From 73f186909469d1cc24395b206dd96384eea70aac Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:10:53 +0100 Subject: [PATCH 1/6] nginx(role): simplify installation by removing version spec We always just want the latest anyway and therefore don't use it, so no need to keep the complexity introduced by that setting. Also merge repo_setup and nginx_install task lists into one nginx_install task list as keeping two files isn't necessary. Finally improving naming a bit. --- roles/nginx/meta/argument_specs.yaml | 9 ---- roles/nginx/tasks/main.yaml | 7 +-- roles/nginx/tasks/main/nginx_install.yaml | 56 +++++++++++++++++++---- roles/nginx/tasks/main/repo_setup.yaml | 45 ------------------ 4 files changed, 49 insertions(+), 68 deletions(-) delete mode 100644 roles/nginx/tasks/main/repo_setup.yaml diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index d79ba9e..693e196 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml @@ -1,15 +1,6 @@ argument_specs: main: options: - nginx__version_spec: - description: >- - The version specification to use for installing the `nginx` package. The - provided version specification will be used like the following: `nginx={{ - nginx__version_spec }}*`. This makes it possible to e.g. specify - until a minor version (like `1.3.`) and then have patch versions be - installed automatically (like `1.3.1` and so on). - type: str - required: true nginx__deploy_redirect_conf: description: >- Whether or not to deploy a `redirect.conf` to diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 6ecb2da..89c9be2 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -3,12 +3,7 @@ name: nginx tasks_from: make_sure_nginx_configuration_names_are_valid -- name: make sure NGINX repos are setup - ansible.builtin.include_role: - name: nginx - tasks_from: main/repo_setup - -- name: make sure NGINX is installed +- name: ensure NGINX is installed ansible.builtin.include_role: name: nginx tasks_from: main/nginx_install diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 6d63ad3..04f6afe 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml @@ -1,13 +1,53 @@ -- name: make sure the `nginx` package is installed +- name: gather package facts + ansible.builtin.package_facts: + manager: apt + +- name: make sure `gnupg` package is installed ansible.builtin.apt: - name: nginx={{ nginx__version_spec }}* + name: gnupg + state: present + update_cache: true + become: true + when: "'gnupg' not in ansible_facts.packages" + +- name: make sure NGINX signing key is added + ansible.builtin.get_url: + url: https://nginx.org/keys/nginx_signing.key + dest: /etc/apt/trusted.gpg.d/nginx.asc + mode: "0644" + owner: root + group: root + become: true + +- name: make sure NGINX APT repository is added + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: make sure NGINX APT source repository is added + ansible.builtin.apt_repository: + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories + ansible.builtin.copy: + content: | + Package: * + Pin: origin nginx.org + Pin: release o=nginx + Pin-Priority: 900 + dest: /etc/apt/preferences.d/99nginx + owner: root + group: root + mode: "0644" + become: true + +- name: Ensure nginx is installed + ansible.builtin.apt: + name: nginx state: present allow_change_held_packages: true update_cache: true become: true - -- name: apt-mark hold `nginx` - ansible.builtin.dpkg_selections: - name: nginx - selection: hold - become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml deleted file mode 100644 index 253beb1..0000000 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ /dev/null @@ -1,45 +0,0 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed - ansible.builtin.apt: - name: gnupg - state: present - update_cache: true - become: true - when: "'gnupg' not in ansible_facts.packages" - -- name: make sure NGINX signing key is added - ansible.builtin.get_url: - url: https://nginx.org/keys/nginx_signing.key - dest: /etc/apt/trusted.gpg.d/nginx.asc - mode: "0644" - owner: root - group: root - become: true - -- name: make sure NGINX APT repository is added - ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: make sure NGINX APT source repository is added - ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories - ansible.builtin.copy: - content: | - Package: * - Pin: origin nginx.org - Pin: release o=nginx - Pin-Priority: 900 - dest: /etc/apt/preferences.d/99nginx - owner: root - group: root - mode: "0644" - become: true From 90dcee79c7da3f3d81fa8e61f2f305cbe9a85f4b Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:11:46 +0100 Subject: [PATCH 2/6] nginx(role): simplify ensuring that gnupg is installed Also improve naming. --- roles/nginx/tasks/main/nginx_install.