Merge branch 'master' of ssh://git-ssh.notandy.de:2222/ansible/roles/nginx
commit
13cb31da67
6 changed files with 109 additions and 56 deletions
|
|
@ -69,6 +69,12 @@ listen:
|
|||
ssl_port: 443
|
||||
nossl: False
|
||||
nossl_port: 80
|
||||
v4: True
|
||||
v4_ip:
|
||||
- 0.0.0.0
|
||||
v6: True
|
||||
v6_ip:
|
||||
- '[::]'
|
||||
|
||||
# example: "https://upstream". If set to None no reverse proxy will be set up.
|
||||
backend: None
|
||||
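Review bot: `backend: None` at the end of this hunk is the YAML string "None", not a null, so the rewritten template guard `{% if vhost.backend %}` in this commit treats it as truthy and renders `proxy_pass None;` for anyone who copies the example. The role defaults added in the same commit use `backend: ~`; the example should match, e.g. `backend: ~` with the comment reworded to `# example: "https://upstream". Leave unset (null) and no reverse proxy will be set up.`. If this block is the README example, the `listen` entries would also read better matching the defaults' quoting (`- '0.0.0.0'`) and the portable `true`/`false` spellings.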
|
|
|
|||
|
|
@ -14,6 +14,36 @@ nginx:
|
|||
- 8.8.8.8
|
||||
- 8.8.4.4
|
||||
|
||||
nginx_vhosts_defaults:
|
||||
listen:
|
||||
nossl: False
|
||||
nossl_port: 80
|
||||
ssl: True
|
||||
ssl_port: 443
|
||||
v4: True
|
||||
v4_ip:
|
||||
- '0.0.0.0'
|
||||
v6: True
|
||||
v6_ip:
|
||||
- '[::]'
|
||||
custom: []
|
||||
servername: []
|
||||
default_server: False
|
||||
locations: []
|
||||
includes: []
|
||||
add_headers: []
|
||||
letsencrypt: False
|
||||
crt: ~
|
||||
key: ~
|
||||
auth:
|
||||
enable: False
|
||||
path: ~
|
||||
satisfy: 'all'
|
||||
host: '$host'
|
||||
add_proxy_headers: {}
|
||||
hide_proxy_headers: {}
|
||||
backend: ~
|
||||
|
||||
nginx_forcessl_vhost:
|
||||
"https-redirect":
|
||||
listen:
|
||||
|
|
@ -25,3 +55,8 @@ nginx_forcessl_vhost:
|
|||
- match: '/'
|
||||
custom:
|
||||
- return 301 https://$host$request_uri
|
||||
|
||||
phpinidefault:
|
||||
post_max_size: 64M
|
||||
upload_max_filesize: 64M
|
||||
memory_limit: 128M
|
||||
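Review bot: `add_headers: []` in `nginx_vhosts_defaults` is a list, but the template in this commit merges it with `{}|combine(nginx.add_headers, vhost.add_headers)` and then indexes `vhost_headers[header]`, which only works for a mapping; `combine` rejects a non-mapping argument, so a vhost that does not override `add_headers` would presumably fail to render. It should read `add_headers: {}`, matching `add_proxy_headers: {}` and `hide_proxy_headers: {}` a few lines below. Separately, the `True`/`False` literals throughout this hunk are YAML 1.1 spellings that yamllint's truthy rule flags; `true`/`false` is the portable form.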
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
servers=[('http', '127.0.0.1', 5234)]
|
||||
|
|
@ -1,16 +1,19 @@
|
|||
---
|
||||
- set_fact:
|
||||
- name: store nginx vars
|
||||
set_fact:
|
||||
nginx_certs: "{{ nginx.vhosts|nginx_vhosts_to_certificates }}"
|
||||
inventory_certs: "{{ certificates.certs|d({}) }}"
|
||||
selfsigned_cert: "{ '{{ inventory_hostname }}': { 'backend': 'selfsigned' }}"
|
||||
|
||||
- include_role:
|
||||
- name: generate certificates for vhosts
|
||||
include_role:
|
||||
name: certificates
|
||||
vars:
|
||||
certificates:
|
||||
certs: "{{ {}|combine( (selfsigned_cert|from_yaml if nginx.snakeoil_default else {}), nginx_certs, inventory_certs, recursive=True) }}"
|
||||
|
||||
- debug:
|
||||
- name: debug nginx dict
|
||||
debug:
|
||||
verbosity: 1
|
||||
var: nginx
|
||||
|
||||
|
|
@ -38,34 +41,24 @@
|
|||
template:
|
||||
src: ssl_files.conf.j2
|
||||
dest: /etc/nginx/conf.d/ssl_files.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart nginx
|
||||
|
||||
- name: execute dns template
|
||||
- name: execute templates
|
||||
loop:
|
||||
- dns.conf
|
||||
- upstreams.conf
|
||||
- proxy.conf
|
||||
- maps.conf
|
||||
template:
|
||||
src: dns.conf.j2
|
||||
dest: /etc/nginx/conf.d/dns.conf
|
||||
notify:
|
||||
- restart nginx
|
||||
|
||||
- name: execute upstream template
|
||||
template:
|
||||
src: upstreams.conf.j2
|
||||
dest: /etc/nginx/conf.d/upstreams.conf
|
||||
notify:
|
||||
- restart nginx
|
||||
|
||||
- name: execute proxy template
|
||||
template:
|
||||
src: proxy.conf.j2
|
||||
dest: /etc/nginx/conf.d/proxy.conf
|
||||
notify:
|
||||
- restart nginx
|
||||
|
||||
- name: execute maps template
|
||||
template:
|
||||
src: maps.conf.j2
|
||||
dest: /etc/nginx/conf.d/maps.conf
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/nginx/conf.d/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart nginx
|
||||
|
||||
|
|
@ -73,6 +66,9 @@
|
|||
template:
|
||||
src: vhost.conf.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.key }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
with_dict: "{{ {}|combine((nginx_forcessl_vhost if nginx.force_ssl else {}), nginx.vhosts, recursive=True) }}"
|
||||
notify:
|
||||
- restart nginx
|
||||
|
|
@ -93,7 +89,7 @@
|
|||
copy:
|
||||
src: monitoring
|
||||
dest: /etc/nginx/sites-available/nginx-status
|
||||
mode: 0755
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart nginx
|
||||
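Review bot: The new `mode: 0644` values (the ssl_files template, the looped conf.d templates, the vhost template and the nginx-status copy) are unquoted leading-zero literals; PyYAML reads them as the octal integer 420, which Ansible applies correctly, but a YAML 1.2 loader reads decimal 644 and ansible-lint flags the form as risky, so write `mode: "0644"`. The same applies to the four `mode: 0644` lines added in the php-fpm task file of this commit. The `owner: root`/`group: root` additions and the 0755→0644 change on the nginx-status site file are the right direction for files nginx only needs to read.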
|
||||
|
|
|
|||
|
|
@ -35,6 +35,9 @@
|
|||
copy:
|
||||
src: php-fpm/snippet-php
|
||||
dest: /etc/nginx/snippets/php
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
|
|
@ -42,6 +45,9 @@
|
|||
template:
|
||||
src: php-fpm/upstream-php.conf.j2
|
||||
dest: /etc/nginx/conf.d/php.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
|
|
@ -49,22 +55,22 @@
|
|||
template:
|
||||
dest: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
|
||||
src: php-fpm/www.conf.j2
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart php-fpm
|
||||
|
||||
- set_fact:
|
||||
phpinidefault:
|
||||
post_max_size: 64M
|
||||
upload_max_filesize: 64M
|
||||
memory_limit: 128M
|
||||
- set_fact:
|
||||
- name: apply php ini defaults
|
||||
set_fact:
|
||||
phpini: "{{ phpinidefault|combine( {} if (nginx.php == True) else nginx.php.ini|d({}) ) }}"
|
||||
|
||||
- name: copy php-fpm php.ini
|
||||
template:
|
||||
dest: "/etc/php/{{ php_version }}/fpm/php.ini"
|
||||
src: php-fpm/php.ini.j2
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart php-fpm
|
||||
|
|
|
|||
|
|
@ -1,23 +1,34 @@
|
|||
#jinja2:lstrip_blocks: True
|
||||
{% set vhost = item.value %}
|
||||
{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %}
|
||||
{% set vhost_name = item.key %}
|
||||
{% set vhost_listen = vhost.listen|default({}) %}
|
||||
{% set vhost_headers = nginx.add_headers|default({})|combine(vhost.add_headers|default({})) %}
|
||||
{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %}
|
||||
|
||||
{% macro nginx_listen(ips, port, options) %}
|
||||
{% for ip in ips %}
|
||||
listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %};
|
||||
{% endfor %}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
{% if vhost.servername|default([])|length > 0 %}
|
||||
{% if vhost.servername|length > 0 %}
|
||||
server_name {{ vhost.servername|join(' ') }};
|
||||
{% endif %}
|
||||
|
||||
{% if vhost_listen.ssl|default(True) %}
|
||||
listen {{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %};
|
||||
listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl http2 {% if vhost.default_server|default(False) %}default_server{% endif %};
|
||||
{% if vhost.listen.ssl %}
|
||||
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
|
||||
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{% if vhost_listen.nossl|default(False) %}
|
||||
listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
|
||||
listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
|
||||
|
||||
{% if vhost.listen.nossl %}
|
||||
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %}
|
||||
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% for i in vhost.listen.custom %}
|
||||
listen {{ i }};
|
||||
{% endfor %}
|
||||
|
||||
{% for header in vhost_headers if header %}
|
||||
add_header {{ header }} "{{ vhost_headers[header] }}";
|
||||
{% endfor %}
|
||||
|
|
@ -27,12 +38,12 @@ server {
|
|||
{% endfor %}
|
||||
|
||||
|
||||
{% if vhost.backend|default(False) %}
|
||||
{% if vhost.backend %}
|
||||
location / {
|
||||
proxy_pass {{ vhost.backend }};
|
||||
|
||||
# add proxy headers
|
||||
proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %};
|
||||
proxy_set_header Host {{ vhost.host }};
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
|
@ -40,7 +51,7 @@ server {
|
|||
proxy_set_header X-Url-Scheme $scheme;
|
||||
|
||||
# add custom proxy headers
|
||||
{% for header in vhost.add_proxy_headers|d({}) if header %}
|
||||
{% for header in vhost.add_proxy_headers if header %}
|
||||
proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}";
|
||||
{% endfor %}
|
||||
|
||||
|
|
@ -50,7 +61,7 @@ server {
|
|||
proxy_set_header Connection "upgrade";
|
||||
|
||||
# remove custom proxy headers
|
||||
{% for header in vhost.hide_proxy_headers|d({}) if header %}
|
||||
{% for header in vhost.hide_proxy_headers if header %}
|
||||
proxy_hide_header {{ header }};
|
||||
{% endfor %}
|
||||
# hide downstream headers for security reasons
|
||||
|
|
@ -64,7 +75,7 @@ server {
|
|||
}
|
||||
{% endif %}
|
||||
|
||||
{% for location in vhost.locations|default([]) %}
|
||||
{% for location in vhost.locations %}
|
||||
location {{ location.match }} {
|
||||
{% if "alias" in location %}
|
||||
alias {{ location.alias }};
|
||||
|
|
@ -75,21 +86,21 @@ server {
|
|||
}
|
||||
{% endfor %}
|
||||
|
||||
{% if vhost.auth.enable|default(False) %}
|
||||
{% if vhost.auth.enable %}
|
||||
auth_basic "restricted area";
|
||||
auth_basic_user_file {{ vhost.auth.path }};
|
||||
satisfy {{ vhost.auth.satisfy|d('all') }};
|
||||
satisfy {{ vhost.auth.satisfy }};
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% for include in vhost.includes|default([]) %}
|
||||
{% for include in vhost.includes %}
|
||||
include {{ include }};
|
||||
{% endfor %}
|
||||
|
||||
{% if vhost.letsencrypt|d(False) %}
|
||||
{% if vhost.letsencrypt %}
|
||||
ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
|
||||
ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
|
||||
{% elif vhost.crt|d(None) and vhost.key|d(None) %}
|
||||
{% elif vhost.crt and vhost.key %}
|
||||
ssl_certificate {{ vhost.crt }};
|
||||
ssl_certificate_key {{ vhost.key }};
|
||||
{% endif %}
|
||||
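Review bot: With `auth.enable` true and `auth.path` left at its new default `~`, the rewritten `auth_basic_user_file {{ vhost.auth.path }};` renders the literal `None`, because the `|default` guards were dropped in favour of `nginx_vhosts_defaults`; nginx would then reject requests to that vhost at runtime rather than failing the config check, which hides the misconfiguration. Use `auth_basic_user_file {{ vhost.auth.path|mandatory }};` so the play fails when auth is enabled without a user file. The same removal of guards makes `{}|combine(nginx.add_headers, vhost.add_headers)` near the top of the template depend on `nginx.add_headers` always being defined; if the role's `nginx` defaults do not declare it, keep `|default({})` there. The `server` block in this template continues past the end of the last hunk.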
|
|
|
|||