644 index 04c7fb28..00000000 --- a/library/centos/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Reload nginx - service: name=nginx state=reloaded - -- name: Restart nginx - service: name=nginx state=restarted - 
diff --git a/library/centos/roles/nginx/tasks/basic-auth.yml b/library/centos/roles/nginx/tasks/basic-auth.yml deleted file mode 100644 index cdf35c61..00000000 --- a/library/centos/roles/nginx/tasks/basic-auth.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- block: - - name: Install the python passlib library - apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600 - - - name: Create the htpasswd file needed by the basic auth - htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }} - with_items: '{{ nginx_basic_auth_users }}' - - when: nginx_basic_auth - tags: nginx - diff --git a/library/centos/roles/nginx/tasks/main.yml b/library/centos/roles/nginx/tasks/main.yml deleted file mode 100644 index 4bbac35f..00000000 --- a/library/centos/roles/nginx/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- import_tasks: nginx.yml -- import_tasks: nginx-config.yml -- import_tasks: nginx-virtualhosts.yml - when: nginx_use_common_virthost -- import_tasks: nginx-letsencrypt.yml - when: letsencrypt_acme_install is defined and letsencrypt_acme_install -- import_tasks: basic-auth.yml -- import_tasks: pam-ldap.yml - -- name: Ensure that the webserver is running and enabled at boot time - service: name=nginx state=started enabled=yes - when: nginx_enabled - ignore_errors: True - tags: nginx - -- name: Ensure that the webserver is stopped and disabled - service: name=nginx state=stopped enabled=no - when: not nginx_enabled - ignore_errors: True - tags: nginx diff --git a/library/centos/roles/nginx/tasks/nginx-config.yml b/library/centos/roles/nginx/tasks/nginx-config.yml deleted file mode 100644 index d633a41c..00000000 --- a/library/centos/roles/nginx/tasks/nginx-config.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -- block: - - name: Create the snippets directory - file: dest={{ nginx_snippets_dir }} state=directory - - - name: Create the pki directory - file: dest={{ {{ pki_dir }}/nginx }} state=directory - - - name: Create a dhparams file 2048 bits long - shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048 - args: - creates: '{{ pki_dir }}/nginx/dhparams.pem' - when: nginx_ssl_level == 'intermediate' - notify: Reload nginx - - - name: Install the supported configuration snippets - template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444 - with_items: '{{ nginx_conf_snippets }}' - - - name: Install the main nginx.conf - template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444 - notify: Reload nginx - - - name: Remove the old configuration snippets - file: dest=/etc/nginx/conf.d/{{ item }} state=absent - with_items: '{{ nginx_old_snippets }}' - - when: nginx_enabled - tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] diff --git a/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml b/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml deleted file mode 100644 index 2c57d94a..00000000 --- a/library/centos/roles/nginx/tasks/nginx-letsencrypt.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- block: - - name: Create the acme hooks directory if it does not yet exist - file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root - - - name: Install a letsencrypt hook for nginx - copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555 - - when: - - letsencrypt_acme_install is defined and letsencrypt_acme_install - - nginx_letsencrypt_managed - tags: [ 'nginx', 'letsencrypt' ] - -- block: - - name: Remove the letsencrypt hook for nginx - file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent - - when: not nginx_letsencrypt_managed - tags: [ 'nginx', 'letsencrypt' ] - 
diff --git a/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml b/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml deleted file mode 100644 index 8946a579..00000000 --- a/library/centos/roles/nginx/tasks/nginx-virtualhosts.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install the nginx virtualhost files - template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444 - with_items: '{{ nginx_virthosts | default(omit) }}' - notify: Reload nginx - tags: [ 'nginx', 'virtualhost' ] - diff --git a/library/centos/roles/nginx/tasks/nginx.yml b/library/centos/roles/nginx/tasks/nginx.yml deleted file mode 100644 index 23eebb29..00000000 --- a/library/centos/roles/nginx/tasks/nginx.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install the nginx web server - yum: pkg={{ item }} state={{ nginx_package_state }} - with_items: - - nginx - tags: nginx - diff --git a/library/centos/roles/nginx/tasks/pam-ldap.yml b/library/centos/roles/nginx/tasks/pam-ldap.yml deleted file mode 100644 index 9f37f629..00000000 --- a/library/centos/roles/nginx/tasks/pam-ldap.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Install pam service for nginx - copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }} - notify: Reload nginx - when: nginx_use_ldap_pam_auth - tags: - - nginx - diff --git a/library/centos/roles/nginx/templates/ldap.conf.j2 b/library/centos/roles/nginx/templates/ldap.conf.j2 deleted file mode 100644 index b748f415..00000000 --- a/library/centos/roles/nginx/templates/ldap.conf.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -# The distinguished name of the search base. -base {{ nginx_ldap_base_dn }} - -# Another way to specify your LDAP server is to provide an -uri {{ nginx_ldap_uri }} -if {% nginx_ldap_login_attribute is defined %} -pam_login_attribute {{ nginx_ldap_login_attribute }} -{% endif %} -if {% nginx_ldap_pam_groupdn is defined %} -pam_groupdn -{% endif %} -# The LDAP version to use (defaults to 3 -# if supported by client library) -ldap_version 3 - -nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data diff --git a/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 b/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 deleted file mode 100644 index d385cf19..00000000 --- a/library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# Include this one inside a "server" directive listening on port 80, this way: -# include /etc/nginx/snippets/letsencrypt-proxy.conf; - location ^~ /.well-known/acme-challenge { - proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge; - access_log /var/log/nginx/letsencrypt_acmetool_access.log; - error_log /var/log/nginx/letsencrypt_acmetool_error.log; - } - - diff --git a/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 b/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 deleted file mode 100644 index ade01328..00000000 --- a/library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2 +++ /dev/null 
@@ -1,27 +0,0 @@ -# include inside a 'server' directive -# -location ~* \.(?:manifest|appcache|html?|xml|json)$ { - expires {{ nginx_html_cache_expire }}; -} - -{% if nginx_feed_cache_expire_enabled %} -# -location ~* \.(?:rss|atom)$ { - expires {{ nginx_feed_cache_expire }}; - add_header Cache-Control "{{ nginx_cache_control }}"; -} -{% endif %} - -# -location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { - expires {{ nginx_media_cache_expire }}; - access_log off; - add_header Cache-Control "{{ nginx_cache_control }}"; -} - -# -location ~* \.(?:css|js)$ { - expires {{ nginx_css_js_cache_expire }}; - access_log off; - add_header Cache-Control "{{ nginx_cache_control }}"; -} diff --git a/library/centos/roles/nginx/templates/nginx-compression.conf.j2 b/library/centos/roles/nginx/templates/nginx-compression.conf.j2 deleted file mode 100644 index 4a06955b..00000000 --- a/library/centos/roles/nginx/templates/nginx-compression.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -gzip_vary {{ nginx_gzip_vary }}; -gzip_proxied {{ nginx_gzip_proxied }}; -gzip_comp_level {{ nginx_gzip_comp_level }}; -gzip_buffers {{ nginx_gzip_buffers }}; -gzip_http_version {{ nginx_gzip_http_version }}; -gzip_types {{ nginx_gzip_types }}; diff --git a/library/centos/roles/nginx/templates/nginx-cors.conf.j2 b/library/centos/roles/nginx/templates/nginx-cors.conf.j2 deleted file mode 100644 index b3e8f4bc..00000000 --- a/library/centos/roles/nginx/templates/nginx-cors.conf.j2 +++ /dev/null 
@@ -1,60 +0,0 @@ -{% if nginx_cors_extended_rules %} -if ($request_method = 'OPTIONS') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - # - # Custom headers and headers various browsers *should* be OK with but aren't - # - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - # - # Tell client that this pre-flight info is valid for 20 days - # - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; -} -if ($request_method = 'POST') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; -} -if ($request_method = 'GET') { -{% if nginx_cors_limit_origin %} - add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; - add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} - add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 
'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; -} -{% else %} -{% if nginx_cors_limit_origin %} -add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}'; -add_header 'Access-Control-Allow-Credentials' 'true'; -{% else %} -add_header 'Access-Control-Allow-Origin' '*'; -{% endif %} -add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; -add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With'; -{% if nginx_cors_limit_origin %} -} -if ($request_method = 'OPTIONS') { - return 204; -} -{% endif %} -{% endif %} - diff --git a/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 b/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 deleted file mode 100644 index 572c2530..00000000 --- a/library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2 +++ /dev/null 
@@ -1,25 +0,0 @@ -# Proxy stuff -# include /etc/nginx/snippets/nginx-proxy-params.conf; -proxy_http_version 1.1; -{% if haproxy_ips is defined %} -proxy_set_header Host $http_host; -proxy_set_header X-Real-IP $remote_addr; -proxy_set_header X-Forwarded-Host $remote_addr; -proxy_set_header X-Forwarded-Server $host; -{% else %} -proxy_set_header Host $host; -{% if nginx_define_x_real_ip %} -proxy_set_header X-Real-IP $remote_addr; -{% endif %} -{% endif %} -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_buffering {{ nginx_proxy_buffering }}; -proxy_buffer_size {{ nginx_proxy_buffer_size }}; -proxy_buffers {{ nginx_proxy_buffers }}; -proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }}; -proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }}; -proxy_redirect {{ nginx_proxy_redirect }}; -proxy_connect_timeout {{ nginx_proxy_connect_timeout }}; -proxy_read_timeout {{ nginx_proxy_read_timeout }}; -proxy_send_timeout {{ nginx_proxy_send_timeout }}; diff --git a/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 b/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 deleted file mode 100644 index 9bd227e8..00000000 --- a/library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2 +++ /dev/null 
@@ -1,24 +0,0 @@ -{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} -ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain; -ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey; -{% else %} -ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }}; -ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }}; -{% endif %} -ssl_session_cache shared:SSL:10m; -ssl_session_timeout 10m; -{% if nginx_ssl_level == 'intermediate' %} -ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem; -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; -{% endif %} -{% if nginx_ssl_level == 'modern' %} -ssl_session_tickets off; -# modern configuration. tweak to your needs. -ssl_protocols TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; -{% endif %} -ssl_prefer_server_ciphers on; -ssl_stapling on; -ssl_stapling_verify on; -add_header Strict-Transport-Security max-age=15768000; 
diff --git a/library/centos/roles/nginx/templates/nginx-virthost.j2 b/library/centos/roles/nginx/templates/nginx-virthost.j2 deleted file mode 100644 index 0328527a..00000000 --- a/library/centos/roles/nginx/templates/nginx-virthost.j2 +++ /dev/null 
@@ -1,184 +0,0 @@ -server { - listen {{ item.http_port | default (80) }}; - server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; -{% if letsencrypt_acme_install %} - include /etc/nginx/snippets/letsencrypt-proxy.conf; -{% endif %} - {% if item.access_log is defined %} - access_log {{ item.access_log }}; - {% else %} - access_log /var/log/nginx/{{ item.server_name }}_access.log; - {% endif %} - {% if item.error_log is defined %} - error_log {{ item.error_log }}; - {% else %} - error_log /var/log/nginx/{{ item.server_name }}_error.log; - {% endif %} - server_tokens {{ item.server_tokens | default('off') }}; -{% if item.ssl_enabled and item.ssl_only %} - location / { - return 301 https://{{ item.server_name }}$request_uri; - } -{% else %} - # This is the default for nginx on Ubuntu 14.04 - root {{ item.root | default('/usr/share/nginx/html/') }}; - index {{ item.index | default('index.html index.htm') }}; - error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; - location = /50x.html { - root /usr/share/nginx/html; - } - location = /favicon.ico { - log_not_found off; - access_log off; - } - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - {% if haproxy_ips is defined %} - # We are behind haproxy - {% for ip in haproxy_ips %} - set_real_ip_from {{ ip }}; - {% endfor %} - real_ip_header X-Forwarded-For; - {% endif %} - {% if item.max_body is defined %} - client_max_body_size {{ item.max_body }}; - {% else %} - client_max_body_size {{ nginx_client_max_body_size }}; - {% endif %} - {% if item.body_timeout is defined %} - client_body_timeout {{ item.body_timeout }}; - {% else %} - client_body_timeout {{ nginx_client_body_timeout }}; - {% endif %} - - {% if item.additional_options is defined %} - {% for add_opt in item.additional_options %} - - {{ add_opt }}; - - {% endfor %} - {% endif %} - - {% if item.websockets is defined and item.websockets %} - proxy_set_header 
Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - {% endif %} - {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} - # Proxy stuff - include /etc/nginx/snippets/nginx-proxy-params.conf; - {% if item.proxy_additional_options is defined %} - {% for popt in item.proxy_additional_options %} - {{ popt }}; - {% endfor %} - {% endif %} - {% if item.locations is defined %} - {% for location in item.locations %} - location {{ location.location }} { - {% if location.target is defined %} - proxy_pass {{ location.target }}; - {% endif %} - {% if location.extra_conf is defined %} - {{ location.extra_conf }} - {% endif %} - {% if location.other_opts is defined %} - {% for opt in location.other_opts %} - {{ opt }}; - {% endfor %} - {% endif %} - } - {% endfor %} - {% endif %} - {% endif %} - {% if item.extra_parameters is defined %} - {{ item.extra_parameters }} - {% endif %} -{% endif %} - -} - -{% if item.ssl_enabled %} -server { - listen {{ https_port | default(443) }} {{ nginx_ssl_type }}; - server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %}; - {% if item.access_log is defined %} - access_log {{ item.access_log }}; - {% else %} - access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log; - {% endif %} - {% if item.error_log is defined %} - error_log {{ item.error_log }}; - {% else %} - error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log; - {% endif %} - root {{ item.root | default('/usr/share/nginx/html/') }}; - index {{ item.index | default('index.html index.htm') }}; - error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }}; - location = /50x.html { - root /usr/share/nginx/html; - } - location = /favicon.ico { - log_not_found off; - access_log off; - } - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - {% if haproxy_ips is defined %} - # We are behind haproxy - {% for ip in haproxy_ips %} - 
set_real_ip_from {{ ip }}; - {% endfor %} - real_ip_header X-Forwarded-For; - {% endif %} - {% if item.max_body is defined %} - client_max_body_size {{ item.max_body }}; - {% else %} - client_max_body_size {{ nginx_client_max_body_size }}; - {% endif %} - {% if item.body_timeout is defined %} - client_body_timeout {{ item.body_timeout }}; - {% else %} - client_body_timeout {{ nginx_client_body_timeout }}; - {% endif %} - server_tokens {{ item.server_tokens | default('off') }}; - - include /etc/nginx/snippets/nginx-server-ssl.conf; - - {% if item.websockets is defined and item.websockets %} - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - {% endif %} - {% if item.proxy_standard_setup is defined and item.proxy_standard_setup %} - # Proxy stuff - include /etc/nginx/snippets/nginx-proxy-params.conf; - {% if item.proxy_additional_options is defined %} - {% for popt in item.proxy_additional_options %} - {{ popt }} - {% endfor %} - {% endif %} - {% if item.locations is defined %} - {% for location in item.locations %} - location {{ location.location }} { - {% if location.target is defined %} - proxy_pass {{ location.target }}; - {% endif %} - {% if location.other_opts is defined %} - {% for opt in location.other_opts %} - {{ opt }}; - {% endfor %} - {% endif %} - } - {% endfor %} - {% endif %} - {% endif %} - {% if item.extra_parameters is defined %} - {{ item.extra_parameters }} - {% endif %} -} - -{% endif %} diff --git a/library/centos/roles/nginx/templates/nginx-websockets.conf.j2 b/library/centos/roles/nginx/templates/nginx-websockets.conf.j2 deleted file mode 100644 index 32af4c3c..00000000 --- a/library/centos/roles/nginx/templates/nginx-websockets.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} 
diff --git a/library/centos/roles/nginx/templates/nginx.conf.j2 b/library/centos/roles/nginx/templates/nginx.conf.j2 deleted file mode 100644 index df7ffcfb..00000000 --- a/library/centos/roles/nginx/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,102 +0,0 @@ -# For more information on configuration, see: -# * Official English Documentation: http://nginx.org/en/docs/ -# * Official Russian Documentation: http://nginx.org/ru/docs/ - -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -# Load dynamic modules. See /usr/share/nginx/README.dynamic. -include /usr/share/nginx/modules/*.conf; - -events { - worker_connections {{ nginx_worker_connections }}; - multi_accept {{ nginx_multi_accept }}; -} -worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }}; - -http { - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - server_tokens {{ nginx_server_tokens }}; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - large_client_header_buffers {{ nginx_large_client_header_buffers }}; - -{% if nginx_enable_compression %} - include /etc/nginx/snippets/nginx-compression.conf; -{% endif %} -{% if nginx_websockets_support %} - include /etc/nginx/snippets/nginx-websockets.conf; -{% endif %} - - # Load modular configuration files from the /etc/nginx/conf.d directory. - # See http://nginx.org/en/docs/ngx_core_module.html#include - # for more information. - include /etc/nginx/conf.d/*.conf; - - # server { - # listen 80 default_server; - # listen [::]:80 default_server; - # server_name _; - # root /usr/share/nginx/html; - - # # Load configuration files for the default server block. - # include /etc/nginx/default.d/*.conf; - - # location / { - # } - - # error_page 404 /404.html; - # location = /40x.html { - # } - - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - # } - - # Settings for a TLS enabled server. 
- # - # server { - # listen 443 ssl http2 default_server; - # listen [::]:443 ssl http2 default_server; - # server_name _; - # root /usr/share/nginx/html; - # - # ssl_certificate "/etc/pki/nginx/server.crt"; - # ssl_certificate_key "/etc/pki/nginx/private/server.key"; - # ssl_session_cache shared:SSL:1m; - # ssl_session_timeout 10m; - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; - # - # # Load configuration files for the default server block. - # include /etc/nginx/default.d/*.conf; - # - # location / { - # } - # - # error_page 404 /404.html; - # location = /40x.html { - # } - # - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # } - # } -} - - - diff --git a/library/roles/nginx/defaults/main.yml b/library/roles/nginx/defaults/main.yml index bdf9240b..63913015 100644 --- a/library/roles/nginx/defaults/main.yml +++ b/library/roles/nginx/defaults/main.yml @@ -6,8 +6,6 @@ nginx_package_state: present # See https://mozilla.github.io/server-side-tls/ssl-config-generator/ nginx_ssl_level: intermediate -#nginx_virthosts: [] - nginx_snippets_dir: /etc/nginx/snippets nginx_conf_snippets: diff --git a/library/roles/nginx/tasks/basic-auth.yml b/library/roles/nginx/tasks/basic-auth.yml index cdf35c61..13579097 100644 --- a/library/roles/nginx/tasks/basic-auth.yml +++ b/library/roles/nginx/tasks/basic-auth.yml 
@@ -1,8 +1,13 @@
 ---
 - block:
- - name: Install the python passlib library
- apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
-
+ - name: Install the python passlib library on deb based distributions
+ apt: pkg=python-passlib state=present cache_valid_time=3600
+ when: ansible_distribution_file_variety == "Debian"
+
+ - name: Install the python passlib library on RH based distributions
+ yum: pkg=python-passlib state=present
+ when: ansible_distribution_file_variety == "RedHat"
+
 - name: Create the htpasswd file needed by the basic auth
 htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
 with_items: '{{ nginx_basic_auth_users }}'
diff --git a/library/roles/nginx/tasks/main.yml b/library/roles/nginx/tasks/main.yml
index 4bbac35f..b0ed6145 100644
--- a/library/roles/nginx/tasks/main.yml
+++ b/library/roles/nginx/tasks/main.yml
@@ -1,8 +1,11 @@
 ---
-- import_tasks: nginx.yml
+- import_tasks: nginx-deb.yml
+ when: ansible_distribution_file_variety == "Debian"
+- import_tasks: nginx-rh.yml
+ when: ansible_distribution_file_variety == "RedHat"
 - import_tasks: nginx-config.yml
 - import_tasks: nginx-virtualhosts.yml
- when: nginx_use_common_virthost
+ when: nginx_use_common_virthost | bool
 - import_tasks: nginx-letsencrypt.yml
 when: letsencrypt_acme_install is defined and letsencrypt_acme_install
 - import_tasks: basic-auth.yml
diff --git a/library/roles/nginx/tasks/nginx-config.yml b/library/roles/nginx/tasks/nginx-config.yml
index 2ae899cb..1f3b45e1 100644
--- a/library/roles/nginx/tasks/nginx-config.yml
+++ b/library/roles/nginx/tasks/nginx-config.yml
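Review bot: The `htpasswd:` task at the end of the basic-auth hunk still takes `password={{ item.pwd }}` through a `with_items` loop with no `no_log: true`, so every user's plaintext password is printed in the per-item task result and in any saved play output; the line is unchanged context, but since the block is being reworked here, add `no_log: true` to that task. The two new install tasks only cover the `"Debian"` and `"RedHat"` values of `ansible_distribution_file_variety`, so a host of any other family skips passlib entirely and only fails later on the htpasswd task; a short comment stating that these are the only supported families, or a `fail:` task for other values, would make that explicit. The enclosing block's own `when:` and `tags:` lines are outside the hunk.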
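Review bot: The new `import_tasks: nginx-deb.yml` and `import_tasks: nginx-rh.yml` lines each carry a `when: ansible_distribution_file_variety == ...` guard that the imported files repeat on their own top-level block, so the same fact is tested twice and the two copies can drift apart; keep the gate in one place, most naturally here in main.yml, and drop it from the imported blocks. The `| bool` cast added to `nginx_use_common_virthost` is not applied to the `letsencrypt_acme_install` test two lines below it, so a string value of that variable is still taken as truthy there; `when: letsencrypt_acme_install is defined and letsencrypt_acme_install | bool` would keep the two conditions consistent.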
@@ -17,10 +17,6 @@
 when: nginx_ssl_level == 'intermediate'
 notify: Reload nginx
- - name: remove nginx default virtualhost
- file: dest=/etc/nginx/sites-enabled/default state=absent
- notify: Reload nginx
-
 - name: Install the supported configuration snippets
 template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
 with_items: '{{ nginx_conf_snippets }}'
@@ -35,5 +31,15 @@
 with_items: '{{ nginx_old_snippets }}'
 notify: Reload nginx
- when: nginx_enabled
+ when: nginx_enabled | bool
+ tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
+
+- block:
+ - name: remove nginx default virtualhost
+ file: dest=/etc/nginx/sites-enabled/default state=absent
+ notify: Reload nginx
+
+ when:
+ - nginx_enabled | bool
+ - ansible_distribution_file_variety == "Debian"
 tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
diff --git a/library/roles/nginx/tasks/nginx-deb.yml b/library/roles/nginx/tasks/nginx-deb.yml
new file mode 100644
index 00000000..5ddc9b76
--- /dev/null
+++ b/library/roles/nginx/tasks/nginx-deb.yml
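Review bot: The new Debian-only block removes `/etc/nginx/sites-enabled/default`, but there is no RedHat counterpart, so if the RH package ships a default server block (the template on the RH side includes `/etc/nginx/default.d/*.conf`) it stays active next to the role's own virtualhosts; either add a matching cleanup task or state the intent with a comment such as `# RH: the packaged default server is kept on purpose; the role's nginx.conf replaces it`. The second block also exists only to give one task a different `when`, and it re-evaluates `nginx_enabled | bool`; a task-level `when: ansible_distribution_file_variety == "Debian"` on the removal task inside the first block would express the same thing without a second block and a second tag list.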
@@ -0,0 +1,27 @@
+---
+- block:
+ - name: Install the Ubuntu PPA for nginx
+ apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
+ when:
+ - nginx_use_ppa
+ - "'{{ ansible_distribution }}' == 'Ubuntu'"
+ tags: [ 'nginx', 'nginx_ppa' ]
+
+ - name: Install the nginx web server
+ apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
+ when:
+ - not nginx_use_ldap_pam_auth
+ - ansible_distribution_major_version <= '14'
+
+ - name: Install the nginx web server if we need ldap auth via pam
+ apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
+ when:
+ - nginx_use_ldap_pam_auth
+ - ansible_distribution_major_version <= '14'
+
+ - name: Install the nginx web server on Ubuntu >= 16.04
+ apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
+ when: ansible_distribution_major_version >= '16'
+
+ when: ansible_distribution_file_variety == "Debian"
+ tags: nginx
\ No newline at end of file
diff --git a/library/roles/nginx/tasks/nginx-rh.yml b/library/roles/nginx/tasks/nginx-rh.yml
new file mode 100644
index 00000000..57211c2d
--- /dev/null
+++ b/library/roles/nginx/tasks/nginx-rh.yml
@@ -0,0 +1,7 @@
+---
+- block:
+ - name: Install the nginx web server
+ yum: pkg=nginx state={{ nginx_package_state }}
+
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: nginx
diff --git a/library/roles/nginx/tasks/nginx-virtualhosts.yml b/library/roles/nginx/tasks/nginx-virtualhosts.yml
index 1bc8a12f..1615c602 100644
--- a/library/roles/nginx/tasks/nginx-virtualhosts.yml
+++ b/library/roles/nginx/tasks/nginx-virtualhosts.yml
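Review bot: The gates `ansible_distribution_major_version <= '14'` and `>= '16'` compare strings, not numbers, and this block now runs for every `ansible_distribution_file_variety == "Debian"` host rather than only Ubuntu, so a single-digit Debian release sorts as `'9' > '16'` and lands in the "Ubuntu >= 16.04" branch while the `nginx-extras` (ldap/pam) variant is never selected for it; cast before comparing, `- ansible_distribution_major_version | int <= 14` and `when: ansible_distribution_major_version | int >= 16`, and add `ansible_distribution == 'Ubuntu'` where a branch is really Ubuntu-specific. The PPA task's `"'{{ ansible_distribution }}' == 'Ubuntu'"` puts Jinja delimiters inside a conditional, which Ansible warns about; the plain form is `ansible_distribution == 'Ubuntu'`. The block-level `when: ansible_distribution_file_variety == "Debian"` repeats the guard already placed on the `import_tasks` line in main.yml, and the file is missing its trailing newline.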
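Review bot: On RedHat only the plain `nginx` package is installed, with no counterpart to the Debian `nginx-extras` path taken when `nginx_use_ldap_pam_auth` is set, yet pam-ldap.yml (also touched in this commit) still copies `nginx.pam` into `/etc/pam.d/` whenever that variable is true regardless of distribution; unless the RH package already provides the PAM auth module (not visible from this hunk), the host ends up with a PAM service file and a web server that cannot use it, so the LDAP protection the operator asked for is either silently absent or makes nginx reject its configuration. Either install the matching module package here or fail early, e.g. `- fail: msg="nginx_use_ldap_pam_auth is not supported on RedHat based systems"` with `when: nginx_use_ldap_pam_auth | bool`. The block-level `when` duplicates the guard on the `import_tasks` line in main.yml, as in nginx-deb.yml.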
@@ -4,6 +4,10 @@
 file: dest={{ nginx_webroot }} state=directory mode=0755
 when: nginx_webroot != '/usr/share/nginx/html'
+ tags: [ 'nginx', 'virtualhost' ]
+
+- name: Install and enable the nginx virtualhost files on Deb based systems
+ block:
 - name: Install the nginx virtualhost files
 template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
 with_items: '{{ nginx_virthosts | default(omit) }}'
@@ -14,4 +18,15 @@
 with_items: '{{ nginx_virthosts | default(omit) }}'
 notify: Reload nginx
+ when: ansible_distribution_file_variety == "Debian"
+ tags: [ 'nginx', 'virtualhost' ]
+
+- name: Install and enable the nginx virtualhost files on RH based systems
+ block:
+ - name: Install the nginx virtualhost files
+ template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
+ with_items: '{{ nginx_virthosts | default(omit) }}'
+ notify: Reload nginx
+
+ when: ansible_distribution_file_variety == "RedHat"
 tags: [ 'nginx', 'virtualhost' ]
diff --git a/library/roles/nginx/tasks/nginx.yml b/library/roles/nginx/tasks/nginx.yml
deleted file mode 100644
index 7b1ee0ba..00000000
--- a/library/roles/nginx/tasks/nginx.yml
+++ /dev/null
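Review bot: The new RH task copies `with_items: '{{ nginx_virthosts | default(omit) }}'` from the Debian tasks, but `omit` is only meaningful for module arguments; in a loop an undefined `nginx_virthosts` yields the omit placeholder string, the loop runs once with that string as `item`, and `item.virthost_name` errors instead of the task being skipped — `with_items: '{{ nginx_virthosts | default([]) }}'` is the form that skips cleanly, and the two Debian occurrences in the first hunk have the same problem. On RH the rendered file goes straight into `/etc/nginx/conf.d/` and is live at the next reload, with no sites-available/sites-enabled stage as on the Debian side, so a virtualhost cannot be rendered but left disabled; that difference deserves a comment on the RH block, e.g. `# RH: conf.d is included directly, so every rendered virtualhost is enabled immediately`.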
@@ -1,26 +0,0 @@
----
-- name: Install the Ubuntu PPA for nginx
- apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
- when:
- - nginx_use_ppa
- - "'{{ ansible_distribution }}' == 'Ubuntu'"
- tags: [ 'nginx', 'nginx_ppa' ]
-
-- name: Install the nginx web server
- apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
- when:
- - not nginx_use_ldap_pam_auth
- - ansible_distribution_major_version <= '14'
- tags: nginx
-
-- name: Install the nginx web server if we need ldap auth via pam
- apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
- when:
- - nginx_use_ldap_pam_auth
- - ansible_distribution_major_version <= '14'
- tags: nginx
-
-- name: Install the nginx web server on Ubuntu >= 16.04
- apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
- when: ansible_distribution_major_version >= '16'
- tags: nginx
diff --git a/library/roles/nginx/tasks/pam-ldap.yml b/library/roles/nginx/tasks/pam-ldap.yml
index 9f37f629..ae253511 100644
--- a/library/roles/nginx/tasks/pam-ldap.yml
+++ b/library/roles/nginx/tasks/pam-ldap.yml
@@ -3,6 +3,5 @@
 copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
 notify: Reload nginx
 when: nginx_use_ldap_pam_auth
- tags:
- - nginx
+ tags: nginx
diff --git a/library/roles/nginx/templates/nginx.conf.j2 b/library/roles/nginx/templates/nginx.conf.j2
index 36850fe3..9dc53920 100644
--- a/library/roles/nginx/templates/nginx.conf.j2
+++ b/library/roles/nginx/templates/nginx.conf.j2
@@ -1,11 +1,21 @@
-user www-data;
 pid /run/nginx.pid;
-{% if nginx_use_ppa %}
+{% if ansible_distribution_file_variety == "Debian" %}
+user www-data;
+{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
 worker_processes auto;
 include /etc/nginx/modules-enabled/*.conf;
+
 {% else %}
 worker_processes {{ nginx_workers }};
 {% endif %}
+{% endif %}
+
+{% if ansible_distribution_file_variety == "RedHat" %}
+user nginx;
+worker_processes auto;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+{% endif %}
 events {
 worker_connections {{ nginx_worker_connections }};
@@ -14,6 +24,9 @@ events {
 worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
 http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
@@ -31,13 +44,20 @@ http {
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
- include /etc/nginx/conf.d/*.conf;
 {% if nginx_enable_compression %}
 include /etc/nginx/snippets/nginx-compression.conf;
 {% endif %}
 {% if nginx_websockets_support %}
 include /etc/nginx/snippets/nginx-websockets.conf;
 {% endif %}
- include /etc/nginx/sites-enabled/*;
-}
+ include /etc/nginx/conf.d/*.conf;
+{% if ansible_distribution_file_variety == "RedHat" %}
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+{% endif %}
+
+{% if ansible_distribution_file_variety == "Debian" %}
+ include /etc/nginx/sites-enabled/*;
+{% endif %}
+}
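Review bot: The `log_format main` added in the second hunk is never referenced: `access_log /var/log/nginx/access.log;` in the third hunk carries no format name, so nginx keeps writing its predefined `combined` format and the `$http_x_forwarded_for` field the new format was presumably added for (the original client address behind a reverse proxy, which matters when reading these logs after an incident) never reaches the file; `access_log /var/log/nginx/access.log main;` makes the definition effective, unless the virtualhost template selects `main` itself. In the first hunk `ansible_distribution_major_version >= '16'` is a string comparison, the same issue as in nginx-deb.yml; `ansible_distribution_major_version | int >= 16` is the intended test. When the variety is neither "Debian" nor "RedHat" no `user` directive is emitted and nginx falls back to its built-in default user, which is worth stating in a template comment so the silent fallback is a documented choice rather than an accident.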