From 3c917ce4b2e072fa8b3ee27a7af7ea4abacc1bc0 Mon Sep 17 00:00:00 2001
From: baldo <baldo@toppoint.de>
Date: Sat, 14 Nov 2015 18:48:41 +0100
Subject: [PATCH] nginx Basis-Setup

---
 .../base/files/etc/nginx/conf.d/gzip.conf     |  18 +++
 .../base/files/etc/nginx/conf.d/logging.conf  |  11 ++
 .../files/etc/nginx/conf.d/optimizations.conf |   9 ++
 .../base/files/etc/nginx/conf.d/security.conf |  12 ++
 .../base/files/etc/nginx/include/ssl.rewrite  |   2 +-
 .../base/files/etc/nginx/nginx.conf           |  20 ---
 roles/web-server/base/tasks/main.yml          | 114 ++++++++++--------
 ...nf.j2 => ssl_hamburg_freifunk_net.conf.j2} |   0
 8 files changed, 117 insertions(+), 69 deletions(-)
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/logging.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
 create mode 100644 roles/web-server/base/files/etc/nginx/conf.d/security.conf
 rename roles/web-server/base/templates/etc/nginx/include/{ssl_hamburg.freifunk.net.conf.j2 => ssl_hamburg_freifunk_net.conf.j2} (100%)

diff --git a/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf b/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
new file mode 100644
index 0000000..125aeed
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/gzip.conf
@@ -0,0 +1,18 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Gzip settings
+
+gzip                    on;
+gzip_disable            "msie6";
+gzip_static             on;
+gzip_vary               on;
+gzip_proxied            any;
+gzip_comp_level         9;
+gzip_buffers            256 8k;
+gzip_http_version       1.1;
+gzip_min_length         0;
+gzip_types              text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/logging.conf b/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
new file mode 100644
index 0000000..4f16c2c
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/logging.conf
@@ -0,0 +1,11 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+##
+# Logging Settings
+##
+
+include /etc/nginx/include/no_logging.conf;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf b/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
new file mode 100644
index 0000000..4702ba9
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/optimizations.conf
@@ -0,0 +1,9 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Server optimizations
+
+server_names_hash_bucket_size 128;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/conf.d/security.conf b/roles/web-server/base/files/etc/nginx/conf.d/security.conf
new file mode 100644
index 0000000..6b02fae
--- /dev/null
+++ b/roles/web-server/base/files/etc/nginx/conf.d/security.conf
@@ -0,0 +1,12 @@
+#
+# ACTHUNG:
+#
+# Wird via Ansible konfiguriert. Bitte nicht manuell ändern!
+#
+
+# Global security settings for nginx
+
+ignore_invalid_headers on;
+sendfile on;
+server_name_in_redirect off;
+server_tokens off;
\ No newline at end of file
diff --git a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
index aef70f8..fd611d1 100644
--- a/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
+++ b/roles/web-server/base/files/etc/nginx/include/ssl.rewrite
@@ -5,4 +5,4 @@
 #
 
 # Generischer Rewrite von HTTP nach HTTPS
-rewrite	^ https://$server_name$request_uri? permanent;
+rewrite ^ https://$server_name$request_uri? permanent;
diff --git a/roles/web-server/base/files/etc/nginx/nginx.conf b/roles/web-server/base/files/etc/nginx/nginx.conf
index 503dd32..83bff5e 100644
--- a/roles/web-server/base/files/etc/nginx/nginx.conf
+++ b/roles/web-server/base/files/etc/nginx/nginx.conf
@@ -38,26 +38,6 @@ http {
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
     ssl_prefer_server_ciphers on;
 
-    ##
-    # Logging Settings
-    ##
-
-    include /etc/nginx/include/no_logging.conf;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
     ##
     # Virtual Host Configs
     ##
diff --git a/roles/web-server/base/tasks/main.yml b/roles/web-server/base/tasks/main.yml
index 71ebaad..7b63634 100644
--- a/roles/web-server/base/tasks/main.yml
+++ b/roles/web-server/base/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-#- name: be sure nginx is installed
-#  apt: name=nginx state=latest
-#  tags: nginx
+- name: be sure nginx is installed
+  apt: name=nginx state=latest
+  tags: nginx
 
 - name: check ssl directories exist an have correct permissions
   file: >
@@ -37,48 +37,66 @@
     - nginx
     - ssl
 
-#- name: copy includes
-#  copy: >
-#    src=etc/nginx/include
-#    dest=/etc/nginx
-#    mode=0644
-#    owner=root
-#    group=root
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: apply templates
-#  template: >
-#    src="etc/nginx/{{ item }}.j2"
-#    dest="/etc/nginx/{{ item }}"
-#    mode=0644
-#    owner=root
-#    group=root
-#  items:
-#    - include/ssl_wildcard.conf
-#    - include/ssl_hamburg.freifunk.net.conf
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: remove default site
-#  file: path={{ item }} state=absent
-#  with_items:
-#    - /etc/nginx/sites-available/default
-#    - /etc/nginx/sites-enabled/default
-#    - /var/www/html
-#  notify:
-#    - restart nginx
-#  tags: nginx
-#
-#- name: configure nginx
-#  copy: >
-#    src=etc/nginx/nginx.conf
-#    dest=/etc/nginx/nginx.conf
-#    mode=0644
-#    owner=root
-#    group=root
-#  notify:
-#    - restart nginx
-#  tags: nginx
+- name: copy includes
+  copy: >
+    backup=yes
+    src=etc/nginx/include
+    dest=/etc/nginx
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: copy configs
+  copy: >
+    backup=yes
+    src=etc/nginx/conf.d
+    dest=/etc/nginx
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: apply templates
+  template: >
+    backup=yes
+    src="etc/nginx/{{ item }}.j2"
+    dest="/etc/nginx/{{ item }}"
+    mode=0644
+    owner=root
+    group=root
+  with_items:
+    - include/ssl_wildcard.conf
+    - include/ssl_hamburg_freifunk_net.conf
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: remove default sites / configs
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/nginx/conf.d/default.conf_disabled
+    - /etc/nginx/conf.d/example_ssl.conf_disabled
+    - /etc/nginx/conf.d/mail.conf
+    - /etc/nginx/sites-available/default
+    - /etc/nginx/sites-enabled/default
+    - /var/www/html
+  notify:
+    - restart nginx
+  tags: nginx
+
+- name: configure nginx
+  copy: >
+    backup=yes
+    src=etc/nginx/nginx.conf
+    dest=/etc/nginx/nginx.conf
+    mode=0644
+    owner=root
+    group=root
+  notify:
+    - restart nginx
+  tags: nginx
diff --git a/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2 b/roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2
similarity index 100%
rename from roles/web-server/base/templates/etc/nginx/include/ssl_hamburg.freifunk.net.conf.j2
rename to roles/web-server/base/templates/etc/nginx/include/ssl_hamburg_freifunk_net.conf.j2