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 04f6afe..ee91f04 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml @@ -1,14 +1,8 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed +- name: Ensure gnupg is installed ansible.builtin.apt: name: gnupg state: present - update_cache: true become: true - when: "'gnupg' not in ansible_facts.packages" - name: make sure NGINX signing key is added ansible.builtin.get_url: From 0bedb4a873399e409783bebc37c174a4a3c4abca Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:27:49 +0100 Subject: [PATCH 3/6] nginx(role): document arguments in README for better discoverability Document the role arguments in the README instead of in the argument_specs for better discoverability and readability. --- roles/nginx/README.md | 24 +++++++++++++++++++++++- roles/nginx/meta/argument_specs.yaml | 25 ------------------------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 9abf2ea..6aa31ee 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -18,7 +18,29 @@ The following distributions are supported: ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +None. + +## Optional Arguments + +- `nginx__deploy_redirect_conf`: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the `/.well-known/acme-challenge/` to localhost Port 31820 for certificate issuing. + See [`files/redirect.conf`](./files/redirect.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_tls_conf`: Whether or not to deploy a config configuring some TLS settings reasonably. + See [`files/tls.conf`](./files/tls.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_logging_conf`: Whether or not to deploy a config configuring logging to journald. + See [`files/logging.conf`](./files/logging.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__configurations`: List of nginx configurations to ensure are deployed. +- `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. + `tls` and `redirect` are reserved names. +- `nginx__configurations.*.content`: This configurations content. +- `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. + If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. + Defaults to `false`. +- `nginx__custom_nginx_conf`: The content to use for the custom `nginx.conf`. + Needs `nginx__use_custom_nginx_conf` to be set to true to work. + You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. ## Updates diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index 693e196..866cb81 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml @@ -2,21 +2,14 @@ argument_specs: main: options: nginx__deploy_redirect_conf: - description: >- - Whether or not to deploy a `redirect.conf` to - `/etc/nginx/conf.d/redirect.conf`. type: bool required: false default: true nginx__deploy_tls_conf: - description: >- - Whether or not to deploy a `tls.conf` to `/etc/nginx/conf.d/tls.conf`. type: bool required: false default: true nginx__deploy_logging_conf: - description: >- - Whether or not to deploy a `logging.conf` to `/etc/nginx/conf.d/logging.conf`. type: bool required: false default: true @@ -28,34 +21,16 @@ argument_specs: default: [ ] options: name: - description: >- - The name of the configuration file, where the configuration should - be deployed to. The file will be placed under `/etc/nginx/conf.d/` - and `.conf` will be appended to the given name. So in the end the - path will be like this: `/etc/nginx/conf.d/\{\{ name \}\}.conf`. - Note that the names `tls` and `redirect` aren't allowed. type: str required: true content: - description: The content of the configuration. type: str required: true nginx__use_custom_nginx_conf: - description: >- - Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to - true, you must provide a custom `nginx.conf` via - `nginx__custom_nginx_conf`. type: bool required: false default: false nginx__custom_nginx_conf: - description: >- - The value for a `nginx.conf` to be placed at `/etc/nginx/nginx.conf`. - You must set `nginx__use_custom_nginx_conf` to true for this value to - be used. - You should probably make sure that your custom `nginx.conf` still - includes `/etc/nginx/conf.d/*.conf` so that the configuration provided - using `nginx__configurations` still work. type: str required: false default: "" From 168f508c840c1ca0170e81efb1791d1a1fd0596d Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:29:55 +0100 Subject: [PATCH 4/6] nginx(role): simplify installation by removing version spec We always