Compare commits
No commits in common. "main" and "docs" have entirely different histories.
161
.drone.jsonnet
161
.drone.jsonnet
|
@ -1,161 +0,0 @@
|
|||
local PipelineLinting = {
|
||||
kind: 'pipeline',
|
||||
name: 'linting',
|
||||
platform: {
|
||||
os: 'linux',
|
||||
arch: 'amd64',
|
||||
},
|
||||
steps: [
|
||||
{
|
||||
name: 'ansible-later',
|
||||
image: 'thegeeklab/ansible-later',
|
||||
commands: [
|
||||
'ansible-later',
|
||||
],
|
||||
},
|
||||
{
|
||||
name: 'python-format',
|
||||
image: 'python:3.11',
|
||||
environment: {
|
||||
PY_COLORS: 1,
|
||||
},
|
||||
commands: [
|
||||
'pip install -qq yapf',
|
||||
'[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
|
||||
],
|
||||
},
|
||||
{
|
||||
name: 'python-flake8',
|
||||
image: 'python:3.11',
|
||||
environment: {
|
||||
PY_COLORS: 1,
|
||||
},
|
||||
commands: [
|
||||
'pip install -qq flake8',
|
||||
'flake8',
|
||||
],
|
||||
},
|
||||
],
|
||||
trigger: {
|
||||
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
|
||||
},
|
||||
};
|
||||
|
||||
local PipelineDeployment(scenario='centos7') = {
|
||||
kind: 'pipeline',
|
||||
name: 'testing-' + scenario,
|
||||
platform: {
|
||||
os: 'linux',
|
||||
arch: 'amd64',
|
||||
},
|
||||
concurrency: {
|
||||
limit: 1,
|
||||
},
|
||||
workspace: {
|
||||
base: '/drone/src',
|
||||
path: '${DRONE_REPO_NAME}',
|
||||
},
|
||||
steps: [
|
||||
{
|
||||
name: 'ansible-molecule',
|
||||
image: 'thegeeklab/molecule:4',
|
||||
environment: {
|
||||
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
|
||||
},
|
||||
commands: [
|
||||
'molecule test -s ' + scenario,
|
||||
],
|
||||
},
|
||||
],
|
||||
depends_on: [
|
||||
'linting',
|
||||
],
|
||||
trigger: {
|
||||
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
|
||||
},
|
||||
};
|
||||
|
||||
local PipelineDocumentation = {
|
||||
kind: 'pipeline',
|
||||
name: 'documentation',
|
||||
platform: {
|
||||
os: 'linux',
|
||||
arch: 'amd64',
|
||||
},
|
||||
steps: [
|
||||
{
|
||||
name: 'generate',
|
||||
image: 'thegeeklab/ansible-doctor',
|
||||
environment: {
|
||||
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
|
||||
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
|
||||
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
|
||||
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
|
||||
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
|
||||
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'publish',
|
||||
image: 'plugins/gh-pages',
|
||||
settings: {
|
||||
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
|
||||
netrc_machine: 'gitea.rknet.org',
|
||||
username: { from_secret: 'gitea_username' },
|
||||
password: { from_secret: 'gitea_token' },
|
||||
pages_directory: '_docs/',
|
||||
target_branch: 'docs',
|
||||
},
|
||||
when: {
|
||||
ref: ['refs/heads/main'],
|
||||
},
|
||||
},
|
||||
],
|
||||
trigger: {
|
||||
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
|
||||
},
|
||||
depends_on: [
|
||||
'testing-centos7',
|
||||
'testing-rocky8',
|
||||
],
|
||||
};
|
||||
|
||||
local PipelineNotification = {
|
||||
kind: 'pipeline',
|
||||
name: 'notification',
|
||||
platform: {
|
||||
os: 'linux',
|
||||
arch: 'amd64',
|
||||
},
|
||||
clone: {
|
||||
disable: true,
|
||||
},
|
||||
steps: [
|
||||
{
|
||||
name: 'matrix',
|
||||
image: 'thegeeklab/drone-matrix',
|
||||
settings: {
|
||||
homeserver: { from_secret: 'matrix_homeserver' },
|
||||
roomid: { from_secret: 'matrix_roomid' },
|
||||
template: 'Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}',
|
||||
username: { from_secret: 'matrix_username' },
|
||||
password: { from_secret: 'matrix_password' },
|
||||
},
|
||||
},
|
||||
],
|
||||
depends_on: [
|
||||
'documentation',
|
||||
],
|
||||
trigger: {
|
||||
status: ['success', 'failure'],
|
||||
ref: ['refs/heads/main', 'refs/tags/**'],
|
||||
},
|
||||
};
|
||||
|
||||
[
|
||||
PipelineLinting,
|
||||
PipelineDeployment(scenario='centos7'),
|
||||
PipelineDeployment(scenario='rocky8'),
|
||||
PipelineDocumentation,
|
||||
PipelineNotification,
|
||||
]
|
187
.drone.yml
187
.drone.yml
|
@ -1,187 +0,0 @@
|
|||
---
|
||||
kind: pipeline
|
||||
name: linting
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
steps:
|
||||
- name: ansible-later
|
||||
image: thegeeklab/ansible-later
|
||||
commands:
|
||||
- ansible-later
|
||||
|
||||
- name: python-format
|
||||
image: python:3.11
|
||||
commands:
|
||||
- pip install -qq yapf
|
||||
- "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
|
||||
environment:
|
||||
PY_COLORS: 1
|
||||
|
||||
- name: python-flake8
|
||||
image: python:3.11
|
||||
commands:
|
||||
- pip install -qq flake8
|
||||
- flake8
|
||||
environment:
|
||||
PY_COLORS: 1
|
||||
|
||||
trigger:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
- refs/tags/**
|
||||
- refs/pull/**
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: testing-centos7
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
concurrency:
|
||||
limit: 1
|
||||
|
||||
workspace:
|
||||
base: /drone/src
|
||||
path: ${DRONE_REPO_NAME}
|
||||
|
||||
steps:
|
||||
- name: ansible-molecule
|
||||
image: thegeeklab/molecule:4
|
||||
commands:
|
||||
- molecule test -s centos7
|
||||
environment:
|
||||
HCLOUD_TOKEN:
|
||||
from_secret: hcloud_token
|
||||
|
||||
trigger:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
- refs/tags/**
|
||||
- refs/pull/**
|
||||
|
||||
depends_on:
|
||||
- linting
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: testing-rocky8
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
concurrency:
|
||||
limit: 1
|
||||
|
||||
workspace:
|
||||
base: /drone/src
|
||||
path: ${DRONE_REPO_NAME}
|
||||
|
||||
steps:
|
||||
- name: ansible-molecule
|
||||
image: thegeeklab/molecule:4
|
||||
commands:
|
||||
- molecule test -s rocky8
|
||||
environment:
|
||||
HCLOUD_TOKEN:
|
||||
from_secret: hcloud_token
|
||||
|
||||
trigger:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
- refs/tags/**
|
||||
- refs/pull/**
|
||||
|
||||
depends_on:
|
||||
- linting
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: documentation
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
steps:
|
||||
- name: generate
|
||||
image: thegeeklab/ansible-doctor
|
||||
environment:
|
||||
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
|
||||
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
|
||||
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
|
||||
ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
|
||||
ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
|
||||
ANSIBLE_DOCTOR_TEMPLATE: hugo-book
|
||||
|
||||
- name: publish
|
||||
image: plugins/gh-pages
|
||||
settings:
|
||||
netrc_machine: gitea.rknet.org
|
||||
pages_directory: _docs/
|
||||
password:
|
||||
from_secret: gitea_token
|
||||
remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
|
||||
target_branch: docs
|
||||
username:
|
||||
from_secret: gitea_username
|
||||
when:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
|
||||
trigger:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
- refs/tags/**
|
||||
- refs/pull/**
|
||||
|
||||
depends_on:
|
||||
- testing-centos7
|
||||
- testing-rocky8
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: notification
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
clone:
|
||||
disable: true
|
||||
|
||||
steps:
|
||||
- name: matrix
|
||||
image: thegeeklab/drone-matrix
|
||||
settings:
|
||||
homeserver:
|
||||
from_secret: matrix_homeserver
|
||||
password:
|
||||
from_secret: matrix_password
|
||||
roomid:
|
||||
from_secret: matrix_roomid
|
||||
template: "Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}"
|
||||
username:
|
||||
from_secret: matrix_username
|
||||
|
||||
trigger:
|
||||
ref:
|
||||
- refs/heads/main
|
||||
- refs/tags/**
|
||||
status:
|
||||
- success
|
||||
- failure
|
||||
|
||||
depends_on:
|
||||
- documentation
|
||||
|
||||
---
|
||||
kind: signature
|
||||
hmac: 0cc44b63ef9e2c4f4459db9f4def41dccf56380ef4263fba889bb45c4124e1b8
|
||||
|
||||
...
