nginx: no more "minimal" mode, but the package remains customizable.

This commit is contained in:
Jérémy Lecour 2021-02-04 11:31:36 +01:00 committed by Jérémy Lecour
parent cff309ff41
commit dde2672715
7 changed files with 159 additions and 259 deletions


@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release.
### Removed
* nginx: no more "minimal" mode, but the package remains customizable.
### Security
## [10.4.0] 2020-12-24


@ -4,7 +4,7 @@ nginx_minimal: False
# backward compatibility with a previously used variable
nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}"
nginx_package_name: "nginx-full"
nginx_default_package_name: "nginx-full"
nginx_default_ipaddr_whitelist_ips: []
nginx_additional_ipaddr_whitelist_ips: []


@ -1,7 +1,152 @@
---
- include: main_minimal.yml
- debug:
msg: "Nginx minimal mode has been removed, falling back to normal mode."
when: nginx_minimal
- include: main_regular.yml
when: not nginx_minimal
- include: packages.yml
- include: server_status_read.yml
tags:
- nginx
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy ipaddr_whitelist
copy:
src: nginx/snippets/ipaddr_whitelist
dest: /etc/nginx/snippets/ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- ips
- name: Include IP address whitelist task
include: ip_whitelist.yml
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: "{{ nginx_default_template_regular }}"
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
- include: server_status_write.yml
tags:
- nginx
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml
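Review bot: The `Copy private_htpasswd` task sets `owner: www-data`, `group: www-data`, `mode: "0640"`, which makes the credential file writable by the account the nginx workers run as; nginx only needs to read it, and `owner: root`, `group: www-data`, `mode: "0640"` gives read access without letting the worker process modify its own access-control list. The same ownership is used for `Copy ipaddr_whitelist` a few tasks earlier, and the TODO comment above that task already asks whether these permissions are right, so this is a good moment to settle it. The two lineinfile tasks that edit the htpasswd snippet keep whatever ownership the copy left, so changing the copy tasks is sufficient. These tasks are carried over unchanged from the deleted main_regular.yml rather than introduced by this commit.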


@ -1,40 +0,0 @@
---
- name: Ensure Nginx is installed
apt:
name:
- nginx-light
- ssl-cert
state: present
notify: reload nginx
tags:
- nginx
- packages
- name: Copy default vhost
template:
src: "{{ nginx_default_template_minimal }}"
dest: /etc/nginx/sites-available/evolinux-default.minimal.conf
mode: 0644
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- packages
- name: Enable default vhost
file:
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
dest: /etc/nginx/sites-enabled/default
state: link
notify: reload nginx
tags:
- nginx
- packages
- name: Ensure Nginx is enabled
service:
name: nginx
state: started
enabled: yes
tags:
- nginx


@ -1,182 +0,0 @@
---
- include: packages.yml
- include: server_status_read.yml
tags:
- nginx
# TODO: find a way to override the main configuration
# without touching the main file
- name: customize worker_connections
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*worker_connections)\s+.+;'
line: ' worker_connections 1024;'
insertafter: 'events \{'
tags:
- nginx
- name: use epoll
lineinfile:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*use)\s+.+;'
line: ' use epoll;'
insertafter: 'events \{'
tags:
- nginx
- name: Install Nginx http configuration
copy:
src: nginx/evolinux-defaults.conf
dest: /etc/nginx/conf.d/z-evolinux-defaults.conf
mode: "0640"
# force: yes
notify: reload nginx
tags:
- nginx
# TODO: verify that those permissions are correct :
# not too strict for ipaddr_whitelist
# and not too loose for private_htpasswd
- name: Copy ipaddr_whitelist
copy:
src: nginx/snippets/ipaddr_whitelist
dest: /etc/nginx/snippets/ipaddr_whitelist
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- ips
- name: Include IP address whitelist task
include: ip_whitelist.yml
- name: Copy private_htpasswd
copy:
src: nginx/snippets/private_htpasswd
dest: /etc/nginx/snippets/private_htpasswd
owner: www-data
group: www-data
directory_mode: "0640"
mode: "0640"
force: no
notify: reload nginx
tags:
- nginx
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ nginx_private_htpasswd_present }}"
notify: reload nginx
tags:
- nginx
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/nginx/snippets/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ nginx_private_htpasswd_absent }}"
notify: reload nginx
tags:
- nginx
- name: nginx vhost is installed
template:
src: "{{ nginx_default_template_regular }}"
dest: /etc/nginx/sites-available/evolinux-default.conf
mode: "0640"
force: "{{ nginx_force_default_template | default(False) }}"
notify: reload nginx
tags:
- nginx
- name: default vhost is enabled
file:
src: /etc/nginx/sites-available/evolinux-default.conf
dest: /etc/nginx/sites-enabled/default
state: link
force: yes
notify: reload nginx
when: nginx_evolinux_default_enabled
tags:
- nginx
- include: server_status_write.yml
tags:
- nginx
# - block:
# - name: generate random string for phpmyadmin suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_phpmyadmin_suffix
#
# - name: overwrite nginx_phpmyadmin_suffix
# set_fact:
# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_phpmyadmin_suffix == ""
#
# - name: replace phpmyadmin suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__PHPMYADMIN_SUFFIX__'
# replace: "{{ nginx_phpmyadmin_suffix }}"
#
# - block:
# - name: generate random string for serverstatus suffix
# command: "apg -a 1 -M N -n 1"
# changed_when: False
# register: random_serverstatus_suffix
#
# - name: overwrite nginx_serverstatus_suffix
# set_fact:
# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
# when: nginx_serverstatus_suffix == ""
#
# - name: replace server-status suffix in default site index
# replace:
# dest: /var/www/index.html
# regexp: '__SERVERSTATUS_SUFFIX__'
# replace: "{{ nginx_serverstatus_suffix }}"
- name: Verify that the service is enabled and started
service:
name: nginx
enabled: yes
state: started
tags:
- nginx
- name: Check if Munin is installed
stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: stat_munin_node
tags:
- nginx
- munin
- include: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml


@ -1,3 +1,9 @@
- set_fact:
nginx_package_name_default: nginx-light
when: nginx_minimal
- include: packages_backports.yml
when: nginx_backports
@ -5,7 +11,7 @@
- name: Ensure Nginx is installed
apt:
name: "{{ nginx_package_name }}"
name: "{{ nginx_package_name | default(nginx_default_package_name) }}"
state: present
tags:
- nginx
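Review bot: The set_fact in the first hunk writes `nginx_package_name_default`, but the apt task at the end of this section reads `nginx_package_name | default(nginx_default_package_name)` and the defaults hunk defines `nginx_default_package_name`, so on hosts with `nginx_minimal` set the fact is never consulted and nginx-full is installed where nginx-light was intended. Unless something outside this page reads `nginx_package_name_default`, the key should be `nginx_default_package_name: "nginx-light"`; as a host fact it takes precedence over the role default and the `default()` filter then resolves to it. Quoting the value also matches how the defaults file writes `"nginx-full"`.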


@ -1,31 +0,0 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
if ($host != "{{ ansible_fqdn }}") {
rewrite ^ https://{{ ansible_fqdn }}$request_uri permanent;
}
include snippets/snakeoil.conf;
if ($https != "on") {
return 301 https://{{ ansible_fqdn }}$request_uri;
}
root /var/www/;
location /munin {
alias /var/cache/munin/www;
}
index index.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}