--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/defaults/main.yml	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,20 @@
+---
+munin_clients: [client]
+munin_nginx_vhosts: munin.{{ hostname }}
+munin_pkcs12_pass: big dumb passphrase
+munin_ca_vars:
+  - key: COUNTRY
+    value: RU
+  - key: PROVINCE
+    value: ''
+  - key: CITY
+    value: Irkutsk
+  - key: ORG
+    value: '{{ hostname }}'
+  - key: OU
+    value: ''
+  - key: EMAIL
+    value: hostmaster@{{ hostname }}
+  - key: NAME
+    value: Munin for {{ hostname }}
+...

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/files/etc/munin/plugins/nginx_requests_by_vhost	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+
+case $1 in
+    autoconf)
+        echo "no (quick hacky plugin)"
+        exit 0
+        ;;
+
+    config)
+        echo "graph_title Nginx requests by vhost"
+        echo 'graph_args --base 1000'
+        echo 'graph_vlabel requests / ${graph_period}'
+        echo 'graph_category nginx'
+
+        for vhost in $vhosts; do
+            name="$(clean_fieldname "$vhost")"
+            echo "${name}.label ${vhost}"
+            echo "${name}.type DERIVE"
+            echo "${name}.draw LINE1"
+            echo "${name}.min 0"
+        done
+
+        exit 0
+        ;;
+esac
+
+for vhost in $vhosts; do
+    name="$(clean_fieldname "$vhost")"
+    echo "${name}.value $(wc -l /var/log/nginx/${vhost}.access.log | cut -d' ' -f1)"
+done

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/files/etc/nginx/sites-available/nginx_status	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,12 @@
+server {
+    listen 127.0.0.1:80;
+    listen [::1]:80;
+    server_name localhost;
+    location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        allow ::1;
+        deny all;
+    }
+}

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/handlers/main.yml	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,4 @@
+---
+- name: restart nginx
+  service: name=nginx state=restarted
+...

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/tasks/easy-rsa.yml	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,59 @@
+---
+- name: Set up a local easy-rsa certificates directory
+  command: make-cadir /etc/nginx/easy-rsa/
+  args:
+    creates: /etc/nginx/easy-rsa/
+
+- name: Editing vars in-place
+  lineinfile: dest=/etc/nginx/easy-rsa/vars
+  args:
+    regexp: '^export KEY_{{ item.key }}="'
+    line: 'export KEY_{{ item.key }}="{{ item.value }}"'
+  with_items: munin_ca_vars
+
+- name: Running clean-all
+  shell: . ./vars && ./clean-all
+  args:
+    chdir: /etc/nginx/easy-rsa/
+    creates: /etc/nginx/easy-rsa/keys/index.txt
+
+- name: Running build-ca
+  shell: . ./vars && ./build-ca --batch
+  args:
+    chdir: /etc/nginx/easy-rsa/
+    creates: /etc/nginx/easy-rsa/keys/ca.key
+  notify:
+    - restart nginx
+
+- name: Running build-key-server
+  shell: . ./vars && ./build-key-server --batch munin.{{ hostname }}
+  args:
+    chdir: /etc/nginx/easy-rsa/
+    creates: /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key
+  notify:
+    - restart nginx
+
+- name: Running build-key
+  shell: . ./vars && ./build-key --batch munin.{{ hostname }}.{{ item }}
+  args:
+    chdir: /etc/nginx/easy-rsa/
+    creates: /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.key
+  with_items: munin_clients
+
+- name: Export client certificate as a PKCS#12 file
+  command: >
+    openssl pkcs12
+    -export
+    -out /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12
+    -inkey /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.key
+    -in /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.crt
+    -certfile /etc/nginx/easy-rsa/keys/ca.crt
+    -passout 'pass:{{ munin_pkcs12_pass }}'
+  args:
+    creates: /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12
+  with_items: munin_clients
+
+- name: Fetch the resulting PKCS#12 file
+  fetch: src=/etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12 dest=./pkcs12/ flat=yes fail_on_missing=yes
+  with_items: munin_clients
+...

