From da08953a27e26cb59d623177a03cb40c0f2bfbc2 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Sun, 23 Aug 2020 15:44:53 +0200 Subject: [PATCH 1/4] Drop Backuppc support --- doc/site.md | 1 - .../etc/nginx/sites-available/_backuppc.j2 | 33 ------------------- tests/includes/post_Debian.yml | 16 --------- tests/includes/post_FreeBSD.yml | 21 ------------ tests/includes/pre_Debian.yml | 6 ---- tests/includes/pre_FreeBSD.yml | 2 -- tests/test.yml | 17 ---------- vars/Debian.yml | 3 -- vars/FreeBSD.yml | 3 -- vars/main.yml | 1 - 10 files changed, 103 deletions(-) delete mode 100644 templates/etc/nginx/sites-available/_backuppc.j2 diff --git a/doc/site.md b/doc/site.md index a3201c8..c3fb834 100644 --- a/doc/site.md +++ b/doc/site.md @@ -41,7 +41,6 @@ Templates --------- - `_base`: static template -- `_backuppc`: access to [BackupPC](http://backuppc.sourceforge.net/) (be careful: you need to install [fcgiwrap](https://packages.debian.org/stretch/fcgiwrap)) - `_dokuwiki` - `_redirect`: should not be called explicitly - `_phalcon`: Phalcon PHP Framework diff --git a/templates/etc/nginx/sites-available/_backuppc.j2 b/templates/etc/nginx/sites-available/_backuppc.j2 deleted file mode 100644 index 3ead87d..0000000 --- a/templates/etc/nginx/sites-available/_backuppc.j2 +++ /dev/null @@ -1,33 +0,0 @@ -{% extends "_base.j2" %} - -{% block root %} - root /usr/share/backuppc/cgi-bin; -{% endblock %} - -{% block template_try_files %} -{% endblock %} - -{% block template_index %} - index index.cgi; -{% endblock %} - -{% block template_local_content %} - location ~ /\.ht { - deny all; - } - - location /backuppc/image { - alias /usr/share/backuppc/image; - expires 60d; - } -{% endblock %} - -{% block template_upstream_location %} - location ~ \.cgi$ { - gzip off; - include fastcgi.conf; - fastcgi_pass unix:/var/run/fcgiwrap.socket; - fastcgi_index BackupPC_Admin; - fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name; - } -{% endblock %} 
diff --git a/tests/includes/post_Debian.yml b/tests/includes/post_Debian.yml index 027a424..849169c 100644 --- a/tests/includes/post_Debian.yml +++ b/tests/includes/post_Debian.yml @@ -1,19 +1,3 @@ --- -- name: APT | Install webapps and related tools - apt: - pkg: "{{ packages }}" - state: present - install_recommends: no - vars: - packages: - - backuppc - - samba-common-bin - - smbclient -- name: SERVICE | Ensure backuppc is started - service: - name: backuppc - state: started - register: b - failed_when: b.failed and 'Another BackupPC is running' not in b.msg diff --git a/tests/includes/post_FreeBSD.yml b/tests/includes/post_FreeBSD.yml index dae3e9d..cd21505 100644 --- a/tests/includes/post_FreeBSD.yml +++ b/tests/includes/post_FreeBSD.yml @@ -1,23 +1,2 @@ --- -#- name: APT | Install web apps -# pkgng: -# name: "backuppc" -# state: present -# -#- name: COMMAND | Activate backuppc config -# command: > -# cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl -# creates=/usr/local/etc/backuppc/config.pl -# -#- name: FILE | Fix backuppc permissions -# file: -# path: /usr/local/etc/backuppc/config.pl -# owner: backuppc -# group: backuppc -# -# -# We don't manage BackupPC on FreeBSD... too dirty. :/ -# -#- name: SERVICE | Ensure backuppc is started -# service: name=backuppc state=started enabled=yes diff --git a/tests/includes/pre_Debian.yml b/tests/includes/pre_Debian.yml index 967e2b7..a5074e6 100644 --- a/tests/includes/pre_Debian.yml +++ b/tests/includes/pre_Debian.yml @@ -17,7 +17,6 @@ - cron - curl - daemonize - - fcgiwrap - jq - nghttp2 - strace @@ -40,11 +39,6 @@ changed_when: false register: cur_php_version -- name: SERVICE | Force start fcgiwrap - service: - name: "fcgiwrap" - state: started - # Bypasses Ansible+Docker issue. With service module... php is not really started! - name: COMMAND | Force start PHP command: "service php{{ cur_php_version.stdout }}-fpm start" 
diff --git a/tests/includes/pre_FreeBSD.yml b/tests/includes/pre_FreeBSD.yml index 7a339fa..25f2a1a 100644 --- a/tests/includes/pre_FreeBSD.yml +++ b/tests/includes/pre_FreeBSD.yml @@ -29,7 +29,6 @@ packages: - curl - daemonize - - fcgiwrap # - GeoIP - jq - nghttp2 @@ -49,7 +48,6 @@ register: sf loop: - php-fpm - - fcgiwrap - name: STAT | Check ports stat: diff --git a/tests/test.yml b/tests/test.yml index a2315bd..39ae35b 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -229,9 +229,6 @@ state: 'absent' - name: 'redirect-to.local' redirect_to: 'http://test.local' - - name: 'backuppc.local' - template: '_backuppc' - htpasswd: 'hello' - name: 'test-ssl.local' proto: ['http', 'https'] template: '_base' @@ -429,20 +426,6 @@ password: "qwerty" force_basic_auth: yes -# -------------------------------- -# BackupPC -# -------------------------------- - - name: -- VERIFY BACKUPPC -- - uri: - url: "http://backuppc.local/" - user: "hanx" - password: "qwerty" - force_basic_auth: yes - return_content: yes - register: authbpc - when: ansible_distribution != 'FreeBSD' - failed_when: authbpc.content.find('BackupPC Server Status') == -1 - # -------------------------------- # SSL # -------------------------------- diff --git a/vars/Debian.yml b/vars/Debian.yml index b904ff2..4f7c86f 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,6 +1,3 @@ nginx_events_use: 'epoll' nginx_pid: '/run/nginx.pid' nginx_etc_dir: '/etc/nginx' - -# Specific sites -nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket' diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml index f57bd00..67b8f9e 100644 --- a/vars/FreeBSD.yml +++ b/vars/FreeBSD.yml @@ -2,7 +2,4 @@ nginx_events_use: 'kqueue' nginx_pid: '/var/run/nginx.pid' nginx_etc_dir: '/usr/local/etc/nginx' -# Specific sites -nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock' - nginx_acmesh_bin: '/usr/local/sbin/acme.sh' diff --git a/vars/main.yml b/vars/main.yml index 3d7a7aa..0c1c288 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -40,7 +40,6 @@ nginx_dirs: owner: "root" nginx_templates_no_dir: - - '_backuppc' - '_proxy' nginx_servers_default_headers: From 204e95725e288158db216bfab23f64ee43a7fe71 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Sun, 23 Aug 2020 16:22:33 +0200 Subject: [PATCH 2/4] Manage custom templates for sites Issue #12 related --- tasks/site.yml | 14 ++++++-- tests/templates/custom_template.conf.j2 | 16 +++++++++ tests/test.yml | 44 +++++++++++++++++++++---- 3 files changed, 66 insertions(+), 8 deletions(-) create mode 100644 tests/templates/custom_template.conf.j2 diff --git a/tasks/site.yml b/tasks/site.yml index eb7d4d0..eb0573b 100644 --- a/tasks/site.yml +++ b/tasks/site.yml @@ -39,12 +39,22 @@ loop_control: label: "{{ item | nginx_site_name }}" -- name: TEMPLATE | Create sites +- name: TEMPLATE | Create sites with preconfigured template template: src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2" dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}" notify: ['reload nginx', 'restart nginx freebsd'] - when: item.state is not defined or item.state != 'absent' + when: (item.state is not defined or item.state != 'absent') and item.custom_template is not defined + loop: "{{ nginx_sites }}" + loop_control: + label: "{{ item | nginx_site_name }}" + +- name: TEMPLATE | Create sites with preconfigured template + template: + src: "{{ item.custom_template }}" + dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}" + notify: ['reload nginx', 'restart nginx freebsd'] + when: (item.state is not defined or item.state != 'absent') and item.custom_template is defined loop: "{{ nginx_sites }}" loop_control: label: "{{ item | nginx_site_name }}" diff --git a/tests/templates/custom_template.conf.j2 b/tests/templates/custom_template.conf.j2 new file mode 100644 index 0000000..9c19619 --- /dev/null +++ b/tests/templates/custom_template.conf.j2 
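Review bot: The second added task reuses the name `TEMPLATE | Create sites with preconfigured template` although it renders `item.custom_template`, so a run log cannot tell which path wrote a site file; it should read `- name: TEMPLATE | Create sites with custom template`. A site that sets `custom_template` now skips the role's own templates, so keys the pre-built templates presumably implement (`htpasswd`, `hsts`, `redirect_https`, `redirect_to`) appear to be ignored without warning. An operator who adds `custom_template` to a site that relied on `htpasswd` could end up publishing it unauthenticated. A pre-flight `assert` over `nginx_sites` that rejects `custom_template` combined with `template` or `redirect_to` would make the exclusivity explicit. The rest of tasks/site.yml is outside the hunk, so whether later tasks still act on those keys is not visible here.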
@@ -0,0 +1,16 @@ +# {{ ansible_managed }} - custom template + +server { + listen 80; + listen 8888 http2; + listen 9999 http2 proxy_protocol; + server_name {{ item.name }}; + + index index.html index.htm; + + root {{ item.root }}; + + location / { + try_files $uri $uri/ =404; + } +} diff --git a/tests/test.yml b/tests/test.yml index 39ae35b..4d9de65 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -277,6 +277,9 @@ ssl_name: '{{ ngrok.stdout }}' headers: 'X-acme': '1' + - name: 'test-custom-template.local' + custom_template: 'templates/custom_template.conf.j2' + root: '/tmp/custom-template' nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}" nginx_dh_length: 1024 @@ -301,6 +304,14 @@ - 'test-php-index.local' - 'test-php-index2.local' + - name: -- Add Directories -- + file: + path: "{{ item }}" + state: directory + loop: + - "{{ nginx_root }}/test-htpasswd.local/public/hello" + - "/tmp/custom-template" + - name: -- Add HTML file -- copy: dest: "{{ item }}/index.html" @@ -314,11 +325,7 @@ - '{{ nginx_root }}/test-ssl-predeployed.local/public' - '{{ nginx_root }}/test-ssl-proxy-protocol.local/public' - '{{ nginx_root }}/{{ ngrok.stdout }}/public' - - - name: -- Create directory -- - file: - path: "{{ nginx_root }}/test-htpasswd.local/public/hello" - state: directory + - '/tmp/custom-template' - name: -- Add HTML file hello -- copy: @@ -536,7 +543,7 @@ # -------------------------------- # Check HTTP2 # -------------------------------- - - name: SHELL | Check HTTP2 + - name: SHELL | Check HTTPS HTTP2 shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2 args: executable: /bin/sh 
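Review bot: The `listen 9999 http2 proxy_protocol;` line accepts a PROXY header from any peer that can reach the port, and nothing in the server block says which upstream is trusted to send it. This fixture is the only in-tree example of a custom template, and the example added to doc/site.md in patch 4/4 pairs the same kind of listener with `allow {{ item.allow_admin }}; deny all;`, so it is worth showing the realip pairing here: `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`. Without them nginx evaluates `allow`/`deny` against the address of the connecting proxy rather than the client, so an ACL written for client networks does not do what it says. Separately, `server_name {{ item.name }};` renders a list literal when `name` is given as a list, which doc/site.md permits; a comment stating that custom templates receive the raw `item` would help.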
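Review bot: The new site uses `root: '/tmp/custom-template'` (hunk `@@ -277,6 +277,9 @@`), which puts the docroot at a fixed name in a world-writable directory. The `-- Add Directories --` and `-- Add HTML file --` hunks that follow create and populate it, and the `file` task sets no `mode` or `owner`. In the CI container that is probably harmless, but tests/test.yml doubles as the usage example, and on a shared host another local user could create that path first. Keeping it next to the other sites, e.g. `root: '{{ nginx_root }}/test-custom-template.local/public'` with the same path in both loops, avoids that.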
@@ -544,3 +551,28 @@ when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules tags: - skip_ansible_lint + + + - block: + + - name: SHELL | Check HTTP2C (on custom template) + shell: curl --http2-prior-knowledge http://localhost:8888 + args: + executable: /bin/sh + warn: no + changed_when: false + when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules + tags: + - skip_ansible_lint + + - name: SHELL | Check HTTP2C + proxy protocol (on custom template) + shell: curl --http2-prior-knowledge --haproxy-protocol http://localhost:9999 + args: + executable: /bin/sh + warn: no + changed_when: false + when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules + tags: + - skip_ansible_lint + + when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq')) From 0f8688f290c12adaa53b85e0c0ad1750f03a7982 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Sun, 23 Aug 2020 17:35:44 +0200 Subject: [PATCH 3/4] Travis: don't install ansible buggy versions --- .travis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 4bd0c05..171f438 100644 --- a/.travis.yml +++ b/.travis.yml 
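Review bot: Both new `curl` checks pass whenever the connection succeeds, because curl exits 0 on a 404 or 500 unless `--fail` is given, so a custom template that renders but serves the wrong root would still go green. Adding `--fail --silent --show-error --output /dev/null` to each command, e.g. `shell: curl --fail --silent --show-error --output /dev/null --http2-prior-knowledge http://localhost:8888`, makes the status code part of the assertion. The requests also carry no `Host: test-custom-template.local` header, so they only exercise the custom site while no other server listens on 8888 or 9999. The `when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules` condition is repeated on both tasks and could be folded into the block's own `when`.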
@@ -3,10 +3,10 @@ env: - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.6,<2.7' - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.7,<2.8' - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.7,<2.8' - - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.8,<2.9' - - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.8,<2.9' - - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.9,<2.10' - - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.9,<2.10' + - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.8,<2.9,!=2.8.14' + - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.8,<2.9,!=2.8.14' + - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.9,<2.10,!=2.9.12' + - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.9,<2.10,!=2.9.12' matrix: fast_finish: true From 40ebe61c57f97a09664ad851d618aed42e4fc443 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Sun, 23 Aug 2020 18:10:34 +0200 Subject: [PATCH 4/4] Add doc for custom site templates --- doc/site.md | 95 +++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 82 insertions(+), 13 deletions(-) diff --git a/doc/site.md b/doc/site.md index c3fb834..8f8c940 100644 --- a/doc/site.md +++ b/doc/site.md 
@@ -9,14 +9,30 @@ Common ------ - `name`: (M) Domain or list of domain used. -- `template`: (D) template used to create site. Optional if you set `state`=`absent` or using `redirect_to`. -- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation. - `state`: (O) Site status. Can be "present" (default), "absent" and "disabled". +- `filename`: (O) Specify filename in `/etc/nginx/sites-*`. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation. + +(O): Optional +(M): Mandatory +(D): Depends other keys... + +You can use 2 config (at the same time time): + +- pre-built: Some configuration are templated (Wordpress, Symfony...), auto create root dir, perform an "A+" on ssllabs for https... etc +- custom: Push your own site config template. Usefull when you have a complex configuration. + + +Pre-built site config +--------------------- + +# Keys + +- `template`: (M) template used to create site. Optional if you set `state`=`absent` or using `redirect_to`. - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme). - `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html). - `redirect_to_code`: Redirect code (default: 302) -- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```. +- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to `['https']`. - `location`: (O) Add new custom locations (it does not overwrite!) 
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)). - `location_before`: (O) Add new custom locations before generated location by template @@ -33,12 +49,7 @@ Common - `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port. - `hsts` (O) overwrite default header for hsts -(O): Optional -(M): Mandatory -(D): Depends other keys... - -Templates ---------- +### Templates - `_base`: static template - `_dokuwiki` @@ -51,8 +62,7 @@ Templates Templates works as parent-child. -About proxy template --------------------- +### About proxy template Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins... @@ -63,10 +73,69 @@ You have many key added to site key: (O) : Optional -Default sites --------------- +### Default sites You can manage default site by setting domain name to these variables. - `nginx_default_site` - `nginx_default_site_ssl` + +*IT WORKS ONLY WITH PRE-BUIT SITES* + + +### Example + + +```yaml +- nginx_sites: + - name: 'mywebsite.com' + template: '_wordpress' + headers: + x-ansibled: '1' + manage_local_content: false +``` + + +Custom site config +------------------ + +### Keys + +- `custom_template`: (M) template path used + +You can add some extra infos if needed. + +### Example: + +```yaml +- nginx_sites: + - name: 'mycustom-website.com' + custom_template: 'my/template_dir/the-template.conf.j2' + allow_admin: '192.168.0.0/24' +``` + +In `my/template_dir/the-template.conf.j2`: + +``` +# +# {{ ansible_managed }} - {{ item.name }} +# + +server { + listen 8080 http2 proxy_protocol; + server_name {{ item.name }}; + index index.html; + root /var/www/{{ item.name }}; + + location / { + try_files $uri $uri/ =404; + } + + location /admin { + allow {{ item.allow_admin }}; + deny all; + } +} +``` + +