ansible-personal/roles/nginx/tasks/main.yml

---
- name: Add nginx.org apt signing key
  apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
  register: add_nginx_apt_key
  tags: nginx, packages

- name: Add nginx.org repo
  template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
  register: add_nginx_apt_repository
  tags: nginx, packages

- name: Update apt cache
  apt:
    update_cache: yes
  when:
    add_nginx_apt_key is changed or
    add_nginx_apt_repository is changed

- name: Set nginx packages
  set_fact:
    nginx_packages:
      - nginx
      - ssl-cert # for ssl-cert-snakeoil.pem in nginx
  tags: nginx, packages

- name: Install nginx packages
  apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
  tags: nginx, packages

- name: Copy nginx.conf
  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
  notify:
    - reload nginx
  tags: nginx

- name: Copy extra nginx configs
  copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
  loop:
    - extra-security.conf
    - fastcgi_cache
  notify:
    - reload nginx
  tags: nginx

- name: Remove default nginx vhost
  file: path=/etc/nginx/conf.d/default.conf state=absent
  tags: nginx

- name: Create fastcgi cache dir
  file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
  tags: nginx

- name: Configure nginx virtual hosts
  include_tasks: vhosts.yml
  when: nginx_vhosts is defined
  tags: nginx

- name: Configure WordPress
  include_tasks: wordpress.yml
  when: nginx_vhosts is defined
  tags: wordpress

- name: Configure blank nginx vhost
  template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
  notify:
    - reload nginx
  tags: nginx

- name: Configure munin vhost
  copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
  notify:
    - reload nginx
  tags: nginx

- name: Start and enable nginx service
  systemd: name=nginx state=started enabled=yes
  tags: nginx

- name: Configure Let's Encrypt
  include_tasks: letsencrypt.yml
  tags: letsencrypt

# vim: set ts=2 sw=2:
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`---`
			`- name: Add nginx.org apt signing key`
roles/nginx: Add nginx signing key id to apt_key task When you give Ansible the key id it will check if the key exists before trying to download and add it. I got the long fingerprint from `sudo apt-key finger`. 2016-08-22 15:19:25 +02:00			`apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present`
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 16:29:15 +01:00			`register: add_nginx_apt_key`
Add 'packages' tag to any task doing package stuff For idempotence we need to run all apt-related tasks, like editing source files, adding keys, installing packages, etc, when running the 'packages' tag. 2016-08-14 15:33:48 +02:00			`tags: nginx, packages`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/nginx: Use template for nginx repo A template is better than ansible's `apt_repository` module because we can idempotently control the contents of the file based on vari- ables. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-24 23:15:49 +02:00			`- name: Add nginx.org repo`
roles/nginx: Rename nginx sources.list template Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-08-23 12:24:43 +02:00			`template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644`
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 16:29:15 +01:00			`register: add_nginx_apt_repository`
Add 'packages' tag to any task doing package stuff For idempotence we need to run all apt-related tasks, like editing source files, adding keys, installing packages, etc, when running the 'packages' tag. 2016-08-14 15:33:48 +02:00			`tags: nginx, packages`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
Smarter updating of apt index during playbook execution We can register changes when adding repositories and keys and then update the apt package index conditionally. This should make it be more consistent between initial host setup and subsequent re-runs. 2019-03-17 16:29:15 +01:00			`- name: Update apt cache`
			`apt:`
			`update_cache: yes`
			`when:`
			`add_nginx_apt_key is changed or`
			`add_nginx_apt_repository is changed`

roles/nginx: Use snakeoil cert from ssl-cert Instead of manually creating our own self-signed certificate we can use the one created automatically by the ssl-cert package on Debian. This is only used by the dummy default HTTPS vhost. 2021-07-01 17:11:34 +02:00			`- name: Set nginx packages`
			`set_fact:`
			`nginx_packages:`
			`- nginx`
			`- ssl-cert # for ssl-cert-snakeoil.pem in nginx`
roles/nginx: Add convenience tags to fact task 2021-07-01 17:17:14 +02:00			`tags: nginx, packages`
roles/nginx: Use snakeoil cert from ssl-cert Instead of manually creating our own self-signed certificate we can use the one created automatically by the ssl-cert package on Debian. This is only used by the dummy default HTTPS vhost. 2021-07-01 17:11:34 +02:00
			`- name: Install nginx packages`
			`apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present`
Add 'packages' tag to any task doing package stuff For idempotence we need to run all apt-related tasks, like editing source files, adding keys, installing packages, etc, when running the 'packages' tag. 2016-08-14 15:33:48 +02:00			`tags: nginx, packages`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/nginx: Updates to accomodate Debian 9 (stretch) There are currently no nginx.org builds for Debian 9, so we need to use the package from Debian's repository. This package provides a www-data user and group instead of an nginx one. We can revert some of this after Debian 9 is released and official builds come from nginx.org (though it might be useful to keep the main nginx.conf as a template). 2017-01-30 14:43:03 +01:00			`- name: Copy nginx.conf`
			`template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root`
			`notify:`
			`- reload nginx`
			`tags: nginx`

