nginx: no more "minimal" mode, but the package remains customizable.
This commit is contained in:
parent
cff309ff41
commit
dde2672715
|
@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
* nginx: no more "minimal" mode, but the package remains customizable.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
## [10.4.0] 2020-12-24
|
## [10.4.0] 2020-12-24
|
||||||
|
|
|
@ -4,7 +4,7 @@ nginx_minimal: False
|
||||||
# backward compatibility with a previously used variable
|
# backward compatibility with a previously used variable
|
||||||
nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}"
|
nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}"
|
||||||
|
|
||||||
nginx_package_name: "nginx-full"
|
nginx_default_package_name: "nginx-full"
|
||||||
|
|
||||||
nginx_default_ipaddr_whitelist_ips: []
|
nginx_default_ipaddr_whitelist_ips: []
|
||||||
nginx_additional_ipaddr_whitelist_ips: []
|
nginx_additional_ipaddr_whitelist_ips: []
|
||||||
|
|
|
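Review bot: Renaming the default from `nginx_package_name` to `nginx_default_package_name` leaves the user-facing override undocumented in this file: the apt task further down now reads `nginx_package_name | default(nginx_default_package_name)`, so an inventory that already set `nginx_package_name` keeps working, but nothing in the defaults says that it may still be set. Add a comment above the new line, `# nginx_package_name may be set by the caller to override this default (e.g. nginx-light)`, so the override survives the rename as a documented contract rather than an accident of the filter.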
@ -1,7 +1,152 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: main_minimal.yml
|
- debug:
|
||||||
|
msg: "Nginx minimal mode has been removed, falling back to normal mode."
|
||||||
when: nginx_minimal
|
when: nginx_minimal
|
||||||
|
|
||||||
- include: main_regular.yml
|
- include: packages.yml
|
||||||
when: not nginx_minimal
|
|
||||||
|
- include: server_status_read.yml
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
# TODO: find a way to override the main configuration
|
||||||
|
# without touching the main file
|
||||||
|
|
||||||
|
- name: customize worker_connections
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
regexp: '^(\s*worker_connections)\s+.+;'
|
||||||
|
line: ' worker_connections 1024;'
|
||||||
|
insertafter: 'events \{'
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: use epoll
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
regexp: '^(\s*use)\s+.+;'
|
||||||
|
line: ' use epoll;'
|
||||||
|
insertafter: 'events \{'
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Install Nginx http configuration
|
||||||
|
copy:
|
||||||
|
src: nginx/evolinux-defaults.conf
|
||||||
|
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
|
||||||
|
mode: "0640"
|
||||||
|
# force: yes
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
# TODO: verify that those permissions are correct :
|
||||||
|
# not too strict for ipaddr_whitelist
|
||||||
|
# and not too loose for private_htpasswd
|
||||||
|
|
||||||
|
- name: Copy ipaddr_whitelist
|
||||||
|
copy:
|
||||||
|
src: nginx/snippets/ipaddr_whitelist
|
||||||
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
directory_mode: "0640"
|
||||||
|
mode: "0640"
|
||||||
|
force: no
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- ips
|
||||||
|
|
||||||
|
- name: Include IP address whitelist task
|
||||||
|
include: ip_whitelist.yml
|
||||||
|
|
||||||
|
- name: Copy private_htpasswd
|
||||||
|
copy:
|
||||||
|
src: nginx/snippets/private_htpasswd
|
||||||
|
dest: /etc/nginx/snippets/private_htpasswd
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
directory_mode: "0640"
|
||||||
|
mode: "0640"
|
||||||
|
force: no
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: add user:pwd to private htpasswd
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_htpasswd
|
||||||
|
line: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ nginx_private_htpasswd_present }}"
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: remove user:pwd from private htpasswd
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/private_htpasswd
|
||||||
|
line: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ nginx_private_htpasswd_absent }}"
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: nginx vhost is installed
|
||||||
|
template:
|
||||||
|
src: "{{ nginx_default_template_regular }}"
|
||||||
|
dest: /etc/nginx/sites-available/evolinux-default.conf
|
||||||
|
mode: "0640"
|
||||||
|
force: "{{ nginx_force_default_template | default(False) }}"
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: default vhost is enabled
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/sites-available/evolinux-default.conf
|
||||||
|
dest: /etc/nginx/sites-enabled/default
|
||||||
|
state: link
|
||||||
|
force: yes
|
||||||
|
notify: reload nginx
|
||||||
|
when: nginx_evolinux_default_enabled
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- include: server_status_write.yml
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Verify that the service is enabled and started
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
- name: Check if Munin is installed
|
||||||
|
stat:
|
||||||
|
path: /etc/munin/plugin-conf.d/munin-node
|
||||||
|
check_mode: no
|
||||||
|
register: stat_munin_node
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- munin
|
||||||
|
|
||||||
|
- include: munin_vhost.yml
|
||||||
|
when: stat_munin_node.stat.exists
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- munin
|
||||||
|
|
||||||
|
- include: munin_graphs.yml
|
||||||
|
when: stat_munin_node.stat.exists
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- munin
|
||||||
|
|
||||||
|
- include: logrotate.yml
|
||||||
|
|
|
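Review bot: The `add user:pwd to private htpasswd` and `remove user:pwd from private htpasswd` tasks loop over `line: "{{ item }}"` without `no_log`, so every entry passed through `nginx_private_htpasswd_present` and `nginx_private_htpasswd_absent` is echoed, item by item, into the play output and whatever collects it; add `no_log: true` to both `lineinfile` tasks. Relatedly, `Copy private_htpasswd` installs the credential file as `owner: www-data`, which presumably lets the nginx worker account rewrite its own credential file — `owner: root` with `group: www-data` and the existing `mode: "0640"` keeps it readable to nginx and answers the "not too loose for private_htpasswd" TODO just above it. Minor style: `force: yes`, `force: no`, `enabled: yes` and `check_mode: no` in this file are YAML 1.1 booleans; `true`/`false` are the canonical spellings and avoid parser differences.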
@ -1,40 +0,0 @@
|
||||||
---
|
|
||||||
- name: Ensure Nginx is installed
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- nginx-light
|
|
||||||
- ssl-cert
|
|
||||||
state: present
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Copy default vhost
|
|
||||||
template:
|
|
||||||
src: "{{ nginx_default_template_minimal }}"
|
|
||||||
dest: /etc/nginx/sites-available/evolinux-default.minimal.conf
|
|
||||||
mode: 0644
|
|
||||||
force: "{{ nginx_force_default_template | default(False) }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Enable default vhost
|
|
||||||
file:
|
|
||||||
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
|
|
||||||
dest: /etc/nginx/sites-enabled/default
|
|
||||||
state: link
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Ensure Nginx is enabled
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
|
@ -1,182 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- include: packages.yml
|
|
||||||
|
|
||||||
- include: server_status_read.yml
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
# TODO: find a way to override the main configuration
|
|
||||||
# without touching the main file
|
|
||||||
|
|
||||||
- name: customize worker_connections
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/nginx/nginx.conf
|
|
||||||
regexp: '^(\s*worker_connections)\s+.+;'
|
|
||||||
line: ' worker_connections 1024;'
|
|
||||||
insertafter: 'events \{'
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: use epoll
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/nginx/nginx.conf
|
|
||||||
regexp: '^(\s*use)\s+.+;'
|
|
||||||
line: ' use epoll;'
|
|
||||||
insertafter: 'events \{'
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: Install Nginx http configuration
|
|
||||||
copy:
|
|
||||||
src: nginx/evolinux-defaults.conf
|
|
||||||
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
|
|
||||||
mode: "0640"
|
|
||||||
# force: yes
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
# TODO: verify that those permissions are correct :
|
|
||||||
# not too strict for ipaddr_whitelist
|
|
||||||
# and not too loose for private_htpasswd
|
|
||||||
|
|
||||||
- name: Copy ipaddr_whitelist
|
|
||||||
copy:
|
|
||||||
src: nginx/snippets/ipaddr_whitelist
|
|
||||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
|
||||||
owner: www-data
|
|
||||||
group: www-data
|
|
||||||
directory_mode: "0640"
|
|
||||||
mode: "0640"
|
|
||||||
force: no
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- ips
|
|
||||||
|
|
||||||
- name: Include IP address whitelist task
|
|
||||||
include: ip_whitelist.yml
|
|
||||||
|
|
||||||
- name: Copy private_htpasswd
|
|
||||||
copy:
|
|
||||||
src: nginx/snippets/private_htpasswd
|
|
||||||
dest: /etc/nginx/snippets/private_htpasswd
|
|
||||||
owner: www-data
|
|
||||||
group: www-data
|
|
||||||
directory_mode: "0640"
|
|
||||||
mode: "0640"
|
|
||||||
force: no
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: add user:pwd to private htpasswd
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/nginx/snippets/private_htpasswd
|
|
||||||
line: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
with_items: "{{ nginx_private_htpasswd_present }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: remove user:pwd from private htpasswd
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/nginx/snippets/private_htpasswd
|
|
||||||
line: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items: "{{ nginx_private_htpasswd_absent }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: nginx vhost is installed
|
|
||||||
template:
|
|
||||||
src: "{{ nginx_default_template_regular }}"
|
|
||||||
dest: /etc/nginx/sites-available/evolinux-default.conf
|
|
||||||
mode: "0640"
|
|
||||||
force: "{{ nginx_force_default_template | default(False) }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: default vhost is enabled
|
|
||||||
file:
|
|
||||||
src: /etc/nginx/sites-available/evolinux-default.conf
|
|
||||||
dest: /etc/nginx/sites-enabled/default
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
||||||
notify: reload nginx
|
|
||||||
when: nginx_evolinux_default_enabled
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- include: server_status_write.yml
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
# - block:
|
|
||||||
# - name: generate random string for phpmyadmin suffix
|
|
||||||
# command: "apg -a 1 -M N -n 1"
|
|
||||||
# changed_when: False
|
|
||||||
# register: random_phpmyadmin_suffix
|
|
||||||
#
|
|
||||||
# - name: overwrite nginx_phpmyadmin_suffix
|
|
||||||
# set_fact:
|
|
||||||
# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
|
|
||||||
# when: nginx_phpmyadmin_suffix == ""
|
|
||||||
#
|
|
||||||
# - name: replace phpmyadmin suffix in default site index
|
|
||||||
# replace:
|
|
||||||
# dest: /var/www/index.html
|
|
||||||
# regexp: '__PHPMYADMIN_SUFFIX__'
|
|
||||||
# replace: "{{ nginx_phpmyadmin_suffix }}"
|
|
||||||
#
|
|
||||||
# - block:
|
|
||||||
# - name: generate random string for serverstatus suffix
|
|
||||||
# command: "apg -a 1 -M N -n 1"
|
|
||||||
# changed_when: False
|
|
||||||
# register: random_serverstatus_suffix
|
|
||||||
#
|
|
||||||
# - name: overwrite nginx_serverstatus_suffix
|
|
||||||
# set_fact:
|
|
||||||
# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
|
|
||||||
# when: nginx_serverstatus_suffix == ""
|
|
||||||
#
|
|
||||||
# - name: replace server-status suffix in default site index
|
|
||||||
# replace:
|
|
||||||
# dest: /var/www/index.html
|
|
||||||
# regexp: '__SERVERSTATUS_SUFFIX__'
|
|
||||||
# replace: "{{ nginx_serverstatus_suffix }}"
|
|
||||||
|
|
||||||
- name: Verify that the service is enabled and started
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: Check if Munin is installed
|
|
||||||
stat:
|
|
||||||
path: /etc/munin/plugin-conf.d/munin-node
|
|
||||||
check_mode: no
|
|
||||||
register: stat_munin_node
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- munin
|
|
||||||
|
|
||||||
- include: munin_vhost.yml
|
|
||||||
when: stat_munin_node.stat.exists
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- munin
|
|
||||||
|
|
||||||
- include: munin_graphs.yml
|
|
||||||
when: stat_munin_node.stat.exists
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- munin
|
|
||||||
|
|
||||||
- include: logrotate.yml
|
|
|
@ -1,3 +1,9 @@
|
||||||
|
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
nginx_package_name_default: nginx-light
|
||||||
|
when: nginx_minimal
|
||||||
|
|
||||||
- include: packages_backports.yml
|
- include: packages_backports.yml
|
||||||
when: nginx_backports
|
when: nginx_backports
|
||||||
|
|
||||||
|
@ -5,7 +11,7 @@
|
||||||
|
|
||||||
- name: Ensure Nginx is installed
|
- name: Ensure Nginx is installed
|
||||||
apt:
|
apt:
|
||||||
name: "{{ nginx_package_name }}"
|
name: "{{ nginx_package_name | default(nginx_default_package_name) }}"
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
|
|
|
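Review bot: The new `set_fact` in the first hunk writes `nginx_package_name_default`, but the `apt` task in the second hunk reads `nginx_package_name | default(nginx_default_package_name)` and the defaults hunk above defines `nginx_default_package_name`, so the fact is never consulted and `nginx_minimal: true` still installs `nginx-full`. Either rename the key to `nginx_default_package_name: nginx-light` or drop the task altogether, since the debug task added above already announces that minimal mode falls back to normal mode and the CHANGELOG entry says the mode was removed; as written the two hunks disagree with each other about what `nginx_minimal` means.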
@ -1,31 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80 default_server;
|
|
||||||
listen [::]:80 default_server;
|
|
||||||
|
|
||||||
listen 443 ssl default_server;
|
|
||||||
listen [::]:443 ssl default_server;
|
|
||||||
|
|
||||||
if ($host != "{{ ansible_fqdn }}") {
|
|
||||||
rewrite ^ https://{{ ansible_fqdn }}$request_uri permanent;
|
|
||||||
}
|
|
||||||
|
|
||||||
include snippets/snakeoil.conf;
|
|
||||||
|
|
||||||
if ($https != "on") {
|
|
||||||
return 301 https://{{ ansible_fqdn }}$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
root /var/www/;
|
|
||||||
|
|
||||||
location /munin {
|
|
||||||
alias /var/cache/munin/www;
|
|
||||||
}
|
|
||||||
|
|
||||||
index index.html;
|
|
||||||
|
|
||||||
server_name _;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
}
|
|