|
|
@ -1,13 +0,0 @@
|
|||
# ---> Ansible
|
||||
*.retry
|
||||
filter/plugins/
|
||||
library
|
||||
|
||||
# ---> Python
|
||||
# Byte-compiled / optimized / DLL files
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
*$py.class
|
||||
|
||||
# ---> Docs
|
||||
/_docs
|
19
.later.yml
19
.later.yml
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
ansible:
|
||||
custom_modules:
|
||||
- iptables_raw
|
||||
- openssl_pkcs12
|
||||
- proxmox_kvm
|
||||
- ucr
|
||||
- corenetworks_dns
|
||||
- corenetworks_token
|
||||
|
||||
rules:
|
||||
exclude_files:
|
||||
- molecule/
|
||||
- "LICENSE*"
|
||||
- "**/*.md"
|
||||
- "**/*.ini"
|
||||
|
||||
exclude_filter:
|
||||
- LINT0009
|
21
LICENSE
21
LICENSE
|
@ -1,21 +0,0 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is furnished
|
||||
to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice (including the next
|
||||
paragraph) shall be included in all copies or substantial portions of the
|
||||
Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
|
||||
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
||||
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
|
||||
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
12
README.md
12
README.md
|
@ -1,12 +0,0 @@
|
|||
# xoxys.nginx
|
||||
|
||||
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx)
|
||||
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
|
||||
|
||||
Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server. The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
|
||||
|
||||
You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/system/nginx/).
|
||||
|
||||
## License
|
||||
|
||||
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
|
|
@ -1,197 +0,0 @@
|
|||
---
|
||||
nginx_official_repo_enabled: True
|
||||
nginx_user: nginx
|
||||
nginx_group: nginx
|
||||
nginx_worker_processes: 1
|
||||
nginx_worker_connections: 1024
|
||||
nginx_error_log:
|
||||
enabled: True
|
||||
file: /var/log/nginx/error.log
|
||||
level: error
|
||||
nginx_access_log:
|
||||
enabled: True
|
||||
file: /var/log/nginx/access.log
|
||||
format: main
|
||||
|
||||
nginx_client_body_buffer_size: 10k
|
||||
nginx_client_header_buffer_size: 1k
|
||||
nginx_client_max_body_size: 8m
|
||||
|
||||
nginx_client_body_timeout: 60
|
||||
nginx_client_header_timeout: 60
|
||||
nginx_keepalive_timeout: 65
|
||||
nginx_send_timeout: 60
|
||||
nginx_reset_timedout_connection: True
|
||||
|
||||
nginx_gzip_enabled: True
|
||||
nginx_gzip_comp_level: 2
|
||||
nginx_gzip_min_length: 1000
|
||||
nginx_gzip_proxied:
|
||||
- expired
|
||||
- no-cache
|
||||
- no-store
|
||||
- private
|
||||
- auth
|
||||
nginx_gzip_types:
|
||||
- text/plain
|
||||
- application/x-javascript
|
||||
- text/xml
|
||||
- text/css
|
||||
- application/xml
|
||||
|
||||
nginx_tls_enabled: False
|
||||
nginx_tls_versions:
|
||||
- TLSv1.2
|
||||
|
||||
nginx_tls_certificates: []
|
||||
# @var nginx_tls_certificates:example: >
|
||||
# nginx_tls_certificates:
|
||||
# - source: "{{ ansible_user_dir }}/files/mycert.pem"
|
||||
# dest: /etc/pki/tls/certs/mycert.pem
|
||||
# mode: 0644
|
||||
# - source: "{{ ansible_user_dir }}/files/mykey.pem"
|
||||
# dest: /etc/pki/tls/private/mykey.pem
|
||||
# mode: 0600
|
||||
# @end
|
||||
|
||||
nginx_tls_certificates_extra: []
|
||||
|
||||
# @var nginx_tls_dhparam_file: $ "_unset_"
|
||||
nginx_tls_dhparam_size: 2048
|
||||
|
||||
nginx_tls_ciphers:
|
||||
- ECDHE-RSA-AES256-GCM-SHA512
|
||||
- DHE-RSA-AES256-GCM-SHA512
|
||||
- ECDHE-RSA-AES256-GCM-SHA384
|
||||
- DHE-RSA-AES256-GCM-SHA384
|
||||
- ECDHE-RSA-AES256-SHA384
|
||||
# @var nginx_tls_ecdh_curve: $ "_unset_"
|
||||
|
||||
nginx_tls_ocsp_enabled: False
|
||||
# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"
|
||||
|
||||
nginx_tls_hsts_enabled: False
|
||||
nginx_hsts_options:
|
||||
- max-age=63072000
|
||||
- includeSubDomains
|
||||
- preload
|
||||
|
||||
nginx_xfo_enabled: True
|
||||
nginx_xfo_policy: deny
|
||||
|
||||
nginx_xcto_enabled: True
|
||||
nginx_csp_enabled: False
|
||||
# @ var nginx_csp_options: $ "_unset_"
|
||||
# @var nginx_csp_options:example: >
|
||||
# nginx_csp_options:
|
||||
# - directive: frame-ancestors
|
||||
# parameters:
|
||||
# - https://example.com
|
||||
# - https://mypage.com
|
||||
|
||||
nginx_xxxsp_enabled: True
|
||||
nginx_xxxsp_parameters:
|
||||
- 1
|
||||
- mode=block
|
||||
|
||||
nginx_rp_enabled: True
|
||||
nginx_rp_option: strict-origin
|
||||
|
||||
nginx_maps: []
|
||||
# @var nginx_maps:example: >
|
||||
# nginx_maps:
|
||||
# - input: $input
|
||||
# output: $output
|
||||
# parameters:
|
||||
# - "default 0"
|
||||
# - "/old/path /new_path"
|
||||
# @end
|
||||
nginx_maps_extra: []
|
||||
|
||||
nginx_error_page: []
|
||||
# @var nginx_error_page:example:
|
||||
# nginx_error_page:
|
||||
# - code:
|
||||
# - 404
|
||||
# - 403
|
||||
# dest: /4xx.html
|
||||
# @end
|
||||
|
||||
nginx_error_location: []
