Diffstat (limited to 'roles/nginx')
-rw-r--r-- | roles/nginx/base/defaults/main.yml | 10 | ||||
-rw-r--r-- | roles/nginx/base/files/conf.d/connection-upgrade.conf (renamed from roles/nginx/files/conf.d/connection-upgrade.conf) | 0 | ||||
-rw-r--r-- | roles/nginx/base/files/snippets/hsts.conf (renamed from roles/nginx/files/snippets/hsts.conf) | 0 | ||||
-rw-r--r-- | roles/nginx/base/files/snippets/proxy-nobuff.conf (renamed from roles/nginx/files/snippets/proxy-nobuff.conf) | 0 | ||||
-rw-r--r-- | roles/nginx/base/files/snippets/security-headers.conf (renamed from roles/nginx/files/snippets/security-headers.conf) | 0 | ||||
-rw-r--r-- | roles/nginx/base/files/snippets/ssl.conf (renamed from roles/nginx/files/snippets/ssl.conf) | 0 | ||||
-rw-r--r-- | roles/nginx/base/handlers/main.yml (renamed from roles/nginx/handlers/main.yml) | 0 | ||||
-rw-r--r-- | roles/nginx/base/tasks/main.yml | 31 | ||||
-rw-r--r-- | roles/nginx/defaults/main.yml | 21 | ||||
-rw-r--r-- | roles/nginx/tasks/main.yml | 68 | ||||
-rw-r--r-- | roles/nginx/vhost/defaults/main.yml | 13 | ||||
-rw-r--r-- | roles/nginx/vhost/handlers/main.yml | 5 | ||||
-rw-r--r-- | roles/nginx/vhost/tasks/acme.yml (renamed from roles/nginx/tasks/acme.yml) | 8 | ||||
-rw-r--r-- | roles/nginx/vhost/tasks/main.yml | 25 | ||||
-rw-r--r-- | roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 (renamed from roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2) | 14 |
15 files changed, 95 insertions, 100 deletions
diff --git a/roles/nginx/base/defaults/main.yml b/roles/nginx/base/defaults/main.yml
new file mode 100644
index 00000000..50920f20
--- /dev/null
+++ b/roles/nginx/base/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+nginx_pkg_variant: nginx-light
+
+nginx_conf_d_files:
+ - connection-upgrade
+
+nginx_snippets:
+ - ssl
+ - hsts
+ - proxy-nobuff
diff --git a/roles/nginx/files/conf.d/connection-upgrade.conf b/roles/nginx/base/files/conf.d/connection-upgrade.conf
index 4153effe..4153effe 100644
--- a/roles/nginx/files/conf.d/connection-upgrade.conf
+++ b/roles/nginx/base/files/conf.d/connection-upgrade.conf
diff --git a/roles/nginx/files/snippets/hsts.conf b/roles/nginx/base/files/snippets/hsts.conf
index 4ca8396e..4ca8396e 100644
--- a/roles/nginx/files/snippets/hsts.conf
+++ b/roles/nginx/base/files/snippets/hsts.conf
diff --git a/roles/nginx/files/snippets/proxy-nobuff.conf b/roles/nginx/base/files/snippets/proxy-nobuff.conf
index b08de70c..b08de70c 100644
--- a/roles/nginx/files/snippets/proxy-nobuff.conf
+++ b/roles/nginx/base/files/snippets/proxy-nobuff.conf
diff --git a/roles/nginx/files/snippets/security-headers.conf b/roles/nginx/base/files/snippets/security-headers.conf
index b94d479d..b94d479d 100644
--- a/roles/nginx/files/snippets/security-headers.conf
+++ b/roles/nginx/base/files/snippets/security-headers.conf
diff --git a/roles/nginx/files/snippets/ssl.conf b/roles/nginx/base/files/snippets/ssl.conf
index d187a7c0..d187a7c0 100644
--- a/roles/nginx/files/snippets/ssl.conf
+++ b/roles/nginx/base/files/snippets/ssl.conf
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/base/handlers/main.yml
index 6deed0cd..6deed0cd 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/base/handlers/main.yml
diff --git a/roles/nginx/base/tasks/main.yml b/roles/nginx/base/tasks/main.yml
new file mode 100644
index 00000000..a975ce52
--- /dev/null
+++ b/roles/nginx/base/tasks/main.yml
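Review bot: `nginx_snippets` in this new defaults file lists only `ssl`, `hsts` and `proxy-nobuff`, so `security-headers.conf`, which the commit moves into `roles/nginx/base/files/snippets/` (see the diffstat), is never copied to `/etc/nginx/snippets/` by the snippets task in `roles/nginx/base/tasks/main.yml`; the 443 server block of `generic-proxy-no-buffering-with-acme.conf.j2` likewise includes `ssl.conf`, `hsts.conf` and `proxy-nobuff.conf` but not `security-headers.conf`. Unless that snippet is pulled in from `ssl.conf` or from a part of the template outside the hunks shown, the shipped file is dead weight and whatever hardening it carries is not applied to any vhost. If it is meant to be on by default, add `  - security-headers` to `nginx_snippets` here and `include snippets/security-headers.conf;` next to the hsts include in the template; if it is opt-in, a one-line comment above `nginx_snippets` saying so would stop the next reader from assuming it is active.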
@@ -0,0 +1,31 @@
+---
+- name: install nginx
+ apt:
+ name: "{{ nginx_pkg_variant }}"
+ state: present
+
+- name: remove nginx default config
+ file:
+ name: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: restart nginx
+
+- name: install nginx config.d files
+ loop: "{{ nginx_conf_d_files }}"
+ copy:
+ src: "conf.d/{{ item }}.conf"
+ dest: /etc/nginx/conf.d/
+ notify: restart nginx
+
+- name: install nginx config snippets
+ loop: "{{ nginx_snippets }}"
+ copy:
+ src: "snippets/{{ item }}.conf"
+ dest: /etc/nginx/snippets/
+ notify: restart nginx
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+ size: 2048
+ notify: restart nginx
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
deleted file mode 100644
index a38a95a0..00000000
--- a/roles/nginx/defaults/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-nginx_pkg_variant: nginx-light
-
-nginx_conf_d_files:
- - connection-upgrade
-
-nginx_snippets:
- - ssl
- - hsts
- - proxy-nobuff
-
-# nginx_vhosts:
-# example:
-# template: generic-proxy-no-buffering-with-acme
-# acme: yes
-# hostnames:
-# - example.com
-# - www.example.com
-# proxy_pass: http://127.0.0.1:8080
-# other.io:
-# content: "<< nginx vhost config file contents >>"
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
deleted file mode 100644
index 57816cea..00000000
--- a/roles/nginx/tasks/main.yml
+++ /dev/null
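Review bot: Every configuration task in this file notifies `restart nginx`, while the new `roles/nginx/vhost` role notifies `reload nginx` for the same class of change, so a run that touches a snippet and a vhost both restarts and reloads the service, and the restart drops live connections for edits that a reload would have applied. The base role's handlers file is a pure rename in this diff, so I am assuming `restart nginx` is a `service: state: restarted`; if so, I would add a `reload nginx` handler there too and use it for the conf.d, snippets and dhparam tasks, since a reload validates the new configuration and keeps serving the old one when it fails, which a restart does not. Only the `remove nginx default config` task has an argument to keep `restart nginx` if the deployment relies on it, and that should be said in a comment on the task.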
@@ -1,68 +0,0 @@
----
-- name: install nginx
- apt:
- name: "{{ nginx_pkg_variant }}"
- state: present
-
-- name: remove nginx default config
- file:
- name: /etc/nginx/sites-enabled/default
- state: absent
- notify: restart nginx
-
-- name: install nginx config.d files
- loop: "{{ nginx_conf_d_files }}"
- copy:
- src: "conf.d/{{ item }}.conf"
- dest: /etc/nginx/conf.d/
- notify: restart nginx
-
-- name: install nginx config snippets
- loop: "{{ nginx_snippets }}"
- copy:
- src: "snippets/{{ item }}.conf"
- dest: /etc/nginx/snippets/
- notify: restart nginx
-
-- name: generate Diffie-Hellman parameters
- openssl_dhparam:
- path: /etc/ssl/dhparams.pem
- size: 2048
- notify: restart nginx
-
-- name: install nginx configs from template
- loop: "{{ nginx_vhosts | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- when: "'template' in item.value"
- template:
- src: "{{ item.value.template }}.conf.j2"
- dest: "/etc/nginx/sites-available/{{ item.key }}"
- notify: restart nginx
-
-- name: install nginx configs from config data
- loop: "{{ nginx_vhosts | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- when: "'content' in item.value"
- copy:
- content: "{{ item.value.content }}"
- dest: "/etc/nginx/sites-available/{{ item.key }}"
- notify: restart nginx
-
-- name: enable vhost config
- loop: "{{ nginx_vhosts | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- file:
- src: "../sites-available/{{ item.key }}"
- dest: "/etc/nginx/sites-enabled/{{ item.key }}"
- state: link
- notify: restart nginx
-
-- name: generate acme certificate
- loop: "{{ nginx_vhosts | dict2items }}"
- loop_control:
- label: "{{ item.key }} ({{ item.value.hostnames | default([]) | join(', ') }})"
- when: "'acme' in item.value and item.value.acme"
- include_tasks: acme.yml
diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
new file mode 100644
index 00000000..dfedb50b
--- /dev/null
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# nginx_vhost:
+# name: example
+# template: generic-proxy-no-buffering-with-acme
+# acme: yes
+# hostnames:
+# - example.com
+# - www.example.com
+# proxy_pass: http://127.0.0.1:8080
+
+# nginx_vhost:
+# name: other-example
+# content: "<<< content of vhost >>>"
diff --git a/roles/nginx/vhost/handlers/main.yml b/roles/nginx/vhost/handlers/main.yml
new file mode 100644
index 00000000..d4e42ca0
--- /dev/null
+++ b/roles/nginx/vhost/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/nginx/tasks/acme.yml b/roles/nginx/vhost/tasks/acme.yml
index b8ab7879..99ad7856 100644
--- a/roles/nginx/tasks/acme.yml
+++ b/roles/nginx/vhost/tasks/acme.yml
@@ -1,6 +1,6 @@
 ---
 - name: check if acme certs already exist
- loop: "{{ item.value.hostnames }}"
+ loop: "{{ nginx_vhost.hostnames }}"
 loop_control:
 loop_var: acme_hostname
 stat:
@@ -9,7 +9,7 @@
 - name: set acmecert_missing_hostnames variable
 set_fact:
- acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(item.value.hostnames) }}"
+ acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(nginx_vhost.hostnames) }}"
 - name: link nonexistent hostnames to self-signed interim cert
 when: acmecert_missing_hostnames | length > 0
@@ -40,5 +40,5 @@
 import_role:
 name: acmetool/cert
 vars:
- acmetool_cert_name: "{{ item.value.hostnames[0] }}"
- acmetool_cert_hostnames: "{{ item.value.hostnames }}"
+ acmetool_cert_name: "{{ nginx_vhost.hostnames[0] }}"
+ acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
new file mode 100644
index 00000000..4de3393d
--- /dev/null
+++ b/roles/nginx/vhost/tasks/main.yml
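Review bot: The commented example for `nginx_vhost` in this new defaults file leaves out `client_max_body_size`, which the `generic-proxy-no-buffering-with-acme` template it names reads via `{% if 'client_max_body_size' in nginx_vhost %}` in the template hunks further down, so a reader of this file does not learn that the knob exists. I would add `# client_max_body_size: 50m` (the value is only an illustration) under `proxy_pass` in the first example. Since the file defines no actual default and the tasks reference `nginx_vhost.name` unconditionally, a line such as `# nginx_vhost has no default; the caller must set it` above the examples would also make the contract explicit.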
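Review bot: With the outer loop gone, `acme.yml` now reads `nginx_vhost.hostnames` directly and the hunk at `@@ -40,5 +40,5 @@` indexes `nginx_vhost.hostnames[0]`, but nothing checks that the key exists or is non-empty — the only gate is `when: "'acme' in nginx_vhost and nginx_vhost.acme"` in `roles/nginx/vhost/tasks/main.yml`, so a vhost with `acme: yes` and no hostnames fails mid-play with an undefined-variable error after the vhost config has already been written and `reload nginx` queued. A guard as the first task of this file would fail fast with a readable message: `- assert: { that: "nginx_vhost.hostnames | default([]) | length > 0", fail_msg: "acme: yes requires a non-empty nginx_vhost.hostnames" }`. The middle hunk's `acme_cert_nonexistent` is a custom filter whose definition is not in this diff, so I cannot tell whether it tolerates an empty list on its own; the top and bottom hunks start or end outside the visible lines of the file.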
@@ -0,0 +1,25 @@
+---
+- name: install nginx configs from template
+ when: "'template' in nginx_vhost"
+ template:
+ src: "{{ nginx_vhost.template }}.conf.j2"
+ dest: "/etc/nginx/sites-available/{{ nginx_vhost.name }}"
+ notify: reload nginx
+
+- name: install nginx configs from config data
+ when: "'content' in nginx_vhost"
+ copy:
+ content: "{{ nginx_vhost.content }}"
+ dest: "/etc/nginx/sites-available/{{ nginx_vhost.name }}"
+ notify: reload nginx
+
+- name: enable vhost config
+ file:
+ src: "../sites-available/{{ nginx_vhost.name }}"
+ dest: "/etc/nginx/sites-enabled/{{ nginx_vhost.name }}"
+ state: link
+ notify: reload nginx
+
+- name: generate acme certificate
+ when: "'acme' in nginx_vhost and nginx_vhost.acme"
+ include_tasks: acme.yml
diff --git a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
index 9f165726..55bd5ac6 100644
--- a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
+++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -1,7 +1,7 @@
 server {
 listen 80;
 listen [::]:80;
- server_name {{ item.value.hostnames | join(' ') }};
+ server_name {{ nginx_vhost.hostnames | join(' ') }};
 include snippets/acmetool.conf;
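Review bot: `nginx_vhost.name` is interpolated unchecked into `dest` of both install tasks and into `src`/`dest` of the `enable vhost config` symlink, so a name that contains a path separator or `..` writes the vhost file outside `sites-available` and the relative symlink then points somewhere unintended; with neither `template` nor `content` set, the symlink task also runs against a file that was never written. The value comes from inventory rather than from a request, so this is a misconfiguration guard rather than an exposure, but failing fast is cheap: `- assert: { that: ["nginx_vhost.name is defined", "nginx_vhost.name is match('^[A-Za-z0-9._-]+$')", "'template' in nginx_vhost or 'content' in nginx_vhost"] }` as the first task. As a point of style, `'template' in nginx_vhost` and `'content' in nginx_vhost` read more idiomatically as `nginx_vhost.template is defined` / `nginx_vhost.content is defined`, and the same applies to `{% if 'client_max_body_size' in nginx_vhost %}` in the template hunk below.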
@@ -13,18 +13,18 @@ server {
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name {{ item.value.hostnames | join(' ') }};
+ server_name {{ nginx_vhost.hostnames | join(' ') }};
 include snippets/acmetool.conf;
 include snippets/ssl.conf;
- ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
+ ssl_certificate /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/privkey;
 include snippets/hsts.conf;
 location / {
 include snippets/proxy-nobuff.conf;
-{% if 'client_max_body_size' in item.value %}
- client_max_body_size {{ item.value.client_max_body_size }};
+{% if 'client_max_body_size' in nginx_vhost %}
+ client_max_body_size {{ nginx_vhost.client_max_body_size }};
 {% endif %}
 proxy_set_header Host $host;
@@ -38,6 +38,6 @@ server {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_pass {{ item.value.proxy_pass }};
+ proxy_pass {{ nginx_vhost.proxy_pass }};
 }
 } |