debfranca
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Only one nginx role.

This commit is contained in:
Andrea Dell'Amico 2020-01-22 14:37:31 +01:00
parent 4c06ae5b2d
commit 5c6253e917
32 changed files with 100 additions and 778 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
library/bootstrap-roles/centos-common/meta/main.yml
View File

@ -1,7 +1,7 @@
---
dependencies:
- role: '../../library/centos/roles/centos-bootstrap'
- role: '../../library/centos/roles/rsyslog'
- role: '../../library/roles/rsyslog'
- role: '../../library/roles/dell-server-utilities'
- role: '../../library/roles/sshd_config'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }

113
library/centos/roles/nginx/defaults/main.yml
View File

@ -1,113 +0,0 @@
---
nginx_enabled: True
nginx_package_state: installed
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
nginx_snippets_dir: /etc/nginx/snippets
nginx_default_conf_dir: /etc/nginx/default.d
nginx_conf_snippets:
- nginx-compression.conf
- nginx-websockets.conf
- nginx-browser-cache.conf
- letsencrypt-proxy.conf
- nginx-proxy-params.conf
- nginx-server-ssl.conf
- nginx-cors.conf
nginx_old_snippets:
- compression.conf
nginx_workers: 4
nginx_worker_connections: 1024
nginx_multi_accept: 'off'
nginx_worker_rlimit_nofile: 2048
nginx_server_tokens: 'off'
nginx_large_client_header_buffers: 4 8k
nginx_enable_compression: True
nginx_gzip_vary: "on"
nginx_gzip_proxied: any
nginx_gzip_comp_level: 6
nginx_gzip_buffers: 16 8k
nginx_gzip_http_version: 1.1
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
nginx_enable_browser_cache: True
nginx_cache_control: public
nginx_html_cache_expire: -1
nginx_feed_cache_expire_enabled: False
nginx_feed_cache_expire: 1h
nginx_media_cache_expire: 1M
nginx_css_js_cache_expire: -1
nginx_reverse_proxy: False
nginx_define_x_real_ip: False
nginx_proxy_buffering: "on"
nginx_proxy_redirect: "off"
nginx_proxy_buffer_size: 128k
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
nginx_proxy_busy_buffers_size: 256k
nginx_proxy_connect_timeout: 30s
nginx_proxy_read_timeout: 480s
nginx_proxy_send_timeout: 120s
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
nginx_client_max_body_size: 100M
nginx_client_body_timeout: 240s
nginx_cors_limit_origin: True
nginx_cors_extended_rules: False
nginx_cors_acl_origin: 'http?://(localhost)'
# Find a set of acceptable defaults for the cache setup
nginx_cache_enabled: False
nginx_use_ldap_pam_auth: False
nginx_pam_svc_name: nginx
nginx_ldap_uri: "ldap://ldap.example.org"
nginx_ldap_base_dn: "dc=example,dc=org"
nginx_basic_auth: False
nginx_basic_auth_users:
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
# nginx_ldap_login_attribute: uid
# nginx_ldap_pam_groupdn:
nginx_letsencrypt_managed: True
nginx_websockets_support: False
nginx_use_common_virthost: False
# Use 'ssl http2' if the nginx version supports it
nginx_ssl_type: ssl http2
# When we do not use letsencrypt:
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
# Virtualhost example
# nginx_virthosts:
# - virthost_name: '{{ ansible_fqdn }}'
# listen: '{{ http_port }}'
# server_name: '{{ ansible_fqdn }}'
# server_aliases: ''
# index: index.html
# error_page: /path_to_error_page.html
# ssl_enabled: False
# ssl_only: False
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
# root: /usr/share/nginx/html/
# server_tokens: 'off'
# proxy_standard_setup: True
# proxy_additional_options:
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
# proxies:
# - location: /
# target: http://localhost:{{ local_http_port }};
#
# extra_parameters: |
# location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# }

25
library/centos/roles/nginx/files/nginx-letsencrypt-acme.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/nginx.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
fi
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
if [ -x /bin/systemctl ] ; then
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
else
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/nginx.log
exit 0

26
library/centos/roles/nginx/files/nginx.pam
View File

@ -1,26 +0,0 @@
#
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
#
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
#
password [success=1 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
#
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so

7
library/centos/roles/nginx/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload nginx
service: name=nginx state=reloaded
- name: Restart nginx
service: name=nginx state=restarted

12
library/centos/roles/nginx/tasks/basic-auth.yml
View File

@ -1,12 +0,0 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
with_items: '{{ nginx_basic_auth_users }}'
when: nginx_basic_auth
tags: nginx