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/tasks/main.yml	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,98 @@
+---
+- name: Install packages
+  apt: pkg={{ item }} state=present
+  with_items:
+    - easy-rsa # for munin certificate auth
+    - nginx-full
+    - libwww-perl # for munin plugins
+  tags: [packages, inert]
+
+- name: Disable default site
+  file: path=/etc/nginx/sites-enabled/default state=absent
+  notify:
+    - restart nginx
+
+- name: Add nginx status server
+  copy: src=etc/nginx/sites-available/nginx_status dest=/etc/nginx/sites-available/nginx_status
+  notify:
+    - restart nginx
+
+  file: src=/etc/nginx/sites-available/nginx_status dest=/etc/nginx/sites-enabled/nginx_status state=link
+- name: Enable Nginx status server
+  notify:
+    - restart nginx
+
+- include: easy-rsa.yml
+
+- name: Create a Diffie-Hellman key exchange parameters file
+  command: >
+    openssl dhparam
+    {% if ansible_virtualization_type == "virtualbox" %}-dsaparam{% endif %}
+    -out /etc/nginx/dh-2048.pem
+    2048
+  args:
+    creates: /etc/nginx/dh-2048.pem
+  notify:
+    - restart nginx
+
+- name: Extract information for HPKP header
+  shell: openssl rsa -in /etc/nginx/easy-rsa/keys/{{ item }} -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+  with_items:
+    - munin.{{ hostname }}.key
+    - ca.key
+  register: hpkpinfo
+  changed_when: false
+  failed_when: "'unable' in hpkpinfo.stderr"
+  always_run: yes
+  tags: [munin]
+
+- name: Add munin.{{ hostname }}
+  template: src=etc/nginx/sites-available/munin dest=/etc/nginx/sites-available/munin.{{ hostname }}
+  notify:
+    - restart nginx
+  tags: [munin]
+
+- name: Enable munin.{{ hostname }}
+  file: src=/etc/nginx/sites-available/munin.{{ hostname }} dest=/etc/nginx/sites-enabled/99munin.{{ hostname }} state=link
+  notify:
+    - restart nginx
+  tags: [munin]
+
+- name: Enable extra Munin plugins
+  file: src=/usr/share/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} state=link
+  with_items:
+    - nginx_request
+    - nginx_status
+  notify:
+    - restart munin-node
+  tags: [munin]
+
+- name: Copy custom Nginx-related Munin plugins
+  copy: src=etc/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} mode=0755
+  with_items:
+    - nginx_requests_by_vhost
+  notify:
+    - restart munin-node
+  tags: [munin]
+
+- name: Configure custom Munin plugins
+  template: src=etc/munin/plugin-conf.d/{{ item }} dest=/etc/munin/plugin-conf.d/{{ item }}
+  with_items:
+    - nginx_requests_by_vhost
+  notify:
+    - restart munin-node
+  tags: [munin]
+
+- name: Monitor Nginx with Monit
+  file: src=/etc/monit/monitrc.d/nginx dest=/etc/monit/conf.d/nginx state=link
+  notify:
+    - reload monit
+  tags: [monit]
+
+- name: Allow HTTP and HTTPS
+  ufw: rule=allow name='{{ item }}'
+  with_items:
+    - Nginx HTTP
+    - Nginx HTTPS
+  tags: [ufw]
+...

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/templates/etc/munin/plugin-conf.d/nginx_requests_by_vhost	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,3 @@
+[nginx_requests_by_vhost]
+user www-data
+env.vhosts {{ munin_nginx_vhosts }}

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/nginx/templates/etc/nginx/sites-available/munin	Thu Jan 21 01:50:21 2016 +0800
@@ -0,0 +1,50 @@
+server {
+    server_name munin.{{ hostname }};
+
+    listen 80;
+    listen [::]:80;
+
+    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
+    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
+
+    return 301 https://munin.{{ hostname }}$request_uri;
+}
+
+server {
+    server_name munin.{{ hostname }};
+
+    listen 443 ssl spdy;
+    listen [::]:443 ssl spdy;
+
+    ssl_certificate /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.crt;
+    ssl_certificate_key /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key;
+    ssl_trusted_certificate /etc/nginx/easy-rsa/keys/ca.crt;
+    ssl_client_certificate /etc/nginx/easy-rsa/keys/ca.crt; # XXX: should work without this?
+    ssl_verify_client on;
+    ssl_dhparam /etc/nginx/dh-2048.pem;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout 10m;
+
+    # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
+    add_header X-Frame-Options 'SAMEORIGIN';
+
+    # HPKP: 5184000 = 60 days
+    add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
+
+    # HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
+    add_header Strict-Transport-Security 'max-age=31536000';
+
+    # Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
+
+    add_header Cache-Control private;
+
+    access_log /var/log/nginx/munin.{{ hostname }}.access.log;
+    error_log /var/log/nginx/munin.{{ hostname }}.error.log;
+
+    root /var/cache/munin/www;
+
+    location ~* \.png$ {
+        access_log off;
+    }
+}