/
main.yml
278 lines (242 loc) · 8.87 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
---
- name: Assert that no legacy options are used
assert:
that:
- '((item.csp is defined and item.csp is string) or item.csp is undefined)'
- '(item.csp_policy is undefined)'
run_once: True
delegate_to: 'localhost'
with_flattened:
- '{{ nginx__servers }}'
- '{{ nginx__default_servers }}'
- '{{ nginx__internal_servers }}'
- '{{ nginx__dependent_servers }}'
- '{{ nginx_servers | d([]) }}'
- '{{ nginx_default_servers | d([]) }}'
- '{{ nginx_internal_servers | d([]) }}'
- '{{ nginx_dependent_servers | d([]) }}'
- name: DebOps pre_tasks hook
include: '{{ lookup("task_src", "nginx/pre_main.yml") }}'
when: (nginx__deploy_state in [ 'present' ])
- name: Check if nginx is installed
stat:
path: '/usr/sbin/nginx'
register: nginx_register_installed
- name: Add flavor APT GPG key
apt_key:
id: '{{ nginx__flavor_apt_key_id }}'
state: '{{ "present" if (nginx__deploy_state == "present") else "absent" }}'
keyserver: '{{ ansible_local.core.keyserver
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.keyserver)
else "hkp://pool.sks-keyservers.net" }}'
when: (nginx_flavor in [ 'nginx.org', 'passenger' ])
- name: Add flavor APT repository
apt_repository:
repo: '{{ nginx__flavor_apt_repository }}'
state: '{{ "present" if (nginx__deploy_state == "present") else "absent" }}'
update_cache: True
when: (nginx_flavor in [ 'nginx.org', 'passenger' ])
- name: Ensure base packages are installed
package:
name: '{{ item }}'
state: 'present'
when: (nginx__deploy_state in [ 'present' ])
with_flattened:
- '{{ nginx_base_packages }}'
- name: Ensure Nginx packages are in their desired state
package:
name: '{{ item }}'
state: '{{ "present" if (nginx__deploy_state == "present") else "absent" }}'
with_flattened:
- '{{ nginx__flavor_packages }}'
- name: Create default nginx directories
file:
path: '{{ item }}'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
with_items:
- '/etc/nginx/sites-default.d'
- '/etc/nginx/sites-available'
- '/etc/nginx/sites-enabled'
- '/etc/nginx/snippets'
- '{{ nginx_temp_root_path }}'
when: (nginx__deploy_state in [ 'present' ])
- name: Divert default.conf in case nginx nginx.org flavor is used
command: dpkg-divert --quiet --local --divert /etc/nginx/conf.d/default.conf.dpkg-divert
--rename /etc/nginx/conf.d/default.conf
args:
creates: '/etc/nginx/conf.d/default.conf.dpkg-divert'
when: (nginx_flavor == 'nginx.org' and nginx__deploy_state in [ 'present' ])
- include: 'passenger_config.yml'
when: (nginx_flavor == 'passenger' and nginx__deploy_state in [ 'present' ])
- name: Restart nginx on first install to bypass missing pid bug
service:
name: 'nginx'
state: 'restarted'
when: (nginx_register_installed|d() and not nginx_register_installed.stat.exists and nginx__deploy_state in [ 'present' ])
- name: Get list of nameservers configured in /etc/resolv.conf
shell: "awk '/nameserver/ {if(/:/){sub(/[0-9a-fA-F:]+/, \"[&]\", $2)}; print $2}' /etc/resolv.conf"
register: nginx_register_nameservers
changed_when: False
when: (nginx__deploy_state in [ 'present' ])
tags: [ 'role::nginx:servers' ]
- name: Convert list of nameservers to Ansible list
set_fact:
nginx_ocsp_resolvers: "{{ nginx_register_nameservers.stdout_lines }}"
when: ((nginx_register_nameservers.stdout is defined and nginx_register_nameservers.stdout) and
(nginx_ocsp_resolvers is undefined or
(nginx_ocsp_resolvers is defined and not nginx_ocsp_resolvers)) and
(nginx__deploy_state in [ 'present' ]))
tags: [ 'role::nginx:servers' ]
- name: Ensure that webadmins privileged group exists
group:
name: '{{ nginx_privileged_group }}'
state: 'present'
system: True
when: (nginx__deploy_state in [ 'present' ])
- name: Create directory for webadmins configuration
file:
path: '/etc/nginx/sites-local'
state: 'directory'
owner: 'root'
group: '{{ nginx_privileged_group }}'
mode: '0775'
when: (nginx__deploy_state in [ 'present' ])
- name: Allow webadmins to reload nginx using sudo
template:
src: 'etc/sudoers.d/nginx_webadmins.j2'
dest: '/etc/sudoers.d/nginx_webadmins'
owner: 'root'
group: 'root'
mode: '0440'
when: (nginx__deploy_state in [ 'present' ])
