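---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# Installs nginx (mainline) and php-fpm, runs both as the unprivileged `http`
# user under hardened systemd drop-ins, and points nginx at php-fpm over a
# Unix socket in /run/shared_sockets. Every change to /etc is bracketed by the
# etckeeper.inc role (upstream.yml / merge.yml / local.yml) so package
# changes and local edits end up in separate commits.
#
# Expected from the caller (not defined here):
#   vars     : nickname, nginx_loglevel, php_max_workers, php_worker_max_reqs
#   handlers : create tmpfiles, restart nginx.service, restart php-fpm.service
#
# NOTE(review): nginx and php-fpm share one uid (`http`, see the drop-ins
# below). A compromised PHP worker therefore has the same identity as the web
# server: it can signal nginx, read /etc/nginx/*.d (group http) and write
# /var/log/nginx (chowned to http below). Two users sharing a group for the
# php-fpm socket would contain that; not changed here because the nginx side
# of the socket lives in templates that are not part of this file.

### UPSTREAM BEGIN ⇒ ###
# Snapshot /etc before the package manager touches it.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - nginx-mainline
    - php-fpm

### UPSTREAM END ⇒ ###
# Hand the post-install state of /etc to etckeeper.inc (merge.yml).
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###

# Both services write their PID file under /run/http (PIDFile= below). The
# directory is created by systemd-tmpfiles rather than by the services, which
# run as `http` and cannot create it themselves.
- name: create a directory for the PID files
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    mode: "0644"
  notify:
    - create tmpfiles

# Run "create tmpfiles" now so /run/http exists before any restart handler
# fires at the end of this file.
- meta: flush_handlers

- name: prepare to override systemd settings
  file:
    path: "/etc/systemd/system/{{ item }}.service.d"
    state: directory
    mode: "0755"
  with_items:
    - nginx
    - php-fpm

# Hardened drop-in for php-fpm. The unit text is written verbatim (no
# comments inside it) so the file stays easy to diff against the packaged unit.
#   After=systemd-tmpfiles-setup   /run/http must exist before start
#   User/Group=http                 master runs unprivileged; www.conf's own
#                                   user/group lines are disabled further down
#   CapabilityBoundingSet           hard cap on capabilities; with User=http
#                                   and NoNewPrivileges the process cannot
#                                   acquire any in the first place
#   PrivateTmp/PrivateDevices       private /tmp, no physical devices
#   ProtectSystem=true              /usr and /boot read-only (NOT /etc)
#   ProtectHome=true                /home, /root, /run/user inaccessible
#   NoNewPrivileges=true            setuid/fscaps binaries cannot escalate
# NOTE(review): ProtectSystem=true is weaker than the `full` used for nginx
# below, yet php-fpm is the service that executes application code.
# Presumably kept so PHP applications may write configuration under /etc —
# confirm; if nothing needs that, raise it to `full` (or `strict` plus
# ReadWritePaths= for the few paths that do).
- name: secure systemd settings for php-fpm
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/php-fpm.pid
    dest: "/etc/systemd/system/php-fpm.service.d/secure-{{ nickname }}.conf"
    mode: "0644"
  notify:
    - restart php-fpm.service

# Hardened drop-in for nginx; same sandbox as php-fpm, with these differences:
#   After=php-fpm.service           ordering only (no Wants=/Requires=), so
#                                   nginx still starts when php-fpm is down
#   ProtectSystem=full              additionally makes /etc read-only;
#                                   /var/lib/nginx and /var/log/nginx remain
#                                   writable (chowned to http below)
#   ExecStartPre                    removes listener sockets left by a
#                                   previous instance; runs as `http` (no `+`
#                                   prefix), so it can only delete what that
#                                   user owns. Assumes the nginx templates
#                                   listen on /run/shared_sockets/http*.pp —
#                                   TODO confirm.
#   ExecStart= (empty)              clears the packaged command line
#   ExecStart=... -g '...'          global directives: a pid path writable by
#                                   `http`, and error_log to stderr (journal)
# NOTE(review): nginx.conf's error_log is also pointed at syslog further
# down; nginx accepts several error_log directives, so errors may reach the
# journal twice — confirm this is intended.
# NOTE(review): with User=http and no AmbientCapabilities=, nginx cannot bind
# ports below 1024; consistent with the Unix-socket listeners cleaned up by
# ExecStartPre, but that is an assumption about the templates.
- name: secure systemd settings for nginx
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      After=php-fpm.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
      PIDFile=/run/http/nginx.pid
      ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
      ExecStart=
      ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
    dest: "/etc/systemd/system/nginx.service.d/secure-{{ nickname }}.conf"
    mode: "0644"
  notify:
    - restart nginx.service

# nginx runs as `http`, so its cache (/var/lib/nginx) and log directory must
# be writable by that user; these are the only writable trees it keeps under
# ProtectSystem=full.
- name: set ownership of nginx’ working directories to nginx
  file:
    path: "/var/{{ item }}/nginx"
    state: directory
    owner: http
    group: http
    recurse: true
  with_items:
    - lib
    - log

- name: set the number of nginx worker processes
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*worker_processes\s'
    line: "worker_processes auto;"
  notify:
    - restart nginx.service

# Error log through /dev/log into the journal; `nohostname` drops the
# hostname field from the syslog header.
- name: log to systemd-journal
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*error_log\s'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{ nginx_loglevel }};"
  notify:
    - restart nginx.service

# root-owned, group http, 0750: readable by the `http` user (nginx, and
# therefore php-fpm too), writable only by root.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{ item }}.d"
    state: directory
    owner: root
    group: http
    mode: "0750"
  with_items:
    - conf
    - inc
    - main.inc

# Inserted at the top of nginx.conf, i.e. in the main (top-level) context.
- name: include main nginx configuration items
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*main.inc.d/'
    line: 'include /etc/nginx/main.inc.d/*.inc;'
    insertbefore: BOF
  notify:
    - restart nginx.service

# Anchored on the stock `#gzip on;` line so the include lands inside
# `http {}`. If that anchor is missing, lineinfile appends the line at EOF —
# outside `http {}` — and nginx will reject the configuration; verify against
# the packaged nginx.conf when nginx is upgraded.
- name: include custom nginx configuration
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*conf.d/'
    line: 'include /etc/nginx/conf.d/*.conf;'
    insertbefore: '^\s*#gzip\s'
  notify:
    - restart nginx.service

- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{ nickname }}.conf"
    owner: root
    group: http
    mode: "0640"
  notify:
    - restart nginx.service

# Snippets meant to be included from server blocks. They are part of the
# running configuration, so a change must restart nginx like any other.
- name: send included conf files
  template:
    src: "templates/{{ item }}.inc.j2"
    dest: "/etc/nginx/inc.d/{{ nickname }}_{{ item }}.inc"
    owner: root
    group: http
    mode: "0640"
  with_items:
    - php-fast
    - php-full
    - filters
  notify:
    - restart nginx.service

- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: "0640"
  notify:
    - restart nginx.service

# Probe only: check_mode makes lineinfile report whether a `server {` line is
# still present without touching nginx.conf — the removal below is the only
# write, so a failure between the two tasks cannot leave a half-edited file.
# backrefs: true restricts the match to existing lines, so nothing is
# appended when there is no match.
- name: test the presence of example nginx servers
  lineinfile:
    path: /etc/nginx/nginx.conf
    backrefs: true
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
  check_mode: true
  register: test_srv

# Drop everything from the first `server {` line to the end of the file and
# close the enclosing `http {` with `}`. Walkthrough: lines before the first
# match are printed unchanged by the `: OK` / `n` / `b OK` loop; the matching
# line hits `d`, and every later line then falls through to `d` as well, with
# `$ a\` appending the closing brace on the last one.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv.changed
  notify:
    - restart nginx.service

# Settings for the stock www pool: listen on a Unix socket (nginx, same uid,
# connects to it) and size the worker pool from caller variables. The keys
# are used unescaped in regexp, so the `.` in pm.* matches any character —
# harmless for these keys.
- name: set the php-fpm settings
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    regexp: '^;*{{ item.key }}\s*='
    line: '{{ item.key }} = {{ item.value }}'
  with_dict:
    listen: /run/shared_sockets/php-fpm
    pm: dynamic
    'pm.max_children': '{{ php_max_workers }}'
    'pm.start_servers': 1
    'pm.min_spare_servers': 1
    'pm.max_spare_servers': '{{ php_max_workers }}'
    'pm.max_requests': '{{ php_worker_max_reqs }}'
  notify:
    - restart php-fpm.service

# user/group are enforced by systemd (User=/Group= in the drop-in) and the
# unprivileged master could not switch identity anyway; listen.group is moot
# because the socket is created by `http` and nginx runs as `http` too.
- name: disable useless user/group specs
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    backrefs: true
    regexp: '^({{ item }}\s*=.*)'
    line: ';\1'
  with_items:
    - user
    - group
    - listen.group

# Must match PIDFile= in the php-fpm drop-in.
- name: set the PID file path for php-fpm
  lineinfile:
    path: /etc/php/php-fpm.conf
    regexp: '^;*pid\s*='
    line: 'pid = /run/http/php-fpm.pid'
  notify:
    - restart php-fpm.service

# daemon_reload picks up the drop-ins written above; it runs before the
# restart handlers fire at the final flush_handlers.
- name: enable php-fpm.service
  systemd:
    daemon_reload: true
    name: php-fpm.service
    enabled: true

- name: enable nginx.service
  systemd:
    daemon_reload: true
    name: nginx.service
    enabled: true

### LOCAL COMMIT ⇒ ###
# Commit the local edits made above as a separate etckeeper revision.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers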