|
||||
# @var nginx_error_location: description: >
|
||||
# Default error location. If set, the defined location will be automatically added once
|
||||
# to every server block to handle custom error sites.
|
||||
# @end
|
||||
# @var nginx_error_location: example: >
|
||||
# nginx_error_location:
|
||||
# - match: /
|
||||
# root: /var/www/vhosts/default
|
||||
# index: index.html
|
||||
# custom_options:
|
||||
# @end
|
||||
|
||||
nginx_vhosts_dir: /var/www/vhosts
|
||||
|
||||
nginx_vhosts_default:
|
||||
- file: default
|
||||
servers:
|
||||
- port: 80
|
||||
server_name: "{{ ansible_fqdn }}"
|
||||
locations:
|
||||
- match: /
|
||||
root: /var/www/vhosts/default
|
||||
index: index.html
|
||||
- match: /50x.html
|
||||
root: "/usr/share/nginx/html"
|
||||
custom_options:
|
||||
- "error_page 500 502 503 504 /50x.html"
|
||||
|
||||
# @var nginx_vhosts_default:example: >
|
||||
# nginx_vhosts_default:
|
||||
# - file: default
|
||||
# upstreams:
|
||||
# - name: my_pool
|
||||
# servers: []
|
||||
# servers:
|
||||
# - port: 80
|
||||
# server_name: demo.example.com
|
||||
# tls_redirect: False # skips locations if enabled
|
||||
# tls_redirect_url:
|
||||
# tls:
|
||||
# cert: /etc/pki/tls/certs/mycert.pem
|
||||
# key: /etc/pki/tls/private/mykey.pem
|
||||
# dhparam:
|
||||
# client_max_body_size:
|
||||
# send_timeout:
|
||||
# add_headers:
|
||||
# - name:
|
||||
# value:
|
||||
# always: True
|
||||
# locations:
|
||||
# - match: /
|
||||
# root: /var/www/vhosts/default
|
||||
# index: index.html
|
||||
# add_headers: []
|
||||
# proxy_pass:
|
||||
# proxy_pass_request_body:
|
||||
# proxy_next_upstream:
|
||||
# proxy_redirect:
|
||||
# proxy_http_version: "1.1"
|
||||
# proxy_buffering: "off"
|
||||
# proxy_connect_timeout: 3600s
|
||||
# proxy_read_timeout: 3600s
|
||||
# proxy_send_timeout: 3600s
|
||||
# proxy_set_headers: []
|
||||
# proxy_hide_headers: []
|
||||
# proxy_ignore_headers: []
|
||||
# proxy_intercept_errors: "off"
|
||||
# proxy_cache_bypass:
|
||||
# proxy_no_cache:
|
||||
# proxy_buffers:
|
||||
# custom_options:
|
||||
# custom_options:
|
||||
# - 'deny: all'
|
||||
|
||||
nginx_vhosts_extra: []
|
||||
|
||||
nginx_server_names_hash_bucket_size: 32
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
service:
|
||||
state: reloaded
|
||||
name: nginx
|
||||
listen: __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
|
@ -0,0 +1,602 @@
|
|||
---
|
||||
title: nginx
|
||||
type: docs
|
||||
---
|
||||
|
||||
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.nginx) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.nginx/src/branch/main/LICENSE)
|
||||
|
||||
Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server. The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
|
||||
|
||||
<!--more-->
|
||||
|
||||
- [Default Variables](#default-variables)
|
||||
- [nginx_access_log](#nginx_access_log)
|
||||
- [nginx_client_body_buffer_size](#nginx_client_body_buffer_size)
|
||||
- [nginx_client_body_timeout](#nginx_client_body_timeout)
|
||||
- [nginx_client_header_buffer_size](#nginx_client_header_buffer_size)
|
||||
- [nginx_client_header_timeout](#nginx_client_header_timeout)
|
||||
- [nginx_client_max_body_size](#nginx_client_max_body_size)
|
||||
- [nginx_csp_enabled](#nginx_csp_enabled)
|
||||
- [nginx_csp_options](#nginx_csp_options)
|
||||
- [nginx_error_location](#nginx_error_location)
|
||||
- [nginx_error_log](#nginx_error_log)
|
||||
- [nginx_error_page](#nginx_error_page)
|
||||
- [nginx_group](#nginx_group)
|
||||
- [nginx_gzip_comp_level](#nginx_gzip_comp_level)
|
||||
- [nginx_gzip_enabled](#nginx_gzip_enabled)
|
||||
- [nginx_gzip_min_length](#nginx_gzip_min_length)
|
||||
- [nginx_gzip_proxied](#nginx_gzip_proxied)
|
||||
- [nginx_gzip_types](#nginx_gzip_types)
|
||||
- [nginx_hsts_options](#nginx_hsts_options)
|
||||
- [nginx_keepalive_timeout](#nginx_keepalive_timeout)
|
||||
- [nginx_maps](#nginx_maps)
|
||||
- [nginx_maps_extra](#nginx_maps_extra)
|
||||
- [nginx_official_repo_enabled](#nginx_official_repo_enabled)
|
||||
- [nginx_reset_timedout_connection](#nginx_reset_timedout_connection)
|
||||
- [nginx_rp_enabled](#nginx_rp_enabled)
|
||||
- [nginx_rp_option](#nginx_rp_option)
|
||||
- [nginx_send_timeout](#nginx_send_timeout)
|
||||
- [nginx_server_names_hash_bucket_size](#nginx_server_names_hash_bucket_size)
|
||||
- [nginx_tls_certificates](#nginx_tls_certificates)
|
||||
- [nginx_tls_certificates_extra](#nginx_tls_certificates_extra)
|
||||
- [nginx_tls_ciphers](#nginx_tls_ciphers)
|
||||
- [nginx_tls_dhparam_file](#nginx_tls_dhparam_file)
|
||||
- [nginx_tls_dhparam_size](#nginx_tls_dhparam_size)
|
||||
- [nginx_tls_ecdh_curve](#nginx_tls_ecdh_curve)
|
||||
- [nginx_tls_enabled](#nginx_tls_enabled)
|
||||
- [nginx_tls_hsts_enabled](#nginx_tls_hsts_enabled)
|
||||
- [nginx_tls_ocsp_enabled](#nginx_tls_ocsp_enabled)
|
||||
- [nginx_tls_ocsp_trusted_certificate](#nginx_tls_ocsp_trusted_certificate)
|
||||
- [nginx_tls_versions](#nginx_tls_versions)
|
||||
- [nginx_user](#nginx_user)
|
||||
- [nginx_vhosts_default](#nginx_vhosts_default)
|
||||
- [nginx_vhosts_dir](#nginx_vhosts_dir)
|
||||
- [nginx_vhosts_extra](#nginx_vhosts_extra)
|
||||
- [nginx_worker_connections](#nginx_worker_connections)
|
||||
- [nginx_worker_processes](#nginx_worker_processes)
|
||||
- [nginx_xcto_enabled](#nginx_xcto_enabled)
|
||||
- [nginx_xfo_enabled](#nginx_xfo_enabled)
|
||||
- [nginx_xfo_policy](#nginx_xfo_policy)
|
||||
- [nginx_xxxsp_enabled](#nginx_xxxsp_enabled)
|
||||
- [nginx_xxxsp_parameters](#nginx_xxxsp_parameters)
|
||||
- [Discovered Tags](#discovered-tags)
|
||||
- [Dependencies](#dependencies)
|
||||
|
||||
---
|
||||
|
||||
## Default Variables
|
||||
|
||||
### nginx_access_log
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_access_log:
|
||||
enabled: true
|
||||
file: /var/log/nginx/access.log
|
||||
format: main
|
||||
```
|
||||
|
||||
### nginx_client_body_buffer_size
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_client_body_buffer_size: 10k
|
||||
```
|
||||
|
||||
### nginx_client_body_timeout
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_client_body_timeout: 60
|
||||
```
|
||||
|
||||
### nginx_client_header_buffer_size
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_client_header_buffer_size: 1k
|
||||
```
|
||||
|
||||
### nginx_client_header_timeout
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_client_header_timeout: 60
|
||||
```
|
||||
|
||||
### nginx_client_max_body_size
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_client_max_body_size: 8m
|
||||
```
|
||||
|
||||
### nginx_csp_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_csp_enabled: false
|
||||
```
|
||||
|
||||
### nginx_csp_options
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
nginx_csp_options:
|
||||
- directive: frame-ancestors
|
||||
parameters:
|
||||
- https://example.com
|
||||
- https://mypage.com
|
||||
```
|
||||
|
||||
### nginx_error_location
|
||||
|
||||
Default error location. If set, the defined location will be automatically added once to every server block to handle custom error sites.