just want the latest anyway and therefore don't use it, so no need to keep the complexity introduced by that setting. Also merge repo_setup and nginx_install task lists into one nginx_install task list as keeping two files isn't necessary. Finally improving naming a bit. --- roles/nginx/README.md | 4 -- roles/nginx/meta/argument_specs.yaml | 9 ---- roles/nginx/tasks/main.yaml | 7 +-- roles/nginx/tasks/main/nginx_install.yaml | 56 +++++++++++++++++++---- roles/nginx/tasks/main/repo_setup.yaml | 45 ------------------ 5 files changed, 49 insertions(+), 72 deletions(-) delete mode 100644 roles/nginx/tasks/main/repo_setup.yaml diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 9abf2ea..e162123 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -20,10 +20,6 @@ The following distributions are supported: For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## Updates - -This role updates NGINX to the latest version covered by the provided version spec., if needed. - ## `hosts` The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index d79ba9e..693e196 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml @@ -1,15 +1,6 @@ argument_specs: main: options: - nginx__version_spec: - description: >- - The version specification to use for installing the `nginx` package. The - provided version specification will be used like the following: `nginx={{ - nginx__version_spec }}*`. This makes it possible to e.g. specify - until a minor version (like `1.3.`) and then have patch versions be - installed automatically (like `1.3.1` and so on). - type: str - required: true nginx__deploy_redirect_conf: description: >- Whether or not to deploy a `redirect.conf` to diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 6ecb2da..89c9be2 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -3,12 +3,7 @@ name: nginx tasks_from: make_sure_nginx_configuration_names_are_valid -- name: make sure NGINX repos are setup - ansible.builtin.include_role: - name: nginx - tasks_from: main/repo_setup - -- name: make sure NGINX is installed +- name: ensure NGINX is installed ansible.builtin.include_role: name: nginx tasks_from: main/nginx_install diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 6d63ad3..04f6afe 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml @@ -1,13 +1,53 @@ -- name: make sure the `nginx` package is installed +- name: gather package facts + ansible.builtin.package_facts: + manager: apt + +- name: make sure `gnupg` package is installed ansible.builtin.apt: - name: nginx={{ nginx__version_spec }}* + name: gnupg + state: present + update_cache: true + become: true + when: "'gnupg' not in ansible_facts.packages" + +- name: make sure NGINX signing key is added + ansible.builtin.get_url: + url: https://nginx.org/keys/nginx_signing.key + dest: /etc/apt/trusted.gpg.d/nginx.asc + mode: "0644" + owner: root + group: root + become: true + +- name: make sure NGINX APT repository is added + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: make sure NGINX APT source repository is added + ansible.builtin.apt_repository: + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories + ansible.builtin.copy: + content: | + Package: * + Pin: origin nginx.org + Pin: release o=nginx + Pin-Priority: 900 + dest: /etc/apt/preferences.d/99nginx + owner: root + group: root + mode: "0644" + become: true + +- name: Ensure nginx is installed + ansible.builtin.apt: + name: nginx state: present allow_change_held_packages: true update_cache: true become: true - -- name: apt-mark hold `nginx` - ansible.builtin.dpkg_selections: - name: nginx - selection: hold - become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml deleted file mode 100644 index 253beb1..0000000 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ /dev/null @@ -1,45 +0,0 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed - ansible.builtin.apt: - name: gnupg - state: present - update_cache: true - become: true - when: "'gnupg' not in ansible_facts.packages" - -- name: make sure NGINX signing key is added - ansible.builtin.get_url: - url: https://nginx.org/keys/nginx_signing.key - dest: /etc/apt/trusted.gpg.d/nginx.asc - mode: "0644" - owner: root - group: root - become: true - -- name: make sure NGINX APT repository is added - ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: make sure NGINX APT source repository is added - ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories - ansible.builtin.copy: - content: | - Package: * - Pin: origin nginx.org - Pin: release o=nginx - Pin-Priority: 900 - dest: /etc/apt/preferences.d/99nginx - owner: root - group: root - mode: "0644" - become: true From 023e51d3ba6d7d2f4d3c1810516de9ec10c278a8 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:11:46 +0100 Subject: [PATCH 5/6] nginx(role): simplify ensuring that gnupg is installed Also improve naming. --- roles/nginx/tasks/main/nginx_install.