diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e9bb58a..b9b3f64e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release.
 ### Removed
+* nginx: no more "minimal" mode, but the package remains customizable.
+
 ### Security

 ## [10.4.0] 2020-12-24
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index d59da758..832fe3bb 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -4,7 +4,7 @@ nginx_minimal: False
 # backward compatibility with a previously used variable
 nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}"
-nginx_package_name: "nginx-full"
+nginx_default_package_name: "nginx-full"

 nginx_default_ipaddr_whitelist_ips: []
 nginx_additional_ipaddr_whitelist_ips: []
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index e1144a39..6fe9a94e 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -1,7 +1,152 @@
 ---
-- include: main_minimal.yml
+- debug:
+ msg: "Nginx minimal mode has been removed, falling back to normal mode."
 when: nginx_minimal

-- include: main_regular.yml
- when: not nginx_minimal
+- include: packages.yml
+
+- include: server_status_read.yml
+ tags:
+ - nginx
+
+# TODO: find a way to override the main configuration
+# without touching the main file
+
+- name: customize worker_connections
+ lineinfile:
+ dest: /etc/nginx/nginx.conf
+ regexp: '^(\s*worker_connections)\s+.+;'
+ line: ' worker_connections 1024;'
+ insertafter: 'events \{'
+ tags:
+ - nginx
+
+- name: use epoll
+ lineinfile:
+ dest: /etc/nginx/nginx.conf
+ regexp: '^(\s*use)\s+.+;'
+ line: ' use epoll;'
+ insertafter: 'events \{'
+ tags:
+ - nginx
+
+- name: Install Nginx http configuration
+ copy:
+ src: nginx/evolinux-defaults.conf
+ dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
+ mode: "0640"
+ # force: yes
+ notify: reload nginx
+ tags:
+ - nginx
+
+# TODO: verify that those permissions are correct :
+# not too strict for ipaddr_whitelist
+# and not too loose for private_htpasswd
+
+- name: Copy ipaddr_whitelist
+ copy:
+ src: nginx/snippets/ipaddr_whitelist
+ dest: /etc/nginx/snippets/ipaddr_whitelist
+ owner: www-data
+ group: www-data
+ directory_mode: "0640"
+ mode: "0640"
+ force: no
+ notify: reload nginx
+ tags:
+ - nginx
+ - ips
+
+- name: Include IP address whitelist task
+ include: ip_whitelist.yml
+
+- name: Copy private_htpasswd
+ copy:
+ src: nginx/snippets/private_htpasswd
+ dest: /etc/nginx/snippets/private_htpasswd
+ owner: www-data
+ group: www-data
+ directory_mode: "0640"
+ mode: "0640"
+ force: no
+ notify: reload nginx
+ tags:
+ - nginx
+
+- name: add user:pwd to private htpasswd
+ lineinfile:
+ dest: /etc/nginx/snippets/private_htpasswd
+ line: "{{ item }}"
+ state: present
+ with_items: "{{ nginx_private_htpasswd_present }}"
+ notify: reload nginx
+ tags:
+ - nginx
+
+- name: remove user:pwd from private htpasswd
+ lineinfile:
+ dest: /etc/nginx/snippets/private_htpasswd
+ line: "{{ item }}"
+ state: absent
+ with_items: "{{ nginx_private_htpasswd_absent }}"
+ notify: reload nginx
+ tags:
+ - nginx
+
+- name: nginx vhost is installed
+ template:
+ src: "{{ nginx_default_template_regular }}"
+ dest: /etc/nginx/sites-available/evolinux-default.conf
+ mode: "0640"
+ force: "{{ nginx_force_default_template | default(False) }}"
+ notify: reload nginx
+ tags:
+ - nginx
+
+- name: default vhost is enabled
+ file:
+ src: /etc/nginx/sites-available/evolinux-default.conf
+ dest: /etc/nginx/sites-enabled/default
+ state: link
+ force: yes
+ notify: reload nginx
+ when: nginx_evolinux_default_enabled
+ tags:
+ - nginx
+
+- include: server_status_write.yml
+ tags:
+ - nginx
+
+- name: Verify that the service is enabled and started
+ service:
+ name: nginx
+ enabled: yes
+ state: started
+ tags:
+ - nginx
+
+- name: Check if Munin is installed
+ stat:
+ path: /etc/munin/plugin-conf.d/munin-node
+ check_mode: no
+ register: stat_munin_node
+ tags:
+ - nginx
+ - munin
+
+- include: munin_vhost.yml
+ when: stat_munin_node.stat.exists
+ tags:
+ - nginx
+ - munin
+
+- include: munin_graphs.yml
+ when: stat_munin_node.stat.exists
+ tags:
+ - nginx
+ - munin
+
+- include: logrotate.yml

diff --git a/nginx/tasks/main_minimal.yml b/nginx/tasks/main_minimal.yml
deleted file mode 100644
index 798cf055..00000000
--- a/nginx/tasks/main_minimal.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- name: Ensure Nginx is installed
- apt:
- name:
- - nginx-light
- - ssl-cert
- state: present
- notify: reload nginx
- tags:
- - nginx
- - packages
-
-- name: Copy default vhost
- template:
- src: "{{ nginx_default_template_minimal }}"
- dest: /etc/nginx/sites-available/evolinux-default.minimal.conf
- mode: 0644
- force: "{{ nginx_force_default_template | default(False) }}"
- notify: reload nginx
- tags:
- - nginx
- - packages
-
-- name: Enable default vhost
- file:
- src: /etc/nginx/sites-available/evolinux-default.minimal.conf
- dest: /etc/nginx/sites-enabled/default
- state: link
- notify: reload nginx
- tags:
- - nginx
- - packages
-
-- name: Ensure Nginx is enabled
- service:
- name: nginx
- state: started
- enabled: yes
- tags:
- - nginx
diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml
deleted file mode 100644
index c7989bee..00000000
--- a/nginx/tasks/main_regular.yml
+++ /dev/null
@@ -1,182 +0,0 @@
----
-
-- include: packages.yml
-
-- include: server_status_read.yml
- tags:
- - nginx
-
-# TODO: find a way to override the main configuration
-# without touching the main file
-
-- name: customize worker_connections
- lineinfile:
- dest: /etc/nginx/nginx.conf
- regexp: '^(\s*worker_connections)\s+.+;'
- line: ' worker_connections 1024;'
- insertafter: 'events \{'
- tags:
- - nginx
-
-- name: use epoll
- lineinfile:
- dest: /etc/nginx/nginx.conf
- regexp: '^(\s*use)\s+.+;'
- line: ' use epoll;'
- insertafter: 'events \{'
- tags:
- - nginx
-
-- name: Install Nginx http configuration
- copy:
- src: nginx/evolinux-defaults.conf
- dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
- mode: "0640"
- # force: yes
- notify: reload nginx
- tags:
- - nginx
-
-# TODO: verify that those permissions are correct :
-# not too strict for ipaddr_whitelist
-# and not too loose for private_htpasswd
-
-- name: Copy ipaddr_whitelist
- copy:
- src: nginx/snippets/ipaddr_whitelist
- dest: /etc/nginx/snippets/ipaddr_whitelist
- owner: www-data
- group: www-data
- directory_mode: "0640"
- mode: "0640"
- force: no
- notify: reload nginx
- tags:
- - nginx
- - ips
-
-- name: Include IP address whitelist task
- include: ip_whitelist.yml
-
-- name: Copy private_htpasswd
- copy:
- src: nginx/snippets/private_htpasswd
- dest: /etc/nginx/snippets/private_htpasswd
- owner: www-data
- group: www-data
- directory_mode: "0640"
- mode: "0640"
- force: no
- notify: reload nginx
- tags:
- - nginx
-
-- name: add user:pwd to private htpasswd
- lineinfile:
- dest: /etc/nginx/snippets/private_htpasswd
- line: "{{ item }}"
- state: present
- with_items: "{{ nginx_private_htpasswd_present }}"
- notify: reload nginx
- tags:
- - nginx
-
-- name: remove user:pwd from private htpasswd
- lineinfile:
- dest: /etc/nginx/snippets/private_htpasswd
- line: "{{ item }}"
- state: absent
- with_items: "{{ nginx_private_htpasswd_absent }}"
- notify: reload nginx
- tags:
- - nginx
-
-- name: nginx vhost is installed
- template:
- src: "{{ nginx_default_template_regular }}"
- dest: /etc/nginx/sites-available/evolinux-default.conf
- mode: "0640"
- force: "{{ nginx_force_default_template | default(False) }}"
- notify: reload nginx
- tags:
- - nginx
-
-- name: default vhost is enabled
- file:
- src: /etc/nginx/sites-available/evolinux-default.conf
- dest: /etc/nginx/sites-enabled/default
- state: link
- force: yes
- notify: reload nginx
- when: nginx_evolinux_default_enabled
- tags:
- - nginx
-
-- include: server_status_write.yml
- tags:
- - nginx
-
-# - block:
-# - name: generate random string for phpmyadmin suffix
-# command: "apg -a 1 -M N -n 1"
-# changed_when: False
-# register: random_phpmyadmin_suffix
-#
-# - name: overwrite nginx_phpmyadmin_suffix
-# set_fact:
-# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
-# when: nginx_phpmyadmin_suffix == ""
-#
-# - name: replace phpmyadmin suffix in default site index
-# replace:
-# dest: /var/www/index.html
-# regexp: '__PHPMYADMIN_SUFFIX__'
-# replace: "{{ nginx_phpmyadmin_suffix }}"
-#
-# - block:
-# - name: generate random string for serverstatus suffix
-# command: "apg -a 1 -M N -n 1"
-# changed_when: False
-# register: random_serverstatus_suffix
-#
-# - name: overwrite nginx_serverstatus_suffix
-# set_fact:
-# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
-# when: nginx_serverstatus_suffix == ""
-#
-# - name: replace server-status suffix in default site index
-# replace:
-# dest: /var/www/index.html
-# regexp: '__SERVERSTATUS_SUFFIX__'
-# replace: "{{ nginx_serverstatus_suffix }}"
-
-- name: Verify that the service is enabled and started
- service:
- name: nginx
- enabled: yes
- state: started
- tags:
- - nginx
-
-- name: Check if Munin is installed
- stat:
- path: /etc/munin/plugin-conf.d/munin-node
- check_mode: no
- register: stat_munin_node
- tags:
- - nginx
- - munin
-
-- include: munin_vhost.yml
- when: stat_munin_node.stat.exists
- tags:
- - nginx
- - munin
-
-- include: munin_graphs.yml
- when: stat_munin_node.stat.exists
- tags:
- - nginx
- - munin
-
-- include: logrotate.yml
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml
index 76350424..05c033b4 100644
--- a/nginx/tasks/packages.yml
+++ b/nginx/tasks/packages.yml
@@ -1,3 +1,9 @@
+
+
+- set_fact:
+ nginx_package_name_default: nginx-light
+ when: nginx_minimal
+
 - include: packages_backports.yml
 when: nginx_backports

@@ -5,12 +11,12 @@

 - name: Ensure Nginx is installed
 apt:
- name: "{{ nginx_package_name }}"
+ name: "{{ nginx_package_name | default(nginx_default_package_name) }}"
 state: present
 tags:
 - nginx
 - packages
-
+
 - name: Ensure nginx service is running as configured.
 service:
 name: nginx
diff --git a/nginx/templates/evolinux-default.minimal.conf.j2 b/nginx/templates/evolinux-default.minimal.conf.j2
deleted file mode 100644
index 919a7a1f..00000000
--- a/nginx/templates/evolinux-default.minimal.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
-
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- if ($host != "{{ ansible_fqdn }}") {
- rewrite ^ https://{{ ansible_fqdn }}$request_uri permanent;
- }
-
- include snippets/snakeoil.conf;
-
- if ($https != "on") {
- return 301 https://{{ ansible_fqdn }}$request_uri;
- }
-
- root /var/www/;
-
- location /munin {
- alias /var/cache/munin/www;
- }
-
- index index.html;
-
- server_name _;
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
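Review bot: The `Copy private_htpasswd` task leaves the basic-auth credential file owned by `www-data`, the account the nginx workers run as, so a compromised worker can rewrite it or chmod it regardless of `mode: "0640"`; the same applies to `Copy ipaddr_whitelist`. Changing both tasks to `owner: root` and `group: www-data` keeps the files readable by the workers while removing their write access, the `add user:pwd` / `remove user:pwd` lineinfile tasks run as root so they are unaffected, and this would settle the TODO above those tasks that asks whether the permissions are right. `directory_mode: "0640"` has no effect on a single-file `copy` and could be dropped. On hosts that were in minimal mode, `default vhost is enabled` (`force: yes`) repoints `sites-enabled/default` from the old `evolinux-default.minimal.conf` to the regular template, which presumably no longer carries the HTTPS redirect the deleted minimal template had — worth confirming — and the stale minimal file is left behind in sites-available.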
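Review bot: The `set_fact` added at the top of packages.yml defines `nginx_package_name_default`, but the apt task in the second hunk reads `nginx_package_name | default(nginx_default_package_name)` and defaults/main.yml now declares `nginx_default_package_name`, so the fact is never consulted and a host with `nginx_minimal: True` gets `nginx-full` instead of the `nginx-light` the fact was evidently meant to keep. Either rename it to `nginx_default_package_name: nginx-light` (a set_fact takes precedence over the role default) or drop the task if the debug message in main.yml, "falling back to normal mode", describes the intended behaviour; as written the two disagree. The deleted main_minimal.yml also installed `ssl-cert` alongside `nginx-light`, and nothing in the visible hunks installs it now, so hosts that relied on the snakeoil certificate may need it added to the apt task — worth confirming against the rest of packages.yml, which is outside the hunk.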