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_error_location: []
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
nginx_error_location:
|
||||
- match: /
|
||||
root: /var/www/vhosts/default
|
||||
index: index.html
|
||||
custom_options:
|
||||
```
|
||||
|
||||
### nginx_error_log
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_error_log:
|
||||
enabled: true
|
||||
file: /var/log/nginx/error.log
|
||||
level: error
|
||||
```
|
||||
|
||||
### nginx_error_page
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_error_page: []
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
|
||||
```
|
||||
|
||||
### nginx_group
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_group: nginx
|
||||
```
|
||||
|
||||
### nginx_gzip_comp_level
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_gzip_comp_level: 2
|
||||
```
|
||||
|
||||
### nginx_gzip_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_gzip_enabled: true
|
||||
```
|
||||
|
||||
### nginx_gzip_min_length
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_gzip_min_length: 1000
|
||||
```
|
||||
|
||||
### nginx_gzip_proxied
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_gzip_proxied:
|
||||
- expired
|
||||
- no-cache
|
||||
- no-store
|
||||
- private
|
||||
- auth
|
||||
```
|
||||
|
||||
### nginx_gzip_types
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_gzip_types:
|
||||
- text/plain
|
||||
- application/x-javascript
|
||||
- text/xml
|
||||
- text/css
|
||||
- application/xml
|
||||
```
|
||||
|
||||
### nginx_hsts_options
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_hsts_options:
|
||||
- max-age=63072000
|
||||
- includeSubDomains
|
||||
- preload
|
||||
```
|
||||
|
||||
### nginx_keepalive_timeout
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_keepalive_timeout: 65
|
||||
```
|
||||
|
||||
### nginx_maps
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_maps: []
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
nginx_maps:
|
||||
- input: $input
|
||||
output: $output
|
||||
parameters:
|
||||
- "default 0"
|
||||
- "/old/path /new_path"
|
||||
```
|
||||
|
||||
### nginx_maps_extra
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_maps_extra: []
|
||||
```
|
||||
|
||||
### nginx_official_repo_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_official_repo_enabled: true
|
||||
```
|
||||
|
||||
### nginx_reset_timedout_connection
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_reset_timedout_connection: true
|
||||
```
|
||||
|
||||
### nginx_rp_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_rp_enabled: true
|
||||
```
|
||||
|
||||
### nginx_rp_option
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_rp_option: strict-origin
|
||||
```
|
||||
|
||||
### nginx_send_timeout
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_send_timeout: 60
|
||||
```
|
||||
|
||||
### nginx_server_names_hash_bucket_size
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_server_names_hash_bucket_size: 32
|
||||
```
|
||||
|
||||
### nginx_tls_certificates
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_certificates: []
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
nginx_tls_certificates:
|
||||
- source: "{{ ansible_user_dir }}/files/mycert.pem"
|
||||
dest: /etc/pki/tls/certs/mycert.pem
|
||||
mode: 0644
|
||||
- source: "{{ ansible_user_dir }}/files/mykey.pem"
|
||||
dest: /etc/pki/tls/private/mykey.pem
|
||||
mode: 0600
|
||||
```
|
||||
|
||||
### nginx_tls_certificates_extra
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_certificates_extra: []
|
||||
```
|
||||
|
||||
### nginx_tls_ciphers
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_ciphers:
|
||||
- ECDHE-RSA-AES256-GCM-SHA512
|
||||
- DHE-RSA-AES256-GCM-SHA512
|
||||
- ECDHE-RSA-AES256-GCM-SHA384
|
||||
- DHE-RSA-AES256-GCM-SHA384
|
||||
- ECDHE-RSA-AES256-SHA384
|
||||
```
|
||||
|
||||
### nginx_tls_dhparam_file
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_dhparam_file: _unset_
|
||||
```
|
||||
|
||||
### nginx_tls_dhparam_size
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_dhparam_size: 2048
|
||||
```
|
||||
|
||||
### nginx_tls_ecdh_curve
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_ecdh_curve: _unset_
|
||||
```
|
||||
|
||||
### nginx_tls_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_enabled: false
|
||||
```
|
||||
|
||||
### nginx_tls_hsts_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_hsts_enabled: false
|
||||
```
|
||||
|
||||
### nginx_tls_ocsp_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_ocsp_enabled: false
|
||||
```
|
||||
|
||||
### nginx_tls_ocsp_trusted_certificate
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_ocsp_trusted_certificate: _unset_
|
||||
```
|
||||
|
||||
### nginx_tls_versions
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_tls_versions:
|
||||
- TLSv1.2
|
||||
```
|
||||
|
||||
### nginx_user
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_user: nginx
|
||||
```
|
||||
|
||||
### nginx_vhosts_default
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_vhosts_default:
|
||||
- file: default
|
||||
servers:
|
||||
- port: 80
|
||||
server_name: '{{ ansible_fqdn }}'
|
||||
locations:
|
||||
- match: /
|
||||
root: /var/www/vhosts/default
|
||||
index: index.html
|
||||
- match: /50x.html
|
||||
root: /usr/share/nginx/html
|
||||
custom_options:
|
||||
- error_page 500 502 503 504 /50x.html
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
nginx_vhosts_default:
|
||||
- file: default
|
||||
upstreams:
|
||||
- name: my_pool
|
||||
servers: []
|
||||
servers:
|
||||
- port: 80
|
||||
server_name: demo.example.com
|
||||
tls_redirect: False # skips locations if enabled
|
||||
tls_redirect_url:
|
||||
tls:
|
||||
cert: /etc/pki/tls/certs/mycert.pem
|
||||
key: /etc/pki/tls/private/mykey.pem
|
||||
dhparam:
|
||||
client_max_body_size:
|
||||
send_timeout:
|
||||
add_headers:
|
||||
- name:
|
||||
value:
|
||||
always: True
|
||||
locations:
|
||||
- match: /
|
||||
root: /var/www/vhosts/default
|
||||
index: index.html
|
||||
add_headers: []
|
||||
proxy_pass:
|
||||
proxy_pass_request_body:
|
||||
proxy_next_upstream:
|
||||
proxy_redirect:
|
||||
proxy_http_version: "1.1"
|
||||
proxy_buffering: "off"
|
||||
proxy_connect_timeout: 3600s
|
||||
proxy_read_timeout: 3600s
|
||||
proxy_send_timeout: 3600s
|
||||
proxy_set_headers: []
|
||||
proxy_hide_headers: []
|
||||
proxy_ignore_headers: []
|
||||
proxy_intercept_errors: "off"
|
||||
proxy_cache_bypass:
|
||||
proxy_no_cache:
|
||||
proxy_buffers:
|
||||
custom_options:
|
||||
custom_options:
|
||||
- 'deny: all'
|
||||
```
|
||||
|
||||
### nginx_vhosts_dir
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_vhosts_dir: /var/www/vhosts
|
||||
```
|
||||
|
||||
### nginx_vhosts_extra
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_vhosts_extra: []
|
||||
```
|
||||
|
||||
### nginx_worker_connections
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_worker_connections: 1024
|
||||
```
|
||||
|
||||
### nginx_worker_processes
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_worker_processes: 1
|
||||
```
|
||||
|
||||
### nginx_xcto_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_xcto_enabled: true
|
||||
```
|
||||
|
||||
### nginx_xfo_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_xfo_enabled: true
|
||||
```
|
||||
|
||||
### nginx_xfo_policy
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_xfo_policy: deny
|
||||
```
|
||||
|
||||
### nginx_xxxsp_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_xxxsp_enabled: true
|
||||
```
|
||||
|
||||
### nginx_xxxsp_parameters
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
nginx_xxxsp_parameters:
|
||||
- 1
|
||||
- mode=block
|
||||
```
|
||||
|
||||
## Discovered Tags
|
||||
|
||||
tls_renewal
|
||||
:
|
||||
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
|
@ -1,31 +0,0 @@
|
|||
# Standards: 0.2
|
||||
---
|
||||
galaxy_info:
|
||||
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
|
||||
author: Robert Kaussow <mail@thegeeklab.de>
|
||||
namespace: xoxys
|
||||
role_name: nginx
|
||||
# @meta description: >
|
||||
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.nginx)
|
||||
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx)
|
||||
# [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.nginx/src/branch/main/LICENSE)
|
||||
#
|
||||
# Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server
|
||||
# for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a
|
||||
# web server. The nginx project started with a strong focus on high concurrency, high performance
|
||||
# and low memory usage.
|
||||
# @end
|
||||
description: Setup nginx webserver
|
||||
license: MIT
|
||||
min_ansible_version: 2.10
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
galaxy_tags:
|
||||
- nginx
|
||||
- webserver
|
||||
- proxy
|
||||
dependencies: []
|
||||
collections:
|
||||
- community.general
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
|
||||
roles:
|
||||
- role: xoxys.nginx
|
|
@ -1,120 +0,0 @@
|
|||
---
|
||||
- name: Create
|
||||
hosts: localhost
|
||||
connection: local
|
||||
gather_facts: false
|
||||
no_log: "{{ molecule_no_log }}"
|
||||
vars:
|
||||
ssh_port: 22
|
||||
ssh_user: root
|
||||
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
|
||||
tasks:
|
||||
- name: Create SSH key
|
||||
user:
|
||||
name: "{{ lookup('env', 'USER') }}"
|
||||
generate_ssh_key: true
|
||||
ssh_key_file: "{{ ssh_path }}"
|
||||
force: true
|
||||
register: generated_ssh_key
|
||||
|
||||
- name: Register the SSH key name
|
||||
set_fact:
|
||||
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
|
||||
|
||||
- name: Register SSH key for test instance(s)
|
||||
hcloud_ssh_key:
|
||||
name: "{{ ssh_key_name }}"
|
||||
public_key: "{{ generated_ssh_key.ssh_public_key }}"
|
||||
state: present
|
||||
|
||||
- name: Create molecule instance(s)
|
||||
hcloud_server:
|
||||
name: "{{ item.name }}"
|
||||
server_type: "{{ item.server_type }}"
|
||||
ssh_keys:
|
||||
- "{{ ssh_key_name }}"
|
||||
image: "{{ item.image }}"
|
||||
location: "{{ item.location | default(omit) }}"
|
||||
datacenter: "{{ item.datacenter | default(omit) }}"
|
||||
user_data: "{{ item.user_data | default(omit) }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: present
|
||||
register: server
|
||||
loop: "{{ molecule_yml.platforms }}"
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for instance(s) creation to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_jobs
|
||||
until: hetzner_jobs.finished
|
||||
retries: 300
|
||||
loop: "{{ server.results }}"
|
||||
|
||||
- name: Create volume(s)
|
||||
hcloud_volume:
|
||||
name: "{{ item.name }}"
|
||||
server: "{{ item.name }}"
|
||||
location: "{{ item.location | default(omit) }}"
|
||||
size: "{{ item.volume_size | default(10) }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: "present"
|
||||
loop: "{{ molecule_yml.platforms }}"
|
||||
when: item.volume | default(False) | bool
|
||||
register: volumes
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for volume(s) creation to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_volumes
|
||||
until: hetzner_volumes.finished
|
||||
retries: 300
|
||||
when: volumes.changed
|
||||
loop: "{{ volumes.results }}"
