From 13d7194e4fe987b618b4f9c50b8191993d692697 Mon Sep 17 00:00:00 2001 From: nd Date: Sun, 11 Jul 2021 04:08:39 +0200 Subject: [PATCH 1/2] add support for listen ips --- README.md | 6 +++++ defaults/main.yml | 30 +++++++++++++++++++++++ files/monitoring.cfg | 1 - templates/vhost.conf.j2 | 53 +++++++++++++++++++++++++---------------- 4 files changed, 68 insertions(+), 22 deletions(-) delete mode 100644 files/monitoring.cfg diff --git a/README.md b/README.md index 4b54767..4fa9738 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,12 @@ listen: ssl_port: 443 nossl: False nossl_port: 80 + v4: True + v4_ip: + - 0.0.0.0 + v6: True + v6_ip: + - '[::]' # example: "https://upstream". If set to None no reverse proxy will be set up. backend: None diff --git a/defaults/main.yml b/defaults/main.yml index bfff1c4..d4cbf07 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -14,6 +14,36 @@ nginx: - 8.8.8.8 - 8.8.4.4 +nginx_vhosts_defaults: + listen: + nossl: False + nossl_port: 80 + ssl: True + ssl_port: 443 + v4: True + v4_ip: + - '0.0.0.0' + v6: True + v6_ip: + - '[::]' + custom: [] + servername: [] + default_server: False + locations: [] + includes: [] + add_headers: [] + letsencrypt: False + crt: ~ + key: ~ + auth: + enable: False + path: ~ + satisfy: 'all' + host: '$host' + add_proxy_headers: {} + hide_proxy_headers: {} + backend: ~ + nginx_forcessl_vhost: "https-redirect": listen: diff --git a/files/monitoring.cfg b/files/monitoring.cfg deleted file mode 100644 index efb480d..0000000 --- a/files/monitoring.cfg +++ /dev/null @@ -1 +0,0 @@ -servers=[('http', '127.0.0.1', 5234)] diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2 index 5a3f16c..ee4e200 100644 --- a/templates/vhost.conf.j2 +++ b/templates/vhost.conf.j2 
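Review bot: The new `nginx_vhosts_defaults` dict in the defaults/main.yml hunk is the only fallback left for keys such as `vhost.auth.enable`, `vhost.listen.v4_ip` and `vhost.locations`, because the templates/vhost.conf.j2 hunks in this patch drop every `|default()`/`|d()` guard in favour of `combine(nginx_vhosts_defaults, item.value, recursive=True)`. Ansible replaces, rather than merges, a dict that is overridden from inventory or a play, so a partial `nginx_vhosts_defaults` override (say only `listen: {ssl: false}`) leaves those keys undefined and the template errors out instead of falling back. Either document the contract on the dict, e.g. `# override as a complete dict: vhost.conf.j2 reads every key below without a fallback`, or move it to vars/main.yml so inventory cannot partially shadow it. This note covers the same pattern in the -1,23, -27,12, -50,7, -64,7 and -75,21 hunks of templates/vhost.conf.j2.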
@@ -1,23 +1,34 @@ #jinja2:lstrip_blocks: True -{% set vhost = item.value %} +{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %} {% set vhost_name = item.key %} -{% set vhost_listen = vhost.listen|default({}) %} -{% set vhost_headers = nginx.add_headers|default({})|combine(vhost.add_headers|default({})) %} +{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %} + +{% macro nginx_listen(ips, port, options) %} + {% for ip in ips %} + listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %}; + {% endfor %} +{% endmacro %} server { - {% if vhost.servername|default([])|length > 0 %} + {% if vhost.servername|length > 0 %} server_name {{ vhost.servername|join(' ') }}; {% endif %} - {% if vhost_listen.ssl|default(True) %} - listen {{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; - listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %}; + {% if vhost.listen.ssl %} + {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %} + {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %} + {% endif %} - {% if vhost_listen.nossl|default(False) %} - listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; - listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %}; + + {% if vhost.listen.nossl %} + {% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %} + {% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %} {% endif %} + {% for i in vhost.listen.custom %} + listen {{ i }}; + {% endfor %} + {% for header 
in vhost_headers if header %} add_header {{ header }} "{{ vhost_headers[header] }}"; {% endfor %} @@ -27,12 +38,12 @@ server { {% endfor %} - {% if vhost.backend|default(False) %} + {% if vhost.backend %} location / { proxy_pass {{ vhost.backend }}; # add proxy headers - proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %}; + proxy_set_header Host {{ vhost.host }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; @@ -40,9 +51,9 @@ server { proxy_set_header X-Url-Scheme $scheme; # add custom proxy headers -{% for header in vhost.add_proxy_headers|d({}) if header %} + {% for header in vhost.add_proxy_headers if header %} proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}"; -{% endfor %} + {% endfor %} # Websockets proxy_http_version 1.1; @@ -50,7 +61,7 @@ server { proxy_set_header Connection "upgrade"; # remove custom proxy headers -{% for header in vhost.hide_proxy_headers|d({}) if header %} +{% for header in vhost.hide_proxy_headers if header %} proxy_hide_header {{ header }}; {% endfor %} # hide downstream headers for security reasons @@ -64,7 +75,7 @@ server { } {% endif %} - {% for location in vhost.locations|default([]) %} + {% for location in vhost.locations %} location {{ location.match }} { {% if "alias" in location %} alias {{ location.alias }}; 
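Review bot: The new v4/v6 toggles around the `nginx_listen` macro add a configuration in which a server block ends up with no `listen` directive at all (`v4: False` and `v6: False` with an empty `custom` list, or `ssl: False` left with the default `nossl: False`), and nginx then silently binds that server to `*:80` rather than failing, so a vhost intended to be TLS-only or loopback-only is exposed in plaintext on all interfaces. The template has no check for this and the macro does not surface it. A comment next to the macro would at least warn maintainers, e.g. `{# nginx falls back to *:80 when a server block has no listen directive; keep at least one of v4/v6/custom enabled #}`, and an `assert` over `nginx.vhosts` before the vhost template task would turn the misconfiguration into a play failure. The `server {` block opened in this hunk continues in the following hunks.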
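Review bot: The rewritten `proxy_set_header Host {{ vhost.host }};` line drops the double quotes that the old branch put around an explicitly configured host, so a literal value with characters nginx treats specially (for instance a trailing `;` or whitespace from a sloppy inventory entry) now changes the directive's meaning instead of being passed through as one token. The default `'$host'` is not affected, since nginx interpolates variables inside quoted strings, so quoting unconditionally keeps both cases valid: `proxy_set_header Host "{{ vhost.host }}";`. The enclosing `location /` block starts and ends outside this hunk.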
@@ -75,21 +86,21 @@ server { } {% endfor %} - {% if vhost.auth.enable|default(False) %} + {% if vhost.auth.enable %} auth_basic "restricted area"; auth_basic_user_file {{ vhost.auth.path }}; - satisfy {{ vhost.auth.satisfy|d('all') }}; + satisfy {{ vhost.auth.satisfy }}; {% endif %} - {% for include in vhost.includes|default([]) %} + {% for include in vhost.includes %} include {{ include }}; {% endfor %} - {% if vhost.letsencrypt|d(False) %} + {% if vhost.letsencrypt %} ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt; ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key; - {% elif vhost.crt|d(None) and vhost.key|d(None) %} + {% elif vhost.crt and vhost.key %} ssl_certificate {{ vhost.crt }}; ssl_certificate_key {{ vhost.key }}; {% endif %} From 630a536c7fe52df7297c4b559fed58b593ce315c Mon Sep 17 00:00:00 2001 From: nd Date: Sat, 17 Jul 2021 01:41:43 +0200 Subject: [PATCH 2/2] fix linter --- defaults/main.yml | 5 +++++ tasks/main.yml | 52 ++++++++++++++++++++++------------------------- tasks/php-fpm.yml | 18 ++++++++++------ 3 files changed, 41 insertions(+), 34 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d4cbf07..4479272 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -55,3 +55,8 @@ nginx_forcessl_vhost: - match: '/' custom: - return 301 https://$host$request_uri + +phpinidefault: + post_max_size: 64M + upload_max_filesize: 64M + memory_limit: 128M diff --git a/tasks/main.yml b/tasks/main.yml index 2d36610..92d764c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
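Review bot: With the `|default(False)` guard gone, `{% if vhost.auth.enable %}` now pairs with the new `auth: path: ~` default, so a vhost that sets `auth.enable: True` without `auth.path` renders `auth_basic_user_file None;` and the failure only appears when nginx tries to open a file named `None` (a config-test failure at best, a silently inert restriction if such a file exists). Because the default is `~`, the value is defined-but-None, so `| mandatory` would not catch it; the check needs to look at the value itself, e.g. an `assert` task in tasks/main.yml, run before the vhost template task, that every vhost with `auth.enable` also has a non-empty `auth.path`. The `server {` block this hunk belongs to starts before the hunk.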
@@ -1,16 +1,19 @@ --- -- set_fact: +- name: store nginx vars + set_fact: nginx_certs: "{{ nginx.vhosts|nginx_vhosts_to_certificates }}" inventory_certs: "{{ certificates.certs|d({}) }}" selfsigned_cert: "{ '{{ inventory_hostname }}': { 'backend': 'selfsigned' }}" -- include_role: +- name: generate certificates for vhosts + include_role: name: certificates vars: certificates: certs: "{{ {}|combine( (selfsigned_cert|from_yaml if nginx.snakeoil_default else {}), nginx_certs, inventory_certs, recursive=True) }}" -- debug: +- name: debug nginx dict + debug: verbosity: 1 var: nginx @@ -38,34 +41,24 @@ template: src: ssl_files.conf.j2 dest: /etc/nginx/conf.d/ssl_files.conf + owner: root + group: root + mode: 0644 notify: - restart nginx -- name: execute dns template +- name: execute templates + loop: + - dns.conf + - upstreams.conf + - proxy.conf + - maps.conf template: - src: dns.conf.j2 - dest: /etc/nginx/conf.d/dns.conf - notify: - - restart nginx - -- name: execute upstream template - template: - src: upstreams.conf.j2 - dest: /etc/nginx/conf.d/upstreams.conf - notify: - - restart nginx - -- name: execute proxy template - template: - src: proxy.conf.j2 - dest: /etc/nginx/conf.d/proxy.conf - notify: - - restart nginx - -- name: execute maps template - template: - src: maps.conf.j2 - dest: /etc/nginx/conf.d/maps.conf + src: "{{ item }}.j2" + dest: "/etc/nginx/conf.d/{{ item }}" + owner: root + group: root + mode: 0644 notify: - restart nginx @@ -73,6 +66,9 @@ template: src: vhost.conf.j2 dest: "/etc/nginx/sites-available/{{ item.key }}" + owner: root + group: root + mode: 0644 with_dict: "{{ {}|combine((nginx_forcessl_vhost if nginx.force_ssl else {}), nginx.vhosts, recursive=True) }}" notify: - restart nginx @@ -93,7 +89,7 @@ copy: src: monitoring dest: /etc/nginx/sites-available/nginx-status - mode: 0755 + mode: 0644 notify: - restart nginx diff --git a/tasks/php-fpm.yml b/tasks/php-fpm.yml index 820e2a9..7aa989c 100644 --- a/tasks/php-fpm.yml +++ b/tasks/php-fpm.yml 
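Review bot: The last hunk of tasks/main.yml tightens the monitoring site file from `mode: 0755` to `mode: 0644` but, unlike every other `template`/`copy` task touched by this commit, does not add `owner: root` and `group: root`, so that one file keeps whatever owner the connecting user has. For consistency with the rest of the patch, add the same two lines under the `copy:` block next to `mode: 0644`. The `copy` task's `src`/`dest` lines are context here, so the task itself is otherwise unchanged.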
@@ -35,6 +35,9 @@ copy: src: php-fpm/snippet-php dest: /etc/nginx/snippets/php + owner: root + group: root + mode: 0644 notify: - reload nginx @@ -42,6 +45,9 @@ template: src: php-fpm/upstream-php.conf.j2 dest: /etc/nginx/conf.d/php.conf + owner: root + group: root + mode: 0644 notify: - reload nginx @@ -49,22 +55,22 @@ template: dest: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf" src: php-fpm/www.conf.j2 + owner: root + group: root mode: 0644 notify: - restart php-fpm -- set_fact: - phpinidefault: - post_max_size: 64M - upload_max_filesize: 64M - memory_limit: 128M -- set_fact: +- name: apply php ini defaults + set_fact: phpini: "{{ phpinidefault|combine( {} if (nginx.php == True) else nginx.php.ini|d({}) ) }}" - name: copy php-fpm php.ini template: dest: "/etc/php/{{ php_version }}/fpm/php.ini" src: php-fpm/php.ini.j2 + owner: root + group: root mode: 0644 notify: - restart php-fpm
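Review bot: In the -49,22 hunk the newly named "apply php ini defaults" task still evaluates `nginx.php == True`, a literal boolean comparison that ansible-lint's literal-compare rule (if enabled in this repository's config) reports, which sits oddly in a commit titled "fix linter". The identity test keeps the existing semantics (a dict value is not `True` and falls through to `nginx.php.ini|d({})`): `phpini: "{{ phpinidefault|combine({} if (nginx.php is sameas true) else nginx.php.ini|d({})) }}"`. Note also that `phpinidefault` is now a role default rather than a fact, so an inventory variable of that name takes precedence over it; that is presumably intended, but worth a line in README.md.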