diff --git a/defaults/main.yml b/defaults/main.yml
index a8f11c0..891e522 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,17 +5,18 @@ submodules_versioncheck: false
nginx_sites: {}
# nginx_sites:
-# - name: 'example.org'
-# altnames:
+# - name: 'example.org' # required
+# altnames: # Optional alternative names
# - 'www.example.org'
# - 'ftp.example.org'
-# robots: 'robots_allow_all.txt' Optional, unimplemented
-# htaccess: 'htpasswd.example.org' Optional, unimplemented
-# webroot: Optional, for use with 'webhost' role
-# path Optional, for use with 'webhost' role
-# user Optional, for use with 'webhost' role
-# group Optional, for use with 'webhost' role
-# mode Optional, for use with 'webhost' role
+# logging: false # Optional enable nginx logging
+# robots: 'robots_allow_all.txt' # Optional, unimplemented
+# htaccess: 'htpasswd.example.org' # Optional, unimplemented
+# webroot: # Optional, for use with 'webhost' role
+# path # Optional, for use with 'webhost' role
+# user # Optional, for use with 'webhost' role
+# group # Optional, for use with 'webhost' role
+# mode # Optional, for use with 'webhost' role
nginx__snippet_path: 'files/nginx/snippets/'
nginx__snippet_files:
@@ -25,6 +26,8 @@ nginx__snippet_files:
# default_robots_file: 'robots_disallow_all.txt'
+# nginx logging default for all sites
+nginx__default_enable_logging: false
nginx__dhparam_size: 4096
diff --git a/files/nginx/snippets/logging.snippet.conf b/files/nginx/snippets/logging.snippet.conf
deleted file mode 100644
index 18af9a6..0000000
--- a/files/nginx/snippets/logging.snippet.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-error_log /var/log/nginx/log_{{ site.name }}.error.log;
-
-#access_log /var/log/nginx/log_{{ site.name }}.access.log;
-access_log off;
diff --git a/tasks/default_site.yml b/tasks/default_site.yml
index f5c883e..e0ef4f7 100644
--- a/tasks/default_site.yml
+++ b/tasks/default_site.yml
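Review bot: The comment on `nginx__default_enable_logging` in the second hunk says only "nginx logging default for all sites", but the new logging template toggles just `access_log` (its `error_log` line is emitted unconditionally) and a per-site `logging:` key wins over this default through `default()`, so a reader cannot tell what `false` actually switches off. Suggest `# Access-log default for sites that set no 'logging' key; false writes error_log only` on the variable, and `# Optional, enables the access log for this site (default: nginx__default_enable_logging)` in place of `# Optional enable nginx logging` in the first hunk. Since the access log is usually the only per-request record an operator has when investigating an incident, making the opt-in nature explicit in the documented defaults is worth the extra words.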
@@ -12,7 +12,7 @@
- name: Create default site tls https configuration
become: true
- template:
+ ansible.builtin.template:
src: 'templates/nginx/sites-available/default_tls.j2'
dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
owner: root
@@ -23,7 +23,7 @@
- name: Enable default site plain http configuration
become: true
- file:
+ ansible.builtin.file:
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
state: link
@@ -33,7 +33,7 @@
# Note: Done by acmetool after sucessfully obtaining a suitable certificate
- name: Enable default site configuration
become: true
- file:
+ ansible.builtin.file:
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
state: link
diff --git a/tasks/installation.yml b/tasks/installation.yml
index d4dd1e6..c29dae8 100644
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -1,7 +1,7 @@
---
- name: Update apt cache
become: true
- apt:
+ ansible.builtin.apt:
cache_valid_time: 3600
update_cache: true
when:
@@ -9,7 +9,7 @@
- name: Install nginx
become: true
- package:
+ ansible.builtin.package:
name:
- 'nginx'
state: "{{ nxinx__state }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 3e65c62..5cc1960 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,13 +1,13 @@
---
- name: simple versionscheck
- include_tasks: versioncheck.yml
+ ansible.builtin.include_tasks: versioncheck.yml
when: submodules_versioncheck | bool
- name: Install nginx
- include_tasks: installation.yml
+ ansible.builtin.include_tasks: installation.yml
- name: Configure nginx
- include_tasks: nginx.yml
+ ansible.builtin.include_tasks: nginx.yml
- name: start nginx webserver
ansible.builtin.systemd:
@@ -16,19 +16,19 @@
enabled: true
- name: configure nginx default site
- include_tasks: default_site.yml
+ ansible.builtin.include_tasks: default_site.yml
when: nginx__infrastructure_domain__enabled | bool
- name: Configure nginx sites
- include_tasks: single_site.yml
+ ansible.builtin.include_tasks: single_site.yml
with_items: '{{ nginx_sites }}'
loop_control:
loop_var: site
# Restart nginx before doing acme stuff
- name: Flush handlers to restart nginx now
- meta: flush_handlers
+ ansible.builtin.meta: flush_handlers
- name: Configure acmetool and obtain certificates
- include_tasks: acme.yml
+ ansible.builtin.include_tasks: acme.yml
when: nginx__acmetool_enabled
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index b448e7d..6fec803 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@@ -1,7 +1,7 @@
---
- name: Copy main nginx configuration file
become: true
- copy:
+ ansible.builtin.copy:
src: 'nginx/nginx.conf'
dest: '/etc/nginx/'
owner: root
@@ -12,7 +12,7 @@
- name: Create 'private' directory
become: true
- file:
+ ansible.builtin.file:
path: '/etc/nginx/private'
state: directory
owner: root
@@ -21,7 +21,7 @@
- name: Create new dhparam of size '{{ nginx__dhparam_size }}'
become: true
- openssl_dhparam:
+ community.crypto.openssl_dhparam:
path: '/etc/nginx/private/dhparam.pem'
size: '{{ nginx__dhparam_size | mandatory }}'
notify:
@@ -29,7 +29,7 @@
- name: Create 'sites-available' directory
become: true
- file:
+ ansible.builtin.file:
path: '/etc/nginx/sites-available'
state: directory
owner: root
@@ -38,7 +38,7 @@
- name: Create 'sites-enabled' directory
become: true
- file:
+ ansible.builtin.file:
path: '/etc/nginx/sites-enabled'
state: directory
owner: root
@@ -48,7 +48,7 @@
# Todo: Reconsider best practices
- name: Remove default site config from package installation
become: true
- file:
+ ansible.builtin.file:
path: '{{ item }}'
state: absent
with_items:
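Review bot: `community.crypto.openssl_dhparam` in the `@@ -21,7 +21,7 @@` hunk of tasks/nginx.yml points this task at the community.crypto collection, which is distributed separately from ansible-core, whereas every other FQCN introduced by this commit is `ansible.builtin`. If the role does not already declare that dependency (no meta/ or requirements file is part of this diff), the play fails at task resolution on a controller that has only ansible-core installed. Add it to a collections requirements file, e.g. `collections:` followed by `  - name: community.crypto`, and name it in the README alongside the other prerequisites.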
@@ -57,7 +57,7 @@
- name: Create 'snippets' directory
become: true
- file:
+ ansible.builtin.file:
path: '/etc/nginx/snippets'
state: directory
owner: root
@@ -66,7 +66,7 @@
- name: Copy nginx snippet files
become: true
- copy:
+ ansible.builtin.copy:
src: '{{ nginx__snippet_path }}{{ item }}'
dest: '/etc/nginx/snippets/{{ item }}'
owner: root
diff --git a/tasks/single_site.yml b/tasks/single_site.yml
index db5da26..25fa406 100644
--- a/tasks/single_site.yml
+++ b/tasks/single_site.yml
@@ -1,7 +1,7 @@
---
- name: Create '{{ site.name }}' site plain http configuration
become: true
- template:
+ ansible.builtin.template:
src: 'templates/nginx/sites-available/http_plain_redirect.conf.j2'
dest: '/etc/nginx/sites-available/{{ site.name }}_http'
owner: root
@@ -12,7 +12,7 @@
- name: Create '{{ site.name }}' site tls https configuration
become: true
- template:
+ ansible.builtin.template:
src: 'files/nginx/sites/{{ site.name }}_tls.conf'
dest: '/etc/nginx/sites-available/{{ site.name }}_tls'
owner: root
@@ -23,7 +23,7 @@
- name: Create '{{ site.name }}' site tls parameter configuration
become: true
- template:
+ ansible.builtin.template:
src: 'files/nginx/snippets/tls_parameters.snippet.conf'
dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf'
owner: root
@@ -34,7 +34,7 @@
- name: Create '{{ site.name }}' site tls certificate configuration
become: true
- template:
+ ansible.builtin.template:
src: 'files/nginx/snippets/tls_certificate.snippet.conf'
dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
owner: root
@@ -45,8 +45,8 @@
- name: Create '{{ site.name }}' site logging configuration
become: true
- template:
- src: 'files/nginx/snippets/logging.snippet.conf'
+ ansible.builtin.template:
+ src: 'templates/nginx/snippets/logging.snippet.conf.j2'
dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
owner: root
group: root
@@ -56,7 +56,7 @@
- name: Enable '{{ site.name }}' site plain http configuration
become: true
- file:
+ ansible.builtin.file:
src: '/etc/nginx/sites-available/{{ site.name }}_http'
dest: '/etc/nginx/sites-enabled/{{ site.name }}_http'
state: link
@@ -67,7 +67,7 @@
# Note: done by acmetool after sucessfully obtaining a suitable certificate
- name: Enable '{{ site.name }}' site tls configuration
become: true
- file:
+ ansible.builtin.file:
src: '/etc/nginx/sites-available/{{ site.name }}_tls'
dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
state: link
diff --git a/tasks/versioncheck.yml b/tasks/versioncheck.yml
index 1ca07b5..dca3e47 100644
--- a/tasks/versioncheck.yml
+++ b/tasks/versioncheck.yml
@@ -1,7 +1,7 @@
---
- name: Create directory for versionscheck
become: true
- file:
+ ansible.builtin.file:
path: '/etc/.ansible-version'
state: directory
mode: 0755
@@ -9,7 +9,7 @@
- name: check playbook version
become: true
- slurp:
+ ansible.builtin.slurp:
src: "/etc/.ansible-version/{{ playbook_version_path }}"
register: playbook_version
when: submodules_versioncheck|bool
@@ -17,29 +17,29 @@
failed_when: false
- name: Print remote role version
- debug:
+ ansible.builtin.debug:
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
when: submodules_versioncheck|bool
- name: Print locale role version
- debug:
+ ansible.builtin.debug:
msg: "Local role version: '{{ playbook_version_number|string }}'."
when: submodules_versioncheck|bool
- name: Check if your version is outdated
- fail:
+ ansible.builtin.fail:
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
when:
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
- name: check if '/etc/ansible-version/' is empty
- find:
+ ansible.builtin.find:
paths: '/etc/ansible-version/'
register: filesFound
- name: write new version to remote disk
become: true
- copy:
+ ansible.builtin.copy:
content: "{{ playbook_version_number }}"
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
mode: '0644'
diff --git a/templates/nginx/snippets/logging.snippet.conf.j2 b/templates/nginx/snippets/logging.snippet.conf.j2
new file mode 100644
index 0000000..aa64b69
--- /dev/null
+++ b/templates/nginx/snippets/logging.snippet.conf.j2
@@ -0,0 +1,9 @@
+error_log /var/log/nginx/log_{{ site.name }}.error.log;
+
+{% if site.logging | default( nginx__default_enable_logging ) -%}
+access_log /var/log/nginx/log_{{ site.name }}.access.log;
+access_log on;
+{% else %}
+# access_log /var/log/nginx/log_{{ site.name }}.access.log;
+access_log off;
+{% endif %}
diff --git a/vars/main.yml b/vars/main.yml
index aff862e..7fad633 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,3 @@
---
-playbook_version_number: 22 # should be int
+playbook_version_number: 23 # should be int
playbook_version_path: 'do1jlr.nginx_roles-ansible.version'
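Review bot: `access_log on;` in the new logging.snippet.conf.j2 is not a form nginx documents — the directive takes either `off` or a log path — so as far as I can tell `on` would be read as a relative file name and open a stray second log under the nginx prefix rather than enable anything; at best it is a confusing no-op beside the real directive. The `access_log /var/log/nginx/log_{{ site.name }}.access.log;` line on its own enables logging for the site, so drop `access_log on;` and let the handler's config test catch any regression. A header comment would also help the next reader, since `error_log` is written regardless of the flag, e.g. `# error_log is unconditional; only access_log follows site.logging (default: nginx__default_enable_logging)`.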