|
||||
|
||||
# Mandatory configuration for Molecule to function.
|
||||
|
||||
- name: Populate instance config dict
|
||||
set_fact:
|
||||
instance_conf_dict:
|
||||
{
|
||||
"instance": "{{ item.hcloud_server.name }}",
|
||||
"ssh_key_name": "{{ ssh_key_name }}",
|
||||
"address": "{{ item.hcloud_server.ipv4_address }}",
|
||||
"user": "{{ ssh_user }}",
|
||||
"port": "{{ ssh_port }}",
|
||||
"identity_file": "{{ ssh_path }}",
|
||||
"volume": "{{ item.item.item.volume | default(False) | bool }}",
|
||||
}
|
||||
loop: "{{ hetzner_jobs.results }}"
|
||||
register: instance_config_dict
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Convert instance config dict to a list
|
||||
set_fact:
|
||||
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Dump instance config
|
||||
copy:
|
||||
content: |
|
||||
# Molecule managed
|
||||
|
||||
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||
dest: "{{ molecule_instance_config }}"
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Wait for SSH
|
||||
wait_for:
|
||||
port: "{{ ssh_port }}"
|
||||
host: "{{ item.address }}"
|
||||
search_regex: SSH
|
||||
delay: 10
|
||||
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
|
||||
|
||||
- name: Wait for VM to settle down
|
||||
pause:
|
||||
seconds: 30
|
|
@ -1,78 +0,0 @@
|
|||
---
|
||||
- name: Destroy
|
||||
hosts: localhost
|
||||
connection: local
|
||||
gather_facts: false
|
||||
no_log: "{{ molecule_no_log }}"
|
||||
tasks:
|
||||
- name: Check existing instance config file
|
||||
stat:
|
||||
path: "{{ molecule_instance_config }}"
|
||||
register: cfg
|
||||
|
||||
- name: Populate the instance config
|
||||
set_fact:
|
||||
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
|
||||
|
||||
- name: Destroy molecule instance(s)
|
||||
hcloud_server:
|
||||
name: "{{ item.instance }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: absent
|
||||
register: server
|
||||
loop: "{{ instance_conf }}"
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for instance(s) deletion to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_jobs
|
||||
until: hetzner_jobs.finished
|
||||
retries: 300
|
||||
loop: "{{ server.results }}"
|
||||
|
||||
- pause:
|
||||
seconds: 5
|
||||
|
||||
- name: Destroy volume(s)
|
||||
hcloud_volume:
|
||||
name: "{{ item.instance }}"
|
||||
server: "{{ item.instance }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: "absent"
|
||||
register: volumes
|
||||
loop: "{{ instance_conf }}"
|
||||
when: item.volume | default(False) | bool
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for volume(s) deletion to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_volumes
|
||||
until: hetzner_volumes.finished
|
||||
retries: 300
|
||||
when: volumes.changed
|
||||
loop: "{{ volumes.results }}"
|
||||
|
||||
- name: Remove registered SSH key
|
||||
hcloud_ssh_key:
|
||||
name: "{{ instance_conf[0].ssh_key_name }}"
|
||||
state: absent
|
||||
when: (instance_conf | default([])) | length > 0
|
||||
|
||||
# Mandatory configuration for Molecule to function.
|
||||
|
||||
- name: Populate instance config
|
||||
set_fact:
|
||||
instance_conf: {}
|
||||
|
||||
- name: Dump instance config
|
||||
copy:
|
||||
content: |
|
||||
# Molecule managed
|
||||
|
||||
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||
dest: "{{ molecule_instance_config }}"
|
||||
when: server.changed | bool
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
role-file: molecule/requirements.yml
|
||||
requirements-file: molecule/requirements.yml
|
||||
env:
|
||||
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
|
||||
driver:
|
||||
name: delegated
|
||||
platforms:
|
||||
- name: centos7-nginx
|
||||
image: centos-7
|
||||
server_type: cx11
|
||||
lint: |
|
||||
/usr/local/bin/flake8
|
||||
provisioner:
|
||||
name: ansible
|
||||
env:
|
||||
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
|
||||
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
|
||||
log: False
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: Bootstrap python for Ansible
|
||||
raw: |
|
||||
command -v python3 python || (
|
||||
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
|
||||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
|
||||
echo "Warning: Python not boostrapped due to unknown platform."
|
||||
)
|
||||
become: true
|
||||
changed_when: false
|
|
@ -1,30 +0,0 @@
|
|||
import os
|
||||
|
||||
import testinfra.utils.ansible_runner
|
||||
|
||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||
).get_hosts("all")
|
||||
|
||||
|
||||
def test_nginx_is_installed(host):
|
||||
nginx = host.package("nginx")
|
||||
assert nginx.is_installed
|
||||
|
||||
|
||||
def test_nginx_running_and_enabled(host):
|
||||
nginx = host.service("nginx")
|
||||
assert nginx.is_running
|
||||
assert nginx.is_enabled
|
||||
|
||||
|
||||
def test_nginx_process(host):
|
||||
# Verify worker procs are running
|
||||
main = host.process.get(user="root", comm="nginx")
|
||||
workers = host.process.filter(ppid=main.pid)
|
||||
assert len(workers) > 0
|
||||
|
||||
|
||||
def test_nginx_socket(host):
|
||||
# Verify the socket is listening for HTTP traffic
|
||||
assert host.socket("tcp://0.0.0.0:80").is_listening
|
|
@ -1 +0,0 @@
|
|||
rocky8
|
|
@ -1,3 +0,0 @@
|
|||
[pytest]
|
||||
filterwarnings =
|
||||
ignore::DeprecationWarning
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
collections:
|
||||
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
|
||||
- name: community.general
|
||||
|
||||
roles: []
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
|
||||
roles:
|
||||
- role: xoxys.nginx
|
|
@ -1,120 +0,0 @@
|
|||
---
|
||||
- name: Create
|
||||
hosts: localhost
|
||||
connection: local
|
||||
gather_facts: false
|
||||
no_log: "{{ molecule_no_log }}"
|
||||
vars:
|
||||
ssh_port: 22
|
||||
ssh_user: root
|
||||
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
|
||||
tasks:
|
||||
- name: Create SSH key
|
||||
user:
|
||||
name: "{{ lookup('env', 'USER') }}"
|
||||
generate_ssh_key: true
|
||||
ssh_key_file: "{{ ssh_path }}"
|
||||
force: true
|
||||
register: generated_ssh_key
|
||||
|
||||
- name: Register the SSH key name
|
||||
set_fact:
|
||||
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
|
||||
|
||||
- name: Register SSH key for test instance(s)
|
||||
hcloud_ssh_key:
|
||||
name: "{{ ssh_key_name }}"
|
||||
public_key: "{{ generated_ssh_key.ssh_public_key }}"
|
||||
state: present
|
||||
|
||||
- name: Create molecule instance(s)
|
||||
hcloud_server:
|
||||
name: "{{ item.name }}"
|
||||
server_type: "{{ item.server_type }}"
|
||||
ssh_keys:
|
||||
- "{{ ssh_key_name }}"
|
||||
image: "{{ item.image }}"
|
||||
location: "{{ item.location | default(omit) }}"
|
||||
datacenter: "{{ item.datacenter | default(omit) }}"
|
||||
user_data: "{{ item.user_data | default(omit) }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: present
|
||||
register: server
|
||||
loop: "{{ molecule_yml.platforms }}"
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for instance(s) creation to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_jobs
|
||||
until: hetzner_jobs.finished
|
||||
retries: 300
|
||||
loop: "{{ server.results }}"
|
||||
|
||||
- name: Create volume(s)
|
||||
hcloud_volume:
|
||||
name: "{{ item.name }}"
|
||||
server: "{{ item.name }}"
|
||||
location: "{{ item.location | default(omit) }}"
|
||||
size: "{{ item.volume_size | default(10) }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: "present"
|
||||
loop: "{{ molecule_yml.platforms }}"
|
||||
when: item.volume | default(False) | bool
|
||||
register: volumes
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for volume(s) creation to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_volumes
|
||||
until: hetzner_volumes.finished
|
||||
retries: 300
|
||||
when: volumes.changed
|
||||
loop: "{{ volumes.results }}"