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 04f6afe..ee91f04 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml @@ -1,14 +1,8 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed +- name: Ensure gnupg is installed ansible.builtin.apt: name: gnupg state: present - update_cache: true become: true - when: "'gnupg' not in ansible_facts.packages" - name: make sure NGINX signing key is added ansible.builtin.get_url: From 791c517de39af2289313e907ab5ddff8f9f6c93d Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:27:49 +0100 Subject: [PATCH 6/6] nginx(role): document arguments in README for better discoverability Document the role arguments in the README instead of in the argument_specs for better discoverability and readability. --- roles/nginx/README.md | 24 +++++++++++++++++++++++- roles/nginx/meta/argument_specs.yaml | 25 ------------------------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index e162123..343e50b 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -18,7 +18,29 @@ The following distributions are supported: ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +None. + +## Optional Arguments + +- `nginx__deploy_redirect_conf`: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the `/.well-known/acme-challenge/` to localhost Port 31820 for certificate issuing. + See [`files/redirect.conf`](./files/redirect.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_tls_conf`: Whether or not to deploy a config configuring some TLS settings reasonably. + See [`files/tls.conf`](./files/tls.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_logging_conf`: Whether or not to deploy a config configuring logging to journald. + See [`files/logging.conf`](./files/logging.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__configurations`: List of nginx configurations to ensure are deployed. +- `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. + `tls` and `redirect` are reserved names. +- `nginx__configurations.*.content`: This configurations content. +- `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. + If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. + Defaults to `false`. +- `nginx__custom_nginx_conf`: The content to use for the custom `nginx.conf`. + Needs `nginx__use_custom_nginx_conf` to be set to true to work. + You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. ## `hosts` diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index 693e196..866cb81 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml @@ -2,21 +2,14 @@ argument_specs: main: options: nginx__deploy_redirect_conf: - description: >- - Whether or not to deploy a `redirect.conf` to - `/etc/nginx/conf.d/redirect.conf`. type: bool required: false default: true nginx__deploy_tls_conf: - description: >- - Whether or not to deploy a `tls.conf` to `/etc/nginx/conf.d/tls.conf`. type: bool required: false default: true nginx__deploy_logging_conf: - description: >- - Whether or not to deploy a `logging.conf` to `/etc/nginx/conf.d/logging.conf`. type: bool required: false default: true @@ -28,34 +21,16 @@ argument_specs: default: [ ] options: name: - description: >- - The name of the configuration file, where the configuration should - be deployed to. The file will be placed under `/etc/nginx/conf.d/` - and `.conf` will be appended to the given name. So in the end the - path will be like this: `/etc/nginx/conf.d/\{\{ name \}\}.conf`. - Note that the names `tls` and `redirect` aren't allowed. type: str required: true content: - description: The content of the configuration. type: str required: true nginx__use_custom_nginx_conf: - description: >- - Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to - true, you must provide a custom `nginx.conf` via - `nginx__custom_nginx_conf`. type: bool required: false default: false nginx__custom_nginx_conf: - description: >- - The value for a `nginx.conf` to be placed at `/etc/nginx/nginx.conf`. - You must set `nginx__use_custom_nginx_conf` to true for this value to - be used. - You should probably make sure that your custom `nginx.conf` still - includes `/etc/nginx/conf.d/*.conf` so that the configuration provided - using `nginx__configurations` still work. type: str required: false default: ""