diff --git a/playbooks/check.yaml b/playbooks/check.yaml
index 0945944..63ea631 100644
--- a/playbooks/check.yaml
+++ b/playbooks/check.yaml
@@ -29,14 +29,3 @@
 - name: Print .dpkg-* files list
 ansible.builtin.debug:
 var: check__dpkg_files_list
-
- - name: Get all held packages
- ansible.builtin.command: apt-mark showhold
- when: ansible_facts['pkg_mgr'] == "apt"
- changed_when: false
- register: check__apt_mark_showhold
-
- - name: Print all held packages
- ansible.builtin.debug:
- var: check__apt_mark_showhold.stdout_lines
- when: check__apt_mark_showhold.stdout_lines != []
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
index 94668d2..9abf2ea 100644
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@@ -1,39 +1,32 @@ # Role `nginx` -Ensures nginx is installed from the NGINX repos and setup as specified via the arguments. +Makes sure the `nginx` package is installed from the NGINX repos on the specified hosts. +Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. +For the NGINX site configurations the config template below can be used. + +## Entry Points + +The entry points available for external use are: + +- `main` ## Supported Distributions The following distributions are supported: - Debian 11 -- Debian 12 ## Required Arguments -None. +For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## Optional Arguments +## Updates -- `nginx__deploy_redirect_conf`: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the `/.well-known/acme-challenge/` to localhost Port 31820 for certificate issuing. - See [`files/redirect.conf`](./files/redirect.conf) for the configuration that would be deployed. - Defaults to `true`. -- `nginx__deploy_tls_conf`: Whether or not to deploy a config configuring some TLS settings reasonably. - See [`files/tls.conf`](./files/tls.conf) for the configuration that would be deployed. - Defaults to `true`. -- `nginx__deploy_logging_conf`: Whether or not to deploy a config configuring logging to journald. - See [`files/logging.conf`](./files/logging.conf) for the configuration that would be deployed. - Defaults to `true`. -- `nginx__configurations`: List of nginx configurations to ensure are deployed. -- `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. - `tls`, `redirect` and `logging` are reserved names. -- `nginx__configurations.*.content`: This configurations content. -- `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. 
- If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. - Defaults to `false`. -- `nginx__custom_nginx_conf`: The content to use for the custom `nginx.conf`. - Needs `nginx__use_custom_nginx_conf` to be set to true to work. - You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. +This role updates NGINX to the latest version covered by the provided version spec., if needed. + +## `hosts` + +The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. ## Config Template diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index 0a366e9..bc420db 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -1,5 +1,10 @@ -- name: Restart nginx +- name: Restart `nginx.service` ansible.builtin.systemd: name: nginx.service state: restarted become: true + +- name: apt-get update + ansible.builtin.apt: + update_cache: true + become: true diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index 866cb81..d79ba9e 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml 
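Review bot: The `Restart nginx.service` handler with `state: restarted` is notified by every configuration-change task in config_deploy, so a change to a single `conf.d` file drops in-flight connections; a second handler with `state: reloaded` for the config-only notifications, keeping the restart for the package install, would be the safer default. The new `apt-get update` handler is notified by exact name from three tasks in repo_setup, and the two handler names are capitalised differently; adding `listen: refresh apt cache` to it and notifying that topic would decouple the callers from the spelling. Note that nginx_install already sets `update_cache: true` on its `apt` task, so in the common path this handler is a second cache refresh — presumably acceptable, but worth a one-line comment on the handler.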
@@ -1,15 +1,31 @@
 argument_specs:
 main:
 options:
+ nginx__version_spec:
+ description: >-
+ The version specification to use for installing the `nginx` package. The
+ provided version specification will be used like the following: `nginx={{
+ nginx__version_spec }}*`. This makes it possible to e.g. specify
+ until a minor version (like `1.3.`) and then have patch versions be
+ installed automatically (like `1.3.1` and so on).
+ type: str
+ required: true
 nginx__deploy_redirect_conf:
+ description: >-
+ Whether or not to deploy a `redirect.conf` to
+ `/etc/nginx/conf.d/redirect.conf`.
 type: bool
 required: false
 default: true
 nginx__deploy_tls_conf:
+ description: >-
+ Whether or not to deploy a `tls.conf` to `/etc/nginx/conf.d/tls.conf`.
 type: bool
 required: false
 default: true
 nginx__deploy_logging_conf:
+ description: >-
+ Whether or not to deploy a `logging.conf` to `/etc/nginx/conf.d/logging.conf`.
 type: bool
 required: false
 default: true
@@ -21,16 +37,34 @@ argument_specs:
 default: [ ]
 options:
 name:
+ description: >-
+ The name of the configuration file, where the configuration should
+ be deployed to. The file will be placed under `/etc/nginx/conf.d/`
+ and `.conf` will be appended to the given name. So in the end the
+ path will be like this: `/etc/nginx/conf.d/\{\{ name \}\}.conf`.
+ Note that the names `tls` and `redirect` aren't allowed.
 type: str
 required: true
 content:
+ description: The content of the configuration.
 type: str
 required: true
 nginx__use_custom_nginx_conf:
+ description: >-
+ Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to
+ true, you must provide a custom `nginx.conf` via
+ `nginx__custom_nginx_conf`.
 type: bool
 required: false
 default: false
 nginx__custom_nginx_conf:
+ description: >-
+ The value for a `nginx.conf` to be placed at `/etc/nginx/nginx.conf`.
+ You must set `nginx__use_custom_nginx_conf` to true for this value to
+ be used.
+ You should probably make sure that your custom `nginx.conf` still
+ includes `/etc/nginx/conf.d/*.conf` so that the configuration provided
+ using `nginx__configurations` still work.
 type: str
 required: false
 default: ""
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 4a86530..6ecb2da 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
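Review bot: The new `name` description says only `tls` and `redirect` are reserved, but config_deploy still writes `/etc/nginx/conf.d/logging.conf` whenever `nginx__deploy_logging_conf` is true (its default), and the new tasks/make_sure_nginx_configuration_names_are_valid.yaml drops the `logging` check that the deleted 01_validate_config_names.yaml had. A user entry named `logging` would therefore target the same path as the role's own copy task, and the two copies would overwrite each other (and restart nginx) on every run. Either keep `logging` reserved here and in the validation task, or make that reservation conditional on `nginx__deploy_logging_conf`; in the first case the description line should read `Note that the names `tls`, `redirect` and `logging` aren't allowed.`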
@@ -1,11 +1,19 @@ -- name: Ensure valid configuration names - ansible.builtin.import_tasks: - file: main/01_validate_config_names.yaml +- name: make sure nginx configuration names are valid + ansible.builtin.include_role: + name: nginx + tasks_from: make_sure_nginx_configuration_names_are_valid -- name: Ensure nginx is installed - ansible.builtin.import_tasks: - file: main/02_nginx_install.yaml +- name: make sure NGINX repos are setup + ansible.builtin.include_role: + name: nginx + tasks_from: main/repo_setup -- name: Ensure configuration deployment - ansible.builtin.import_tasks: - file: main/03_config_deploy.yaml +- name: make sure NGINX is installed + ansible.builtin.include_role: + name: nginx + tasks_from: main/nginx_install + +- name: make sure desirable NGINX configs are deployed + ansible.builtin.include_role: + name: nginx + tasks_from: main/config_deploy diff --git a/roles/nginx/tasks/main/01_validate_config_names.yaml b/roles/nginx/tasks/main/01_validate_config_names.yaml deleted file mode 100644 index 7991b89..0000000 --- a/roles/nginx/tasks/main/01_validate_config_names.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Ensure that the given configuration names are valid - ansible.builtin.fail: - msg: "You used one of the reserved configuration names: '{{ item.name }}'." - when: item.name == "tls" - or item.name == "redirect" - or item.name == "logging" - loop: "{{ nginx__configurations }}" diff --git a/roles/nginx/tasks/main/03_config_deploy.yaml b/roles/nginx/tasks/main/config_deploy.yaml similarity index 62% rename from roles/nginx/tasks/main/03_config_deploy.yaml rename to roles/nginx/tasks/main/config_deploy.yaml index 2f0c834..01580b1 100644 --- a/roles/nginx/tasks/main/03_config_deploy.yaml +++ b/roles/nginx/tasks/main/config_deploy.yaml 
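Review bot: Replacing `import_tasks` with `include_role` pointed at the role's own name hardcodes `name: nginx`, so the role breaks if it is installed or vendored under another directory name (or later moved into a collection), and each of the four includes presumably re-enters the role with its defaults and vars loaded again. The includes are also dynamic, so the sub-tasks no longer show in `--list-tasks`, and tags placed on the include task do not reach the included tasks without `apply:`. `ansible.builtin.import_tasks: { file: main/repo_setup.yaml }` (and the same for the other three files) keeps the new file names with the previous static behaviour. The first include also references a file directly under `tasks/` while the other three live under `tasks/main/`; one location would be easier to follow.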
@@ -1,13 +1,13 @@ -- name: Check, if a save of a previous `nginx.conf` is present +- name: check, if a save of a previous `nginx.conf` is present ansible.builtin.stat: path: /etc/nginx/nginx.conf.ansiblesave - register: nginx__nginx_conf_ansiblesave_stat + register: nginx__nginx_conf_ansiblesave_stat_result -- name: Handle the case, where a custom `nginx.conf` is to be used +- name: handle the case, where a custom `nginx.conf` is to be used when: nginx__use_custom_nginx_conf block: - - name: When no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - when: not nginx__nginx_conf_ansiblesave_stat.stat.exists + - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` + when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf.ansiblesave @@ -18,7 +18,7 @@ src: /etc/nginx/nginx.conf become: true - - name: Ensure the custom `nginx.conf` is deployed + - name: deploy the custom `nginx.conf` ansible.builtin.copy: content: "{{ nginx__custom_nginx_conf }}" dest: "/etc/nginx/nginx.conf" @@ -26,13 +26,13 @@ owner: root group: root become: true - notify: Restart nginx + notify: Restart `nginx.service` -- name: Handle the case, where no custom `nginx.conf` is to be used +- name: handle the case, where no custom `nginx.conf` is to be used when: not nginx__use_custom_nginx_conf block: - - name: When a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` - when: nginx__nginx_conf_ansiblesave_stat.stat.exists + - name: when a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` + when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf 
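Review bot: The `deploy the custom nginx.conf` task copies `nginx__custom_nginx_conf` straight to `/etc/nginx/nginx.conf` and notifies a restart, so a syntax error in the supplied content takes nginx down at handler time instead of failing the task. `ansible.builtin.copy` supports `validate: nginx -t -c %s`, which should check the candidate file before it replaces the live one, as long as the custom config uses absolute `include` paths like the role's own `/etc/nginx/conf.d/*.conf`. This copy task continues past the end of the hunk (its ownership and notify lines are in the following hunk).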
@@ -42,32 +42,32 @@ remote_src: true src: /etc/nginx/nginx.conf.ansiblesave become: true - notify: Restart nginx + notify: Restart `nginx.service` - - name: Ensure no `nginx.conf.ansiblesave` is present - when: nginx__nginx_conf_ansiblesave_stat.stat.exists + - name: delete the `nginx.conf.ansiblesave`, if it is present + when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists ansible.builtin.file: path: /etc/nginx/nginx.conf.ansiblesave state: absent become: true -- name: Ensure mozilla dhparam is deployed +- name: make sure mozilla dhparam is deployed ansible.builtin.get_url: force: true dest: /etc/nginx-mozilla-dhparam mode: "0644" url: https://ssl-config.mozilla.org/ffdhe2048.txt become: true - notify: Restart nginx + notify: Restart `nginx.service` -- name: Set `nginx__config_files_to_exist` fact initially to an empty list +- name: set `nginx__config_files_to_exist` fact initially to an empty list ansible.builtin.set_fact: nginx__config_files_to_exist: [ ] -- name: Handle the case, where tls.conf should be deployed +- name: handle the case, where tls.conf should be deployed when: nginx__deploy_tls_conf block: - - name: Ensure tls.conf is deployed + - name: make sure tls.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/tls.conf @@ -76,16 +76,16 @@ group: root src: tls.conf become: true - notify: Restart nginx + notify: Restart `nginx.service` - - name: Add tls.conf to nginx__config_files_to_exist + - name: add tls.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'tls.conf' ] }}" # noqa: jinja[spacing] -- name: Handle the case, where redirect.conf should be deployed +- name: handle the case, where redirect.conf should be deployed when: nginx__deploy_redirect_conf block: - - name: Ensure redirect.conf is deployed + - name: make sure redirect.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/redirect.conf 
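Review bot: The `make sure mozilla dhparam is deployed` task fetches `https://ssl-config.mozilla.org/ffdhe2048.txt` with `force: true` and no `checksum`, so every run re-downloads the file as root from an external host, and if the response ever differs it rewrites `/etc/nginx-mozilla-dhparam` and restarts nginx; the role also cannot run without outbound access. The ffdhe2048 group is a fixed, published value, so pinning it is cheap: `checksum: "sha256:<digest of the vetted ffdhe2048.txt>"` (placeholder, to be computed once and committed), after which get_url should skip an unchanged destination and `force: true` can go. Shipping the file under `files/` like `tls.conf` and deploying it with `copy` would remove the network dependency entirely.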
@@ -94,16 +94,16 @@ group: root src: redirect.conf become: true - notify: Restart nginx + notify: Restart `nginx.service` - - name: Add redirect.conf to nginx__config_files_to_exist + - name: add redirect.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'redirect.conf' ] }}" # noqa: jinja[spacing] -- name: Handle the case, where logging.conf should be deployed +- name: handle the case, where logging.conf should be deployed when: nginx__deploy_logging_conf block: - - name: Ensure logging.conf is deployed + - name: make sure logging.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/logging.conf @@ -112,13 +112,13 @@ group: root src: logging.conf become: true - notify: Restart nginx + notify: Restart `nginx.service` - - name: Add logging.conf to nginx__config_files_to_exist + - name: add logging.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'logging.conf' ] }}" # noqa: jinja[spacing] -- name: Ensure all given configuration files are deployed +- name: make sure all given configuration files are deployed ansible.builtin.copy: content: "{{ item.content }}" dest: "/etc/nginx/conf.d/{{ item.name }}.conf" 
@@ -127,24 +127,24 @@ group: root become: true loop: "{{ nginx__configurations }}" - notify: Restart nginx + notify: Restart `nginx.service` -- name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact +- name: add names plus suffix from `nginx__configurations` to `nginx__config_files_to_exist` fact ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing] loop: "{{ nginx__configurations }}" -- name: Find configuration files to remove +- name: find configuration files to remove ansible.builtin.find: paths: /etc/nginx/conf.d/ recurse: false excludes: "{{ nginx__config_files_to_exist }}" register: nginx__config_files_to_remove -- name: Remove all configuration file, which should be removed +- name: remove all configuration file, which should be removed ansible.builtin.file: path: "{{ item.path }}" state: absent become: true loop: "{{ nginx__config_files_to_remove.files }}" - notify: Restart nginx + notify: Restart `nginx.service` diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml new file mode 100644 index 0000000..6d63ad3 --- /dev/null +++ b/roles/nginx/tasks/main/nginx_install.yaml @@ -0,0 +1,13 @@ +- name: make sure the `nginx` package is installed + ansible.builtin.apt: + name: nginx={{ nginx__version_spec }}* + state: present + allow_change_held_packages: true + update_cache: true + become: true + +- name: apt-mark hold `nginx` + ansible.builtin.dpkg_selections: + name: nginx + selection: hold + become: true diff --git a/roles/nginx/tasks/main/02_nginx_install.yaml b/roles/nginx/tasks/main/repo_setup.yaml similarity index 61% rename from roles/nginx/tasks/main/02_nginx_install.yaml rename to roles/nginx/tasks/main/repo_setup.yaml index 9ceb323..9edc156 100644 --- a/roles/nginx/tasks/main/02_nginx_install.yaml +++ b/roles/nginx/tasks/main/repo_setup.yaml 
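Review bot: `nginx__version_spec` goes unquoted into `name: nginx={{ nginx__version_spec }}*` with no validation, and `required: true` in the argument spec is satisfied by an empty string; `""` yields `nginx=*`, which installs whatever apt currently offers and then holds it, the opposite of the pinning this file exists for. An `ansible.builtin.assert` before the `apt` task that rejects an empty value and anything outside Debian version characters makes that failure explicit and early. Quoting the templated value (`name: "nginx={{ nginx__version_spec }}*"`) is also the usual convention for Jinja in YAML. The `allow_change_held_packages: true` / `dpkg_selections: hold` pair is fine as long as the hold stays owned by this role; a short comment saying so would help, since the check playbook's held-packages report is removed in the same commit.
```yaml
- name: make sure `nginx__version_spec` is usable as an apt version pattern
  ansible.builtin.assert:
    that:
      - nginx__version_spec is string
      - nginx__version_spec | length > 0
      - nginx__version_spec is match('^[0-9][0-9A-Za-z.+~:-]*$')
    fail_msg: "nginx__version_spec must be a non-empty Debian version prefix, got: `{{ nginx__version_spec }}`"

# … unchanged: apt install and dpkg_selections hold tasks …
```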
@@ -1,10 +1,16 @@ -- name: Ensure gnupg is installed +- name: gather package facts + ansible.builtin.package_facts: + manager: apt + +- name: make sure `gnupg` package is installed ansible.builtin.apt: name: gnupg state: present + update_cache: true become: true + when: "'gnupg' not in ansible_facts.packages" -- name: Ensure NGINX signing key is added +- name: make sure NGINX signing key is added ansible.builtin.get_url: url: https://nginx.org/keys/nginx_signing.key dest: /etc/apt/trusted.gpg.d/nginx.asc @@ -12,20 +18,23 @@ owner: root group: root become: true + notify: apt-get update -- name: Ensure NGINX APT repository is added +- name: make sure NGINX APT repository is added ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true + notify: apt-get update -- name: Ensure NGINX APT source repository is added +- name: make sure NGINX APT source repository is added ansible.builtin.apt_repository: repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true + notify: apt-get update -- name: Ensure repository pinning to make sure nginx package gets installed from NGINX repositories is set up +- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories ansible.builtin.copy: content: | Package: * @@ -38,9 +47,5 @@ mode: "0644" become: true -- name: Ensure nginx is installed - ansible.builtin.apt: - name: nginx - state: present - update_cache: true - become: true +- name: Flush handlers to make sure "apt-get update" handler runs, if needed + ansible.builtin.meta: flush_handlers diff --git a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml new file mode 100644 index 0000000..54ea6f5 
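Review bot: The NGINX signing key is written to `/etc/apt/trusted.gpg.d/nginx.asc`, and everything in that directory is trusted by apt for every configured repository, which makes the `signed-by=` on the two `apt_repository` lines below ineffective as a scope restriction. Storing it under `/etc/apt/keyrings/nginx.asc` (creating the directory first with a `file` task, since Debian 11's apt does not ship it) and pointing `signed-by=` there keeps the key limited to the NGINX repo. The download has no `checksum`, so the trust root is whatever the server returns at run time; pinning `checksum: "sha256:<digest of the vetted nginx_signing.key>"` (placeholder, to be verified against NGINX's published fingerprint and committed) turns a swapped key into a task failure instead of a silently trusted repo. The `gnupg` install guarded by `package_facts` looks unnecessary for an armored `.asc` key that apt reads directly — worth confirming nothing else in the role needs it.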
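Review bot: The two `apt_repository` tasks now `notify: apt-get update`, but `ansible.builtin.apt_repository` refreshes the cache itself on change (`update_cache` defaults to true), so those two notifications are redundant; only the signing-key `get_url` needs one. The `arch=amd64` in both repo lines is hardcoded while the suite comes from `ansible_distribution_release`; if non-amd64 Debian 11 hosts are ever in scope, the architecture needs the same treatment (presumably `ansible_architecture` mapped to apt's names). The repo line is not new in this commit, so this is a follow-up rather than a blocker.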
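Review bot: `ansible.builtin.meta: flush_handlers` runs every handler notified so far in the play, not just `apt-get update`; if an earlier role or task in the same play notified `Restart nginx.service`, that restart happens here, before the package install in nginx_install. Since nginx_install already sets `update_cache: true` on its `apt` task, the flush appears to exist only to guarantee a refresh that the install task already performs, so dropping the three notifies and this meta task would remove the side effect without changing the outcome. If the handler is kept, a comment such as `# flushes ALL pending handlers of the play, not only "apt-get update"` next to the meta task would warn the next reader.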
--- /dev/null
+++ b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml
@@ -0,0 +1,6 @@
+- name: make sure nginx configuration names are valid
+ ansible.builtin.fail:
+ msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`."
+ when: item.name == "tls"
+ or item.name == "redirect"
+ loop: "{{ nginx__configurations }}"
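Review bot: The check only rejects two literal names, while `name` is later interpolated into `dest: "/etc/nginx/conf.d/{{ item.name }}.conf"` in config_deploy under `become: true`, so a value containing `/` or `..` writes a root-owned file outside `conf.d`, and the non-recursive `find`/`file` cleanup there would never remove it. Because `nginx__configurations` can arrive from inventory or group vars that not every playbook author controls, a positive filename pattern is the safer contract: `when: item.name in ['tls', 'redirect'] or item.name is not match('^[A-Za-z0-9_.-]+$')`. The `msg` should then also state the allowed pattern, and a `# names become file names under /etc/nginx/conf.d/, so they must be plain identifiers` comment above the task would record why.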