authorChristian Pointner <equinox@spreadspace.org>2019-10-12 03:01:11 +0200
committerChristian Pointner <equinox@spreadspace.org>2019-10-12 03:01:11 +0200
commitd11a24b7f0edf309a2bbd5687acbea8bc1e012cc (patch)
tree919f7fedd1fecd88877ffbb12449345bf589dc83
parentcreate acmetool accounts for some machines (diff)
added generic nginx role
-rw-r--r--roles/acmetool/cert/tasks/main.yml9
-rw-r--r--roles/elevate/liquidtruth/handlers/main.yml5
-rw-r--r--roles/elevate/liquidtruth/tasks/main.yml10
-rw-r--r--roles/nginx/defaults/main.yml13
-rw-r--r--roles/nginx/handlers/main.yml5
-rw-r--r--roles/nginx/tasks/acme.yml (renamed from roles/elevate/liquidtruth/tasks/nginx.yml)48
-rw-r--r--roles/nginx/tasks/main.yml53
-rw-r--r--roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2 (renamed from roles/elevate/liquidtruth/templates/nginx.conf.j2)10
8 files changed, 99 insertions, 54 deletions
diff --git a/roles/acmetool/cert/tasks/main.yml b/roles/acmetool/cert/tasks/main.yml
index c2f778f6..8f9f6d41 100644
--- a/roles/acmetool/cert/tasks/main.yml
+++ b/roles/acmetool/cert/tasks/main.yml
@@ -1,10 +1,9 @@
- name: add acmetool desired file
- loop:
- - satisfy:
+ vars:
+ acmetool_desired:
+ satisfy:
names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}"
- loop_control:
- label: "{{ item.satisfy.names | join(', ') }}"
copy:
- content: "{{ item | to_nice_yaml }}"
+ content: "{{ acmetool_desired | to_nice_yaml }}"
dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
notify: reconcile acmetool
diff --git a/roles/elevate/liquidtruth/handlers/main.yml b/roles/elevate/liquidtruth/handlers/main.yml
index 22e01ee4..03ed878a 100644
--- a/roles/elevate/liquidtruth/handlers/main.yml
+++ b/roles/elevate/liquidtruth/handlers/main.yml
@@ -2,8 +2,3 @@
- name: update apt cache
apt:
update_cache: yes
-
-- name: restart nginx
- service:
- name: nginx
- state: restarted
diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml
index cc5dd20e..d791c33f 100644
--- a/roles/elevate/liquidtruth/tasks/main.yml
+++ b/roles/elevate/liquidtruth/tasks/main.yml
@@ -24,7 +24,15 @@
import_tasks: nodejs.yml
- name: install and configure nginx
- import_tasks: nginx.yml
+ import_role:
+ name: nginx
+ vars:
+ nginx_vhosts:
+ liquidtruth:
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames: "{{ liquidtruth_hostnames }}"
+ proxy_pass: "http://127.0.0.1:8080"
- name: create app user
user:
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 00000000..ae4aa9d4
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+nginx_pkg_name: nginx-light
+
+# nginx_vhosts:
+# example:
+# template: generic-proxy-no-buffering-with-acme
+# acme: yes
+# hostnames:
+# - example.com
+# - www.example.com
+# proxy_pass: http://127.0.0.1:8080
+# other.io:
+# contents: "<< nginx vhost config file contents >>"
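Review bot: The example vhost uses `acme: yes`, which yamllint's truthy rule flags and which the role's "generate acme certificate" task reads as a bare boolean in its `when`; write `# acme: true` here and say in the comment that every vhost needs an `acme` key (or that the role defaults it to false), otherwise a `contents`-only vhost like `other.io` in this example trips an undefined-variable error rather than being skipped. I would also document how a `contents`-style vhost gets linked into sites-enabled, since the only enable step visible in this commit lives in acme.yml and only runs for acme vhosts.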
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 00000000..6deed0cd
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/elevate/liquidtruth/tasks/nginx.yml b/roles/nginx/tasks/acme.yml
index 2066ce27..c08c0a57 100644
--- a/roles/elevate/liquidtruth/tasks/nginx.yml
+++ b/roles/nginx/tasks/acme.yml
@@ -1,45 +1,15 @@
---
-- name: install nginx
- apt:
- name: nginx-light
- state: present
-
-- name: remove nginx default config
- file:
- name: /etc/nginx/sites-enabled/default
- state: absent
- notify: restart nginx
-
-- name: install nginx config snippets
- loop:
- - ssl
- - hsts
- copy:
- src: "{{ global_files_dir }}/common/nginx-snippets/{{ item }}.conf"
- dest: /etc/nginx/snippets/
- notify: restart nginx
-
-- name: generate Diffie-Hellman parameters
- openssl_dhparam:
- path: /etc/ssl/dhparams.pem
- size: 2048
- notify: restart nginx
-
-- name: install nginx config
- template:
- src: nginx.conf.j2
- dest: /etc/nginx/sites-available/liquidtruth
- notify: restart nginx
-
- name: check if acme certs already exist
- loop: "{{ liquidtruth_hostnames }}"
+ loop: "{{ item.value.hostnames }}"
+ loop_control:
+ loop_var: acme_hostname
stat:
- path: "/var/lib/acme/live/{{ item }}"
+ path: "/var/lib/acme/live/{{ acme_hostname }}"
register: acme_cert_stat
- name: set acmecert_missing_hostnames variable
set_fact:
- acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(liquidtruth_hostnames) }}"
+ acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(item.value.hostnames) }}"
- name: link nonexistent hostnames to self-signed interim cert
when: acmecert_missing_hostnames | length > 0
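Review bot: acme.yml now silently depends on the caller's loop variable `item` (`item.value.hostnames` on the stat loop and the set_fact), which is only correct when it is reached via the `include_tasks` loop over `nginx_vhosts | dict2items`; that contract should be stated at the top of the file, e.g. `# expects `item` to be one dict2items entry of nginx_vhosts (item.key = vhost name, item.value.hostnames = list of names); do not rename `item` in the caller`. The inner loops correctly use `loop_var` so they do not shadow it, but `register: acme_cert_stat` and the `acmecert_missing_hostnames` fact are host-scoped and are overwritten on each vhost iteration, which is worth a comment on the set_fact line so nobody later reads the fact after the loop expecting all vhosts. The "link nonexistent hostnames to self-signed interim cert" block continues past this hunk.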
@@ -56,9 +26,11 @@
- name: link to snakeoil cert for nonexistent hostnames
loop: "{{ acmecert_missing_hostnames }}"
+ loop_control:
+ loop_var: acme_missing_hostname
file:
src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: "/var/lib/acme/live/{{ item }}"
+ dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
state: link
- name: enable vhost config using acme cert
@@ -74,5 +46,5 @@
import_role:
name: acmetool/cert
vars:
- acmetool_cert_name: "{{ liquidtruth_hostnames[0] }}"
- acmetool_cert_hostnames: "{{ liquidtruth_hostnames }}"
+ acmetool_cert_name: "{{ item.value.hostnames[0] }}"
+ acmetool_cert_hostnames: "{{ item.value.hostnames }}"
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 00000000..19791235
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+- name: install nginx
+ apt:
+ name: "{{ nginx_pkg_name }}"
+ state: present
+
+- name: remove nginx default config
+ file:
+ name: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: restart nginx
+
+- name: install nginx config snippets
+ loop:
+ - ssl
+ - hsts
+ copy:
+ src: "{{ global_files_dir }}/common/nginx-snippets/{{ item }}.conf"
+ dest: /etc/nginx/snippets/
+ notify: restart nginx
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+ size: 2048
+ notify: restart nginx
+
+- name: install nginx configs from template
+ loop: "{{ nginx_vhosts | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'template' in item.value"
+ template:
+ src: "{{ item.value.template }}.conf.j2"
+ dest: "/etc/nginx/sites-available/{{ item.key }}"
+ notify: restart nginx
+
+- name: install nginx configs from config data
+ loop: "{{ nginx_vhosts | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'contents' in item.value"
+ copy:
+ contents: "{{ item.value.contents }}"
+ dest: "/etc/nginx/sites-available/{{ item.key }}"
+ notify: restart nginx
+
+- name: generate acme certificate
+ loop: "{{ nginx_vhosts | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.hostnames | join(', ') }})"
+ when: item.value.acme
+ include_tasks: acme.yml
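Review bot: The `copy` module has no `contents` parameter (it is `content`), so "install nginx configs from config data" fails on the first vhost that uses the `contents` style; change it to `content: "{{ item.value.contents }}"`. In the last task, `when: item.value.acme` raises an undefined-attribute error for any vhost that omits the `acme` key, and the loop label `item.value.hostnames | join(', ')` most likely does the same for a vhost without `hostnames`, since the label is rendered for every item; use `when: item.value.acme | default(false)` and `label: "{{ item.key }} ({{ item.value.hostnames | default([]) | join(', ') }})"`. Note also that nothing in this file links a non-acme vhost from sites-available into sites-enabled; as far as this commit shows, only acme.yml enables a vhost, so a `contents`-only vhost would be written but never served, which is presumably unintended.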
diff --git a/roles/elevate/liquidtruth/templates/nginx.conf.j2 b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
index ef690b1c..784b2590 100644
--- a/roles/elevate/liquidtruth/templates/nginx.conf.j2
+++ b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -8,7 +8,7 @@ map $http_upgrade $connection_upgrade {
server {
listen 80;
listen [::]:80;
- server_name {{ liquidtruth_hostnames | join(' ') }};
+ server_name {{ item.value.hostnames | join(' ') }};
include snippets/acmetool.conf;
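Review bot: This template is now reusable for several vhosts on one host, but the hunk header shows it still carries its own `map $http_upgrade $connection_upgrade { ... }` block above this server; that is an http-context directive, and rendering the template twice into sites-available would define the same variable twice, which nginx rejects at config test (duplicate variable), so the first host with two vhosts from this template would fail the restart handler. Move the map into a shared snippet or a single conf.d file installed once by the role, and reference `$connection_upgrade` from the vhost files only; I cannot see the map's exact lines here, so confirm it is not already guarded.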
@@ -20,12 +20,12 @@ server {
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{ liquidtruth_hostnames | join(' ') }};
+ server_name {{ item.value.hostnames | join(' ') }};
include snippets/acmetool.conf;
include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ liquidtruth_hostnames[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ liquidtruth_hostnames[0] }}/privkey;
+ ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
include snippets/hsts.conf;
location / {
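Review bot: With the distribution's `sites-enabled/default` removed by the role, the first vhost rendered from this template becomes nginx's implicit default server for `:443`, so any request whose SNI/Host does not match a configured `server_name` is answered with this vhost's certificate and proxied straight into the application behind it. Since the template is now generic and expected to coexist with other vhosts, it is worth adding a catch-all `server { listen 443 ssl http2 default_server; ... return 444; }` (with its own or the interim certificate) at role level rather than relying on vhost ordering; I am inferring the default-server behaviour from the removal task in tasks/main.yml, not from lines visible in this hunk. The server block continues past this hunk.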
@@ -43,6 +43,6 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
- proxy_pass http://127.0.0.1:8080;
+ proxy_pass {{ item.value.proxy_pass }};
}
}