ansible-personal/roles/nginx/tasks/main.yml

---
- name: Remove nginx apt signing key from apt-key
  ansible.builtin.apt_key:
    id: "053473772654754373614404074646527257655730117366337542"
    state: absent
  tags:
    - packages
    - nginx

- name: Download nginx apt signing key
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /usr/share/keyrings/nginx_signing.key
    owner: root
    group: root
    mode: "0644"
    checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
  register: download_nginx_signing_key
  tags:
    - packages
    - nginx

- name: Add nginx.org repo
  ansible.builtin.template:
    src: nginx_org_sources.list.j2
    dest: /etc/apt/sources.list.d/nginx_org_sources.list
    owner: root
    group: root
    mode: "0644"
  register: add_nginx_apt_repository
  tags:
    - nginx
    - packages

- name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed

- name: Install nginx
  ansible.builtin.apt:
    pkg: nginx
    cache_valid_time: 3600
    state: present
  tags:
    - nginx
    - packages

- name: Copy nginx.conf
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx

- name: Copy extra nginx configs
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /etc/nginx/{{ item }}
    mode: "0644"
    owner: root
    group: root
  loop:
    - extra-security.conf
    - fastcgi_cache
  notify:
    - reload nginx
  tags: nginx

- name: Remove default nginx vhost
  ansible.builtin.file:
    path: /etc/nginx/conf.d/default.conf
    state: absent
  tags: nginx

- name: Create fastcgi cache dir
  ansible.builtin.file:
    path: /var/cache/nginx/cached/fastcgi
    state: directory
    owner: nginx
    group: nginx
    mode: "0755"
  tags: nginx

- name: Configure nginx virtual hosts
  ansible.builtin.include_tasks: vhosts.yml
  when: nginx_vhosts is defined
  tags: nginx

- name: Configure WordPress
  ansible.builtin.include_tasks: wordpress.yml
  when: nginx_vhosts is defined
  tags: wordpress

- name: Configure blank nginx vhost
  ansible.builtin.template:
    src: blank-vhost.conf.j2
    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx

- name: Configure munin vhost
  ansible.builtin.copy:
    src: munin.conf
    dest: /etc/nginx/conf.d/munin.conf
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx

- name: Start and enable nginx service
  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
  tags: nginx

- name: Configure Let's Encrypt
  ansible.builtin.include_tasks: letsencrypt.yml
  tags: letsencrypt

# vim: set ts=2 sw=2:
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`---`
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00			`- name: Remove nginx apt signing key from apt-key`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.apt_key:`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`id: "053473772654754373614404074646527257655730117366337542"`
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00			`state: absent`
			`tags:`
			`- packages`
			`- nginx`

			`- name: Download nginx apt signing key`
			`ansible.builtin.get_url:`
			`url: https://nginx.org/keys/nginx_signing.key`
			`dest: /usr/share/keyrings/nginx_signing.key`
			`owner: root`
			`group: root`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0644"`
roles/nginx: update signing key 2024-06-25 08:11:59 +03:00			`checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a`
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00			`register: download_nginx_signing_key`
			`tags:`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`- packages`
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00			`- nginx`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00
roles/nginx: Use template for nginx repo A template is better than ansible's `apt_repository` module because we can idempotently control the contents of the file based on vari- ables. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-25 00:15:49 +03:00			`- name: Add nginx.org repo`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.template:`
			`src: nginx_org_sources.list.j2`
			`dest: /etc/apt/sources.list.d/nginx_org_sources.list`
			`owner: root`
			`group: root`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0644"`
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 17:29:15 +02:00			`register: add_nginx_apt_repository`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`tags:`
			`- nginx`
			`- packages`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 17:29:15 +02:00			`- name: Update apt cache`
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00			`ansible.builtin.apt: # noqa no-handler`
roles: strict truthy values According to Ansible we can use yes, true, True, "or any quoted st- ring" for a boolean true, but ansible-lint wants us to use either true or false. See: https://chronicler.tech/red-hat-ansible-yes-no-and/ 2022-09-10 22:33:19 +03:00			`update_cache: true`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed`
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 17:29:15 +02:00
roles/nginx: generate snakeoil cert manually The ssl-cert does this, but it includes the hostname of the server as the subject name in the cert, which is a huge leak of privacy. 2021-09-27 10:48:24 +03:00			`- name: Install nginx`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.apt:`
			`pkg: nginx`
			`cache_valid_time: 3600`
			`state: present`
			`tags:`
			`- nginx`
			`- packages`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00
roles/nginx: Updates to accomodate Debian 9 (stretch) There are currently no nginx.org builds for Debian 9, so we need to use the package from Debian's repository. This package provides a www-data user and group instead of an nginx one. We can revert some of this after Debian 9 is released and official builds come from nginx.org (though it might be useful to keep the main nginx.conf as a template). 2017-01-30 15:43:03 +02:00			`- name: Copy nginx.conf`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.template:`
			`src: nginx.conf.j2`
			`dest: /etc/nginx/nginx.conf`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0644"`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`owner: root`
			`group: root`
roles/nginx: Updates to accomodate Debian 9 (stretch) There are currently no nginx.org builds for Debian 9, so we need to use the package from Debian's repository. This package provides a www-data user and group instead of an nginx one. We can revert some of this after Debian 9 is released and official builds come from nginx.org (though it might be useful to keep the main nginx.conf as a template). 2017-01-30 15:43:03 +02:00			`notify:`
			`- reload nginx`
			`tags: nginx`

