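---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# Task list: build and configure OpenResty (Nginx) from the AUR, with the
# packaged systemd unit hardened to run as the unprivileged `http` user.
# The UPSTREAM / LOCAL COMMIT brackets wrap the work in etckeeper commits
# so that /etc changes made here are recorded separately from upstream ones.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###

- name: uninstall software
  package:
    name: "{{item}}"
    state: absent
  with_items:
    # 2023-05-20: removed
    - nginx-mainline

# The `pre` hook is run (as a shell script, after Jinja templating) before the
# AUR package is built. It:
#   - appends hardening directives to the packaged `service` unit: run as
#     http:http, a minimal capability bounding set, private /tmp and /dev,
#     ProtectSystem/ProtectHome, NoNewPrivileges, and two ExecStartPre clean-ups
#     (drop root-owned files left in /var/log/nginx, remove stale
#     /run/shared_sockets/http*.pp), and moves the PID file to /run/http/;
#   - recomputes the unit's sha256 and patches it into PKGBUILD's sha256sums;
#   - drops the *.asc signature sources from PKGBUILD (they make the build fail);
#   - relocates the configure paths (--pid-path, --lock-path, log paths) and
#     disables the redis/lua_rds/mysql/scgi/mail features.
# `{{ '{#source[*]}' }}` is a Jinja escape: a literal `{#` would otherwise open
# a Jinja comment.
# NOTE(review): with ProtectSystem=full, /var stays writable, so
# ReadWritePaths=/var/log/nginx looks like a no-op here; it only takes effect
# under ProtectSystem=strict — confirm before tightening, since nginx also needs
# /var/tmp/ and /run/http/ writable.
- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - pkg: openresty
        pre: |
          # harden the systemd service
          sed -ri '
          /\[Unit\]/ a\
          After=systemd-tmpfiles-setup.service\
          After=php-fpm.service
          /\[Service\]/ a\
          User=http\
          Group=http\
          CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
          PrivateTmp=true\
          PrivateDevices=true\
          ProtectSystem=full\
          ProtectHome=true\
          ReadWritePaths=/var/log/nginx\
          NoNewPrivileges=true\
          ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
          ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
          s|/run/openresty.pid|/run/http/nginx.pid|g
          ' service
          # compute the hash of the new service file
          srvHash=$(sha256sum service | awk '{print $1}')
          # — choose /etc/nginx as Nginx configuration location
          # — choose /run/http/ for Nginx PID and lock files location
          # — choose /var/log/nginx/ as Nginx compiled-in logs location
          # — choose /var/tmp/ as Nginx runtime temporary folder
          # — replace the old service hash with the computed one
          # — remove signature source files as they make the build fail
          # — disable unused features of OpenResty/Nginx
          sed -ri "
          s#_cfgdir=.*#_cfgdir=/etc/nginx#
          /build\\(\\)/ i\\
          for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
          sha256sums[\$_src]='$srvHash'\\
          fi; done\\
          for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
          _last=\$((\${{ '{#source[*]}' }}-1))\\
          source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
          sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
          fi; done\\
          unset _last _src
          s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
          s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
          s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
          s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
          s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
          /^ *--with-mail|^ *#/d
          s| +#.*||
          " PKGBUILD
          cat PKGBUILD

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###

# The packaged logrotate snippet still points at the upstream PID location;
# the unit patched above moved it to /run/http/nginx.pid.
- name: fix logrotate.d/openresty
  lineinfile:
    path: /etc/logrotate.d/openresty
    backrefs: true
    regexp: '^(\s*test -r )/run/'
    line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'

# Runtime and log directories owned by http:http, created by systemd-tmpfiles
# (the unit is ordered After=systemd-tmpfiles-setup.service for this reason).
- name: create Nginx working directories
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
      d /var/log/nginx 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    mode: "0644"
  notify:
    - create tmpfiles

- meta: flush_handlers

# Plain command with no shell features: `command` avoids an unneeded shell.
# Runs every time and is reported as changed; `changed_when` is left as-is
# because an update may genuinely change installed packages.
- name: update already-installed OpenResty packages
  command: /opt/openresty/bin/opm update

- name: OPM = install OpenResty packages (if necessary)
  include_tasks: opm.yaml
  vars:
    pkg_name: "{{item}}"
  with_items:
    - fffonion/lua-resty-openssl

- name: set the number of nginx worker processes
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*worker_processes\s'
    line: "worker_processes auto;"
  notify:
    - restart openresty.service

# `nginx_loglevel` comes from the inventory/role vars (not defined here).
- name: log to systemd-journal
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*error_log\s'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
  notify:
    - restart openresty.service

# root-owned, group http so the master process (User=http) can read them
# without being able to modify them.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{item}}.d"
    state: directory
    owner: root
    group: http
    mode: "0750"
  with_items:
    - conf
    - inc
    - main.inc

- name: include main nginx configuration items
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*main.inc.d/'
    line: "include /etc/nginx/main.inc.d/*.inc;"
    insertbefore: BOF
  notify:
    - restart openresty.service

# Inserted before the `#gzip` line so that it lands inside the http {} block,
# ahead of the example servers removed further down.
- name: include custom nginx configuration
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*conf.d/'
    line: "include /etc/nginx/conf.d/*.conf;"
    insertbefore: '^\s*#gzip\s'
  notify:
    - restart openresty.service

- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
    owner: root
    group: http
    mode: "0640"
  notify:
    - restart openresty.service

- name: send included conf files
  template:
    src: "templates/{{item}}.inc.j2"
    dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
    owner: root
    group: http
    mode: "0640"
  with_items:
    - 'php-fast'
    - 'php-full'
    - filters

- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: "0640"

# Marker step: rewriting the first `server {` line tells us (via `changed`)
# whether the stock example servers are still present.
- name: test the presence of example nginx servers
  lineinfile:
    path: /etc/nginx/nginx.conf
    backrefs: true
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
  register: test_srv

# Drops everything from the first `server {` line to the end of the file and
# appends a `}` to close the enclosing http {} block.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv is changed
  notify:
    - restart openresty.service

- name: create web files locations
  file:
    path: "{{item}}"
    state: directory
  with_items:
    - /srv/http
    - /srv/webapps

- name: enable openresty.service
  systemd:
    daemon_reload: true
    name: openresty.service
    enabled: true

# NOTE(review): the markup of this test page appears to have been lost in this
# copy of the file; only its text lines survive — confirm against the original.
- name: HTML test-page in test environment
  copy:
    content: |
      TEST

      HTML served by Nginx

      It works!
    dest: /srv/http/index.html
    mode: "0644"
  when: (env == 'dev')

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers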