From 172d6472bc66258c86830d6997e15020e68113a6 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 02:59:00 +0100 Subject: [PATCH 01/10] nginx(role): remove unnecessary apt-get update step The nginx package gets installed with "update_cache: true" afterwards anyway, so the apt-get update step shouldn't be necessary. --- roles/nginx/handlers/main.yaml | 5 ----- roles/nginx/tasks/main/repo_setup.yaml | 6 ------ 2 files changed, 11 deletions(-) diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index bc420db..57e07fc 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -3,8 +3,3 @@ name: nginx.service state: restarted become: true - -- name: apt-get update - ansible.builtin.apt: - update_cache: true - become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml index 9edc156..253beb1 100644 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ b/roles/nginx/tasks/main/repo_setup.yaml @@ -18,21 +18,18 @@ owner: root group: root become: true - notify: apt-get update - name: make sure NGINX APT repository is added ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - notify: apt-get update - name: make sure NGINX APT source repository is added ansible.builtin.apt_repository: repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true - notify: apt-get update - name: set up repository pinning to make sure nginx package gets installed from NGINX repositories ansible.builtin.copy: @@ -46,6 +43,3 @@ group: root mode: "0644" become: true - -- name: Flush handlers to make sure "apt-get update" handler runs, if needed - ansible.builtin.meta: flush_handlers -- 2.47.2 
From df22074aeb78fa1f4edee001cbb5673629a087c4 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:59:08 +0100 Subject: [PATCH 02/10] nginx(role): simplify installation by removing version spec We always just want the latest anyway and therefore don't use it, so no need to keep the complexity introduced by that setting. Also merge repo_setup and nginx_install task lists into one nginx_install task list as keeping two files isn't necessary. Finally improving naming a bit. --- roles/nginx/README.md | 4 -- roles/nginx/meta/argument_specs.yaml | 9 ---- roles/nginx/tasks/main.yaml | 7 +-- roles/nginx/tasks/main/nginx_install.yaml | 53 ++++++++++++++++++++--- roles/nginx/tasks/main/repo_setup.yaml | 45 ------------------- 5 files changed, 47 insertions(+), 71 deletions(-) delete mode 100644 roles/nginx/tasks/main/repo_setup.yaml diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 9abf2ea..e162123 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -20,10 +20,6 @@ The following distributions are supported: For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). -## Updates - -This role updates NGINX to the latest version covered by the provided version spec., if needed. - ## `hosts` The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index d79ba9e..693e196 100644 --- a/roles/nginx/meta/argument_specs.yaml +++ b/roles/nginx/meta/argument_specs.yaml 
@@ -1,15 +1,6 @@ argument_specs: main: options: - nginx__version_spec: - description: >- - The version specification to use for installing the `nginx` package. The - provided version specification will be used like the following: `nginx={{ - nginx__version_spec }}*`. This makes it possible to e.g. specify - until a minor version (like `1.3.`) and then have patch versions be - installed automatically (like `1.3.1` and so on). - type: str - required: true nginx__deploy_redirect_conf: description: >- Whether or not to deploy a `redirect.conf` to diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 6ecb2da..89c9be2 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -3,12 +3,7 @@ name: nginx tasks_from: make_sure_nginx_configuration_names_are_valid -- name: make sure NGINX repos are setup - ansible.builtin.include_role: - name: nginx - tasks_from: main/repo_setup - -- name: make sure NGINX is installed +- name: ensure NGINX is installed ansible.builtin.include_role: name: nginx tasks_from: main/nginx_install diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index 6d63ad3..b58ec69 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml 
@@ -1,13 +1,52 @@ -- name: make sure the `nginx` package is installed +- name: gather package facts + ansible.builtin.package_facts: + manager: apt + +- name: make sure `gnupg` package is installed ansible.builtin.apt: - name: nginx={{ nginx__version_spec }}* + name: gnupg state: present - allow_change_held_packages: true update_cache: true become: true + when: "'gnupg' not in ansible_facts.packages" -- name: apt-mark hold `nginx` - ansible.builtin.dpkg_selections: - name: nginx - selection: hold +- name: make sure NGINX signing key is added + ansible.builtin.get_url: + url: https://nginx.org/keys/nginx_signing.key + dest: /etc/apt/trusted.gpg.d/nginx.asc + mode: "0644" + owner: root + group: root + become: true + +- name: make sure NGINX APT repository is added + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: make sure NGINX APT source repository is added + ansible.builtin.apt_repository: + repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" + state: present + become: true + +- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories + ansible.builtin.copy: + content: | + Package: * + Pin: origin nginx.org + Pin: release o=nginx + Pin-Priority: 900 + dest: /etc/apt/preferences.d/99nginx + owner: root + group: root + mode: "0644" + become: true + +- name: Ensure nginx is installed + ansible.builtin.apt: + name: nginx + state: present + update_cache: true become: true diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml deleted file mode 100644 index 253beb1..0000000 --- a/roles/nginx/tasks/main/repo_setup.yaml +++ /dev/null 
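Review bot: Storing the downloaded signing key under `/etc/apt/trusted.gpg.d/` makes it a trust anchor for every APT source on the host, so the `signed-by=` option in the two `apt_repository` entries restricts nothing; keep the key outside the trusted directory (e.g. `/etc/apt/keyrings/nginx.asc`, with a `file` task creating the directory since it is not present on Debian 11) and point both `signed-by=` paths at it. The `get_url` task also has no `checksum:`, so whatever is served at that URL becomes a trusted key on the next run; pinning the expected digest (obtained out of band, e.g. from the published key fingerprint) turns a changed key into a task failure instead of a silent re-trust. The same paths reappear in the renamed `02_nginx_install.yaml` hunks of patch 08.
```yaml
- name: Ensure APT keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  become: true

- name: make sure NGINX signing key is added
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /etc/apt/keyrings/nginx.asc
    checksum: "sha256:<EXPECTED_DIGEST_PLACEHOLDER>"  # obtain out of band, not from the download URL
    # … unchanged: mode/owner/group, become …

# … unchanged: repository tasks, with signed-by=/etc/apt/keyrings/nginx.asc in both repo: strings; pinning; nginx install …
```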
@@ -1,45 +0,0 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed - ansible.builtin.apt: - name: gnupg - state: present - update_cache: true - become: true - when: "'gnupg' not in ansible_facts.packages" - -- name: make sure NGINX signing key is added - ansible.builtin.get_url: - url: https://nginx.org/keys/nginx_signing.key - dest: /etc/apt/trusted.gpg.d/nginx.asc - mode: "0644" - owner: root - group: root - become: true - -- name: make sure NGINX APT repository is added - ansible.builtin.apt_repository: - repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: make sure NGINX APT source repository is added - ansible.builtin.apt_repository: - repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - state: present - become: true - -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories - ansible.builtin.copy: - content: | - Package: * - Pin: origin nginx.org - Pin: release o=nginx - Pin-Priority: 900 - dest: /etc/apt/preferences.d/99nginx - owner: root - group: root - mode: "0644" - become: true -- 2.47.2 From 2e9f73b46bf0bc1d226a5dd2e046765bd037d5b7 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:11:46 +0100 Subject: [PATCH 03/10] nginx(role): simplify ensuring that gnupg is installed Also improve naming. --- roles/nginx/tasks/main/nginx_install.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml index b58ec69..a877c67 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/nginx_install.yaml 
@@ -1,14 +1,8 @@ -- name: gather package facts - ansible.builtin.package_facts: - manager: apt - -- name: make sure `gnupg` package is installed +- name: Ensure gnupg is installed ansible.builtin.apt: name: gnupg state: present - update_cache: true become: true - when: "'gnupg' not in ansible_facts.packages" - name: make sure NGINX signing key is added ansible.builtin.get_url: -- 2.47.2 From 4adf39d969357e20f40c2ec15d9fba20b96468be Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:27:49 +0100 Subject: [PATCH 04/10] nginx(role): document arguments in README for better discoverability Document the role arguments in the README instead of in the argument_specs for better discoverability and readability. --- roles/nginx/README.md | 24 +++++++++++++++++++++++- roles/nginx/meta/argument_specs.yaml | 25 ------------------------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index e162123..343e50b 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md 
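Review bot: Dropping `update_cache: true` from the gnupg task means the install runs against whatever package lists the host already has; on a freshly provisioned host that has never run `apt-get update`, apt cannot locate the package and the task fails before any repository is configured. A bounded refresh keeps repeated runs cheap while covering that case: `update_cache: true` together with `cache_valid_time: 3600`. Whether the role only ever targets hosts with current lists is not visible here, so treat this as a robustness hedge.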
@@ -18,7 +18,29 @@ The following distributions are supported: ## Required Arguments -For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml). +None. + +## Optional Arguments + +- `nginx__deploy_redirect_conf`: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the `/.well-known/acme-challenge/` to localhost Port 31820 for certificate issuing. + See [`files/redirect.conf`](./files/redirect.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_tls_conf`: Whether or not to deploy a config configuring some TLS settings reasonably. + See [`files/tls.conf`](./files/tls.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__deploy_logging_conf`: Whether or not to deploy a config configuring logging to journald. + See [`files/logging.conf`](./files/logging.conf) for the configuration that would be deployed. + Defaults to `true`. +- `nginx__configurations`: List of nginx configurations to ensure are deployed. +- `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. + `tls` and `redirect` are reserved names. +- `nginx__configurations.*.content`: This configurations content. +- `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. + If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. + Defaults to `false`. +- `nginx__custom_nginx_conf`: The content to use for the custom `nginx.conf`. + Needs `nginx__use_custom_nginx_conf` to be set to true to work. + You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. ## `hosts` diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml index 693e196..866cb81 100644 --- a/roles/nginx/meta/argument_specs.yaml 
+++ b/roles/nginx/meta/argument_specs.yaml @@ -2,21 +2,14 @@ argument_specs: main: options: nginx__deploy_redirect_conf: - description: >- - Whether or not to deploy a `redirect.conf` to - `/etc/nginx/conf.d/redirect.conf`. type: bool required: false default: true nginx__deploy_tls_conf: - description: >- - Whether or not to deploy a `tls.conf` to `/etc/nginx/conf.d/tls.conf`. type: bool required: false default: true nginx__deploy_logging_conf: - description: >- - Whether or not to deploy a `logging.conf` to `/etc/nginx/conf.d/logging.conf`. type: bool required: false default: true @@ -28,34 +21,16 @@ argument_specs: default: [ ] options: name: - description: >- - The name of the configuration file, where the configuration should - be deployed to. The file will be placed under `/etc/nginx/conf.d/` - and `.conf` will be appended to the given name. So in the end the - path will be like this: `/etc/nginx/conf.d/\{\{ name \}\}.conf`. - Note that the names `tls` and `redirect` aren't allowed. type: str required: true content: - description: The content of the configuration. type: str required: true nginx__use_custom_nginx_conf: - description: >- - Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to - true, you must provide a custom `nginx.conf` via - `nginx__custom_nginx_conf`. type: bool required: false default: false nginx__custom_nginx_conf: - description: >- - The value for a `nginx.conf` to be placed at `/etc/nginx/nginx.conf`. - You must set `nginx__use_custom_nginx_conf` to true for this value to - be used. - You should probably make sure that your custom `nginx.conf` still - includes `/etc/nginx/conf.d/*.conf` so that the configuration provided - using `nginx__configurations` still work. type: str required: false default: "" -- 2.47.2 From 3d22f7ffae6ca142c253cf8999543a8e8a14ac61 Mon Sep 17 00:00:00 2001 
From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:35:37 +0100 Subject: [PATCH 05/10] nginx(role): document Debian 12 support --- roles/nginx/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 343e50b..88467c3 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -15,6 +15,7 @@ The entry points available for external use are: The following distributions are supported: - Debian 11 +- Debian 12 ## Required Arguments -- 2.47.2 From 5809e4015f15fc09624ed0102c84960f9a82e314 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:37:20 +0100 Subject: [PATCH 06/10] nginx(role): add "logging" to the reserved configuration names --- roles/nginx/README.md | 2 +- .../tasks/make_sure_nginx_configuration_names_are_valid.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index 88467c3..c399c50 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -34,7 +34,7 @@ None. Defaults to `true`. - `nginx__configurations`: List of nginx configurations to ensure are deployed. - `nginx__configurations.*.name`: This name with `.conf` appended will be used for the configurations file name under `/etc/nginx/conf.d/`. - `tls` and `redirect` are reserved names. + `tls`, `redirect` and `logging` are reserved names. - `nginx__configurations.*.content`: This configurations content. - `nginx__use_custom_nginx_conf`: Whether or not to use a custom `/etc/nginx/nginx.conf`. If set to true, you must provide the content for a custom `nginx.conf` via `nginx__custom_nginx_conf`. diff --git a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml index 54ea6f5..234b12c 100644 --- a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml +++ b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml 
@@ -3,4 +3,5 @@ msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`." when: item.name == "tls" or item.name == "redirect" + or item.name == "logging" loop: "{{ nginx__configurations }}" -- 2.47.2 From 9b2ef55f867646fa3c24dc5c99a198089f58bab2 Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 03:40:00 +0100 Subject: [PATCH 07/10] nginx(role): remove unneces. "hosts" and "entry points" sec. from README --- roles/nginx/README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/roles/nginx/README.md b/roles/nginx/README.md index c399c50..f990c67 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -4,12 +4,6 @@ Makes sure the `nginx` package is installed from the NGINX repos on the specifie Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. For the NGINX site configurations the config template below can be used. -## Entry Points - -The entry points available for external use are: - -- `main` - ## Supported Distributions The following distributions are supported: @@ -43,10 +37,6 @@ None. Needs `nginx__use_custom_nginx_conf` to be set to true to work. You should probably still make sure that your custom `nginx.conf` includes `/etc/nginx/conf.d/*.conf`, so that the other configuration files still work. -## `hosts` - -The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed. - ## Config Template Here's a config template, which can be used for new NGINX site configs, which you can supply to this role using the `nginx__configurations` argument. -- 2.47.2 From 344dd78981a5ba8db7932028143ef7e5bad7f969 Mon Sep 17 00:00:00 2001 
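Review bot: The `msg` on the context line above still tells the user that only `tls` and `redirect` are reserved, while the added condition now also rejects `logging`, so the failure text contradicts the check it reports. Append `logging` to the list in the message, and consider collapsing the three comparisons into `when: item.name in ["tls", "redirect", "logging"]` so the reserved list is maintained in one place. The task's first lines are outside this hunk.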
From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 04:07:07 +0100 Subject: [PATCH 08/10] nginx(role): use better naming, wording and file structure --- roles/nginx/handlers/main.yaml | 2 +- roles/nginx/tasks/main.yaml | 21 +++--- .../tasks/main/01_validate_config_names.yaml | 7 ++ ...inx_install.yaml => 02_nginx_install.yaml} | 8 +-- ...nfig_deploy.yaml => 03_config_deploy.yaml} | 68 +++++++++---------- ...e_nginx_configuration_names_are_valid.yaml | 7 -- 6 files changed, 55 insertions(+), 58 deletions(-) create mode 100644 roles/nginx/tasks/main/01_validate_config_names.yaml rename roles/nginx/tasks/main/{nginx_install.yaml => 02_nginx_install.yaml} (81%) rename roles/nginx/tasks/main/{config_deploy.yaml => 03_config_deploy.yaml} (62%) delete mode 100644 roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml index 57e07fc..0a366e9 100644 --- a/roles/nginx/handlers/main.yaml +++ b/roles/nginx/handlers/main.yaml @@ -1,4 +1,4 @@ -- name: Restart `nginx.service` +- name: Restart nginx ansible.builtin.systemd: name: nginx.service state: restarted diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 89c9be2..4a86530 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml 
@@ -1,14 +1,11 @@ -- name: make sure nginx configuration names are valid - ansible.builtin.include_role: - name: nginx - tasks_from: make_sure_nginx_configuration_names_are_valid +- name: Ensure valid configuration names + ansible.builtin.import_tasks: + file: main/01_validate_config_names.yaml -- name: ensure NGINX is installed - ansible.builtin.include_role: - name: nginx - tasks_from: main/nginx_install +- name: Ensure nginx is installed + ansible.builtin.import_tasks: + file: main/02_nginx_install.yaml -- name: make sure desirable NGINX configs are deployed - ansible.builtin.include_role: - name: nginx - tasks_from: main/config_deploy +- name: Ensure configuration deployment + ansible.builtin.import_tasks: + file: main/03_config_deploy.yaml diff --git a/roles/nginx/tasks/main/01_validate_config_names.yaml b/roles/nginx/tasks/main/01_validate_config_names.yaml new file mode 100644 index 0000000..7991b89 --- /dev/null +++ b/roles/nginx/tasks/main/01_validate_config_names.yaml @@ -0,0 +1,7 @@ +- name: Ensure that the given configuration names are valid + ansible.builtin.fail: + msg: "You used one of the reserved configuration names: '{{ item.name }}'." + when: item.name == "tls" + or item.name == "redirect" + or item.name == "logging" + loop: "{{ nginx__configurations }}" diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/02_nginx_install.yaml similarity index 81% rename from roles/nginx/tasks/main/nginx_install.yaml rename to roles/nginx/tasks/main/02_nginx_install.yaml index a877c67..9ceb323 100644 --- a/roles/nginx/tasks/main/nginx_install.yaml +++ b/roles/nginx/tasks/main/02_nginx_install.yaml @@ -4,7 +4,7 @@ state: present become: true -- name: make sure NGINX signing key is added +- name: Ensure NGINX signing key is added ansible.builtin.get_url: url: https://nginx.org/keys/nginx_signing.key dest: /etc/apt/trusted.gpg.d/nginx.asc 
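Review bot: The new `01_validate_config_names.yaml` rejects only the three reserved names, but `item.name` is later interpolated into `dest: "/etc/nginx/conf.d/{{ item.name }}.conf"` (visible in the `03_config_deploy.yaml` hunks), so a name containing `/` or `..` writes outside `conf.d` and can replace `/etc/nginx/nginx.conf` on a playbook author's typo or mistake. Adding a shape check next to the reserved-name check, `or item.name is not match("^[A-Za-z0-9_-]+$")`, confines every deployed file to a single path component; adjust the character set to the project's naming needs. The `msg` could then name which rule was violated, e.g. `msg: "Configuration name '{{ item.name }}' is reserved or contains characters other than letters, digits, '_' and '-'."`.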
@@ -13,19 +13,19 @@ group: root become: true -- name: make sure NGINX APT repository is added +- name: Ensure NGINX APT repository is added ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true -- name: make sure NGINX APT source repository is added +- name: Ensure NGINX APT source repository is added ansible.builtin.apt_repository: repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" state: present become: true -- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories +- name: Ensure repository pinning to make sure nginx package gets installed from NGINX repositories is set up ansible.builtin.copy: content: | Package: * diff --git a/roles/nginx/tasks/main/config_deploy.yaml b/roles/nginx/tasks/main/03_config_deploy.yaml similarity index 62% rename from roles/nginx/tasks/main/config_deploy.yaml rename to roles/nginx/tasks/main/03_config_deploy.yaml index 01580b1..2f0c834 100644 --- a/roles/nginx/tasks/main/config_deploy.yaml +++ b/roles/nginx/tasks/main/03_config_deploy.yaml 
@@ -1,13 +1,13 @@ -- name: check, if a save of a previous `nginx.conf` is present +- name: Check, if a save of a previous `nginx.conf` is present ansible.builtin.stat: path: /etc/nginx/nginx.conf.ansiblesave - register: nginx__nginx_conf_ansiblesave_stat_result + register: nginx__nginx_conf_ansiblesave_stat -- name: handle the case, where a custom `nginx.conf` is to be used +- name: Handle the case, where a custom `nginx.conf` is to be used when: nginx__use_custom_nginx_conf block: - - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` - when: not nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: When no `nginx.conf.ansiblesave` is present, save the current `nginx.conf` + when: not nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf.ansiblesave @@ -18,7 +18,7 @@ src: /etc/nginx/nginx.conf become: true - - name: deploy the custom `nginx.conf` + - name: Ensure the custom `nginx.conf` is deployed ansible.builtin.copy: content: "{{ nginx__custom_nginx_conf }}" dest: "/etc/nginx/nginx.conf" @@ -26,13 +26,13 @@ owner: root group: root become: true - notify: Restart `nginx.service` + notify: Restart nginx -- name: handle the case, where no custom `nginx.conf` is to be used +- name: Handle the case, where no custom `nginx.conf` is to be used when: not nginx__use_custom_nginx_conf block: - - name: when a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` - when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: When a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf` + when: nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.copy: force: true dest: /etc/nginx/nginx.conf 
@@ -42,32 +42,32 @@ remote_src: true src: /etc/nginx/nginx.conf.ansiblesave become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: delete the `nginx.conf.ansiblesave`, if it is present - when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists + - name: Ensure no `nginx.conf.ansiblesave` is present + when: nginx__nginx_conf_ansiblesave_stat.stat.exists ansible.builtin.file: path: /etc/nginx/nginx.conf.ansiblesave state: absent become: true -- name: make sure mozilla dhparam is deployed +- name: Ensure mozilla dhparam is deployed ansible.builtin.get_url: force: true dest: /etc/nginx-mozilla-dhparam mode: "0644" url: https://ssl-config.mozilla.org/ffdhe2048.txt become: true - notify: Restart `nginx.service` + notify: Restart nginx -- name: set `nginx__config_files_to_exist` fact initially to an empty list +- name: Set `nginx__config_files_to_exist` fact initially to an empty list ansible.builtin.set_fact: nginx__config_files_to_exist: [ ] -- name: handle the case, where tls.conf should be deployed +- name: Handle the case, where tls.conf should be deployed when: nginx__deploy_tls_conf block: - - name: make sure tls.conf is deployed + - name: Ensure tls.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/tls.conf @@ -76,16 +76,16 @@ group: root src: tls.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add tls.conf to nginx__config_files_to_exist + - name: Add tls.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'tls.conf' ] }}" # noqa: jinja[spacing] -- name: handle the case, where redirect.conf should be deployed +- name: Handle the case, where redirect.conf should be deployed when: nginx__deploy_redirect_conf block: - - name: make sure redirect.conf is deployed + - name: Ensure redirect.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/redirect.conf 
@@ -94,16 +94,16 @@ group: root src: redirect.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add redirect.conf to nginx__config_files_to_exist + - name: Add redirect.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'redirect.conf' ] }}" # noqa: jinja[spacing] -- name: handle the case, where logging.conf should be deployed +- name: Handle the case, where logging.conf should be deployed when: nginx__deploy_logging_conf block: - - name: make sure logging.conf is deployed + - name: Ensure logging.conf is deployed ansible.builtin.copy: force: true dest: /etc/nginx/conf.d/logging.conf @@ -112,13 +112,13 @@ group: root src: logging.conf become: true - notify: Restart `nginx.service` + notify: Restart nginx - - name: add logging.conf to nginx__config_files_to_exist + - name: Add logging.conf to nginx__config_files_to_exist ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'logging.conf' ] }}" # noqa: jinja[spacing] -- name: make sure all given configuration files are deployed +- name: Ensure all given configuration files are deployed ansible.builtin.copy: content: "{{ item.content }}" dest: "/etc/nginx/conf.d/{{ item.name }}.conf" 
@@ -127,24 +127,24 @@ group: root become: true loop: "{{ nginx__configurations }}" - notify: Restart `nginx.service` + notify: Restart nginx -- name: add names plus suffix from `nginx__configurations` to `nginx__config_files_to_exist` fact +- name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact ansible.builtin.set_fact: nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing] loop: "{{ nginx__configurations }}" -- name: find configuration files to remove +- name: Find configuration files to remove ansible.builtin.find: paths: /etc/nginx/conf.d/ recurse: false excludes: "{{ nginx__config_files_to_exist }}" register: nginx__config_files_to_remove -- name: remove all configuration file, which should be removed +- name: Remove all configuration file, which should be removed ansible.builtin.file: path: "{{ item.path }}" state: absent become: true loop: "{{ nginx__config_files_to_remove.files }}" - notify: Restart `nginx.service` + notify: Restart nginx diff --git a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml b/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml deleted file mode 100644 index 234b12c..0000000 --- a/roles/nginx/tasks/make_sure_nginx_configuration_names_are_valid.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: make sure nginx configuration names are valid - ansible.builtin.fail: - msg: "You used the following name: `{{ item.name }}`. Please make sure to not use the following names: `tls`, `redirect`." - when: item.name == "tls" - or item.name == "redirect" - or item.name == "logging" - loop: "{{ nginx__configurations }}" -- 2.47.2 From 34b9ee2fa4c2b19403d180fb44e4a160ced299da Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 04:11:33 +0100 Subject: [PATCH 09/10] nginx(role): simplify description in README --- roles/nginx/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/roles/nginx/README.md b/roles/nginx/README.md index f990c67..94668d2 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md @@ -1,8 +1,6 @@ # Role `nginx` -Makes sure the `nginx` package is installed from the NGINX repos on the specified hosts. -Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. -For the NGINX site configurations the config template below can be used. +Ensures nginx is installed from the NGINX repos and setup as specified via the arguments. ## Supported Distributions -- 2.47.2 From 5e5c980f147c855bb9c5e6b78762dcf58c36195b Mon Sep 17 00:00:00 2001 From: June <june@jsts.xyz> Date: Tue, 18 Feb 2025 04:28:08 +0100 Subject: [PATCH 10/10] check(playbook): print all held packages --- playbooks/check.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/playbooks/check.yaml b/playbooks/check.yaml index 63ea631..0945944 100644 --- a/playbooks/check.yaml +++ b/playbooks/check.yaml @@ -29,3 +29,14 @@ - name: Print .dpkg-* files list ansible.builtin.debug: var: check__dpkg_files_list + + - name: Get all held packages + ansible.builtin.command: apt-mark showhold + when: ansible_facts['pkg_mgr'] == "apt" + changed_when: false + register: check__apt_mark_showhold + + - name: Print all held packages + ansible.builtin.debug: + var: check__apt_mark_showhold.stdout_lines + when: check__apt_mark_showhold.stdout_lines != [] -- 2.47.2
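Review bot: In the `playbooks/check.yaml` hunk the final `when: check__apt_mark_showhold.stdout_lines != []` raises an undefined-attribute error on any host where the preceding task was skipped by its `pkg_mgr` condition, because a skipped task's registered result carries no `stdout_lines`. Guard the debug task with a default, `when: check__apt_mark_showhold.stdout_lines | default([]) | length > 0`, or repeat the `pkg_mgr` condition alongside it. The play these tasks belong to starts outside the hunk, so whether non-apt hosts can reach it is not visible here.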