Initial checkin
This commit is contained in:
commit
520a6781b9
15 changed files with 469 additions and 0 deletions
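--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+
+nginx_sites: {}
+
+#nginx_sites:
+# - name: 'example.org'
+# altnames:
+# - 'www.example.org'
+# - 'ftp.example.org'
+# robots: 'robots_allow_all.txt' Optional
+# htaccess: 'htpasswd.example.org' Optional
+
+
+snippet_files:
+  - 'acmetool.snippet.conf'
+  - 'tls_settings.snippet.conf'
+
+
+#default_robots_file: 'robots_disallow_all.txt'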
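Review bot: `nginx_sites: {}` declares the default as an empty mapping, while the commented example directly below it and the `with_items: '{{ nginx_sites }}'` loops in tasks/main.yml and tasks/acme.yml treat the variable as a list of site dicts; the default should be `nginx_sites: []` so the empty and populated cases have the same type. The `robots` and `htaccess` keys documented as "Optional" in the example are not read by any task in this commit, so a comment such as `# robots / htaccess: reserved, not yet implemented` would save a reader from hunting for the consumer.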
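--- /dev/null
+++ b/files/acmetool/enable_tls.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euf -o pipefail
+
+IFS=$'\n'
+
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+while read -r host; do
+    if [[ -e "/etc/nginx/sites-available/${host}_tls" ]]; then
+        echo "Enabling tls site for ${host}"
+        ln -s -f "/etc/nginx/sites-available/${host}_tls" "/etc/nginx/sites-enabled/${host}_tls"
+    fi
+done
+
+exit 0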
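Review bot: The `ln -s -f` line creates the `sites-enabled` link but nothing reloads nginx afterwards, so the TLS vhost only becomes live at the next reload triggered elsewhere; either add `systemctl reload nginx` after the `done` line or document at the top of the script that acmetool's stock reload hook is relied on for that step. The hostnames read from stdin are interpolated straight into a filesystem path; acmetool supplies them, but a cheap guard before the `if`, `case "$host" in ''|*/*|.*) continue ;; esac`, keeps a malformed line from ever resolving outside `sites-available`. `exit 42` is presumably acmetool's "event not handled" status; a one-line comment saying so would help the next reader, since to a shell reader it looks like an arbitrary failure code.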
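--- /dev/null
+++ b/files/nginx/nginx.conf
@@ -0,0 +1,29 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+include /usr/share/nginx/modules/*.conf;
+
+
+events {
+    worker_connections 1024;
+}
+
+
+http {
+    access_log /var/log/nginx/access.log;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}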
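Review bot: `include /usr/share/nginx/modules/*.conf;` is the dynamic-module path used by the RHEL/Fedora package, whereas the rest of the role targets Debian/Ubuntu (`apt` in tasks/installation.yml, the `sites-enabled` layout here), where the distro package places its module loaders under `/etc/nginx/modules-enabled/*.conf`; a wildcard include that matches nothing is accepted by nginx, so this line silently loads no modules. Consider `include /etc/nginx/modules-enabled/*.conf;` or a comment above the line naming the distro layout this file follows. `server_tokens off;` is a good default; a comment on the `http {` block noting that per-vhost TLS settings live in the snippets would help readers find them.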
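--- /dev/null
+++ b/files/nginx/sites-available/default_http.j2
@@ -0,0 +1,10 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    include snippets/acmetool.snippet.conf;
+
+    location ^~ / {
+        return 308 https://{{ inventory_hostname }}$request_uri;
+    }
+}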
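Review bot: `return 308 https://{{ inventory_hostname }}$request_uri;` sends every unmatched Host to the inventory name instead of `$host`, which is the safer choice (no client-controlled Host reflected into the Location header) but silently assumes `inventory_hostname` is the public FQDN that tasks/acme.yml requests the default certificate for. A comment above `server {`, e.g. `# catch-all vhost: unknown Host names are redirected to the FQDN used as inventory_hostname`, makes that dependency explicit for whoever runs the role with short inventory names.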
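--- /dev/null
+++ b/files/nginx/sites-available/default_tls.j2
@@ -0,0 +1,16 @@
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    include snippets/tls_settings.snippet.conf;
+
+    ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain;
+    ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey;
+
+    access_log /var/log/nginx/log_{{ inventory_hostname }}.access.log;
+    error_log /var/log/nginx/log_{{ inventory_hostname }}.error.log;
+
+    location ^~ / {
+        return 403;
+    }
+}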
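Review bot: This catch-all TLS vhost is only usable once `/var/lib/acme/live/{{ inventory_hostname }}/fullchain` exists, and nginx refuses to load the whole configuration if an `ssl_certificate` path is missing; the role relies on the file never being linked into `sites-enabled` before the acmetool hook fires, which is not stated anywhere. A comment above `server {` such as `# linked into sites-enabled by hooks/enable_tls.sh once acmetool has issued the certificate; do not enable by hand` records that contract. Session cache, session timeout and HSTS are left at nginx defaults here and in the snippet; one comment saying that is intentional keeps the next maintainer from adding them twice.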
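--- /dev/null
+++ b/files/nginx/sites-available/http_plain_redirect.conf.j2
@@ -0,0 +1,12 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.name }};
+
+    include snippets/acmetool.snippet.conf;
+
+    location ^~ / {
+        return 308 https://{{ site.name }}$request_uri;
+    }
+}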
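Review bot: `server_name {{ site.name }};` lists only the primary name, although defaults/main.yml documents `altnames` and tasks/acme.yml requests a certificate covering them; a plain-HTTP request for an altname therefore never matches this vhost, falls through to the default server and is redirected to `https://{{ inventory_hostname }}` rather than to the site. Use `server_name {{ ([site.name] + (site.altnames | default([]))) | join(' ') }};` so every name on the certificate reaches the matching redirect (the ACME challenge location keeps working either way, because the default vhost includes the same snippet).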
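--- /dev/null
+++ b/files/nginx/snippets/acmetool.snippet.conf
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+    alias /run/acme/acme-challenge/;
+    auth_basic "off";
+}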
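--- /dev/null
+++ b/files/nginx/snippets/tls_settings.snippet.conf
@@ -0,0 +1,6 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+#resolver 8.8.8.8 8.8.4.4 valid=300s;
+#resolver_timeout 3s;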
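Review bot: `ssl_prefer_server_ciphers on;` is set without an `ssl_ciphers` list, so the order being enforced is whatever the distro build compiled in as its default suite; either add an explicit list you intend to maintain, or leave it and add `# cipher suite: nginx/OpenSSL build default, deliberately not pinned` so nobody assumes it was hardened. The commented `resolver 8.8.8.8 8.8.4.4` would route every OCSP lookup to a third party once stapling is switched on; when that block is activated, prefer the host's local resolver. `ssl_session_cache`/`ssl_session_timeout` are absent as well, which is acceptable for a snippet but worth one comment stating that the per-site files are expected to set them if needed.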
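--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Restart nginx
+  systemd:
+    name: 'nginx.service'
+    daemon_reload: yes
+    state: restarted
+
+
+- name: Reload nginx
+  systemd:
+    name: 'nginx.service'
+    daemon_reload: yes
+    state: reloaded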
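Review bot: `daemon_reload: yes` on both handlers is a YAML 1.1 truthy spelling (yamllint `truthy`); write `daemon_reload: true`. A daemon reload is only needed after a unit file changes, and this role installs nginx from the distro package without touching units, so the key can be dropped from both handlers rather than running `systemctl daemon-reload` on every configuration reload. No task in this commit notifies `Restart nginx`; a comment above it, `# not used by the role itself; available for callers that change listen sockets`, records why it exists.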
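--- /dev/null
+++ b/tasks/acme.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Copy shell script to enable tls sites
+  copy:
+    src: 'files/acmetool/enable_tls.sh'
+    dest: '/etc/acme/hooks/enable_tls.sh'
+    owner: root
+    group: root
+    mode: 'u=rx,g=r,o='
+  tags:
+    - configuration
+    - acme
+
+
+- name: Get certificate for default server
+  command: acmetool want '{{ inventory_hostname }}'
+  args:
+    creates: '/var/lib/acme/live/{{ inventory_hostname }}'
+  tags:
+    - configuration
+    - acme
+    - certificates
+    - operation
+
+
+- name: Get certificates for all configured sites
+  #command: acmetool want '{{ site.name }}' '{{ site.altnames | default([]) | join(" ") }}'
+  command: acmetool want '{{ ([site.name] + (site.altnames | default([]) )) | join(" ") }}'
+  args:
+    creates: '/var/lib/acme/live/{{ site.name }}/'
+  with_items: '{{ nginx_sites }}'
+  loop_control:
+    loop_var: site
+  tags:
+    - configuration
+    - acme
+    - certificates
+    - operation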
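Review bot: On the `command: acmetool want '{{ ([site.name] + (site.altnames | default([]) )) | join(" ") }}'` line the whole joined list sits inside one pair of single quotes, so acmetool receives a single argument `example.org www.example.org` instead of one hostname per argument, and certificate requests go wrong as soon as a site declares altnames. Passing the names through the module's `argv` form removes the shell-quoting problem entirely; the single-host task above can use the same form for consistency. The `creates:` guard also means altnames added to an already-issued site are never requested, which deserves a comment next to it (`# only runs until the first certificate exists; new altnames need a manual acmetool want`) or a different idempotency check.
```yaml
- name: Get certificates for all configured sites
  command:
    argv: "{{ ['acmetool', 'want', site.name] + (site.altnames | default([])) }}"
    creates: '/var/lib/acme/live/{{ site.name }}/'
  # … unchanged: with_items / loop_control / tags …
```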
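--- /dev/null
+++ b/tasks/default_site.yml
@@ -0,0 +1,57 @@
+---
+
+- name: Create default site plain http configuration
+  template:
+    src: 'files/nginx/sites-available/default_http.j2'
+    dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Create default site tls https configuration
+  template:
+    src: 'files/nginx/sites-available/default_tls.j2'
+    dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Enable default site plain http configuration
+  file:
+    src: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
+    dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
+    state: link
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+# Note: Done by acmetool after sucessfully obtaining a suitable certificate
+#- name: Enable default site configuration
+# file:
+# src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
+# dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
+# state: link
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - sites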
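Review bot: The `{{ inventory_hostname }}_tls` vhost written by the "Create default site tls https configuration" task is only ever linked into `sites-enabled` by the acmetool hook on a `live-updated` event, because the enable task at the bottom is commented out; on a host where `/var/lib/acme/live/{{ inventory_hostname }}` already exists (restored from backup, or a re-run after the hook was installed) the `acmetool want` task in tasks/acme.yml is skipped by its `creates:` guard, the hook never fires, and the host keeps redirecting port 80 to a port 443 that nothing listens on. Enable the link from the role as well, guarded on the certificate actually being present so nginx is never handed a missing `ssl_certificate`. tasks/single_site.yml carries the same commented-out block and the same gap for per-site TLS vhosts.
```yaml
- name: Check whether the default site certificate exists
  stat:
    path: '/var/lib/acme/live/{{ inventory_hostname }}/fullchain'
  register: default_site_cert

- name: Enable default site tls configuration
  file:
    src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
    dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
    state: link
  when: default_site_cert.stat.exists
  notify:
    - Reload nginx
  # … unchanged: tags …
```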
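--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Install nginx
+  apt:
+    package:
+      - 'nginx'
+    state: latest
+    update_cache: yes
+    cache_valid_time: 43200
+  tags:
+    - installation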
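Review bot: `state: latest` upgrades nginx on every run, so a routine configuration play can restart the web server whenever the distro publishes a new package; `state: present` keeps installation and upgrades as separate, deliberate operations. `update_cache: yes` should be `update_cache: true` (YAML 1.1 truthy spelling; yamllint `truthy`). `package:` is an alias of the module's `name:` parameter; either works, but `name:` matches the `systemd`/`service` tasks elsewhere in the role.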
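--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+
+- name: Install nginx
+  include_tasks: installation.yml
+  tags:
+    - repository
+    - installation
+
+
+- name: Configure nginx
+  include_tasks: nginx.yml
+  tags:
+    - configuration
+    - nginx
+    - dhparam
+
+
+- name: Start nginx webserver
+  service:
+    name: nginx
+    state: started
+    enabled: yes
+  tags:
+    - operation
+    - nginx
+
+
+- name: Configure nginx default site
+  include_tasks: default_site.yml
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Configure nginx sites
+  include_tasks: single_site.yml
+  with_items: '{{ nginx_sites }}'
+  loop_control:
+    loop_var: site
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Configure acmetool and obtain certificates
+  include_tasks: acme.yml
+  tags:
+    - configuration
+    - acme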
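Review bot: Tags on `include_tasks` select only the include statement itself; the included tasks need their own tags to run, and tasks/installation.yml carries `installation` but not `repository`, so `--tags repository` executes the "Install nginx" include and then skips the task inside it — drop `- repository` here or add it to that task. `- dhparam` is listed on the "Configure nginx" include although the only dhparam task in tasks/nginx.yml is commented out, so the tag currently selects nothing. `enabled: yes` on the service task should be `enabled: true`; if static inclusion is acceptable for this role, `import_tasks` would propagate tags to the included tasks automatically and avoid the mismatch class altogether.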
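--- /dev/null
+++ b/tasks/nginx.yml
@@ -0,0 +1,77 @@
+---
+
+- name: Copy main nginx configuration file
+  copy:
+    src: 'nginx/nginx.conf'
+    dest: '/etc/nginx/'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+
+
+#- name: Create strong dhparams
+# openssl_dhparam:
+# path: '/etc/nginx/dhparam.pem'
+# size: 4096
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - dhparam
+
+
+- name: Create 'sites-available' directory
+  file:
+    path: '/etc/nginx/sites-available'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Create 'sites-enabled' directory
+  file:
+    path: '/etc/nginx/sites-enabled'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Create 'snippets' directory
+  file:
+    path: '/etc/nginx/snippets'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Copy nginx snippet files
+  copy:
+    src: 'files/nginx/snippets/{{ item }}'
+    dest: '/etc/nginx/snippets/{{ item }}'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  with_items: '{{ snippet_files }}'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx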
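Review bot: The "Copy main nginx configuration file" task writes `/etc/nginx/nginx.conf` and notifies a reload without any validation, so a syntax error in the shipped file is only discovered when the handler runs; add `validate: '/usr/sbin/nginx -t -c %s'` to that `copy:` so a broken main config is never written (the file uses absolute include paths, so testing the temporary copy is meaningful). Source paths are spelled inconsistently across the role: `nginx/nginx.conf` here, `files/nginx/snippets/{{ item }}` on the snippet task and `files/...` throughout tasks/acme.yml and tasks/default_site.yml; both forms resolve through Ansible's role path search, but settling on the `files/`-relative form (`nginx/...`) avoids surprises when the role is moved into a collection. The dhparam block is commented out while tasks/main.yml still advertises a `dhparam` tag; either remove the tag or leave a one-line comment here explaining why generation is deferred.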
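--- /dev/null
+++ b/tasks/single_site.yml
@@ -0,0 +1,109 @@
+---
+# TODO: Implement site config template templates
+
+
+- name: Create '{{ site.name }}' site plain http configuration
+  template:
+    src: 'files/nginx/sites-available/http_plain_redirect.conf.j2'
+    dest: '/etc/nginx/sites-available/{{ site.name }}_http'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  #when: site.http_plain_template | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Create '{{ site.name }}' site tls https configuration
+  template:
+    src: 'files/nginx/sites/{{ site.name }}_tls.conf'
+    dest: '/etc/nginx/sites-available/{{ site.name }}_tls'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  #when: not site.redirect_target | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+#- name: Create '{{ site.name }}' site tls parameter configuration
+# template:
+# src: 'files/nginx/snippets/tls_certificate.snippet.conf'
+# dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
+# owner: root
+# group: root
+# mode: 'u=rw,g=r,o=r'
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - sites
+
+
+#- name: Create '{{ site.name }}' site logging configuration
+# template:
+# src: 'files/nginx/snippets/logging.snippet.conf'
+# dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
+# owner: root
+# group: root
+# mode: 'u=rw,g=r,o=r'
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - sites
+
+
+#- name: Copy additional per site '{{ site.name }}' snippet files
+# template:
+# src: 'files/nginx/snippets/{{ item }}'
+# dest: '/etc/nginx/snippets/{{ item }}'
+# owner: root
+# group: root
+# mode: 'u=rw,g=r,o=r'
+# with_items: '{{ site.snippets }}'
+# when: site.snippets | default([])
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - sites
+
+
+- name: Enable '{{ site.name }}' site plain http configuration
+  file:
+    src: '/etc/nginx/sites-available/{{ site.name }}_http'
+    dest: '/etc/nginx/sites-enabled/{{ site.name }}_http'
+    state: link
+  when: site.http_plain_template | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+# Note: done by acmetool after sucessfully obtaining a suitable certificate
+#- name: Enable '{{ site.name }}' site tls configuration
+# file:
+# src: '/etc/nginx/sites-available/{{ site.name }}_tls'
+# dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
+# state: link
+# notify:
+# - Reload nginx
+# tags:
+# - configuration
+# - nginx
+# - sites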
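Review bot: `src: 'files/nginx/sites/{{ site.name }}_tls.conf'` on the "Create '{{ site.name }}' site tls https configuration" task points into a `files/nginx/sites/` directory that this commit does not add (the diffstat lists 15 files, none under that path), so the task fails for every configured site unless the consumer drops a per-site file into the role; the `# TODO` at the top hints at this, but the `when:` that would skip the task is commented out. Either ship a generic `site_tls.conf.j2` driven by the `site.*` variables, or guard the task on the file's existence (`with_first_found` with `skip: true`, or a preceding `stat`) and state in defaults/main.yml that a per-site TLS file is mandatory. There is also an asymmetry: `when: site.http_plain_template | default(True)` guards only the link task, while the template task that writes `{{ site.name }}_http` has its `when:` commented out, so the file is always written even when it is never enabled. The commented-out TLS enable block at the end leaves per-site HTTPS hook-only, the same gap as in tasks/default_site.yml.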