13:5304db8ea096
Anton Shestakov <av6@dwimlabs.net>, Fri, 30 Jun 2017 10:10:40 +0800
nginx: newer versions support "always" in add_header

next change 15:1b10fcb0d7a2
previous change 11:4dcb8d9d09dc

roles/nginx/tasks/main.yml

Permissions: -rw-r--r--

---
# Install nginx together with the helper packages that the Munin-related
# tasks below rely on (see the per-package notes).
- name: Install packages
  apt:
    state: present
    pkg: "{{ item }}"
  with_items:
    - easy-rsa  # for munin certificate auth
    - nginx-full
    - libwww-perl  # for munin plugins
  tags:
    - packages
    - inert
# Remove the "default" entry from sites-enabled so that only the sites
# enabled explicitly by this role remain; nginx is restarted on change.
- name: Disable default site
  file:
    state: absent
    path: '/etc/nginx/sites-enabled/default'
  notify: [restart nginx]
# Ship the nginx_status site definition from the role's files.
# No owner, group or mode is given, so the copy module's defaults apply.
# NOTE(review): the site file itself is not visible here - confirm that it
# restricts who may query the status endpoint.
- name: Add Nginx status server
  copy:
    dest: '/etc/nginx/sites-available/nginx_status'
    src: 'etc/nginx/sites-available/nginx_status'
  notify: [restart nginx]
# Activate the status site by symlinking it from sites-available into
# sites-enabled.
- name: Enable Nginx status server
  file:
    state: link
    dest: '/etc/nginx/sites-enabled/nginx_status'
    src: '/etc/nginx/sites-available/nginx_status'
  notify: [restart nginx]
# Run the tasks from easy-rsa.yml at this point (that file is not shown
# here; presumably it prepares /etc/nginx/easy-rsa used further down).
- include: 'easy-rsa.yml'
# Generate 2048-bit Diffie-Hellman parameters once: `creates` makes the
# command a no-op when /etc/nginx/dh-2048.pem already exists.
# When the virtualization fact is "virtualbox", -dsaparam is added, which
# yields DSA-style parameters much faster than a safe-prime search -
# presumably a shortcut for test VMs; confirm before reusing it elsewhere.
- name: Create a Diffie-Hellman key exchange parameters file
  command: >
    openssl dhparam
    {% if ansible_virtualization_type == "virtualbox" %}-dsaparam{% endif %}
    -out /etc/nginx/dh-2048.pem
    2048
  args:
    creates: '/etc/nginx/dh-2048.pem'
  notify: [restart nginx]
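# Compute, for each listed key, the base64-encoded SHA-256 digest of its
# DER-encoded public key (the value an HPKP pin carries) and register the
# per-item results as hpkpinfo. Only the public half goes through the pipe.
#
# The task changes nothing on the host (changed_when: false) and is also
# executed in check mode (always_run).
#
# Failure handling: a plain sh pipeline reports only the exit status of the
# last command, and an explicit failed_when replaces the default rc check,
# so a failing `openssl rsa` could otherwise pass with stdout holding the
# digest of empty input. pipefail (hence bash) and the rc test close that
# gap; the original stderr match is kept as well.
#
# NOTE(review): ca.key is read on this host - if that is the CA private
# key, confirm it has to be stored on the web server.
# NOTE(review): HPKP has since been removed from major browsers - confirm
# the pins are still consumed before extending this.
- name: Extract information for HPKP header
  shell: >
    set -o pipefail &&
    openssl rsa -in /etc/nginx/easy-rsa/keys/{{ item }} -outform der -pubout
    | openssl dgst -sha256 -binary
    | openssl enc -base64
  args:
    executable: /bin/bash
  with_items:
    - munin.{{ hostname }}.key
    - ca.key
  register: hpkpinfo
  changed_when: false
  failed_when: "hpkpinfo.rc != 0 or 'unable' in hpkpinfo.stderr"
  always_run: yes
  tags: [munin]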
# Render the Munin virtual host from its template into sites-available,
# named after the host.
- name: Add munin.{{ hostname }}
  template:
    dest: "/etc/nginx/sites-available/munin.{{ hostname }}"
    src: 'etc/nginx/sites-available/munin'
  tags:
    - munin
  notify: [restart nginx]
# Activate the Munin virtual host through a sites-enabled symlink; the link
# name carries a "99" prefix.
- name: Enable munin.{{ hostname }}
  file:
    state: link
    dest: "/etc/nginx/sites-enabled/99munin.{{ hostname }}"
    src: "/etc/nginx/sites-available/munin.{{ hostname }}"
  tags:
    - munin
  notify: [restart nginx]
# Symlink the listed plugins from /usr/share/munin/plugins into
# /etc/munin/plugins; munin-node is restarted on change.
- name: Enable extra Munin plugins
  file:
    state: link
    dest: "/etc/munin/plugins/{{ item }}"
    src: "/usr/share/munin/plugins/{{ item }}"
  with_items:
    - nginx_request
    - nginx_status
  tags:
    - munin
  notify: [restart munin-node]
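# Install the role's own Munin plugins as executable files.
# The mode is quoted so that it reaches the module as the string "0755"
# instead of depending on how the YAML loader reads a bare leading-zero
# number. No owner or group is set, so the copy module's defaults apply.
- name: Copy custom Nginx-related Munin plugins
  copy:
    src: etc/munin/plugins/{{ item }}
    dest: /etc/munin/plugins/{{ item }}
    mode: '0755'
  with_items:
    - nginx_requests_by_vhost
  notify:
    - restart munin-node
  tags: [munin]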
# Render the plugin-conf.d entry for each custom plugin from its template.
- name: Configure custom Munin plugins
  template:
    dest: "/etc/munin/plugin-conf.d/{{ item }}"
    src: "etc/munin/plugin-conf.d/{{ item }}"
  with_items:
    - nginx_requests_by_vhost
  tags:
    - munin
  notify: [restart munin-node]
# Enable the nginx check that already exists under Monit's conf-available
# by linking it into conf-enabled; Monit is reloaded on change.
- name: Monitor Nginx with Monit
  file:
    state: link
    dest: '/etc/monit/conf-enabled/nginx'
    src: '/etc/monit/conf-available/nginx'
  tags:
    - monit
  notify: [reload monit]
# Add ufw allow rules for the "Nginx HTTP" and "Nginx HTTPS" entries.
# No source restriction is given on these rules.
- name: Allow HTTP and HTTPS
  ufw:
    rule: allow
    name: "{{ item }}"
  with_items:
    - 'Nginx HTTP'
    - 'Nginx HTTPS'
  tags:
    - ufw
...