diff --git a/basics.yml b/basics.yml
index 9a52ef0..58772c7 100644
--- a/basics.yml
+++ b/basics.yml
@@ -1,5 +1,5 @@
---
-- hosts: all
+- hosts: ffhh
roles:
- basics
- ffhh-basics
@@ -9,3 +9,8 @@
roles:
- certsync
tags: certsync
+
+- hosts: nginx
+ roles:
+ - nginx
+ tags: nginx
diff --git a/host_vars/srv02 b/host_vars/srv02
index 97c415a..d38f4b1 100644
--- a/host_vars/srv02
+++ b/host_vars/srv02
@@ -4,3 +4,4 @@ basics_autoupdate_origins:
- o=TorProject,n=${distro_codename}
hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
+nginx_resolver: 127.0.0.1
diff --git a/production b/production
index 05513d0..0786974 100644
--- a/production
+++ b/production
@@ -10,11 +10,15 @@ srv03
[hopglass-frontend]
srv02
+[nginx]
+gw03-new ansible_host=gw03-new.hamburg.freifunk.net
+
[updates]
srv01
srv03
[vms]
+gw03-new
srv01
srv02
srv03
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 3640390..f4915de 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,2 +1,6 @@
-letsencrypt_webroot: /var/www/letsencrypt
-nginx_resolver: 127.0.0.1 [::1]
+---
+nginx_access_log: "off"
+nginx_error_log: "/dev/null error"
+nginx_package: nginx
+nginx_worker_connections: 512
+nginx_worker_processes: auto
diff --git a/roles/nginx/files/error-pages/502.html b/roles/nginx/files/error-pages/502.html
new file mode 100644
index 0000000..16fdca7
--- /dev/null
+++ b/roles/nginx/files/error-pages/502.html
@@ -0,0 +1,10 @@
+
+
+
+
+ 502 Bad Gateway
+
+
+
+
+
diff --git a/roles/nginx/files/error-pages/bad_gateway.png b/roles/nginx/files/error-pages/bad_gateway.png
new file mode 100644
index 0000000..1bfdffa
Binary files /dev/null and b/roles/nginx/files/error-pages/bad_gateway.png differ
diff --git a/roles/nginx/files/error-pages/style.css b/roles/nginx/files/error-pages/style.css
new file mode 100644
index 0000000..8652fc6
--- /dev/null
+++ b/roles/nginx/files/error-pages/style.css
@@ -0,0 +1,4 @@
+img.singleton {
+ display: block;
+ margin: 10px auto;
+}
diff --git a/roles/nginx/files/etc/nginx/include/headers_hsts.conf b/roles/nginx/files/etc/nginx/include/headers_hsts.conf
deleted file mode 100644
index 01adcb4..0000000
--- a/roles/nginx/files/etc/nginx/include/headers_hsts.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Header bitte nur auf "location" Ebene inkludieren:
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-
-add_header Strict-Transport-Security max-age=31536000;
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf b/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
deleted file mode 100644
index abb27a7..0000000
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/no_logging.conf b/roles/nginx/files/etc/nginx/include/no_logging.conf
deleted file mode 100644
index ed0e771..0000000
--- a/roles/nginx/files/etc/nginx/include/no_logging.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Deaktiviert Logging
-
-access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
-
-# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-# So stellen wir sicher, dass keine IPs geloggt werden.
-error_log /dev/null crit;
diff --git a/roles/nginx/files/etc/nginx/include/no_symlinks.conf b/roles/nginx/files/etc/nginx/include/no_symlinks.conf
deleted file mode 100644
index 12a2b2a..0000000
--- a/roles/nginx/files/etc/nginx/include/no_symlinks.conf
+++ /dev/null
@@ -1 +0,0 @@
-disable_symlinks on from=$document_root;
diff --git a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf b/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
deleted file mode 100644
index 16b1e9a..0000000
--- a/roles/nginx/files/etc/nginx/include/ssl_rewrite.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Generischer Rewrite von HTTP nach HTTPS
-location / {
- return 302 https://$server_name$request_uri;
-}
diff --git a/roles/nginx/files/etc/nginx/include/listing.conf b/roles/nginx/files/snippets/autoindex.conf
similarity index 100%
rename from roles/nginx/files/etc/nginx/include/listing.conf
rename to roles/nginx/files/snippets/autoindex.conf
diff --git a/roles/nginx/files/snippets/error-pages.conf b/roles/nginx/files/snippets/error-pages.conf
new file mode 100644
index 0000000..aecc17c
--- /dev/null
+++ b/roles/nginx/files/snippets/error-pages.conf
@@ -0,0 +1,5 @@
+error_page 502 /_error-pages/502.html;
+
+location ^~ /_error-pages {
+ root /var/www;
+}
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
new file mode 100644
index 0000000..a5e357f
--- /dev/null
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -0,0 +1 @@
+add_header Strict-Transport-Security 'max-age=31536000';
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf b/roles/nginx/files/snippets/location-acme-srv01.conf
similarity index 90%
rename from roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
rename to roles/nginx/files/snippets/location-acme-srv01.conf
index 60dc5cf..fed6e58 100644
--- a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
+++ b/roles/nginx/files/snippets/location-acme-srv01.conf
@@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+ access_log off;
}
diff --git a/roles/nginx/files/snippets/location-acme.conf b/roles/nginx/files/snippets/location-acme.conf
new file mode 100644
index 0000000..fca5835
--- /dev/null
+++ b/roles/nginx/files/snippets/location-acme.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge {
+ root /var/www/_acme-challenge;
+ try_files $uri $uri/ =404;
+ access_log off;
+}
diff --git a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf b/roles/nginx/files/snippets/no-unsafe-files.conf
similarity index 71%
rename from roles/nginx/files/etc/nginx/include/no_dotfiles.conf
rename to roles/nginx/files/snippets/no-unsafe-files.conf
index 4c26b8c..6f00246 100644
--- a/roles/nginx/files/etc/nginx/include/no_dotfiles.conf
+++ b/roles/nginx/files/snippets/no-unsafe-files.conf
@@ -1,7 +1,8 @@
+disable_symlinks on from=$document_root;
