mirror of
https://github.com/DO1JLR/ansible_role_nginx.git
synced 2024-08-16 16:19:48 +02:00
Merge pull request #3 from DO1JLR/x
Fix nginx template copy and linting
This commit is contained in:
commit
49e20aea53
9 changed files with 46 additions and 43 deletions
|
@ -2,7 +2,7 @@
|
||||||
extends: default
|
extends: default
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# 150 chars should be enough, but don't fail if a line is longer
|
# 170 chars should be enough, but don't fail if a line is longer
|
||||||
line-length:
|
line-length:
|
||||||
max: 150
|
max: 180
|
||||||
level: warning
|
level: warning
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
||||||
- name: systemctl reload nginx
|
- name: Run systemctl reload nginx
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: 'nginx.service'
|
name: 'nginx.service'
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Copy shell script to enable tls sites
|
- name: Copy shell script to enable tls sites
|
||||||
become: true
|
become: true
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: 'files/acmetool/enable_tls.sh'
|
src: 'files/acmetool/enable_tls.sh'
|
||||||
dest: '/etc/acme/hooks/enable_tls.sh'
|
dest: '/etc/acme/hooks/enable_tls.sh'
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -10,13 +10,15 @@
|
||||||
|
|
||||||
- name: Get certificate for default server
|
- name: Get certificate for default server
|
||||||
become: true
|
become: true
|
||||||
command: acmetool want '{{ inventory_hostname }}'
|
ansible.builtin.command:
|
||||||
|
cmd: "acmetool want '{{ inventory_hostname }}'"
|
||||||
args:
|
args:
|
||||||
creates: '/var/lib/acme/live/{{ inventory_hostname }}'
|
creates: '/var/lib/acme/live/{{ inventory_hostname }}'
|
||||||
|
|
||||||
- name: Get certificates for all configured sites
|
- name: Get certificates for all configured sites
|
||||||
become: true
|
become: true
|
||||||
command: acmetool want '{{ ([site.name] + (site.altnames | default([]) )) | join(" ") }}'
|
ansible.builtin.command:
|
||||||
|
cmd: acmetool want '{{ ([site.name] + (site.altnames | default([]))) | join(" ") }}' -> acmetool want '{{ ([site.name] + (site.altnames | default([]))) | join(" ") }}'
|
||||||
args:
|
args:
|
||||||
creates: '/var/lib/acme/live/{{ site.name }}/'
|
creates: '/var/lib/acme/live/{{ site.name }}/'
|
||||||
with_items: '{{ nginx_sites }}'
|
with_items: '{{ nginx_sites }}'
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create default site tls https configuration
|
- name: Create default site tls https configuration
|
||||||
become: true
|
become: true
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Enable default site plain http configuration
|
- name: Enable default site plain http configuration
|
||||||
become: true
|
become: true
|
||||||
|
@ -28,7 +28,7 @@
|
||||||
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
|
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
|
||||||
state: link
|
state: link
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
# Note: Done by acmetool after sucessfully obtaining a suitable certificate
|
# Note: Done by acmetool after sucessfully obtaining a suitable certificate
|
||||||
- name: Enable default site configuration
|
- name: Enable default site configuration
|
||||||
|
@ -38,5 +38,5 @@
|
||||||
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
|
dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
|
||||||
state: link
|
state: link
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
when: not nginx__acmetool_enabled
|
when: not nginx__acmetool_enabled
|
||||||
|
|
|
@ -1,24 +1,24 @@
|
||||||
---
|
---
|
||||||
- name: simple versionscheck
|
- name: Simple versionscheck
|
||||||
ansible.builtin.include_tasks: versioncheck.yml
|
ansible.builtin.include_tasks: versioncheck.yml
|
||||||
when: submodules_versioncheck | bool
|
when: submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: Install nginx
|
- name: Install nginx
|
||||||
ansible.builtin.include_tasks: installation.yml
|
ansible.builtin.include_tasks: installation.yml
|
||||||
|
|
||||||
- name: create nginx user and group
|
- name: Create nginx user and group
|
||||||
ansible.builtin.include_tasks: users.yml
|
ansible.builtin.include_tasks: users.yml
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
ansible.builtin.include_tasks: nginx.yml
|
ansible.builtin.include_tasks: nginx.yml
|
||||||
|
|
||||||
- name: start nginx webserver
|
- name: Start nginx webserver
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: configure nginx default site
|
- name: Configure nginx default site
|
||||||
ansible.builtin.include_tasks: default_site.yml
|
ansible.builtin.include_tasks: default_site.yml
|
||||||
when: nginx__infrastructure_domain__enabled | bool
|
when: nginx__infrastructure_domain__enabled | bool
|
||||||
|
|
||||||
|
|
|
@ -3,12 +3,12 @@
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'templates/nginx/nginx.conf.j2'
|
src: 'templates/nginx/nginx.conf.j2'
|
||||||
dest: '/etc/nginx/'
|
dest: '/etc/nginx/nginx.conf'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create 'private' directory
|
- name: Create 'private' directory
|
||||||
become: true
|
become: true
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
path: '/etc/nginx/private/dhparam.pem'
|
path: '/etc/nginx/private/dhparam.pem'
|
||||||
size: '{{ nginx__dhparam_size | mandatory }}'
|
size: '{{ nginx__dhparam_size | mandatory }}'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create 'sites-available' directory
|
- name: Create 'sites-available' directory
|
||||||
become: true
|
become: true
|
||||||
|
@ -74,4 +74,4 @@
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
