Automate light server

Co-authored-by: J <j@jsts.xyz>

playbooks/roles/nginx/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Reload nginx
+  ansible.builtin.systemd:
+    service: nginx
+    state: reloaded

playbooks/roles/nginx/meta/argument_specs.yml

@@ -0,0 +1,20 @@
+---
+argument_specs:
+  main:
+    options:
+      nginx__enable_https_redirect:
+        description: Redirect HTTP traffic to HTTPS
+        type: bool
+        required: false
+      nginx__configs:
+        description: Configuration files to add to /etc/nginx/conf.d/
+        type: list
+        elements: dict
+        required: false
+        options:
+          name:
+            description: Name of the config file without file extension
+            type: str
+          content:
+            description: Content of the config file
+            type: str

playbooks/roles/nginx/meta/main.yml

@@ -0,0 +1,16 @@
+dependencies:
+  - role: distribution_check
+    vars:
+      distribution_check__supported_distributions:
+        - name: Debian
+          versions:
+            - "10"
+            - "11"
+  - role: add_apt_repository
+    vars:
+      add_apt_repository__https_repo: false
+      add_apt_repository__keyring_url: https://nginx.org/keys/nginx_signing.key
+      add_apt_repository__keyring_path: /usr/share/keyrings/nginx-archive-keyring.gpg
+      add_apt_repository__repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg]
+         http://nginx.org/packages/{{ ansible_facts.distribution | lower }} {{ ansible_facts.lsb.codename }} nginx
+      add_apt_repository__filename: nginx.list

playbooks/roles/nginx/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Setup up repository pinning
+  ansible.builtin.template:
+    src: 99nginx.j2
+    dest: /etc/apt/preferences.d/99nginx
+    mode: "0644"
+- name: Install nginx
+  ansible.builtin.apt:
+    update_cache: true
+    name: nginx
+    state: present
+- name: Delete default.conf
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
+  when: nginx__configs
+- name: Create nginx redirect.conf
+  ansible.builtin.template:
+    src: redirect.conf.j2
+    dest: /etc/nginx/conf.d/redirect.conf
+    mode: "0644"
+  when: nginx__enable_https_redirect is defined and nginx__enable_https_redirect
+- name: Create nginx tls.conf
+  ansible.builtin.template:
+    src: tls.conf.j2
+    dest: /etc/nginx/conf.d/tls.conf
+    mode: "0644"
+- name: Download dhparam file
+  ansible.builtin.get_url:
+    url: https://ssl-config.mozilla.org/ffdhe2048.txt
+    dest: /etc/nginx/dhparam.pem
+    mode: "0644"
+- name: Add user specified configs
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: /etc/nginx/conf.d/{{ item.name }}.conf
+    mode: "0644"
+  loop: "{{ nginx__configs }}"
+  notify: Reload nginx
+- name: Enable and start systemd service
+  ansible.builtin.systemd:
+    name: nginx.service
+    daemon_reload: true
+    enabled: true
+    state: started

playbooks/roles/nginx/templates/99nginx.j2

@@ -0,0 +1,4 @@
+Package: *
+Pin: origin nginx.org
+Pin: release o=nginx
+Pin-Priority: 900

playbooks/roles/nginx/templates/redirect.conf.j2

@@ -0,0 +1,9 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}

playbooks/roles/nginx/templates/tls.conf.j2

@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;