
Add nginx role

This commit is contained in:
Daniele Tricoli 2021-01-20 19:44:04 +01:00
parent 3b13eeaf17
commit ae1ba3fe9d
7 changed files with 185 additions and 3 deletions


@ -0,0 +1,9 @@
---
nginx_become: true
nginx_become_user: root
# Possible values are: nginx, nginx-core (only since bullseye), nginx-light,
# nginx-full and nginx-extras.
nginx_default_package: nginx
nginx_root: /var/www
nginx_vhosts: []
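Review bot: `nginx_vhosts` is the role's main input but the shape of each item is undocumented in the defaults; the site-vhost.j2 template (the `src` of the "add vhost configuration file" task) reads `servername`, `serveralias`, `acme_challenges`, `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` from each item, and the three `ssl_*` keys are rendered unconditionally, so an item without them fails at template time. A comment above the key would save readers a trip into the template, e.g. `# Each item requires servername, ssl_certificate, ssl_certificate_key and ssl_trusted_certificate; serveralias (list of names) and acme_challenges (directory path) are optional.` The comment on `nginx_default_package` is a good model for it.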


@ -0,0 +1,10 @@
# Ansible managed.
server {
listen 80 default_server deferred;
listen [::]:80 default_server deferred;
server_name _;
return 444;
}
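Review bot: This catch-all only covers port 80; no `default_server` exists on 443, so a TLS request whose SNI/Host matches none of the generated vhosts is answered by whichever `listen 443` server block nginx selects first (in practice the first vhost in sorted order) instead of being dropped with 444. A matching 443 catch-all needs a certificate to complete the handshake (or `ssl_reject_handshake on;` on nginx 1.19.4 or newer), so the fix is not a one-liner, but the gap should at least be recorded in this file: `# HTTP only: a request on 443 with an unmatched Host falls through to the first vhost.` The header reports 10 added lines while 7 are shown, so blank lines were probably lost in rendering.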


@ -0,0 +1,14 @@
---
- name: systemctl restart nginx
systemd:
name: nginx.service
state: restarted
become: "{{ nginx_become }}"
become_user: "{{ nginx_become_user }}"
- name: systemctl reload nginx
systemd:
name: nginx.service
state: reloaded
become: "{{ nginx_become }}"
become_user: "{{ nginx_become_user }}"


@ -0,0 +1,42 @@
---
- name: create vhost directories
file:
path: "{{ nginx_root }}/{{ item.servername }}"
state: directory
with_items: "{{ nginx_vhosts }}"
- name: create vhost content directories
file:
path: "{{ nginx_root }}/{{ item.servername }}/html"
state: directory
with_items: "{{ nginx_vhosts }}"
- name: create vhost logs directories
file:
path: "{{ nginx_root }}/{{ item.servername }}/logs"
state: directory
with_items: "{{ nginx_vhosts }}"
- name: add vhost configuration file for {{ item.servername }}
template:
src: etc/nginx/sites-available/site-vhost.j2
dest: "/etc/nginx/sites-available/{{ item.servername }}.vhost"
owner: root
group: root
mode: 0640
with_items: "{{ nginx_vhosts }}"
notify: systemctl restart nginx
- name: remove all the vhost enabled
file:
path: /etc/nginx/sites-enabled/*.vhost
state: absent
notify: systemctl restart nginx
- name: add vhost configuration sylink for {{ item.servername }}
file:
src: "/etc/nginx/sites-available/{{ item.servername }}.vhost"
dest: "/etc/nginx/sites-enabled/{{ item.servername }}.vhost"
state: link
with_items: "{{ nginx_vhosts }}"
notify: systemctl restart nginx
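Review bot: The `remove all the vhost enabled` task with `path: /etc/nginx/sites-enabled/*.vhost` does nothing useful: the `file` module does not expand shell globs, so it checks for a literal file named `*.vhost`, reports ok on every run, and never removes the symlinks of vhosts that were dropped from `nginx_vhosts`, leaving stale sites enabled. Collect the existing links with `find` and loop over the result instead, as below. Separately, every configuration change here notifies `systemctl restart nginx` although the `systemctl reload nginx` handler defined in the same commit applies vhost changes without dropping open connections, `mode: 0640` relies on YAML octal parsing where `mode: "0640"` is the form ansible-lint and yamllint accept, and the last task name has a typo (`sylink`).
```yaml
# … unchanged: create vhost directories / add vhost configuration file tasks …
- name: find enabled vhosts
  find:
    paths: /etc/nginx/sites-enabled
    patterns: "*.vhost"
    file_type: link
  register: nginx_enabled_vhosts
- name: remove all the vhost enabled
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ nginx_enabled_vhosts.files }}"
  notify: systemctl restart nginx
# … unchanged: add vhost configuration symlink task …
```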


@ -0,0 +1,33 @@
---
- block:
- name: install {{ nginx_default_package }}
apt:
name: "{{ nginx_default_package }}"
state: present
update_cache: true
cache_valid_time: 3600
- name: remove the default site
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/nginx/sites-enabled/default
- /etc/nginx/sites-available/default
- /var/www/html
notify: systemctl reload nginx
- name: add default server to reply to client who not send correct Host header
copy:
src: etc/nginx/sites-enabled/_.conf
dest: /etc/nginx/sites-enabled/_.conf
owner: root
group: root
mode: 0640
notify: systemctl reload nginx
- import_tasks: create-vhosts.yml
become: "{{ nginx_become }}"
become_user: "{{ nginx_become_user }}"
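Review bot: The `remove the default site` task deletes `/var/www/html` recursively (`state: absent` on a directory) on every run, which goes beyond disabling the stock site: anything a user or another role placed there is wiped, and since `nginx_root` defaults to `/var/www`, a vhost whose `servername` were `html` would be created by create-vhosts.yml and removed again here on each run. Removing the two `default` site files is sufficient to disable the packaged site, because the `_.conf` catch-all installed by the next task answers unmatched requests with 444 regardless of that directory; if the directory really must go, make it opt-in with a guard such as `when: nginx_remove_default_root | bool` (variable name constructed, to be added to defaults). `mode: 0640` on the copy task is an unquoted octal; `mode: "0640"` avoids depending on the YAML parser.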


@ -0,0 +1,55 @@
# {{ ansible_managed }}
server {
server_name {{ item.servername }}{% if item.serveralias is defined %}{% for alias in item.serveralias %} {{ alias }}{% endfor %}{% endif %};
listen 80;
listen [::]:80;
location / {
return 301 https://$server_name$request_uri;
}
{% if item.acme_challenges is defined %}
location ^~ /.well-known/acme-challenge {
alias {{ item.acme_challenges }};
}
{% endif %}
}
server {
server_name {{ item.servername }}{% if item.serveralias is defined %}{% for alias in item.serveralias %} {{ alias }}{% endfor %}{% endif %};
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate {{ item.ssl_certificate }};
ssl_certificate_key {{ item.ssl_certificate_key }};
ssl_trusted_certificate {{ item.ssl_trusted_certificate }};
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
root {{ nginx_root }}/{{ item.servername }}/html;
index index.html index.htm;
{% if item.acme_challenges is defined %}
location ^~ /.well-known/acme-challenge {
alias {{ item.acme_challenges }};
}
{% endif %}
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
access_log {{ nginx_root }}/{{ item.servername }}/logs/access.log;
error_log {{ nginx_root }}/{{ item.servername }}/logs/error.log;
}
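Review bot: The HTTPS server block turns on `ssl_stapling` and `ssl_stapling_verify` but defines no `resolver`, so nginx cannot resolve the OCSP responder hostname and stapling stays inactive (nginx logs a warning at startup rather than failing); add `resolver <dns-server-ip> valid=300s;` (placeholder address) beside the stapling lines, or drop the two directives. The block also leaves `ssl_protocols` and the cipher settings at the packaged nginx defaults, which on older Debian releases typically still allow TLS 1.0 and 1.1; pinning `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` in the template makes the rendered vhosts independent of the distribution's defaults. Redirecting to `https://$server_name$request_uri` on port 80 is the right choice: it canonicalises alias requests to the primary name instead of reflecting the client-supplied Host header.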


@ -19,8 +19,26 @@
admin_user: administrator
admin_password: the_secret_password
admin_key_file: ~/.ssh/test/id_rsa.pub
domains:
- cname: mail.example.org
snake_oil_cert_domains:
- example.org
- example2.org
- mail.example.org
nginx_vhosts:
- servername: example.org
serveralias:
- www.example.org
- www2.example.org
acme_challenges: /tmp/acme
ssl_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
ssl_certificate_key: /var/lib/snakeoil/certs/example.org/privkey.pem
ssl_trusted_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
- servername: example2.org
serveralias:
- www.example2.org
- www2.example2.org
ssl_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem
ssl_certificate_key: /var/lib/snakeoil/certs/example2.org/privkey.pem
ssl_trusted_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem
roles:
# - ../roles/apt_dist_upgrade
- ../roles/common
@ -29,9 +47,10 @@
- ../roles/iptables
- ../roles/sshd
- ../roles/fail2ban
- ../roles/snake_oil_cert
- ../roles/nginx
# - ../roles/admin
# - ../roles/docker
# - {role: ../roles/snake_oil_dehydrated, become: true}
# - {role: ../roles/mailserver}
# - {role: ../roles/weechat}
# Uncomment to test wikijs role: it's commented since the tarball that we