with_items: '{{ nginx__snippet_files }}'
|
with_items: '{{ nginx__snippet_files }}'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Create '{{ site.name }}' site plain http configuration
|
- name: "Create site plain http configuration for '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'templates/nginx/sites-available/http_plain_redirect.conf.j2'
|
src: 'templates/nginx/sites-available/http_plain_redirect.conf.j2'
|
||||||
|
@ -8,9 +8,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls https configuration
|
- name: "Create site tls https configuration for '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/sites/{{ site.name }}_tls.conf'
|
src: 'files/nginx/sites/{{ site.name }}_tls.conf'
|
||||||
|
@ -19,9 +19,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls parameter configuration
|
- name: "Create site tls parameter configuration for '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/snippets/tls_parameters.snippet.conf'
|
src: 'files/nginx/snippets/tls_parameters.snippet.conf'
|
||||||
|
@ -30,9 +30,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site tls certificate configuration
|
- name: "Create site tls certificate configuration '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'files/nginx/snippets/tls_certificate.snippet.conf'
|
src: 'files/nginx/snippets/tls_certificate.snippet.conf'
|
||||||
|
@ -41,9 +41,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Create '{{ site.name }}' site logging configuration
|
- name: "Create site logging configuration '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'templates/nginx/snippets/logging.snippet.conf.j2'
|
src: 'templates/nginx/snippets/logging.snippet.conf.j2'
|
||||||
|
@ -52,9 +52,9 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 'u=rw,g=r,o=r'
|
mode: 'u=rw,g=r,o=r'
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
- name: Enable '{{ site.name }}' site plain http configuration
|
- name: "Enable site plain http configuration '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ site.name }}_http'
|
src: '/etc/nginx/sites-available/{{ site.name }}_http'
|
||||||
|
@ -62,15 +62,15 @@
|
||||||
state: link
|
state: link
|
||||||
when: site.http_plain_template | default(True)
|
when: site.http_plain_template | default(True)
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
|
|
||||||
# Note: done by acmetool after sucessfully obtaining a suitable certificate
|
# Note: done by acmetool after sucessfully obtaining a suitable certificate
|
||||||
- name: Enable '{{ site.name }}' site tls configuration
|
- name: "Enable site tls configuration '{{ site.name }}'"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
src: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
src: '/etc/nginx/sites-available/{{ site.name }}_tls'
|
||||||
dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
|
dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
|
||||||
state: link
|
state: link
|
||||||
notify:
|
notify:
|
||||||
- systemctl reload nginx
|
- Run systemctl reload nginx
|
||||||
when: not nginx__acmetool_enabled
|
when: not nginx__acmetool_enabled
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: "create {{ nginx__group }} Group"
|
- name: "Create Group {{ nginx__group }}"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.group:
|
ansible.builtin.group:
|
||||||
name: "{{ nginx__group }}"
|
name: "{{ nginx__group }}"
|
||||||
system: true
|
system: true
|
||||||
state: 'present'
|
state: 'present'
|
||||||
|
|
||||||
- name: "create {{ nginx__user }} user"
|
- name: "Create user {{ nginx__user }}"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ nginx__user }}"
|
name: "{{ nginx__user }}"
|
||||||
|
|
|
@ -8,37 +8,38 @@
|
||||||
path: '/etc/.ansible-version'
|
path: '/etc/.ansible-version'
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: check playbook version
|
- name: Check playbook version
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/.ansible-version/{{ playbook_version_path }}"
|
src: "/etc/.ansible-version/{{ playbook_version_path }}"
|
||||||
register: playbook_version
|
register: playbook_version
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck | bool
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
failed_when: false
|
failed_when: false
|
||||||
|
|
||||||
- name: Print remote role version
|
- name: Print remote role version
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
|
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: Print locale role version
|
- name: Print locale role version
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "Local role version: '{{ playbook_version_number|string }}'."
|
msg: "Local role version: '{{ playbook_version_number | string }}'."
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: Check if your version is outdated
|
- name: Check if your version is outdated
|
||||||
ansible.builtin.fail:
|
ansible.builtin.fail:
|
||||||
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
|
||||||
when:
|
when:
|
||||||
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
|
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
|
||||||
|
|
||||||
- name: write new version to remote disk
|
- name: Write new version to remote disk
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ playbook_version_number }}"
|
content: "{{ playbook_version_number }}"
|
||||||
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
|
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
when: submodules_versioncheck|bool
|
when: submodules_versioncheck | bool
|
||||||
|
tags: skip_ansible_lint_template-instead-of-copy
|
||||||
|
|
Loading…
Reference in a new issue