New nginx role

basics.yml

@@ -1,5 +1,5 @@
 ---
-- hosts: all
+- hosts: ffhh
   roles:
     - basics
     - ffhh-basics
@@ -9,3 +9,8 @@
   roles:
     - certsync
   tags: certsync
+
+- hosts: nginx
+  roles:
+    - nginx
+  tags: nginx

host_vars/srv02

@@ -4,3 +4,4 @@ basics_autoupdate_origins:
   - o=TorProject,n=${distro_codename}
 hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
 hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
+nginx_resolver: 127.0.0.1

production

@@ -10,11 +10,15 @@ srv03
 [hopglass-frontend]
 srv02
 
+[nginx]
+gw03-new ansible_host=gw03-new.hamburg.freifunk.net
+
 [updates]
 srv01
 srv03
 
 [vms]
+gw03-new
 srv01
 srv02
 srv03

roles/nginx/defaults/main.yml

@@ -1,2 +1,6 @@
-letsencrypt_webroot: /var/www/letsencrypt
-nginx_resolver: 127.0.0.1 [::1]
+---
+nginx_access_log: "off"
+nginx_error_log: "/dev/null error"
+nginx_package: nginx
+nginx_worker_connections: 512
+nginx_worker_processes: auto

roles/nginx/files/error-pages/502.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>502 Bad Gateway</title>
+  <link rel="stylesheet" href="/_error-pages/style.css">
+</head>
+<body>
+  <img src="/_error-pages/bad_gateway.png" alt="Bad Gateway Sign" class="singleton">
+</body>

roles/nginx/files/error-pages/style.css

@@ -0,0 +1,4 @@
+img.singleton {
+  display: block;
+  margin: 10px auto;
+}

roles/nginx/files/etc/nginx/include/headers_hsts.conf

@@ -1,4 +0,0 @@
-# Header bitte nur auf "location" Ebene inkludieren:
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
-
-add_header Strict-Transport-Security max-age=31536000;

roles/nginx/files/etc/nginx/include/letsencrypt_srv02.conf

@@ -1,5 +0,0 @@
-location ^~ /.well-known/acme-challenge {
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_pass http://srv02.hamburg.freifunk.net$request_uri;
-}

roles/nginx/files/etc/nginx/include/no_logging.conf

@@ -1,7 +0,0 @@
-# Deaktiviert Logging
-
-access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitors loggen.
-
-# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-# So stellen wir sicher, dass keine IPs geloggt werden.
-error_log /dev/null crit;

roles/nginx/files/etc/nginx/include/no_symlinks.conf

@@ -1 +0,0 @@
-disable_symlinks on from=$document_root;

roles/nginx/files/etc/nginx/include/ssl_rewrite.conf

@@ -1,4 +0,0 @@
-# Generischer Rewrite von HTTP nach HTTPS
-location / {
-    return 302 https://$server_name$request_uri;
-}

roles/nginx/files/snippets/error-pages.conf

@@ -0,0 +1,5 @@
+error_page 502 /_error-pages/502.html;
+
+location ^~ /_error-pages {
+    root /var/www;
+}

roles/nginx/files/snippets/header-hsts.conf

@@ -0,0 +1 @@
+add_header Strict-Transport-Security 'max-age=31536000';

roles/nginx/files/snippets/location-acme-srv01.conf

@@ -2,4 +2,5 @@ location ^~ /.well-known/acme-challenge {
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+    access_log off;
 }

roles/nginx/files/snippets/location-acme.conf

@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge {
+    root /var/www/_acme-challenge;
+    try_files $uri $uri/ =404;
+    access_log off;
+}

roles/nginx/files/snippets/no-unsafe-files.conf

@@ -1,7 +1,8 @@
+disable_symlinks on from=$document_root;
+
 # Do not serve dotfiles.
 location ~ /\. {
     deny all;
     access_log off;
     log_not_found off;
 }
-

roles/nginx/handlers/main.yml

@@ -1,9 +1,4 @@
 ---
-- name: restart nginx
-  service:
-    name: nginx
-    state: restarted
-
 - name: reload nginx
   service:
     name: nginx

roles/nginx/tasks/main.yml

@@ -1,39 +1,36 @@
 ---
 - name: install nginx
   apt:
-    name: nginx
-    state: present
-  tags: nginx
+    name: "{{ nginx_package }}"
+    cache_valid_time: 86400
 
-- name: disable default site
+- name: create directories
   file:
-    path: /etc/nginx/sites-enabled/default
-    state: absent
-  notify: restart nginx
-  tags: nginx
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - /var/www/_acme-challenge
+    - /var/www/_error-pages
 
-- name: copy includes
+- name: copy error-pages
   copy:
-    src: etc/nginx/include
-    dest: /etc/nginx
-    mode: 0644
-    owner: root
-    group: root
-  notify: restart nginx
-  tags: nginx
+    src: error-pages/
+    dest: /var/www/_error-pages/
 
-- name: template letsencrypt.conf
-  template:
-    src: letsencrypt.conf.j2
-    dest: /etc/nginx/include/letsencrypt.conf
+- name: copy snippets
+  copy:
+    src: snippets/
+    dest: /etc/nginx/snippets/
 
 - name: template nginx.conf
   template:
-    src: templates/nginx.conf.j2
+    src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-    mode: 0644
-    owner: root
-    group: root
     backup: yes
-  notify: restart nginx
-  tags: nginx
+  notify: reload nginx
+
+- name: remove default site
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: reload nginx

roles/nginx/templates/letsencrypt.conf.j2

@@ -1,4 +0,0 @@
-location ^~ /.well-known/acme-challenge {
-  root {{ letsencrypt_webroot }};
-  try_files $uri $uri/ =404;
-}

roles/nginx/templates/nginx.conf.j2

@@ -1,9 +1,10 @@
 user www-data;
-worker_processes auto;
+worker_processes {{ nginx_worker_processes }};
 pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
 
 events {
-        worker_connections 768;
+    worker_connections {{ nginx_worker_connections }};
     # multi_accept on;
 }
 
@@ -19,6 +20,9 @@ http {
     keepalive_timeout 65;
     types_hash_max_size 2048;
     server_tokens off;
+{% if nginx_resolver is defined %}
+    resolver {{ nginx_resolver }};
+{% endif %}
 
     # server_names_hash_bucket_size 64;
     # server_name_in_redirect off;
@@ -30,21 +34,23 @@ http {
     # SSL Settings
     ##
 
-        ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:+SHA1;
+    ssl_protocols TLSv1.2;
     ssl_prefer_server_ciphers on;
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_session_cache shared:SSL:10m;
+    ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+AES:!SHA1;
+    ssl_session_cache shared:SSL:1M;
     ssl_session_timeout 10m;
+{% if nginx_resolver is defined %}
     ssl_stapling on;
     ssl_stapling_verify on;
-
-        resolver {{ nginx_resolver }};
+{% endif %}
 
     ##
     # Logging Settings
     ##
 
-        include /etc/nginx/include/no_logging.conf;
+    log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
+    access_log {{ nginx_access_log }};
+    error_log {{ nginx_error_log }};
 
     ##
     # Gzip Settings
@@ -67,25 +73,3 @@ http {
     include /etc/nginx/conf.d/*.conf;
     include /etc/nginx/sites-enabled/*;
 }
-
-
-#mail {
-#       # See sample authentication script at:
-#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-#       # auth_http localhost/auth.php;
-#       # pop3_capabilities "TOP" "USER";
-#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-#       server {
-#               listen     localhost:110;
-#               protocol   pop3;
-#               proxy      on;
-#       }
-#
-#       server {
-#               listen     localhost:143;
-#               protocol   imap;
-#               proxy      on;
-#       }
-#}