---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
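### UPSTREAM BEGIN ⇒ ###
# Tasks for the nginx + php-fpm stack: install the packages, run both services
# unprivileged under hardened systemd drop-ins, wire the custom nginx/php-fpm
# configuration in, and enable the units.
# The UPSTREAM / LOCAL COMMIT markers bracket calls into the etckeeper.inc role
# (upstream.yml / merge.yml / local.yml, commit message "nginx"); presumably it
# snapshots /etc around the package-manager changes and around this role's own
# edits — see that role for the exact behaviour.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - nginx-mainline
    - php-fpm

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###

# /run/http belongs to the unprivileged service user: both drop-ins below run
# nginx and php-fpm as http and point PIDFile= into this directory, so http
# must be able to write here. 775 keeps it group-writable but not
# world-writable. Octal modes are quoted so YAML never reinterprets them.
- name: create a directory for the PID files
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    mode: "0644"
  notify:
    - create tmpfiles

# Run the "create tmpfiles" handler now, so /run/http exists before any of the
# service restarts notified further down.
- meta: flush_handlers

- name: prepare to override systemd settings
  file:
    path: "/etc/systemd/system/{{item}}.service.d"
    state: directory
    mode: "0755"
  with_items:
    - nginx
    - php-fpm

# Hardened drop-in for php-fpm: run as http with a minimal capability bounding
# set, private /tmp and /dev, read-only /usr and /boot (ProtectSystem=true), no
# access to /home, and no privilege escalation (NoNewPrivileges=true).
# After=systemd-tmpfiles-setup.service orders the unit behind the creation of
# /run/http, where its PID file lives.
# NOTE(review): php-fpm gets ProtectSystem=true while nginx below gets
# ProtectSystem=full (which additionally makes /etc read-only) — confirm the
# asymmetry is intentional.
- name: secure systemd settings for php-fpm
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/php-fpm.pid
    dest: "/etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf"
    mode: "0644"
  notify:
    - restart php-fpm.service

# Same hardening for nginx. The bounding set contains no CAP_NET_BIND_SERVICE,
# so this nginx cannot bind ports below 1024; presumably it listens on unix
# sockets behind a front proxy (the ExecStartPre= cleans stale
# /run/shared_sockets/http*.pp sockets) — verify against the listen directives
# in the templates. ExecStart= is emptied and re-declared so the PID file lands
# in /run/http and startup errors go to stderr (i.e. the journal).
# NOTE(review): nginx.conf must not also carry a `pid` directive, or nginx will
# refuse to start because of the duplicate — confirm against the upstream file.
- name: secure systemd settings for nginx
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      After=php-fpm.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/nginx.pid
      ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
      ExecStart=
      ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
    dest: "/etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf"
    mode: "0644"
  notify:
    - restart nginx.service

# nginx runs unprivileged, so its working directories (/var/lib/nginx and
# /var/log/nginx) must be writable by the http user.
- name: set ownership of nginx’ working directories to nginx
  file:
    path: "/var/{{item}}/nginx"
    state: directory
    owner: http
    group: http
    recurse: true
  with_items:
    - lib
    - log

# The regexp also matches a commented-out directive, so the stock default is
# replaced in place rather than duplicated.
- name: set the number of nginx worker processes
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*worker_processes\s'
    line: "worker_processes auto;"
  notify:
    - restart nginx.service

- name: log to systemd-journal
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*error_log\s'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
  notify:
    - restart nginx.service

# root-owned, group http, 0750: nginx (running as http) can read its
# configuration but cannot modify it.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{item}}.d"
    state: directory
    owner: root
    group: http
    mode: "0750"
  with_items:
    - conf
    - inc
    - main.inc

# main.inc.d/*.inc is pulled in at the very top of nginx.conf (main context);
# the include line is only inserted when no matching line exists yet.
- name: include main nginx configuration items
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*main.inc.d/'
    line: 'include /etc/nginx/main.inc.d/*.inc;'
    insertbefore: BOF
  notify:
    - restart nginx.service

# conf.d/*.conf is included inside the http block, right before the stock
# "#gzip" comment of the default configuration.
- name: include custom nginx configuration
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*conf.d/'
    line: 'include /etc/nginx/conf.d/*.conf;'
    insertbefore: '^\s*#gzip\s'
  notify:
    - restart nginx.service

# Rendered configuration is root-owned and group-readable by http only (0640).
- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
    owner: root
    group: http
    mode: "0640"
  notify:
    - restart nginx.service

- name: send included conf files
  template:
    src: "templates/{{item}}.inc.j2"
    dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
    owner: root
    group: http
    mode: "0640"
  with_items:
    - php-fast
    - php-full
    - filters

- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: "0640"

# Read-only probe: check_mode makes lineinfile report whether it *would* rewrite
# a "server {" line without touching nginx.conf, so an interrupted run can never
# leave the "TO BE DELETED" marker (a syntax error for nginx) in the live file.
# Only the registered "changed" flag is used by the next task.
- name: test the presence of example nginx servers
  lineinfile:
    path: /etc/nginx/nginx.conf
    backrefs: true
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
  check_mode: true
  register: test_srv

# The sed script drops everything from the first "server {" line to the end of
# the file (the stock example servers) and appends a "}" so the enclosing
# "http {" block stays balanced. It only runs when the probe above found one,
# which also keeps the whole pair idempotent.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv.changed
  notify:
    - restart nginx.service

# php-fpm listens on a unix socket shared with nginx; pool sizes come from role
# variables. Keys are regex-escaped because several of them contain a "." that
# would otherwise match any character.
- name: set the php-fpm settings
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    regexp: '^;*{{item.key | regex_escape}}\s*='
    line: '{{item.key}} = {{item.value}}'
  with_dict:
    listen: /run/shared_sockets/php-fpm
    pm: dynamic
    'pm.max_children': '{{php_max_workers}}'
    'pm.start_servers': 1
    'pm.min_spare_servers': 1
    'pm.max_spare_servers': '{{php_max_workers}}'
    'pm.max_requests': '{{php_worker_max_reqs}}'
  notify:
    - restart php-fpm.service

# User= and Group= are enforced by the systemd drop-in above, so the pool-level
# user/group/listen.group settings are redundant; comment them out. The ";"
# prefix also stops the anchored regexp from matching again, so the task is
# idempotent.
- name: disable useless user/group specs
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    backrefs: true
    regexp: '^({{item | regex_escape}}\s*=.*)'
    line: ';\1'
  with_items:
    - user
    - group
    - 'listen.group'

# Must agree with PIDFile= in the php-fpm drop-in.
- name: set the PID file path for php-fpm
  lineinfile:
    path: /etc/php/php-fpm.conf
    regexp: '^;*pid\s*='
    line: 'pid = /run/http/php-fpm.pid'
  notify:
    - restart php-fpm.service

# daemon_reload picks up the drop-ins written above before the units are
# enabled.
- name: enable php-fpm.service
  systemd:
    daemon_reload: true
    name: php-fpm.service
    enabled: true

- name: enable nginx.service
  systemd:
    daemon_reload: true
    name: nginx.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###

# Apply the pending service restarts before the role returns.
- meta: flush_handlers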