21
library/centos/roles/nginx/tasks/main.yml
View File

@ -1,21 +0,0 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml
- import_tasks: pam-ldap.yml
- name: Ensure that the webserver is running and enabled at boot time
service: name=nginx state=started enabled=yes
when: nginx_enabled
ignore_errors: True
tags: nginx
- name: Ensure that the webserver is stopped and disabled
service: name=nginx state=stopped enabled=no
when: not nginx_enabled
ignore_errors: True
tags: nginx

29
library/centos/roles/nginx/tasks/nginx-config.yml
View File

@ -1,29 +0,0 @@
---
- block:
- name: Create the snippets directory
file: dest={{ nginx_snippets_dir }} state=directory
- name: Create the pki directory
file: dest={{ {{ pki_dir }}/nginx }} state=directory
- name: Create a dhparams file 2048 bits long
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
args:
creates: '{{ pki_dir }}/nginx/dhparams.pem'
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
- name: Install the main nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
notify: Reload nginx
- name: Remove the old configuration snippets
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
with_items: '{{ nginx_old_snippets }}'
when: nginx_enabled
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

20
library/centos/roles/nginx/tasks/nginx-letsencrypt.yml
View File

@ -1,20 +0,0 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook for nginx
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]
- block:
- name: Remove the letsencrypt hook for nginx
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
when: not nginx_letsencrypt_managed
tags: [ 'nginx', 'letsencrypt' ]

7
library/centos/roles/nginx/tasks/nginx-virtualhosts.yml
View File

@ -1,7 +0,0 @@
---
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
tags: [ 'nginx', 'virtualhost' ]

7
library/centos/roles/nginx/tasks/nginx.yml
View File

@ -1,7 +0,0 @@
---
- name: Install the nginx web server
yum: pkg={{ item }} state={{ nginx_package_state }}
with_items:
- nginx
tags: nginx

8
library/centos/roles/nginx/tasks/pam-ldap.yml
View File

@ -1,8 +0,0 @@
---
- name: Install pam service for nginx
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx

16
library/centos/roles/nginx/templates/ldap.conf.j2
View File

@ -1,16 +0,0 @@
# The distinguished name of the search base.
base {{ nginx_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
uri {{ nginx_ldap_uri }}
if {% nginx_ldap_login_attribute is defined %}
pam_login_attribute {{ nginx_ldap_login_attribute }}
{% endif %}
if {% nginx_ldap_pam_groupdn is defined %}
pam_groupdn
{% endif %}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data

9
library/centos/roles/nginx/templates/letsencrypt-proxy.conf.j2
View File

@ -1,9 +0,0 @@
# Include this one inside a "server" directive listening on port 80, this way:
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
}

27
library/centos/roles/nginx/templates/nginx-browser-cache.conf.j2
View File

@ -1,27 +0,0 @@
# include inside a 'server' directive
#
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires {{ nginx_html_cache_expire }};
}
{% if nginx_feed_cache_expire_enabled %}
#
location ~* \.(?:rss|atom)$ {
expires {{ nginx_feed_cache_expire }};
add_header Cache-Control "{{ nginx_cache_control }}";
}
{% endif %}
#
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires {{ nginx_media_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}
#
location ~* \.(?:css|js)$ {
expires {{ nginx_css_js_cache_expire }};
access_log off;
add_header Cache-Control "{{ nginx_cache_control }}";
}

6
library/centos/roles/nginx/templates/nginx-compression.conf.j2
View File

@ -1,6 +0,0 @@
gzip_vary {{ nginx_gzip_vary }};
gzip_proxied {{ nginx_gzip_proxied }};
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_buffers {{ nginx_gzip_buffers }};
gzip_http_version {{ nginx_gzip_http_version }};
gzip_types {{ nginx_gzip_types }};

60
library/centos/roles/nginx/templates/nginx-cors.conf.j2
View File

@ -1,60 +0,0 @@
{% if nginx_cors_extended_rules %}
if ($request_method = 'OPTIONS') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
if ($request_method = 'GET') {
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
}
{% else %}
{% if nginx_cors_limit_origin %}
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
add_header 'Access-Control-Allow-Credentials' 'true';
{% else %}
add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
{% if nginx_cors_limit_origin %}
}
if ($request_method = 'OPTIONS') {
return 204;
}
{% endif %}
{% endif %}

25
library/centos/roles/nginx/templates/nginx-proxy-params.conf.j2
View File

@ -1,25 +0,0 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
{% else %}
proxy_set_header Host $host;
{% if nginx_define_x_real_ip %}
proxy_set_header X-Real-IP $remote_addr;
{% endif %}
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
proxy_buffer_size {{ nginx_proxy_buffer_size }};
proxy_buffers {{ nginx_proxy_buffers }};
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
proxy_redirect {{ nginx_proxy_redirect }};
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
proxy_read_timeout {{ nginx_proxy_read_timeout }};
proxy_send_timeout {{ nginx_proxy_send_timeout }};

