1
0
Fork 0
mirror of https://github.com/DO1JLR/ansible_role_nginx.git synced 2024-08-16 16:19:48 +02:00
ansible_role_nginx/readme.md
2021-02-27 00:46:37 +01:00

123 lines
4.9 KiB
Markdown

Nginx Webserver
===============
Ansible role to configure the `nginx` webserver and manage TLS certificates
by the help of the `acmetool` LE client. This role is designed to work together
with the `acmetool` role.
Variables
---------
* `nginx__dhparam_size` (Default 2048):
The DH parameters bit length.
* `nginx_sites` (Default `{}`):
The virtual hosts configurations for this webserver.
* `nginx__disable_acmetool` (Default `False`):
Optionally disable acme support within this role.
Note: If you do not intent to use `acmetool` or LE at all, it is possible to disable
support for it. However, in that case *all* TLS certificates and private keys
loaded by the nginx configuration must be present on the destination host *before*
running this role. Additionally you need to provide own replacement templates
for `files/nginx/sites-available/*j2` (see point 3 in the next section).
Files
-----
Note: Path segments `<host_files>` when resolved by the `hf`/`hfg` lookup plugins always
include full `hf`/`hfg` functionality, for example also search the `group_files`
directory as apropriate. (See also note on dependencies below.)
* Main `nginx` configuration file template `nginx/nginx.conf`
Lookup path:
- `<playbook_dir> / files / <host_files> / <inventory_hostname> / nginx / nginx.conf` [via `hf` lookup]
- `<playbook_dir> / files / nginx / nginx.conf` [via `hf` lookup]
- `<role_dir> / files / nginx / nginx.conf` [default role fallback]
* Global (default and vhost independent) configuration snippets
Lookup path:
- `<playbook_dir> / files / <host_files> / <inventory_hostname> / nginx / snippets / <snippetname>_global.snippet.conf` [via `hfg` lookup]
- `<playbook_dir> / files / nginx / snippets / <snippetname>_global.snippet.conf` [via `hfg` lookup]
- `<role_dir> / files / nginx / snippets / <snippetname>_global.snippet.conf` [default role fallback]
Note: The `<snippetname>` may not contain a `_`.
* Main configuration file for each virtual host (usually contains corresponding nginx `server` block)
Lookup path (tls):
- `<playbook_dir> / files / nginx / sites / <vhostname>_tls.conf`
- `<role_dir> / files / nginx / sites-available / vhost_tls.conf.j2` [default role fallback]
Lookup path (http):
- `<playbook_dir> / files / nginx / sites / <vhostname>_http.conf` [via `first_found` lookup]
- `<role_dir> / files / nginx / sites-available / vhost_http_redirect.conf.j2` [default role fallback]
* Per virtual host templated snippets
Lookup path:
- `<playbook_dir> / files / <host_files> / <inventory_hostname> / nginx / snippets / _<snippetname>_site.snippet.conf` [via `hfg` lookup]
- `<playbook_dir> / files / nginx / snippets / _<snippetname>_site.snippet.conf` [via `hfg` lookup]
- `<role_dir> / files / nginx / snippets / _<snippetname>_site.snippet.conf` [default role fallback]
Note 1: The file name is expanded on the server per each virtual host to `<vhostname>_<snippetname>_site.snippet.conf`.
Note 2: The `<snippetname>` may not contain a `_`.
* Per virtual host custom individual snippet files
Lookup path:
- `<playbook_dir> / files / <host_files> / <inventory_hostname> / nginx / snippets / <vhostname>_<snippetname>_site.snippet.conf` [via `hfg` lookup]
- `<playbook_dir> / files / nginx / snippets / <vhostname>_<snippetname>_site.snippet.conf` [via `hfg` lookup]
- `<role_dir> / files / nginx / snippets / <vhostname>_<snippetname>_site.snippet.conf` [default role fallback]
Note 1: In general, content of such snippets could be merged with main vhost configuration file.
Note 2: The `<snippetname>` may not contain a `_`.
* Per virtual host basic auth file
Lookup path:
- unimplemented
* Per virtual host robots file
Lookup path:
- unimplemented
Example
-------
Configuration of the virtual hosts in the `host_vars` of the webserver:
```
nginx_sites:
- name: 'example.org'
altnames: Optional, for acmetool
- 'www.example.org'
- 'ftp.example.org'
robots: 'robots_allow_all.txt' Optional, unimplemented
htaccess: 'htpasswd.example.org' Optional, unimplemented
webroot: Optional, for use with 'webhost' role
path Optional, for use with 'webhost' role
user Optional, for use with 'webhost' role
group Optional, for use with 'webhost' role
mode Optional, for use with 'webhost' role
```
Alternatively, put this data into a suitable `group_vars` file.
Dependencies
------------
This role depends on the `host_file` (`hf`) and `host_files_glob` (`hfg`) lookup plugins.
References
----------
* [Nginx documentation](https://nginx.org/en/docs/)
* [acmetool](https://github.com/hlandau/acmetool)
* [acmetool user's guide](https://hlandau.github.io/acmetool/userguide)