merge nginx-light into nginx

Jérémy Lecour 2017-07-14 15:42:36 +02:00
parent a6db2c9428
commit a179f824f1
11 changed files with 211 additions and 258 deletions


@ -1,36 +0,0 @@
---
driver:
name: docker
privileged: true
use_sudo: false
provisioner:
name: ansible_playbook
hosts: test-kitchen
roles_path: ../
ansible_verbose: true
require_ansible_source: false
require_chef_for_busser: false
idempotency_test: true
platforms:
- name: debian
driver_config:
image: evolix/ansible:2.2.1
verifier:
name: serverspec
suites:
- name: default
provisioner:
name: ansible_playbook
playbook: ./tests/test.yml
verifier:
patterns:
- nginx/tests/spec/nginx_light_spec.rb
bundler_path: '/usr/local/bin'
rspec_path: '/usr/local/bin'
transport:
max_ssh_sessions: 6


@ -1,9 +0,0 @@
# nginx-light
Install Nginx light with a simply default vhost config.
Used for hypervisors and backups servers.
## Tasks
Everything is in the `tasks/main.yml` file.


@ -1,5 +0,0 @@
---
- name: reload nginx
service:
name: nginx
state: reloaded


@ -1,9 +0,0 @@
require 'net/http'
require 'uri'
require 'serverspec'
set :backend, :exec
describe port(80) do
it { should be_listening }
end


@ -1,4 +0,0 @@
---
- hosts: test-kitchen
roles:
- role: nginx-light


@ -6,10 +6,17 @@ Install Nginx.
Everything is in the `tasks/main.yml` file.
There are 2 modes : minimal and regular.
The minimal mode is for servers without real web apps, and only access to munin graphs…
The regular mode is for full fledged web services with optimized defaults.
## Available variables
Main variables are :
* `nginx_minimal` : very basic install and config (default: `False`) ;
* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;


@ -1,4 +1,6 @@
---
nginx_minimal: False
nginx_jessie_backports: False
nginx_private_ipaddr_whitelist_present: []


@ -1,193 +1,7 @@
---
- include: packages_jessie.yml
when: ansible_distribution_release == "jessie"
- include: main_minimal.yml
when: nginx_minimal
- include: packages_stretch.yml
when: ansible_distribution_release == "stretch"
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for private_ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy private_ipaddr_whitelist
copy:
src: nginx/snippets/private_ipaddr_whitelist
dest: /etc/nginx/snippets/private_ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/private_ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
notify: reload nginx
tags:
- nginx
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/private_ipaddr_whitelist
line: "allow {{ item }};"
state: absent
with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
notify: reload nginx
tags:
- nginx
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: evolinux-default.conf.j2
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default.conf
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
# - block:
# - name: generate random string for phpmyadmin suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_phpmyadmin_suffix
#
# - name: overwrite nginx_phpmyadmin_suffix
# set_fact:
# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_phpmyadmin_suffix == ""
#
# - name: replace phpmyadmin suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__PHPMYADMIN_SUFFIX__'
# replace: "{{ nginx_phpmyadmin_suffix }}"
#
# - block:
# - name: generate random string for serverstatus suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_serverstatus_suffix
#
# - name: overwrite nginx_serverstatus_suffix
# set_fact:
# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_serverstatus_suffix == ""
#
# - name: replace server-status suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__SERVERSTATUS_SUFFIX__'
# replace: "{{ nginx_serverstatus_suffix }}"
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml
- include: main_regular.yml
when: not nginx_minimal
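Review bot: The two `when:` conditions on `main_minimal.yml` and `main_regular.yml` test the bare variable `nginx_minimal`, so the outcome depends on how the value reaches the role. A string such as `-e nginx_minimal=false` or an INI inventory value is non-empty, and newer Ansible releases evaluate a bare non-empty string as true; the host would then take the minimal path and skip `main_regular.yml`, which appears to be the file that now holds the IP whitelist and htpasswd tasks. Casting explicitly removes the ambiguity: `when: nginx_minimal | bool` and `when: not (nginx_minimal | bool)`.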


@ -1,5 +1,5 @@
---
- name: Ensure Nginx (light) is installed
- name: Ensure Nginx is installed
apt:
name: "{{ item }}"
state: present
@ -13,8 +13,8 @@
- name: Copy default vhost
template:
src: default.j2
dest: /etc/nginx/sites-available/default
src: evolinux-default.minimal.conf.j2
dest: /etc/nginx/sites-available/evolinux-default.minimal.conf
mode: 0644
notify: reload nginx
tags:
@ -23,8 +23,8 @@
- name: Enable default vhost
file:
src: /etc/nginx/sites-available/default
dest: /etc/nginx/sites-enabled/default
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
dest: /etc/nginx/sites-enabled/default.conf
state: link
notify: reload nginx
tags:
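Review bot: Nothing in the visible hunks removes the previous `/etc/nginx/sites-enabled/default`, although `Copy default vhost` and `Enable default vhost` now target `evolinux-default.minimal.conf` and `sites-enabled/default.conf`. On a host already provisioned by nginx-light, or one where the distribution package ships that link, the old vhost would stay enabled beside the new one, which can fail the config test on a duplicate default server or leave a vhost serving that the role no longer manages. A cleanup task placed before the link is created would close the gap; the rest of the task file lies outside these hunks, so confirm it is not already handled there. Separately, `mode: 0644` is unquoted in this file while the regular task file quotes its modes; `mode: "0644"` would match.

```yaml
# … unchanged: package installation and "Copy default vhost" …
- name: Remove the unmanaged default vhost link
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: reload nginx
# … unchanged: "Enable default vhost" …
```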


@ -0,0 +1,193 @@
---
- include: packages_jessie.yml
when: ansible_distribution_release == "jessie"
- include: packages_stretch.yml
when: ansible_distribution_release == "stretch"
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for private_ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy private_ipaddr_whitelist
copy:
src: nginx/snippets/private_ipaddr_whitelist
dest: /etc/nginx/snippets/private_ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/private_ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
notify: reload nginx
tags:
- nginx
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/private_ipaddr_whitelist
line: "allow {{ item }};"
state: absent
with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
notify: reload nginx
tags:
- nginx
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: evolinux-default.conf.j2
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default.conf
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
# - block:
# - name: generate random string for phpmyadmin suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_phpmyadmin_suffix
#
# - name: overwrite nginx_phpmyadmin_suffix
# set_fact:
# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_phpmyadmin_suffix == ""
#
# - name: replace phpmyadmin suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__PHPMYADMIN_SUFFIX__'
# replace: "{{ nginx_phpmyadmin_suffix }}"
#
# - block:
# - name: generate random string for serverstatus suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_serverstatus_suffix
#
# - name: overwrite nginx_serverstatus_suffix
# set_fact:
# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_serverstatus_suffix == ""
#
# - name: replace server-status suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__SERVERSTATUS_SUFFIX__'
# replace: "{{ nginx_serverstatus_suffix }}"
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml
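Review bot: `Copy private_ipaddr_whitelist` and `Copy private_htpasswd` install both snippets with `owner: www-data`, so the account the nginx workers normally run as owns, and can rewrite, the files that decide who is let in; the TODO above these tasks already questions the permissions. The workers only need read access, which `owner: root`, `group: www-data`, `mode: "0640"` would provide. `directory_mode: "0640"` has no effect on a single-file copy and can be dropped from both tasks. The two htpasswd `lineinfile` loops also print each `user:pwd` item in the task output, so `no_log: true` on those tasks would keep the entries out of run logs.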