crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Create generic Nginx template 

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-01-02 15:59:28 +01:00 committed by ynerant
parent f09ec69ef1
commit 84fb96eab6
9 changed files with 104 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
plays/mailman.yml
View File

@ -24,6 +24,7 @@
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
roles:
- mailman
- nginx
- nginx-mailman
# Deploy Mailman3

1
plays/mirror.yml
View File

@ -74,4 +74,5 @@
roles:
- ftpsync
- rsync-mirror
- nginx
- nginx-pubftp

15
roles/nginx-mailman/tasks/main.yml
View File

@ -1,13 +1,4 @@
---
- name: Install NGINX
apt:
update_cache: true
name:
- nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy configuration files
template:
src: "{{ item.src }}"
@ -35,9 +26,3 @@
force: true
when: not ansible_check_mode
notify: Reload nginx
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx-mailman
mode: 0755

18
roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2~
View File

@ -1,18 +0,0 @@
{{ ansible_header | comment }}
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info (^/[^/]*)(.*)$;
# check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
# Let NGINX handle errors
fastcgi_intercept_errors on;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/var/run/fcgiwrap.socket;

17
roles/nginx-mailman/templates/nginx/snippets/options-ssl.conf.j2
View File

@ -1,17 +0,0 @@
{{ ansible_header | comment }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};

3
roles/nginx-mailman/templates/update-motd.d/05-service.j2
View File

@ -1,3 +0,0 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.

14
roles/nginx-pubftp/tasks/main.yml
View File

@ -1,12 +1,4 @@
---
- name: Install NGINX
apt:
update_cache: true
name: nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy configuration files
template:
src: "{{ item.src }}"
@ -20,9 +12,3 @@
dest: /pubftp/.html/FOOTER.html
- src: html/style.min.css.j2
dest: /pubftp/.html/style.min.css
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx-pubftp
mode: 0755

102
roles/nginx/templates/nginx/sites-available/service.j2 100644
View File

@ -0,0 +1,102 @@
{{ ansible_header | comment }}
{% for upstream in nginx.upstreams -%}
upstream {{ upstream.name }} {
# Path of the server
server {{ upstream.server }};
}
{% endfor -%}
{% if nginx.default_ssl_host -%}
# Redirect all services to the main site
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.conf";
server_name {{ ngix.default_ssl_host }};
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 https://{{ nginx.default_ssl_host }}$request_uri;
}
}
{% endif -%}
{% if nginx.default_host -%}
# Redirect all services to the main site
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name {{ nginx.default_host }};
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 http://{{ nginx.default_host }}$request_uri;
}
}
{% endif -%}
{% for server in nginx.servers %}
{% if server.ssl -%}
# Redirect HTTP to HTTPS
server {
listen 80 default;
listen [::]:80 default;
server_name {{ server.server_name|join:" " }};
charset utf-8;
# Hide Nginx version
server_tokens off;
location / {
return 302 https://{{ server.server_name }}$request_uri;
}
}
{% endif -%}
server {
{% if server.ssl -%}
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.conf";
{% else -%}
listen 80 default;
listen [::]:80 default;
{% endif -%}
server_name {{ server.server_name }};
charset utf-8;
# Hide Nginx version
server_tokens off;
{% if server.root -%}
root {{ server.root }};
{% endif -%}
{% if server.index -%}
index {{ server.index }};
{% endif -%}
{% if server.access_log -%}
access_log {{ server.access_log }};
{% endif -%}
{% if server.error_log -%}
error_log {{ server.error_log }};
{% endif -%}
{% for location in server.locations -%}
location {{ location.filter }} {
{{ location.params|join:"\n "|unsafe }}
}
{% endfor -%}
}
{% endfor %}

0
roles/nginx-mailman/templates/nginx/snippets/fastcgi-mailman.conf.j2 → roles/nginx/templates/nginx/snippets/fastcgi.conf.j2
View File