CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 1
Code Issues 6 Pull requests 4 Wiki Activity Actions

Use nginx role with custom nginx.conf support

Browse source
This commit is contained in:
julian 2023-04-15 18:13:22 +02:00
commit 65ac14c18b
23 changed files with 378 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

19
playbooks/roles/nginx/tasks/main.yaml Normal file
View file

@ -0,0 +1,19 @@
- name: make sure nginx configuration names are valid
ansible.builtin.include_role:
name: nginx
tasks_from: make_sure_nginx_configuration_names_are_valid
- name: make sure NGINX repos are setup
ansible.builtin.include_role:
name: nginx
tasks_from: main/repo_setup
- name: make sure NGINX is installed
ansible.builtin.include_role:
name: nginx
tasks_from: main/nginx_install
- name: make sure desirable NGINX configs are deployed
ansible.builtin.include_role:
name: nginx
tasks_from: main/config_deploy

45
playbooks/roles/nginx/tasks/main.yml
View file

@ -1,45 +0,0 @@
---
- name: Setup up repository pinning
ansible.builtin.template:
src: 99nginx.j2
dest: /etc/apt/preferences.d/99nginx
mode: "0644"
- name: Install nginx
ansible.builtin.apt:
update_cache: true
name: nginx
state: present
- name: Delete default.conf
ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
when: nginx__configs
- name: Create nginx redirect.conf
ansible.builtin.template:
src: redirect.conf.j2
dest: /etc/nginx/conf.d/redirect.conf
mode: "0644"
when: nginx__enable_https_redirect is defined and nginx__enable_https_redirect
- name: Create nginx tls.conf
ansible.builtin.template:
src: tls.conf.j2
dest: /etc/nginx/conf.d/tls.conf
mode: "0644"
- name: Download dhparam file
ansible.builtin.get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/nginx/dhparam.pem
mode: "0644"
- name: Add user specified configs
ansible.builtin.copy:
content: "{{ item.content }}"
dest: /etc/nginx/conf.d/{{ item.name }}.conf
mode: "0644"
loop: "{{ nginx__configs }}"
notify: Reload nginx
- name: Enable and start systemd service
ansible.builtin.systemd:
name: nginx.service
daemon_reload: true
enabled: true
state: started

130
playbooks/roles/nginx/tasks/main/config_deploy.yaml Normal file
View file

@ -0,0 +1,130 @@
- name: check, if a save of a previous `nginx.conf` is present
ansible.builtin.stat:
path: /etc/nginx/nginx.conf.ansiblesave
register: nginx__nginx_conf_ansiblesave_stat_result
- name: handle the case, where a custom `nginx.conf` is to be used
when: nginx__use_custom_nginx_conf
block:
- name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false
ansible.builtin.copy:
force: true
dest: /etc/nginx/nginx.conf.ansiblesave
mode: 0644
owner: root
group: root
remote_src: true
src: /etc/nginx/nginx.conf
become: true
- name: deploy the custom `nginx.conf`
ansible.builtin.copy:
content: "{{ nginx__custom_nginx_conf }}"
dest: "/etc/nginx/nginx.conf"
mode: 0644
owner: root
group: root
become: true
- name: handle the case, where no custom `nginx.conf` is to be used
when: not nginx__use_custom_nginx_conf
block:
- name: when a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf`
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists
ansible.builtin.copy:
force: true
dest: /etc/nginx/nginx.conf
mode: 0644
owner: root
group: root
remote_src: true
src: /etc/nginx/nginx.conf.ansiblesave
become: true
- name: delete the `nginx.conf.ansiblesave`, if it is present
when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists
ansible.builtin.file:
path: /etc/nginx/nginx.conf.ansiblesave
state: absent
become: true
- name: make sure mozilla dhparam is deployed
ansible.builtin.get_url:
force: true
dest: /etc/nginx-mozilla-dhparam
mode: 0644
url: https://ssl-config.mozilla.org/ffdhe2048.txt
become: true
notify: Restart `nginx.service`
- name: set `nginx__config_files_to_exist` fact initially to an empty list
ansible.builtin.set_fact:
nginx__config_files_to_exist: [ ]
- name: handle the case, where tls.conf should be deployed
when: nginx__deploy_tls_conf
block:
- name: make sure tls.conf is deployed
ansible.builtin.copy:
force: true
dest: /etc/nginx/conf.d/tls.conf
mode: 0644
owner: root
group: root
src: tls.conf
become: true
notify: Restart `nginx.service`
- name: add tls.conf to nginx__config_files_to_exist
ansible.builtin.set_fact:
nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'tls.conf' ] }}" # noqa: jinja[spacing]
- name: handle the case, where redirect.conf should be deployed
when: nginx__deploy_redirect_conf
block:
- name: make sure redirect.conf is deployed
ansible.builtin.copy:
force: true
dest: /etc/nginx/conf.d/redirect.conf
mode: 0644
owner: root
group: root
src: redirect.conf
become: true
notify: Restart `nginx.service`
- name: add redirect.conf to nginx__config_files_to_exist
ansible.builtin.set_fact:
nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'redirect.conf' ] }}" # noqa: jinja[spacing]
- name: make sure all given configuration files are deployed
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
mode: 0644
owner: root
group: root
become: true
loop: "{{ nginx__configurations }}"
notify: Restart `nginx.service`
- name: add names plus suffix from `nginx__configurations` to `nginx__config_files_to_exist` fact
ansible.builtin.set_fact:
nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing]
loop: "{{ nginx__configurations }}"
- name: find configuration files to remove
ansible.builtin.find:
paths: /etc/nginx/conf.d/
recurse: false
excludes: "{{ nginx__config_files_to_exist }}"
register: nginx__config_files_to_remove
- name: remove all configuration file, which should be removed
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
become: true
loop: "{{ nginx__config_files_to_remove.files }}"
notify: Restart `nginx.service`

13
playbooks/roles/nginx/tasks/main/nginx_install.yaml Normal file
View file

@ -0,0 +1,13 @@
- name: make sure the `nginx` package is installed
ansible.builtin.apt:
name: nginx={{ nginx__version_spec }}*
state: present
allow_change_held_packages: true
update_cache: true
become: true
- name: apt-mark hold `nginx`
ansible.builtin.dpkg_selections:
name: nginx
selection: hold
become: true

30
playbooks/roles/nginx/tasks/main/repo_setup.yaml Normal file
View file

@ -0,0 +1,30 @@
- name: make sure `gnupg` package is installed
ansible.builtin.apt:
name: gnupg
state: present
update_cache: true
become: true
- name: make sure NGINX signing key is added
ansible.builtin.apt_key:
url: https://nginx.org/keys/nginx_signing.key
state: present
become: true
notify: apt-get update
- name: make sure NGINX APT repository is added
ansible.builtin.apt_repository:
repo: deb https://nginx.org/packages/debian/ bullseye nginx
state: present
become: true
notify: apt-get update
- name: make sure NGINX APT source repository is added
ansible.builtin.apt_repository:
repo: deb-src https://nginx.org/packages/debian/ bullseye nginx
state: present
become: true
notify: apt-get update
- name: Flush handlers to make sure "apt-get update" handler runs, if needed
ansible.builtin.meta: flush_handlers

6
playbooks/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml Normal file
View file

@ -0,0 +1,6 @@
- name: make sure nginx configuration names are valid
ansible.builtin.fail:
msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`."
when: item.name == "tls"
or item.name == "redirect"
loop: "{{ nginx__configurations }}"