/
main.yml
239 lines (204 loc) · 9.2 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
# Variables for nginx role
---
# These are paramters to the role
# and should be overridden
nginx_sites: []
# If you want to install multiple sites with nginx_site but enable
# them yourself (if you're using a single build for multiple deploys)
# you can skip having them link into sites-enabled and do it during boot.
nginx_skip_enable_sites: False
nginx_redirects: {}
nginx_extra_sites: []
nginx_extra_configs: []
NGINX_CMS_CLIENT_MAX_BODY_SIZE: 100M
NGINX_LMS_CLIENT_MAX_BODY_SIZE: 20M
NGINX_FORUM_CLIENT_MAX_BODY_SIZE: 1M
NGINX_EDXAPP_EXTRA_SITES: []
NGINX_EDXAPP_EXTRA_CONFIGS: []
# Override these vars to alter the memory allocated to map_hash
NGINX_OVERRIDE_DEFAULT_MAP_HASH_SIZE: False
NGINX_MAP_HASH_MAX_SIZE: 2048
NGINX_MAP_HASH_BUCKET_SIZE: 64
# Override these vars to alter the memory allocated to server_names_hash
NGINX_OVERRIDE_DEFAULT_SERVER_NAMES_HASH_SIZE: False
NGINX_SERVER_NAMES_HASH_BUCKET_SIZE: 64
# Override these vars for adding user to nginx.htpasswd
NGINX_USERS:
- name: "{{ COMMON_HTPASSWD_USER }}"
password: "{{ COMMON_HTPASSWD_PASS }}"
state: present
# Override these vars for adding user to nginx.htpasswd
# for prospectus preview basic auth
PROSPECTUS_PREVIEW_HTPASSWD_USER: "{{ COMMON_HTPASSWD_USER }}"
PROSPECTUS_PREVIEW_HTPASSWD_PASS: "{{ COMMON_HTPASSWD_PASS }}"
PROSPECTUS_PREVIEW_NGINX_USERS:
- name: "{{ PROSPECTUS_PREVIEW_HTPASSWD_USER }}"
password: "{{ PROSPECTUS_PREVIEW_HTPASSWD_PASS }}"
state: present
NGINX_ENABLE_IPV6: True
NGINX_ENABLE_SSL: False
NGINX_REDIRECT_TO_HTTPS: False
# Disable handling IP disclosure for private IP addresses. This is needed by ELB to run the health checks while using `NGINX_ENABLE_SSL`.
NGINX_ALLOW_PRIVATE_IP_ACCESS: False
NGINX_HSTS_MAX_AGE: 31536000
# Set these to real paths on your
# filesystem, otherwise nginx will
# use a self-signed snake-oil cert
#
# To use a certificate chain add the contents
# to your certificate:
#
# cat www.example.com.crt bundle.crt > www.example.com.chained.crt
# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
# It should be set to one of !!null, "scheme" or "forward_for_proto"
NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'
NGINX_SSL_CIPHERS: "'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA'"
NGINX_SSL_PROTOCOLS: "TLSv1.1 TLSv1.2"
NGINX_DH_PARAMS_PATH: "/etc/ssl/private/dhparams.pem"
NGINX_DH_KEYSIZE: 2048
NGINX_ENABLE_REQUEST_TRACKING_ID: False
# This can be one of 'p_combined' or 'ssl_combined' by default. If you
# wish to specify your own format then define it in a configuration file
# located under `nginx_conf_dir` and then use the format name specified
# in your configuration file.
NGINX_LOG_FORMAT_NAME: 'p_combined'
