From dadbca219e109927d69d70ab42385969873110aa Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Sun, 20 Sep 2020 22:44:45 -0500
Subject: [PATCH] use upstream nginx package

---
 roles/gitea/tasks/nginx.yaml | 11 +-------
 roles/grafana/tasks/nginx.yaml | 11 +-------
 roles/nginx/defaults/main.yaml | 17 ++++++++++++
 roles/nginx/tasks/Debian.yaml | 12 ++++++++
 roles/nginx/tasks/main.yml | 30 ++++++++++++++++++--
 roles/nginx/templates/nginx.conf.j2 | 43 +++++++++++++++++++++++++++++
 roles/nginx/vars/Debian.yaml | 4 +++
 7 files changed, 105 insertions(+), 23 deletions(-)
 create mode 100644 roles/nginx/tasks/Debian.yaml
 create mode 100644 roles/nginx/templates/nginx.conf.j2
 create mode 100644 roles/nginx/vars/Debian.yaml

diff --git a/roles/gitea/tasks/nginx.yaml b/roles/gitea/tasks/nginx.yaml
index 6873ad9..5ae2f86 100644
--- a/roles/gitea/tasks/nginx.yaml
+++ b/roles/gitea/tasks/nginx.yaml
@@ -1,17 +1,8 @@
 - name: configure nginx
 template:
 src: nginx.conf.j2
- dest: /etc/nginx/sites-available/gitea
+ dest: "{{ nginx_conf_d_path }}/gitea.conf"
 owner: root
 group: root
 mode: 0644
 notify: reload nginx
-
-- name: activate site
- file:
- src: /etc/nginx/sites-available/gitea
- dest: /etc/nginx/sites-enabled/gitea
- owner: root
- group: root
- state: link
- notify: reload nginx
diff --git a/roles/grafana/tasks/nginx.yaml b/roles/grafana/tasks/nginx.yaml
index 61bdf37..4a79d5a 100644
--- a/roles/grafana/tasks/nginx.yaml
+++ b/roles/grafana/tasks/nginx.yaml
@@ -1,17 +1,8 @@
 - name: configure nginx
 template:
 src: nginx.conf.j2
- dest: /etc/nginx/sites-available/grafana
+ dest: "{{ nginx_conf_d_path }}/grafana.conf"
 owner: root
 group: root
 mode: 0644
 notify: reload nginx
-
-- name: activate site
- file:
- src: /etc/nginx/sites-available/grafana
- dest: /etc/nginx/sites-enabled/grafana
- owner: root
- group: root
- state: link
- notify: reload nginx
diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml
index 4838a71..df7f9d4 100644
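Review bot: The new `dest: "{{ nginx_conf_d_path }}/gitea.conf"` line makes this task depend on a variable that is defined only in roles/nginx/defaults/main.yaml, so the task will fail with an undefined-variable error whenever the gitea role runs in a play that has not already applied the nginx role; the grafana hunk below has the same dependency. Unless roles/gitea/meta/main.yml already lists nginx under `dependencies` (not visible in this patch), either add that dependency or give the consuming role a fallback of its own, e.g. `nginx_conf_d_path: /etc/nginx/conf.d` in roles/gitea/defaults/main.yaml. Hosts provisioned before this change keep their `sites-enabled/gitea` symlink; the new nginx.conf template only includes `conf.d/*.conf`, so the stale link is inert, but a cleanup task with `state: absent` would make the migration explicit and idempotent.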
--- a/roles/nginx/defaults/main.yaml +++ b/roles/nginx/defaults/main.yaml @@ -6,6 +6,21 @@ nginx_service_name: nginx nginx_service_state: started nginx_service_enabled: yes +nginx_etc_path: /etc/nginx +nginx_conf_d_path: "{{ nginx_etc_path }}/conf.d" +nginx_mime_types_path: "{{ nginx_etc_path }}/mime.types" + +nginx_user: nginx +nginx_worker_processes: auto +nginx_error_log: /var/log/nginx/error.log warn +nginx_access_log: /var/log/nginx/access.log main +nginx_pid: /var/run/nginx.pid +nginx_worker_connections: 1024 +nginx_default_type: application/octet-stream +nginx_sendfile: "on" +nginx_keepalive_timeout: 65 +nginx_gzip: "on" + nginx_root: /var/www/html nginx_index: - index.html @@ -14,3 +29,5 @@ nginx_index: nginx_acme_challenge_enabled: yes nginx_acme_challenge_path: /var/www/.acme-challenge + +nginx_conf_d: {} diff --git a/roles/nginx/tasks/Debian.yaml b/roles/nginx/tasks/Debian.yaml new file mode 100644 index 0000000..23ae53c --- /dev/null +++ b/roles/nginx/tasks/Debian.yaml @@ -0,0 +1,12 @@ +--- +- name: install nginx apt key + apt_key: + keyserver: keyserver.ubuntu.com + id: "{{ nginx_repo_key_id }}" + +- name: install nginx apt repo + apt_repository: + repo: "deb http://nginx.org/packages/mainline/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx" + update_cache: yes + filename: nginx + state: "{{ nginx_repo_state }}" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index c3e3fdf..34dd2f5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
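Review bot: `nginx_gzip: "on"` enables response compression globally for every virtual host the template later includes, and the roles touched by this patch (gitea, grafana) front authenticated, dynamic applications; if they are served over TLS, compressing responses that mix session secrets with request-influenced content is the precondition for compression side-channel attacks (BREACH), and nginx's default `gzip_types` compresses exactly the `text/html` pages where that mix occurs. The safer default is to keep gzip for static assets only: add `nginx_gzip_types` listing static MIME types (text/css, application/javascript, image/svg+xml) and render `gzip_types {{ nginx_gzip_types | join(' ') }};` after the `gzip` directive in the template, or default `nginx_gzip` to `"off"` and opt in per site. Quoting `"on"`/`"off"` is correct here since bare `on` parses as a YAML boolean.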
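Review bot: The `repo:` line of the `install nginx apt repo` task builds the deb line inline, while `nginx_repo_url` introduced in roles/nginx/vars/Debian.yaml (last hunk of the patch) is never referenced, and the two disagree: the task applies `| lower` to `ansible_distribution`, the variable does not, so it would render `Debian`/`Ubuntu` and a non-existent URL. Keep one source of truth, e.g. `repo: "deb {{ nginx_repo_url }}"` with `| lower` moved into the variable, or delete the variable. For the key, fetching by full fingerprint from keyserver.ubuntu.com does pin the key identity, but it makes every run depend on an HKP keyserver; the nginx project publishes the same key (fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62) at https://nginx.org/keys/nginx_signing.key, so `url: https://nginx.org/keys/nginx_signing.key` together with the existing `id:` for verification is the more robust form, and the repo line can use `https://nginx.org/packages/...`, which nginx.org serves as well. Note also that `apt-key` is deprecated from Debian 11 / Ubuntu 22.04 onward in favour of a `signed-by=` keyring referenced from the repo line, so this task will need revisiting when hosts move past the releases it was written for. `update_cache: yes` should be written `true` (yamllint truthy).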
@@ -1,4 +1,28 @@
 ---
+- name: gather os specific variables
+ include_vars: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - vars
+
+- name: include os specific tasks
+ include_tasks: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - tasks
+
 - name: install passlib
 package:
 name: "{{ item }}"
@@ -12,10 +36,10 @@
 name: "{{ nginx_package_name }}"
 state: "{{ nginx_package_state }}"
-- name: configure default virtual host
+- name: configure nginx
 template:
- src: default.j2
- dest: /etc/nginx/sites-available/default
+ src: nginx.conf.j2
+ dest: "{{ nginx_etc_path }}/nginx.conf"
 owner: root
 group: root
 mode: 0644
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..eb6d71c
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
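Review bot: Both `first_found` lookups end with a `"default.yaml"` fallback, but this commit creates only `vars/Debian.yaml` and `tasks/Debian.yaml` (see the `create mode` lines in the diffstat); unless `vars/default.yaml` and `tasks/default.yaml` already exist in the repository, the role now aborts on every non-Debian host with a "No file was found when using first_found" error instead of skipping the OS-specific step, which is a regression for any host the old task list handled. Either commit empty `default.yaml` placeholders in both directories, or make the lookups tolerant by iterating the result: `include_vars: "{{ item }}"`, `loop: "{{ query('first_found', possible_files) }}"`, with `skip: true` added inside `possible_files` (and the same for `include_tasks`), so a miss yields zero iterations. The two `possible_files` blocks are identical apart from `paths`; a single role-level list of candidate file names would keep them from drifting.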
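Review bot: `src: default.j2` is dropped in favour of `nginx.conf.j2`, yet the diffstat records no deletion of roles/nginx/templates/default.j2, so that template appears to be left orphaned and can later be mistaken for live configuration; remove it in this or a follow-up commit. The task's `notify` line and anything after `mode: 0644` lie outside this hunk; since the rendered file now carries process-level directives (`user`, `worker_processes`, `pid`) rather than a single virtual host, it is worth confirming that the handler it triggers performs a real reload, which is what applies those settings to the running master.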
@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+
+user {{ nginx_user }};
+worker_processes {{ nginx_worker_processes }};
+
+error_log {{ nginx_error_log }};
+pid {{ nginx_pid }};
+
+
+events {
+ worker_connections {{ nginx_worker_connections }};
+}
+
+
+http {
+ include {{ nginx_mime_types_path }};
+ default_type {{ nginx_default_type }};
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log {{ nginx_access_log }};
+
+ sendfile {{ nginx_sendfile }};
+ #tcp_nopush on;
+
+ keepalive_timeout {{ nginx_keepalive_timeout }};
+ gzip {{ nginx_gzip }};
+
+ geo $bad_actors {
+ default 0;
+ }
+
+ map $bad_actors $limit_key {
+ 0 "";
+ 1 $binary_remote_addr;
+ }
+
+ limit_req_zone $limit_key zone=req_bad_actors:10m rate=5r/s;
+
+ include {{ nginx_conf_d_path }}/*.conf;
+}
diff --git a/roles/nginx/vars/Debian.yaml b/roles/nginx/vars/Debian.yaml
new file mode 100644
index 0000000..821dc27
--- /dev/null
+++ b/roles/nginx/vars/Debian.yaml
@@ -0,0 +1,4 @@
+---
+nginx_repo_url: "http://nginx.org/packages/mainline/{{ ansible_distribution }} {{ ansible_distribution_release }} nginx"
+nginx_repo_state: present
+nginx_repo_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
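Review bot: `include {{ nginx_conf_d_path }}/*.conf;` at the end of the `http` block also picks up the `default.conf` that the nginx.org packages install into /etc/nginx/conf.d, a catch-all `server` on port 80 serving the package welcome page; nothing in this patch removes or overrides it (the old `configure default virtual host` task that used to own the default site was dropped in tasks/main.yml), so unless a task outside these hunks handles it, every host ends up exposing an unintended default virtual host next to gitea/grafana. Add a task along the lines of `file: path: "{{ nginx_conf_d_path }}/default.conf" state: absent` with `notify: reload nginx`, or manage a replacement default server explicitly. The `http` block also lacks `server_tokens off;`, which leaves the exact nginx version in error pages and the `Server` header; a `nginx_server_tokens: "off"` default rendered as `server_tokens {{ nginx_server_tokens }};` fits the existing variable pattern. Finally, `geo $bad_actors` ships an empty list and the `req_bad_actors` zone is declared here but no `limit_req` in this file uses it, so if the per-site configs do not apply it the zone is 10m of unused shared memory; either apply it here or add a comment naming where it is consumed.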