├── .gitignore ├── .travis.yml ├── .yamllint ├── README.md ├── Vagrantfile ├── ansible.cfg ├── defaults └── main.yml ├── handlers └── main.yml ├── meta └── main.yml ├── tasks ├── amplify.yml ├── cloudflare_configuration.yml ├── configuration.yml ├── ensure-dirs.yml ├── installation.packages.yml ├── main.yml ├── nginx-official-repo.yml ├── remove-defaults.yml ├── remove-extras.yml ├── remove-unwanted.yml └── selinux.yml ├── templates ├── auth_basic.j2 ├── config.conf.j2 ├── config_cloudflare.conf.j2 ├── config_stream.conf.j2 ├── module.conf.j2 ├── nginx.conf.j2 ├── nginx.repo.j2 └── site.conf.j2 ├── test ├── custom_bar.conf.j2 ├── example-vars.yml └── test.yml └── vars ├── Debian-12.yml ├── Debian.yml ├── FreeBSD.yml ├── RedHat.yml ├── Solaris.yml ├── empty.yml └── main.yml /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea 2 | ### Vagrant ### 3 | .vagrant/ -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | language: python 3 | python: "2.7" 4 | before_install: 5 | - sudo apt-get update -qq 6 | - sudo apt-get install -qq python-apt python-pycurl 7 | install: 8 | - pip install ansible ansible-lint 9 | - ansible --version 10 | script: 11 | - ansible-lint tasks/main.yml 12 | - echo localhost > inventory 13 | - ansible-playbook -i inventory --syntax-check --list-tasks test/test.yml -e "role_name=ansible-role-nginx" -e "hosts_group=hosts_group" 14 | - ansible-playbook -i inventory --connection=local --become -vvvv test/test.yml -u root -e "role_name=ansible-role-nginx" -e "hosts_group=localhost" 15 | - > 16 | ansible-playbook -i inventory --connection=local --become -vvvv test/test.yml -u root -e "role_name=ansible-role-nginx" -e "hosts_group=localhost" 17 | | grep -q 'changed=0.*failed=0' 18 | && (echo 'Idempotence test: pass' && exit 0) 19 | || (echo 'Idempotence test: fail' && 
exit 1) 20 | - cat /etc/nginx/nginx.conf 21 | - cat /etc/nginx/sites-enabled/default.conf 22 | - cat /etc/nginx/sites-enabled/foo.conf 23 | - cat /etc/nginx/sites-enabled/bar.conf 24 | - cat /etc/nginx/sites-enabled/custom_bar.conf 25 | - grep 'server_name bar.example.com;' /etc/nginx/sites-enabled/custom_bar.conf 26 | - cat /etc/nginx/conf.d/proxy.conf 27 | - cat /etc/nginx/conf.d/upstream.conf 28 | - cat /etc/nginx/conf.d/geo.conf 29 | - cat /etc/nginx/conf.d/gzip.conf 30 | - cat /etc/nginx/conf.d/cloudflare.conf 31 | - cat /etc/nginx/snippets/error_pages.conf 32 | - sudo cat /etc/nginx/auth_basic/demo 33 | - sudo nginx -t 34 | after_script: 35 | - ls -l /etc/nginx 36 | - ls -l /etc/nginx/* 37 | notifications: 38 | webhooks: https://galaxy.ansible.com/api/v1/notifications/ 39 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | extends: default 4 | 5 | rules: 6 | braces: 7 | min-spaces-inside: 0 8 | max-spaces-inside: 0 9 | min-spaces-inside-empty: -1 10 | max-spaces-inside-empty: -1 11 | brackets: 12 | min-spaces-inside: 0 13 | max-spaces-inside: 0 14 | min-spaces-inside-empty: -1 15 | max-spaces-inside-empty: -1 16 | colons: 17 | max-spaces-before: 0 18 | max-spaces-after: 1 19 | commas: 20 | max-spaces-before: 0 21 | min-spaces-after: 1 22 | max-spaces-after: 1 23 | comments: 24 | level: warning 25 | require-starting-space: false 26 | min-spaces-from-content: 2 27 | comments-indentation: disable 28 | document-end: disable 29 | document-start: disable 30 | empty-lines: 31 | max: 2 32 | max-start: 0 33 | max-end: 0 34 | hyphens: 35 | max-spaces-after: 1 36 | indentation: 37 | spaces: consistent 38 | indent-sequences: true 39 | check-multi-line-strings: false 40 | key-duplicates: enable 41 | line-length: 42 | max: 250 43 | allow-non-breakable-words: true 44 | allow-non-breakable-inline-mappings: false 45 | 
new-line-at-end-of-file: enable 46 | new-lines: 47 | type: unix 48 | trailing-spaces: enable 49 | truthy: disable 50 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | nginx 2 | ===== 3 | 4 | This role installs and configures the nginx web server. The user can specify 5 | any http configuration parameters they wish to apply their site. Any number of 6 | sites can be added with configurations of your choice. 7 | 8 | [![Build Status](https://travis-ci.org/jdauphant/ansible-role-nginx.svg?branch=master)](https://travis-ci.org/jdauphant/ansible-role-nginx) 9 | [![Ansible Galaxy](https://img.shields.io/ansible/role/466.svg)](https://galaxy.ansible.com/jdauphant/nginx/) 10 | 11 | Requirements 12 | ------------ 13 | 14 | This role requires Ansible 2.4 or higher and platform requirements are listed 15 | in the metadata file. (Some older version of the role support Ansible 1.4) 16 | For FreeBSD a working pkgng setup is required (see: https://www.freebsd.org/doc/handbook/pkgng-intro.html ) 17 | Installation of Nginx Amplify agent is only supported on CentOS, RedHat, Amazon, Debian and Ubuntu distributions. 18 | 19 | Install 20 | ------- 21 | 22 | ```sh 23 | ansible-galaxy install jdauphant.nginx 24 | ``` 25 | 26 | Role Variables 27 | -------------- 28 | 29 | The variables that can be passed to this role and a brief description about 30 | them are as follows. (For all variables, take a look at [defaults/main.yml](defaults/main.yml)) 31 | 32 | ```yaml 33 | # The user to run nginx 34 | nginx_user: "www-data" 35 | 36 | # A list of directives for the events section. 37 | nginx_events_params: 38 | - worker_connections 512 39 | - debug_connection 127.0.0.1 40 | - use epoll 41 | - multi_accept on 42 | 43 | # A list of hashes that define the servers for nginx, 44 | # as with http parameters. Any valid server parameters 45 | # can be defined here. 
46 | nginx_sites: 47 | default: 48 | - listen 80 49 | - server_name _ 50 | - root "/usr/share/nginx/html" 51 | - index index.html 52 | foo: 53 | - listen 8080 54 | - server_name localhost 55 | - root "/tmp/site1" 56 | - location / { try_files $uri $uri/ /index.html; } 57 | - location /images/ { try_files $uri $uri/ /index.html; } 58 | bar: 59 | - listen 9090 60 | - server_name ansible 61 | - root "/tmp/site2" 62 | - location / { try_files $uri $uri/ /index.html; } 63 | - location /images/ { 64 | try_files $uri $uri/ /index.html; 65 | allow 127.0.0.1; 66 | deny all; 67 | } 68 | 69 | # A list of hashes that define additional configuration 70 | nginx_configs: 71 | proxy: 72 | - proxy_set_header X-Real-IP $remote_addr 73 | - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for 74 | upstream: 75 | - upstream foo { server 127.0.0.1:8080 weight=10; } 76 | geo: 77 | - geo $local { 78 | default 0; 79 | 127.0.0.1 1; 80 | } 81 | gzip: 82 | - gzip on 83 | - gzip_disable msie6 84 | 85 | # A list of hashes that define configuration snippets 86 | nginx_snippets: 87 | error_pages: 88 | - error_page 500 /http_errors/500.html 89 | - error_page 502 /http_errors/502.html 90 | - error_page 503 /http_errors/503.html 91 | - error_page 504 /http_errors/504.html 92 | 93 | # A list of hashes that define user/password files 94 | nginx_auth_basic_files: 95 | demo: 96 | - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo 97 | - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo 98 | 99 | # Enable Real IP for CloudFlare requests 100 | nginx_set_real_ip_from_cloudflare: True 101 | 102 | # Enable Nginx Amplify 103 | nginx_amplify: true 104 | nginx_amplify_api_key: "your_api_key_goes_here" 105 | nginx_amplify_update_agent: true 106 | 107 | # Define modules to enable in configuration 108 | # 109 | # Nginx installed via EPEL and APT repos will also install some modules automatically. 
110 | # For official Nginx repo use you will need to install module packages manually. 111 | # 112 | # When using with EPEL and APT repos, specify this section as a list of configuration 113 | # file names, minus the .conf file name extension. 114 | 115 | # When using the official Nginx repo, specify this section as list of module file 116 | # names, minus the .so file name extension. 117 | # 118 | # Available module config files in EPEL and APT repos: 119 | # (APT actually has several more, see https://wiki.debian.org/Nginx/) 120 | # - mod-http-geoip 121 | # - mod-http-image-filter 122 | # - mod-http-perl 123 | # - mod-http-xslt-filter 124 | # - mod-mail 125 | # - mod-stream 126 | # 127 | # Available module filenames in Official NGINX repo: 128 | # - ngx_http_geoip_module 129 | # - ngx_http_image_filter_module 130 | # - ngx_http_perl_module 131 | # - ngx_http_xslt_filter_module 132 | # - ngx_http_js_module 133 | # 134 | # Custom compiled modules are ok too if the .so file exists in same location as a packaged module would be: 135 | # - ngx_http_modsecurity_module 136 | # 137 | nginx_module_configs: 138 | - mod-http-geoip 139 | ``` 140 | 141 | Examples 142 | ======== 143 | 144 | ## 1) Install nginx with HTTP directives of choice, but with no sites configured and no additional configuration: 145 | 146 | ```yaml 147 | - hosts: all 148 | roles: 149 | - {role: nginx, 150 | nginx_http_params: ["sendfile on", "access_log /var/log/nginx/access.log"] 151 | } 152 | ``` 153 | 154 | ## 2) Install nginx with different HTTP directives than in the previous example, but no 155 | sites configured and no additional configuration. 156 | 157 | ```yaml 158 | - hosts: all 159 | roles: 160 | - {role: nginx, 161 | nginx_http_params: ["tcp_nodelay on", "error_log /var/log/nginx/error.log"]} 162 | ``` 163 | 164 | Note: Please make sure the HTTP directives passed are valid, as this role 165 | won't check for the validity of the directives. See the nginx documentation 166 | for details. 
167 | 168 | ## 3) Install nginx and add a site to the configuration. 169 | 170 | ```yaml 171 | - hosts: all 172 | 173 | roles: 174 | - role: nginx 175 | nginx_http_params: 176 | - sendfile "on" 177 | - access_log "/var/log/nginx/access.log" 178 | nginx_sites: 179 | bar: 180 | - listen 8080 181 | - location / { try_files $uri $uri/ /index.html; } 182 | - location /images/ { try_files $uri $uri/ /index.html; } 183 | nginx_configs: 184 | proxy: 185 | - proxy_set_header X-Real-IP $remote_addr 186 | - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for 187 | ``` 188 | 189 | ## 4) Install nginx and add extra variables to default config 190 | 191 | ```yaml 192 | - hosts: all 193 | vars: 194 | - my_extra_params: 195 | - client_max_body_size 200M 196 | # retain defaults and add additional `client_max_body_size` param 197 | roles: 198 | - role: jdauphant.nginx 199 | nginx_http_params: "{{ nginx_http_default_params + my_extra_params }}" 200 | ``` 201 | 202 | Note: Each site added is represented by a list of hashes, and the configurations 203 | generated are populated in /etc/nginx/sites-available/ and linked from /etc/nginx/sites-enabled/ to /etc/nginx/sites-available. 204 | 205 | The file name for the specific site configuration is specified in the hash 206 | with the key "file_name", any valid server directives can be added to the hash. 
207 | Additional configurations are created in /etc/nginx/conf.d/ 208 | 209 | ## 5) Install Nginx, add 2 sites (different method) and add additional configuration 210 | 211 | ```yaml 212 | --- 213 | - hosts: all 214 | roles: 215 | - role: nginx 216 | nginx_http_params: 217 | - sendfile on 218 | - access_log /var/log/nginx/access.log 219 | nginx_sites: 220 | foo: 221 | - listen 8080 222 | - server_name localhost 223 | - root /tmp/site1 224 | - location / { try_files $uri $uri/ /index.html; } 225 | - location /images/ { try_files $uri $uri/ /index.html; } 226 | bar: 227 | - listen 9090 228 | - server_name ansible 229 | - root /tmp/site2 230 | - location / { try_files $uri $uri/ /index.html; } 231 | - location /images/ { try_files $uri $uri/ /index.html; } 232 | nginx_configs: 233 | proxy: 234 | - proxy_set_header X-Real-IP $remote_addr 235 | - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for 236 | ``` 237 | 238 | ## 6) Install Nginx, add 2 sites, add additional configuration and an upstream configuration block 239 | 240 | ```yaml 241 | --- 242 | - hosts: all 243 | roles: 244 | - role: nginx 245 | nginx_error_log_level: info 246 | nginx_http_params: 247 | - sendfile on 248 | - access_log /var/log/nginx/access.log 249 | nginx_sites: 250 | foo: 251 | - listen 8080 252 | - server_name localhost 253 | - root /tmp/site1 254 | - location / { try_files $uri $uri/ /index.html; } 255 | - location /images/ { try_files $uri $uri/ /index.html; } 256 | bar: 257 | - listen 9090 258 | - server_name ansible 259 | - root /tmp/site2 260 | - if ( $host = example.com ) { rewrite ^(.*)$ http://www.example.com$1 permanent; } 261 | - location / { 262 | try_files $uri $uri/ /index.html; 263 | auth_basic "Restricted"; 264 | auth_basic_user_file auth_basic/demo; 265 | } 266 | - location /images/ { try_files $uri $uri/ /index.html; } 267 | nginx_configs: 268 | proxy: 269 | - proxy_set_header X-Real-IP $remote_addr 270 | - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for 
271 | upstream: 272 | # Results in: 273 | # upstream foo_backend { 274 | # server 127.0.0.1:8080 weight=10; 275 | # } 276 | - upstream foo_backend { server 127.0.0.1:8080 weight=10; } 277 | nginx_auth_basic_files: 278 | demo: 279 | - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo 280 | - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo 281 | ``` 282 | 283 | ## 7) Install Nginx, add a site and use special yaml syntax to make the location blocks multiline for clarity 284 | 285 | ```yaml 286 | --- 287 | - hosts: all 288 | roles: 289 | - role: nginx 290 | nginx_http_params: 291 | - sendfile on 292 | - access_log /var/log/nginx/access.log 293 | nginx_sites: 294 | foo: 295 | - listen 443 ssl 296 | - server_name foo.example.com 297 | - set $myhost foo.example.com 298 | - | 299 | location / { 300 | proxy_set_header Host foo.example.com; 301 | } 302 | - | 303 | location ~ /v2/users/.+?/organizations { 304 | if ($request_method = PUT) { 305 | set $myhost bar.example.com; 306 | } 307 | if ($request_method = DELETE) { 308 | set $myhost bar.example.com; 309 | } 310 | proxy_set_header Host $myhost; 311 | } 312 | ``` 313 | ## 8) Example to use this role with my ssl-certs role to generate or copy ssl certificate ( https://galaxy.ansible.com/jdauphant/ssl-certs ) 314 | ```yaml 315 | - hosts: all 316 | roles: 317 | - jdauphant.ssl-certs 318 | - role: jdauphant.nginx 319 | nginx_configs: 320 | ssl: 321 | - ssl_certificate_key {{ssl_certs_privkey_path}} 322 | - ssl_certificate {{ssl_certs_cert_path}} 323 | nginx_sites: 324 | default: 325 | - listen 443 ssl 326 | - server_name _ 327 | - root "/usr/share/nginx/html" 328 | - index index.html 329 | ``` 330 | ## 9) Site configuration using a custom template. 331 | Instead of defining a site config file using a list of attributes, 332 | you may use a hash/dictionary that includes the filename of an alternate template. 
333 | Additional values are accessible within the template via the `item.value` variable. 334 | ```yaml 335 | - hosts: all 336 | 337 | roles: 338 | - role: nginx 339 | nginx_sites: 340 | custom_bar: 341 | template: custom_bar.conf.j2 342 | server_name: custom_bar.example.com 343 | ``` 344 | Custom template: custom_bar.conf.j2: 345 | ```handlebars 346 | # {{ ansible_managed }} 347 | upstream backend { 348 | server 10.0.0.101; 349 | } 350 | server { 351 | server_name {{ item.value.server_name }}; 352 | location / { 353 | proxy_pass http://backend; 354 | } 355 | } 356 | ``` 357 | Using a custom template allows for unlimited flexibility in configuring the site config file. 358 | This example demonstrates the common practice of configuring a site server block 359 | in the same file as its complementary upstream block. 360 | If you use this option: 361 | * _The hash **must** include a `template:` value, or the configuration task will fail._ 362 | * _This role cannot check the validity of your custom template. 
363 | If you use this method, the conf file formatting provided by this role is unavailable, 364 | and it is up to you to provide a template with valid content and formatting for NGINX._ 365 | 366 | ## 10) Install Nginx, add 2 sites, use snippets to configure access controls 367 | ```yaml 368 | --- 369 | - hosts: all 370 | roles: 371 | - role: nginx 372 | nginx_http_params: 373 | - sendfile on 374 | - access_log /var/log/nginx/access.log 375 | nginx_snippets: 376 | accesslist_devel: 377 | - allow 192.168.0.0/24 378 | - deny all 379 | nginx_sites: 380 | foo: 381 | - listen 8080 382 | - server_name localhost 383 | - root /tmp/site1 384 | - include snippets/accesslist_devel.conf 385 | - location / { try_files $uri $uri/ /index.html; } 386 | - location /images/ { try_files $uri $uri/ /index.html; } 387 | bar: 388 | - listen 9090 389 | - server_name ansible 390 | - root /tmp/site2 391 | - location / { try_files $uri $uri/ /index.html; } 392 | - location /images/ { try_files $uri $uri/ /index.html; } 393 | ``` 394 | 395 | Dependencies 396 | ------------ 397 | 398 | None 399 | 400 | License 401 | ------- 402 | BSD 403 | 404 | Author Information 405 | ------------------ 406 | 407 | - Original : Benno Joy 408 | - Modified by : DAUPHANT Julien 409 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # Vagrantfile API/syntax version. Don't touch unless you know what you're doing! 5 | VAGRANTFILE_API_VERSION = "2" 6 | 7 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| 8 | # All Vagrant configuration is done here. The most common configuration 9 | # options are documented and commented below. For a complete reference, 10 | # please see the online documentation at vagrantup.com. 11 | 12 | # Every Vagrant virtual environment requires a box to build off of. 
13 | config.vm.box = "ubuntu/trusty64" 14 | 15 | config.vm.provision :ansible do |ansible| 16 | ansible.playbook = "test.yml" 17 | ansible.sudo = true 18 | end 19 | end 20 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | roles_path = ../ 3 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | nginx_pkgs: 3 | - nginx 4 | 5 | nginx_install_epel_repo: True 6 | 7 | nginx_official_repo: False 8 | nginx_official_repo_mainline: False 9 | 10 | nginx_keep_only_specified: "{{ keep_only_specified | default(False) }}" 11 | 12 | # Whether load vars/{{ ansible_os_family }}.yml or not 13 | nginx_load_default_vars: true 14 | 15 | nginx_installation_type: "packages" 16 | nginx_binary_name: "nginx" 17 | nginx_service_name: "{{nginx_binary_name}}" 18 | nginx_conf_dir: /etc/nginx # For this variable, a specific value for the OS can be apply in vars/{{ ansible_os_family }}.yml 19 | nginx_default_site_template: "site.conf.j2" 20 | 21 | nginx_user: nginx # For this variable, a specific value for the OS can be apply in vars/{{ ansible_os_family }}. 
22 | nginx_group: "{{nginx_user}}" 23 | 24 | nginx_pid_file: '/var/run/{{nginx_service_name}}.pid' 25 | 26 | nginx_worker_processes: "{% if ansible_processor_vcpus is defined %}{{ ansible_processor_vcpus }}{% else %}auto{% endif %}" 27 | nginx_worker_rlimit_nofile: 1024 28 | nginx_log_dir: "/var/log/nginx" 29 | nginx_log_user: "{% if ansible_os_family == 'Debian' %}root{% else %}{{nginx_user}}{% endif %}" 30 | nginx_log_group: "{% if ansible_os_family == 'Debian' %}adm{% else %}{{nginx_group}}{% endif %}" 31 | nginx_log_perm: 0755 32 | nginx_error_log_level: "error" 33 | 34 | nginx_conf_user: root 35 | nginx_conf_group: root 36 | nginx_dir_perm: 0755 37 | 38 | nginx_extra_root_params: [] 39 | nginx_events_params: 40 | - worker_connections {% if nginx_max_clients is defined %}{{nginx_max_clients}}{% else %}512{% endif %} 41 | 42 | nginx_http_params: "{{ nginx_http_default_params }}" 43 | 44 | nginx_stream_params: [] 45 | 46 | nginx_sites_default_root: /usr/share/nginx/html # For this variable, a specific value for the OS can be apply in vars/{{ ansible_os_family }}. 47 | 48 | nginx_sites: 49 | default: 50 | - listen 80 default_server 51 | - server_name _ 52 | - root "{{ nginx_sites_default_root }}" 53 | - index index.html 54 | nginx_remove_sites: [] 55 | nginx_disabled_sites: [] 56 | 57 | nginx_module_configs: [] 58 | nginx_remove_modules: [] 59 | nginx_disabled_modules: [] 60 | nginx_modules_location: /usr/lib64/nginx/modules # For this variable, a specific value for the OS can be applied in vars/{{ ansible_os_family }}. 
61 |
62 | nginx_configs: {}
63 | nginx_snippets: {}
64 | nginx_stream_configs: {}
65 | nginx_remove_configs: []
66 | nginx_remove_snippets: []
67 |
68 | nginx_auth_basic_files: {}
69 | nginx_remove_auth_basic_files: []
70 |
71 | nginx_daemon_mode: "on"
72 | # Whether to start the service during the role run or keep it stopped
73 | nginx_start_service: true
74 | # Whether to enable the Nginx service on boot
75 | nginx_start_at_boot: true
76 |
77 | nginx_set_real_ip_from_cloudflare: False
78 | nginx_cloudflare_real_ip_header: "CF-Connecting-IP" # See: https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
79 | nginx_cloudflare_configuration_name: "cloudflare" # Name for the conf file in the conf.d directory
80 |
81 | nginx_amplify: false
82 | nginx_amplify_api_key: ""
83 | nginx_amplify_update_agent: false
84 | nginx_amplify_script_url: "https://github.com/nginxinc/nginx-amplify-agent/raw/master/packages/install.sh" # NOTE(review): tracks the master branch; tasks/amplify.yml runs the download as root, so point this at a revision you have reviewed
85 | nginx_amplify_script_path: "/tmp/install-amplify-agent.sh"
86 |
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: restart nginx
4 |   debug: msg="checking config first"
5 |   changed_when: True  # always reports "changed" so the handlers listed under notify run
6 |   notify:
7 |     - check nginx configuration
8 |     - restart nginx - after config check
9 |
10 | - name: reload nginx
11 |   debug: msg="checking config first"
12 |   changed_when: True  # always reports "changed" so the handlers listed under notify run
13 |   notify:
14 |     - check nginx configuration
15 |     - reload nginx - after config check
16 |
17 | - name: check nginx configuration
18 |   command: "{{ nginx_binary_name }} -t -c {{ nginx_conf_dir }}/nginx.conf"  # -t only tests the configuration file
19 |   register: result
20 |   changed_when: "result.rc != 0"
21 |   check_mode: no  # run this test even when the play is in --check mode
22 |   when: nginx_installation_type in nginx_installation_types_using_service
23 |
24 | - name: restart nginx - after config check
25 |   service: name={{ nginx_service_name }} state=restarted
26 |
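when: nginx_installation_type in nginx_installation_types_using_service
27 |         and nginx_daemon_mode == "on"
28 |         and nginx_start_service
29 |
30 | - name: reload nginx - after config check
31 |   service: name={{ nginx_service_name }} state=reloaded
32 |   when: nginx_installation_type in nginx_installation_types_using_service
33 |         and nginx_daemon_mode == "on"
34 |         and nginx_start_service
35 |
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | galaxy_info:
3 |   author: "DAUPHANT Julien"
4 |   description: Ansible role to install Nginx.
5 |   license: BSD
6 |   min_ansible_version: 2.4
7 |   platforms:
8 |     - name: EL
9 |       versions:
10 |         - all
11 |     - name: Fedora
12 |       versions:
13 |         - all
14 |     - name: opensuse
15 |       versions:
16 |         - all
17 |     - name: Ubuntu
18 |       versions:
19 |         - all
20 |     - name: Debian
21 |       versions:
22 |         - all
23 |     - name: FreeBSD
24 |       versions:
25 |         - 10.0
26 |         - 10.1
27 |         - 10.2
28 |         - 10.3
29 |         - 11.0
30 |         - 11.1
31 |     - name: SmartOS
32 |   galaxy_tags:
33 |     - web
34 | allow_duplicates: yes
35 | dependencies: []
36 |
--------------------------------------------------------------------------------
/tasks/amplify.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Tries the nginx-amplify-agent package first; if that task fails, falls back to
3 | # downloading the install script and running it as root.
4 | - name: Check if Amplify Agent is installed
5 |   package:
6 |     name: nginx-amplify-agent
7 |     state: present
8 |   ignore_errors: true
9 |   register: amplify_agent_installed
10 |   tags: [packages]
11 |
12 | - name: Install Amplify Agent if not installed
13 |   block:
14 |     # The script fetched here is executed as root by the next task. Set
15 |     # nginx_amplify_script_checksum (format "sha256:<hex digest>") to make
16 |     # get_url reject a download that differs from the script you reviewed;
17 |     # when the variable is unset the parameter is omitted, as before.
18 |     - name: Download Amplify Agent script
19 |       get_url:
20 |         url: "{{ nginx_amplify_script_url }}"
21 |         dest: "{{ nginx_amplify_script_path }}"
22 |         checksum: "{{ nginx_amplify_script_checksum | default(omit) }}"
23 |
24 |     # Run the file downloaded above. The path was previously hard-coded to
25 |     # /tmp/install-amplify-agent.sh, so overriding nginx_amplify_script_path
26 |     # made this task run a different file from the one just fetched.
27 |     - name: Run Amplify Agent install.sh script
28 |       command: "sh {{ nginx_amplify_script_path }} -y"
29 |       environment:
30 |         API_KEY: "{{ nginx_amplify_api_key }}"
31 |       become: true
32 |       become_user: root
33 |       become_method: sudo
34 |
35 |     - name: Remove installation script
36 |       file:
37 |         path: "{{ nginx_amplify_script_path }}"
38 |         state: absent
39 |
40 |   when: amplify_agent_installed.failed|bool
41 |   tags: [configuration, packages]
42 |
43 | - name: Update Amplify Agent if already installed and update flag is enabled
44 |   package:
45 |     name: nginx-amplify-agent
46 |     state: latest
47 |   when:
48 |     - not amplify_agent_installed.failed|bool
49 |     - nginx_amplify_update_agent|bool
50 |   tags:
51 |     - packages
52 |     - skip_ansible_lint  # latest package version
53 |
54 | - name: Verify Amplify agent is up and running
55 |   service:
56 |     name: amplify-agent
57 |     state: started
58 |     enabled: true
59 |   tags: [service]
60 |
--------------------------------------------------------------------------------
/tasks/cloudflare_configuration.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Get list of CloudFlare IPv4
3 |   uri:
4 |     url: https://www.cloudflare.com/ips-v4
5 |     return_content: yes
6 |   register: cloudflare_ipv4_list
7 |   tags: [configuration, nginx]
8 |
9 | - name: Get list of CloudFlare IPv6
10 |   uri:
11 |     url: https://www.cloudflare.com/ips-v6
12 |     return_content: yes
13 |   register: cloudflare_ipv6_list
14 |   tags: [configuration, nginx]
15 |
16 | - name: Create independent configuration for CloudFlare
17 |   template:
18 |     src: config_cloudflare.conf.j2
19 |     dest: "{{ nginx_conf_dir }}/conf.d/{{ nginx_cloudflare_configuration_name }}.conf"
20 |   notify:
21 |     - reload nginx
--------------------------------------------------------------------------------
/tasks/configuration.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: Check if nginx mime.types file exists
4 |   stat:
5 |     path: "{{ nginx_conf_dir }}/mime.types"
6 |   register: nginx_mime_types_file
7 |   notify:
8 |     - reload nginx
9 |
10 | - name: Ensure mime.types file exists if it was missing
11 |   get_url:
12 |     url: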
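https://raw.githubusercontent.com/nginx/nginx/master/conf/mime.types
13 |     dest: "{{ nginx_conf_dir }}/mime.types"
14 |   when: not nginx_mime_types_file.stat.exists|bool
15 |   notify:
16 |     - reload nginx
17 |
18 | - name: Copy the nginx configuration file
19 |   template:
20 |     src: nginx.conf.j2
21 |     dest: "{{ nginx_conf_dir }}/nginx.conf"
22 |   notify:
23 |     - restart nginx
24 |
25 | - name: Ensure auth_basic files created
26 |   template:
27 |     src: auth_basic.j2
28 |     dest: "{{ nginx_conf_dir }}/auth_basic/{{ item.key }}"
29 |     mode: "0640"  # password hashes: owner read/write, nginx group read-only, nothing for others; was 0750, which also set execute bits
30 |     group: "{{ nginx_group }}"
31 |   with_dict: "{{ nginx_auth_basic_files }}"
32 |
33 | - name: Create the configurations for sites
34 |   template:
35 |     src: "{{ item.value.template | default(nginx_default_site_template) }}"  # a site entry may name its own template
36 |     dest: "{{ nginx_conf_dir }}/sites-available/{{ item.key }}.conf"
37 |   with_dict: "{{ nginx_sites }}"
38 |   when: item.key not in nginx_remove_sites
39 |   notify:
40 |     - reload nginx
41 |
42 | - name: Create links for sites-enabled
43 |   file:
44 |     state: link
45 |     src: "{{ nginx_conf_dir }}/sites-available/{{ item.key }}.conf"
46 |     dest: "{{ nginx_conf_dir }}/sites-enabled/{{ item.key }}.conf"
47 |   with_dict: "{{ nginx_sites }}"
48 |   when: (item.key not in nginx_remove_sites) and (item.key not in nginx_disabled_sites)
49 |   ignore_errors: "{{ ansible_check_mode }}"  # failures are tolerated only in --check runs
50 |   notify:
51 |     - reload nginx
52 |
53 | - name: Create the configurations for independent config file
54 |   template:
55 |     src: "{{ item.value.template | default('config.conf.j2') }}"
56 |     dest: "{{ nginx_conf_dir }}/conf.d/{{ item.key }}.conf"
57 |   with_dict: "{{ nginx_configs }}"
58 |   notify:
59 |     - reload nginx
60 |
61 | - name: Create configuration snippets
62 |   template:
63 |     src: config.conf.j2
64 |     dest: "{{ nginx_conf_dir }}/snippets/{{ item.key }}.conf"
65 |   with_dict: "{{ nginx_snippets }}"
66 |   notify:
67 |     - reload nginx
68 |
69 | - name: Create the configurations for independent config file for streams
70 |   template:
71 |     src: "{{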
item.value.template | default('config_stream.conf.j2') }}" 72 | dest: "{{ nginx_conf_dir }}/conf.d/stream/{{ item.key }}.conf" 73 | with_dict: "{{ nginx_stream_configs }}" 74 | notify: 75 | - reload nginx 76 | when: nginx_stream_params or nginx_stream_configs 77 | 78 | - name: | 79 | Create configuration files in modules-available (only for nginx official 80 | repo or custom modules, Centos/RHEL/Debian/Ubuntu EPEL/APT repo packages 81 | have these config files already) 82 | template: 83 | src: module.conf.j2 84 | dest: "{{ nginx_conf_dir }}/modules-available/{{ item }}.conf" 85 | with_items: "{{ nginx_module_configs }}" 86 | ignore_errors: "{{ ansible_check_mode }}" 87 | notify: 88 | - reload nginx 89 | when: 90 | - (item not in nginx_remove_modules) and (item not in nginx_disabled_modules) 91 | - nginx_official_repo 92 | 93 | - name: Create links in modules-available to Centos/RHEL EPEL provided configuration files. Debian/Ubuntu APT provided packages already have these config files. 94 | file: 95 | state: link 96 | src: "/usr/share/nginx/modules/{{ item }}.conf" 97 | dest: "{{ nginx_conf_dir }}/modules-available/{{ item }}.conf" 98 | with_items: "{{ nginx_module_configs }}" 99 | ignore_errors: "{{ ansible_check_mode }}" 100 | notify: 101 | - reload nginx 102 | when: 103 | - (item not in nginx_remove_modules) and (item not in nginx_disabled_modules) 104 | - ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' 105 | - not nginx_official_repo 106 | 107 | - name: Create links in our modules-available to Debian/Ubuntu APT provided config files. 
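# tasks/configuration.yml, continued: the task these first keys belong to starts above this excerpt.
  file:
    state: link
    src: "/usr/share/nginx/modules-available/{{ item }}.conf"
    dest: "{{ nginx_conf_dir }}/modules-available/{{ item }}.conf"
  with_items: "{{ nginx_module_configs }}"
  ignore_errors: "{{ ansible_check_mode }}"
  notify:
    - reload nginx
  when:
    - (item not in nginx_remove_modules) and (item not in nginx_disabled_modules)
    - ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
    - not nginx_official_repo

# Renames an existing modules-enabled/50-<module>.conf so it no longer matches
# the "*.conf" include; "removes" skips the command when that file is absent.
- name: Move out of the way any existing "50-" style links in modules-available, only for Debian/Ubuntu APT provided packages
  command: "mv {{ nginx_conf_dir }}/modules-enabled/50-{{ item }}.conf {{ nginx_conf_dir }}/modules-enabled/50-{{ item }}.conf.renamedasnowmanaged"
  args:
    removes: "{{ nginx_conf_dir }}/modules-enabled/50-{{ item }}.conf"
  with_items: "{{ nginx_module_configs }}"
  ignore_errors: "{{ ansible_check_mode }}"
  notify:
    - reload nginx
  when:
    - (item not in nginx_remove_modules) and (item not in nginx_disabled_modules)
    - ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
    - not nginx_official_repo

# Enables every module that is neither removed nor disabled by linking its
# modules-available entry into modules-enabled.
- name: Create links in modules-enabled from modules-available
  file:
    state: link
    src: "{{ nginx_conf_dir }}/modules-available/{{ item }}.conf"
    dest: "{{ nginx_conf_dir }}/modules-enabled/{{ item }}.conf"
  with_items: "{{ nginx_module_configs }}"
  when: (item not in nginx_remove_modules) and (item not in nginx_disabled_modules)
  ignore_errors: "{{ ansible_check_mode }}"
  notify:
    - reload nginx

--------------------------------------------------------------------------------
/tasks/ensure-dirs.yml:
--------------------------------------------------------------------------------
---
# Creates the configuration sub-directories under nginx_conf_dir.
# NOTE(review): auth_basic presumably holds the htpasswd-style files and gets
# the same nginx_dir_perm mode as every other directory here; confirm that
# mode (set outside this file) does not leave it world-readable.
- name: Create the directories for site specific configurations
  file:
    path: "{{ nginx_conf_dir }}/{{ item }}"
    state: directory
    owner: "{{ nginx_conf_user }}"
    group: "{{ nginx_conf_group }}"
    mode: "{{ nginx_dir_perm }}"
  with_items:
    - "sites-available"
    - "sites-enabled"
    - "auth_basic"
    - "conf.d"
    - "conf.d/stream"
    - "snippets"
    - "modules-available"
    - "modules-enabled"

# The log directory has its own owner, group and mode variables.
- name: Ensure log directory exist
  file:
    path: "{{ nginx_log_dir }}"
    state: directory
    owner: "{{ nginx_log_user }}"
    group: "{{ nginx_log_group }}"
    mode: "{{ nginx_log_perm }}"

--------------------------------------------------------------------------------
/tasks/installation.packages.yml:
--------------------------------------------------------------------------------
---
- name: Install the epel packages for EL distributions
  package: name=epel-release state=present
  when: nginx_is_el|bool and nginx_install_epel_repo|bool

# Only the "nginx" repository is force-enabled for this transaction.
- name: Install the nginx packages from official repo for EL distributions
  yum: name="{{ nginx_pkgs }}" state=present enablerepo="nginx"
  when: nginx_is_el|bool and nginx_official_repo

- name: Install the nginx packages for all other distributions
  package: name="{{ nginx_pkgs }}" state=present
  environment: "{{ nginx_env }}"
  when: not nginx_is_el|bool or not nginx_official_repo

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---

# Loads the first vars file that exists, most specific first.
# The versioned candidate needs the ".yml" suffix: first_found matches exact
# file names, so without it a file such as vars/Debian-12.yml is never chosen
# and the generic family file is loaded instead.
- name: include OS dependent vars
  include_vars: "{{ item }}"
  with_first_found:
    - "../vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
    - "../vars/{{ ansible_os_family }}.yml"
    - "../vars/empty.yml"
  when: nginx_load_default_vars
  tags: [always]

- include_tasks: selinux.yml
  when: ansible_selinux and ansible_selinux.status == "enabled"
  tags: [packages, selinux, nginx]

- include_tasks: nginx-official-repo.yml
  when: nginx_official_repo|bool
  tags: [packages, nginx]

- include_tasks: installation.packages.yml
  when: nginx_installation_type == "packages"
  tags: [packages, nginx]

- import_tasks: ensure-dirs.yml
  tags: [configuration, nginx]

# remove-defaults and remove-extras are mutually exclusive: the first drops
# only the stock default files, the second drops everything not declared.
- include_tasks: remove-defaults.yml
  when: not nginx_keep_only_specified
  tags: [configuration, nginx]

- include_tasks: remove-extras.yml
  when: nginx_keep_only_specified
  tags: [configuration, nginx]

- import_tasks: remove-unwanted.yml
  tags: [configuration, nginx]

- import_tasks: configuration.yml
  tags: [configuration, nginx]

- include_tasks: cloudflare_configuration.yml
  when: nginx_set_real_ip_from_cloudflare|bool
  tags: [configuration, nginx]

- include_tasks: amplify.yml
  when: nginx_amplify|bool and (ansible_distribution in ['RedHat', 'CentOS', 'Debian', 'Amazon', 'Ubuntu'])
  tags: [amplify, nginx]

# Runs only for installation types that manage a service and when nginx is
# configured to daemonize.
- name: Start the nginx service
  service: name={{ nginx_service_name }} state={{ nginx_start_service | ternary('started', 'stopped') }} enabled={{ nginx_start_at_boot }}
  when: nginx_installation_type in nginx_installation_types_using_service and nginx_daemon_mode == "on"
  tags: [service, nginx]

--------------------------------------------------------------------------------
/tasks/nginx-official-repo.yml:
--------------------------------------------------------------------------------
---
# The signing key is the trust anchor for every package installed from the
# repository, so it is fetched over HTTPS: a key retrieved over plain HTTP can
# be swapped in transit, after which forged packages would verify.
- name: Ensure APT official nginx key
  apt_key: url=https://nginx.org/keys/nginx_signing.key
  environment: "{{ nginx_env }}"
  when: ansible_os_family == 'Debian'

# The APT repository itself stays on HTTP; its metadata is checked against
# the key imported above. Switching it to HTTPS is preferable wherever the
# target's apt has HTTPS transport available.
- name: Ensure APT official nginx repository
  apt_repository: repo="deb http://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx"
  environment: "{{ nginx_env }}"
  when: ansible_os_family == 'Debian' and not nginx_official_repo_mainline

- name: Ensure APT official nginx repository (mainline)
  apt_repository: repo="deb http://nginx.org/packages/mainline/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} nginx"
  environment: "{{ nginx_env }}"
  when: ansible_os_family == 'Debian' and nginx_official_repo_mainline

# Same reasoning as for the APT key: fetch the trust anchor over HTTPS.
- name: Ensure RPM official nginx key
  rpm_key: key=https://nginx.org/keys/nginx_signing.key
  environment: "{{ nginx_env }}"
  when: ansible_os_family == 'RedHat'

- name: Ensure YUM official nginx repository
  template: src=nginx.repo.j2 dest=/etc/yum.repos.d/nginx.repo
  when: ansible_os_family == 'RedHat'

# NOTE(review): disable_gpg_check=yes means zypper does not verify package
# signatures for this repository, and no task in this file imports the key on
# SLES. With signatures off, transport security is the only integrity check
# left, so the repository URL uses HTTPS. Importing the signing key and
# dropping disable_gpg_check is the proper fix.
- name: Ensure zypper official nginx repository
  zypper_repository: repo="https://nginx.org/packages/sles/12" name="nginx" disable_gpg_check=yes
  environment: "{{ nginx_env }}"
  when: ansible_distribution == 'SLES' and ansible_distribution_version == '12' and not nginx_official_repo_mainline

- name: Ensure zypper official nginx repository (mainline)
  zypper_repository: repo="https://nginx.org/packages/mainline/sles/12" name="nginx" disable_gpg_check=yes
  environment: "{{ nginx_env }}"
  when: ansible_distribution == 'SLES' and ansible_distribution_version == '12' and nginx_official_repo_mainline

--------------------------------------------------------------------------------
/tasks/remove-defaults.yml:
--------------------------------------------------------------------------------
---
# The suffix-less "default" entry is removed unconditionally; the two
# "default.conf" files are kept when a site or config named "default" is
# declared.
- name: Disable the default site
  file:
    path: "{{ nginx_conf_dir }}/sites-enabled/default"
    state: absent
  notify:
    - reload nginx

- name: Disable the default site (on newer nginx versions)
  file:
    path: "{{ nginx_conf_dir }}/sites-enabled/default.conf"
    state: absent
  notify:
    - reload nginx
  when: >
    'default' not in nginx_sites.keys()

- name: Remove the default configuration
  file:
    path: "{{ nginx_conf_dir }}/conf.d/default.conf"
    state: absent
  when: >
    'default' not in nginx_configs.keys()
  notify:
    - reload nginx

--------------------------------------------------------------------------------
/tasks/remove-extras.yml:
--------------------------------------------------------------------------------
---
# The directory path goes through the quote filter so that a path containing
# spaces or shell metacharacters stays a single argument to the shell.
# "|| true" keeps the task green when the directory does not exist yet.
- name: Find enabled sites
  shell: ls -1 {{ nginx_conf_dir | quote }}/sites-enabled || true
  register: enabled_sites
  changed_when: False

# item[:-5] drops the last five characters (".conf"). An entry without that
# suffix is truncated as well, so it never matches a declared site and is
# removed.
- name: Disable unmanaged sites
  file:
    path: "{{ nginx_conf_dir }}/sites-enabled/{{ item }}"
    state: absent
  with_items: "{{ enabled_sites.stdout_lines | default([]) }}"
  # 'item.conf' => 'item'
  when: item[:-5] not in nginx_sites.keys()
  notify:
    - reload nginx

# Lists the base names of regular "*.conf" files directly inside conf.d.
- name: Find config files
  shell: find {{ nginx_conf_dir | quote }}/conf.d -maxdepth 1 -type f -name '*.conf' -exec basename {} \;
  register: config_files
  changed_when: False

- name: Remove unmanaged config files
  file:
    name: "{{ nginx_conf_dir }}/conf.d/{{ item }}"
    state: absent
  with_items: "{{ config_files.stdout_lines | default([]) }}"
  # 'item.conf' => 'item'
  when: item[:-5] not in nginx_configs.keys()
  notify:
    - reload nginx

--------------------------------------------------------------------------------
/tasks/remove-unwanted.yml:
--------------------------------------------------------------------------------
---
# Each task deletes the files named in the matching nginx_remove_* variable.
# Sites are removed from both sites-enabled and sites-available.
- name: Remove unwanted sites
  file:
    path: "{{ nginx_conf_dir }}/{{ item[0] }}/{{ item[1] }}.conf"
    state: absent
  with_nested:
    - ['sites-enabled', 'sites-available']
    - "{{ nginx_remove_sites }}"
  notify:
    - reload nginx

- name: Remove unwanted conf
  file:
    path: "{{ nginx_conf_dir }}/conf.d/{{ item }}.conf"
    state: absent
  with_items: "{{ nginx_remove_configs }}"
  notify:
    - reload nginx

- name: Remove unwanted snippets
  file:
    path: "{{ nginx_conf_dir }}/snippets/{{ item }}.conf"
    state: absent
  with_items: "{{ nginx_remove_snippets }}"
  notify:
    - reload nginx

- name: Remove unwanted auth_basic_files
  file:
    path: "{{ nginx_conf_dir }}/auth_basic/{{ item }}"
    state: absent
  with_items: "{{ nginx_remove_auth_basic_files }}"
  notify:
    - reload nginx

--------------------------------------------------------------------------------
/tasks/selinux.yml:
--------------------------------------------------------------------------------
---
- name: Install the selinux python module
  package: name={{ nginx_python_selinux_pkgs | default(omit) }} state=present
  when: ansible_os_family == "RedHat" or ansible_os_family == "Debian"

# Persistently turns on the httpd_setrlimit boolean; the main nginx template
# sets worker_rlimit_nofile, which the confined process needs this for.
- name: Set SELinux boolean to allow nginx to set rlimit
  seboolean: name=httpd_setrlimit state=yes persistent=yes

--------------------------------------------------------------------------------
/templates/auth_basic.j2:
--------------------------------------------------------------------------------
{# Writes every entry of item.value on its own line, exactly as given. #}
#{{ ansible_managed }}

{% for v in item.value %}
{{ v }}
{% endfor %}

--------------------------------------------------------------------------------
/templates/config.conf.j2:
--------------------------------------------------------------------------------
{# Entries containing a newline are written verbatim. Single-line entries get
   line breaks after ";" and around braces, plus a closing ";" when they
   contain no "{". Values are not escaped: whoever sets them controls the
   resulting nginx configuration. #}
#{{ ansible_managed }}

{% for v in item.value %}
{% if v.find('\n') != -1 %}
{{v}}
{% else %}
{% if v != "" %}{{ v.replace(";",";\n ").replace(" {"," {\n ").replace(" }"," \n}\n") }}{% if v.find('{') == -1%};
{% endif %}{% endif %}{% endif %}
{% endfor %}

--------------------------------------------------------------------------------
/templates/config_cloudflare.conf.j2:
--------------------------------------------------------------------------------
{# Every non-empty line of the two list bodies becomes a set_real_ip_from
   directive without further validation. Each such entry is a peer nginx will
   trust to state the client address through real_ip_header, so the lists must
   come from an authenticated source.
   NOTE(review): cloudflare_ipv4_list / cloudflare_ipv6_list are registered
   outside this template; confirm they are fetched over HTTPS with certificate
   validation and that an error page cannot end up in .content. #}
#{{ ansible_managed }}

{% if cloudflare_ipv4_list is defined %}
{% for cidr in cloudflare_ipv4_list.content.split('\n') %}
{% if cidr %}
set_real_ip_from {{ cidr }};
{% endif %}
{% endfor %}
{% endif %}

{% if cloudflare_ipv6_list is defined %}
{% for cidr in cloudflare_ipv6_list.content.split('\n') %}
{% if cidr %}
set_real_ip_from {{ cidr }};
{% endif %}
{% endfor %}
{% endif %}

real_ip_header {{ nginx_cloudflare_real_ip_header }};

--------------------------------------------------------------------------------
/templates/config_stream.conf.j2:
--------------------------------------------------------------------------------
{# Same expansion rules as config.conf.j2: multi-line entries verbatim,
   single-line entries reflowed and terminated with ";" when brace-free. #}
#{{ ansible_managed }}

{% for v in item.value %}
{% if v.find('\n') != -1 %}
{{v}}
{% else %}
{% if v != "" %}{{ v.replace(";",";\n ").replace(" {"," {\n ").replace(" }"," \n}\n") }}{% if v.find('{') == -1%};
{% endif %}{% endif %}{% endif %}
{% endfor %}

--------------------------------------------------------------------------------
/templates/module.conf.j2:
--------------------------------------------------------------------------------
{# load_module loads a shared object into nginx itself; the directory and the
   module name both come from variables and are used as given. #}
#{{ ansible_managed }}

load_module "{{ nginx_modules_location }}/{{ item }}.so";

--------------------------------------------------------------------------------
/templates/nginx.conf.j2:
--------------------------------------------------------------------------------
{# Main configuration: global settings, then the events, http and (optional)
   stream contexts. Each *_params entry is emitted as one directive. #}
#{{ ansible_managed }}
user {{ nginx_user }} {{ nginx_group }};

worker_processes {{ nginx_worker_processes }};

{% if nginx_pid_file %}
pid {{ nginx_pid_file }};
{% endif %}

worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};

include {{ nginx_conf_dir }}/modules-enabled/*.conf;

{% if nginx_extra_root_params is defined and nginx_extra_root_params is iterable %}
{% for line in nginx_extra_root_params %}
{{ line }};
{% endfor %}
{% endif %}

events {
{% for v in nginx_events_params %}
{{ v }};
{% endfor %}
}


http {

include {{ nginx_conf_dir }}/mime.types;
default_type application/octet-stream;
{# An entry whose last two characters contain "}" is a block and gets no ";". #}
{% for v in nginx_http_params %}
{{ v if "}" in v[-2:] else v+";" }}
{% endfor %}

include {{ nginx_conf_dir }}/conf.d/*.conf;
include {{ nginx_conf_dir }}/sites-enabled/*;
}

{% if nginx_stream_params or nginx_stream_configs %}
stream {

{% for v in nginx_stream_params %}
{{ v }};
{% endfor %}

include {{ nginx_conf_dir }}/conf.d/stream/*.conf;
}
{% endif %}

{% if nginx_daemon_mode == "off" %}
daemon off;
{% endif %}

--------------------------------------------------------------------------------
/templates/nginx.repo.j2:
--------------------------------------------------------------------------------
{# gpgcheck is set explicitly so signature verification does not depend on the
   host's yum defaults, and gpgkey points at the signing key over HTTPS.
   The baseurl lines are unchanged; with gpgcheck on, packages fetched from
   them are verified against that key. #}
[nginx]
name=nginx repo
{% if nginx_official_repo_mainline %}
baseurl=http://nginx.org/packages/mainline/{{"rhel" if ansible_distribution == "RedHat" else "centos"}}/{{ansible_distribution_version.split('.')[0]}}/{{ansible_architecture}}/
{% else %}
baseurl=http://nginx.org/packages/{{"rhel" if ansible_distribution == "RedHat" else "centos"}}/{{ansible_distribution_version.split('.')[0]}}/{{ansible_architecture}}/
{% endif %}
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

--------------------------------------------------------------------------------
/templates/site.conf.j2:
--------------------------------------------------------------------------------
{# Wraps the entries of item.value in one server block, using the same
   verbatim / reflow rules as the generic config template. #}
#{{ ansible_managed }}

server {
{% for v in item.value %}
{% if v.find('\n') != -1 %}
{{v.replace("\n","\n ")}}
{% else %}
{% if v != "" %}{{ v.replace(";",";\n ").replace(" {"," {\n ").replace(" }"," \n }\n") }}{% if v.find('{') == -1%};
{% endif %}{% endif %}{% endif %}
{% endfor %}
}

--------------------------------------------------------------------------------
/test/custom_bar.conf.j2: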
--------------------------------------------------------------------------------
# {{ ansible_managed }}
upstream backend {
  server 10.0.0.101;
}
server {
  server_name {{ item.value.server_name }};
  location / {
    proxy_pass http://backend;
  }
}

--------------------------------------------------------------------------------
/test/example-vars.yml:
--------------------------------------------------------------------------------
---
# Account the nginx workers run as.
nginx_user: www-data

# Reusable server-block fragment, interpolated into the hhvm_test site below.
nginx_hhvm: |
  add_header X-backend hhvm;
  try_files $uri $uri/ /index.php?$args;
  location ~ \.(hh|php)$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/hhvm/sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

# Directives for the events section, one per list entry.
nginx_events_params:
  - worker_connections 512

# Server definitions, keyed by site name. Each value is a list of server
# directives, as with the http parameters; any valid server directive may
# appear here.

nginx_sites:
  default:
    - listen 80
    - server_name _
    - root "/usr/share/nginx/html"
    - index index.html
  foo:
    - listen 8080
    - server_name localhost
    - root "/tmp/site1"
    - location / { try_files $uri $uri/ /index.html; }
    - location /images/ { try_files $uri $uri/ /index.html; }
  bar:
    - listen 9090
    - server_name ansible
    - root "/tmp/site2"
    - location / { try_files $uri $uri/ /index.html; }
    - location /images/ {
        try_files $uri $uri/ /index.html;
        allow 127.0.0.1;
        deny all;
      }
    - auth_basic "Restricted"
    - auth_basic_user_file auth_basic/demo
  hhvm_test:
    - |
      listen 80;
      server_name test_hhvm;
      root "/tmp/hhvm";
      {{nginx_hhvm}}
  custom_bar:
    template: custom_bar.conf.j2
    server_name: bar.example.com

# Additional configuration files, keyed by file name.
nginx_configs:
  proxy:
    - proxy_set_header X-Real-IP $remote_addr
    - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
  upstream:
    - upstream foo { server 127.0.0.1:8080 weight=10; }
  geo:
    - geo $local {
        default 0;
        127.0.0.1 1;
      }
  gzip:
    - gzip on
    - gzip_disable msie6

# Configuration snippets, keyed by snippet name.
nginx_snippets:
  error_pages:
    - error_page 500 /http_errors/500.html
    - error_page 502 /http_errors/502.html
    - error_page 503 /http_errors/503.html
    - error_page 504 /http_errors/504.html

# User/password files, keyed by file name.
# Test fixtures only: the plaintext of both entries is stated in the trailing
# comments, so these hashes must never be reused outside the test run.
nginx_auth_basic_files:
  demo:
    - foo:$apr1$mEJqnFmy$zioG2q1iDWvRxbHuNepIh0 # foo:demo , generated by : htpasswd -nb foo demo
    - bar:$apr1$H2GihkSo$PwBeV8cVWFFQlnAJtvVCQ. # bar:demo , generated by : htpasswd -nb bar demo

# Turn on the CloudFlare real-IP configuration.
nginx_set_real_ip_from_cloudflare: true

--------------------------------------------------------------------------------
/test/test.yml:
--------------------------------------------------------------------------------
---
# Applies the role to the chosen host group with the example variables.
- hosts: "{{hosts_group|default('all')}}"
  vars_files:
    - example-vars.yml
  roles:
    - "{{role_name|default('nginx')}}"

--------------------------------------------------------------------------------
/vars/Debian-12.yml:
--------------------------------------------------------------------------------
---
nginx_user: www-data

# Python 3 bindings used by the SELinux tasks.
nginx_python_selinux_pkgs:
  - python3-selinux
  - python3-semanage

nginx_modules_location: /usr/lib/nginx/modules

--------------------------------------------------------------------------------
/vars/Debian.yml:
--------------------------------------------------------------------------------
---
nginx_user: www-data

nginx_python_selinux_pkgs:
  - python-selinux
  - python-semanage

nginx_modules_location: /usr/lib/nginx/modules

--------------------------------------------------------------------------------
/vars/FreeBSD.yml:
--------------------------------------------------------------------------------
---
nginx_conf_dir: /usr/local/etc/nginx
nginx_user: www
nginx_sites_default_root: /usr/local/www/nginx-dist
nginx_conf_group: wheel

--------------------------------------------------------------------------------
/vars/RedHat.yml:
--------------------------------------------------------------------------------
---
nginx_python_selinux_pkgs:
  - libselinux-python
  - libsemanage-python

nginx_modules_location: /usr/lib64/nginx/modules


--------------------------------------------------------------------------------
/vars/Solaris.yml:
--------------------------------------------------------------------------------
---
nginx_conf_dir: /opt/local/etc/nginx
nginx_user: www
nginx_sites_default_root: /opt/local/www

--------------------------------------------------------------------------------
/vars/empty.yml:
--------------------------------------------------------------------------------
---
# This file intentionally does not define any variables.

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# Environment handed to the package and repository tasks.
# NOTE(review): RUNLEVEL=1 presumably stops package scripts from starting the
# service during installation; confirm on the target distributions.
nginx_env:
  RUNLEVEL: 1

# Installation types for which the role manages the nginx service.
nginx_installation_types_using_service:
  - "packages"
  - "configuration-only"

# True on the Enterprise Linux distributions named in the list.
nginx_is_el: "{{ ansible_distribution in ['RedHat', 'CentOS'] }}"

# Default http-context directives. "server_tokens off" keeps the nginx version
# out of error pages and the Server response header.
nginx_http_default_params:
  - sendfile on
  - tcp_nopush on
  - tcp_nodelay on
  - server_tokens off
  - access_log "{{nginx_log_dir}}/access.log"
  - error_log "{{nginx_log_dir}}/error.log" {{nginx_error_log_level}}

# Empty unless an OS-specific vars file supplies the package names.
nginx_python_selinux_pkgs: []

--------------------------------------------------------------------------------