evolix
/
ansible-roles
15
2
Fork 1
Code Issues 53 Pull Requests 13 Releases 10 Wiki Activity
Browse Source

nginx: no more "minimal" mode, but the package remains customizable.
continuous-integration/drone/push Build is passing
Details

pull/124/head
Jérémy Lecour 2 months ago
committed by Jérémy Lecour
parent
cff309ff41
commit
dde2672715
7 changed files with 159 additions and 259 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      CHANGELOG.md
  2. 2
      nginx/defaults/main.yml
  3. 151
      nginx/tasks/main.yml
  4. 40
      nginx/tasks/main_minimal.yml
  5. 182
      nginx/tasks/main_regular.yml
  6. 10
      nginx/tasks/packages.yml
  7. 31
      nginx/templates/evolinux-default.minimal.conf.j2

2
CHANGELOG.md
View File

@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release.
### Removed
* nginx: no more "minimal" mode, but the package remains customizable.
### Security
## [10.4.0] 2020-12-24

2
nginx/defaults/main.yml
View File

@ -4,7 +4,7 @@ nginx_minimal: False
# backward compatibility with a previously used variable
nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}"
nginx_package_name: "nginx-full"
nginx_default_package_name: "nginx-full"
nginx_default_ipaddr_whitelist_ips: []
nginx_additional_ipaddr_whitelist_ips: []

151
nginx/tasks/main.yml
View File

@ -1,7 +1,152 @@
---
- include: main_minimal.yml
- debug:
msg: "Nginx minimal mode has been removed, falling back to normal mode."
when: nginx_minimal
- include: main_regular.yml
when: not nginx_minimal
- include: packages.yml
- include: server_status_read.yml
tags:
- nginx
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy ipaddr_whitelist
copy:
src: nginx/snippets/ipaddr_whitelist
dest: /etc/nginx/snippets/ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- ips
- name: Include IP address whitelist task
include: ip_whitelist.yml
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: "{{ nginx_default_template_regular }}"
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
- include: server_status_write.yml
tags:
- nginx
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml

40
nginx/tasks/main_minimal.yml
View File

@ -1,40 +0,0 @@
---
- name: Ensure Nginx is installed
apt:
name:
- nginx-light
- ssl-cert
state: present
notify: reload nginx
tags:
- nginx
- packages
- name: Copy default vhost
template:
src: "{{ nginx_default_template_minimal }}"
dest: /etc/nginx/sites-available/evolinux-default.minimal.conf
mode: 0644
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- packages
- name: Enable default vhost
file:
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
dest: /etc/nginx/sites-enabled/default
state: link
notify: reload nginx
tags:
- nginx
- packages
- name: Ensure Nginx is enabled
service:
name: nginx
state: started
enabled: yes
tags:
- nginx

182
nginx/tasks/main_regular.yml
View File

@ -1,182 +0,0 @@
---
- include: packages.yml
- include: server_status_read.yml
tags:
- nginx
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy ipaddr_whitelist
copy:
src: nginx/snippets/ipaddr_whitelist
dest: /etc/nginx/snippets/ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- ips
- name: Include IP address whitelist task
include: ip_whitelist.yml
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: "{{ nginx_default_template_regular }}"
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
- include: server_status_write.yml
tags:
- nginx
# - block:
# - name: generate random string for phpmyadmin suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_phpmyadmin_suffix
#
# - name: overwrite nginx_phpmyadmin_suffix
# set_fact:
# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_phpmyadmin_suffix == ""
#
# - name: replace phpmyadmin suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__PHPMYADMIN_SUFFIX__'
# replace: "{{ nginx_phpmyadmin_suffix }}"
#
# - block:
# - name: generate random string for serverstatus suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_serverstatus_suffix
#
# - name: overwrite nginx_serverstatus_suffix
# set_fact:
# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_serverstatus_suffix == ""
#
# - name: replace server-status suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__SERVERSTATUS_SUFFIX__'
# replace: "{{ nginx_serverstatus_suffix }}"
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml

10
nginx/tasks/packages.yml
View File

@ -1,3 +1,9 @@
- set_fact:
nginx_package_name_default: nginx-light
when: nginx_minimal
- include: packages_backports.yml
when: nginx_backports
@ -5,12 +11,12 @@
- name: Ensure Nginx is installed
apt:
name: "{{ nginx_package_name }}"
name: "{{ nginx_package_name | default(nginx_default_package_name) }}"
state: present
tags:
- nginx
- packages
- name: Ensure nginx service is running as configured.
service:
name: nginx

31
nginx/templates/evolinux-default.minimal.conf.j2
View File

@ -1,31 +0,0 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
if ($host != "{{ ansible_fqdn }}") {
rewrite ^ https://{{ ansible_fqdn }}$request_uri permanent;
}
include snippets/snakeoil.conf;
if ($https != "on") {
return 301 https://{{ ansible_fqdn }}$request_uri;
}
root /var/www/;
location /munin {
alias /var/cache/munin/www;
}
index index.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
Write Preview
Loading…
Cancel
Save