Create generic Nginx template

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

plays/mailman.yml

@@ -24,6 +24,7 @@
         trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
   roles:
     - mailman
+    - nginx
     - nginx-mailman
 
 # Deploy Mailman3

plays/mirror.yml

@@ -74,4 +74,5 @@
   roles:
     - ftpsync
     - rsync-mirror
+    - nginx
     - nginx-pubftp

roles/nginx-mailman/tasks/main.yml

@@ -1,13 +1,4 @@
 ---
-- name: Install NGINX
-  apt:
-    update_cache: true
-    name:
-      - nginx
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
 - name: Copy configuration files
   template:
     src: "{{ item.src }}"
@@ -35,9 +26,3 @@
     force: true
   when: not ansible_check_mode
   notify: Reload nginx
-
-- name: Indicate role in motd
-  template:
-    src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-nginx-mailman
-    mode: 0755

roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~

@@ -1,18 +0,0 @@
-{{ ansible_header | comment }}
-
-# regex to split $uri to $fastcgi_script_name and $fastcgi_path
-fastcgi_split_path_info (^/[^/]*)(.*)$;
-
-# check that the PHP script exists before passing it
-try_files $fastcgi_script_name =404;
-
-# Bypass the fact that try_files resets $fastcgi_path_info
-# see: http://trac.nginx.org/nginx/ticket/321
-set $path_info $fastcgi_path_info;
-fastcgi_param PATH_INFO $path_info;
-
-# Let NGINX handle errors
-fastcgi_intercept_errors on;
-
-include /etc/nginx/fastcgi.conf;
-fastcgi_pass unix:/var/run/fcgiwrap.socket;

roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2

@@ -1,17 +0,0 @@
-{{ ansible_header | comment }}
-
-ssl_certificate {{ nginx.ssl.cert }};
-ssl_certificate_key {{ nginx.ssl.key }};
-ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;
-ssl_session_tickets off;
-ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-ssl_protocols TLSv1.2 TLSv1.3;
-
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_prefer_server_ciphers off;
-
-# Enable OCSP Stapling, point to certificate chain
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};

roles/nginx-mailman/templates/update-motd.d/05-service.j2

@@ -1,3 +0,0 @@
-#!/usr/bin/tail +14
-{{ ansible_header | comment }}
-> NGINX a été déployé sur cette machine. Voir /etc/nginx/.

roles/nginx-pubftp/tasks/main.yml

@@ -1,12 +1,4 @@
 ---
-- name: Install NGINX
-  apt:
-    update_cache: true
-    name: nginx
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
 - name: Copy configuration files
   template:
     src: "{{ item.src }}"
@@ -20,9 +12,3 @@
       dest: /pubftp/.html/FOOTER.html
     - src: html/style.min.css.j2
       dest: /pubftp/.html/style.min.css
-
-- name: Indicate role in motd
-  template:
-    src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-nginx-pubftp
-    mode: 0755

roles/nginx/templates/nginx/sites-available/service.j2

@@ -0,0 +1,102 @@
+{{ ansible_header | comment }}
+
+{% for upstream in nginx.upstreams -%}
+upstream {{ upstream.name }} {
+    # Path of the server
+    server {{ upstream.server }};
+}
+{% endfor -%}
+
+{% if nginx.default_ssl_host -%}
+# Redirect all services to the main site
+server {
+    listen 443 default_server ssl;
+    listen [::]:443 default_server ssl;
+    include "/etc/nginx/snippets/options-ssl.conf";
+
+    server_name {{ ngix.default_ssl_host }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+    location / {
+        return 302 https://{{ nginx.default_ssl_host }}$request_uri;
+    }
+}
+{% endif -%}
+
+{% if nginx.default_host -%}
+# Redirect all services to the main site
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name {{ nginx.default_host }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+    location / {
+        return 302 http://{{ nginx.default_host }}$request_uri;
+    }
+}
+{% endif -%}
+
+{% for server in nginx.servers %}
+{% if server.ssl -%}
+# Redirect HTTP to HTTPS
+server {
+    listen 80 default;
+    listen [::]:80 default;
+
+    server_name {{ server.server_name|join:" " }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+    location / {
+        return 302 https://{{ server.server_name }}$request_uri;
+    }
+}
+{% endif -%}
+
+server {
+    {% if server.ssl -%}
+    listen 443 default_server ssl;
+    listen [::]:443 default_server ssl;
+    include "/etc/nginx/snippets/options-ssl.conf";
+    {% else -%}
+    listen 80 default;
+    listen [::]:80 default;
+    {% endif -%}
+
+    server_name {{ server.server_name }};
+    charset utf-8;
+
+    # Hide Nginx version
+    server_tokens off;
+
+    {% if server.root -%}
+    root {{ server.root }};
+    {% endif -%}
+    {% if server.index -%}
+    index {{ server.index }};
+    {% endif -%}
+
+    {% if server.access_log -%}
+    access_log {{ server.access_log }};
+    {% endif -%}
+    {% if server.error_log -%}
+    error_log {{ server.error_log }};
+    {% endif -%}
+
+    {% for location in server.locations -%}
+    location {{ location.filter }} {
+        {{ location.params|join:"\n        "|unsafe }}
+    }
+    {% endfor -%}
+}
+{% endfor %}