24
library/centos/roles/nginx/templates/nginx-server-ssl.conf.j2
View File

@ -1,24 +0,0 @@
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
{% else %}
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if nginx_ssl_level == 'intermediate' %}
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{% endif %}
{% if nginx_ssl_level == 'modern' %}
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

184
library/centos/roles/nginx/templates/nginx-virthost.j2
View File

@ -1,184 +0,0 @@
server {
listen {{ item.http_port | default (80) }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if letsencrypt_acme_install %}
include /etc/nginx/snippets/letsencrypt-proxy.conf;
{% endif %}
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_error.log;
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
{% if item.ssl_enabled and item.ssl_only %}
location / {
return 301 https://{{ item.server_name }}$request_uri;
}
{% else %}
# This is the default for nginx on Ubuntu 14.04
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
{% if item.additional_options is defined %}
{% for add_opt in item.additional_options %}
{{ add_opt }};
{% endfor %}
{% endif %}
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }};
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.extra_conf is defined %}
{{ location.extra_conf }}
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
{% endif %}
}
{% if item.ssl_enabled %}
server {
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
{% if item.access_log is defined %}
access_log {{ item.access_log }};
{% else %}
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
{% endif %}
{% if item.error_log is defined %}
error_log {{ item.error_log }};
{% else %}
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
{% endif %}
root {{ item.root | default('/usr/share/nginx/html/') }};
index {{ item.index | default('index.html index.htm') }};
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
location = /50x.html {
root /usr/share/nginx/html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
{% if haproxy_ips is defined %}
# We are behind haproxy
{% for ip in haproxy_ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header X-Forwarded-For;
{% endif %}
{% if item.max_body is defined %}
client_max_body_size {{ item.max_body }};
{% else %}
client_max_body_size {{ nginx_client_max_body_size }};
{% endif %}
{% if item.body_timeout is defined %}
client_body_timeout {{ item.body_timeout }};
{% else %}
client_body_timeout {{ nginx_client_body_timeout }};
{% endif %}
server_tokens {{ item.server_tokens | default('off') }};
include /etc/nginx/snippets/nginx-server-ssl.conf;
{% if item.websockets is defined and item.websockets %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% endif %}
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
# Proxy stuff
include /etc/nginx/snippets/nginx-proxy-params.conf;
{% if item.proxy_additional_options is defined %}
{% for popt in item.proxy_additional_options %}
{{ popt }}
{% endfor %}
{% endif %}
{% if item.locations is defined %}
{% for location in item.locations %}
location {{ location.location }} {
{% if location.target is defined %}
proxy_pass {{ location.target }};
{% endif %}
{% if location.other_opts is defined %}
{% for opt in location.other_opts %}
{{ opt }};
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
{% endif %}
{% if item.extra_parameters is defined %}
{{ item.extra_parameters }}
{% endif %}
}
{% endif %}

4
library/centos/roles/nginx/templates/nginx-websockets.conf.j2
View File

@ -1,4 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

102
library/centos/roles/nginx/templates/nginx.conf.j2
View File

@ -1,102 +0,0 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections {{ nginx_worker_connections }};
multi_accept {{ nginx_multi_accept }};
}
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens {{ nginx_server_tokens }};
include /etc/nginx/mime.types;
default_type application/octet-stream;
large_client_header_buffers {{ nginx_large_client_header_buffers }};
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
# location / {
# }
# error_page 404 /404.html;
# location = /40x.html {
# }
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}

2
library/roles/nginx/defaults/main.yml
View File

@ -6,8 +6,6 @@ nginx_package_state: present
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
nginx_ssl_level: intermediate
#nginx_virthosts: []
nginx_snippets_dir: /etc/nginx/snippets
nginx_conf_snippets:

9
library/roles/nginx/tasks/basic-auth.yml
View File

@ -1,7 +1,12 @@
---
- block:
- name: Install the python passlib library
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
- name: Install the python passlib library on deb based distributions
apt: pkg=python-passlib state=present cache_valid_time=3600
when: ansible_distribution_file_variety == "Debian"
- name: Install the python passlib library on RH based distributions
yum: pkg=python-passlib state=present
when: ansible_distribution_file_variety == "RedHat"
- name: Create the htpasswd file needed by the basic auth
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}

