mirror of
https://github.com/DO1JLR/ansible_role_nginx.git
synced 2024-08-16 16:19:48 +02:00
create option for logging
create option for logging add new ansible prefix
This commit is contained in:
parent
c0bd7476c0
commit
0144eb1c02
GPG key ID:
CD08445BFF4313D1
10 changed files with 57 additions and 49 deletions
|
|
@ -5,17 +5,18 @@ submodules_versioncheck: false
|
||||||
nginx_sites: {}
|
nginx_sites: {}
|
||||||
|
|
||||||
# nginx_sites:
|
# nginx_sites:
|
||||||
# - name: 'example.org'
|
# - name: 'example.org' # required
|
||||||
# altnames:
|
# altnames: # Optional alternative names
|
||||||
# - 'www.example.org'
|
# - 'www.example.org'
|
||||||
# - 'ftp.example.org'
|
# - 'ftp.example.org'
|
||||||
# robots: 'robots_allow_all.txt' Optional, unimplemented
|
# logging: false # Optional enable nginx logging
|
||||||
# htaccess: 'htpasswd.example.org' Optional, unimplemented
|
# robots: 'robots_allow_all.txt' # Optional, unimplemented
|
||||||
# webroot: Optional, for use with 'webhost' role
|
# htaccess: 'htpasswd.example.org' # Optional, unimplemented
|
||||||
# path Optional, for use with 'webhost' role
|
# webroot: # Optional, for use with 'webhost' role
|
||||||
# user Optional, for use with 'webhost' role
|
# path # Optional, for use with 'webhost' role
|
||||||
# group Optional, for use with 'webhost' role
|
# user # Optional, for use with 'webhost' role
|
||||||
# mode Optional, for use with 'webhost' role
|
# group # Optional, for use with 'webhost' role
|
||||||
|
# mode # Optional, for use with 'webhost' role
|
||||||
|
|
||||||
nginx__snippet_path: 'files/nginx/snippets/'
|
nginx__snippet_path: 'files/nginx/snippets/'
|
||||||
nginx__snippet_files:
|
nginx__snippet_files:
|
||||||
|
|
@ -25,6 +26,8 @@ nginx__snippet_files:
|
||||||
|
|
||||||
# default_robots_file: 'robots_disallow_all.txt'
|
# default_robots_file: 'robots_disallow_all.txt'
|
||||||
|
|
||||||
|
# nginx logging default for all sites
|
||||||
|
nginx__default_enable_logging: false
|
||||||
|
|
||||||
nginx__dhparam_size: 4096
|
nginx__dhparam_size: 4096
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +0,0 @@
|
||||||
error_log /var/log/nginx/log_{{ site.name }}.error.log;
|
|
||||||
|
|
||||||
#access_log /var/log/nginx/log_{{ site.name }}.access.log;
|
|
||||||
access_log off;
|
|
||||||
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
- name: Create default site tls https configuration
|
- name: Create default site tls https configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'templates/nginx/sites-available/default_tls.j2'
|
src: 'templates/nginx/sites-available/default_tls.j2'
|
||||||
dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
|
dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
|
|
||||||
- name: Enable default site plain http configuration
|
- name: Enable default site plain http configuration
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
|
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
|
||||||
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
|
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
|
||||||
state: link
|
state: link
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
# Note: Done by acmetool after sucessfully obtaining a suitable certificate
|
# Note: Done by acmetool after sucessfully obtaining a suitable certificate
|
||||||
- name: Enable default site configuration
|
- name: Enable default site configuration
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
|
src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
|
||||||
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
|
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
|
||||||
state: link
|
state: link
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Update apt cache
|
- name: Update apt cache
|
||||||
become: true
|
become: true
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
cache_valid_time: 3600
|
cache_valid_time: 3600
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when:
|
when:
|
||||||
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
- name: Install nginx
|
- name: Install nginx
|
||||||
become: true
|
become: true
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- 'nginx'
|
- 'nginx'
|
||||||
state: "{{ nxinx__state }}"
|
state: "{{ nxinx__state }}"
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
- name: simple versionscheck
|
- name: simple versionscheck
|
||||||
include_tasks: versioncheck.yml
|
ansible.builtin.include_tasks: versioncheck.yml
|
||||||
when: submodules_versioncheck | bool
|
when: submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: Install nginx
|
- name: Install nginx
|
||||||
include_tasks: installation.yml
|
ansible.builtin.include_tasks: installation.yml
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
include_tasks: nginx.yml
|
ansible.builtin.include_tasks: nginx.yml
|
||||||
|
|
||||||
- name: start nginx webserver
|
- name: start nginx webserver
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
|
|
@ -16,19 +16,19 @@
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: configure nginx default site
