
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
# Snapshot /etc with etckeeper before the package manager touches it, so
# the upstream (packaged) configuration can be merged against local edits
# in the matching "merge upstream" task below. The markers around this
# task are kept verbatim: they look like sentinels for an external tool.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ UPSTREAM BEGIN ###
# nginx-mainline and php-fpm are the Arch package names; the generic
# package module is used so the distribution's package manager is picked
# automatically.
- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - nginx-mainline
    - php-fpm
### UPSTREAM END ⇒ ###
# Counterpart of "pull prerequisites from upstream": records the
# post-install state of /etc so that upstream changes and this role's
# edits stay distinguishable in etckeeper history.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ UPSTREAM END ###
# Both services are started as the http user (see the systemd drop-ins
# below), so they need a PID directory they own; the packaged units use
# /run directly, which only root can write to. The tmpfiles.d rule makes
# the directory survive reboots (/run is tmpfs).
- name: create a directory for the PID files
  copy:
    dest: /etc/tmpfiles.d/run_http.conf
    mode: '0644'
    content: |
      #Type Path Mode UID GID Age Argument
      d /run/http 775 http http - -
  notify:
    - create tmpfiles
# Run the "create tmpfiles" handler now rather than at the end of the play:
# /run/http must exist before the services below are (re)started.
- meta: flush_handlers
# Drop-in directories for the packaged units; the hardening snippets are
# written there instead of editing the vendor unit files.
- name: prepare to override systemd settings
  file:
    name: "/etc/systemd/system/{{item}}.service.d"
    state: directory
    mode: '0755'
  with_items:
    - nginx
    - php-fpm
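# Drop-in for the packaged php-fpm.service. The FPM master is started
# directly as the unprivileged http user (which is why the pool's
# user/group directives are commented out further down) and sandboxed.
# It is ordered after systemd-tmpfiles-setup so the /run/http PID
# directory created by the tmpfiles.d rule above exists.
# NOTE(review): the Protect*/Restrict*/LockPersonality directives need a
# systemd newer than about v235; older versions log "Unknown lvalue" for
# them and ignore them rather than failing, so the unit still starts.
- name: secure systemd settings for php-fpm
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      User=http
      Group=http
      # The pool listens on a unix socket (listen = /run/shared_sockets/php-fpm),
      # so CAP_NET_BIND_SERVICE is deliberately not in the bounding set.
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      # "full" also makes /etc read-only (php-fpm only reads /etc/php) and
      # matches the nginx drop-in; the previous value "true" left /etc writable.
      ProtectSystem=full
      ProtectHome=true
      ProtectKernelTunables=true
      ProtectKernelModules=true
      ProtectControlGroups=true
      RestrictNamespaces=true
      RestrictRealtime=true
      LockPersonality=true
      SystemCallArchitectures=native
      # AF_NETLINK is kept because glibc's getaddrinfo() probes it.
      RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
      NoNewPrivileges=true
      PIDFile=/run/http/php-fpm.pid
    dest: "/etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf"
    mode: '0644'
  notify:
    - restart php-fpm.service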
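# Drop-in for the packaged nginx.service: nginx's master runs as http
# (so nginx.conf's "user" directive is irrelevant) and is sandboxed.
# Without AmbientCapabilities/CAP_NET_BIND_SERVICE it cannot bind ports
# below 1024 — the server templates of this role presumably listen on unix
# sockets under /run/shared_sockets or on high ports (confirm).
# NOTE(review): the Protect*/Restrict*/LockPersonality directives need a
# systemd newer than about v235; older versions log "Unknown lvalue" for
# them and ignore them rather than failing.
- name: secure systemd settings for nginx
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      After=php-fpm.service
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      ProtectKernelTunables=true
      ProtectKernelModules=true
      ProtectControlGroups=true
      RestrictNamespaces=true
      RestrictRealtime=true
      LockPersonality=true
      SystemCallArchitectures=native
      # AF_NETLINK is kept because glibc's getaddrinfo() probes it.
      RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
      NoNewPrivileges=true
      PIDFile=/run/http/nginx.pid
      # Stale socket cleanup; a shell is needed for the glob. This runs as
      # http too (no "+" prefix), so /run/shared_sockets must be writable by
      # http — that directory is not created by this role.
      ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
      # Reset the vendor ExecStart, then repeat it with the PID file moved
      # to /run/http. "error_log stderr" makes journald capture early
      # startup errors before nginx.conf is parsed.
      ExecStart=
      ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
    dest: "/etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf"
    mode: '0644'
  notify:
    - restart nginx.service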
# The nginx master runs as http (systemd drop-in above), so it must be able
# to write its own cache (/var/lib/nginx) and logs (/var/log/nginx). Note
# this also makes the log directory writable by a compromised worker; that
# is inherent to running the master unprivileged.
- name: set ownership of nginx working directories to nginx
  file:
    path: "/var/{{item}}/nginx"
    state: directory
    owner: http
    group: http
    recurse: true
  with_items:
    - lib
    - log
# One worker per CPU; the regexp also matches the commented-out stock line.
- name: set the number of nginx worker processes
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*worker_processes\s'
    line: "worker_processes auto;"
  notify:
    - restart nginx.service
# Send the error log to the journal through /dev/log. NOTE(review): the
# systemd drop-in already passes "error_log stderr;" via -g, and stderr is
# captured by journald as well, so errors may show up twice in the journal;
# confirm on a host before changing either side.
- name: log to systemd-journal
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^#?\s*error_log\s'
    line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
  notify:
    - restart nginx.service
# Directories for the role's own configuration. root:http 0750: nginx (user
# http) can read them, nothing else can, and only root can write them.
- name: create directories for custom nginx configuration
  file:
    path: "/etc/nginx/{{item}}.d"
    state: directory
    owner: root
    group: http
    mode: '0750'
  with_items:
    - conf
    - inc
    - main.inc
# main.inc.d holds main-context snippets, hence the include at the very
# top of nginx.conf.
- name: include main nginx configuration items
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*main.inc.d/'
    line: include /etc/nginx/main.inc.d/*.inc;
    insertbefore: BOF
  notify:
    - restart nginx.service
# conf.d holds http-context snippets. The commented "#gzip" line of the
# stock nginx.conf is used as the anchor so the include lands inside the
# http block; should that anchor ever disappear, lineinfile appends at EOF,
# which would put the include outside http {} — check after upstream
# config changes.
- name: include custom nginx configuration
  lineinfile:
    path: /etc/nginx/nginx.conf
    regexp: '^include.*conf.d/'
    line: include /etc/nginx/conf.d/*.conf;
    insertbefore: '^\s*#gzip\s'
  notify:
    - restart nginx.service
# Role templates. All are root:http 0640 like their directories. Only the
# conf.d file triggers a restart here; the inc.d snippets are included from
# server blocks defined elsewhere, so whatever writes those is expected to
# restart nginx.
- name: set custom nginx configuration
  template:
    src: templates/10.conf.j2
    dest: "/etc/nginx/conf.d/10_{{nickname}}.conf"
    owner: root
    group: http
    mode: '0640'
  notify:
    - restart nginx.service
- name: send included conf files
  template:
    src: "templates/{{item}}.inc.j2"
    dest: "/etc/nginx/inc.d/{{nickname}}_{{item}}.inc"
    owner: root
    group: http
    mode: '0640'
  with_items:
    - php-fast
    - php-full
    - filters
- name: send the default HTML/PHP handler
  template:
    src: templates/00.http.inc.j2
    dest: /etc/nginx/inc.d/00.http.inc
    owner: root
    group: http
    mode: '0640'
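# Non-destructive probe for the stock example server blocks. The previous
# version of this task used lineinfile to overwrite the last "server {"
# line with "server { TO BE DELETED" as its test, which left an invalid
# nginx.conf behind if the play stopped before the sed below ran. grep
# uses the very same pattern as the sed so both always agree.
# rc 0 = found, 1 = not found, anything else = grep error.
# check_mode is disabled so the register still carries an rc in --check.
- name: test the presence of example nginx servers
  command: grep -q 'server[[:blank:]]*{' /etc/nginx/nginx.conf
  register: test_srv
  changed_when: false
  failed_when: test_srv.rc > 1
  check_mode: false
# Deletes everything from the first "server {" line to the end of the file
# and re-appends the "}" that closes the http block. This assumes the
# stock layout, where the example server blocks are the last thing inside
# http {}. sed program: line 1 jumps to OK; at OK a server line is deleted
# (ending the cycle), any other line is printed by n and the loop
# continues; once a server line has been deleted the following cycles
# start at the top again, where every line is dropped and "}" is queued
# after the last one.
- name: remove example nginx servers
  shell: |
    sed -i '1 b OK
    $ a\
    }
    d
    : OK
    /server[[:blank:]]*{/ d
    n
    b OK' /etc/nginx/nginx.conf
  when:
    - test_srv.rc == 0
  notify:
    - restart nginx.service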
# Pool socket in the directory shared with nginx. nginx runs as the same
# http user (see the systemd drop-ins), so no listen.owner/listen.mode
# tuning is done here.
- name: set the php-fpm socket path
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    regexp: '^;*listen\s*='
    line: 'listen = /run/shared_sockets/php-fpm'
  notify:
    - restart php-fpm.service
# The master is not started as root (User=http in the drop-in), and only a
# root-started master can switch identity, so these pool settings would
# just produce warnings: comment them out. Only uncommented lines match.
- name: remove useless user/group specs
  lineinfile:
    path: /etc/php/php-fpm.d/www.conf
    regexp: '^({{item}}\s*=.*)'
    line: ';\1'
    backrefs: true
  with_items:
    - user
    - group
    - listen.group
# Same /run/http directory as the nginx PID file (tmpfiles.d rule above).
- name: set the PID file path for php-fpm
  lineinfile:
    path: /etc/php/php-fpm.conf
    regexp: '^;*pid\s*='
    line: 'pid = /run/http/php-fpm.pid'
  notify:
    - restart php-fpm.service
# Enable both units at boot. daemon_reload makes systemd pick up the
# drop-ins written above; doing it once per item is harmless. The actual
# (re)start happens through the notified handlers.
- name: enable php-fpm.service and nginx.service
  systemd:
    name: "{{item}}"
    daemon_reload: true
    enabled: true
  with_items:
    - php-fpm.service
    - nginx.service
### LOCAL COMMIT ⇒ ###
# Commit this role's /etc changes to etckeeper, separately from the
# upstream snapshot taken at the top. The markers are kept verbatim.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: nginx
### ⇐ LOCAL COMMIT ###
# Apply the pending service restarts before leaving the role.
- meta: flush_handlers