add an nginx role
This commit is contained in:
parent
953c27a866
commit
496885341d
18
nginx/README.md
Normal file
18
nginx/README.md
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
# nginx
|
||||||
|
|
||||||
|
Install Nginx.
|
||||||
|
|
||||||
|
## Tasks
|
||||||
|
|
||||||
|
Everything is in the `tasks/main.yml` file.
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
Main variables are :
|
||||||
|
|
||||||
|
* `nginx_worker_processes` : number of worker processes ;
|
||||||
|
* `nginx_default_redirect_url` : URL to redirect to in case of error ;
|
||||||
|
* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the whitelist.
|
||||||
|
* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist.
|
||||||
|
|
||||||
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
8
nginx/defaults/main.yml
Normal file
8
nginx/defaults/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
nginx_worker_processes: '{{ ansible_processor_vcpus }}'
|
||||||
|
nginx_default_redirect_url: "http://evolix.fr"
|
||||||
|
|
||||||
|
nginx_private_ipaddr_whitelist_present: []
|
||||||
|
nginx_private_ipaddr_whitelist_absent: []
|
||||||
|
|
||||||
|
nginx_private_htpasswd_present: []
|
||||||
|
nginx_private_htpasswd_absent: []
|
130
nginx/files/init.d/spawn-fcgi-munin-graph
Normal file
130
nginx/files/init.d/spawn-fcgi-munin-graph
Normal file
|
@ -0,0 +1,130 @@
|
||||||
|
#! /bin/sh
|
||||||
|
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: spawn-fcgi-munin-graph
|
||||||
|
# Required-Start: $all
|
||||||
|
# Required-Stop: $all
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Description: starts FastCGI for Munin-Graph
|
||||||
|
### END INIT INFO
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
# Munin-CGI-Graph Spawn-FCGI Startscript by Julien Schmidt
|
||||||
|
# eMail: munin-trac at julienschmidt.com
|
||||||
|
# www: http://www.julienschmidt.com
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
# Install:
|
||||||
|
# 1. Copy this file to /etc/init.d
|
||||||
|
# 2. Edit the variables below
|
||||||
|
# 3. run "update-rc.d spawn-fcgi-munin-graph defaults"
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
# Special thanks for their help to:
|
||||||
|
# Frantisek Princ
|
||||||
|
# J<>r<EFBFBD>me Warnier
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
# Last Update: 14. February 2013
|
||||||
|
#
|
||||||
|
# Please change the following variables:
|
||||||
|
|
||||||
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
NAME=spawn-fcgi-munin-graph
|
||||||
|
PID_FILE=/var/run/munin/$NAME.pid
|
||||||
|
SOCK_FILE=/var/run/munin/$NAME.sock
|
||||||
|
SOCK_USER=www-data
|
||||||
|
FCGI_USER=munin
|
||||||
|
FCGI_GROUP=munin
|
||||||
|
FCGI_WORKERS=2
|
||||||
|
DAEMON=/usr/bin/spawn-fcgi
|
||||||
|
DAEMON_OPTS="-s $SOCK_FILE -F $FCGI_WORKERS -U $SOCK_USER -u $FCGI_USER -g $FCGI_GROUP -P $PID_FILE -- /usr/lib/munin/cgi/munin-cgi-graph"
|
||||||
|
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
# No edits necessary beyond this line
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
|
||||||
|
if [ ! -x $DAEMON ]; then
|
||||||
|
echo "File not found or is not executable: $DAEMON!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
status() {
|
||||||
|
if [ ! -r $PID_FILE ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
for FCGI_PID in `cat $PID_FILE`; do
|
||||||
|
if [ -z "${FCGI_PID}" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
FCGI_RUNNING=`ps -p ${FCGI_PID} | grep ${FCGI_PID}`
|
||||||
|
if [ -z "${FCGI_RUNNING}" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
done;
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
if status; then
|
||||||
|
echo "FCGI is already running!"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
