From 6363e84d3709352b2d36fe4aa6a54f4e4e64eadf Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Wed, 12 Sep 2018 15:32:18 +0200
Subject: [PATCH] Add Nginx support to roundcube role
---
 webapps/roundcube/defaults/main.yml | 1 +
 webapps/roundcube/handlers/main.yml | 10 +++++
 webapps/roundcube/tasks/main.yml | 21 +++++++++-
 webapps/roundcube/templates/nginx.conf.j2 | 49 +++++++++++++++++++++++
 4 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 webapps/roundcube/templates/nginx.conf.j2
diff --git a/webapps/roundcube/defaults/main.yml b/webapps/roundcube/defaults/main.yml
index 5e0c1a81..2102ea8a 100644
--- a/webapps/roundcube/defaults/main.yml
+++ b/webapps/roundcube/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
 roundcube_host: "roundcube.{{ ansible_fqdn }}"
+roundcube_webserver: apache
 roundcube_imap_host: "localhost"
 roundcube_imap_port: 143
diff --git a/webapps/roundcube/handlers/main.yml b/webapps/roundcube/handlers/main.yml
index bdba6e6b..98b530d9 100644
--- a/webapps/roundcube/handlers/main.yml
+++ b/webapps/roundcube/handlers/main.yml
@@ -3,3 +3,13 @@
 systemd:
 name: imapproxy
 state: restarted
+
+- name: reload apache2
+ service:
+ name: apache2
+ state: reloaded
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml
index 9eac3dd9..9efd6b6a 100644
--- a/webapps/roundcube/tasks/main.yml
+++ b/webapps/roundcube/tasks/main.yml
@@ -85,24 +85,41 @@
 tags:
 - roundcube
-- name: deploy roundcube vhost
+- name: deploy apache roundcube vhost
 template:
 src: apache2.conf.j2
 dest: /etc/apache2/sites-available/rouncube.conf
 mode: "0640"
 notify: reload apache2
+ when: roundcube_webserver == "apache"
 tags:
 - roundcube
-- name: enable roundcube vhost
+- name: enable apache roundcube vhost
 file:
 src: /etc/apache2/sites-available/rouncube.conf
 dest: /etc/apache2/sites-enabled/rouncube.conf
 state: link
 notify: reload apache2
+ when: roundcube_webserver == "apache"
 tags:
 - roundcube
+- name: deploy Nginx roundcube vhost
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/sites-available/rouncube.conf
+ when: roundcube_webserver == "nginx"
+ notify: reload nginx
+
+- name: enable Nginx roundcube vhost
+ file:
+ src: "/etc/nginx/sites-available/rouncube.conf"
+ dest: "/etc/nginx/sites-enabled/rouncube.conf"
+ state: link
+ when: roundcube_webserver == "nginx"
+ notify: reload nginx
+
 - name: enable roundcube link in default site index
 lineinfile:
 dest: /var/www/index.html
diff --git a/webapps/roundcube/templates/nginx.conf.j2 b/webapps/roundcube/templates/nginx.conf.j2
new file mode 100644
index 00000000..1719c407
--- /dev/null
+++ b/webapps/roundcube/templates/nginx.conf.j2
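Review bot: The two Nginx tasks added to tasks/main.yml set neither `mode:` nor `tags:`, unlike the Apache tasks directly above them, so the vhost file's permissions are left to the remote umask and a run limited with `--tags roundcube` skips the Nginx vhost entirely. Adding an explicit `mode: "0640"` (or whatever mode the other Nginx sites use) to the template task and `tags:` / `- roundcube` to both tasks would keep the two branches symmetric. Any `roundcube_webserver` value other than `apache` or `nginx` deploys no vhost without an error, and switching an existing host from one server to the other leaves the previous vhost enabled; a comment on the variable naming the accepted values would make that visible. The `rouncube.conf` spelling is carried over from the Apache paths and looks like a typo, though renaming it would also need a cleanup of the old file.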
@@ -0,0 +1,49 @@
+server {
+ listen 80;
+ server_name {{ roundcube_host }};
+ return 301 https://{{ roundcube_host }}$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name {{ roundcube_host }};
+ access_log /var/log/nginx/.{{ roundcube_host }}.access.log;
+ error_log /var/log/nginx/.{{ roundcube_host }}.error.log;
+
+ root /var/lib/roundcube/;
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /index.php?q=$uri&$args;
+ }
+
+ location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+ deny all;
+ }
+
+ location ~ ^/(config|temp|logs)/ {
+ deny all;
+ }
+
+ location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_prefer_server_ciphers On;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 10m;
+ add_header Strict-Transport-Security "max-age=31536000";
+}
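Review bot: The TLS settings at the end of the 443 server block still accept TLS 1.0 and 1.1 and offer 3DES suites, all of which are deprecated and a poor fit for a webmail login page that carries mailbox credentials. I would narrow the protocol line to `ssl_protocols TLSv1.2;` (adding TLSv1.3 only where the installed nginx and OpenSSL support it) and drop `ECDH+3DES:DH+3DES` and `RSA+3DES` from `ssl_ciphers`. The certificate and key are hard-coded to the self-signed snakeoil pair while the same block sends a one-year HSTS header, so browsers that accept the certificate once will then refuse plain HTTP for a year; exposing both paths as role variables would let a real certificate be deployed without editing the template. The `fastcgi_pass` socket is likewise pinned to `php7.0-fpm.sock`, which breaks on hosts running another PHP version.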