# When set to False, nginx will pass X-Forwarded-For, X-Forwarded-Port,
# and X-Forwarded-Proto headers through to the backend unmodified.
# This is desired when nginx is deployed behind another load balancer
# which takes care of properly setting the X-Forwarded-* headers.
# When there is no other load balancer in front of nginx, set this
# variable to True to force nginx to set the values of the X-Forwarded-*
# headers to reflect the properties of the incoming request.
NGINX_SET_X_FORWARDED_HEADERS: False
# Increasing these values allows studio to process more complex operations.
# Default timeouts limit CMS connections to 60 seconds.
NGINX_CMS_PROXY_CONNECT_TIMEOUT: !!null
NGINX_CMS_PROXY_SEND_TIMEOUT: !!null
NGINX_CMS_PROXY_READ_TIMEOUT: 60s
NGINX_LMS_PROXY_READ_TIMEOUT: 60s
NGINX_FORUM_PROXY_READ_TIMEOUT: 60s
NGINX_SERVER_ERROR_IMG: 'https://upload.wikimedia.org/wikipedia/commons/thumb/1/11/Pendleton_Sinking_Ship.jpg/640px-Pendleton_Sinking_Ship.jpg'
NGINX_SERVER_ERROR_IMG_ALT: ''
NGINX_SERVER_ERROR_LANG: 'en'
NGINX_SERVER_ERROR_STYLE_H1: 'font-family: "Helvetica Neue",Helvetica,Roboto,Arial,sans-serif; margin-bottom: .3em; font-size: 2.0em; line-height: 1.25em; text-rendering: optimizeLegibility; font-weight: bold; color: #000000;'
NGINX_SERVER_ERROR_STYLE_P_H2: 'font-family: "Helvetica Neue",Helvetica,Roboto,Arial,sans-serif; margin-bottom: .3em; line-height: 1.25em; text-rendering: optimizeLegibility; font-weight: bold; font-size: 1.8em; color: #5b5e63;'
NGINX_SERVER_ERROR_STYLE_P: 'font-family: Georgia,Cambria,"Times New Roman",Times,serif; margin: auto; margin-bottom: 1em; font-weight: 200; line-height: 1.4em; font-size: 1.1em; max-width: 80%;'
NGINX_SERVER_ERROR_STYLE_DIV: 'margin: auto; width: 800px; text-align: center; padding:20px 0px 0px 0px;'
NGINX_SERVER_HTML_FILES_TEMPLATE: "edx/var/nginx/server-static/server-template.j2"
NGINX_SERVER_HTML_FILES:
- file: rate-limit.html
lang: "{{ NGINX_SERVER_ERROR_LANG }}"
title: 'Rate limit exceeded'
msg: 'We are aware of the error and are working to find a resolution.'
img: "{{ NGINX_SERVER_ERROR_IMG }}"
img_alt: "{{ NGINX_SERVER_ERROR_IMG_ALT }}"
heading: 'Uh oh, we are having some server issues..'
style_h1: "{{ NGINX_SERVER_ERROR_STYLE_H1 }}"
style_p_h2: "{{ NGINX_SERVER_ERROR_STYLE_P_H2 }}"
style_p: "{{ NGINX_SERVER_ERROR_STYLE_P }}"
style_div: "{{ NGINX_SERVER_ERROR_STYLE_DIV }}"
- file: server-error.html
lang: "{{ NGINX_SERVER_ERROR_LANG }}"
title: 'Server error'
msg: 'We are aware of the error and are working to find a resolution.'
img: "{{ NGINX_SERVER_ERROR_IMG }}"
img_alt: "{{ NGINX_SERVER_ERROR_IMG_ALT }}"
heading: 'Uh oh, we are having some server issues..'
