From 938ca6d786a22065d938bcceadcb6ef9aea6b206 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 02:59:00 +0100 Subject: [PATCH 01/10] nginx(role): remove unnecessary apt-get update step The nginx package gets installed with "update_cache: true" afterwards anyway, so the apt-get update step shouldn't be necessary. --- roles/nginx/handlers/main.yaml | 5 ----- roles/nginx/tasks/main/repo_setup.yaml | 6 ------ 2 files changed, 11 deletions(-) diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index bc420db..57e07fc 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -3,8 +3,3 @@ name: nginx.service state: restarted become: true - -- name: apt-get update - ansible.builtin.apt: - update_cache: true - become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml index 9edc156..253beb1 100644 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ b/roles/nginx/tasks/main/repo_setup.yaml @@ -18,21 +18,18 @@ owner: root group: root become: true - notify: apt-get update - name: make sure NGINX APT repository is added ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - notify: apt-get update - name: make sure NGINX APT source repository is added ansible.builtin.apt_repository: repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - notify: apt-get update - name: set up repository pinning to make sure nginx package gets installed from NGINX repositories ansible.builtin.copy: @@ -46,6 +43,3 @@ group: root mode: "0644" become: true - -- name: Flush handlers to make sure "apt-get update" handler runs, if needed - ansible.builtin.meta: flush_handlers 
From 9ee5c6542bf1ecb75c8f17d901e2af2b6b0ddf37 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:59:08 +0100 Subject: [PATCH 02/10] nginx(role): simplify installation by removing version spec We always just want the latest anyway and therefore don't use it, so no need to keep the complexity introduced by that setting. Also merge repo_setup and nginx_install task lists into one nginx_install task list as keeping two files isn't necessary. Finally improving naming a bit. --- roles/nginx/README.md | 4 -- roles/nginx/meta/argument_specs.yaml | 9 ---- roles/nginx/tasks/main.yaml | 7 +-- roles/nginx/tasks/main/nginx_install.yaml | 53 ++++++++++++++++++++--- roles/nginx/tasks/main/repo_setup.yaml | 45 ------------------- 5 files changed, 47 insertions(+), 71 deletions(-) delete mode 100644 roles/nginx/tasks/main/repo_setup.yaml diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 9abf2ea..e162123 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -20,10 +20,6 @@ The following distributions are supported: For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## Updates - -This role updates NGINX to the latest version covered by the provided version spec., if needed. - ## `hosts` The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index d79ba9e..693e196 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml 
@@ -1,15 +1,6 @@ argument_specs: main: options: - nginx__version_spec: - description: >- - The version specification to use for installing the `nginx` package. The - provided version specification will be used like the following: `nginx={{ - nginx__version_spec }}*`. This makes it possible to e.g. specify - until a minor version (like `1.3.`) and then have patch versions be - installed automatically (like `1.3.1` and so on). - type: str - required: true nginx__deploy_redirect_conf: description: >- Whether or not to deploy a `redirect.conf` to diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 6ecb2da..89c9be2 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -3,12 +3,7 @@ name: nginx tasks_from: make_sure_nginx_configuration_names_are_valid -- name: make sure NGINX repos are setup - ansible.builtin.include_role: - name: nginx - tasks_from: main/repo_setup - -- name: make sure NGINX is installed +- name: ensure NGINX is installed ansible.builtin.include_role: name: nginx tasks_from: main/nginx_install diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 6d63ad3..b58ec69 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml 
@@ -1,13 +1,52 @@ -- name: make sure the `nginx` package is installed +- name: gather package facts + ansible.builtin.package_facts: + manager: apt + +- name: make sure `gnupg` package is installed ansible.builtin.apt: - name: nginx={{ nginx__version_spec }}* + name: gnupg state: present - allow_change_held_packages: true update_cache: true become: true + when: "'gnupg' not in ansible_facts.packages" -- name: apt-mark hold `nginx` - ansible.builtin.dpkg_selections: - name: nginx - selection: hold +- name: make sure NGINX signing key is added + ansible.builtin.get_url: + url: https://nginx.org/keys/nginx_signing.key + dest: /etc/apt/trusted.gpg.d/nginx.asc + mode: "0644" + owner: root + group: root + become: true + +- name: make sure NGINX APT repository is added + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: make sure NGINX APT source repository is added + ansible.builtin.apt_repository: + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories + ansible.builtin.copy: + content: | + Package: * + Pin: origin nginx.org + Pin: release o=nginx + Pin-Priority: 900 + dest: /etc/apt/preferences.d/99nginx + owner: root + group: root + mode: "0644" + become: true + +- name: Ensure nginx is installed + ansible.builtin.apt: + name: nginx + state: present + update_cache: true become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml deleted file mode 100644 index 253beb1..0000000 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ /dev/null 
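Review bot: The `get_url` task for the NGINX signing key on the new side writes the download straight into `/etc/apt/trusted.gpg.d/nginx.asc` with no `checksum:`, so a swapped key file would be accepted silently, and because everything under `trusted.gpg.d` is trusted for every APT source, the `signed-by=` in the two repository lines does not actually limit what that key may sign. Consider pinning the download with `checksum: "sha256:<expected digest of nginx_signing.key>"` and storing the key under `/etc/apt/keyrings/nginx.asc` (adjusting both `signed-by=` paths), so the key is only consulted for the nginx.org sources. The hunk also drops the `dpkg_selections` hold on `nginx`; hosts already provisioned by the previous revision keep that hold, which blocks any later upgrade until it is cleared, so if the role is expected to undo its own earlier hold it presumably needs an explicit `ansible.builtin.dpkg_selections` task with `selection: install`.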
@@ -1,45 +0,0 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed - ansible.builtin.apt: - name: gnupg - state: present - update_cache: true - become: true - when: "'gnupg' not in ansible_facts.packages" - -- name: make sure NGINX signing key is added - ansible.builtin.get_url: - url: https://nginx.org/keys/nginx_signing.key - dest: /etc/apt/trusted.gpg.d/nginx.asc - mode: "0644" - owner: root - group: root - become: true - -- name: make sure NGINX APT repository is added - ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: make sure NGINX APT source repository is added - ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories - ansible.builtin.copy: - content: | - Package: * - Pin: origin nginx.org - Pin: release o=nginx - Pin-Priority: 900 - dest: /etc/apt/preferences.d/99nginx - owner: root - group: root - mode: "0644" - become: true From bbf8e56b4b092f680f7ce1100dd859d428143e4c Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:11:46 +0100 Subject: [PATCH 03/10] nginx(role): simplify ensuring that gnupg is installed Also improve naming. --- roles/nginx/tasks/main/nginx_install.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index b58ec69..a877c67 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml 
@@ -1,14 +1,8 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed +- name: Ensure gnupg is installed ansible.builtin.apt: name: gnupg state: present - update_cache: true become: true - when: "'gnupg' not in ansible_facts.packages" - name: make sure NGINX signing key is added ansible.builtin.get_url: From ceb5598f6cf42745aa85d5936355909509141f4a Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:27:49 +0100 Subject: [PATCH 04/10] nginx(role): document arguments in README for better discoverability Document the role arguments in the README instead of in the argument_specs for better discoverability and readability. --- roles/nginx/README.md | 24 +++++++++++++++++++++++- roles/nginx/meta/argument_specs.yaml | 25 ------------------------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index e162123..343e50b 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md 
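Review bot: The `Ensure gnupg is installed` task loses `update_cache: true` together with the `package_facts` guard, so it is now the first `apt` call in the role and runs against whatever package lists the host already has; on a freshly installed host with empty or stale lists the install can fail before the later nginx task ever refreshes the cache. Restoring `update_cache: true` on this task (optionally with `cache_valid_time: 3600` so the refresh is not repeated on every run) keeps the simplification without that dependency on prior host state.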
@@ -18,7 +18,29 @@ The following distributions are supported: ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +None. + +## Optional Arguments + +- `nginx__deploy_redirect_conf`: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the `/.well-known/acme-challenge/` to localhost Port 31820 for certificate issuing. + See [`files/redirect.conf`](./files/redirect.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_tls_conf`: Whether or not to deploy a config configuring some TLS settings reasonably. + See [`files/tls.conf`](./files/tls.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_logging_conf`: Whether or not to deploy a config configuring logging to journald. + See [`files/logging.conf`](./files/logging.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__configurations`: List of nginx configurations to ensure are deployed. +- `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. + `tls` and `redirect` are reserved names. +- `nginx__configurations.*.content`: This configurations content. +- `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. + If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. + Defaults to `false`. +- `nginx__custom_nginx_conf`: The content to use for the custom `nginx.conf`. + Needs `nginx__use_custom_nginx_conf` to be set to true to work. + You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. ## `hosts` diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index 693e196..866cb81 100644 --- a/roles/nginx/meta/argument_specs.yaml 
+++ b/roles/nginx/meta/argument_specs.yaml @@ -2,21 +2,14 @@ argument_specs: main: options: nginx__deploy_redirect_conf: - description: >- - Whether or not to deploy a `redirect.conf` to - `/etc/nginx/conf.d/redirect.conf`. type: bool required: false default: true nginx__deploy_tls_conf: - description: >- - Whether or not to deploy a `tls.conf` to `/etc/nginx/conf.d/tls.conf`. type: bool required: false default: true nginx__deploy_logging_conf: - description: >- - Whether or not to deploy a `logging.conf` to `/etc/nginx/conf.d/logging.conf`. type: bool required: false default: true @@ -28,34 +21,16 @@ argument_specs: default: [ ] options: name: - description: >- - The name of the configuration file, where the configuration should - be deployed to. The file will be placed under `/etc/nginx/conf.d/` - and `.conf` will be appended to the given name. So in the end the - path will be like this: `/etc/nginx/conf.d/\{\{ name \}\}.conf`. - Note that the names `tls` and `redirect` aren't allowed. type: str required: true content: - description: The content of the configuration. type: str required: true nginx__use_custom_nginx_conf: - description: >- - Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to - true, you must provide a custom `nginx.conf` via - `nginx__custom_nginx_conf`. type: bool required: false default: false nginx__custom_nginx_conf: - description: >- - The value for a `nginx.conf` to be placed at `/etc/nginx/nginx.conf`. - You must set `nginx__use_custom_nginx_conf` to true for this value to - be used. - You should probably make sure that your custom `nginx.conf` still - includes `/etc/nginx/conf.d/*.conf` so that the configuration provided - using `nginx__configurations` still work. type: str required: false default: "" From f59c5996bbc587477725623f4f8449c759ff5a44 Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 18 Feb 2025 03:35:37 +0100 Subject: [PATCH 05/10] nginx(role): document Debian 12 support --- roles/nginx/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 343e50b..88467c3 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -15,6 +15,7 @@ The entry points available for external use are: The following distributions are supported: - Debian 11 +- Debian 12 ## Required Arguments From 177ad7d3be967d57aad8dc0ea8daf01e85198ff6 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:37:20 +0100 Subject: [PATCH 06/10] nginx(role): add "logging" to the reserved configuration names --- roles/nginx/README.md | 2 +- .../tasks/make_sure_nginx_configuration_names_are_valid.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 88467c3..c399c50 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -34,7 +34,7 @@ None. Defaults to `true`. - `nginx__configurations`: List of nginx configurations to ensure are deployed. - `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. - `tls` and `redirect` are reserved names. + `tls`, `redirect` and `logging` are reserved names. - `nginx__configurations.*.content`: This configurations content. - `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. diff --git a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml index 54ea6f5..234b12c 100644 --- a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml +++ b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml 
@@ -3,4 +3,5 @@ msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`." when: item.name == "tls" or item.name == "redirect" + or item.name == "logging" loop: "{{ nginx__configurations }}" From 8a390f6d6b6e03eadfa3a5e5c20b9bc74050230d Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 03:40:00 +0100 Subject: [PATCH 07/10] nginx(role): remove unneces. "hosts" and "entry points" sec. from README --- roles/nginx/README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index c399c50..f990c67 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -4,12 +4,6 @@ Makes sure the `nginx` package is installed from the NGINX repos on the specifie Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. For the NGINX site configurations the config template below can be used. -## Entry Points - -The entry points available for external use are: - -- `main` - ## Supported Distributions The following distributions are supported: @@ -43,10 +37,6 @@ None. Needs `nginx__use_custom_nginx_conf` to be set to true to work. You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. -## `hosts` - -The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. - ## Config Template Here's a config template, which can be used for new NGINX site configs, which you can supply to this role using the `nginx__configurations` argument. From eb8254bcafc19c9eecdbd71dd85575a3a671465d Mon Sep 17 00:00:00 2001 
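Review bot: The `msg` still names only `tls` and `redirect` while the `when` condition now also rejects `logging`, so a user hitting the new case is shown an incomplete list of reserved names; add `logging` to the list in the `msg` string so it reads "`tls`, `redirect`, `logging`". The growing multi-line `or` chain would also read better as a membership test, `when: item.name in ["tls", "redirect", "logging"]`, which keeps the reserved names in one place. The task's `name:` and `ansible.builtin.fail:` lines are above the hunk.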
From: June Date: Tue, 18 Feb 2025 04:07:07 +0100 Subject: [PATCH 08/10] nginx(role): use better naming, wording and file structure --- roles/nginx/handlers/main.yaml | 2 +- roles/nginx/tasks/main.yaml | 21 +++--- .../tasks/main/01_validate_config_names.yaml | 7 ++ ...inx_install.yaml => 02_nginx_install.yaml} | 8 +-- ...nfig_deploy.yaml => 03_config_deploy.yaml} | 68 +++++++++---------- ...e_nginx_configuration_names_are_valid.yaml | 7 -- 6 files changed, 55 insertions(+), 58 deletions(-) create mode 100644 roles/nginx/tasks/main/01_validate_config_names.yaml rename roles/nginx/tasks/main/{nginx_install.yaml => 02_nginx_install.yaml} (81%) rename roles/nginx/tasks/main/{config_deploy.yaml => 03_config_deploy.yaml} (62%) delete mode 100644 roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index 57e07fc..0a366e9 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -1,4 +1,4 @@ -- name: Restart `nginx.service` +- name: Restart nginx ansible.builtin.systemd: name: nginx.service state: restarted diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 89c9be2..4a86530 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml 
@@ -1,14 +1,11 @@ -- name: make sure nginx configuration names are valid - ansible.builtin.include_role: - name: nginx - tasks_from: make_sure_nginx_configuration_names_are_valid +- name: Ensure valid configuration names + ansible.builtin.import_tasks: + file: main/01_validate_config_names.yaml -- name: ensure NGINX is installed - ansible.builtin.include_role: - name: nginx - tasks_from: main/nginx_install +- name: Ensure nginx is installed + ansible.builtin.import_tasks: + file: main/02_nginx_install.yaml -- name: make sure desirable NGINX configs are deployed - ansible.builtin.include_role: - name: nginx - tasks_from: main/config_deploy +- name: Ensure configuration deployment + ansible.builtin.import_tasks: + file: main/03_config_deploy.yaml diff --git a/roles/nginx/tasks/main/01_validate_config_names.yaml b/roles/nginx/tasks/main/01_validate_config_names.yaml new file mode 100644 index 0000000..7991b89 --- /dev/null +++ b/roles/nginx/tasks/main/01_validate_config_names.yaml @@ -0,0 +1,7 @@ +- name: Ensure that the given configuration names are valid + ansible.builtin.fail: + msg: "You used one of the reserved configuration names: '{{ item.name }}'." + when: item.name == "tls" + or item.name == "redirect" + or item.name == "logging" + loop: "{{ nginx__configurations }}" diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/02_nginx_install.yaml similarity index 81% rename from roles/nginx/tasks/main/nginx_install.yaml rename to roles/nginx/tasks/main/02_nginx_install.yaml index a877c67..9ceb323 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/02_nginx_install.yaml @@ -4,7 +4,7 @@ state: present become: true -- name: make sure NGINX signing key is added +- name: Ensure NGINX signing key is added ansible.builtin.get_url: url: https://nginx.org/keys/nginx_signing.key dest: /etc/apt/trusted.gpg.d/nginx.asc 
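Review bot: The new `01_validate_config_names.yaml` only rejects the three reserved names, but `item.name` is later interpolated into `dest: "/etc/nginx/conf.d/{{ item.name }}.conf"` in `03_config_deploy.yaml`, so a name containing `/` would place the file outside `conf.d`, where the `find`-based cleanup never removes it. The values come from the playbook author rather than an untrusted source, so this guards against mistakes more than attacks, but since this file exists to validate names it is the natural place for it: `when: item.name in ["tls", "redirect", "logging"] or item.name is not match("^[A-Za-z0-9_.-]+$")` with the `msg` widened to mention the allowed characters. The membership test also replaces the three-line `or` chain.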
@@ -13,19 +13,19 @@ group: root become: true -- name: make sure NGINX APT repository is added +- name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true -- name: make sure NGINX APT source repository is added +- name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories +- name: Ensure repository pinning to make sure nginx package gets installed from NGINX repositories is set up ansible.builtin.copy: content: | Package: * diff --git a/roles/nginx/tasks/main/config_deploy.yaml b/roles/nginx/tasks/main/03_config_deploy.yaml similarity index 62% rename from roles/nginx/tasks/main/config_deploy.yaml rename to roles/nginx/tasks/main/03_config_deploy.yaml index 01580b1..2f0c834 100644 --- a/roles/nginx/tasks/main/config_deploy.yaml +++ b/roles/nginx/tasks/main/03_config_deploy.yaml 
@@ -1,13 +1,13 @@ -- name: check, if a save of a previous `nginx.conf` is present +- name: Check, if a save of a previous `nginx.conf` is present ansible.builtin.stat: path: /etc/nginx/nginx.conf.ansiblesave - register: nginx__nginx_conf_ansiblesave_stat_result + register: nginx__nginx_conf_ansiblesave_stat -- name: handle the case, where a custom `nginx.conf` is to be used +- name: Handle the case, where a custom `nginx.conf` is to be used when: nginx__use_custom_nginx_conf block: - - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: When no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` + when: not nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf.ansiblesave @@ -18,7 +18,7 @@ src: /etc/nginx/nginx.conf become: true - - name: deploy the custom `nginx.conf` + - name: Ensure the custom `nginx.conf` is deployed ansible.builtin.copy: content: "{{ nginx__custom_nginx_conf }}" dest: "/etc/nginx/nginx.conf" @@ -26,13 +26,13 @@ owner: root group: root become: true - notify: Restart `nginx.service` + notify: Restart nginx -- name: handle the case, where no custom `nginx.conf` is to be used +- name: Handle the case, where no custom `nginx.conf` is to be used when: not nginx__use_custom_nginx_conf block: - - name: when a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` - when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: When a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` + when: nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf 
@@ -42,32 +42,32 @@ remote_src: true src: /etc/nginx/nginx.conf.ansiblesave become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: delete the `nginx.conf.ansiblesave`, if it is present - when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: Ensure no `nginx.conf.ansiblesave` is present + when: nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.file: path: /etc/nginx/nginx.conf.ansiblesave state: absent become: true -- name: make sure mozilla dhparam is deployed +- name: Ensure mozilla dhparam is deployed ansible.builtin.get_url: force: true dest: /etc/nginx-mozilla-dhparam mode: "0644" url: https://ssl-config.mozilla.org/ffdhe2048.txt become: true - notify: Restart `nginx.service` + notify: Restart nginx -- name: set `nginx__config_files_to_exist` fact initially to an empty list +- name: Set `nginx__config_files_to_exist` fact initially to an empty list ansible.builtin.set_fact: nginx__config_files_to_exist: [ ] -- name: handle the case, where tls.conf should be deployed +- name: Handle the case, where tls.conf should be deployed when: nginx__deploy_tls_conf block: - - name: make sure tls.conf is deployed + - name: Ensure tls.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/tls.conf @@ -76,16 +76,16 @@ group: root src: tls.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add tls.conf to nginx__config_files_to_exist + - name: Add tls.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'tls.conf' ] }}" # noqa: jinja[spacing] -- name: handle the case, where redirect.conf should be deployed +- name: Handle the case, where redirect.conf should be deployed when: nginx__deploy_redirect_conf block: - - name: make sure redirect.conf is deployed + - name: Ensure redirect.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/redirect.conf 
@@ -94,16 +94,16 @@ group: root src: redirect.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add redirect.conf to nginx__config_files_to_exist + - name: Add redirect.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'redirect.conf' ] }}" # noqa: jinja[spacing] -- name: handle the case, where logging.conf should be deployed +- name: Handle the case, where logging.conf should be deployed when: nginx__deploy_logging_conf block: - - name: make sure logging.conf is deployed + - name: Ensure logging.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/logging.conf @@ -112,13 +112,13 @@ group: root src: logging.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add logging.conf to nginx__config_files_to_exist + - name: Add logging.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'logging.conf' ] }}" # noqa: jinja[spacing] -- name: make sure all given configuration files are deployed +- name: Ensure all given configuration files are deployed ansible.builtin.copy: content: "{{ item.content }}" dest: "/etc/nginx/conf.d/{{ item.name }}.conf" 
@@ -127,24 +127,24 @@ group: root become: true loop: "{{ nginx__configurations }}" - notify: Restart `nginx.service` + notify: Restart nginx -- name: add names plus suffix from `nginx__configurations` to `nginx__config_files_to_exist` fact +- name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing] loop: "{{ nginx__configurations }}" -- name: find configuration files to remove +- name: Find configuration files to remove ansible.builtin.find: paths: /etc/nginx/conf.d/ recurse: false excludes: "{{ nginx__config_files_to_exist }}" register: nginx__config_files_to_remove -- name: remove all configuration file, which should be removed +- name: Remove all configuration file, which should be removed ansible.builtin.file: path: "{{ item.path }}" state: absent become: true loop: "{{ nginx__config_files_to_remove.files }}" - notify: Restart `nginx.service` + notify: Restart nginx diff --git a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml deleted file mode 100644 index 234b12c..0000000 --- a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: make sure nginx configuration names are valid - ansible.builtin.fail: - msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`." - when: item.name == "tls" - or item.name == "redirect" - or item.name == "logging" - loop: "{{ nginx__configurations }}" From 381811d58d01c3f8e2ad7416054b7f5cc30c17d3 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 04:11:33 +0100 Subject: [PATCH 09/10] nginx(role): simplify description in README --- roles/nginx/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/roles/nginx/README.md b/roles/nginx/README.md index f990c67..94668d2 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -1,8 +1,6 @@ # Role `nginx` -Makes sure the `nginx` package is installed from the NGINX repos on the specified hosts. -Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. -For the NGINX site configurations the config template below can be used. +Ensures nginx is installed from the NGINX repos and setup as specified via the arguments. ## Supported Distributions From b1336705441e092a4291677cf885ffc6922e876c Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 04:28:08 +0100 Subject: [PATCH 10/10] check(playbook): print all held packages --- playbooks/check.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/playbooks/check.yaml b/playbooks/check.yaml index 63ea631..0945944 100644 --- a/playbooks/check.yaml +++ b/playbooks/check.yaml @@ -29,3 +29,14 @@ - name: Print .dpkg-* files list ansible.builtin.debug: var: check__dpkg_files_list + + - name: Get all held packages + ansible.builtin.command: apt-mark showhold + when: ansible_facts['pkg_mgr'] == "apt" + changed_when: false + register: check__apt_mark_showhold + + - name: Print all held packages + ansible.builtin.debug: + var: check__apt_mark_showhold.stdout_lines + when: check__apt_mark_showhold.stdout_lines != []
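Review bot: When `Get all held packages` is skipped on a host whose `pkg_mgr` is not apt, `check__apt_mark_showhold` is still registered, but as a skip result without `stdout_lines`, so the `when:` on `Print all held packages` fails with an undefined-attribute error instead of skipping. Either repeat the `pkg_mgr` condition on the debug task or default the attribute, e.g. `when: check__apt_mark_showhold.stdout_lines | default([]) != []`. The play header and the preceding tasks are above the hunk.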