$DAEMON $DAEMON_OPTS
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
stop () {
|
||||||
|
if ! status; then
|
||||||
|
echo "No PID-file at $PID_FILE found or PID not valid. Maybe not running"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Kill processes
|
||||||
|
for PID_RUNNING in `cat $PID_FILE`; do
|
||||||
|
kill -9 $PID_RUNNING
|
||||||
|
done
|
||||||
|
|
||||||
|
# Remove PID-file
|
||||||
|
rm -f $PID_FILE
|
||||||
|
|
||||||
|
# Remove Sock-File
|
||||||
|
rm -f $SOCK_FILE
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
echo "Starting $NAME: "
|
||||||
|
start
|
||||||
|
echo "... DONE"
|
||||||
|
;;
|
||||||
|
|
||||||
|
stop)
|
||||||
|
echo "Stopping $NAME: "
|
||||||
|
stop
|
||||||
|
echo "... DONE"
|
||||||
|
;;
|
||||||
|
|
||||||
|
force-reload|restart)
|
||||||
|
echo "Stopping $NAME: "
|
||||||
|
stop
|
||||||
|
echo "Starting $NAME: "
|
||||||
|
start
|
||||||
|
echo "... DONE"
|
||||||
|
;;
|
||||||
|
|
||||||
|
status)
|
||||||
|
if status; then
|
||||||
|
echo "FCGI is RUNNING"
|
||||||
|
else
|
||||||
|
echo "FCGI is NOT RUNNING"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
echo "Usage: $0 {start|stop|force-reload|restart|status}"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit 0
|
2
nginx/files/munin/plugin-conf.d/evolinux.nginx
Normal file
2
nginx/files/munin/plugin-conf.d/evolinux.nginx
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
[nginx_*]
|
||||||
|
env.url http://munin/nginx_status
|
1
nginx/files/nginx/snippets/private_htpasswd
Normal file
1
nginx/files/nginx/snippets/private_htpasswd
Normal file
|
@ -0,0 +1 @@
|
||||||
|
# user:password for HTTP Basic authentication
|
1
nginx/files/nginx/snippets/private_ipaddr_whitelist
Normal file
1
nginx/files/nginx/snippets/private_ipaddr_whitelist
Normal file
|
@ -0,0 +1 @@
|
||||||
|
# Whitelisted IP addresses, used in default site…
|
16
nginx/handlers/main.yml
Normal file
16
nginx/handlers/main.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
|
||||||
|
---
|
||||||
|
- name: restart nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: reload nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart munin
|
||||||
|
service:
|
||||||
|
name: munin-node
|
||||||
|
state: restarted
|
52
nginx/tasks/configure_munin.yml
Normal file
52
nginx/tasks/configure_munin.yml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
---
|
||||||
|
- name: Add munin to hosts
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/hosts
|
||||||
|
regexp: 'munin$'
|
||||||
|
line: '127.0.0.1 munin'
|
||||||
|
|
||||||
|
- name: Copy Munin config for Nginx
|
||||||
|
copy:
|
||||||
|
src: munin/plugin-conf.d/evolinux.nginx
|
||||||
|
dest: /etc/munin/plugin-conf.d/
|
||||||
|
mode: 0644
|
||||||
|
notify: restart munin
|
||||||
|
|
||||||
|
- name: Enable Munin plugins for Nginx
|
||||||
|
file:
|
||||||
|
src: '/usr/share/munin/plugins/{{ item }}'
|
||||||
|
dest: '/etc/munin/plugins/{{ item }}'
|
||||||
|
state: link
|
||||||
|
with_items:
|
||||||
|
- nginx_request
|
||||||
|
- nginx_status
|
||||||
|
notify: restart munin
|
||||||
|
|
||||||
|
- name: Ensure packages for Munin CGI are installed
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: installed
|
||||||
|
with_items:
|
||||||
|
- liblwp-useragent-determined-perl
|
||||||
|
- spawn-fcgi
|
||||||
|
|
||||||
|
- name: Adjust rights for munin-cgi
|
||||||
|
file:
|
||||||
|
path: '{{ item }}'
|
||||||
|
owner: munin
|
||||||
|
group: adm
|
||||||
|
with_fileglob:
|
||||||
|
- /var/log/munin/munin-cgi-*
|
||||||
|
|
||||||
|
- name: Install Init script for Munin-fcgi
|
||||||
|
copy:
|
||||||
|
src: init.d/spawn-fcgi-munin-graph
|
||||||
|
dest: /etc/init.d/
