ansible-infra/playbooks/roles/nginx
2024-11-23 02:49:23 +01:00
..
defaults fix all ansible-lint yaml errors (except for line-length) 2024-11-23 02:49:23 +01:00
files Enable standalone nginx/certbox config 2024-01-26 20:46:26 +01:00
handlers Use nginx role with custom nginx.conf support 2023-04-15 18:13:22 +02:00
meta cert, nginx: Update for debian 12 2023-07-09 00:03:38 +02:00
tasks fix all ansible-lint yaml errors (except for line-length) 2024-11-23 02:49:23 +01:00
README.md Setup repo pin. to ensure nginx package gets installed from NGINX repos 2023-07-30 05:19:22 +02:00

Role nginx

Makes sure the nginx package is installed from the NGINX repos on the specified hosts. Also makes sure a desirable baseline of NGINX configs is deployed on the specified hosts. For the NGINX site configurations the config template below can be used.

Entry Points

The entry points available for external use are:

  • main

Supported Distributions

The following distributions are supported:

  • Debian 11

Required Arguments

For the required arguments look at the argument_specs.yaml.

Updates

This role updates NGINX to the latest version covered by the provided version spec., if needed.

hosts

The hosts for this role need to be the machines, for which you want to make sure the nginx package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed.

Config Template

Here's a config template, which can be used for new NGINX site configs, which you can supply to this role using the nginx__configurations argument. Just replace the placeholder values with real ones and extend and edit it as needed.

# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name replace_me;

    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}