|
||||
|
||||
# Mandatory configuration for Molecule to function.
|
||||
|
||||
- name: Populate instance config dict
|
||||
set_fact:
|
||||
instance_conf_dict:
|
||||
{
|
||||
"instance": "{{ item.hcloud_server.name }}",
|
||||
"ssh_key_name": "{{ ssh_key_name }}",
|
||||
"address": "{{ item.hcloud_server.ipv4_address }}",
|
||||
"user": "{{ ssh_user }}",
|
||||
"port": "{{ ssh_port }}",
|
||||
"identity_file": "{{ ssh_path }}",
|
||||
"volume": "{{ item.item.item.volume | default(False) | bool }}",
|
||||
}
|
||||
loop: "{{ hetzner_jobs.results }}"
|
||||
register: instance_config_dict
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Convert instance config dict to a list
|
||||
set_fact:
|
||||
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Dump instance config
|
||||
copy:
|
||||
content: |
|
||||
# Molecule managed
|
||||
|
||||
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||
dest: "{{ molecule_instance_config }}"
|
||||
when: server.changed | bool
|
||||
|
||||
- name: Wait for SSH
|
||||
wait_for:
|
||||
port: "{{ ssh_port }}"
|
||||
host: "{{ item.address }}"
|
||||
search_regex: SSH
|
||||
delay: 10
|
||||
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
|
||||
|
||||
- name: Wait for VM to settle down
|
||||
pause:
|
||||
seconds: 30
|
|
@ -1,78 +0,0 @@
|
|||
---
|
||||
- name: Destroy
|
||||
hosts: localhost
|
||||
connection: local
|
||||
gather_facts: false
|
||||
no_log: "{{ molecule_no_log }}"
|
||||
tasks:
|
||||
- name: Check existing instance config file
|
||||
stat:
|
||||
path: "{{ molecule_instance_config }}"
|
||||
register: cfg
|
||||
|
||||
- name: Populate the instance config
|
||||
set_fact:
|
||||
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
|
||||
|
||||
- name: Destroy molecule instance(s)
|
||||
hcloud_server:
|
||||
name: "{{ item.instance }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: absent
|
||||
register: server
|
||||
loop: "{{ instance_conf }}"
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for instance(s) deletion to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_jobs
|
||||
until: hetzner_jobs.finished
|
||||
retries: 300
|
||||
loop: "{{ server.results }}"
|
||||
|
||||
- pause:
|
||||
seconds: 5
|
||||
|
||||
- name: Destroy volume(s)
|
||||
hcloud_volume:
|
||||
name: "{{ item.instance }}"
|
||||
server: "{{ item.instance }}"
|
||||
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
||||
state: "absent"
|
||||
register: volumes
|
||||
loop: "{{ instance_conf }}"
|
||||
when: item.volume | default(False) | bool
|
||||
async: 7200
|
||||
poll: 0
|
||||
|
||||
- name: Wait for volume(s) deletion to complete
|
||||
async_status:
|
||||
jid: "{{ item.ansible_job_id }}"
|
||||
register: hetzner_volumes
|
||||
until: hetzner_volumes.finished
|
||||
retries: 300
|
||||
when: volumes.changed
|
||||
loop: "{{ volumes.results }}"
|
||||
|
||||
- name: Remove registered SSH key
|
||||
hcloud_ssh_key:
|
||||
name: "{{ instance_conf[0].ssh_key_name }}"
|
||||
state: absent
|
||||
when: (instance_conf | default([])) | length > 0
|
||||
|
||||
# Mandatory configuration for Molecule to function.
|
||||
|
||||
- name: Populate instance config
|
||||
set_fact:
|
||||
instance_conf: {}
|
||||
|
||||
- name: Dump instance config
|
||||
copy:
|
||||
content: |
|
||||
# Molecule managed
|
||||
|
||||
{{ instance_conf | to_nice_yaml(indent=2) }}
|
||||
dest: "{{ molecule_instance_config }}"
|
||||
when: server.changed | bool
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
role-file: molecule/requirements.yml
|
||||
requirements-file: molecule/requirements.yml
|
||||
env:
|
||||
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
|
||||
driver:
|
||||
name: delegated
|
||||
platforms:
|
||||
- name: rocky8-nginx
|
||||
image: rocky-8
|
||||
server_type: cx11
|
||||
lint: |
|
||||
/usr/local/bin/flake8
|
||||
provisioner:
|
||||
name: ansible
|
||||
env:
|
||||
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
|
||||
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
|
||||
log: False
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: Bootstrap python for Ansible
|
||||
raw: |
|
||||
command -v python3 python || (
|
||||
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
|
||||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
|
||||
echo "Warning: Python not boostrapped due to unknown platform."
|
||||
)
|
||||
become: true
|
||||
changed_when: false
|
|
@ -1,30 +0,0 @@
|
|||
import os
|
||||
|
||||
import testinfra.utils.ansible_runner
|
||||
|
||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||
).get_hosts("all")
|
||||
|
||||
|
||||
def test_nginx_is_installed(host):
|
||||
nginx = host.package("nginx")
|
||||
assert nginx.is_installed
|
||||
|
||||
|
||||
def test_nginx_running_and_enabled(host):
|
||||
nginx = host.service("nginx")
|
||||
assert nginx.is_running
|
||||
assert nginx.is_enabled
|
||||
|
||||
|
||||
def test_nginx_process(host):
|
||||
# Verify worker procs are running
|
||||
main = host.process.get(user="root", comm="nginx")
|
||||
workers = host.process.filter(ppid=main.pid)
|
||||
assert len(workers) > 0
|
||||
|
||||
|
||||
def test_nginx_socket(host):
|
||||
# Verify the socket is listening for HTTP traffic
|
||||
assert host.socket("tcp://0.0.0.0:80").is_listening
|
12
setup.cfg
12
setup.cfg
|
@ -1,12 +0,0 @@
|
|||
[flake8]
|
||||
ignore = D100, D101, D102, D103, D105, D107, E402, W503
|
||||
max-line-length = 99
|
||||
inline-quotes = double
|
||||
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
|
||||
|
||||
[yapf]
|
||||
based_on_style = google
|
||||
column_limit = 99
|
||||
dedent_closing_brackets = true
|
||||
coalesce_brackets = true
|
||||
split_before_logical_operator = true
|
|
@ -1,129 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Add nginx repository
|
||||
yum_repository:
|
||||
name: nginx
|
||||
file: nginx
|
||||
description: NGINX High Performance Web Server
|
||||
baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
|
||||
gpgkey: https://nginx.org/keys/nginx_signing.key
|
||||
gpgcheck: yes
|
||||
when: nginx_official_repo_enabled | bool
|
||||
|
||||
- name: Installing nginx
|
||||
package:
|
||||
name: nginx
|
||||
state: present
|
||||
|
||||
- name: Create group '{{ nginx_group }}'
|
||||
group:
|
||||
name: "{{ nginx_group }}"
|
||||
state: present
|
||||
when: nginx_group != "nginx"
|
||||
|
||||
- name: Create user '{{ nginx_user }}'
|
||||
user:
|
||||
name: "{{ nginx_user }}"
|
||||
group: "{{ nginx_group }}"
|
||||
createhome: no
|
||||
shell: /sbin/nologin
|
||||
when: nginx_user != "nginx"
|
||||
|
||||
- name: Prepare vhost directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: "{{ nginx_user }}"
|
||||
group: "{{ nginx_group }}"
|
||||
mode: 0750
|
||||
loop:
|
||||
- "{{ nginx_vhosts_dir }}"
|
||||
- "{{ nginx_vhosts_dir }}/default"
|
||||
|
||||
- name: Prepare nginx directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
loop:
|
||||
- /etc/nginx/sites-available
|
||||
- /etc/nginx/sites-enabled
|
||||
|
||||
- name: Update nginx.conf
|
||||
template:
|
||||
src: etc/nginx/nginx.conf.j2
|
||||
dest: "/etc/nginx/nginx.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Remove default.conf from conf.d
|
||||
copy:
|
||||
content: |
|
||||
# Ansible managed.
|
||||
# File not in use.
|
||||
dest: /etc/nginx/conf.d/default.conf
|
||||
mode: 0640
|
||||
|
||||
- name: Update header.conf
|
||||
template:
|
||||
src: etc/nginx/conf.d/header.conf.j2
|
||||
dest: /etc/nginx/conf.d/header.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Add custom error page template
|
||||
template:
|
||||
src: usr/share/nginx/html/error.html.j2
|
||||
dest: /usr/share/nginx/html/error.html
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Set selinux booleans
|
||||
seboolean:
|
||||
name: "{{ item.name }}"
|
||||
state: "{{ item.state }}"
|
||||
persistent: "{{ item.persistent }}"
|
||||
loop: "{{ nginx_set_sebooleans }}"
|
||||
when: nginx_set_sebooleans is defined
|
||||
|
||||
- name: Allow to bind to custom ports
|
||||
seport:
|
||||
ports: "{{ item.port }}"
|
||||
proto: "{{ item.proto | default('tcp') }}"
|
||||
setype: http_port_t
|
||||
state: "{{ item.state | default('present') }}"
|
||||
loop: "{{ nginx_set_seports }}"
|
||||
loop_control:
|
||||
label: "{{ item.port }}"
|
||||
when: nginx_set_seports is defined
|
||||
|
||||
- name: Fix selinux file context mappaing for pid file
|
||||
sefcontext:
|
||||
target: '/var/run/nginx(/.*)?'
|
||||
setype: httpd_var_run_t
|
||||
state: present
|
||||
|
||||
- name: Apply new SELinux file context to filesystem
|
||||
command: restorecon -irv /var/run
|
||||
changed_when: False
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Add default page
|
||||
template:
|
||||
src: var/www/vhosts/default/index.html.j2
|
||||
dest: /var/www/vhosts/default/index.html
|
||||
owner: "{{ nginx_user }}"
|
||||
group: "{{ nginx_group }}"
|
||||
mode: 0750
|
||||
become: True
|
||||
become_user: "{{ nginx_user }}"
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- include_tasks: install.yml
|
||||
- import_tasks: tls.yml
|
||||
tags: tls_renewal
|
||||
- include_tasks: vhost.yml
|
||||
- include_tasks: post_tasks.yml
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
- name: Ensure nginx service is up and running
|
||||
service:
|
||||
state: started
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
name: nginx
|
||||
become: True
|
||||
become_user: root
|
|
@ -1,38 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Ensur target directories exist for certificate files
|
||||
file:
|
||||
name: "{{ item.dest | dirname }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
loop: "{{ nginx_tls_certificates + nginx_tls_certificates_extra }}"
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
|
||||
- name: Copy certificate files
|
||||
copy:
|
||||
src: "{{ item.source }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode | default('0600') }}"
|
||||
owner: "{{ item.owner | default('root') }}"
|
||||
loop: "{{ nginx_tls_certificates + nginx_tls_certificates_extra }}"
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Create Diffie-Hellman Parameter
|
||||
openssl_dhparam:
|
||||
path: "{{ nginx_tls_dhparam_file }}"
|
||||
size: "{{ nginx_tls_dhparam_size }}"
|
||||
when: nginx_tls_dhparam_file is defined
|
||||
|
||||
- name: Update tls.conf
|
||||
template:
|
||||
src: etc/nginx/conf.d/tls.conf.j2
|
||||
dest: /etc/nginx/conf.d/tls.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Add vhost configurations
|
||||
template:
|
||||
src: etc/nginx/sites-available/vhost.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
|
||||
loop_control:
|
||||
label: "{{ item.file }}"
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Enable vhosts
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ item.file }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item.file }}"
|
||||
state: "{{ 'link' if item.enabled | default(True) | bool else 'absent' }}"
|
||||
loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
|
||||
loop_control:
|
||||
label: "{{ item.file }}"
|
||||
notify: __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
|
@ -1,35 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# protect against protocol downgrading and cookie hijacking
|
||||
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
|
||||
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
|
||||
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
|
||||
{% endif %}
|
||||
|
||||
# improve the protection against Clickjacking
|
||||
# https://owasp.org/www-project-secure-headers/#x-frame-options
|
||||
{% if nginx_xfo_enabled %}
|
||||
add_header X-Frame-Options {{ nginx_xfo_policy }} always;
|
||||
{% endif %}
|
||||
{% if nginx_csp_enabled and nginx_csp_options is defined %}
|
||||
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;
|
||||
{% endif %}
|
||||
|
||||
# prevent from interpreting files as something else than declared by the content type in HTTP headers
|
||||
# https://owasp.org/www-project-secure-headers/#x-content-type-options
|
||||
{% if nginx_xcto_enabled %}
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
{% endif %}
|
||||
|
||||
# enables the cross-site scripting (XSS) filter of the browsers
|
||||
# https://owasp.org/www-project-secure-headers/#x-xss-protection
|
||||
{% if nginx_xxxsp_enabled %}
|
||||
add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
|
||||
{% endif %}
|
||||
|
||||
# governs which referrer information, sent in the Referer header, should be included with requests made
|
||||
# https://owasp.org/www-project-secure-headers/#referrer-policy
|
||||
{% if nginx_rp_enabled %}
|
||||
add_header Referrer-Policy "{{ nginx_rp_option }}" always;
|
||||
{% endif %}
|
|
@ -1,22 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
ssl_ciphers {{ nginx_tls_ciphers | join(":") }};
|
||||
ssl_prefer_server_ciphers on;
|
||||
{% if nginx_tls_ecdh_curve is defined %}
|
||||
ssl_ecdh_curve {{ nginx_tls_ecdh_curve | join(":") }};
|
||||
{% endif %}
|
||||
{% if nginx_tls_dhparam_file is defined %}
|
||||
ssl_dhparam {{ nginx_tls_dhparam_file }};
|
||||
{% endif %}
|
||||
|
||||
ssl_protocols {{ nginx_tls_versions | join(" ") }};
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
{% if nginx_tls_ocsp_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_certificate }};
|
||||
ssl_stapling_verify on;
|
||||
{% endif %}
|
|
@ -1,85 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
user {{ nginx_user }} {{ nginx_group }};
|
||||
worker_processes {{ nginx_worker_processes }};
|
||||
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections {{ nginx_worker_connections }};
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
{% if nginx_error_log.enabled %}
|
||||
error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }};
|
||||
{% else %}
|
||||
error_log off;
|
||||
{% endif %}
|
||||
{% if nginx_access_log.enabled %}
|
||||
access_log {{ nginx_access_log.file }} {{ nginx_access_log.format }};
|
||||
{% else %}
|
||||
access_log off;
|
||||
{% endif %}
|
||||
{% if nginx_error_page is defined and nginx_error_page | length > 0 %}
|
||||
|
||||
{% for error in nginx_error_page %}
|
||||
error_page {{ error.code | join(" ") }} {{ error.dest }};
|
||||
{% endfor %}
|
||||
|
||||
{% endif %}
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
{% for map in nginx_maps + nginx_maps_extra %}
|
||||
map {{ map.input }} {{ map.output }} {
|
||||
{% for param in map.parameters %}
|
||||
{{ param }};
|
||||
{% endfor %}
|
||||
}
|
||||
{% endfor %}
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
## Buffers
|
||||
client_body_buffer_size {{ nginx_client_body_buffer_size }};
|
||||
client_header_buffer_size {{ nginx_client_header_buffer_size }};
|
||||
client_max_body_size {{ nginx_client_max_body_size }};
|
||||
|
||||
## Timeouts
|
||||
client_body_timeout {{ nginx_client_body_timeout }};
|
||||
client_header_timeout {{ nginx_client_header_timeout }};
|
||||
keepalive_timeout {{ nginx_keepalive_timeout }};
|
||||
send_timeout {{ nginx_send_timeout }};
|
||||
{% if nginx_reset_timedout_connection %}
|
||||
reset_timedout_connection on;
|
||||
{% endif %}
|
||||
|
||||
## Gzip Settings
|
||||
{% if nginx_gzip_enabled %}
|
||||
gzip on;
|
||||
gzip_comp_level {{ nginx_gzip_comp_level }};
|
||||
gzip_min_length {{ nginx_gzip_min_length }};
|
||||
gzip_proxied {{ nginx_gzip_proxied | join(" ") }};
|
||||
gzip_types {{ nginx_gzip_types | join(" ") }};
|
||||
{% endif %}