7
library/roles/nginx/tasks/main.yml
View File

@ -1,8 +1,11 @@
---
- import_tasks: nginx.yml
- import_tasks: nginx-deb.yml
when: ansible_distribution_file_variety == "Debian"
- import_tasks: nginx-rh.yml
when: ansible_distribution_file_variety == "RedHat"
- import_tasks: nginx-config.yml
- import_tasks: nginx-virtualhosts.yml
when: nginx_use_common_virthost
when: nginx_use_common_virthost | bool
- import_tasks: nginx-letsencrypt.yml
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: basic-auth.yml

16
library/roles/nginx/tasks/nginx-config.yml
View File

@ -17,10 +17,6 @@
when: nginx_ssl_level == 'intermediate'
notify: Reload nginx
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
- name: Install the supported configuration snippets
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
with_items: '{{ nginx_conf_snippets }}'
@ -35,5 +31,15 @@
with_items: '{{ nginx_old_snippets }}'
notify: Reload nginx
when: nginx_enabled
when: nginx_enabled | bool
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
- block:
- name: remove nginx default virtualhost
file: dest=/etc/nginx/sites-enabled/default state=absent
notify: Reload nginx
when:
- nginx_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]

27
library/roles/nginx/tasks/nginx-deb.yml Normal file
View File

@ -0,0 +1,27 @@
---
- block:
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
when: ansible_distribution_file_variety == "Debian"
tags: nginx

7
library/roles/nginx/tasks/nginx-rh.yml Normal file
View File

@ -0,0 +1,7 @@
---
- block:
- name: Install the nginx web server
yum: pkg=nginx state={{ nginx_package_state }}
when: ansible_distribution_file_variety == "RedHat"
tags: nginx

15
library/roles/nginx/tasks/nginx-virtualhosts.yml
View File

@ -4,6 +4,10 @@
file: dest={{ nginx_webroot }} state=directory mode=0755
when: nginx_webroot != '/usr/share/nginx/html'
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on Deb based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
@ -14,4 +18,15 @@
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "Debian"
tags: [ 'nginx', 'virtualhost' ]
- name: Install and enable the nginx virtualhost files on RH based systems
block:
- name: Install the nginx virtualhost files
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
with_items: '{{ nginx_virthosts | default(omit) }}'
notify: Reload nginx
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'nginx', 'virtualhost' ]

26
library/roles/nginx/tasks/nginx.yml
View File

@ -1,26 +0,0 @@
---
- name: Install the Ubuntu PPA for nginx
apt_repository: repo='{{ nginx_ppa_repo }}' update_cache=yes
when:
- nginx_use_ppa
- "'{{ ansible_distribution }}' == 'Ubuntu'"
tags: [ 'nginx', 'nginx_ppa' ]
- name: Install the nginx web server
apt: pkg=nginx-full state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- not nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server if we need ldap auth via pam
apt: pkg=nginx-extras state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when:
- nginx_use_ldap_pam_auth
- ansible_distribution_major_version <= '14'
tags: nginx
- name: Install the nginx web server on Ubuntu >= 16.04
apt: pkg=nginx state={{ nginx_package_state }} update_cache=yes cache_valid_time=1800
when: ansible_distribution_major_version >= '16'
tags: nginx

3
library/roles/nginx/tasks/pam-ldap.yml
View File

@ -3,6 +3,5 @@
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
notify: Reload nginx
when: nginx_use_ldap_pam_auth
tags:
- nginx
tags: nginx

30
library/roles/nginx/templates/nginx.conf.j2
View File

@ -1,11 +1,21 @@
user www-data;
pid /run/nginx.pid;
{% if nginx_use_ppa %}
{% if ansible_distribution_file_variety == "Debian" %}
user www-data;
{% if nginx_use_ppa or ansible_distribution_major_version >= '16' %}
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
{% else %}
worker_processes {{ nginx_workers }};
{% endif %}
{% endif %}
{% if ansible_distribution_file_variety == "RedHat" %}
user nginx;
worker_processes auto;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
{% endif %}
events {
worker_connections {{ nginx_worker_connections }};
@ -14,6 +24,9 @@ events {
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
@ -31,13 +44,20 @@ http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/conf.d/*.conf;
{% if nginx_enable_compression %}
include /etc/nginx/snippets/nginx-compression.conf;
{% endif %}
{% if nginx_websockets_support %}
include /etc/nginx/snippets/nginx-websockets.conf;
{% endif %}
include /etc/nginx/sites-enabled/*;
}
include /etc/nginx/conf.d/*.conf;
{% if ansible_distribution_file_variety == "RedHat" %}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
{% endif %}
{% if ansible_distribution_file_variety == "Debian" %}
include /etc/nginx/sites-enabled/*;
{% endif %}
}