commit f503d5407cd6c4979f4301ee95c0c487e506f975
parent 99d49d7500bf693c98d33da441679a1434739dc4
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 22 Feb 2021 16:57:41 +0100
parent 99d49d7500bf693c98d33da441679a1434739dc4
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 22 Feb 2021 16:57:41 +0100
roles/nginx: split tasks into multiple files, use handler
13 files changed, 292 insertions(+), 311 deletions(-)
M
|
249
++++++-------------------------------------------------------------------------
A
|
63
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/roles/nginx-handler/handlers/main.yml b/roles/nginx-handler/handlers/main.yml @@ -1,19 +0,0 @@ ---- - -- name: "[OpenRC] Restart service: nginx" - service: - name: nginx - state: restarted - when: - - ansible_service_mgr == "openrc" - - services.nginx.enable is true - listen: "Restart nginx" - -- name: "[systemd] Restart service: nginx" - systemd: - name: nginx - state: restarted - when: - - ansible_service_mgr == "systemd" - - services.nginx.enable is true - listen: "Restart nginx"
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf @@ -1,59 +0,0 @@ -# -# !!! This file is managed by Ansible !!! -# - -user nginx; - -worker_processes auto; - -pcre_jit on; - -error_log /var/log/nginx/error.log warn; - -include /etc/nginx/modules/*.conf; - - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - server_tokens off; - - server_names_hash_bucket_size 64; - - types_hash_max_size 1024; - types_hash_bucket_size 128; - - client_max_body_size 1m; - - keepalive_timeout 65; - - sendfile on; - - tcp_nodelay on; - - ssl_prefer_server_ciphers on; - - ssl_session_cache shared:SSL:2m; - - gzip on; - - gzip_vary on; - - #gzip_static on; - - - # Specifies the main log format. - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/vhosts/*.conf; -}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml @@ -0,0 +1,17 @@ +--- + +- name: "[OpenRC] Restart service: nginx (to deploy config changes)" + service: + name: nginx + state: restarted + when: + - ansible_service_mgr == "openrc" + listen: "Restart nginx" + +- name: "[systemd] Restart service: nginx (to deploy config changes)" + systemd: + name: nginx + state: restarted + when: + - ansible_service_mgr == "systemd" + listen: "Restart nginx"
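Review bot: Both handlers use `state: restarted` for what their names describe as deploying config changes, and a restart drops in-flight connections and, if the freshly templated nginx.conf or a vhost file does not parse, leaves nginx down because a restart does not keep the previous configuration the way a reload does. For configuration deployment `state: reloaded` is the safer default on both the OpenRC and systemd tasks, since nginx re-reads the config on reload and keeps serving with the old one on a parse error. Combine it with `validate: nginx -t -c %s` on the task that templates nginx.conf so a broken file never reaches the handler at all.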
diff --git a/roles/nginx/meta/main.yml b/roles/nginx/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - role: nftables-handler+ \ No newline at end of file
diff --git a/roles/nginx/tasks/configure.yml b/roles/nginx/tasks/configure.yml @@ -0,0 +1,57 @@ +--- + +- name: adding user nginx to group acme-redirect + user: + name: nginx + groups: acme-redirect + append: yes + when: + - services.acme_redirect.enable is true + +- name: Download dh-params from mozilla to /etc/nginx/dhparam + get_url: + url: https://ssl-config.mozilla.org/ffdhe2048.txt + dest: /etc/nginx/dhparam + owner: nginx + group: nginx + notify: "Restart nginx" + +- name: "Create file: /etc/nginx/nginx.conf" + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: nginx + group: nginx + notify: "Restart nginx" + +- name: "Create file: /etc/nginx/ssl.conf" + copy: + src: ssl_settings.conf + dest: /etc/nginx/ssl.conf + owner: nginx + group: nginx + notify: "Restart nginx" + +- name: "Create file: /etc/nginx/proxy.conf" + copy: + src: proxy_settings.conf + dest: /etc/nginx/proxy.conf + owner: nginx + group: nginx + mode: 0755 + notify: "Restart nginx" + +- name: "Create directory: /etc/nginx/passwd" + file: + path: /etc/nginx/passwd + state: directory + owner: nginx + group: nginx + mode: 0700 + +- name: "Create directory: /etc/nginx/conf.d" + file: + path: /etc/nginx/conf.d + state: directory + owner: nginx + group: nginx
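Review bot: Every file this hunk places under /etc/nginx is owned by `nginx:nginx` (proxy.conf even gets `mode: 0755`, the others inherit the umask), so the unprivileged worker user can rewrite the configuration that the root-running master parses on the next restart, turning any worker compromise into root-controlled config (a new `user` or `include` directive is enough). Configuration should be root-owned and read-only for nginx, i.e. `owner: root`, `group: root`, `mode: "0644"` on nginx.conf, ssl.conf, proxy.conf and the dhparam file, while /etc/nginx/passwd only needs to be traversable by the worker group (`root:nginx`, `"0750"`) since the workers read the htpasswd files inside it. The dhparam `get_url` has no `checksum:` and is re-fetched on every run, so a changed upstream file would be deployed and trigger a restart silently; ffdhe2048 is a fixed published group, so either vendor it into `files/` or pin it with `checksum: sha256:...`. Please also write modes as quoted strings (`"0644"`) per Ansible convention so YAML does not reinterpret the octal.

```yaml
- name: "Create file: /etc/nginx/nginx.conf"
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
    validate: nginx -t -c %s
  notify: "Restart nginx"

# … unchanged: same owner/group/mode change applied to the dhparam, ssl.conf and proxy.conf tasks …

- name: "Create directory: /etc/nginx/passwd"
  file:
    path: /etc/nginx/passwd
    state: directory
    owner: root
    group: nginx
    mode: "0750"
```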
diff --git a/roles/nginx/tasks/firewall.yml b/roles/nginx/tasks/firewall.yml @@ -0,0 +1,17 @@ +--- + +- name: "[nftables] Create rule for: nginx(http & https)" + copy: + src: nftables-rule.nft + dest: /etc/nftables.d/nginx.nft + notify: "Restart nftables" + when: + - services.nginx.sslOnly is false + +- name: "[nftables] Create rule for: nginx(https only)" + copy: + src: nftables-rule_httpsOnly.nft + dest: /etc/nftables.d/nginx.nft + notify: "Restart nftables" + when: + - services.nginx.sslOnly is true
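Review bot: Both tasks lost the `network.nftables.enable is true` guard the removed inline tasks carried, so on a host where nftables is not enabled the rule file is still copied into /etc/nftables.d and `Restart nftables` is notified, which either fails the play or restarts a firewall the host was never configured for. Restore `- network.nftables.enable is true` in both `when` lists (the unconditional `nftables-handler` dependency added in meta/main.yml has the same assumption baked in). Separately, the http-and-https task now requires `services.nginx.sslOnly is false`, which does not appear to hold when `sslOnly` is simply unset, whereas the old condition accepted `is not defined or is false`; the result is that neither rule file is written and no port is opened. Use `services.nginx.sslOnly | default(false) is false` on the first task and `services.nginx.sslOnly | default(false) is true` on the second so an unset variable keeps the previous behaviour.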
diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml @@ -0,0 +1,15 @@ +--- + +- name: "[Alpine] Install package: nginx" + apk: + name: nginx + state: present + when: + - ansible_distribution == "Alpine" + +- name: "[Archlinux] Install package: nginx" + pacman: + name: nginx + state: present + when: + - ansible_distribution == "Archlinux"
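Review bot: `update_cache: yes` was dropped from both package tasks compared with the removed inline versions, so on a freshly provisioned Alpine host with no apk index `apk add nginx` fails, and on Arch a stale sync database can resolve to a package version that is no longer on the mirror. Restore `update_cache: yes` on both the `apk` and `pacman` tasks, or add a dedicated cache-refresh task ahead of them.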
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml 
@@ -1,253 +1,36 @@ --- -#install it - -- name: "[Alpine] Install package: nginx" - apk: - name: nginx - state: present - update_cache: yes - when: - - ansible_distribution == "Alpine" - - services.nginx.enable is true - -- name: "[Archlinux] Install package: nginx" - pacman: - name: nginx - state: present - update_cache: yes - when: - - ansible_distribution == "Archlinux" - - services.nginx.enable is true - - -# configure it - -- name: adding user nginx to group acme-redirect - user: - name: nginx - groups: acme-redirect - append: yes - when: - - services.nginx.enable is true - - services.acme_redirect.enable is true - -- name: "Create directory: /etc/nginx/passwd" - file: - path: /etc/nginx/passwd - state: directory - owner: nginx - group: nginx - mode: 0700 - when: - - services.nginx.enable is true - -- name: Download dh-params from mozilla to /etc/nginx/dhparam - get_url: - url: https://ssl-config.mozilla.org/ffdhe2048.txt - dest: /etc/nginx/dhparam - owner: nginx - group: nginx - when: - - services.nginx.enable is true - -- name: "Create file: /etc/nginx/nginx.conf" - copy: - src: nginx.conf - dest: /etc/nginx/nginx.conf - owner: nginx - group: nginx - when: - - services.nginx.enable is true - -- name: "Create file: /etc/nginx/ssl.conf" - copy: - src: ssl_settings.conf - dest: /etc/nginx/ssl.conf - owner: nginx - group: nginx - when: - - services.nginx.enable is true - -- name: "Create file: /etc/nginx/proxy.conf" - copy: - src: proxy_settings.conf - dest: /etc/nginx/proxy.conf - owner: nginx - group: nginx - mode: 0755 - when: - - services.nginx.enable is true - -- name: "Create directory: /etc/nginx/conf.d" - file: - path: /etc/nginx/conf.d - state: directory - owner: nginx - group: nginx - when: - - services.nginx.enable is true - -- name: "Recreate directory: /etc/nginx/vhost" - file: - path: /etc/nginx/vhosts - state: "{{ item }}" - owner: nginx - group: nginx - with_items: - - absent - - directory - when: - - services.nginx.enable is true - -- name: 
Generate nginx vhosts - template: - src: vhost.conf.j2 - dest: /etc/nginx/vhosts/{{item.key}}.conf - owner: nginx - group: nginx - mode: 0644 - loop: "{{ lookup('dict', services.nginx.vhosts, wantlist=True) }}" - when: - - services.nginx.enable is true - - services.nginx.vhosts is defined - - -# firewall it - -- name: "[nftables] Create rule for: nginx(http & https)" - copy: - src: nftables-rule.nft - dest: /etc/nftables.d/nginx.nft - when: - - network.nftables.enable is true - - services.nginx.enable is true - - services.nginx.sslOnly is not defined or services.nginx.sslOnly is false - -- name: "[nftables] Create rule for: nginx(https only)" - copy: - src: nftables-rule_httpsOnly.nft - dest: /etc/nftables.d/nginx.nft +- include: install.yml when: - - network.nftables.enable is true + - services.nginx.enable is defined - services.nginx.enable is true - - services.nginx.sslOnly is defined - - services.nginx.sslOnly is true -- name: "[OpenRC] Restart service: nftables" - service: - name: nftables - state: restarted +- include: configure.yml when: - - ansible_service_mgr == "openrc" - - network.nftables.enable is true + - services.nginx.enable is defined - services.nginx.enable is true -- name: "[systemd] Restart service: nftables" - systemd: - name: nftables - state: restarted +- include: vhosts.yml when: - - ansible_service_mgr == "systemd" - - network.nftables.enable is true - - services.nginx.enable is true - - -# (re)start it - -- name: "[OpenRC] Enable and restart service: nginx" - service: - name: nginx - enabled: yes - state: restarted - when: - - ansible_service_mgr == "openrc" + - services.nginx.enable is defined - services.nginx.enable is true + - services.nginx.vhosts is defined -- name: "[systemd] Enable and restart service: nginx" - systemd: - name: nginx - enabled: yes - state: restarted +- include: firewall.yml when: - - ansible_service_mgr == "systemd" + - services.nginx.enable is defined - services.nginx.enable is true - - -# stop it - -- name: 
"[OpenRC] Disable and stop service: nginx" - service: - name: nginx - enabled: no - state: stopped - when: - - ansible_service_mgr == "openrc" - - services.nginx.enable is false - -- name: "[systemd] Disable and stop service: nginx" - systemd: - name: nginx - enabled: no - state: stopped - when: - - ansible_service_mgr == "systemd" - - services.nginx.enable is false - - -#defirewall it - -- name: "[nftables] Delete rule for: bind" - file: - path: /etc/nftables.d/bind.nft - state: absent - when: - network.nftables.enable is true - - services.nginx.enable is false -- name: "[OpenRC] Restart service: nftables" - service: - name: nftables - state: restarted +- include: start.yml when: - - ansible_service_mgr == "openrc" - - network.nftables.enable is true - - services.nginx.enable is false + - services.nginx.enable is defined + - services.nginx.enable is true -- name: "[systemd] Restart service: nftables" - systemd: - name: nftables - state: restarted +- include: remove.yml when: - - ansible_service_mgr == "systemd" - - network.nftables.enable is true - - services.nginx.enable is false - - -# remove it - -- name: "[Alpine] Remove package: nginx" - apk: - name: nginx - state: absent - when: - - ansible_distribution == "Alpine" - - services.nginx.enable is false - -- name: "[Archlinux] Remove package: nginx" - pacman: - name: nginx - state: absent - when: - - ansible_distribution == "Archlinux" + - services.nginx.enable is defined - services.nginx.enable is false - -# remove leftover files - -- name: "Remove directory: /etc/nginx" - file: - path: /etc/nginx - state: absent - when: - - services.nginx.enable is false +- name: Run handlers + meta: flush_handlers
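Review bot: The new main.yml uses the bare `include:` keyword, which has been deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic) and is slated for removal, so this file will stop loading on a newer ansible-core. `import_tasks: install.yml` with `when: services.nginx.enable | default(false) | bool` keeps the current semantics, because the condition is copied onto every imported task exactly as `include` did, and it also collapses the repeated `is defined` / `is true` pair. This hunk covers the whole of main.yml, so the trailing `meta: flush_handlers` is the last thing the role does and is correctly placed after `remove.yml`.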
diff --git a/roles/nginx/tasks/remove.yml b/roles/nginx/tasks/remove.yml @@ -0,0 +1,43 @@ +--- + +- name: "[OpenRC] Disable and stop service: nginx" + service: + name: nginx + enabled: no + state: stopped + when: + - ansible_service_mgr == "openrc" + +- name: "[systemd] Disable and stop service: nginx" + systemd: + name: nginx + enabled: no + state: stopped + when: + - ansible_service_mgr == "systemd" + +- name: "[Alpine] Remove package: nginx" + apk: + name: nginx + state: absent + when: + - ansible_distribution == "Alpine" + +- name: "[Archlinux] Remove package: nginx" + pacman: + name: nginx + state: absent + when: + - ansible_distribution == "Archlinux" + + +- name: "Remove directory: /etc/nginx" + file: + path: /etc/nginx + state: absent + +- name: "[nftables] Delete rule for: nginx" + file: + path: /etc/nftables.d/nginx.nft + state: absent + notify: "Restart nftables"
diff --git a/roles/nginx/tasks/start.yml b/roles/nginx/tasks/start.yml @@ -0,0 +1,17 @@ +--- + +- name: "[OpenRC] Start and enable service: nginx" + service: + name: nginx + enabled: yes + state: started + when: + - ansible_service_mgr == "openrc" + +- name: "[systemd] Start and enable service: nginx" + systemd: + name: nginx + enabled: yes + state: started + when: + - ansible_service_mgr == "systemd"+ \ No newline at end of file
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml @@ -0,0 +1,39 @@ +--- + +- name: "Create directory: /etc/nginx/vhost" + file: + path: /etc/nginx/vhosts + state: directory + owner: nginx + group: nginx + +- name: Generate nginx vhosts + template: + src: vhost.conf.j2 + dest: /etc/nginx/vhosts/{{item.key}}.conf + owner: nginx + group: nginx + mode: 0644 + notify: "Restart nginx" + register: deployed_nginx_vhosts + loop: "{{ lookup('dict', services.nginx.vhosts, wantlist=True) }}" + +- name: "Collect files in directory: /etc/nginx/vhosts" + find: + path: /etc/nginx/vhosts + hidden: yes + register: nginx_vhosts + check_mode: no + changed_when: false + when: + - services.acme_redirect.certs is defined + +- name: "Remove unmanaged files in directory: /etc/nginx/vhosts" + file: + path: "/etc/nginx/vhosts/{{ item.path | basename }}" + state: absent + with_items: + - "{{ nginx_vhosts.files }}" + notify: "Restart nginx" + when: + - (item.path) not in ( deployed_nginx_vhosts | json_query('results[].invocation.module_args.dest') | list )+ \ No newline at end of file
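Review bot: The cleanup at the end of the hunk is wired to the wrong variable: the `find` task only runs when `services.acme_redirect.certs is defined`, but the removal task iterates `nginx_vhosts.files` unconditionally, so on a host without that acme variable the registered result is a skipped task with no `files` key and the play fails at `with_items`. Drop the `when` from the `find` task (nothing in it depends on acme_redirect) or guard the loop with `"{{ nginx_vhosts.files | default([]) }}"`. The comparison also relies on `json_query`, which needs the `jmespath` library on the controller; `deployed_nginx_vhosts.results | map(attribute='invocation.module_args.dest') | list` produces the same list with core filters only. Finally, `{{item.key}}` is used verbatim as a file name; the keys come from inventory so this is operator-controlled, but a `| basename` on `dest` would keep a mistyped key containing `/` from writing outside /etc/nginx/vhosts.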
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 @@ -0,0 +1,63 @@ +# +# !!! This file is managed by Ansible !!! +# + +user nginx; + +worker_processes auto; + +pcre_jit on; + +error_log /var/log/nginx/error.log warn; + +include /etc/nginx/modules/*.conf; + + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + server_tokens off; + + server_names_hash_bucket_size 64; + + types_hash_max_size 1024; + types_hash_bucket_size 128; + + client_max_body_size 1G; + + keepalive_timeout 65; + + sendfile on; + + tcp_nodelay on; + + ssl_prefer_server_ciphers on; + + ssl_session_cache shared:SSL:2m; + + gzip on; + + gzip_vary on; + + #gzip_static on; + + + # Specifies the main log format. + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + {% if services.nginx.extraConfig is defined %} + {{ services.nginx.extraConfig }} + {% endif %} + + access_log /var/log/nginx/access.log main; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/vhosts/*.conf; +}
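Review bot: `client_max_body_size 1G` in the http block raises the previous global 1m limit to a gigabyte for every vhost on the host, so any endpoint now accepts, and nginx spools to a temp file on disk, up to 1 GiB per request before the backend sees it, which is a cheap disk-exhaustion and bandwidth DoS against vhosts that never expect uploads. Keep the global default small and raise it only in the `server` or `location` blocks that actually take uploads, for example through the vhost template or the new `extraConfig` hook. Relatedly, `{{ services.nginx.extraConfig }}` is spliced in verbatim, which is fine for operator-owned host vars but deserves a comment saying so: `# extraConfig is inserted unescaped into the http{} block; only set it from inventory you control`. The `ssl_prefer_server_ciphers on` carried over from the old file is also worth checking against ssl.conf, since Mozilla's current intermediate profile sets it to off.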