use upstream nginx package

2020-09-20 22:44:45 -05:00 · 2020-09-20 22:44:45 -05:00 · dadbca219e
commit dadbca219e
parent 66312d4a90
7 changed files with 105 additions and 23 deletions
--- a/roles/gitea/tasks/nginx.yaml
+++ b/roles/gitea/tasks/nginx.yaml
@ -1,17 +1,8 @@
 - name: configure nginx
  template:
    src: nginx.conf.j2
-    dest: /etc/nginx/sites-available/gitea
+    dest: "{{ nginx_conf_d_path }}/gitea.conf"
    owner: root
    group: root
    mode: 0644
  notify: reload nginx
-
- name: activate site
-  file:
-    src: /etc/nginx/sites-available/gitea
-    dest: /etc/nginx/sites-enabled/gitea
-    owner: root
-    group: root
-    state: link
-  notify: reload nginx
--- a/roles/grafana/tasks/nginx.yaml
+++ b/roles/grafana/tasks/nginx.yaml
@ -1,17 +1,8 @@
 - name: configure nginx
  template:
    src: nginx.conf.j2
-    dest: /etc/nginx/sites-available/grafana
+    dest: "{{ nginx_conf_d_path }}/grafana.conf"
    owner: root
    group: root
    mode: 0644
  notify: reload nginx
-
- name: activate site
-  file:
-    src: /etc/nginx/sites-available/grafana
-    dest: /etc/nginx/sites-enabled/grafana
-    owner: root
-    group: root
-    state: link
-  notify: reload nginx
--- a/roles/nginx/defaults/main.yaml
+++ b/roles/nginx/defaults/main.yaml
@ -6,6 +6,21 @@ nginx_service_name: nginx
 nginx_service_state: started
 nginx_service_enabled: yes

+nginx_etc_path: /etc/nginx
+nginx_conf_d_path: "{{ nginx_etc_path }}/conf.d"
+nginx_mime_types_path: "{{ nginx_etc_path }}/mime.types"
+
+nginx_user: nginx
+nginx_worker_processes: auto
+nginx_error_log: /var/log/nginx/error.log warn
+nginx_access_log: /var/log/nginx/access.log main
+nginx_pid: /var/run/nginx.pid
+nginx_worker_connections: 1024
+nginx_default_type: application/octet-stream
+nginx_sendfile: "on"
+nginx_keepalive_timeout: 65
+nginx_gzip: "on"
+
 nginx_root: /var/www/html
 nginx_index:
  - index.html
@ -14,3 +29,5 @@ nginx_index:

 nginx_acme_challenge_enabled: yes
 nginx_acme_challenge_path: /var/www/.acme-challenge
+
+nginx_conf_d: {}
--- a/roles/nginx/tasks/Debian.yaml
+++ b/roles/nginx/tasks/Debian.yaml
@ -0,0 +1,12 @@
+---
+- name: install nginx apt key
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: "{{ nginx_repo_key_id }}"
+
+- name: install nginx apt repo
+  apt_repository:
+    repo: "deb http://nginx.org/packages/mainline/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx"
+    update_cache: yes
+    filename: nginx
+    state: "{{ nginx_repo_state }}"
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,4 +1,28 @@
 ---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
 - name: install passlib
  package:
    name: "{{ item }}"
@ -12,10 +36,10 @@
    name: "{{ nginx_package_name }}"
    state: "{{ nginx_package_state }}"

- name: configure default virtual host
+- name: configure nginx
  template:
-    src: default.j2
-    dest: /etc/nginx/sites-available/default
+    src: nginx.conf.j2
+    dest: "{{ nginx_etc_path }}/nginx.conf"
    owner: root
    group: root
    mode: 0644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+
+user {{ nginx_user }};
+worker_processes {{ nginx_worker_processes }};
+
+error_log {{ nginx_error_log }};
+pid {{ nginx_pid }};
+
+
+events {
+    worker_connections {{ nginx_worker_connections }};
+}
+
+
+http {
+    include {{ nginx_mime_types_path }};
+    default_type {{ nginx_default_type }};
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log {{ nginx_access_log }};
+
+    sendfile {{ nginx_sendfile }};
+    #tcp_nopush on;
+
+    keepalive_timeout {{ nginx_keepalive_timeout }};
+    gzip {{ nginx_gzip }};
+
+    geo $bad_actors {
+        default 0;
+    }
+    
+    map $bad_actors $limit_key {
+        0 "";
+        1 $binary_remote_addr;
+    }
+    
+    limit_req_zone $limit_key zone=req_bad_actors:10m rate=5r/s;
+
+    include {{ nginx_conf_d_path }}/*.conf;
+}
--- a/roles/nginx/vars/Debian.yaml
+++ b/roles/nginx/vars/Debian.yaml
@ -0,0 +1,4 @@
+---
+nginx_repo_url: "http://nginx.org/packages/mainline/{{ ansible_distribution }} {{ ansible_distribution_release }} nginx"
+nginx_repo_state: present
+nginx_repo_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62