Compare commits


No commits in common. "main" and "docs" have entirely different histories.
main ... docs

37 changed files with 602 additions and 1800 deletions


@ -1,161 +0,0 @@
local PipelineLinting = {
kind: 'pipeline',
name: 'linting',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'ansible-later',
image: 'thegeeklab/ansible-later',
commands: [
'ansible-later',
],
},
{
name: 'python-format',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq yapf',
'[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
],
},
{
name: 'python-flake8',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq flake8',
'flake8',
],
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDeployment(scenario='centos7') = {
kind: 'pipeline',
name: 'testing-' + scenario,
platform: {
os: 'linux',
arch: 'amd64',
},
concurrency: {
limit: 1,
},
workspace: {
base: '/drone/src',
path: '${DRONE_REPO_NAME}',
},
steps: [
{
name: 'ansible-molecule',
image: 'thegeeklab/molecule:4',
environment: {
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
},
commands: [
'molecule test -s ' + scenario,
],
},
],
depends_on: [
'linting',
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDocumentation = {
kind: 'pipeline',
name: 'documentation',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'generate',
image: 'thegeeklab/ansible-doctor',
environment: {
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
},
},
{
name: 'publish',
image: 'plugins/gh-pages',
settings: {
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
netrc_machine: 'gitea.rknet.org',
username: { from_secret: 'gitea_username' },
password: { from_secret: 'gitea_token' },
pages_directory: '_docs/',
target_branch: 'docs',
},
when: {
ref: ['refs/heads/main'],
},
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
depends_on: [
'testing-centos7',
'testing-rocky8',
],
};
local PipelineNotification = {
kind: 'pipeline',
name: 'notification',
platform: {
os: 'linux',
arch: 'amd64',
},
clone: {
disable: true,
},
steps: [
{
name: 'matrix',
image: 'thegeeklab/drone-matrix',
settings: {
homeserver: { from_secret: 'matrix_homeserver' },
roomid: { from_secret: 'matrix_roomid' },
template: 'Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}',
username: { from_secret: 'matrix_username' },
password: { from_secret: 'matrix_password' },
},
},
],
depends_on: [
'documentation',
],
trigger: {
status: ['success', 'failure'],
ref: ['refs/heads/main', 'refs/tags/**'],
},
};
[
PipelineLinting,
PipelineDeployment(scenario='centos7'),
PipelineDeployment(scenario='rocky8'),
PipelineDocumentation,
PipelineNotification,
]


@ -1,187 +0,0 @@
---
kind: pipeline
name: linting
platform:
os: linux
arch: amd64
steps:
- name: ansible-later
image: thegeeklab/ansible-later
commands:
- ansible-later
- name: python-format
image: python:3.11
commands:
- pip install -qq yapf
- "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
environment:
PY_COLORS: 1
- name: python-flake8
image: python:3.11
commands:
- pip install -qq flake8
- flake8
environment:
PY_COLORS: 1
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
---
kind: pipeline
name: testing-centos7
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s centos7
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: testing-rocky8
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s rocky8
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: documentation
platform:
os: linux
arch: amd64
steps:
- name: generate
image: thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
ANSIBLE_DOCTOR_TEMPLATE: hugo-book
- name: publish
image: plugins/gh-pages
settings:
netrc_machine: gitea.rknet.org
pages_directory: _docs/
password:
from_secret: gitea_token
remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
target_branch: docs
username:
from_secret: gitea_username
when:
ref:
- refs/heads/main
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- testing-centos7
- testing-rocky8
---
kind: pipeline
name: notification
platform:
os: linux
arch: amd64
clone:
disable: true
steps:
- name: matrix
image: thegeeklab/drone-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
template: "Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}"
username:
from_secret: matrix_username
trigger:
ref:
- refs/heads/main
- refs/tags/**
status:
- success
- failure
depends_on:
- documentation
---
kind: signature
hmac: 0cc44b63ef9e2c4f4459db9f4def41dccf56380ef4263fba889bb45c4124e1b8
...

13
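--- a/.gitignore
+++ /dev/null
@@ -1,13 +0,0 @@
-# ---> Ansible
-*.retry
-filter/plugins/
-library
-# ---> Python
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-# ---> Docs
-/_docs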


@ -1,19 +0,0 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
exclude_filter:
- LINT0009

21
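--- a/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is furnished
-to do so, subject to the following conditions:
-The above copyright notice and this permission notice (including the next
-paragraph) shall be included in all copies or substantial portions of the
-Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
-OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
-OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.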


@ -1,12 +0,0 @@
# xoxys.nginx
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server. The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/system/nginx/).
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.


@ -1,197 +0,0 @@
---
nginx_official_repo_enabled: True
nginx_user: nginx
nginx_group: nginx
nginx_worker_processes: 1
nginx_worker_connections: 1024
nginx_error_log:
enabled: True
file: /var/log/nginx/error.log
level: error
nginx_access_log:
enabled: True
file: /var/log/nginx/access.log
format: main
nginx_client_body_buffer_size: 10k
nginx_client_header_buffer_size: 1k
nginx_client_max_body_size: 8m
nginx_client_body_timeout: 60
nginx_client_header_timeout: 60
nginx_keepalive_timeout: 65
nginx_send_timeout: 60
nginx_reset_timedout_connection: True
nginx_gzip_enabled: True
nginx_gzip_comp_level: 2
nginx_gzip_min_length: 1000
nginx_gzip_proxied:
- expired
- no-cache
- no-store
- private
- auth
nginx_gzip_types:
- text/plain
- application/x-javascript
- text/xml
- text/css
- application/xml
nginx_tls_enabled: False
nginx_tls_versions:
- TLSv1.2
nginx_tls_certificates: []
# @var nginx_tls_certificates:example: >
# nginx_tls_certificates:
# - source: "{{ ansible_user_dir }}/files/mycert.pem"
# dest: /etc/pki/tls/certs/mycert.pem
# mode: 0644
# - source: "{{ ansible_user_dir }}/files/mykey.pem"
# dest: /etc/pki/tls/private/mykey.pem
# mode: 0600
# @end
nginx_tls_certificates_extra: []
# @var nginx_tls_dhparam_file: $ "_unset_"
nginx_tls_dhparam_size: 2048
nginx_tls_ciphers:
- ECDHE-RSA-AES256-GCM-SHA512
- DHE-RSA-AES256-GCM-SHA512
- ECDHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
# @var nginx_tls_ecdh_curve: $ "_unset_"
nginx_tls_ocsp_enabled: False
# @var nginx_tls_ocsp_trusted_certificate: $ "_unset_"
nginx_tls_hsts_enabled: False
nginx_hsts_options:
- max-age=63072000
- includeSubDomains
- preload
nginx_xfo_enabled: True
nginx_xfo_policy: deny
nginx_xcto_enabled: True
nginx_csp_enabled: False
# @ var nginx_csp_options: $ "_unset_"
# @var nginx_csp_options:example: >
# nginx_csp_options:
# - directive: frame-ancestors
# parameters:
# - https://example.com
# - https://mypage.com
nginx_xxxsp_enabled: True
nginx_xxxsp_parameters:
- 1
- mode=block
nginx_rp_enabled: True
nginx_rp_option: strict-origin
nginx_maps: []
# @var nginx_maps:example: >
# nginx_maps:
# - input: $input
# output: $output
# parameters:
# - "default 0"
# - "/old/path /new_path"
# @end
nginx_maps_extra: []
nginx_error_page: []
# @var nginx_error_page:example:
# nginx_error_page:
# - code:
# - 404
# - 403
# dest: /4xx.html
# @end
nginx_error_location: []
# @var nginx_error_location: description: >
# Default error location. If set, the defined location will be automatically added once
# to every server block to handle custom error sites.
# @end
# @var nginx_error_location: example: >
# nginx_error_location:
# - match: /
# root: /var/www/vhosts/default
# index: index.html
# custom_options:
# @end
nginx_vhosts_dir: /var/www/vhosts
nginx_vhosts_default:
- file: default
servers:
- port: 80
server_name: "{{ ansible_fqdn }}"
locations:
- match: /
root: /var/www/vhosts/default
index: index.html
- match: /50x.html
root: "/usr/share/nginx/html"
custom_options:
- "error_page 500 502 503 504 /50x.html"
# @var nginx_vhosts_default:example: >
# nginx_vhosts_default:
# - file: default
# upstreams:
# - name: my_pool
# servers: []
# servers:
# - port: 80
# server_name: demo.example.com
# tls_redirect: False # skips locations if enabled
# tls_redirect_url:
# tls:
# cert: /etc/pki/tls/certs/mycert.pem
# key: /etc/pki/tls/private/mykey.pem
# dhparam:
# client_max_body_size:
# send_timeout:
# add_headers:
# - name:
# value:
# always: True
# locations:
# - match: /
# root: /var/www/vhosts/default
# index: index.html
# add_headers: []
# proxy_pass:
# proxy_pass_request_body:
# proxy_next_upstream:
# proxy_redirect:
# proxy_http_version: "1.1"
# proxy_buffering: "off"
# proxy_connect_timeout: 3600s
# proxy_read_timeout: 3600s
# proxy_send_timeout: 3600s
# proxy_set_headers: []
# proxy_hide_headers: []
# proxy_ignore_headers: []
# proxy_intercept_errors: "off"
# proxy_cache_bypass:
# proxy_no_cache:
# proxy_buffers:
# custom_options:
# custom_options:
# - 'deny: all'
nginx_vhosts_extra: []
nginx_server_names_hash_bucket_size: 32


@ -1,8 +0,0 @@
---
- name: Reload nginx
service:
state: reloaded
name: nginx
listen: __nginx_reload
become: True
become_user: root

602
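--- /dev/null
+++ b/index.md
@@ -0,0 +1,602 @@
+---
+title: nginx
+type: docs
+---
+[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.nginx) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.nginx/src/branch/main/LICENSE)
+Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server. The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
+<!--more-->
+- [Default Variables](#default-variables)
+- [nginx_access_log](#nginx_access_log)
+- [nginx_client_body_buffer_size](#nginx_client_body_buffer_size)
+- [nginx_client_body_timeout](#nginx_client_body_timeout)
+- [nginx_client_header_buffer_size](#nginx_client_header_buffer_size)
+- [nginx_client_header_timeout](#nginx_client_header_timeout)
+- [nginx_client_max_body_size](#nginx_client_max_body_size)
+- [nginx_csp_enabled](#nginx_csp_enabled)
+- [nginx_csp_options](#nginx_csp_options)
+- [nginx_error_location](#nginx_error_location)
+- [nginx_error_log](#nginx_error_log)
+- [nginx_error_page](#nginx_error_page)
+- [nginx_group](#nginx_group)
+- [nginx_gzip_comp_level](#nginx_gzip_comp_level)
+- [nginx_gzip_enabled](#nginx_gzip_enabled)
+- [nginx_gzip_min_length](#nginx_gzip_min_length)
+- [nginx_gzip_proxied](#nginx_gzip_proxied)
+- [nginx_gzip_types](#nginx_gzip_types)
+- [nginx_hsts_options](#nginx_hsts_options)
+- [nginx_keepalive_timeout](#nginx_keepalive_timeout)
+- [nginx_maps](#nginx_maps)
+- [nginx_maps_extra](#nginx_maps_extra)
+- [nginx_official_repo_enabled](#nginx_official_repo_enabled)
+- [nginx_reset_timedout_connection](#nginx_reset_timedout_connection)
+- [nginx_rp_enabled](#nginx_rp_enabled)
+- [nginx_rp_option](#nginx_rp_option)
+- [nginx_send_timeout](#nginx_send_timeout)
+- [nginx_server_names_hash_bucket_size](#nginx_server_names_hash_bucket_size)
+- [nginx_tls_certificates](#nginx_tls_certificates)
+- [nginx_tls_certificates_extra](#nginx_tls_certificates_extra)
+- [nginx_tls_ciphers](#nginx_tls_ciphers)
+- [nginx_tls_dhparam_file](#nginx_tls_dhparam_file)
+- [nginx_tls_dhparam_size](#nginx_tls_dhparam_size)
+- [nginx_tls_ecdh_curve](#nginx_tls_ecdh_curve)
+- [nginx_tls_enabled](#nginx_tls_enabled)
+- [nginx_tls_hsts_enabled](#nginx_tls_hsts_enabled)
+- [nginx_tls_ocsp_enabled](#nginx_tls_ocsp_enabled)
+- [nginx_tls_ocsp_trusted_certificate](#nginx_tls_ocsp_trusted_certificate)
+- [nginx_tls_versions](#nginx_tls_versions)
+- [nginx_user](#nginx_user)
+- [nginx_vhosts_default](#nginx_vhosts_default)
+- [nginx_vhosts_dir](#nginx_vhosts_dir)
+- [nginx_vhosts_extra](#nginx_vhosts_extra)
+- [nginx_worker_connections](#nginx_worker_connections)
+- [nginx_worker_processes](#nginx_worker_processes)
+- [nginx_xcto_enabled](#nginx_xcto_enabled)
+- [nginx_xfo_enabled](#nginx_xfo_enabled)
+- [nginx_xfo_policy](#nginx_xfo_policy)
+- [nginx_xxxsp_enabled](#nginx_xxxsp_enabled)
+- [nginx_xxxsp_parameters](#nginx_xxxsp_parameters)
+- [Discovered Tags](#discovered-tags)
+- [Dependencies](#dependencies)
+---
+## Default Variables
+### nginx_access_log
+#### Default value
+```YAML
+nginx_access_log:
+enabled: true
+file: /var/log/nginx/access.log
+format: main
+```
+### nginx_client_body_buffer_size
+#### Default value
+```YAML
+nginx_client_body_buffer_size: 10k
+```
+### nginx_client_body_timeout
+#### Default value
+```YAML
+nginx_client_body_timeout: 60
+```
+### nginx_client_header_buffer_size
+#### Default value
+```YAML
+nginx_client_header_buffer_size: 1k
+```
+### nginx_client_header_timeout
+#### Default value
+```YAML
+nginx_client_header_timeout: 60
+```
+### nginx_client_max_body_size
+#### Default value
+```YAML
+nginx_client_max_body_size: 8m
+```
+### nginx_csp_enabled
+#### Default value
+```YAML
+nginx_csp_enabled: false
+```
+### nginx_csp_options
+#### Example usage
+```YAML
+nginx_csp_options:
+- directive: frame-ancestors
+parameters:
+- https://example.com
+- https://mypage.com
+```
+### nginx_error_location
+Default error location. If set, the defined location will be automatically added once to every server block to handle custom error sites.
+#### Default value
+```YAML
+nginx_error_location: []
+```
+#### Example usage
+```YAML
+nginx_error_location:
+- match: /
+root: /var/www/vhosts/default
+index: index.html
+custom_options:
+```
+### nginx_error_log
+#### Default value
+```YAML
+nginx_error_log:
+enabled: true
+file: /var/log/nginx/error.log
+level: error
+```
+### nginx_error_page
+#### Default value
+```YAML
+nginx_error_page: []
+```
+#### Example usage
+```YAML
+```
+### nginx_group
+#### Default value
+```YAML
+nginx_group: nginx
+```
+### nginx_gzip_comp_level
+#### Default value
+```YAML
+nginx_gzip_comp_level: 2
+```
+### nginx_gzip_enabled
+#### Default value
+```YAML
+nginx_gzip_enabled: true
+```
+### nginx_gzip_min_length
+#### Default value
+```YAML
+nginx_gzip_min_length: 1000
+```
+### nginx_gzip_proxied
+#### Default value
+```YAML
+nginx_gzip_proxied:
+- expired
+- no-cache
+- no-store
+- private
+- auth
+```
+### nginx_gzip_types
+#### Default value
+```YAML
+nginx_gzip_types:
+- text/plain
+- application/x-javascript
+- text/xml
+- text/css
+- application/xml
+```
+### nginx_hsts_options
+#### Default value
+```YAML
+nginx_hsts_options:
+- max-age=63072000
+- includeSubDomains
+- preload
+```
+### nginx_keepalive_timeout
+#### Default value
+```YAML
+nginx_keepalive_timeout: 65
+```
+### nginx_maps
+#### Default value
+```YAML
+nginx_maps: []
+```
+#### Example usage
+```YAML
+nginx_maps:
+- input: $input
+output: $output
+parameters:
+- "default 0"
+- "/old/path /new_path"
+```
+### nginx_maps_extra
+#### Default value
+```YAML
+nginx_maps_extra: []
+```
+### nginx_official_repo_enabled
+#### Default value
+```YAML
+nginx_official_repo_enabled: true
+```
+### nginx_reset_timedout_connection
+#### Default value
+```YAML
+nginx_reset_timedout_connection: true
+```
+### nginx_rp_enabled
+#### Default value
+```YAML
+nginx_rp_enabled: true
+```
+### nginx_rp_option
+#### Default value
+```YAML
+nginx_rp_option: strict-origin
+```
+### nginx_send_timeout
+#### Default value
+```YAML
+nginx_send_timeout: 60
+```
+### nginx_server_names_hash_bucket_size
+#### Default value
+```YAML
+nginx_server_names_hash_bucket_size: 32
+```
+### nginx_tls_certificates
+#### Default value
+```YAML
+nginx_tls_certificates: []
+```
+#### Example usage
+```YAML
+nginx_tls_certificates:
+- source: "{{ ansible_user_dir }}/files/mycert.pem"
+dest: /etc/pki/tls/certs/mycert.pem
+mode: 0644
+- source: "{{ ansible_user_dir }}/files/mykey.pem"
+dest: /etc/pki/tls/private/mykey.pem
+mode: 0600
+```
+### nginx_tls_certificates_extra
+#### Default value
+```YAML
+nginx_tls_certificates_extra: []
+```
+### nginx_tls_ciphers
+#### Default value
+```YAML
+nginx_tls_ciphers:
+- ECDHE-RSA-AES256-GCM-SHA512
+- DHE-RSA-AES256-GCM-SHA512
+- ECDHE-RSA-AES256-GCM-SHA384
+- DHE-RSA-AES256-GCM-SHA384
+- ECDHE-RSA-AES256-SHA384
+```
+### nginx_tls_dhparam_file
+#### Default value
+```YAML
+nginx_tls_dhparam_file: _unset_
+```
+### nginx_tls_dhparam_size
+#### Default value
+```YAML
+nginx_tls_dhparam_size: 2048
+```
+### nginx_tls_ecdh_curve
+#### Default value
+```YAML
+nginx_tls_ecdh_curve: _unset_
+```
+### nginx_tls_enabled
+#### Default value
+```YAML
+nginx_tls_enabled: false
+```
+### nginx_tls_hsts_enabled
+#### Default value
+```YAML
+nginx_tls_hsts_enabled: false
+```
+### nginx_tls_ocsp_enabled
+#### Default value
+```YAML
+nginx_tls_ocsp_enabled: false
+```
+### nginx_tls_ocsp_trusted_certificate
+#### Default value
+```YAML
+nginx_tls_ocsp_trusted_certificate: _unset_
+```
+### nginx_tls_versions
+#### Default value
+```YAML
+nginx_tls_versions:
+- TLSv1.2
+```
+### nginx_user
+#### Default value
+```YAML
+nginx_user: nginx
+```
+### nginx_vhosts_default
+#### Default value
+```YAML
+nginx_vhosts_default:
+- file: default
+servers:
+- port: 80
+server_name: '{{ ansible_fqdn }}'
+locations:
+- match: /
+root: /var/www/vhosts/default
+index: index.html
+- match: /50x.html
+root: /usr/share/nginx/html
+custom_options:
+- error_page 500 502 503 504 /50x.html
+```
+#### Example usage
+```YAML
+nginx_vhosts_default:
+- file: default
+upstreams:
+- name: my_pool
+servers: []
+servers:
+- port: 80
+server_name: demo.example.com
+tls_redirect: False # skips locations if enabled
+tls_redirect_url:
+tls:
+cert: /etc/pki/tls/certs/mycert.pem
+key: /etc/pki/tls/private/mykey.pem
+dhparam:
+client_max_body_size:
+send_timeout:
+add_headers:
+- name:
+value:
+always: True
+locations:
+- match: /
+root: /var/www/vhosts/default
+index: index.html
+add_headers: []
+proxy_pass:
+proxy_pass_request_body:
+proxy_next_upstream:
+proxy_redirect:
+proxy_http_version: "1.1"
+proxy_buffering: "off"
+proxy_connect_timeout: 3600s
+proxy_read_timeout: 3600s
+proxy_send_timeout: 3600s
+proxy_set_headers: []
+proxy_hide_headers: []
+proxy_ignore_headers: []
+proxy_intercept_errors: "off"
+proxy_cache_bypass:
+proxy_no_cache:
+proxy_buffers:
+custom_options:
+custom_options:
+- 'deny: all'
+```
+### nginx_vhosts_dir
+#### Default value
+```YAML
+nginx_vhosts_dir: /var/www/vhosts
+```
+### nginx_vhosts_extra
+#### Default value
+```YAML
+nginx_vhosts_extra: []
+```
+### nginx_worker_connections
+#### Default value
+```YAML
+nginx_worker_connections: 1024
+```
+### nginx_worker_processes
+#### Default value
+```YAML
+nginx_worker_processes: 1
+```
+### nginx_xcto_enabled
+#### Default value
+```YAML
+nginx_xcto_enabled: true
+```
+### nginx_xfo_enabled
+#### Default value
+```YAML
+nginx_xfo_enabled: true
+```
+### nginx_xfo_policy
+#### Default value
+```YAML
+nginx_xfo_policy: deny
+```
+### nginx_xxxsp_enabled
+#### Default value
+```YAML
+nginx_xxxsp_enabled: true
+```
+### nginx_xxxsp_parameters
+#### Default value
+```YAML
+nginx_xxxsp_parameters:
+- 1
+- mode=block
+```
+## Discovered Tags
+tls_renewal
+: &nbsp;
+## Dependencies
+None.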


@ -1,31 +0,0 @@
# Standards: 0.2
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: Robert Kaussow <mail@thegeeklab.de>
namespace: xoxys
role_name: nginx
# @meta description: >
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.nginx)
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.nginx?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.nginx)
# [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.nginx/src/branch/main/LICENSE)
#
# Setup [nginx](https://docs.nginx.com/) webserver. Nginx is an open source reverse proxy server
# for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a
# web server. The nginx project started with a strong focus on high concurrency, high performance
# and low memory usage.
# @end
description: Setup nginx webserver
license: MIT
min_ansible_version: 2.10
platforms:
- name: EL
versions:
- 7
galaxy_tags:
- nginx
- webserver
- proxy
dependencies: []
collections:
- community.general


@ -1,6 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: xoxys.nginx


@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30


@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool


@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: centos7-nginx
image: centos-7
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra


@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false


@ -1,30 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_nginx_is_installed(host):
nginx = host.package("nginx")
assert nginx.is_installed
def test_nginx_running_and_enabled(host):
nginx = host.service("nginx")
assert nginx.is_running
assert nginx.is_enabled
def test_nginx_process(host):
# Verify worker procs are running
main = host.process.get(user="root", comm="nginx")
workers = host.process.filter(ppid=main.pid)
assert len(workers) > 0
def test_nginx_socket(host):
# Verify the socket is listening for HTTP traffic
assert host.socket("tcp://0.0.0.0:80").is_listening


@ -1 +0,0 @@
rocky8


@ -1,3 +0,0 @@
[pytest]
filterwarnings =
ignore::DeprecationWarning


@ -1,6 +0,0 @@
---
collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general
roles: []


@ -1,6 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: xoxys.nginx


@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30


@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool


@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: rocky8-nginx
image: rocky-8
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra


@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false


@ -1,30 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_nginx_is_installed(host):
nginx = host.package("nginx")
assert nginx.is_installed
def test_nginx_running_and_enabled(host):
nginx = host.service("nginx")
assert nginx.is_running
assert nginx.is_enabled
def test_nginx_process(host):
# Verify worker procs are running
main = host.process.get(user="root", comm="nginx")
workers = host.process.filter(ppid=main.pid)
assert len(workers) > 0
def test_nginx_socket(host):
# Verify the socket is listening for HTTP traffic
assert host.socket("tcp://0.0.0.0:80").is_listening


@ -1,12 +0,0 @@
[flake8]
ignore = D100, D101, D102, D103, D105, D107, E402, W503
max-line-length = 99
inline-quotes = double
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
[yapf]
based_on_style = google
column_limit = 99
dedent_closing_brackets = true
coalesce_brackets = true
split_before_logical_operator = true


@ -1,129 +0,0 @@
---
- block:
- name: Add nginx repository
yum_repository:
name: nginx
file: nginx
description: NGINX High Performance Web Server
baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
gpgkey: https://nginx.org/keys/nginx_signing.key
gpgcheck: yes
when: nginx_official_repo_enabled | bool
- name: Installing nginx
package:
name: nginx
state: present
- name: Create group '{{ nginx_group }}'
group:
name: "{{ nginx_group }}"
state: present
when: nginx_group != "nginx"
- name: Create user '{{ nginx_user }}'
user:
name: "{{ nginx_user }}"
group: "{{ nginx_group }}"
createhome: no
shell: /sbin/nologin
when: nginx_user != "nginx"
- name: Prepare vhost directories
file:
path: "{{ item }}"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_group }}"
mode: 0750
loop:
- "{{ nginx_vhosts_dir }}"
- "{{ nginx_vhosts_dir }}/default"
- name: Prepare nginx directories
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0640
loop:
- /etc/nginx/sites-available
- /etc/nginx/sites-enabled
- name: Update nginx.conf
template:
src: etc/nginx/nginx.conf.j2
dest: "/etc/nginx/nginx.conf"
owner: root
group: root
mode: 0640
notify: __nginx_reload
- name: Remove default.conf from conf.d
copy:
content: |
# Ansible managed.
# File not in use.
dest: /etc/nginx/conf.d/default.conf
mode: 0640
- name: Update header.conf
template:
src: etc/nginx/conf.d/header.conf.j2
dest: /etc/nginx/conf.d/header.conf
owner: root
group: root
mode: 0640
notify: __nginx_reload
- name: Add custom error page template
template:
src: usr/share/nginx/html/error.html.j2
dest: /usr/share/nginx/html/error.html
owner: root
group: root
mode: 0644
notify: __nginx_reload
- name: Set selinux booleans
seboolean:
name: "{{ item.name }}"
state: "{{ item.state }}"
persistent: "{{ item.persistent }}"
loop: "{{ nginx_set_sebooleans }}"
when: nginx_set_sebooleans is defined
- name: Allow to bind to custom ports
seport:
ports: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
setype: http_port_t
state: "{{ item.state | default('present') }}"
loop: "{{ nginx_set_seports }}"
loop_control:
label: "{{ item.port }}"
when: nginx_set_seports is defined
- name: Fix selinux file context mappaing for pid file
sefcontext:
target: '/var/run/nginx(/.*)?'
setype: httpd_var_run_t
state: present
- name: Apply new SELinux file context to filesystem
command: restorecon -irv /var/run
changed_when: False
become: True
become_user: root
- block:
- name: Add default page
template:
src: var/www/vhosts/default/index.html.j2
dest: /var/www/vhosts/default/index.html
owner: "{{ nginx_user }}"
group: "{{ nginx_group }}"
mode: 0750
become: True
become_user: "{{ nginx_user }}"


@ -1,6 +0,0 @@
---
- include_tasks: install.yml
- import_tasks: tls.yml
tags: tls_renewal
- include_tasks: vhost.yml
- include_tasks: post_tasks.yml


@ -1,9 +0,0 @@
---
- name: Ensure nginx service is up and running
service:
state: started
daemon_reload: yes
enabled: yes
name: nginx
become: True
become_user: root


@ -1,38 +0,0 @@
---
- block:
- name: Ensur target directories exist for certificate files
file:
name: "{{ item.dest | dirname }}"
state: directory
mode: 0755
loop: "{{ nginx_tls_certificates + nginx_tls_certificates_extra }}"
loop_control:
label: "{{ item.dest }}"
- name: Copy certificate files
copy:
src: "{{ item.source }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0600') }}"
owner: "{{ item.owner | default('root') }}"
loop: "{{ nginx_tls_certificates + nginx_tls_certificates_extra }}"
loop_control:
label: "{{ item.dest }}"
notify: __nginx_reload
- name: Create Diffie-Hellman Parameter
openssl_dhparam:
path: "{{ nginx_tls_dhparam_file }}"
size: "{{ nginx_tls_dhparam_size }}"
when: nginx_tls_dhparam_file is defined
- name: Update tls.conf
template:
src: etc/nginx/conf.d/tls.conf.j2
dest: /etc/nginx/conf.d/tls.conf
owner: root
group: root
mode: 0640
notify: __nginx_reload
become: True
become_user: root


@ -1,25 +0,0 @@
---
- block:
- name: Add vhost configurations
template:
src: etc/nginx/sites-available/vhost.j2
dest: "/etc/nginx/sites-available/{{ item.file }}"
owner: root
group: root
mode: 0640
loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
loop_control:
label: "{{ item.file }}"
notify: __nginx_reload
- name: Enable vhosts
file:
src: "/etc/nginx/sites-available/{{ item.file }}"
dest: "/etc/nginx/sites-enabled/{{ item.file }}"
state: "{{ 'link' if item.enabled | default(True) | bool else 'absent' }}"
loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
loop_control:
label: "{{ item.file }}"
notify: __nginx_reload
become: True
become_user: root


@ -1,35 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
# protect against protocol downgrading and cookie hijacking
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
{% endif %}
# improve the protection against Clickjacking
# https://owasp.org/www-project-secure-headers/#x-frame-options
{% if nginx_xfo_enabled %}
add_header X-Frame-Options {{ nginx_xfo_policy }} always;
{% endif %}
{% if nginx_csp_enabled and nginx_csp_options is defined %}
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;
{% endif %}
# prevent from interpreting files as something else than declared by the content type in HTTP headers
# https://owasp.org/www-project-secure-headers/#x-content-type-options
{% if nginx_xcto_enabled %}
add_header X-Content-Type-Options nosniff always;
{% endif %}
# enables the cross-site scripting (XSS) filter of the browsers
# https://owasp.org/www-project-secure-headers/#x-xss-protection
{% if nginx_xxxsp_enabled %}
add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
{% endif %}
# governs which referrer information, sent in the Referer header, should be included with requests made
# https://owasp.org/www-project-secure-headers/#referrer-policy
{% if nginx_rp_enabled %}
add_header Referrer-Policy "{{ nginx_rp_option }}" always;
{% endif %}


@ -1,22 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
ssl_ciphers {{ nginx_tls_ciphers | join(":") }};
ssl_prefer_server_ciphers on;
{% if nginx_tls_ecdh_curve is defined %}
ssl_ecdh_curve {{ nginx_tls_ecdh_curve | join(":") }};
{% endif %}
{% if nginx_tls_dhparam_file is defined %}
ssl_dhparam {{ nginx_tls_dhparam_file }};
{% endif %}
ssl_protocols {{ nginx_tls_versions | join(" ") }};
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
{% if nginx_tls_ocsp_enabled %}
ssl_stapling on;
ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_certificate }};
ssl_stapling_verify on;
{% endif %}


@ -1,85 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
user {{ nginx_user }} {{ nginx_group }};
worker_processes {{ nginx_worker_processes }};
pid /var/run/nginx.pid;
events {
worker_connections {{ nginx_worker_connections }};
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
{% if nginx_error_log.enabled %}
error_log {{ nginx_error_log.file }} {{ nginx_error_log.level }};
{% else %}
error_log off;
{% endif %}
{% if nginx_access_log.enabled %}
access_log {{ nginx_access_log.file }} {{ nginx_access_log.format }};
{% else %}
access_log off;
{% endif %}
{% if nginx_error_page is defined and nginx_error_page | length > 0 %}
{% for error in nginx_error_page %}
error_page {{ error.code | join(" ") }} {{ error.dest }};
{% endfor %}
{% endif %}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for map in nginx_maps + nginx_maps_extra %}
map {{ map.input }} {{ map.output }} {
{% for param in map.parameters %}
{{ param }};
{% endfor %}
}
{% endfor %}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
server_tokens off;
## Buffers
client_body_buffer_size {{ nginx_client_body_buffer_size }};
client_header_buffer_size {{ nginx_client_header_buffer_size }};
client_max_body_size {{ nginx_client_max_body_size }};
## Timeouts
client_body_timeout {{ nginx_client_body_timeout }};
client_header_timeout {{ nginx_client_header_timeout }};
keepalive_timeout {{ nginx_keepalive_timeout }};
send_timeout {{ nginx_send_timeout }};
{% if nginx_reset_timedout_connection %}
reset_timedout_connection on;
{% endif %}
## Gzip Settings
{% if nginx_gzip_enabled %}
gzip on;
gzip_comp_level {{ nginx_gzip_comp_level }};
gzip_min_length {{ nginx_gzip_min_length }};
gzip_proxied {{ nginx_gzip_proxied | join(" ") }};
gzip_types {{ nginx_gzip_types | join(" ") }};
{% endif %}
# Load modular configuration files from the /etc/nginx/conf.d directory
include /etc/nginx/conf.d/*.conf;
## Virtual Host Configs
include /etc/nginx/sites-enabled/*;
server_names_hash_bucket_size {{ nginx_server_names_hash_bucket_size }};
}


@ -1,153 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% if item.upstreams is defined and item.upstreams %}
{% for upstream in item.upstreams %}
upstream {{ upstream.name }} {
{% for upserver in upstream.servers %}
server {{ upserver }};
{% endfor %}
}
{% endfor %}
{% endif %}
{% for server in item.servers %}
server {
listen {{ server.port }}{{ ' ssl' if server.tls is defined and server.tls else '' }};
{% if not server.server_name is string and server.server_name is iterable %}
server_name {{ server.server_name | join(" ") }};
{% else %}
server_name {{ server.server_name }};
{% endif %}
{% if server.tls is defined and server.tls %}
ssl_certificate {{ server.tls.cert }};
ssl_certificate_key {{ server.tls.key }};
{% if server.tls.dhparam is defined %}
ssl_dhparam {{ item.value.ssl.dhparam }};
{% endif %}
{% endif %}
{% if server.tls_redirect | default(False) %}
return 301 https://{% if server.tls_redirect_url is defined %}{{ server.tls_redirect_url }}{% else %}$server_name{% endif %}$request_uri;
{% else %}
{% if server.client_max_body_size is defined and server.client_max_body_size %}
client_max_body_size {{ server.client_max_body_size }};
{% endif %}
{% if server.send_timeout is defined and server.send_timeout %}
send_timeout {{ server.send_timeout }};
{% endif %}
{% if server.add_headers is defined and server.add_headers %}
include /etc/nginx/conf.d/header.conf;
{% for add in server.add_headers %}
add_header {{ add.name }} {{ add.value }}{{ " always" if add.always | default(True) | bool else "" }};
{% endfor %}
{% endif %}
{% if server.custom_options is defined and server.custom_options %}
{% for inline_option in server.custom_options %}
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
{% endfor %}
{% endif %}
{% for location in server.locations %}
location {{ location.match }} {
{% if location.root is defined and location.root %}
root {{ location.root }};
{% endif %}
{% if location.index is defined and location.index %}
index {{ location.index }};
{% endif %}
{% if location.add_headers is defined and location.add_headers %}
include /etc/nginx/conf.d/header.conf;
{% for add in location.add_headers %}
add_header {{ add.name }} {{ add.value }}{{ " always" if add.always | default(True) | bool else "" }};
{% endfor %}
{% endif %}
{% if location.proxy_pass is defined and location.proxy_pass %}
proxy_pass {{ location.proxy_pass }};
{% if location.proxy_pass_request_body is defined and location.proxy_pass_request_body %}
proxy_pass_request_body {{ location.proxy_pass_request_body }};
{% endif %}
{% if location.proxy_next_upstream is defined and location.proxy_next_upstream %}
proxy_next_upstream {{ location.proxy_next_upstream }};
{% endif %}
{% if location.proxy_redirect is defined and location.proxy_redirect %}
proxy_redirect {{ location.proxy_redirect }};
{% endif %}
{% if location.proxy_http_version is defined and location.proxy_http_version %}
proxy_http_version {{ location.proxy_http_version }};
{% endif %}
{% if location.proxy_buffering is defined and location.proxy_buffering %}
proxy_buffering {{ location.proxy_buffering }};
{% endif %}
{% if location.proxy_connect_timeout is defined and location.proxy_connect_timeout %}
proxy_connect_timeout {{ location.proxy_connect_timeout }};
{% endif %}
{% if location.proxy_read_timeout is defined and location.proxy_read_timeout %}
proxy_read_timeout {{ location.proxy_read_timeout }};
{% endif %}
{% if location.proxy_send_timeout is defined and location.proxy_send_timeout %}
proxy_send_timeout {{ location.proxy_send_timeout }};
{% endif %}
{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %}
proxy_intercept_errors {{ location.proxy_intercept_errors }};
{% endif %}
{% if location.proxy_cache_bypass is defined and location.proxy_cache_bypass %}
proxy_cache_bypass {{ location.proxy_cache_bypass }};
{% endif %}
{% if location.proxy_no_cache is defined and location.proxy_no_cache %}
proxy_no_cache {{ location.proxy_no_cache }};
{% endif %}
{% if location.proxy_buffers is defined and location.proxy_buffers %}
proxy_buffers {{ location.proxy_buffers }};
{% endif %}
{% if location.proxy_set_headers is defined and location.proxy_set_headers %}
{% for set in location.proxy_set_headers %}
proxy_set_header {{ set }};
{% endfor %}
{% endif %}
{% if location.proxy_hide_headers is defined and location.proxy_hide_headers %}
{% for hide in location.proxy_hide_headers %}
proxy_hide_header {{ hide }};
{% endfor %}
{% endif %}
{% if location.proxy_ignore_headers is defined and location.proxy_ignore_headers %}
proxy_ignore_headers {{ location.proxy_ignore_headers | join(" ") }};
{% endif %}
{% endif %}
{% if location.custom_options is defined and location.custom_options %}
{% for inline_option in location.custom_options %}
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
{% endfor %}
{% endif %}
}
{% endfor %}
{% for error_location in nginx_error_location %}
location {{ error_location.match }} {
{% if error_location.root is defined and error_location.root %}
root {{ error_location.root }};
{% endif %}
{% if error_location.index is defined and error_location.index %}
index {{ error_location.index }};
{% endif %}
{% if error_location.custom_options is defined and error_location.custom_options %}
{% for inline_option in error_location.custom_options %}
{{ inline_option }}{{ "" if inline_option.startswith("if ") else ";" }}
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
}
{% endfor %}


@ -1,79 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta
name="viewport"
content="width=device-width, initial-scale=1, shrink-to-fit=no"
/>
<meta name="robots" content="noindex, nofollow" />
<title>Oops! You're lost</title>
<style>
html,
body {
height: 100%;
min-height: 100%;
margin: 0;
padding: 0;
}
body {
cursor: default;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI",
Roboto, "Helvetica Neue", Arial, sans-serif;
font-size: 1rem;
font-weight: normal;
line-height: 1.5;
color: #383e4b;
background-color: #f5f5f5;
}
h1 {
font-size: 4.5rem;
font-weight: 300;
margin: 0 1.5rem 0 0;
}
h4 {
font-size: 1.5rem;
margin: 0;
}
p {
font-weight: 500;
line-height: 1;
color: #9da0a8;
padding: 0;
margin: 0;
}
.container {
display: flex;
margin: 0;
align-items: center;
justify-content: center;
box-sizing: border-box;
height: 100%;
min-width: 380px;
}
.no-wrap {
flex-shrink: 0;
}
</style>
</head>
<body>
<div class="container">
<div>
<h1><!--# echo var="status" default="" --></h1>
</div>
<div class="no-wrap">
<h4>Oops! You're lost.</h4>
<p><!--# echo var="status_text" default="Something goes wrong" --></p>
</div>
</div>
</body>
</html>


@ -1,2 +0,0 @@
{{ ansible_managed | comment("plain", prefix="<!--", postfix="-->") }}
{{ ansible_fqdn }}