|
||||
|
||||
# Load modular configuration files from the /etc/nginx/conf.d directory
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
## Virtual Host Configs
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};
|
||||
}
|
|
@ -1,153 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
{% if item.upstreams is defined and item.upstreams %}
|
||||
{% for upstream in item.upstreams %}
|
||||
|
||||
upstream {{ upstream.name }} {
|
||||
{% for upserver in upstream.servers %}
|
||||
server {{ upserver }};
|
||||
{% endfor %}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for server in item.servers %}
|
||||
|
||||
server {
|
||||
listen {{ server.port }}{{ ' ssl' if server.tls is defined and server.tls else '' }};
|
||||
{% if not server.server_name is string and server.server_name is iterable %}
|
||||
server_name {{ server.server_name | join(" ") }};
|
||||
{% else %}
|
||||
server_name {{ server.server_name }};
|
||||
{% endif %}
|
||||
{% if server.tls is defined and server.tls %}
|
||||
|
||||
ssl_certificate {{ server.tls.cert }};
|
||||
ssl_certificate_key {{ server.tls.key }};
|
||||
{% if server.tls.dhparam is defined %}
|
||||
ssl_dhparam {{ item.value.ssl.dhparam }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if server.tls_redirect | default(False) %}
|
||||
|
||||
return 301 https://{% if server.tls_redirect_url is defined %}{{ server.tls_redirect_url }}{% else %}$server_name{% endif %}$request_uri;
|
||||
{% else %}
|
||||
{% if server.client_max_body_size is defined and server.client_max_body_size %}
|
||||
client_max_body_size {{ server.client_max_body_size }};
|
||||
{% endif %}
|
||||
{% if server.send_timeout is defined and server.send_timeout %}
|
||||
send_timeout {{ server.send_timeout }};
|
||||
{% endif %}
|
||||
{% if server.add_headers is defined and server.add_headers %}
|
||||
|
||||
include /etc/nginx/conf.d/header.conf;
|
||||
{% for add in server.add_headers %}
|
||||
add_header {{ add.name }} {{ add.value }}{{ " always" if add.always | default(True) | bool else "" }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if server.custom_options is defined and server.custom_options %}
|
||||
|
||||
{% for inline_option in server.custom_options %}
|
||||
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% for location in server.locations %}
|
||||
location {{ location.match }} {
|
||||
{% if location.root is defined and location.root %}
|
||||
root {{ location.root }};
|
||||
{% endif %}
|
||||
{% if location.index is defined and location.index %}
|
||||
index {{ location.index }};
|
||||
|
||||
{% endif %}
|
||||
{% if location.add_headers is defined and location.add_headers %}
|
||||
include /etc/nginx/conf.d/header.conf;
|
||||
{% for add in location.add_headers %}
|
||||
add_header {{ add.name }} {{ add.value }}{{ " always" if add.always | default(True) | bool else "" }};
|
||||
{% endfor %}
|
||||
|
||||
{% endif %}
|
||||
{% if location.proxy_pass is defined and location.proxy_pass %}
|
||||
proxy_pass {{ location.proxy_pass }};
|
||||
{% if location.proxy_pass_request_body is defined and location.proxy_pass_request_body %}
|
||||
proxy_pass_request_body {{ location.proxy_pass_request_body }};
|
||||
{% endif %}
|
||||
{% if location.proxy_next_upstream is defined and location.proxy_next_upstream %}
|
||||
proxy_next_upstream {{ location.proxy_next_upstream }};
|
||||
{% endif %}
|
||||
{% if location.proxy_redirect is defined and location.proxy_redirect %}
|
||||
proxy_redirect {{ location.proxy_redirect }};
|
||||
{% endif %}
|
||||
{% if location.proxy_http_version is defined and location.proxy_http_version %}
|
||||
proxy_http_version {{ location.proxy_http_version }};
|
||||
{% endif %}
|
||||
{% if location.proxy_buffering is defined and location.proxy_buffering %}
|
||||
proxy_buffering {{ location.proxy_buffering }};
|
||||
{% endif %}
|
||||
{% if location.proxy_connect_timeout is defined and location.proxy_connect_timeout %}
|
||||
proxy_connect_timeout {{ location.proxy_connect_timeout }};
|
||||
{% endif %}
|
||||
{% if location.proxy_read_timeout is defined and location.proxy_read_timeout %}
|
||||
proxy_read_timeout {{ location.proxy_read_timeout }};
|
||||
{% endif %}
|
||||
{% if location.proxy_send_timeout is defined and location.proxy_send_timeout %}
|
||||
proxy_send_timeout {{ location.proxy_send_timeout }};
|
||||
{% endif %}
|
||||
{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %}
|
||||
proxy_intercept_errors {{ location.proxy_intercept_errors }};
|
||||
{% endif %}
|
||||
{% if location.proxy_cache_bypass is defined and location.proxy_cache_bypass %}
|
||||
proxy_cache_bypass {{ location.proxy_cache_bypass }};
|
||||
{% endif %}
|
||||
{% if location.proxy_no_cache is defined and location.proxy_no_cache %}
|
||||
proxy_no_cache {{ location.proxy_no_cache }};
|
||||
{% endif %}
|
||||
{% if location.proxy_buffers is defined and location.proxy_buffers %}
|
||||
proxy_buffers {{ location.proxy_buffers }};
|
||||
{% endif %}
|
||||
{% if location.proxy_set_headers is defined and location.proxy_set_headers %}
|
||||
|
||||
{% for set in location.proxy_set_headers %}
|
||||
proxy_set_header {{ set }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if location.proxy_hide_headers is defined and location.proxy_hide_headers %}
|
||||
|
||||
{% for hide in location.proxy_hide_headers %}
|
||||
proxy_hide_header {{ hide }};
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if location.proxy_ignore_headers is defined and location.proxy_ignore_headers %}
|
||||
|
||||
proxy_ignore_headers {{ location.proxy_ignore_headers | join(" ") }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if location.custom_options is defined and location.custom_options %}
|
||||
|
||||
{% for inline_option in location.custom_options %}
|
||||
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
{% for error_location in nginx_error_location %}
|
||||
location {{ error_location.match }} {
|
||||
{% if error_location.root is defined and error_location.root %}
|
||||
root {{ error_location.root }};
|
||||
{% endif %}
|
||||
{% if error_location.index is defined and error_location.index %}
|
||||
index {{ error_location.index }};
|
||||
|
||||
{% endif %}
|
||||
{% if error_location.custom_options is defined and error_location.custom_options %}
|
||||
|
||||
{% for inline_option in error_location.custom_options %}
|
||||
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
{% endfor %}
|
|
@ -1,79 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
|
||||
<meta
|
||||
name="viewport"
|
||||
content="width=device-width, initial-scale=1, shrink-to-fit=no"
|
||||
/>
|
||||
<meta name="robots" content="noindex, nofollow" />
|
||||
|
||||
<title>Oops! You're lost</title>
|
||||
|
||||
<style>
|
||||
html,
|
||||
body {
|
||||
height: 100%;
|
||||
min-height: 100%;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
}
|
||||
|
||||
body {
|
||||
cursor: default;
|
||||
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI",
|
||||
Roboto, "Helvetica Neue", Arial, sans-serif;
|
||||
font-size: 1rem;
|
||||
font-weight: normal;
|
||||
line-height: 1.5;
|
||||
color: #383e4b;
|
||||
background-color: #f5f5f5;
|
||||
}
|
||||
|
||||
h1 {
|
||||
font-size: 4.5rem;
|
||||
font-weight: 300;
|
||||
margin: 0 1.5rem 0 0;
|
||||
}
|
||||
h4 {
|
||||
font-size: 1.5rem;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
p {
|
||||
font-weight: 500;
|
||||
line-height: 1;
|
||||
color: #9da0a8;
|
||||
padding: 0;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
.container {
|
||||
display: flex;
|
||||
margin: 0;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
box-sizing: border-box;
|
||||
height: 100%;
|
||||
min-width: 380px;
|
||||
}
|
||||
|
||||
.no-wrap {
|
||||
flex-shrink: 0;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="container">
|
||||
<div>
|
||||
<h1><!--# echo var="status" default="" --></h1>
|
||||
</div>
|
||||
<div class="no-wrap">
|
||||
<h4>Oops! You're lost.</h4>
|
||||
<p><!--# echo var="status_text" default="Something goes wrong" --></p>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
@ -1,2 +0,0 @@
|
|||
{{ ansible_managed | comment("plain", prefix="<!--", postfix="-->") }}
|
||||
{{ ansible_fqdn }}
|
Loading…
Reference in New Issue