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Ensure that Munin-fcgi is started/stopped correctly
|
||||||
|
service:
|
||||||
|
name: spawn-fcgi-munin-graph
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
notify: restart spawn-fcgi-munin-graph
|
18
nginx/tasks/create_default_cert.yml
Normal file
18
nginx/tasks/create_default_cert.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
- name: Verify that ssl-cert is installed
|
||||||
|
apt:
|
||||||
|
name: ssl-cert
|
||||||
|
state: installed
|
||||||
|
|
||||||
|
- name: Create private key for default site ({{ ansible_fqdn }})
|
||||||
|
shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/C=FR/ST=PACA/L=Marseille/O=Evolix/CN={{ ansible_fqdn }}/emailAddress=security@evolix.net" 2>/dev/null
|
||||||
|
|
||||||
|
- name: Adjust rights on private key
|
||||||
|
file:
|
||||||
|
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||||
|
owner: root
|
||||||
|
group: ssl-cert
|
||||||
|
mode: 0640
|
||||||
|
|
||||||
|
- name: Create certificate for default site
|
||||||
|
shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt 2>/dev/null
|
108
nginx/tasks/main.yml
Normal file
108
nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,108 @@
|
||||||
|
---
|
||||||
|
- name: Ensure Nginx is installed
|
||||||
|
apt:
|
||||||
|
name: nginx-full
|
||||||
|
state: installed
|
||||||
|
notify: restart nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Install Nginx configuration
|
||||||
|
template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
mode: 0640
|
||||||
|
# force: yes
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Copy snippets
|
||||||
|
copy:
|
||||||
|
src: nginx/snippets/
|
||||||
|
dest: /etc/nginx/snippets/
|
||||||
|
directory_mode: 0640
|
||||||
|
mode: 0640
|
||||||
|
# force: yes
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: add IP addresses to private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||||
|
line: "allow {{ item }};"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
|
||||||
|
|
||||||
|
- name: remove IP addresses from private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||||
|
line: "allow {{ item }};"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
|
||||||
|
|
||||||
|
- name: add user:pwd to private htpasswd
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_htpasswd
|
||||||
|
line: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ nginx_private_htpasswd_present }}"
|
||||||
|
|
||||||
|
- name: remove user:pwd from private htpasswd
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_htpasswd
|
||||||
|
line: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ nginx_private_htpasswd_absent }}"
|
||||||
|
|
||||||
|
- name: Check if a certificate is present for default site
|
||||||
|
stat:
|
||||||
|
path: /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||||
|
register: stat_crt
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- include: create_default_cert.yml
|
||||||
|
when: not stat_crt.stat.exists
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Install Nginx default site
|
||||||
|
template:
|
||||||
|
src: default_site.j2
|
||||||
|
dest: /etc/nginx/sites-available/default
|
||||||
|
mode: 0640
|
||||||
|
# force: yes
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Enable Nginx default site
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/sites-available/default
|
||||||
|
dest: /etc/nginx/sites-enabled/default
|
||||||
|
state: link
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Verify that the service is enabled and started
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Check if Munin is installed
|
||||||
|
stat:
|
||||||
|
path: /etc/munin/plugin-conf.d/munin-node
|
||||||
|
register: stat_munin_node
|
||||||
