249 lines
5.8 KiB
YAML
249 lines
5.8 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: install software
|
||
package:
|
||
name: "{{item}}"
|
||
state: present
|
||
with_items:
|
||
- nginx-mainline
|
||
- php-fpm
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: create a directory for the PID files
|
||
copy:
|
||
content: |
|
||
#Type Path Mode UID GID Age Argument
|
||
d /run/http 775 http http - -
|
||
dest: /etc/tmpfiles.d/run_http.conf
|
||
mode: 0644
|
||
notify:
|
||
- create tmpfiles
|
||
|
||
- meta: flush_handlers
|
||
|
||
- name: prepare to override systemd settings
|
||
file:
|
||
name: /etc/systemd/system/{{item}}.service.d
|
||
state: directory
|
||
mode: 0755
|
||
with_items:
|
||
- nginx
|
||
- php-fpm
|
||
|
||
- name: secure systemd settings for php-fpm
|
||
copy:
|
||
content: |
|
||
[Unit]
|
||
After=systemd-tmpfiles-setup.service
|
||
[Service]
|
||
User=http
|
||
Group=http
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||
PrivateTmp=true
|
||
PrivateDevices=true
|
||
ProtectSystem=true
|
||
ProtectHome=true
|
||
NoNewPrivileges=true
|
||
PIDFile=/run/http/php-fpm.pid
|
||
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
||
mode: 0644
|
||
notify:
|
||
- restart php-fpm.service
|
||
|
||
- name: secure systemd settings for nginx
|
||
copy:
|
||
content: |
|
||
[Unit]
|
||
After=systemd-tmpfiles-setup.service
|
||
After=php-fpm.service
|
||
[Service]
|
||
User=http
|
||
Group=http
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||
PrivateTmp=true
|
||
PrivateDevices=true
|
||
ProtectSystem=full
|
||
ProtectHome=true
|
||
NoNewPrivileges=true
|
||
PIDFile=/run/http/nginx.pid
|
||
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
|
||
ExecStart=
|
||
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
|
||
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
|
||
mode: 0644
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: set ownership of nginx’ working directories to nginx
|
||
file:
|
||
path: /var/{{item}}/nginx
|
||
state: directory
|
||
owner: http
|
||
group: http
|
||
recurse: true
|
||
with_items:
|
||
- lib
|
||
- log
|
||
|
||
- name: set the number of nginx worker processes
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^#?\s*worker_processes\s'
|
||
line: "worker_processes auto;"
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: log to systemd-journal
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^#?\s*error_log\s'
|
||
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: create directories for custom nginx configuration
|
||
file:
|
||
path: /etc/nginx/{{item}}.d
|
||
state: directory
|
||
owner: root
|
||
group: http
|
||
mode: 0750
|
||
with_items:
|
||
- conf
|
||
- inc
|
||
- main.inc
|
||
|
||
- name: include main nginx configuration items
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^include.*main.inc.d/'
|
||
line: include /etc/nginx/main.inc.d/*.inc;
|
||
insertbefore: BOF
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: include custom nginx configuration
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
regexp: '^include.*conf.d/'
|
||
line: include /etc/nginx/conf.d/*.conf;
|
||
insertbefore: '^\s*#gzip\s'
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: set custom nginx configuration
|
||
template:
|
||
src: templates/10.conf.j2
|
||
dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: send included conf files
|
||
template:
|
||
src: templates/{{item}}.inc.j2
|
||
dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
with_items:
|
||
- 'php-fast'
|
||
- 'php-full'
|
||
- filters
|
||
|
||
- name: send the default HTML/PHP handler
|
||
template:
|
||
src: templates/00.http.inc.j2
|
||
dest: /etc/nginx/inc.d/00.http.inc
|
||
owner: root
|
||
group: http
|
||
mode: 0640
|
||
|
||
- name: test the presence of example nginx servers
|
||
lineinfile:
|
||
path: /etc/nginx/nginx.conf
|
||
backrefs: true
|
||
regexp: 'server\s*\{'
|
||
line: 'server { TO BE DELETED'
|
||
register: test_srv
|
||
|
||
- name: remove example nginx servers
|
||
shell: |
|
||
sed -i '1 b OK
|
||
$ a\
|
||
}
|
||
d
|
||
: OK
|
||
/server[[:blank:]]*{/ d
|
||
n
|
||
b OK' /etc/nginx/nginx.conf
|
||
when:
|
||
- test_srv.changed
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: set the php-fpm socket path
|
||
lineinfile:
|
||
path: /etc/php/php-fpm.d/www.conf
|
||
regexp: '^;*listen\s*='
|
||
line: 'listen = /run/shared_sockets/php-fpm'
|
||
notify:
|
||
- restart php-fpm.service
|
||
|
||
- name: remove useless user/group specs
|
||
lineinfile:
|
||
path: /etc/php/php-fpm.d/www.conf
|
||
backrefs: true
|
||
regexp: '^({{item}}\s*=.*)'
|
||
line: ';\1'
|
||
with_items:
|
||
- user
|
||
- group
|
||
- 'listen.group'
|
||
|
||
- name: set the PID file path for php-fpm
|
||
lineinfile:
|
||
path: /etc/php/php-fpm.conf
|
||
regexp: '^;*pid\s*='
|
||
line: 'pid = /run/http/php-fpm.pid'
|
||
notify:
|
||
- restart php-fpm.service
|
||
|
||
- name: enable php-fpm.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: php-fpm.service
|
||
enabled: true
|
||
|
||
- name: enable nginx.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: nginx.service
|
||
enabled: true
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: nginx
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|