History

June 0e4df5b590 nginx(role): make loop output manageable using loop_control label		2025-02-18 06:07:47 +01:00
..
defaults	set nginx logging to use journald	2025-01-19 20:30:53 +01:00
files	set nginx logging to use journald	2025-01-19 20:30:53 +01:00
handlers	nginx(role): use better naming, wording and file structure	2025-02-18 04:32:43 +01:00
meta	nginx(role): document arguments in README for better discoverability	2025-02-18 04:32:43 +01:00
tasks	nginx(role): make loop output manageable using loop_control label	2025-02-18 06:07:47 +01:00
README.md	nginx(role): simplify description in README	2025-02-18 04:32:43 +01:00

README.md

Role `nginx`

Ensures nginx is installed from the NGINX repos and setup as specified via the arguments.

Supported Distributions

The following distributions are supported:

Debian 11
Debian 12

Required Arguments

None.

Optional Arguments

nginx__deploy_redirect_conf: Whether or not to deploy a config redirecting from HTTP to HTTPS, while still forwarding the /.well-known/acme-challenge/ to localhost Port 31820 for certificate issuing.
See files/redirect.conf for the configuration that would be deployed.
Defaults to true.
nginx__deploy_tls_conf: Whether or not to deploy a config configuring some TLS settings reasonably.
See files/tls.conf for the configuration that would be deployed.
Defaults to true.
nginx__deploy_logging_conf: Whether or not to deploy a config configuring logging to journald.
See files/logging.conf for the configuration that would be deployed.
Defaults to true.
nginx__configurations: List of nginx configurations to ensure are deployed.
nginx__configurations.*.name: This name with .conf appended will be used for the configurations file name under /etc/nginx/conf.d/.
tls, redirect and logging are reserved names.
nginx__configurations.*.content: This configurations content.
nginx__use_custom_nginx_conf: Whether or not to use a custom /etc/nginx/nginx.conf. If set to true, you must provide the content for a custom nginx.conf via nginx__custom_nginx_conf.
Defaults to false.
nginx__custom_nginx_conf: The content to use for the custom nginx.conf. Needs nginx__use_custom_nginx_conf to be set to true to work.
You should probably still make sure that your custom nginx.conf includes /etc/nginx/conf.d/*.conf, so that the other configuration files still work.

Config Template

Here's a config template, which can be used for new NGINX site configs, which you can supply to this role using the nginx__configurations argument. Just replace the placeholder values with real ones and extend and edit it as needed.

# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name replace_me;

    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}

Links & Resources

https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#installing-prebuilt-debian-packages