248 lines
7.1 KiB
YAML
248 lines
7.1 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: uninstall software
|
||
package:
|
||
name: "{{item}}"
|
||
state: absent
|
||
with_items:
|
||
# 2023-05-20: removed
|
||
- nginx-mainline
|
||
|
||
- name: install AUR software
|
||
include_role:
|
||
name: aur.inc
|
||
allow_duplicates: true
|
||
vars:
|
||
packages:
|
||
- pkg: openresty
|
||
pre: |
|
||
# harden the systemd service
|
||
sed -ri '
|
||
/\[Unit\]/ a\
|
||
After=systemd-tmpfiles-setup.service\
|
||
After=php-fpm.service
|
||
/\[Service\]/ a\
|
||
User=http\
|
||
Group=http\
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
|
||
PrivateTmp=true\
|
||
PrivateDevices=true\
|
||
ProtectSystem=full\
|
||
ProtectHome=true\
|
||
ReadWritePaths=/var/log/nginx\
|
||
NoNewPrivileges=true\
|
||
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
|
||
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
|
||
s|/run/openresty.pid|/run/http/nginx.pid|g
|
||
' service
|
||
# compute the hash of the new service file
|
||
srvHash=$(sha256sum service | awk '{print $1}')
|
||
# — choose /etc/nginx as Nginx configuration location
|
||
# — choose /run/http/ for Nginx PID and lock files location
|
||
# — choose /var/log/nginx/ as Nginx compiled-in logs location
|
||
# — choose /var/tmp/ as Nginx runtime temporary folder
|
||
# — replace the old service hash with the computed one
|
||
# — remove signature source files as they make the build fail
|
||
# — disable unused features of OpenResty/Nginx
|
||
sed -ri "
|
||
s#_cfgdir=.*#_cfgdir=/etc/nginx#
|
||
/build\\(\\)/ i\\
|
||
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
|
||
sha256sums[\$_src]='$srvHash'\\
|
||
fi; done\\
|
||
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
|
||
_last=\$((\${{ '{#source[*]}' }}-1))\\
|
||
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
|
||
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
|
||
fi; done\\
|
||
unset _last _src
|
||
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
|
||
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
|
||
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
|
||
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
|
||
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
|
||
/^ *--with-mail|^ *#/d
|
||
s| +#.*||
|
||
" PKGBUILD
|
||
cat PKGBUILD
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: fix logrotate.d/openresty
|
||
lineinfile:
|
||
path: /etc/logrotate.d/openresty
|
||
backrefs: true
|
||
regexp: '^(\s*test -r )/run/'
|
||
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
|
||
|
||
- name: create Nginx working directories
|
||
copy:
|
||
content: |
|
||
#Type Path Mode UID GID Age Argument
|
||
d /run/http 775 http http - -
|
||
d /var/log/nginx 775 http http - -
|
||
dest: /etc/tmpfiles.d/run_http.conf
|
||
mode: 0644
|
||
notify:
|
||
- create tmpfiles
|
||
|
||
- meta: flush_handlers
|
||
|
||
- name: update already-installed OpenResty packages
|
||
shell: /opt/openresty/bin/opm update
|
||
|
||
- name: OPM = install OpenResty packages (if necessary)
|
||
include_tasks: opm.yaml
|
||
vars:
|
||
pkg_name: "{{item}}"
|
||
with_items:
|
||
- fffonion/lua-resty-openssl
|
||
|
||
- name: set the number of nginx worker processes
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^#?\s*worker_processes\s'
|
||
line: "worker_processes auto;"
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: log to systemd-journal
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^#?\s*error_log\s'
|
||
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: create directories for custom nginx configuration
|
||
file:
|
||
path: /etc/nginx/{{item}}.d
|
||
state: directory
|
||
owner: root
|
||
group: http
|
||
mode: 0750
|
||
with_items:
|
||
- conf
|
||
- inc
|
||
- main.inc
|
||
|
||
- name: include main nginx configuration items
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^include.*main.inc.d/'
|
||
line: include /etc/nginx/main.inc.d/*.inc;
|
||
insertbefore: BOF
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: include custom nginx configuration
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^include.*conf.d/'
|
||
line: include /etc/nginx/conf.d/*.conf;
|
||
insertbefore: '^\s*#gzip\s'
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: set custom nginx configuration
|
||
template:
|
||
src: templates/10.conf.j2
|
||
dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: send included conf files
|
||
template:
|
||
src: templates/{{item}}.inc.j2
|
||
dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
with_items:
|
||
- 'php-fast'
|
||
- 'php-full'
|
||
- filters
|
||
|
||
- name: send the default HTML/PHP handler
|
||
template:
|
||
src: templates/00.http.inc.j2
|
||
dest: /etc/nginx/inc.d/00.http.inc
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
|
||
- name: test the presence of example nginx servers
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
backrefs: true
|
||
regexp: 'server\s*\{'
|
||
line: 'server { TO BE DELETED'
|
||
register: test_srv
|
||
|
||
- name: remove example nginx servers
|
||
shell: |
|
||
sed -i '1 b OK
|
||
$ a\
|
||
}
|
||
d
|
||
: OK
|
||
/server[[:blank:]]*{/ d
|
||
n
|
||
b OK' /etc/nginx/nginx.conf
|
||
when:
|
||
- test_srv.changed
|
||
notify:
|
||
- restart openresty.service
|
||
|
||
- name: create web files locations
|
||
file:
|
||
path: "{{item}}"
|
||
state: directory
|
||
with_items:
|
||
- /srv/http
|
||
- /srv/webapps
|
||
|
||
- name: enable openresty.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: openresty.service
|
||
enabled: true
|
||
|
||
- name: HTML test-page in test environment
|
||
copy:
|
||
content: |
|
||
<!DOCTYPE html>
|
||
<html lang="en">
|
||
<head><title>TEST</title><meta charset="UTF-8"></head>
|
||
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
|
||
</html>
|
||
dest: /srv/http/index.html
|
||
mode: 0644
|
||
when: (env == 'dev')
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|