---
# Include the role's pre_main.yml hook task file; the path is resolved through
# the DebOps 'task_src' lookup, so the included file lives outside this file.
- name: DebOps pre_tasks hook
  include: "{{ lookup('task_src', 'nginx/pre_main.yml') }}"
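# Record whether the nginx binary already exists before packages are installed.
# The registered result drives the "Restart nginx on first install" task later
# in this file. Module arguments are written as block YAML rather than the
# legacy key=value string so the path is not subject to shell-style splitting.
- name: Check if nginx is installed
  stat:
    path: /usr/sbin/nginx
  register: nginx_register_installed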
# Flavor-specific preparation task files, selected by nginx_flavor; their
# contents are not part of this file.
- include: passenger.yml
  when: nginx_flavor == "passenger"

- include: nginx_org_packages.yml
  when: nginx_flavor == "nginx.org"
# Install the flavor-specific package set plus the base package set.
# with_flattened lets either variable hold a nested list; recommends are
# skipped to keep the installed footprint minimal.
- name: Install nginx packages
  apt:
    name: "{{ item }}"
    state: present
    install_recommends: false
  with_flattened:
    - "{{ nginx_flavor_package_map[nginx_flavor] }}"
    - "{{ nginx_base_packages }}"
# Role-managed configuration directories, root-owned and world-readable but
# writable only by root (0755).
- name: Create default nginx directories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - /etc/nginx/site-default.d
    - /etc/nginx/sites-available
    - /etc/nginx/sites-enabled
    - /etc/nginx/snippets
# The nginx.org packages ship /etc/nginx/conf.d/default.conf; divert it so the
# packaged file is moved aside (dpkg-divert keeps package upgrades from
# reinstating it). 'creates' makes the command idempotent.
- name: Divert default.conf in case nginx nginx.org flavor is used
  command: >-
    dpkg-divert --quiet --local
    --divert /etc/nginx/conf.d/default.conf.dpkg-divert
    --rename /etc/nginx/conf.d/default.conf
  args:
    creates: /etc/nginx/conf.d/default.conf.dpkg-divert
  when: nginx_flavor == "nginx.org"
# Passenger-specific configuration tasks; only run for that flavor.
- include: passenger_config.yml
  when: nginx_flavor == "passenger"
# Only restart when the binary did not exist before the install step.
# nginx_register_installed is registered unconditionally by the stat task
# above, so the 'is defined' guard is defensive.
- name: Restart nginx on first install to bypass missing pid bug
  service:
    name: nginx
    state: restarted
  when: >-
    (nginx_register_installed is defined and nginx_register_installed)
    and not nginx_register_installed.stat.exists
# 'nginx -v' prints "nginx version: nginx/X.Y.Z" on stderr; redirect it and
# strip everything up to the last '/'. The task never changes system state.
- name: Check nginx version
  shell: "/usr/sbin/nginx -v 2>&1 | sed -e 's#^.*/##'"
  register: nginx_register_version
  changed_when: false
  tags:
    - "role::nginx:servers"

# Fall back to "0.0" if no output was captured so version comparisons
# elsewhere still get a parsable value.
- name: Define nginx version
  set_fact:
    nginx_version: '{{ nginx_register_version.stdout | default("0.0") }}'
  tags:
    - "role::nginx:servers"
# Collect the host's nameservers; read-only, so never reported as changed.
- name: Get list of nameservers configured in /etc/resolv.conf
  shell: "grep -E '^nameserver\\s' /etc/resolv.conf | awk '{print $2}'"
  register: nginx_register_nameservers
  changed_when: false
  tags:
    - "role::nginx:servers"

# Seed nginx_ocsp_resolvers from resolv.conf only when it is unset or empty,
# so a value provided explicitly (e.g. from inventory) always wins. The
# variable is presumably consumed by a resolver directive in the templates —
# confirm against the nginx.conf template.
- name: Convert list of nameservers to Ansible list
  set_fact:
    nginx_ocsp_resolvers: "{{ nginx_register_nameservers.stdout_lines }}"
  when:
    - nginx_register_nameservers.stdout is defined and nginx_register_nameservers.stdout
    - nginx_ocsp_resolvers is undefined or (nginx_ocsp_resolvers is defined and not nginx_ocsp_resolvers)
  tags:
    - "role::nginx:servers"
# The privileged group owns the group-writable sites-local directory below;
# files placed there are linked into sites-enabled by later tasks in this file
# and the group is granted a sudo reload (see the sudoers task), so membership
# effectively grants control over the nginx configuration.
- name: Ensure that webadmins privileged group exists
  group:
    name: "{{ nginx_privileged_group }}"
    state: present
    system: true

- name: Create directory for webadmins configuration
  file:
    path: /etc/nginx/sites-local
    state: directory
    owner: root
    group: "{{ nginx_privileged_group }}"
    mode: "0775"
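# A drop-in with a parse error makes sudo refuse to run for every user on the
# host, so the rendered file is checked with visudo before it is moved into
# place. Mode 0440 is what sudo requires for files under /etc/sudoers.d.
- name: Allow webadmins to reload nginx using sudo
  template:
    src: etc/sudoers.d/nginx_webadmins.j2
    dest: /etc/sudoers.d/nginx_webadmins
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"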
# Move the packaged nginx.conf aside so the role's template owns the path and
# package upgrades do not overwrite it; 'creates' keeps the command idempotent.
- name: Divert original /etc/nginx/nginx.conf
  command: >-
    dpkg-divert --quiet --local
    --divert /etc/nginx/nginx.conf.dpkg-divert
    --rename /etc/nginx/nginx.conf
  args:
    creates: /etc/nginx/nginx.conf.dpkg-divert
# Render the main configuration. The notified handler is defined elsewhere;
# its name indicates a configuration test precedes the reload.
- name: Setup /etc/nginx/nginx.conf
  template:
    src: etc/nginx/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Test nginx and reload
# Render reusable snippet files; currently only the ACME challenge snippet.
- name: Generate custom nginx snippets
  template:
    src: "etc/nginx/snippets/{{ item }}.conf.j2"
    dest: "/etc/nginx/snippets/{{ item }}.conf"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - acme-challenge
  notify:
    - Test nginx and reload
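# Remove temporary old files if they are present. These are leftovers of an
# earlier dpkg-divert of fastcgi_params (per the task name). The file module
# replaces 'rm -f' so the task is idempotent and reports a change only when a
# file was actually deleted; unlike the previous 'removes' guard on the lock
# file, a stale .dpkg-divert copy is removed even when the lock is gone.
- name: Remove remnants of dpkg-diverted configuration
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/nginx/fastcgi_params.dpkg-divert
    - /etc/nginx/fastcgi_params.dpkg-divert.lock
  notify:
    - Test nginx and reload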
# The distribution's default site must not stay enabled next to the role's
# own server definitions.
- name: Disable default nginx site
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify:
    - Test nginx and reload
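# nginx_local_servers maps a sites-enabled link name (key) to the file under
# sites-local it should point at (value). Iterating the dict directly with
# with_dict replaces the previous with_together over .values()/.keys(), which
# relied on both calls returning the same order and on the list repr being
# re-parsed from a template string. Entries with an empty value are handled
# by the removal task that follows.
- name: Manage local server definitions - create symlinks
  file:
    src: "/etc/nginx/sites-local/{{ item.value }}"
    path: "/etc/nginx/sites-enabled/{{ item.key }}"
    state: link
    owner: root
    group: root
    mode: "0644"
  with_dict: "{{ nginx_local_servers }}"
  notify:
    - Test nginx and reload
  when:
    - nginx_local_servers is defined and nginx_local_servers
    - item.value is defined and item.value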
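# Counterpart of the symlink creation task: an nginx_local_servers entry whose
# value is empty or undefined means "remove the link named by the key".
# with_dict iterates the mapping directly instead of pairing .values() with
# .keys() through with_together.
- name: Manage local server definitions - remove symlinks
  file:
    path: "/etc/nginx/sites-enabled/{{ item.key }}"
    state: absent
  with_dict: "{{ nginx_local_servers }}"
  notify:
    - Test nginx and reload
  when:
    - nginx_local_servers is defined and nginx_local_servers
    - item.value is undefined or not item.value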
# If nginx local facts are not present, assume that configuration
# is being reset and move all symlinks out of the way to prevent
# accidental failures because of old wrong configuration files.
# The shell glob is deliberate (the command module does not expand '*');
# 'warn' silences the suggestion to use the file module.
- name: Remove all configuration symlinks during config reset
  shell: "rm -f /etc/nginx/sites-enabled/*"
  args:
    creates: /etc/ansible/facts.d/nginx.fact
    warn: false
# Local facts directory, root-owned; the nginx.fact file is written into it
# by the next task.
- name: Make sure that Ansible local facts directory is present
  file:
    path: /etc/ansible/facts.d
    state: directory
    owner: root
    group: root
    mode: "0755"
# Persist role state as an Ansible local fact, then re-run fact gathering
# only when the fact file actually changed so ansible_local is current for
# the remaining tasks.
- name: Save nginx local facts
  template:
    src: etc/ansible/facts.d/nginx.fact.j2
    dest: /etc/ansible/facts.d/nginx.fact
    owner: root
    group: root
    mode: "0644"
  register: nginx_register_local_facts

- name: Gather facts if they were modified
  action: setup
  when: nginx_register_local_facts.changed
# Sub-task files for htpasswd files, shared configs and server definitions;
# only the server definitions are tagged for selective runs.
- include: nginx_htpasswd.yml

- include: nginx_configs.yml

- include: nginx_servers.yml
  tags:
    - "role::nginx:servers"
# PKI integration: both tasks are gated on nginx_pki. The hook is installed
# executable (0755) and root-owned.
- name: Make sure that PKI hook directory exists
  file:
    path: "{{ nginx_pki_hook_path }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: nginx_pki | bool

- name: Manage PKI nginx hook
  template:
    src: etc/pki/hooks/nginx.j2
    dest: '{{ nginx_pki_hook_path + "/" + nginx_pki_hook_name }}'
    owner: root
    group: root
    mode: "0755"
  when: nginx_pki | bool
# Identical to the earlier "Save nginx local facts" / "Gather facts" pair.
# Presumably repeated so the fact file reflects state changed by the
# included server/config tasks — confirm against the fact template before
# removing the duplicate.
- name: Save nginx local facts
  template:
    src: etc/ansible/facts.d/nginx.fact.j2
    dest: /etc/ansible/facts.d/nginx.fact
    owner: root
    group: root
    mode: "0644"
  register: nginx_register_local_facts

- name: Gather facts if they were modified
  action: setup
  when: nginx_register_local_facts.changed
# Include the role's post_main.yml hook task file, resolved through the
# DebOps 'task_src' lookup as with the pre_tasks hook.
- name: DebOps post_tasks hook
  include: "{{ lookup('task_src', 'nginx/post_main.yml') }}"