style_h1: "{{ NGINX_SERVER_ERROR_STYLE_H1 }}"
style_p_h2: "{{ NGINX_SERVER_ERROR_STYLE_P_H2 }}"
style_p: "{{ NGINX_SERVER_ERROR_STYLE_P }}"
style_div: "{{ NGINX_SERVER_ERROR_STYLE_DIV }}"
NGINX_SERVER_STATIC_FILES: []
NGINX_APT_REPO: deb http://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
nginx_server_static_dir: "{{ nginx_data_dir }}/server-static"
nginx_server_cache_dir: "{{ nginx_data_dir }}/cache"
nginx_conf_dir: "{{ nginx_app_dir }}/conf.d"
nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
nginx_sites_enabled_dir: "/etc/nginx/sites-enabled"
nginx_user: root
nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"
nginx_default_sites: []
nginx_release_specific_debian_pkgs:
xenial:
- python-passlib
- python3-passlib
bionic:
- python-passlib
focal:
- python3-passlib
nginx_debian_pkgs: "{{ nginx_release_specific_debian_pkgs[ansible_distribution_release] }}"
NGINX_EDXAPP_ENABLE_S3_MAINTENANCE: False
nginx_default_error_page: "/server/server-error.html"
NGINX_EDXAPP_ERROR_PAGES:
"500": "{{ nginx_default_error_page }}"
"502": "{{ nginx_default_error_page }}"
"504": "{{ nginx_default_error_page }}"
NGINX_EDXAPP_PROXY_INTERCEPT_ERRORS: false
NGINX_EDXAPP_FAVICON_PATH: "/static/{{ NGINX_EDXAPP_DEFAULT_SITE_THEME }}images/favicon.ico"
CMS_HOSTNAME: '~^((stage|prod)-)?studio.*'
nginx_template_dir: "edx/app/nginx/sites-available"
nginx_xqueue_gunicorn_hosts:
- 127.0.0.1
nginx_lms_gunicorn_hosts:
- 127.0.0.1
nginx_lms_preview_gunicorn_hosts:
- 127.0.0.1
nginx_cms_gunicorn_hosts:
- 127.0.0.1
nginx_analytics_api_gunicorn_hosts:
- 127.0.0.1
nginx_insights_gunicorn_hosts:
- 127.0.0.1
nginx_gitreload_gunicorn_hosts:
- 127.0.0.1
nginx_edx_notes_api_gunicorn_hosts:
- 127.0.0.1
nginx_ecommerce_gunicorn_hosts:
- 127.0.0.1
nginx_credentails_gunicorn_hosts:
- 127.0.0.1
NGINX_ROBOT_RULES: [ ]
NGINX_EDXAPP_EMBARGO_CIDRS: []
NGINX_P3P_MESSAGE: 'CP="Open edX does not have a P3P policy."'
COMMON_ENABLE_BASIC_AUTH: False
REDIRECT_NGINX_PORT: "{{ EDXAPP_LMS_NGINX_PORT }}"
REDIRECT_SSL_NGINX_PORT: "{{ EDXAPP_LMS_SSL_NGINX_PORT }}"
ECOMMERCE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_CMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_LMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
KIBANA_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
PROSPECTUS_PREVIEW_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
XQUEUE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
NGINX_CREATE_HTPASSWD_FILE: >
{{
ECOMMERCE_ENABLE_BASIC_AUTH|bool or
EDXAPP_CMS_ENABLE_BASIC_AUTH|bool or
EDXAPP_LMS_ENABLE_BASIC_AUTH|bool or
EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH|bool or
KIBANA_ENABLE_BASIC_AUTH|bool or
XQUEUE_ENABLE_BASIC_AUTH|bool
}}
# Extra settings to add to site configuration for Studio
NGINX_EDXAPP_CMS_APP_EXTRA: ""
# Extra settings to add to site configuration for LMS
NGINX_EDXAPP_LMS_APP_EXTRA: ""
# If comprehensive theme enabled, write down the name of
# the theme as in EDXAPP_DEFAULT_SITE_THEME ending with /
# to allow to override favicon properly.
# Example: "your-site-theme/"
NGINX_EDXAPP_DEFAULT_SITE_THEME: ""
# List of subnet or IP addressess to allow to access admin endpoints
NGINX_ADMIN_ACCESS_CIDRS: []
# Set trusted network subnets or IP addresses to send correct replacement addresses
NGINX_TRUSTED_IP_CIDRS: "0.0.0.0/0"
EDXAPP_SET_PROXY_BUFFER_SIZE: False
EDXAPP_PROXY_BUFFER_SIZE: 128k
EDXAPP_PROXY_BUFFERS_SIZE: 256k
EDXAPP_PROXY_BUFFERS_NUMBER: 4
EDXAPP_PROXY_BUSY_BUFFERS_SIZE: 256k