|
- name: configure nginx default site
|
||||||
include_tasks: default_site.yml
|
ansible.builtin.include_tasks: default_site.yml
|
||||||
when: nginx__infrastructure_domain__enabled | bool
|
when: nginx__infrastructure_domain__enabled | bool
|
||||||
|
|
||||||
- name: Configure nginx sites
|
- name: Configure nginx sites
|
||||||
include_tasks: single_site.yml
|
ansible.builtin.include_tasks: single_site.yml
|
||||||
with_items: '{{ nginx_sites }}'
|
with_items: '{{ nginx_sites }}'
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: site
|
loop_var: site
|
||||||
|
|
||||||
# Restart nginx before doing acme stuff
|
# Restart nginx before doing acme stuff
|
||||||
- name: Flush handlers to restart nginx now
|
- name: Flush handlers to restart nginx now
|
||||||
meta: flush_handlers
|
ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
- name: Configure acmetool and obtain certificates
|
- name: Configure acmetool and obtain certificates
|
||||||
include_tasks: acme.yml
|
ansible.builtin.include_tasks: acme.yml
|
||||||
when: nginx__acmetool_enabled
|
when: nginx__acmetool_enabled
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Copy main nginx configuration file
|
- name: Copy main nginx configuration file
|
||||||
become: true
|
become: true
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: 'nginx/nginx.conf'
|
src: 'nginx/nginx.conf'
|
||||||
dest: '/etc/nginx/'
|
dest: '/etc/nginx/'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
- name: Create 'private' directory
|
- name: Create 'private' directory
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '/etc/nginx/private'
|
path: '/etc/nginx/private'
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
|
|
||||||
- name: Create new dhparam of size '{{ nginx__dhparam_size }}'
|
- name: Create new dhparam of size '{{ nginx__dhparam_size }}'
|
||||||
become: true
|
become: true
|
||||||
openssl_dhparam:
|
community.crypto.openssl_dhparam:
|
||||||
path: '/etc/nginx/private/dhparam.pem'
|
path: '/etc/nginx/private/dhparam.pem'
|
||||||
size: '{{ nginx__dhparam_size | mandatory }}'
|
size: '{{ nginx__dhparam_size | mandatory }}'
|
||||||
notify:
|
notify:
|
||||||
|
|
@ -29,7 +29,7 @@
|
||||||
|
|
||||||
- name: Create 'sites-available' directory
|
- name: Create 'sites-available' directory
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '/etc/nginx/sites-available'
|
path: '/etc/nginx/sites-available'
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -38,7 +38,7 @@
|
||||||
|
|
||||||
- name: Create 'sites-enabled' directory
|
- name: Create 'sites-enabled' directory
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '/etc/nginx/sites-enabled'
|
path: '/etc/nginx/sites-enabled'
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -48,7 +48,7 @@
|
||||||
# Todo: Reconsider best practices
|
# Todo: Reconsider best practices
|
||||||
- name: Remove default site config from package installation
|
- name: Remove default site config from package installation
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '{{ item }}'
|
path: '{{ item }}'
|
||||||
state: absent
|
state: absent
|
||||||
with_items:
|
with_items:
|
||||||
|
|
@ -57,7 +57,7 @@
|
||||||
|
|
||||||
- name: Create 'snippets' directory
|
- name: Create 'snippets' directory
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '/etc/nginx/snippets'
|
path: '/etc/nginx/snippets'
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -66,7 +66,7 @@
|
||||||
|
|
||||||
- name: Copy nginx snippet files
|
- name: Copy nginx snippet files
|
||||||
become: true
|
become: true
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: '{{ nginx__snippet_path }}{{ item }}'
|
src: '{{ nginx__snippet_path }}{{ item }}'
|
||||||
dest: '/etc/nginx/snippets/{{ item }}'
|
dest: '/etc/nginx/snippets/{{ item }}'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Create '{{ site.name }}' site plain http configuration
|
- name: Create '{{ site.name }}' site plain http configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'templates/nginx/sites-available/http_plain_redirect.conf.j2'
|
src: 'templates/nginx/sites-available/http_plain_redirect.conf.j2'
|
||||||
dest: '/etc/nginx/sites-available/{{ site.name }}_http'
|
dest: '/etc/nginx/sites-available/{{ site.name }}_http'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls https configuration
|
- name: Create '{{ site.name }}' site tls https configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/sites/{{ site.name }}_tls.conf'
|
src: 'files/nginx/sites/{{ site.name }}_tls.conf'
|
||||||
dest: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
dest: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls parameter configuration
|
- name: Create '{{ site.name }}' site tls parameter configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/snippets/tls_parameters.snippet.conf'
|
src: 'files/nginx/snippets/tls_parameters.snippet.conf'
|
||||||
dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf'
|
dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -34,7 +34,7 @@
