home-server/roles/dmz_nginx/tasks/main.yml

---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
# Include the upstream.yml task file of the shared etckeeper.inc role; the
# role var `msg` labels this run as belonging to the nginx setup.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###
# Install the web server and the PHP runtime from the distribution repositories.
- name: install software
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - nginx-mainline
    - php-fpm
### UPSTREAM END ⇒ ###
# Hand back to the shared etckeeper.inc role (merge.yml) now that the packages
# are installed; `msg` labels the run as the nginx setup.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###
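# systemd-tmpfiles entry: /run/http, owned by http:http, holds the PID files
# the hardened php-fpm and nginx units below point to (PIDFile=/run/http/...).
- name: create a directory for the PID files
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    # Quoted on purpose: a bare 0644 is an integer whose meaning (octal 0644
    # vs decimal 644) depends on the YAML parser; the string is unambiguous.
    mode: "0644"
  notify:
    - create tmpfiles
# Run the handler immediately so the directory exists before the services are
# (re)started by the handlers further down.
- meta: flush_handlers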
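# Drop-in directories that receive the hardening overrides for both units.
- name: prepare to override systemd settings
  file:
    name: "/etc/systemd/system/{{ item }}.service.d"
    state: directory
    # Quoted so the octal mode does not depend on YAML integer parsing rules.
    mode: "0755"
  with_items:
    - nginx
    - php-fpm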
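# Hardening drop-in for php-fpm: the daemon starts directly as http:http
# (no root master process, so the pool user/group directives are commented
# out later in this file), with a minimal capability bounding set, private
# /tmp and /dev, read-only /usr and /boot, no access to home directories and
# no privilege escalation; the PID file lives in /run/http (tmpfiles above).
# NOTE(review): nginx below uses ProtectSystem=full (also read-only /etc);
# if php-fpm has no reason to write under /etc, =full would align the two.
# NOTE(review): nginx runs under the same uid (http), so the web server and
# the PHP runtime are not isolated from each other — verify this is intended.
- name: secure systemd settings for php-fpm
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/php-fpm.pid
    dest: "/etc/systemd/system/php-fpm.service.d/secure-{{ nickname }}.conf"
    # Quoted so the octal mode does not depend on YAML integer parsing rules.
    mode: "0644"
  notify:
    - restart php-fpm.service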
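# Hardening drop-in for nginx: ordered after php-fpm, started directly as
# http:http with a minimal bounding set, private /tmp and /dev, read-only
# /usr, /boot and /etc (ProtectSystem=full), no home access and no privilege
# escalation. ExecStart is cleared and re-set so the PID file is written to
# /run/http and the error log goes to stderr (the journal); the ExecStartPre
# removes stale http*.pp sockets from /run/shared_sockets and runs as http.
# NOTE(review): the bounding set does not contain CAP_NET_BIND_SERVICE and no
# AmbientCapabilities is set, so nginx cannot bind ports below 1024 —
# presumably it listens on unix sockets under /run/shared_sockets; confirm
# against templates/10.conf.j2.
- name: secure systemd settings for nginx
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      After=php-fpm.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/nginx.pid
      ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
      ExecStart=
      ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
    dest: "/etc/systemd/system/nginx.service.d/secure-{{ nickname }}.conf"
    # Quoted so the octal mode does not depend on YAML integer parsing rules.
    mode: "0644"
  notify:
    - restart nginx.service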
# nginx no longer starts as root (User=http in the drop-in), so its state and
# log trees must be writable by that user.
- name: set ownership of nginx working directories to nginx
  file:
    path: "/var/{{ item }}/nginx"
    state: directory
    recurse: true
    owner: http
    group: http
  with_items:
    - lib
    - log
# Both tasks edit the stock nginx.conf in place; the regexps also match the
# commented-out (#-prefixed) form of each directive so it gets uncommented.
- name: set the number of nginx worker processes
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*worker_processes\s'
    line: 'worker_processes auto;'
  notify:
    - restart nginx.service

# Error log to the local syslog socket (picked up by systemd-journald); the
# verbosity comes from the nginx_loglevel variable.
- name: log to systemd-journal
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*error_log\s'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{ nginx_loglevel }};"
  notify:
    - restart nginx.service
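# Configuration directories are root-owned and only readable by group http:
# the nginx process (running as http) can read its configuration but cannot
# modify it.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{ item }}.d"
    state: directory
    owner: root
    group: http
    # Quoted so the octal mode does not depend on YAML integer parsing rules.
    mode: "0750"
  with_items:
    - conf
    - inc
    - main.inc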
# Main-context includes go at the very top of nginx.conf.
- name: include main nginx configuration items
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*main.inc.d/'
    line: 'include /etc/nginx/main.inc.d/*.inc;'
    insertbefore: BOF
  notify:
    - restart nginx.service

# http-context includes are inserted just before the commented gzip line of
# the stock file, i.e. inside the http { } block.
- name: include custom nginx configuration
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*conf.d/'
    line: 'include /etc/nginx/conf.d/*.conf;'
    insertbefore: '^\s*#gzip\s'
  notify:
    - restart nginx.service
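# Rendered configuration files: root-owned, readable by group http only, so
# the running server cannot rewrite its own configuration. Modes are quoted
# so the octal value does not depend on YAML integer parsing rules.
- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{ nickname }}.conf"
    owner: root
    group: http
    mode: "0640"
  notify:
    - restart nginx.service

# Snippets to be included by server blocks (PHP handlers and request filters).
- name: send included conf files
  template:
    src: "templates/{{ item }}.inc.j2"
    dest: "/etc/nginx/inc.d/{{ nickname }}_{{ item }}.inc"
    owner: root
    group: http
    mode: "0640"
  with_items:
    - php-fast
    - php-full
    - filters

# Default handler, sorted first (00.) among the included snippets.
- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: "0640"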
# Detect the example server { } blocks shipped in the stock nginx.conf.
# lineinfile with backrefs only rewrites the last matching line, so the task
# reports changed exactly when such a block exists; the marker line it writes
# is removed again by the sed task below.
# NOTE(review): the probe itself is destructive — if the sed task does not run
# the file keeps a `server { TO BE DELETED` line. A read-only probe (for
# example the same lineinfile run in check mode) would avoid that.
- name: test the presence of example nginx servers
  lineinfile:
    path: /etc/nginx/nginx.conf
    backrefs: true
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
  register: test_srv
# sed program: every line from the first `server {` match to the end of the
# file is deleted and a closing `}` is appended after the last line, which
# keeps the enclosing http { } block balanced. This assumes the example
# servers are the last thing inside http { } — true for the stock file;
# re-check after an upstream config change.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv.changed
  notify:
    - restart nginx.service
# php-fpm listens on a unix socket in the directory shared with nginx; the
# regexp also matches the commented (;) form of the directive.
- name: set the php-fpm socket path
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    regexp: '^;*listen\s*='
    line: 'listen = /run/shared_sockets/php-fpm'
  notify:
    - restart php-fpm.service

# The unit already runs as http:http (systemd drop-in above), so the pool's
# own user/group settings are redundant; comment them out rather than delete.
- name: remove useless user/group specs
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    backrefs: true
    regexp: '^({{ item }}\s*=.*)'
    line: ';\1'
  with_items:
    - user
    - group
    - listen.group

# Must agree with PIDFile= in the php-fpm drop-in.
- name: set the PID file path for php-fpm
  lineinfile:
    path: /etc/php/php-fpm.conf
    regexp: '^;*pid\s*='
    line: 'pid = /run/http/php-fpm.pid'
  notify:
    - restart php-fpm.service
# Reload unit definitions (new drop-ins) and enable both services at boot;
# the actual (re)starts are done by the notified handlers.
- name: enable php-fpm.service
  systemd:
    name: php-fpm.service
    enabled: true
    daemon_reload: true

- name: enable nginx.service
  systemd:
    name: nginx.service
    enabled: true
    daemon_reload: true
### LOCAL COMMIT ⇒ ###
# Include the local.yml task file of the shared etckeeper.inc role, labelled
# with `msg: nginx` like the earlier includes.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###
# Fire the pending restart handlers before the role returns.
- meta: flush_handlers