- name: Divert original /etc/nginx/nginx.conf
command: dpkg-divert --quiet --local --divert /etc/nginx/nginx.conf.dpkg-divert
--rename /etc/nginx/nginx.conf
args:
creates: '/etc/nginx/nginx.conf.dpkg-divert'
when: (nginx__deploy_state in [ 'present' ])
- name: Setup /etc/nginx/nginx.conf
template:
src: 'etc/nginx/nginx.conf.j2'
dest: '/etc/nginx/nginx.conf'
owner: 'root'
group: 'root'
mode: '0644'
notify: [ 'Test nginx and reload' ]
when: (nginx__deploy_state in [ 'present' ])
- name: Generate custom nginx snippets
template:
src: 'etc/nginx/snippets/{{ item }}.conf.j2'
dest: '/etc/nginx/snippets/{{ item }}.conf'
owner: 'root'
group: 'root'
mode: '0644'
with_items: [ 'acme-challenge' ]
when: (nginx__deploy_state in [ 'present' ])
notify: [ 'Test nginx and reload' ]
# Remove temporary old files if they are present
- name: Remove remnants of dpkg-diverted configuration
command: rm -f /etc/nginx/fastcgi_params.dpkg-divert /etc/nginx/fastcgi_params.dpkg-divert.lock
args:
removes: '/etc/nginx/fastcgi_params.dpkg-divert.lock'
notify: [ 'Test nginx and reload' ]
when: (nginx__deploy_state in [ 'present' ])
- name: Disable default nginx site
file:
path: '/etc/nginx/sites-enabled/default'
state: 'absent'
notify: [ 'Test nginx and reload' ]
when: (nginx__deploy_state in [ 'present' ])
- name: Manage local server definitions - create symlinks
file:
src: '/etc/nginx/sites-local/{{ item.value }}'
path: '/etc/nginx/sites-enabled/{{ item.key }}'
state: 'link'
owner: 'root'
group: 'root'
mode: '0644'
when: (item.value and nginx__deploy_state in [ 'present' ])
with_dict: '{{ nginx_local_servers|d({}) }}'
notify: [ 'Test nginx and reload' ]
- name: Manage local server definitions - remove symlinks
file:
path: '/etc/nginx/sites-enabled/{{ item.key }}'
state: 'absent'
when: ((not item.value|d()) and nginx__deploy_state in [ 'present' ])
with_dict: '{{ nginx_local_servers|d({}) }}'
notify: [ 'Test nginx and reload' ]
# If nginx local facts are not present, assume that configuration
# is being reset and move all symlinks out of the way to prevent
# accidental failures because of old wrong configuration files
- name: Remove all configuration symlinks during config reset
shell: rm -f /etc/nginx/sites-enabled/*
args:
creates: '/etc/ansible/facts.d/nginx.fact'
warn: False
when: (nginx__deploy_state in [ 'present' ])
- name: Make sure that Ansible local facts directory is present
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: (nginx__deploy_state in [ 'present' ])
- name: Save nginx local facts
template:
src: 'etc/ansible/facts.d/nginx.fact.j2'
dest: '/etc/ansible/facts.d/nginx.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: nginx_register_local_facts
when: (nginx__deploy_state in [ 'present' ])
- name: Gather facts if they were modified
action: setup
when: (nginx_register_local_facts.changed and nginx__deploy_state in [ 'present' ])
- include: 'nginx_htpasswd.yml'
when: (nginx__deploy_state in [ 'present' ])
- include: 'nginx_configs.yml'
when: (nginx__deploy_state in [ 'present' ])
- include: 'nginx_servers.yml'
tags: [ 'role::nginx:servers' ]
when: (nginx__deploy_state in [ 'present' ])
- name: Make sure that PKI hook directory exists
file:
path: '{{ nginx_pki_hook_path }}'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: (nginx_pki|bool and nginx__deploy_state in [ 'present' ])
- name: Manage PKI nginx hook
template:
src: 'etc/pki/hooks/nginx.j2'
dest: '{{ nginx_pki_hook_path + "/" + nginx_pki_hook_name }}'
owner: 'root'
group: 'root'
mode: '0755'
when: (nginx_pki|bool and nginx__deploy_state in [ 'present' ])
- name: Ensure the PKI nginx hook is absent
file:
path: '{{ nginx_pki_hook_path }}'
state: 'absent'
when: (nginx__deploy_state in [ 'absent' ])
- name: Save nginx local facts
template:
src: 'etc/ansible/facts.d/nginx.fact.j2'
dest: '/etc/ansible/facts.d/nginx.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: nginx_register_local_facts
- name: Gather facts if they were modified
action: setup
when: (nginx_register_local_facts.changed and nginx__deploy_state in [ 'present' ])
- name: DebOps post_tasks hook
include: '{{ lookup("task_src", "nginx/post_main.yml") }}'
when: (nginx__deploy_state in [ 'present' ])