			`- name: Copy extra nginx configs`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root`
Update with_items loops to use new-ish "loop" keyword Ansible 2.4 and 2.5 are moving away from specialized loop functions and the old syntax will eventually be deprecated and removed. I did not change the with_fileglob loops because I'm not sure about their syntax yet. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html 2018-04-02 14:52:51 +02:00			`loop:`
roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-01-24 11:05:42 +01:00			`- extra-security.conf`
roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-10 21:04:28 +01:00			`- fastcgi_cache`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`notify:`
			`- reload nginx`
			`tags: nginx`

			`- name: Remove default nginx vhost`
			`file: path=/etc/nginx/conf.d/default.conf state=absent`
			`tags: nginx`

roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-02-19 16:49:39 +01:00			`- name: Create fastcgi cache dir`
			`file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755`
roles/nginx: Add missing nginx tag The creation of the fastcgi cache dir is part of the nginx role and should be labled as such. In situations where you only run nginx tasks with `-t nginx` nginx will fail to start due to the missing cache dir. 2016-04-15 11:29:35 +02:00			`tags: nginx`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
Add names to include tasks Raised by ansible-lint in the following rule: [ANSIBLE0011] All tasks should be named 2017-10-03 14:02:38 +02:00			`- name: Configure nginx virtual hosts`
roles/nginx: Use dynamic includes for tasks As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed to introduce the notion of static imports and dynamic includes. If the tasks doing the import is using variable interpolation or conditionals then the task should be dynamic. This results in quicker playbook runs due to less importing of unneccessary tasks. One side effect of this is that child tasks of dynamic includes do not inherit their parents' tags so you must tag them explicitly or a block. 2018-04-26 09:45:01 +02:00			`include_tasks: vhosts.yml`
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts Everything is TLS now (whether self-signed or not), so it's pointless to distinguish. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-12-09 23:14:47 +01:00			`when: nginx_vhosts is defined`
roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:03:34 +02:00			`tags: nginx`

roles/nginx: Move WordPress tasks to separate file Because of the shift from static imports to dynamic includes these tags will never be reached unless they have their own task that is tagged at the top-level (dynamic includes don't pass their tags to their children). 2018-04-26 16:09:09 +02:00			`- name: Configure WordPress`
			`include_tasks: wordpress.yml`
			`when: nginx_vhosts is defined`
			`tags: wordpress`

roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00			`- name: Configure blank nginx vhost`
			`template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root`
			`notify:`
			`- reload nginx`
roles/nginx: Add missing nginx tag to blank vhost task Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-05 23:05:09 +02:00			`tags: nginx`
roles/nginx: Add blank vhost For security and predictability clients should only get a reponse if they request a hostname we are actually hosting. If TLS is in use then this will use a self-signed snakeoil cert for an HTTPS-enabled blank, default vhost. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 22:30:06 +02:00
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`- name: Configure munin vhost`
			`copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root`
			`notify:`
			`- reload nginx`
			`tags: nginx`

roles/nginx: Replace "&" with "and" 2016-06-27 18:13:20 +02:00			`- name: Start and enable nginx service`
roles/nginx: Use systemd module instead of service 2017-11-03 11:19:58 +01:00			`systemd: name=nginx state=started enabled=yes`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`tags: nginx`
roles/nginx: Add vim modeline to main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:00:42 +02:00
roles/nginx: Add name to Let's Encrypt task All tasks should have names, even if they are just including other tasks. 2018-04-26 16:12:22 +02:00			`- name: Configure Let's Encrypt`
			`include_tasks: letsencrypt.yml`
roles/nginx: Use dynamic includes for Let's Encrypt As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed to introduce the notion of static imports and dynamic includes. If the tasks doing the import is using variable interpolation or conditionals then the task should be dynamic. This results in quicker playbook runs due to less importing of unneccessary tasks. One side effect of this is that child tasks of dynamic includes do not inherit their parents' tags so you must tag them explicitly or a block. Also, I had to move the letsencrypt tasks to the main task file so the tags were available (due to dynamic tasks not inheriting tags). 2018-04-26 10:00:47 +02:00			`tags: letsencrypt`

roles/nginx: Add vim modeline to main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 19:00:42 +02:00			`# vim: set ts=2 sw=2:`