---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
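### UPSTREAM BEGIN ⇒ ###
# Hand over to the etckeeper.inc role (upstream.yml step) before any package
# below is touched; what that step does is defined in the role itself.
# Arguments are written as native YAML rather than a key=value string so the
# task reads like the other include_role tasks in this file.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###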
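# Packages that used to be installed by this role and must now be gone.
# The package module accepts a list, so the removals are passed directly
# instead of looping one package at a time (same result, one transaction).
- name: uninstall software
  package:
    name:
      # 2023-05-20: removed
      - nginx-mainline
    state: absent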
# Build and install openresty from the AUR through the aur.inc role.
- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - pkg: openresty
        # Shell snippet handed to aur.inc (its calling convention lives in that
        # role); it evidently runs inside the unpacked AUR package directory,
        # where the `service` unit file and the `PKGBUILD` are present.
        # In order it: (1) patches the packaged systemd unit — unprivileged
        # user, capability bounding set, private /tmp and /dev, read-only
        # system directories, no privilege escalation, relocated pidfile;
        # (2) refreshes the unit's sha256 inside PKGBUILD; (3) drops the
        # detached-signature (.asc) sources; (4) rewrites paths and disables
        # build options before the package is built.
        # The `{{ '{#source[*]}' }}` spelling is a Jinja escape: a bare `{#`
        # would open a Jinja comment, so bash's `${#source[*]}` cannot be
        # written literally in a templated string.
        # NOTE(review): with User=http and no AmbientCapabilities the daemon
        # cannot bind ports below 1024 itself (CAP_NET_BIND_SERVICE is not in
        # the bounding set either) — presumably intended, confirm the listen
        # setup. ReadWritePaths= only restricts anything together with
        # ProtectSystem=strict; with `full` it is documentation of intent. If
        # strict is ever adopted, /run/http would need listing as well.
        pre: |
          # harden the systemd service
          sed -ri '
          /\[Unit\]/ a\
          After=systemd-tmpfiles-setup.service\
          After=php-fpm.service
          /\[Service\]/ a\
          User=http\
          Group=http\
          CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
          PrivateTmp=true\
          PrivateDevices=true\
          ProtectSystem=full\
          ProtectHome=true\
          ReadWritePaths=/var/log/nginx\
          NoNewPrivileges=true\
          ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
          ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
          s|/run/openresty.pid|/run/http/nginx.pid|g
          ' service
          # compute the hash of the new service file
          srvHash=$(sha256sum service | awk '{print $1}')
          # — choose /etc/nginx as Nginx configuration location
          # — choose /run/http/ for Nginx PID and lock files location
          # — choose /var/log/nginx/ as Nginx compiled-in logs location
          # — choose /var/tmp/ as Nginx runtime temporary folder
          # — replace the old service hash with the computed one
          # — remove signature source files as they make the build fail
          # — disable unused features of OpenResty/Nginx
          sed -ri "
          s#_cfgdir=.*#_cfgdir=/etc/nginx#
          /build\\(\\)/ i\\
          for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
          sha256sums[\$_src]='$srvHash'\\
          fi; done\\
          for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
          _last=\$((\${{ '{#source[*]}' }}-1))\\
          source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
          sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
          fi; done\\
          unset _last _src
          s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
          s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
          s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
          s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
          s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
          /^ *--with-mail|^ *#/d
          s| +#.*||
          " PKGBUILD
          cat PKGBUILD
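### UPSTREAM END ⇒ ###
# Second etckeeper.inc step (merge.yml), run once the packages are in place;
# arguments in native YAML instead of the key=value string form.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###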
# The packaged logrotate snippet looks for the pidfile under /run; point it at
# the relocated /run/http/nginx.pid (the same path the PKGBUILD patch above
# compiles in). With backrefs the file is only touched when the regexp matches.
# NOTE(review): /run/http is created writable by the http user (tmpfiles
# below), so the pid that `kill -USR1` receives is under http's control while
# logrotate typically runs as root; signalling through the service manager
# instead of a pidfile would remove that trust relationship.
- name: fix logrotate.d/openresty
  lineinfile:
    path: '/etc/logrotate.d/openresty'
    regexp: '^(\s*test -r )/run/'
    line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
    backrefs: true
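# Runtime directories for the unprivileged daemon (pidfile/lock under
# /run/http, logs under /var/log/nginx), declared via systemd-tmpfiles so they
# survive reboots; the "create tmpfiles" handler materialises them.
- name: create Nginx working directories
  copy:
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
      d /var/log/nginx 775 http http - -
    dest: /etc/tmpfiles.d/run_http.conf
    # quoted: an unquoted 0644 is parsed as an integer by the YAML loader
    # (ansible-lint risky-octal); the string form is unambiguous
    mode: "0644"
  notify:
    - create tmpfiles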
# Run the pending "create tmpfiles" handler now instead of at the end of the
# play — presumably so the directories exist before the opm steps below.
- meta: flush_handlers
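# `opm update` has no shell syntax in it, so it is run through `command`
# rather than a shell: no word splitting or interpolation between Ansible and
# the binary (ansible-lint command-instead-of-shell).
# NOTE(review): reported as "changed" on every run; a changed_when derived
# from opm's output would fix that, but the output format is not shown here.
- name: update already-installed OpenResty packages
  command: /opt/openresty/bin/opm update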
# One include of opm.yaml per OpenResty package; the package name reaches the
# included file as pkg_name.
- name: OPM = install OpenResty packages (if necessary)
  include_tasks: opm.yaml
  vars:
    pkg_name: "{{ item }}"
  with_items:
    - 'fffonion/lua-resty-openssl'
# Let nginx size its worker pool to the CPU count. The regexp also matches a
# commented-out directive, so the stock `#worker_processes` line is replaced
# in place rather than duplicated.
- name: set the number of nginx worker processes
  lineinfile:
    path: '/etc/nginx/nginx.conf'
    line: 'worker_processes auto;'
    regexp: '^#?\s*worker_processes\s'
  notify:
    - restart openresty.service
# Send the error log to the journal over the syslog socket; the level comes
# from nginx_loglevel, which is defined outside this file.
- name: log to systemd-journal
  lineinfile:
    path: '/etc/nginx/nginx.conf'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{ nginx_loglevel }};"
    regexp: '^#?\s*error_log\s'
  notify:
    - restart openresty.service
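# Drop-in directories under /etc/nginx, readable by the http group only
# (root:http 0750); nothing under /etc/nginx is writable by the daemon.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{ item }}.d"
    state: directory
    owner: root
    group: http
    mode: "0750"  # quoted so the YAML loader keeps it a string (risky-octal)
  with_items:
    - conf      # conf.d: included before the #gzip line of nginx.conf
    - inc       # inc.d: *.inc snippets sent by the template tasks below
    - main.inc  # main.inc.d: included at the very top of nginx.conf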
# Pull the main-context snippets in at the very top of nginx.conf; the regexp
# keeps the task idempotent once the include line is present.
- name: include main nginx configuration items
  lineinfile:
    path: '/etc/nginx/nginx.conf'
    insertbefore: BOF
    regexp: '^include.*main.inc.d/'
    line: 'include /etc/nginx/main.inc.d/*.inc;'
  notify:
    - restart openresty.service
# The conf.d include is anchored on the commented-out `#gzip` line of the
# stock nginx.conf so that it ends up inside the http block.
# NOTE(review): should that line ever be missing, lineinfile appends at EOF,
# which would leave the include outside http {} and break the config.
- name: include custom nginx configuration
  lineinfile:
    path: '/etc/nginx/nginx.conf'
    insertbefore: '^\s*#gzip\s'
    regexp: '^include.*conf.d/'
    line: 'include /etc/nginx/conf.d/*.conf;'
  notify:
    - restart openresty.service
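# Per-host server configuration rendered from 10.conf.j2; root-owned and
# readable by the http group only.
- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{ nickname }}.conf"
    owner: root
    group: http
    mode: "0640"  # quoted: keeps the leading zero out of YAML's octal parsing
  notify:
    - restart openresty.service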
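# Snippets dropped into inc.d, presumably included from the per-host conf
# above. They now notify the restart handler too: without it, a change that
# only touches a snippet was never applied until something else restarted
# the service.
- name: send included conf files
  template:
    src: "templates/{{ item }}.inc.j2"
    dest: "/etc/nginx/inc.d/{{ nickname }}_{{ item }}.inc"
    owner: root
    group: http
    mode: "0640"  # quoted (ansible-lint risky-octal)
  with_items:
    - 'php-fast'
    - 'php-full'
    - 'filters'
  notify:
    - restart openresty.service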
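# Default HTML/PHP handler snippet; like the other inc.d files it now notifies
# the restart handler so that an edit to the template is actually applied.
- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: "0640"  # quoted (ansible-lint risky-octal)
  notify:
    - restart openresty.service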
# Detection trick: with backrefs, lineinfile rewrites the last `server {` line
# of nginx.conf to a marker and reports "changed" only when such a line
# exists; test_srv drives the clean-up task that follows.
# NOTE(review): the marker really lands on disk — if the play stops between
# the two tasks, nginx.conf keeps a broken `server { TO BE DELETED` line.
- name: test the presence of example nginx servers
  lineinfile:
    path: '/etc/nginx/nginx.conf'
    regexp: 'server\s*\{'
    line: 'server { TO BE DELETED'
    backrefs: true
  register: test_srv
# Strip the example server blocks from the stock nginx.conf. Reading the sed
# program: lines are printed (n) until the first `server {` line, which is
# deleted (d); every later line then falls through to the unconditional d,
# and a `}` is appended on the last line to close the enclosing block
# (presumably http {}). Runs only when the marker task above found a block.
# NOTE(review): everything after the first server block is discarded, in place
# and without a backup — confirm the packaged nginx.conf keeps nothing needed
# past that point.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv.changed
  notify:
    - restart openresty.service
# Document roots for static content and web applications.
# NOTE(review): no owner/group/mode is set, so a freshly created directory
# gets whatever the remote user and umask yield — presumably root-owned and
# world-readable; confirm the http user needs no more than read access here.
- name: create web files locations
  file:
    state: directory
    path: "{{ item }}"
  with_items:
    - '/srv/http'
    - '/srv/webapps'
# Enable the unit at boot after reloading systemd, so the patched unit file
# from the package build is the one that gets registered. The running
# instance is not started here; the "restart openresty.service" handler
# notified by the tasks above is what (re)starts it.
- name: enable openresty.service
  systemd:
    name: openresty.service
    enabled: true
    daemon_reload: true
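# Placeholder page so the setup can be checked in the dev environment only;
# production hosts get no sample content.
- name: HTML test-page in test environment
  copy:
    content: |
      <!DOCTYPE html>
      <html lang="en">
      <head><title>TEST</title><meta charset="UTF-8"></head>
      <body><h1>HTML served by Nginx</h1><p>It works!</p></body>
      </html>
    dest: /srv/http/index.html
    mode: "0644"  # quoted (ansible-lint risky-octal)
  when: env == 'dev'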
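### LOCAL COMMIT ⇒ ###
# Final etckeeper.inc step (local.yml), recording this role's changes under
# the "nginx" message; arguments in native YAML instead of a key=value string.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###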
# Run the notified handlers (restart openresty.service among them) before this
# role returns, rather than at the end of the whole play.
- meta: flush_handlers