+
# Do not serve dotfiles.
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
-
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index 9b55c2a..d4e42ca 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,9 +1,4 @@
---
-- name: restart nginx
- service:
- name: nginx
- state: restarted
-
- name: reload nginx
service:
name: nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index baf15ab..ef4a286 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,39 +1,36 @@
---
- name: install nginx
apt:
- name: nginx
- state: present
- tags: nginx
+ name: "{{ nginx_package }}"
+ cache_valid_time: 86400
-- name: disable default site
+- name: create directories
file:
- path: /etc/nginx/sites-enabled/default
- state: absent
- notify: restart nginx
- tags: nginx
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/www/_acme-challenge
+ - /var/www/_error-pages
-- name: copy includes
+- name: copy error-pages
copy:
- src: etc/nginx/include
- dest: /etc/nginx
- mode: 0644
- owner: root
- group: root
- notify: restart nginx
- tags: nginx
+ src: error-pages/
+ dest: /var/www/_error-pages/
-- name: template letsencrypt.conf
- template:
- src: letsencrypt.conf.j2
- dest: /etc/nginx/include/letsencrypt.conf
+- name: copy snippets
+ copy:
+ src: snippets/
+ dest: /etc/nginx/snippets/
- name: template nginx.conf
template:
- src: templates/nginx.conf.j2
+ src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
- mode: 0644
- owner: root
- group: root
backup: yes
- notify: restart nginx
- tags: nginx
+ notify: reload nginx
+
+- name: remove default site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: reload nginx
diff --git a/roles/nginx/templates/letsencrypt.conf.j2 b/roles/nginx/templates/letsencrypt.conf.j2
deleted file mode 100644
index 29732db..0000000
--- a/roles/nginx/templates/letsencrypt.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- root {{ letsencrypt_webroot }};
- try_files $uri $uri/ =404;
-}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 4293b90..d278f8e 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -1,91 +1,75 @@
user www-data;
-worker_processes auto;
+worker_processes {{ nginx_worker_processes }};
pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
events {
- worker_connections 768;
- # multi_accept on;
+ worker_connections {{ nginx_worker_connections }};
+ # multi_accept on;
}
http {
- ##
- # Basic Settings
- ##
+ ##
+ # Basic Settings
+ ##
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+{% if nginx_resolver is defined %}
+ resolver {{ nginx_resolver }};
+{% endif %}
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
- ##
- # SSL Settings
- ##
+ ##
+ # SSL Settings
+ ##
- ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_stapling on;
- ssl_stapling_verify on;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
+ ssl_session_cache shared:SSL:1M;
+ ssl_session_timeout 10m;
+{% if nginx_resolver is defined %}
+ ssl_stapling on;
+ ssl_stapling_verify on;
+{% endif %}
- resolver {{ nginx_resolver }};
+ ##
+ # Logging Settings
+ ##
- ##
- # Logging Settings
- ##
+ log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
+ access_log {{ nginx_access_log }};
+ error_log {{ nginx_error_log }};
- include /etc/nginx/include/no_logging.conf;
+ ##
+ # Gzip Settings
+ ##
- ##
- # Gzip Settings
- ##
+ gzip on;
+ gzip_disable "msie6";
- gzip on;
- gzip_disable "msie6";
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Virtual Host Configs
+ ##
- ##
- # Virtual Host Configs
- ##
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
}
-
-
-#mail {
-# # See sample authentication script at:
-# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-# # auth_http localhost/auth.php;
-# # pop3_capabilities "TOP" "USER";
-# # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-# server {
-# listen localhost:110;
-# protocol pop3;
-# proxy on;
-# }
-#
-# server {
-# listen localhost:143;
-# protocol imap;
-# proxy on;
-# }
-#}