
commit f503d5407cd6c4979f4301ee95c0c487e506f975
parent 99d49d7500bf693c98d33da441679a1434739dc4
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 22 Feb 2021 16:57:41 +0100

roles/nginx: split tasks into multiple files, use handler
13 files changed, 292 insertions(+), 311 deletions(-)
D
roles/nginx-handler/handlers/main.yml
|
19
-------------------
D
roles/nginx/files/nginx.conf
|
59
-----------------------------------------------------------
A
roles/nginx/handlers/main.yml
|
17
+++++++++++++++++
A
roles/nginx/meta/main.yml
|
5
+++++
A
roles/nginx/tasks/checks.yml
|
1
+
A
roles/nginx/tasks/configure.yml
|
57
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
roles/nginx/tasks/firewall.yml
|
17
+++++++++++++++++
A
roles/nginx/tasks/install.yml
|
15
+++++++++++++++
M
roles/nginx/tasks/main.yml
|
249
++++++-------------------------------------------------------------------------
A
roles/nginx/tasks/remove.yml
|
43
+++++++++++++++++++++++++++++++++++++++++++
A
roles/nginx/tasks/start.yml
|
18
++++++++++++++++++
A
roles/nginx/tasks/vhosts.yml
|
40
++++++++++++++++++++++++++++++++++++++++
A
roles/nginx/templates/nginx.conf.j2
|
63
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/roles/nginx-handler/handlers/main.yml b/roles/nginx-handler/handlers/main.yml
@@ -1,19 +0,0 @@
----
-
-- name: "[OpenRC] Restart service: nginx"
-  service:
-    name: nginx
-    state: restarted
-  when:
-    - ansible_service_mgr == "openrc"
-    - services.nginx.enable is true
-  listen: "Restart nginx"
-
-- name: "[systemd] Restart service: nginx"
-  systemd:
-    name: nginx
-    state: restarted
-  when:
-    - ansible_service_mgr == "systemd"
-    - services.nginx.enable is true
-  listen: "Restart nginx"
diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf
@@ -1,59 +0,0 @@
-#
-# !!! This file is managed by Ansible !!!
-#
-
-user nginx;
-
-worker_processes auto;
-
-pcre_jit on;
-
-error_log /var/log/nginx/error.log warn;
-
-include /etc/nginx/modules/*.conf;
-
-
-events {
-	worker_connections 1024;
-}
-
-http {
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	server_tokens off;
-
-	server_names_hash_bucket_size 64;
-
-	types_hash_max_size 1024;
-	types_hash_bucket_size 128;
-
-	client_max_body_size 1m;
-
-	keepalive_timeout 65;
-
-	sendfile on;
-
-	tcp_nodelay on;
-
-	ssl_prefer_server_ciphers on;
-
-	ssl_session_cache shared:SSL:2m;
-
-	gzip on;
-
-	gzip_vary on;
-
-	#gzip_static on;
-
-
-	# Specifies the main log format.
-	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-			'$status $body_bytes_sent "$http_referer" '
-			'"$http_user_agent" "$http_x_forwarded_for"';
-
-	access_log /var/log/nginx/access.log main;
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/vhosts/*.conf;
-}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "[OpenRC] Restart service: nginx (to deploy config changes)"
+  service:
+    name: nginx
+    state: restarted
+  when:
+    - ansible_service_mgr == "openrc"
+  listen: "Restart nginx"
+
+- name: "[systemd] Restart service: nginx (to deploy config changes)"
+  systemd:
+    name: nginx
+    state: restarted
+  when:
+    - ansible_service_mgr == "systemd"
+  listen: "Restart nginx"
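Review bot: Both handlers use `state: restarted`, which drops in-flight connections on every config change, while nginx can pick up a new configuration with a reload; `state: reloaded` is supported by both the `service` and `systemd` modules and is the gentler default for the "deploy config changes" case these handlers are named for. This should be safe here because main.yml runs start.yml before its `meta: flush_handlers`, so nginx is already running when the handler fires, but confirm that on a first install on OpenRC. Dropping the old `services.nginx.enable is true` guard is fine as long as every `notify: "Restart nginx"` stays inside the includes that are themselves guarded by that variable, which is the case in this commit.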
diff --git a/roles/nginx/meta/main.yml b/roles/nginx/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: nftables-handler+
\ No newline at end of file
diff --git a/roles/nginx/tasks/checks.yml b/roles/nginx/tasks/checks.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/nginx/tasks/configure.yml b/roles/nginx/tasks/configure.yml
@@ -0,0 +1,57 @@
+---
+
+- name: adding user nginx to group acme-redirect
+  user:
+    name: nginx
+    groups: acme-redirect
+    append: yes
+  when: 
+    - services.acme_redirect.enable is true
+
+- name: Download dh-params from mozilla to /etc/nginx/dhparam
+  get_url:
+    url: https://ssl-config.mozilla.org/ffdhe2048.txt
+    dest: /etc/nginx/dhparam
+    owner: nginx
+    group: nginx
+  notify: "Restart nginx"
+
+- name: "Create file: /etc/nginx/nginx.conf"
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: nginx
+    group: nginx
+  notify: "Restart nginx"
+
+- name: "Create file: /etc/nginx/ssl.conf"
+  copy:
+    src: ssl_settings.conf
+    dest: /etc/nginx/ssl.conf
+    owner: nginx
+    group: nginx
+  notify: "Restart nginx"
+
+- name: "Create file: /etc/nginx/proxy.conf"
+  copy:
+    src: proxy_settings.conf
+    dest: /etc/nginx/proxy.conf
+    owner: nginx
+    group: nginx
+    mode: 0755
+  notify: "Restart nginx"
+
+- name: "Create directory: /etc/nginx/passwd"
+  file:
+    path:  /etc/nginx/passwd
+    state: directory
+    owner: nginx
+    group: nginx
+    mode:  0700
+
+- name: "Create directory: /etc/nginx/conf.d"
+  file:
+    path: /etc/nginx/conf.d
+    state: directory
+    owner: nginx
+    group: nginx
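Review bot: The dhparam fetch (`url: https://ssl-config.mozilla.org/ffdhe2048.txt`) has no integrity check, so whatever the remote serves lands in /etc/nginx/dhparam and triggers a restart; since ffdhe2048 is a fixed, published group, add `checksum: "sha256:<FFDHE2048_SHA256_PLACEHOLDER>"`, or ship the file with the role and use `copy` to drop the network dependency at play time. The managed config files (`/etc/nginx/nginx.conf`, `ssl.conf`, `proxy.conf`) are written with `owner: nginx`/`group: nginx`, which gives the unprivileged worker account write access to the configuration that the master process (typically running as root, given `user nginx;` in the template) reads on the next restart; `owner: root`, `group: root`, `mode: "0644"` keeps them readable without that write access, while the `passwd` directory correctly stays nginx-owned since the worker reads it. `mode: 0755` on proxy.conf is also an unquoted octal and sets an executable bit on a config file — `mode: "0644"`. The `yes` booleans here (`append: yes`) and in remove.yml, start.yml and vhosts.yml (`hidden: yes`) read more clearly as `true`/`false`, and the `when: ` line carries trailing whitespace.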
diff --git a/roles/nginx/tasks/firewall.yml b/roles/nginx/tasks/firewall.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "[nftables] Create rule for: nginx(http & https)"
+  copy:
+    src: nftables-rule.nft
+    dest: /etc/nftables.d/nginx.nft
+  notify: "Restart nftables"
+  when: 
+    - services.nginx.sslOnly is false
+
+- name: "[nftables] Create rule for: nginx(https only)"
+  copy:
+    src: nftables-rule_httpsOnly.nft
+    dest: /etc/nftables.d/nginx.nft
+  notify: "Restart nftables"
+  when:
+    - services.nginx.sslOnly is true
diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml
@@ -0,0 +1,15 @@
+---
+
+- name: "[Alpine] Install package: nginx" 
+  apk:
+    name: nginx
+    state: present
+  when:
+    - ansible_distribution == "Alpine" 
+
+- name: "[Archlinux] Install package: nginx" 
+  pacman:
+    name: nginx
+    state: present
+  when:
+    - ansible_distribution == "Archlinux" 
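Review bot: Both install tasks dropped the `update_cache: yes` that the removed main.yml tasks had, so on a freshly provisioned Alpine host with no apk index cached, `apk add nginx` can fail before any other task runs; the same applies to `pacman` on Archlinux. If the package index refresh is intentionally handled by an earlier role, ignore this; otherwise restore `update_cache: true` on both tasks. The quoted task names and the `ansible_distribution` lines carry trailing whitespace.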
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
@@ -1,253 +1,36 @@
 ---
 
-#install it
-
-- name: "[Alpine] Install package: nginx" 
-  apk:
-    name: nginx
-    state: present
-    update_cache: yes
-  when: 
-    - ansible_distribution == "Alpine" 
-    - services.nginx.enable is true
-
-- name: "[Archlinux] Install package: nginx" 
-  pacman:
-    name: nginx
-    state: present
-    update_cache: yes
-  when: 
-    - ansible_distribution == "Archlinux" 
-    - services.nginx.enable is true
-
-
-# configure it
-
-- name: adding user nginx to group acme-redirect
-  user:
-    name: nginx
-    groups: acme-redirect
-    append: yes
-  when: 
-    - services.nginx.enable is true
-    - services.acme_redirect.enable is true
-
-- name: "Create directory: /etc/nginx/passwd"
-  file:
-    path:  /etc/nginx/passwd
-    state: directory
-    owner: nginx
-    group: nginx
-    mode:  0700
-  when: 
-    - services.nginx.enable is true
-
-- name: Download dh-params from mozilla to /etc/nginx/dhparam
-  get_url:
-    url: https://ssl-config.mozilla.org/ffdhe2048.txt
-    dest: /etc/nginx/dhparam
-    owner: nginx
-    group: nginx    
-  when: 
-    - services.nginx.enable is true
-
-- name: "Create file: /etc/nginx/nginx.conf"
-  copy:
-    src: nginx.conf
-    dest: /etc/nginx/nginx.conf
-    owner: nginx
-    group: nginx
-  when: 
-    - services.nginx.enable is true
-
-- name: "Create file: /etc/nginx/ssl.conf"
-  copy:
-    src: ssl_settings.conf
-    dest: /etc/nginx/ssl.conf
-    owner: nginx
-    group: nginx
-  when: 
-    - services.nginx.enable is true
-
-- name: "Create file: /etc/nginx/proxy.conf"
-  copy:
-    src: proxy_settings.conf
-    dest: /etc/nginx/proxy.conf
-    owner: nginx
-    group: nginx
-    mode: 0755
-  when: 
-    - services.nginx.enable is true
-
-- name: "Create directory: /etc/nginx/conf.d"
-  file:
-    path: /etc/nginx/conf.d
-    state: directory
-    owner: nginx
-    group: nginx
-  when: 
-    - services.nginx.enable is true
-
-- name: "Recreate directory: /etc/nginx/vhost"
-  file:
-    path: /etc/nginx/vhosts
-    state: "{{ item }}"
-    owner: nginx
-    group: nginx
-  with_items:
-    - absent
-    - directory
-  when: 
-    - services.nginx.enable is true
-
-- name: Generate nginx vhosts
-  template:
-    src: vhost.conf.j2
-    dest: /etc/nginx/vhosts/{{item.key}}.conf
-    owner: nginx
-    group: nginx
-    mode: 0644
-  loop: "{{ lookup('dict', services.nginx.vhosts, wantlist=True) }}"
-  when: 
-    - services.nginx.enable is true
-    - services.nginx.vhosts is defined
-
-
-# firewall it
-
-- name: "[nftables] Create rule for: nginx(http & https)"
-  copy:
-    src: nftables-rule.nft
-    dest: /etc/nftables.d/nginx.nft
-  when: 
-    - network.nftables.enable is true
-    - services.nginx.enable is true
-    - services.nginx.sslOnly is not defined or services.nginx.sslOnly is false
-
-- name: "[nftables] Create rule for: nginx(https only)"
-  copy:
-    src: nftables-rule_httpsOnly.nft
-    dest: /etc/nftables.d/nginx.nft
+- include: install.yml
   when:
-    - network.nftables.enable is true
+    - services.nginx.enable is defined
     - services.nginx.enable is true
-    - services.nginx.sslOnly is defined
-    - services.nginx.sslOnly is true
 
-- name: "[OpenRC] Restart service: nftables"
-  service:
-    name: nftables
-    state: restarted
+- include: configure.yml
   when:
-    - ansible_service_mgr == "openrc"
-    - network.nftables.enable is true
+    - services.nginx.enable is defined
     - services.nginx.enable is true
 
-- name: "[systemd] Restart service: nftables"
-  systemd:
-    name: nftables
-    state: restarted
+- include: vhosts.yml
   when:
-    - ansible_service_mgr == "systemd"
-    - network.nftables.enable is true
-    - services.nginx.enable is true
-
-
-# (re)start it
-
-- name: "[OpenRC] Enable and restart service: nginx"
-  service:
-    name: nginx
-    enabled: yes
-    state: restarted
-  when:
-    - ansible_service_mgr == "openrc"
+    - services.nginx.enable is defined
     - services.nginx.enable is true
+    - services.nginx.vhosts is defined
 
-- name: "[systemd] Enable and restart service: nginx"
-  systemd:
-    name: nginx
-    enabled: yes
-    state: restarted
+- include: firewall.yml
   when:
-    - ansible_service_mgr == "systemd"
+    - services.nginx.enable is defined
     - services.nginx.enable is true
-
-
-# stop it 
-
-- name: "[OpenRC] Disable and stop service: nginx"
-  service:
-    name: nginx
-    enabled: no
-    state: stopped
-  when:
-    - ansible_service_mgr == "openrc"
-    - services.nginx.enable is false
-
-- name: "[systemd] Disable and stop service: nginx"
-  systemd:
-    name: nginx
-    enabled: no
-    state: stopped
-  when:
-    - ansible_service_mgr == "systemd"
-    - services.nginx.enable is false
-
-
-#defirewall it
-
-- name: "[nftables] Delete rule for: bind"
-  file:
-    path: /etc/nftables.d/bind.nft
-    state: absent
-  when: 
     - network.nftables.enable is true
-    - services.nginx.enable is false
 
-- name: "[OpenRC] Restart service: nftables"
-  service:
-    name: nftables
-    state: restarted
+- include: start.yml
   when:
-    - ansible_service_mgr == "openrc"
-    - network.nftables.enable is true
-    - services.nginx.enable is false
+    - services.nginx.enable is defined
+    - services.nginx.enable is true
 
-- name: "[systemd] Restart service: nftables"
-  systemd:
-    name: nftables
-    state: restarted
+- include: remove.yml
   when:
-    - ansible_service_mgr == "systemd"
-    - network.nftables.enable is true
-    - services.nginx.enable is false
-
-
-# remove it 
-
-- name: "[Alpine] Remove package: nginx" 
-  apk:
-    name: nginx
-    state: absent
-  when: 
-    - ansible_distribution == "Alpine" 
-    - services.nginx.enable is false
-
-- name: "[Archlinux] Remove package: nginx" 
-  pacman:
-    name: nginx
-    state: absent
-  when: 
-    - ansible_distribution == "Archlinux" 
+    - services.nginx.enable is defined
     - services.nginx.enable is false
 
-
-# remove leftover files
-
-- name: "Remove directory: /etc/nginx"
-  file:
-    path: /etc/nginx
-    state: absent
-  when: 
-    - services.nginx.enable is false
+- name: Run handlers
+  meta: flush_handlers
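Review bot: The new file uses bare `include:`, which Ansible has deprecated since 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); with a `when:` on the include, `- include_tasks: install.yml` evaluates the condition once, while `- import_tasks: install.yml` pushes the condition down onto every imported task, so pick the one that matches the intended semantics and use it consistently across all six includes. The repeated pair `services.nginx.enable is defined` / `is true` could be collapsed to `services.nginx.enable | default(false)` (and `not (… | default(false))` for remove.yml), which also makes the default explicit. Note that remove.yml is included whenever `enable` is `false`, but not when it is undefined, so a host that never declares the variable is neither configured nor cleaned up — confirm that is intended.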
diff --git a/roles/nginx/tasks/remove.yml b/roles/nginx/tasks/remove.yml
@@ -0,0 +1,43 @@
+---
+
+- name: "[OpenRC] Disable and stop service: nginx"
+  service:
+    name: nginx
+    enabled: no
+    state: stopped
+  when:
+    - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Disable and stop service: nginx"
+  systemd:
+    name: nginx
+    enabled: no
+    state: stopped
+  when:
+    - ansible_service_mgr == "systemd"
+
+- name: "[Alpine] Remove package: nginx" 
+  apk:
+    name: nginx
+    state: absent
+  when: 
+    - ansible_distribution == "Alpine" 
+
+- name: "[Archlinux] Remove package: nginx" 
+  pacman:
+    name: nginx
+    state: absent
+  when: 
+    - ansible_distribution == "Archlinux" 
+
+
+- name: "Remove directory: /etc/nginx"
+  file:
+    path: /etc/nginx
+    state: absent
+
+- name: "[nftables] Delete rule for: nginx"
+  file:
+    path: /etc/nftables.d/nginx.nft
+    state: absent
+  notify: "Restart nftables"
diff --git a/roles/nginx/tasks/start.yml b/roles/nginx/tasks/start.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "[OpenRC] Start and enable service: nginx"
+  service:
+    name: nginx
+    enabled: yes
+    state: started
+  when: 
+    - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Start and enable service: nginx"
+  systemd:
+    name: nginx
+    enabled: yes
+    state: started
+  when: 
+    - ansible_service_mgr == "systemd"+
\ No newline at end of file
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
@@ -0,0 +1,39 @@
+---
+
+- name: "Create directory: /etc/nginx/vhost"
+  file:
+    path: /etc/nginx/vhosts
+    state: directory
+    owner: nginx
+    group: nginx
+
+- name: Generate nginx vhosts
+  template:
+    src: vhost.conf.j2
+    dest: /etc/nginx/vhosts/{{item.key}}.conf
+    owner: nginx
+    group: nginx
+    mode: 0644
+  notify: "Restart nginx"
+  register: deployed_nginx_vhosts
+  loop: "{{ lookup('dict', services.nginx.vhosts, wantlist=True) }}"
+
+- name: "Collect files in directory: /etc/nginx/vhosts"
+  find:
+    path: /etc/nginx/vhosts
+    hidden: yes
+  register: nginx_vhosts
+  check_mode: no
+  changed_when: false
+  when:
+    - services.acme_redirect.certs is defined
+
+- name: "Remove unmanaged files in directory: /etc/nginx/vhosts"
+  file:
+    path: "/etc/nginx/vhosts/{{ item.path | basename }}"
+    state: absent
+  with_items:
+    - "{{ nginx_vhosts.files }}"
+  notify: "Restart nginx"
+  when:
+    - (item.path) not in ( deployed_nginx_vhosts | json_query('results[].invocation.module_args.dest') | list )+
\ No newline at end of file
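Review bot: The cleanup task at the end reads `nginx_vhosts.files` unconditionally, but the `find` that registers it is skipped unless `services.acme_redirect.certs is defined`, so on a host without that variable the removal task fails on an undefined `nginx_vhosts.files` (a skipped task registers a result without that key). The condition looks unrelated to vhost cleanup; dropping the two `when:` lines from the `find` task, or giving the removal task the same guard, keeps the two tasks consistent. `json_query` also requires the `jmespath` library on the controller, which is worth recording in the role's requirements since a missing library surfaces only at the removal step.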
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,63 @@
+#
+# !!! This file is managed by Ansible !!!
+#
+
+user nginx;
+
+worker_processes auto;
+
+pcre_jit on;
+
+error_log /var/log/nginx/error.log warn;
+
+include /etc/nginx/modules/*.conf;
+
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	server_tokens off;
+
+	server_names_hash_bucket_size 64;
+
+	types_hash_max_size 1024;
+	types_hash_bucket_size 128;
+
+	client_max_body_size 1G;
+
+	keepalive_timeout 65;
+
+	sendfile on;
+
+	tcp_nodelay on;
+
+	ssl_prefer_server_ciphers on;
+
+	ssl_session_cache shared:SSL:2m;
+
+	gzip on;
+
+	gzip_vary on;
+
+	#gzip_static on;
+
+
+	# Specifies the main log format.
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+	{% if services.nginx.extraConfig is defined %}
+	{{ services.nginx.extraConfig }}
+	{% endif %}
+
+	access_log /var/log/nginx/access.log main;
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/vhosts/*.conf;
+}
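Review bot: `client_max_body_size 1G` in the `http` block raises the request-body cap for every vhost, including ones that never expect uploads; a smaller default here with a per-server or per-location override (via the vhost template or `services.nginx.extraConfig`) keeps the large limit only where it is needed. The `{% if services.nginx.extraConfig is defined %}` block splices operator-provided directives straight into the `http` context, so a typo there takes the whole server down on the restart the handler triggers; adding `validate: nginx -t -c %s` to the template task in configure.yml would reject a broken render before it is installed.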