|
tags:
|
||||||
|
- munin
|
||||||
|
|
||||||
|
- include: configure_munin.yml
|
||||||
|
when: stat_munin_node.stat.exists
|
||||||
|
tags:
|
||||||
|
- munin
|
56
nginx/templates/default_site.j2
Normal file
56
nginx/templates/default_site.j2
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
server {
|
||||||
|
|
||||||
|
listen [::]:80;
|
||||||
|
listen 80;
|
||||||
|
server_name {{ ansible_fqdn }};
|
||||||
|
return 301 https://{{ ansible_fqdn }}$request_uri;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
|
||||||
|
listen 443 ssl spdy;
|
||||||
|
# listen [::]:80 default_server ipv6only=on; ## listen for ipv6
|
||||||
|
|
||||||
|
ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}.key;
|
||||||
|
|
||||||
|
server_name {{ ansible_fqdn }};
|
||||||
|
index index.htm index.html index.php;
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
error_page 403 {{ nginx_default_redirect_url }};
|
||||||
|
|
||||||
|
root /var/www;
|
||||||
|
|
||||||
|
# Auth.
|
||||||
|
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||||
|
deny all;
|
||||||
|
auth_basic "Reserved {{ ansible_fqdn }}";
|
||||||
|
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||||
|
satisfy any;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
index index.html index.htm;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /munin/ {
|
||||||
|
alias /var/cache/munin/www/;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ^~ /munin-cgi/munin-cgi-graph/ {
|
||||||
|
fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
|
||||||
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
|
fastcgi_pass unix:/var/run/munin/spawn-fcgi-munin-graph.sock;
|
||||||
|
include fastcgi_params;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name munin;
|
||||||
|
|
||||||
|
location /nginx_status {
|
||||||
|
stub_status on;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
}
|
88
nginx/templates/nginx.conf.j2
Normal file
88
nginx/templates/nginx.conf.j2
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
user www-data;
|
||||||
|
worker_processes {{ nginx_worker_processes }};
|
||||||
|
pid /var/run/nginx.pid;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
#multi_accept on;
|
||||||
|
use epoll;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Tuning Evolix
|
||||||
|
##
|
||||||
|
#connection_pool_size 256;
|
||||||
|
#client_header_buffer_size 64k;
|
||||||
|
#client_body_buffer_size 128k;
|
||||||
|
#large_client_header_buffers 8 16k;
|
||||||
|
#request_pool_size 4k;
|
||||||
|
#client_header_timeout 10m;
|
||||||
|
#client_body_timeout 10m;
|
||||||
|
#send_timeout 10m;
|
||||||
|
#client_max_body_size 50m;
|
||||||
|
server_tokens off;
|
||||||
|
server_names_hash_max_size 512;
|
||||||
|
server_names_hash_bucket_size 128;
|
||||||
|
server_name_in_redirect off;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
# gzip_vary on;
|
||||||
|
# gzip_proxied any;
|
||||||
|
# gzip_comp_level 6;
|
||||||
|
# gzip_buffers 16 8k;
|
||||||
|
# gzip_http_version 1.1;
|
||||||
|
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||||
|
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access_log;
|
||||||
|
error_log /var/log/nginx/error_log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# nginx-naxsi config
|
||||||
|
##
|
||||||
|
# Uncomment it if you installed nginx-naxsi
|
||||||
|
##
|
||||||
|
|
||||||
|
#include /etc/nginx/naxsi_core.rules;
|
||||||
|
|
||||||
|
##
|
||||||
|
# nginx-passenger config
|
||||||
|
##
|
||||||
|
# Uncomment it if you installed nginx-passenger
|
||||||
|
##
|
||||||
|
|
||||||
|
#passenger_root /usr;
|
||||||
|
#passenger_ruby /usr/bin/ruby;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
Loading…
Reference in a new issue