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls certificate configuration
|
- name: Create '{{ site.name }}' site tls certificate configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/snippets/tls_certificate.snippet.conf'
|
src: 'files/nginx/snippets/tls_certificate.snippet.conf'
|
||||||
dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
|
dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -45,8 +45,8 @@
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site logging configuration
|
- name: Create '{{ site.name }}' site logging configuration
|
||||||
become: true
|
become: true
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/snippets/logging.snippet.conf'
|
src: 'templates/nginx/snippets/logging.snippet.conf.j2'
|
||||||
dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
|
dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
@ -56,7 +56,7 @@
|
||||||
|
|
||||||
- name: Enable '{{ site.name }}' site plain http configuration
|
- name: Enable '{{ site.name }}' site plain http configuration
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ site.name }}_http'
|
src: '/etc/nginx/sites-available/{{ site.name }}_http'
|
||||||
dest: '/etc/nginx/sites-enabled/{{ site.name }}_http'
|
dest: '/etc/nginx/sites-enabled/{{ site.name }}_http'
|
||||||
state: link
|
state: link
|
||||||
|
|
@ -67,7 +67,7 @@
|
||||||
# Note: done by acmetool after sucessfully obtaining a suitable certificate
|
# Note: done by acmetool after sucessfully obtaining a suitable certificate
|
||||||
- name: Enable '{{ site.name }}' site tls configuration
|
- name: Enable '{{ site.name }}' site tls configuration
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
src: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
||||||
dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
|
dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
|
||||||
state: link
|
state: link
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Create directory for versionscheck
|
- name: Create directory for versionscheck
|
||||||
become: true
|
become: true
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: '/etc/.ansible-version'
|
path: '/etc/.ansible-version'
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
- name: check playbook version
|
- name: check playbook version
|
||||||
become: true
|
become: true
|
||||||
slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/.ansible-version/{{ playbook_version_path }}"
|
src: "/etc/.ansible-version/{{ playbook_version_path }}"
|
||||||
register: playbook_version
|
register: playbook_version
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
|
|
@ -17,29 +17,29 @@
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
- name: Print remote role version
|
- name: Print remote role version
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
|
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
|
|
||||||
- name: Print locale role version
|
- name: Print locale role version
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
msg: "Local role version: '{{ playbook_version_number|string }}'."
|
msg: "Local role version: '{{ playbook_version_number|string }}'."
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck|bool
|
||||||
|
|
||||||
- name: Check if your version is outdated
|
- name: Check if your version is outdated
|
||||||
fail:
|
ansible.builtin.fail:
|
||||||
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
||||||
when:
|
when:
|
||||||
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
||||||
|
|
||||||
- name: check if '/etc/ansible-version/' is empty
|
- name: check if '/etc/ansible-version/' is empty
|
||||||
find:
|
ansible.builtin.find:
|
||||||
paths: '/etc/ansible-version/'
|
paths: '/etc/ansible-version/'
|
||||||
register: filesFound
|
register: filesFound
|
||||||
|
|
||||||
- name: write new version to remote disk
|
- name: write new version to remote disk
|
||||||
become: true
|
become: true
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ playbook_version_number }}"
|
content: "{{ playbook_version_number }}"
|
||||||
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
|
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
|
|
||||||
9
templates/nginx/snippets/logging.snippet.conf.j2
Normal file
9
templates/nginx/snippets/logging.snippet.conf.j2
Normal file
|
|
@ -0,0 +1,9 @@
|
||||||
|
error_log /var/log/nginx/log_{{ site.name }}.error.log;
|
||||||
|
|
||||||
|
{% if site.logging | default( nginx__default_enable_logging ) -%}
|
||||||
|
access_log /var/log/nginx/log_{{ site.name }}.access.log;
|
||||||
|
access_log on;
|
||||||
|
{% else %}
|
||||||
|
# access_log /var/log/nginx/log_{{ site.name }}.access.log;
|
||||||
|
access_log off;
|
||||||
|
{% endif %}
|
||||||
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
playbook_version_number: 22 # should be int
|
playbook_version_number: 23 # should be int
|
||||||
playbook_version_path: 'do1jlr.nginx_roles-ansible.version'
|
playbook_version_path: 'do1jlr.nginx_roles-ansible.version'
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue