---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
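- name: pull prerequisites from upstream
  # Shared etckeeper.inc role, upstream.yml task file. `msg` is presumably
  # the etckeeper commit message used for this role — confirm in etckeeper.inc.
  # Module arguments as block YAML rather than a key=value string.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nginx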
### ⇐ UPSTREAM BEGIN ###
- name: uninstall software
  # Packages this role used to install and now removes again.
  package:
    state: absent
    name: "{{item}}"
  with_items:
    - nginx-mainline  # 2023-05-20: removed
- name: install AUR software
  # Build and install OpenResty from the AUR through the shared aur.inc role.
  # `pre` is a shell snippet the role runs before the build; `service` and
  # `PKGBUILD` are relative paths, so it presumably runs inside the AUR
  # checkout — confirm in aur.inc.
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - pkg: openresty
        # First sed: patch the packaged systemd unit (`service`) so the daemon
        # runs as the unprivileged `http` user with a reduced capability
        # bounding set, private /tmp and /dev, a read-only system tree except
        # /var/log/nginx, no home access and NoNewPrivileges; it also adds two
        # ExecStartPre cleanups and moves the PID file to /run/http/.
        # Second sed: patch PKGBUILD (the `# —` bullets list each change) and
        # replace the unit's checksum with the hash of the patched unit.
        # NOTE(review): dropping the `.asc` sources also drops makepkg's GPG
        # verification of the upstream tarball; integrity then rests solely on
        # the sha256sums pinned in the AUR PKGBUILD.
        # NOTE(review): on the first `for` line the `"` around `\${source[...]}`
        # is not escaped, unlike the `\"` used further down; the shell string
        # closes and reopens there, which yields the same text by luck —
        # confirm against the rendered PKGBUILD.
        # `'"'"'` embeds a literal single quote inside the single-quoted sed
        # script; `{{ '{#source[*]}' }}` emits `{#` without Jinja reading it as
        # the start of a template comment.
        pre: |
          # harden the systemd service
          sed -ri '
          /\[Unit\]/ a\
          After=systemd-tmpfiles-setup.service\
          After=php-fpm.service
          /\[Service\]/ a\
          User=http\
          Group=http\
          CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
          PrivateTmp=true\
          PrivateDevices=true\
          ProtectSystem=full\
          ProtectHome=true\
          ReadWritePaths=/var/log/nginx\
          NoNewPrivileges=true\
          ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
          ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
          s|/run/openresty.pid|/run/http/nginx.pid|g
          ' service
          # compute the hash of the new service file
          srvHash=$(sha256sum service | awk '{print $1}')
          # — choose /etc/nginx as Nginx configuration location
          # — choose /run/http/ for Nginx PID and lock files location
          # — choose /var/log/nginx/ as Nginx compiled-in logs location
          # — choose /var/tmp/ as Nginx runtime temporary folder
          # — replace the old service hash with the computed one
          # — remove signature source files as they make the build fail
          # — disable unused features of OpenResty/Nginx
          sed -ri "
          s#_cfgdir=.*#_cfgdir=/etc/nginx#
          /build\\(\\)/ i\\
          for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
          sha256sums[\$_src]='$srvHash'\\
          fi; done\\
          for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
          _last=\$((\${{ '{#source[*]}' }}-1))\\
          source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
          sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
          fi; done\\
          unset _last _src
          s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
          s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
          s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
          s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
          s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
          /^ *--with-mail|^ *#/d
          s| +#.*||
          " PKGBUILD
          cat PKGBUILD
### UPSTREAM END ⇒ ###
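- name: merge upstream
  # Shared etckeeper.inc role, merge.yml task file; `msg` is presumably the
  # etckeeper commit message for this role — confirm in etckeeper.inc.
  # Module arguments as block YAML rather than a key=value string.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nginx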
### ⇐ UPSTREAM END ###
- name: fix logrotate.d/openresty
  # The packaged logrotate snippet tests a PID file under /run/; rewrite that
  # line so it uses /run/http/nginx.pid, the path the patched unit is built
  # with, and signals the daemon with USR1 to reopen its logs.
  lineinfile:
    path: "/etc/logrotate.d/openresty"
    regexp: '^(\s*test -r )/run/'
    line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
    backrefs: true
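- name: create Nginx working directories
  # systemd-tmpfiles entries for the runtime dir (PID/lock files, matching the
  # --pid-path/--lock-path PKGBUILD patch) and the log dir, both owned by the
  # `http` user the service runs as. The notified handler applies them.
  # NOTE(review): the service user owns and can write the log directory (it is
  # also in the unit's ReadWritePaths), so log integrity relies on the
  # syslog/journal routing configured further down.
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
      d /var/log/nginx 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    # Quoted: an unquoted 0644 is parsed by YAML as an octal integer.
    mode: "0644"
  notify:
    - create tmpfiles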
# Run the pending `create tmpfiles` handler now rather than at the end of the
# play, so the tmpfiles.d entries written above are applied before the
# following tasks run.
- meta: flush_handlers
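- name: update already-installed OpenResty packages
  # Plain argv with no shell features, so `command` runs it without a shell
  # parse (same effect as the previous `shell:` form, smaller surface).
  # NOTE(review): opm's output is not inspected, so this task always reports
  # "changed"; add `changed_when` once opm's no-op output is known.
  command: /opt/openresty/bin/opm update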
- name: OPM = install OpenResty packages (if necessary)
  # opm.yaml handles a single package per iteration; the loop item is handed
  # over as `pkg_name`.
  include_tasks: opm.yaml
  vars:
    pkg_name: "{{item}}"
  with_items:
    - "fffonion/lua-resty-openssl"
- name: set the number of nginx worker processes
  # Replace the stock (possibly commented-out) worker_processes directive with
  # `auto`, letting nginx size the worker pool itself.
  lineinfile:
    path: "/etc/nginx/nginx.conf"
    line: "worker_processes auto;"
    regexp: '^#?\s*worker_processes\s'
  notify:
    - restart openresty.service
- name: log to systemd-journal
  # Send the error log to the local syslog socket (/dev/log, presumably picked
  # up by journald on this host) at the level given by `nginx_loglevel`, a
  # variable defined outside this file.
  lineinfile:
    path: "/etc/nginx/nginx.conf"
    line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
    regexp: '^#?\s*error_log\s'
  notify:
    - restart openresty.service
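- name: create directories for custom nginx configuration
  # Drop-in directories referenced by the include tasks below. root:http 0750
  # lets the service group read its configuration without being able to
  # modify it.
  file:
    path: "/etc/nginx/{{item}}.d"
    state: directory
    owner: root
    group: http
    # Quoted: an unquoted 0750 is parsed by YAML as an octal integer.
    mode: "0750"
  with_items:
    - conf
    - inc
    - main.inc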
- name: include main nginx configuration items
  # Pull main.inc.d/*.inc in at the very top of nginx.conf (presumably so the
  # snippets can carry main-context directives).
  lineinfile:
    path: "/etc/nginx/nginx.conf"
    insertbefore: BOF
    regexp: '^include.*main.inc.d/'
    line: "include /etc/nginx/main.inc.d/*.inc;"
  notify:
    - restart openresty.service
- name: include custom nginx configuration
  # Pull conf.d/*.conf in just before the stock commented `#gzip` line
  # (presumably inside the http block of the shipped nginx.conf).
  lineinfile:
    path: "/etc/nginx/nginx.conf"
    insertbefore: '^\s*#gzip\s'
    regexp: '^include.*conf.d/'
    line: "include /etc/nginx/conf.d/*.conf;"
  notify:
    - restart openresty.service
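- name: set custom nginx configuration
  # Render this host's main conf.d snippet; readable by the service group
  # only (root:http 0640). Changes trigger a service restart.
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
    owner: root
    group: http
    # Quoted: an unquoted 0640 is parsed by YAML as an octal integer.
    mode: "0640"
  notify:
    - restart openresty.service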
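- name: send included conf files
  # Render the reusable include snippets into inc.d; readable by the service
  # group only (root:http 0640).
  # NOTE(review): unlike the conf.d task above, this task does not notify
  # `restart openresty.service`, so an edited snippet is only picked up on
  # the next restart — confirm whether that is intended.
  template:
    src: templates/{{item}}.inc.j2
    dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
    owner: root
    group: http
    # Quoted: an unquoted 0640 is parsed by YAML as an octal integer.
    mode: "0640"
  with_items:
    - 'php-fast'
    - 'php-full'
    - filters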
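- name: send the default HTML/PHP handler
  # Render the default handler snippet into inc.d; readable by the service
  # group only (root:http 0640). No restart is notified here either.
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    # Quoted: an unquoted 0640 is parsed by YAML as an octal integer.
    mode: "0640"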
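- name: test the presence of example nginx servers
  # Detection only: `changed` reports whether a `server {` line is still
  # present in the stock nginx.conf. Running in check mode means the marker
  # line is never written, so an interrupted play cannot leave nginx.conf
  # with an invalid `server { TO BE DELETED` line; the next task removes the
  # example block whenever this task reports a change.
  lineinfile:
    path: /etc/nginx/nginx.conf
    backrefs: true
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
  check_mode: true
  register: test_srv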
- name: remove example nginx servers
  # sed script: print lines up to the first `server {`, drop that line and
  # everything after it, and append a closing `}` on the last line so the
  # enclosing block (presumably `http {`) stays balanced. Flow: line 1 jumps
  # to OK; the OK loop prints and advances (`n`) until a server line, which
  # is deleted; every line read after that restarts at the top, where only
  # `$ a\` (queue the `}`) and `d` apply.
  # NOTE(review): if the `server {` line is itself the last line of the file,
  # no `}` is appended.
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  # Only when the previous task found an example server block.
  when:
    - test_srv.changed
  notify:
    - restart openresty.service
- name: create web files locations
  # /srv/http receives the dev test page below; /srv/webapps is presumably
  # used by other roles.
  # NOTE(review): no owner/group/mode is given, so the directories get the
  # defaults of the account Ansible runs as — confirm that is intended.
  file:
    state: directory
    path: "{{item}}"
  with_items:
    - "/srv/http"
    - "/srv/webapps"
- name: enable openresty.service
  # Reload unit files (the unit was patched during the AUR build) and enable
  # the service at boot. It is not started here; the `restart
  # openresty.service` handlers notified above are presumably what brings it
  # up — confirm.
  systemd:
    name: "openresty.service"
    enabled: true
    daemon_reload: true
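- name: HTML test-page in test environment
  # Static smoke-test page, written only when `env` is 'dev'.
  copy:
    content: |
      <!DOCTYPE html>
      <html lang="en">
      <head><title>TEST</title><meta charset="UTF-8"></head>
      <body><h1>HTML served by Nginx</h1><p>It works!</p></body>
      </html>
    dest: /srv/http/index.html
    # Quoted: an unquoted 0644 is parsed by YAML as an octal integer.
    mode: "0644"
  when: (env == 'dev')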
### LOCAL COMMIT ⇒ ###
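- name: commit local changes
  # Shared etckeeper.inc role, local.yml task file; `msg` is presumably the
  # etckeeper commit message for this role — confirm in etckeeper.inc.
  # Module arguments as block YAML rather than a key=value string.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nginx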
### ⇐ LOCAL COMMIT ###
# Run any handlers still queued by this role (e.g. `restart openresty.service`)
# now, so the service is running with the configuration written above before
# whatever comes next in the play.
- meta: flush_handlers