Initial commit

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00
commit 60b8ecdd4c
36 changed files with 1450 additions and 0 deletions
--- a/roles/nginx/files/munin.conf
+++ b/roles/nginx/files/munin.conf
@ -0,0 +1,23 @@
+# nginx status module + munin aliases
+server {
+    listen localhost:80;
+
+    location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+    }
+
+    location /munin/static/ {
+        alias /etc/munin/static/;
+        expires modified +1w;
+    }
+
+    location /munin/ {
+        alias /var/cache/munin/www/;
+        expires modified +310s;
+    }
+}
+
+# vim: set ts=4 sw=4:
--- a/roles/nginx/files/nginx.conf
+++ b/roles/nginx/files/nginx.conf
@ -0,0 +1,41 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log error;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server_tokens off;
+
+    access_log off;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 860;
+    gzip_disable "msie6";
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css text/xml application/rss+xml application/javascript;
+
+    client_max_body_size 12m;
+
+    include /etc/nginx/conf.d/*.conf;
+}
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service: name=nginx state=reloaded
+
+# vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,48 @@
+---
+- name: Add nginx.org apt signing key
+  apt_key: url=http://nginx.org/keys/nginx_signing.key state=present
+  tags: nginx
+
+- name: Add nginx.org stable repo
+  apt_repository: repo="deb http://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx" state=present
+  tags: nginx
+
+- name: Install nginx
+  apt: pkg=nginx update_cache=yes
+  tags: nginx
+
+- name: Copy nginx config
+  copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
+  with_items:
+    - nginx.conf
+  notify:
+    - reload nginx
+  tags: nginx
+
+- name: Remove default nginx vhost
+  file: path=/etc/nginx/conf.d/default.conf state=absent
+  tags: nginx
+
+# need to modularize so we can have different vhosts in different files (apples.com and bananas.com in separate config files)
+- name: Configure nginx vhosts
+  template: src={{ item }} dest=/etc/nginx/conf.d/{{ inventory_hostname }}.conf mode=0644 owner=root group=root
+  with_first_found:
+    - "../templates/{{ inventory_hostname }}.conf.j2"
+    - "../templates/default.conf.j2"
+  notify:
+    - reload nginx
+  tags: nginx
+
+- name: Configure munin vhost
+  copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
+  notify:
+    - reload nginx
+  tags: nginx
+
+- name: Generate 2048-bit dhparam
+  command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
+  tags: nginx
+
+- name: Start & enable nginx service
+  service: name=nginx state=started enabled=yes
+  tags: nginx
--- a/roles/nginx/templates/default.conf.j2
+++ b/roles/nginx/templates/default.conf.j2
@ -0,0 +1,9 @@
+server {
+    listen       80;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+}
--- a/roles/nginx/templates/web01.conf.j2
+++ b/roles/nginx/templates/web01.conf.j2
@ -0,0 +1,35 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server ipv6only=on;
+
+    root /usr/share/nginx/html;
+
+    server_name web01.mjanja.co.ke;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+
+    location ~ \.php$ {
+        # Zero-day exploit defense.
+        # http://forum.nginx.org/read.php?2,88845,page=3
+        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
+        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
+        try_files $uri =404;
+
+        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+        fastcgi_pass php5-fpm-sock;
+        fastcgi_index index.php;
+        # set script path relative to document root in server block
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+    }
+}