ansible/ansible_role_nginx
1
0
Fork 0
mirror of https://github.com/DO1JLR/ansible_role_nginx.git synced 2024-08-16 16:19:48 +02:00
Code Releases Activity

Extend per-site snippet handling to tls, certificates and logging

Browse source
This commit is contained in:
Raoul 2020-12-23 03:49:11 +01:00
parent 0b60a92826
commit 642aa37a60
No known key found for this signature in database
GPG key ID: C7493D73B67C1842
8 changed files with 66 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
defaults/main.yml
View file

@ -7,13 +7,18 @@ nginx_sites: {}
# altnames: # altnames:
# - 'www.example.org' # - 'www.example.org'
# - 'ftp.example.org' # - 'ftp.example.org'
# robots: 'robots_allow_all.txt' Optional # robots: 'robots_allow_all.txt' Optional, unimplemented
# htaccess: 'htpasswd.example.org' Optional # htaccess: 'htpasswd.example.org' Optional, unimplemented
# webroot: Optional, for use with 'webhost' role
# path Optional, for use with 'webhost' role
# user Optional, for use with 'webhost' role
# group Optional, for use with 'webhost' role
# mode Optional, for use with 'webhost' role
snippet_files: snippet_files:
- 'acmetool.snippet.conf' - 'acmetool.snippet.conf'
- 'tls_settings.snippet.conf' - 'tls_parameters.snippet.conf'
#default_robots_file: 'robots_disallow_all.txt' #default_robots_file: 'robots_disallow_all.txt'

5
files/nginx/sites-available/default_http.j2
View file

@ -2,9 +2,12 @@ server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
access_log /var/log/nginx/log_{{ inventory_hostname }}.access.log;
error_log /var/log/nginx/log_{{ inventory_hostname }}.error.log;
include snippets/acmetool.snippet.conf; include snippets/acmetool.snippet.conf;
location ^~ / { location ^~ / {
return 308 https://{{ inventory_hostname }}$request_uri; return 403;
} }
} }

2
files/nginx/sites-available/default_tls.j2
View file

@ -2,7 +2,7 @@ server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
include snippets/tls_settings.snippet.conf; include snippets/tls_parameters.snippet.conf;
ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain; ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey; ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey;

2
files/nginx/sites-available/http_plain_redirect.conf.j2
View file

@ -4,6 +4,8 @@ server {
server_name {{ site.name }}; server_name {{ site.name }};
include snippets/logging_{{ site.name }}.snippet.conf;
include snippets/acmetool.snippet.conf; include snippets/acmetool.snippet.conf;
location ^~ / { location ^~ / {

4
files/nginx/snippets/logging.snippet.conf Normal file
View file

@ -0,0 +1,4 @@
error_log /var/log/nginx/log_{{ site.name }}.error.log;
#access_log /var/log/nginx/log_{{ site.name }}.access.log;
access_log off;

2
files/nginx/snippets/tls_certificate.snippet.conf Normal file
View file

@ -0,0 +1,2 @@
ssl_certificate /var/lib/acme/live/{{ site.name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ site.name }}/privkey;

5
files/nginx/snippets/tls_settings.snippet.conf → files/nginx/snippets/tls_parameters.snippet.conf
View file

@ -1,6 +1,9 @@
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
#ssl_stapling on; #ssl_stapling on;
#ssl_stapling_verify on; #ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 valid=300s; #resolver 8.8.8.8 1.1.1.1 valid=300s;
#resolver_timeout 3s; #resolver_timeout 3s;
#ssl_dhparam /etc/ssl/private/site.dh;

67
tasks/single_site.yml
View file

@ -34,34 +34,49 @@
- sites - sites
#- name: Create '{{ site.name }}' site tls parameter configuration - name: Create '{{ site.name }}' site tls parameter configuration
# template: template:
# src: 'files/nginx/snippets/tls_certificate.snippet.conf' src: 'files/nginx/snippets/tls_parameters.snippet.conf'
# dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf' dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf'
# owner: root owner: root
# group: root group: root
# mode: 'u=rw,g=r,o=r' mode: 'u=rw,g=r,o=r'
# notify: notify:
# - Reload nginx - Reload nginx
# tags: tags:
# - configuration - configuration
# - nginx - nginx
# - sites - sites
#- name: Create '{{ site.name }}' site logging configuration - name: Create '{{ site.name }}' site tls certificate configuration
# template: template:
# src: 'files/nginx/snippets/logging.snippet.conf' src: 'files/nginx/snippets/tls_certificate.snippet.conf'
# dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf' dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
# owner: root owner: root
# group: root group: root
# mode: 'u=rw,g=r,o=r' mode: 'u=rw,g=r,o=r'
# notify: notify:
# - Reload nginx - Reload nginx
# tags: tags:
# - configuration - configuration
# - nginx - nginx
# - sites - sites
- name: Create '{{ site.name }}' site logging configuration
template:
src: 'files/nginx/snippets/logging.snippet.conf'
dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
owner: root
group: root
mode: 'u=rw,g=r,o=r'
notify:
- Reload nginx
tags:
- configuration
- nginx
- sites
#- name: Copy additional per site '{{ site.name }}' snippet files #- name: Copy additional per site '{{ site.name }}' snippet files