add an nginx role
parent
953c27a866
commit
496885341d
12 changed files with 498 additions and 0 deletions
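--- a/nginx/README.md
+++ b/nginx/README.md
@@ -0,0 +1,18 @@
+# nginx
+
+Install Nginx.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Main variables are :
+
+* `nginx_worker_processes` : number of worker processes ;
+* `nginx_default_redirect_url` : URL to redirect to in case of error ;
+* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the whitelist.
+* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist.
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.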
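--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -0,0 +1,8 @@
+nginx_worker_processes: '{{ ansible_processor_vcpus }}'
+nginx_default_redirect_url: "http://evolix.fr"
+
+nginx_private_ipaddr_whitelist_present: []
+nginx_private_ipaddr_whitelist_absent: []
+
+nginx_private_htpasswd_present: []
+nginx_private_htpasswd_absent: []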
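Review bot: The list variables defined here are `nginx_private_ipaddr_whitelist_present`/`_absent` and `nginx_private_htpasswd_present`/`_absent`, but the README added in this same commit documents `nginx_ipaddr_whitelist_present`/`_absent` and never mentions the htpasswd lists, so a user following the README sets variables the tasks never read and the whitelist stays empty — which, with `deny all;` in the default site, leaves Basic auth as the only way in. Either rename here or fix the README to match, and document that `nginx_private_htpasswd_*` entries are written verbatim by `lineinfile`, so they must be `user:hash` lines nginx accepts, not plaintext passwords. `nginx_default_redirect_url` also defaults to a plain `http://` URL although it is only used by the TLS-only site as the 403 target; an `https://` default would avoid bouncing a rejected client onto cleartext.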
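--- a/nginx/files/init.d/spawn-fcgi-munin-graph
+++ b/nginx/files/init.d/spawn-fcgi-munin-graph
@@ -0,0 +1,130 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: spawn-fcgi-munin-graph
+# Required-Start: $all
+# Required-Stop: $all
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Description: starts FastCGI for Munin-Graph
+### END INIT INFO
+# --------------------------------------------------------------
+# Munin-CGI-Graph Spawn-FCGI Startscript by Julien Schmidt
+# eMail: munin-trac at julienschmidt.com
+# www: http://www.julienschmidt.com
+# --------------------------------------------------------------
+# Install:
+# 1. Copy this file to /etc/init.d
+# 2. Edit the variables below
+# 3. run "update-rc.d spawn-fcgi-munin-graph defaults"
+# --------------------------------------------------------------
+# Special thanks for their help to:
+# Frantisek Princ
+# J<>r<EFBFBD>me Warnier
+# --------------------------------------------------------------
+# Last Update: 14. February 2013
+#
+# Please change the following variables:
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+NAME=spawn-fcgi-munin-graph
+PID_FILE=/var/run/munin/$NAME.pid
+SOCK_FILE=/var/run/munin/$NAME.sock
+SOCK_USER=www-data
+FCGI_USER=munin
+FCGI_GROUP=munin
+FCGI_WORKERS=2
+DAEMON=/usr/bin/spawn-fcgi
+DAEMON_OPTS="-s $SOCK_FILE -F $FCGI_WORKERS -U $SOCK_USER -u $FCGI_USER -g $FCGI_GROUP -P $PID_FILE -- /usr/lib/munin/cgi/munin-cgi-graph"
+
+# --------------------------------------------------------------
+# No edits necessary beyond this line
+# --------------------------------------------------------------
+
+if [ ! -x $DAEMON ]; then
+echo "File not found or is not executable: $DAEMON!"
+exit 0
+fi
+
+status() {
+if [ ! -r $PID_FILE ]; then
+return 1
+fi
+
+for FCGI_PID in `cat $PID_FILE`; do
+if [ -z "${FCGI_PID}" ]; then
+return 1
+fi
+
+FCGI_RUNNING=`ps -p ${FCGI_PID} | grep ${FCGI_PID}`
+if [ -z "${FCGI_RUNNING}" ]; then
+return 1
+fi
+done;
+
+return 0
+}
+
+start() {
+if status; then
+echo "FCGI is already running!"
+exit 1
+else
+$DAEMON $DAEMON_OPTS
+fi
+}
+
+stop () {
+if ! status; then
+echo "No PID-file at $PID_FILE found or PID not valid. Maybe not running"
+exit 1
+fi
+
+# Kill processes
+for PID_RUNNING in `cat $PID_FILE`; do
+kill -9 $PID_RUNNING
+done
+
+# Remove PID-file
+rm -f $PID_FILE
+
+# Remove Sock-File
+rm -f $SOCK_FILE
+}
+
+case "$1" in
+start)
+echo "Starting $NAME: "
+start
+echo "... DONE"
+;;
+
+stop)
+echo "Stopping $NAME: "
+stop
+echo "... DONE"
+;;
+
+force-reload|restart)
+echo "Stopping $NAME: "
+stop
+echo "Starting $NAME: "
+start
+echo "... DONE"
+;;
+
+status)
+if status; then
+echo "FCGI is RUNNING"
+else
+echo "FCGI is NOT RUNNING"
+fi
+;;
+
+*)
+echo "Usage: $0 {start|stop|force-reload|restart|status}"
+exit 1
+;;
+esac
+
+exit 0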
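Review bot: `stop` goes straight to `kill -9` on every PID listed in the PID file, so spawn-fcgi and its munin-cgi-graph workers never get to close the socket cleanly, and `status` decides liveness with `ps -p ${FCGI_PID} | grep ${FCGI_PID}`, which also matches when the digits appear in another column (TTY, TIME) or in a longer PID. I would send TERM first, `kill -TERM $PID_RUNNING`, and test the PID directly, `FCGI_RUNNING=$(ps -p "${FCGI_PID}" -o pid=)`; the unquoted `$PID_FILE`/`$DAEMON`/`$PID_RUNNING` expansions should be quoted throughout as well. Note also that the script exits 0 when `$DAEMON` is missing, so `service … start` reports success without starting anything; a non-zero status there would let the Ansible service task catch it.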
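--- a/nginx/files/munin/plugin-conf.d/evolinux.nginx
+++ b/nginx/files/munin/plugin-conf.d/evolinux.nginx
@@ -0,0 +1,2 @@
+[nginx_*]
+env.url http://munin/nginx_status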
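--- a/nginx/files/nginx/snippets/private_htpasswd
+++ b/nginx/files/nginx/snippets/private_htpasswd
@@ -0,0 +1 @@
+# user:password for HTTP Basic authentication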
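--- a/nginx/files/nginx/snippets/private_ipaddr_whitelist
+++ b/nginx/files/nginx/snippets/private_ipaddr_whitelist
@@ -0,0 +1 @@
+# Whitelisted IP addresses, used in default site…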
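--- a/nginx/handlers/main.yml
+++ b/nginx/handlers/main.yml
@@ -0,0 +1,16 @@
+
+---
+- name: restart nginx
+service:
+name: nginx
+state: restarted
+
+- name: reload nginx
+service:
+name: nginx
+state: reloaded
+
+- name: restart munin
+service:
+name: munin-node
+state: restarted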
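Review bot: `tasks/configure_munin.yml` in this commit ends with `notify: restart spawn-fcgi-munin-graph`, but this file defines only `restart nginx`, `reload nginx` and `restart munin`, so the first run in which that task reports a change aborts the play with a handler-not-found error. Add the missing handler here; its `name` must match the notify string exactly. The `restart munin` handler actually restarts `munin-node`, which is the right service for the plugin symlinks, but naming it `restart munin-node` would make that clear at the call site.
```yaml
- name: restart spawn-fcgi-munin-graph
  service:
    name: spawn-fcgi-munin-graph
    state: restarted
```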
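--- a/nginx/tasks/configure_munin.yml
+++ b/nginx/tasks/configure_munin.yml
@@ -0,0 +1,52 @@
+---
+- name: Add munin to hosts
+lineinfile:
+dest: /etc/hosts
+regexp: 'munin$'
+line: '127.0.0.1 munin'
+
+- name: Copy Munin config for Nginx
+copy:
+src: munin/plugin-conf.d/evolinux.nginx
+dest: /etc/munin/plugin-conf.d/
+mode: 0644
+notify: restart munin
+
+- name: Enable Munin plugins for Nginx
+file:
+src: '/usr/share/munin/plugins/{{ item }}'
+dest: '/etc/munin/plugins/{{ item }}'
+state: link
+with_items:
+- nginx_request
+- nginx_status
+notify: restart munin
+
+- name: Ensure packages for Munin CGI are installed
+apt:
+name: '{{ item }}'
+state: installed
+with_items:
+- liblwp-useragent-determined-perl
+- spawn-fcgi
+
+- name: Adjust rights for munin-cgi
+file:
+path: '{{ item }}'
+owner: munin
+group: adm
+with_fileglob:
+- /var/log/munin/munin-cgi-*
+
+- name: Install Init script for Munin-fcgi
+copy:
+src: init.d/spawn-fcgi-munin-graph
+dest: /etc/init.d/
+mode: 0755
+
+- name: Ensure that Munin-fcgi is started/stopped correctly
+service:
+name: spawn-fcgi-munin-graph
+enabled: yes
+state: started
+notify: restart spawn-fcgi-munin-graph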
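Review bot: The last task notifies `restart spawn-fcgi-munin-graph`, which is not among the handlers this commit adds (`handlers/main.yml` has only the nginx and munin-node handlers), so the first run that starts the service fails on an undefined handler; since that same task already ensures the service is started, the `notify: restart spawn-fcgi-munin-graph` line can simply be dropped, or the handler defined. Separately, `regexp: 'munin$'` on `/etc/hosts` rewrites any existing line whose last hostname merely ends in `munin` (e.g. `backup-munin`); anchoring it as `regexp: '(^|\s)munin$'` limits the edit to the intended alias. The init script copied here also changes the `spawn-fcgi` command line only when the file changes, but a changed script is not restarted either, which is another reason to keep a working handler and notify it from the "Install Init script" task instead.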
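--- a/nginx/tasks/create_default_cert.yml
+++ b/nginx/tasks/create_default_cert.yml
@@ -0,0 +1,18 @@
+---
+- name: Verify that ssl-cert is installed
+apt:
+name: ssl-cert
+state: installed
+
+- name: Create private key for default site ({{ ansible_fqdn }})
+shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/C=FR/ST=PACA/L=Marseille/O=Evolix/CN={{ ansible_fqdn }}/emailAddress=security@evolix.net" 2>/dev/null
+
+- name: Adjust rights on private key
+file:
+path: /etc/ssl/private/{{ ansible_fqdn }}.key
+owner: root
+group: ssl-cert
+mode: 0640
+
+- name: Create certificate for default site
+shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt 2>/dev/null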
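Review bot: Both `openssl` tasks discard stderr with `2>/dev/null`, so when key or certificate generation fails (unwritable `/etc/ssl/private`, a rejected `-subj` string) the task still fails on the exit code but the only diagnostic is gone; drop the redirection. The tasks are also unguarded on their own: the `stat` check lives in `tasks/main.yml`, so running this file directly, or with `--tags nginx` after the certificate was replaced by a real one, regenerates and overwrites the existing private key; add `args:` with `creates: /etc/ssl/private/{{ ansible_fqdn }}.key` to the key task and the equivalent `creates:` for the certificate. The key is written by `openssl req` before the rights task runs; openssl normally creates key files 0600 root-owned, so there should be no exposure window, but a one-line comment stating that assumption would save the next reader the check.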
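--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -0,0 +1,108 @@
+---
+- name: Ensure Nginx is installed
+apt:
+name: nginx-full
+state: installed
+notify: restart nginx
+tags:
+- nginx
+
+- name: Install Nginx configuration
+template:
+src: nginx.conf.j2
+dest: /etc/nginx/nginx.conf
+mode: 0640
+# force: yes
+notify: reload nginx
+tags:
+- nginx
+
+- name: Copy snippets
+copy:
+src: nginx/snippets/
+dest: /etc/nginx/snippets/
+directory_mode: 0640
+mode: 0640
+# force: yes
+notify: reload nginx
+tags:
+- nginx
+
+- name: add IP addresses to private IP whitelist
+lineinfile:
+dest: /etc/nginx/snippets/private_ipaddr_whitelist
+line: "allow {{ item }};"
+state: present
+with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
+
+- name: remove IP addresses from private IP whitelist
+lineinfile:
+dest: /etc/nginx/snippets/private_ipaddr_whitelist
+line: "allow {{ item }};"
+state: absent
+with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
+
+- name: add user:pwd to private htpasswd
+lineinfile:
+dest: /etc/nginx/snippets/private_htpasswd
+line: "{{ item }}"
+state: present
+with_items: "{{ nginx_private_htpasswd_present }}"
+
+- name: remove user:pwd from private htpasswd
+lineinfile:
+dest: /etc/nginx/snippets/private_htpasswd
+line: "{{ item }}"
+state: absent
+with_items: "{{ nginx_private_htpasswd_absent }}"
+
+- name: Check if a certificate is present for default site
+stat:
+path: /etc/ssl/certs/{{ ansible_fqdn }}.crt
+register: stat_crt
+tags:
+- nginx
+
+- include: create_default_cert.yml
+when: not stat_crt.stat.exists
+tags:
+- nginx
+
+- name: Install Nginx default site
+template:
+src: default_site.j2
+dest: /etc/nginx/sites-available/default
+mode: 0640
+# force: yes
+notify: reload nginx
+tags:
+- nginx
+
+- name: Enable Nginx default site
+file:
+src: /etc/nginx/sites-available/default
+dest: /etc/nginx/sites-enabled/default
+state: link
+notify: reload nginx
+tags:
+- nginx
+
+- name: Verify that the service is enabled and started
+service:
+name: nginx
+enabled: yes
+state: started
+tags:
+- nginx
+
+- name: Check if Munin is installed
+stat:
+path: /etc/munin/plugin-conf.d/munin-node
+register: stat_munin_node
+tags:
+- munin
+
+- include: configure_munin.yml
+when: stat_munin_node.stat.exists
+tags:
+- munin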
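Review bot: The "Copy snippets" task re-copies `private_ipaddr_whitelist` and `private_htpasswd` from the role on every run, and `copy` replaces a destination whose content differs, so the `allow …;` and `user:hash` lines that the four `lineinfile` tasks add are wiped and re-added each run — a permanent "changed" state plus a needless nginx reload; the commented `# force: yes` should become `force: no` so the role seeds those files once and then leaves them to `lineinfile`. Those four `lineinfile` tasks also carry no `notify: reload nginx`, so removing an IP or a user is not live until something else triggers a reload, which for a revocation is the wrong default. `directory_mode: 0640` on `/etc/nginx/snippets/` is a directory mode without the execute bit; it only works because the nginx master reads its config as root, and `0750` is the intended value. The htpasswd entries are written verbatim, so the task name `add user:pwd` is misleading: they must be hashed `user:$apr1$…` (or crypt) lines, and a plaintext `user:password` item would both fail to authenticate and sit in the inventory in the clear.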
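--- a/nginx/templates/default_site.j2
+++ b/nginx/templates/default_site.j2
@@ -0,0 +1,56 @@
+server {
+
+listen [::]:80;
+listen 80;
+server_name {{ ansible_fqdn }};
+return 301 https://{{ ansible_fqdn }}$request_uri;
+}
+server {
+
+listen 443 ssl spdy;
+# listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}.crt;
+ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}.key;
+
+server_name {{ ansible_fqdn }};
+index index.htm index.html index.php;
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+error_page 403 {{ nginx_default_redirect_url }};
+
+root /var/www;
+
+# Auth.
+include /etc/nginx/snippets/private_ipaddr_whitelist;
+deny all;
+auth_basic "Reserved {{ ansible_fqdn }}";
+auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
+satisfy any;
+
+location / {
+index index.html index.htm;
+}
+
+location /munin/ {
+alias /var/cache/munin/www/;
+}
+
+location ^~ /munin-cgi/munin-cgi-graph/ {
+fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_pass unix:/var/run/munin/spawn-fcgi-munin-graph.sock;
+include fastcgi_params;
+}
+}
+
+server {
+listen 80;
+server_name munin;
+
+location /nginx_status {
+stub_status on;
+access_log off;
+}
+}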
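Review bot: The `server_name munin` block on port 80 exposes `stub_status` to anyone who sends `Host: munin`, since nothing in that `location` restricts the client; it exists only for the local Munin plugin (`env.url http://munin/nginx_status` with `127.0.0.1 munin` in `/etc/hosts`), so add `allow 127.0.0.1;`, `allow ::1;` and `deny all;` inside `location /nginx_status` (and `access_log off;` means such probes leave no trace, which is one more reason to deny them). On the TLS block, `listen 443 ssl spdy;` binds IPv4 only while the port-80 redirector also listens on `[::]:80`, so an IPv6 client is redirected to a port nothing listens on; `spdy` is also tied to the nginx build on the target, which I cannot see from here. No `ssl_protocols`/`ssl_ciphers` are set here or in `nginx.conf.j2`, so the build's defaults apply; pin them explicitly once the target nginx version is known. `index index.htm index.html index.php;` with no PHP handler in this file would serve any `index.php` dropped under `/var/www` as a plain file, i.e. disclose its source.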
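--- a/nginx/templates/nginx.conf.j2
+++ b/nginx/templates/nginx.conf.j2
@@ -0,0 +1,88 @@
+user www-data;
+worker_processes {{ nginx_worker_processes }};
+pid /var/run/nginx.pid;
+
+events {
+worker_connections 1024;
+#multi_accept on;
+use epoll;
+}
+
+http {
+##
+# Basic Settings
+##
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+
+##
+# Tuning Evolix
+##
+#connection_pool_size 256;
+#client_header_buffer_size 64k;
+#client_body_buffer_size 128k;
+#large_client_header_buffers 8 16k;
+#request_pool_size 4k;
+#client_header_timeout 10m;
+#client_body_timeout 10m;
+#send_timeout 10m;
+#client_max_body_size 50m;
+server_tokens off;
+server_names_hash_max_size 512;
+server_names_hash_bucket_size 128;
+server_name_in_redirect off;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+##
+# Gzip Settings
+##
+
+gzip on;
+gzip_disable "msie6";
+
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+index index.html;
+
+##
+# Logging Settings
+##
+
+access_log /var/log/nginx/access_log;
+error_log /var/log/nginx/error_log;
+
+##
+# nginx-naxsi config
+##
+# Uncomment it if you installed nginx-naxsi
+##
+
+#include /etc/nginx/naxsi_core.rules;
+
+##
+# nginx-passenger config
+##
+# Uncomment it if you installed nginx-passenger
+##
+
+#passenger_root /usr;
+#passenger_ruby /usr/bin/ruby;
+
+##
+# Virtual Host Configs
+##
+
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}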
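Review bot: The http-level logs are named `/var/log/nginx/access_log` and `/var/log/nginx/error_log`, while `default_site.j2` in this same commit logs to `access.log`/`error.log`; the Debian package's logrotate rule matches `/var/log/nginx/*.log` (worth verifying on the target), so the two `_log` files would grow unrotated and any request that hits a vhost without its own `access_log` lands in a file nobody rotates or reviews. Use `access_log /var/log/nginx/access.log;` and `error_log /var/log/nginx/error.log;` to stay consistent. `gzip on;` at http level also covers the TLS-only default site; for static Munin output that is harmless, but if dynamic responses carrying secrets are ever served there, compression over TLS is the BREACH precondition, so restricting it to static `gzip_types` is the safer default. `server_tokens off;` is good; there is still no `ssl_protocols`/`ssl_ciphers` baseline here, so every TLS vhost inherits whatever the build defaults to.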