Add nginx role
parent
3b13eeaf17
commit
ae1ba3fe9d
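--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+nginx_become: true
+nginx_become_user: root
+
+# Possible values are: nginx, nginx-core (only since bullseye), nginx-light,
+# nginx-full and nginx-extras.
+nginx_default_package: nginx
+nginx_root: /var/www
+nginx_vhosts: []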
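Review bot: The shape of an `nginx_vhosts` item is a contract that nothing in this file documents, yet create-vhosts.yml and the vhost template read `servername`, `serveralias`, `acme_challenges`, `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` from each item, and the template emits the three `ssl_*` directives unconditionally, so with default Ansible settings an item that lacks one of them makes the template task fail on an undefined attribute. A comment above `nginx_vhosts: []` would make that explicit, along the lines of `# Each item: servername (required), ssl_certificate, ssl_certificate_key and ssl_trusted_certificate (required, paths on the target), serveralias (optional list of extra names), acme_challenges (optional directory served under /.well-known/acme-challenge)`. It is also worth stating there that the key paths must be readable by root only, since the rendered config points nginx at them as-is.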
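--- a/roles/nginx/files/etc/nginx/sites-enabled/_.conf
+++ b/roles/nginx/files/etc/nginx/sites-enabled/_.conf
@@ -0,0 +1,10 @@
+# Ansible managed.
+
+server {
+listen 80 default_server deferred;
+listen [::]:80 default_server deferred;
+
+server_name _;
+
+return 444;
+}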
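Review bot: The catch-all only binds port 80, so a TLS request whose SNI or Host matches none of the declared names is not rejected; nginx serves it from whichever `ssl` server block it treats as the default for 443 (the first one loaded from sites-enabled), exposing that site's certificate and content under an arbitrary host name. A second block with `listen 443 ssl default_server;` closes the gap, as sketched below; on nginx 1.19.4 and later `ssl_reject_handshake on;` lets that block exist without a certificate (bullseye's 1.18 predates it, so there a placeholder certificate is needed instead). The task in tasks/main.yml that copies this file needs no change for that, only the file does.

```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # nginx >= 1.19.4; older releases need ssl_certificate/ssl_certificate_key
    # pointing at a placeholder certificate instead of this directive
    ssl_reject_handshake on;
    return 444;
}
```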
14
roles/nginx/handlers/main.yml
Normal file
14
roles/nginx/handlers/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- name: systemctl restart nginx
|
||||
systemd:
|
||||
name: nginx.service
|
||||
state: restarted
|
||||
become: "{{ nginx_become }}"
|
||||
become_user: "{{ nginx_become_user }}"
|
||||
|
||||
- name: systemctl reload nginx
|
||||
systemd:
|
||||
name: nginx.service
|
||||
state: reloaded
|
||||
become: "{{ nginx_become }}"
|
||||
become_user: "{{ nginx_become_user }}"
|
42
roles/nginx/tasks/create-vhosts.yml
Normal file
42
roles/nginx/tasks/create-vhosts.yml
Normal file
|
@ -0,0 +1,42 @@
|
|||
---
|
||||
- name: create vhost directories
|
||||
file:
|
||||
path: "{{ nginx_root }}/{{ item.servername }}"
|
||||
state: directory
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
|
||||
- name: create vhost content directories
|
||||
file:
|
||||
path: "{{ nginx_root }}/{{ item.servername }}/html"
|
||||
state: directory
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
|
||||
- name: create vhost logs directories
|
||||
file:
|
||||
path: "{{ nginx_root }}/{{ item.servername }}/logs"
|
||||
state: directory
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
|
||||
- name: add vhost configuration file for {{ item.servername }}
|
||||
template:
|
||||
src: etc/nginx/sites-available/site-vhost.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.servername }}.vhost"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
notify: systemctl restart nginx
|
||||
|
||||
- name: remove all the vhost enabled
|
||||
file:
|
||||
path: /etc/nginx/sites-enabled/*.vhost
|
||||
state: absent
|
||||
notify: systemctl restart nginx
|
||||
|
||||
- name: add vhost configuration sylink for {{ item.servername }}
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item.servername }}.vhost"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.servername }}.vhost"
|
||||
state: link
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
notify: systemctl restart nginx
|
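Review bot: The `remove all the vhost enabled` task (`path: /etc/nginx/sites-enabled/*.vhost`) does nothing useful: the `file` module does not expand shell globs, so it tries to delete a file literally named `*.vhost`, and a vhost dropped from `nginx_vhosts` stays enabled indefinitely while the task still carries a `notify`. Use `find` to list the `*.vhost` entries in sites-enabled and remove only those whose name is not a current `servername`, as sketched below; that also keeps the play idempotent instead of relying on delete-and-recreate. Separately, the three `notify: systemctl restart nginx` lines could be `systemctl reload nginx` — a reload picks up new vhost files without dropping open connections, and tasks/main.yml already uses the reload handler for the same kind of change — and `sylink` in the last task name is a typo for `symlink`. `mode: 0640` works only because of the leading zero; `mode: "0640"` is the form Ansible documents as unambiguous.

```yaml
- name: find enabled vhosts
  find:
    paths: /etc/nginx/sites-enabled
    patterns: "*.vhost"
    file_type: any
  register: nginx_enabled_vhosts

- name: remove vhosts that are no longer declared
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ nginx_enabled_vhosts.files }}"
  when: (item.path | basename | splitext | first) not in (nginx_vhosts | map(attribute='servername') | list)
  notify: systemctl reload nginx

# … unchanged: add vhost configuration symlink task …
```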
33
roles/nginx/tasks/main.yml
Normal file
33
roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
- block:
|
||||
|
||||
- name: install {{ nginx_default_package }}
|
||||
apt:
|
||||
name: "{{ nginx_default_package }}"
|
||||
state: present
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
|
||||
- name: remove the default site
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/nginx/sites-enabled/default
|
||||
- /etc/nginx/sites-available/default
|
||||
- /var/www/html
|
||||
notify: systemctl reload nginx
|
||||
|
||||
- name: add default server to reply to client who not send correct Host header
|
||||
copy:
|
||||
src: etc/nginx/sites-enabled/_.conf
|
||||
dest: /etc/nginx/sites-enabled/_.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: systemctl reload nginx
|
||||
|
||||
- import_tasks: create-vhosts.yml
|
||||
|
||||
become: "{{ nginx_become }}"
|
||||
become_user: "{{ nginx_become_user }}"
|
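Review bot: The `remove the default site` task deletes `/var/www/html` with `state: absent`, which removes that directory and everything in it recursively on every host the role runs on, while the rest of the role treats the web root as the `nginx_root` variable; a host that already serves content from `/var/www/html`, or an operator who pointed `nginx_root` elsewhere, loses data the role never managed. Restricting the list to the two `default` entries is enough to disable the stock site; if the directory must go, derive it from the variable (`- "{{ nginx_root }}/html"`) so the removal stays inside the root the role owns. The enclosing `block:` is fully inside the hunk, so its `become` settings also apply to this deletion as written.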
|
@ -0,0 +1,55 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
server_name {{ item.servername }}{% if item.serveralias is defined %}{% for alias in item.serveralias %} {{ alias }}{% endfor %}{% endif %};
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
{% if item.acme_challenges is defined %}
|
||||
|
||||
location ^~ /.well-known/acme-challenge {
|
||||
alias {{ item.acme_challenges }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
server_name {{ item.servername }}{% if item.serveralias is defined %}{% for alias in item.serveralias %} {{ alias }}{% endfor %}{% endif %};
|
||||
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate {{ item.ssl_certificate }};
|
||||
ssl_certificate_key {{ item.ssl_certificate_key }};
|
||||
ssl_trusted_certificate {{ item.ssl_trusted_certificate }};
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
root {{ nginx_root }}/{{ item.servername }}/html;
|
||||
index index.html index.htm;
|
||||
|
||||
{% if item.acme_challenges is defined %}
|
||||
|
||||
location ^~ /.well-known/acme-challenge {
|
||||
alias {{ item.acme_challenges }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
error_page 404 /404.html;
|
||||
|
||||
access_log {{ nginx_root }}/{{ item.servername }}/logs/access.log;
|
||||
error_log {{ nginx_root }}/{{ item.servername }}/logs/error.log;
|
||||
}
|
|
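Review bot: The TLS server block sets certificates, session cache and stapling but no `ssl_protocols`, `ssl_ciphers` or HSTS header, so the protocol and cipher policy is whatever `/etc/nginx/nginx.conf` on the target provides — Debian's stock file has historically still allowed TLS 1.0 and 1.1, so this presumably inherits that unless the host's nginx.conf was tightened. After `ssl_session_cache` add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_session_tickets off;`, and since the port-80 block already redirects everything to HTTPS, `add_header Strict-Transport-Security "max-age=63072000" always;` is consistent with that choice. A smaller point: `return 301 https://$server_name$request_uri;` always redirects to the first declared name, so a request for an alias such as `www.example.org` lands on `example.org` — fine if canonicalisation is intended, otherwise `$host` preserves the alias and is safe here because unmatched host names never reach this block. This section's file header is not shown on the page; the content matches the `etc/nginx/sites-available/site-vhost.j2` template that create-vhosts.yml references.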
@ -19,8 +19,26 @@
|
|||
admin_user: administrator
|
||||
admin_password: the_secret_password
|
||||
admin_key_file: ~/.ssh/test/id_rsa.pub
|
||||
domains:
|
||||
- cname: mail.example.org
|
||||
snake_oil_cert_domains:
|
||||
- example.org
|
||||
- example2.org
|
||||
- mail.example.org
|
||||
nginx_vhosts:
|
||||
- servername: example.org
|
||||
serveralias:
|
||||
- www.example.org
|
||||
- www2.example.org
|
||||
acme_challenges: /tmp/acme
|
||||
ssl_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
|
||||
ssl_certificate_key: /var/lib/snakeoil/certs/example.org/privkey.pem
|
||||
ssl_trusted_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
|
||||
- servername: example2.org
|
||||
serveralias:
|
||||
- www.example2.org
|
||||
- www2.example2.org
|
||||
ssl_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem
|
||||
ssl_certificate_key: /var/lib/snakeoil/certs/example2.org/privkey.pem
|
||||
ssl_trusted_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem
|
||||
roles:
|
||||
# - ../roles/apt_dist_upgrade
|
||||
- ../roles/common
|
||||
|
@ -29,9 +47,10 @@
|
|||
- ../roles/iptables
|
||||
- ../roles/sshd
|
||||
- ../roles/fail2ban
|
||||
- ../roles/snake_oil_cert
|
||||
- ../roles/nginx
|
||||
# - ../roles/admin
|
||||
# - ../roles/docker
|
||||
# - {role: ../roles/snake_oil_dehydrated, become: true}
|
||||
# - {role: ../roles/mailserver}
|
||||
# - {role: ../roles/weechat}
|
||||
# Uncomment to test wikijs role: it's commented since the tarball that we
|
||||
|
|