			`- name: Copy extra nginx configs`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.copy:`
			`src: "{{ item }}"`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`dest: /etc/nginx/{{ item }}`
			`mode: "0644"`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`owner: root`
			`group: root`
Update with_items loops to use new-ish "loop" keyword Ansible 2.4 and 2.5 are moving away from specialized loop functions and the old syntax will eventually be deprecated and removed. I did not change the with_fileglob loops because I'm not sure about their syntax yet. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html 2018-04-02 15:52:51 +03:00			`loop:`
roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-01-24 13:05:42 +03:00			`- extra-security.conf`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 23:04:28 +03:00			`- fastcgi_cache`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`notify:`
			`- reload nginx`
			`tags: nginx`

			`- name: Remove default nginx vhost`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.file:`
			`path: /etc/nginx/conf.d/default.conf`
			`state: absent`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`tags: nginx`

roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-19 18:49:39 +03:00			`- name: Create fastcgi cache dir`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.file:`
			`path: /var/cache/nginx/cached/fastcgi`
			`state: directory`
			`owner: nginx`
			`group: nginx`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0755"`
roles/nginx: Add missing nginx tag The creation of the fastcgi cache dir is part of the nginx role and should be labled as such. In situations where you only run nginx tasks with `-t nginx` nginx will fail to start due to the missing cache dir. 2016-04-15 12:29:35 +03:00			`tags: nginx`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00
Add names to include tasks Raised by ansible-lint in the following rule: [ANSIBLE0011] All tasks should be named 2017-10-03 15:02:38 +03:00			`- name: Configure nginx virtual hosts`
roles: use fully qualified module names 2022-09-10 18:09:12 +03:00			`ansible.builtin.include_tasks: vhosts.yml`
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts Everything is TLS now (whether self-signed or not), so it's pointless to distinguish. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-10 00:14:47 +02:00			`when: nginx_vhosts is defined`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 20:03:34 +03:00			`tags: nginx`

roles/nginx: Move WordPress tasks to separate file Because of the shift from static imports to dynamic includes these tags will never be reached unless they have their own task that is tagged at the top-level (dynamic includes don't pass their tags to their children). 2018-04-26 17:09:09 +03:00			`- name: Configure WordPress`
roles: use fully qualified module names 2022-09-10 18:09:12 +03:00			`ansible.builtin.include_tasks: wordpress.yml`
roles/nginx: Move WordPress tasks to separate file Because of the shift from static imports to dynamic includes these tags will never be reached unless they have their own task that is tagged at the top-level (dynamic includes don't pass their tags to their children). 2018-04-26 17:09:09 +03:00			`when: nginx_vhosts is defined`
			`tags: wordpress`

roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:30:06 +03:00			`- name: Configure blank nginx vhost`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.template:`
			`src: blank-vhost.conf.j2`
			`dest: "{{ nginx_confd_path }}/blank-vhost.conf"`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0644"`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`owner: root`
			`group: root`
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:30:06 +03:00			`notify:`
			`- reload nginx`
roles/nginx: Add missing nginx tag to blank vhost task Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-06 00:05:09 +03:00			`tags: nginx`
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:30:06 +03:00
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`- name: Configure munin vhost`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.copy:`
			`src: munin.conf`
			`dest: /etc/nginx/conf.d/munin.conf`
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00			`mode: "0644"`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`owner: root`
			`group: root`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`notify:`
			`- reload nginx`
			`tags: nginx`

roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00			`- name: Start and enable nginx service`
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00			`ansible.builtin.systemd:`
			`name: nginx`
			`state: started`
			`enabled: true`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`tags: nginx`
roles/nginx: Add vim modeline to main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 20:00:42 +03:00
roles/nginx: Add name to Let's Encrypt task All tasks should have names, even if they are just including other tasks. 2018-04-26 17:12:22 +03:00			`- name: Configure Let's Encrypt`
roles: use fully qualified module names 2022-09-10 18:09:12 +03:00			`ansible.builtin.include_tasks: letsencrypt.yml`
roles/nginx: Use dynamic includes for Let's Encrypt As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed to introduce the notion of static imports and dynamic includes. If the tasks doing the import is using variable interpolation or conditionals then the task should be dynamic. This results in quicker playbook runs due to less importing of unneccessary tasks. One side effect of this is that child tasks of dynamic includes do not inherit their parents' tags so you must tag them explicitly or a block. Also, I had to move the letsencrypt tasks to the main task file so the tags were available (due to dynamic tasks not inheriting tags). 2018-04-26 11:00:47 +03:00			`tags: letsencrypt`

roles/nginx: Add vim modeline to main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 20:00:42 +03:00			`# vim: set ts=2 sw=2:`