diff --git a/.travis.yml b/.travis.yml
index 4bd0c05..562b855 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,5 @@ +--- + env: - PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='ansible>=2.6,<2.7' - PLATFORM='docker-debian-buster' ANSIBLE_VERSION='ansible>=2.6,<2.7'
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 0000000..53974a0
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,6 @@ +--- + +extends: default + +rules: + line-length: disable
diff --git a/defaults/main.yml b/defaults/main.yml
index d106b14..70eb1c5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,7 +14,7 @@ nginx_log_dir: '/var/log/nginx' nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4'] nginx_resolver_valid: '300s' nginx_resolver_timeout: '5s' -nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log +nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log nginx_auto_config_httpv2: true nginx_default_site: null nginx_default_site_ssl: null
diff --git a/meta/main.yml b/meta/main.yml
index 43d12cf..0f3be65 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,4 +1,5 @@ --- + galaxy_info: author: Emilien Mantel description: Nginx for Debian / FreeBSD
@@ -6,25 +7,25 @@ galaxy_info: license: GPLv2 min_ansible_version: 2.11 platforms: - - name: Debian - versions: - - stretch - - buster - - bullseye - - name: FreeBSD - versions: - - 11.0 - - 11.1 - - 12.0 + - name: Debian + versions: + - stretch + - buster + - bullseye + - name: FreeBSD + versions: + - 11.0 + - 11.1 + - 12.0 galaxy_tags: - - web - - debian - - proxy - - http - - http2 - - https - - ssl - - tls - - nginx - - cdn + - web + - debian + - proxy + - http + - http2 + - https + - ssl + - tls + - nginx + - cdn dependencies: []
diff --git a/tasks/install_Debian.yml b/tasks/install_Debian.yml
index 0980fe2..93fb078 100644
--- a/tasks/install_Debian.yml
+++ b/tasks/install_Debian.yml
@@ -7,7 +7,7 @@ - name: APT | Update cache apt: - update_cache: yes + update_cache: true cache_valid_time: 3600 changed_when: false
@@ -33,22 +33,21 @@ - block: - - name: APT | Install git - apt: - pkg: git + - name: APT | Install git + apt: + pkg: git - - name: GIT | Get acme.sh - git: - repo: 'https://github.com/Neilpang/acme.sh.git' - dest: '{{ nginx_acmesh_git_dir }}' - update: no - version: master + - name: GIT | Get acme.sh + git: + repo: 'https://github.com/Neilpang/acme.sh.git' + dest: '{{ nginx_acmesh_git_dir }}' + update: false + version: master - - name: COMMAND | Install acme.sh - command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}" - args: - chdir: "{{ nginx_acmesh_git_dir }}" - creates: "{{ nginx_acmesh_dir }}" + - name: COMMAND | Install acme.sh + command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}" + args: + chdir: "{{ nginx_acmesh_git_dir }}" + creates: "{{ nginx_acmesh_dir }}" when: not acme.stat.exists -
diff --git a/tasks/install_FreeBSD.yml b/tasks/install_FreeBSD.yml
index f9310db..b0d0568 100644
--- a/tasks/install_FreeBSD.yml
+++ b/tasks/install_FreeBSD.yml
@@ -56,4 +56,4 @@ - name: SERVICE | Enable nginx service: name: nginx - enabled: yes + enabled: true
diff --git a/tasks/prepare.yml b/tasks/prepare.yml
index ec94cc1..cf3a8a7 100644
--- a/tasks/prepare.yml
+++ b/tasks/prepare.yml
@@ -6,7 +6,7 @@ executable: /bin/sh register: nginx_version changed_when: false - check_mode: no + check_mode: false tags: - skip_ansible_lint
@@ -22,7 +22,7 @@ executable: /bin/sh register: shell_modules changed_when: false - check_mode: no + check_mode: false tags: - skip_ansible_lint
diff --git a/tasks/ssl/acme.yml b/tasks/ssl/acme.yml
index eb5ded3..e18c1ff 100644
--- a/tasks/ssl/acme.yml
+++ b/tasks/ssl/acme.yml
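Review bot: In the `GIT | Get acme.sh` task, `version: master` together with `update: false` checks out whatever acme.sh HEAD happens to be on the first run and never moves it again, so every host ends up with an unpinned, non-reproducible copy of the ACME client that later issues the nginx certificates and writes their private keys (tasks/ssl/acme.yml). Pin it through a role variable holding a release tag, `version: "{{ nginx_acmesh_version }}"`, with the default declared in defaults/main.yml, so the checkout can be audited and bumped deliberately. As far as I know the upstream repository now lives under acmesh-official/acme.sh and the Neilpang URL only redirects, so the `repo` value is worth updating while this block is being touched. Note that `creates: "{{ nginx_acmesh_dir }}"` on the install task means a changed pin is not re-installed on hosts that already have it; a comment such as `# A new acme.sh pin only takes effect on hosts without nginx_acmesh_dir` above that task would save the next maintainer a surprise.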
@@ -20,79 +20,79 @@ - name: BLOCK | Start acme block: - - name: TEMPLATE | Create fake site - template: - src: "etc/nginx/conf.d/FAKESITE.conf.j2" - dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" - loop: "{{ acme_create }}" - register: fake_site + - name: TEMPLATE | Create fake site + template: + src: "etc/nginx/conf.d/FAKESITE.conf.j2" + dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" + loop: "{{ acme_create }}" + register: fake_site - - name: FILE | Delete current site if needed - file: - path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}" - state: absent - loop: "{{ acme_create }}" - when: fake_site.changed + - name: FILE | Delete current site if needed + file: + path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}" + state: absent + loop: "{{ acme_create }}" + when: fake_site.changed - - name: SERVICE | Restart nginx - service: - name: nginx - state: restarted - when: fake_site.changed and ansible_virtualization_type != 'docker' + - name: SERVICE | Restart nginx + service: + name: nginx + state: restarted + when: fake_site.changed and ansible_virtualization_type != 'docker' - - name: COMMAND | Restart nginx - command: service nginx restart - args: - warn: false - when: fake_site.changed and ansible_virtualization_type == 'docker' + - name: COMMAND | Restart nginx + command: service nginx restart + args: + warn: false + when: fake_site.changed and ansible_virtualization_type == 'docker' - - name: COMMAND | Get certificates - command: | - {{ nginx_acmesh_bin }} - --home {{ nginx_acmesh_dir }} - --issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %} - --nginx - {% if nginx_acmesh_test %}--test --log{% endif %} - args: - creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/fullchain.cer" - loop: "{{ acme_create }}" - register: acme_get - failed_when: acme_get.rc != 0 and acme_get.rc != 2 - no_log: 
"{{ not nginx_debug_role }}" + - name: COMMAND | Get certificates + command: | + {{ nginx_acmesh_bin }} + --home {{ nginx_acmesh_dir }} + --issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %} + --nginx + {% if nginx_acmesh_test %}--test --log{% endif %} + args: + creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/fullchain.cer" + loop: "{{ acme_create }}" + register: acme_get + failed_when: acme_get.rc != 0 and acme_get.rc != 2 + no_log: "{{ not nginx_debug_role }}" - - name: FILE | Create SSL dir per site - file: - path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}" - loop: "{{ acme_create }}" + - name: FILE | Create SSL dir per site + file: + path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}" + loop: "{{ acme_create }}" - - name: COMMAND | Install certificates - command: | - {{ nginx_acmesh_bin }} - --home {{ nginx_acmesh_dir }} - --install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }} - --fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }} - --key-file {{ item | nginx_key_path(nginx_ssl_dir) }} - --reloadcmd "service nginx reload" - args: - creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}" - loop: "{{ nginx_ssl_pairs }}" - when: item.acme is defined and item.acme - notify: restart nginx + - name: COMMAND | Install certificates + command: | + {{ nginx_acmesh_bin }} + --home {{ nginx_acmesh_dir }} + --install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }} + --fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }} + --key-file {{ item | nginx_key_path(nginx_ssl_dir) }} + --reloadcmd "service nginx reload" + args: + creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}" + loop: "{{ nginx_ssl_pairs }}" + when: item.acme is defined and item.acme + notify: restart nginx rescue: - - name: FAIL | Explicit - fail: - msg: "Something is bad... Auto crash!" 
+ - name: FAIL | Explicit + fail: + msg: "Something is bad... Auto crash!" always: - - name: FILE | Delete fake sites - file: - path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" - state: absent - loop: "{{ acme_create }}" - notify: restart nginx + - name: FILE | Delete fake sites + file: + path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" + state: absent + loop: "{{ acme_create }}" + notify: restart nginx - - name: META | Flush handlers - meta: flush_handlers + - name: META | Flush handlers + meta: flush_handlers
diff --git a/tasks/ssl/standard.yml b/tasks/ssl/standard.yml
index 17b75a1..ebc7e5a 100644
--- a/tasks/ssl/standard.yml
+++ b/tasks/ssl/standard.yml
@@ -5,7 +5,7 @@ - name: STAT | Get info about DH file stat: path: "{{ nginx_dh_path }}" - get_checksum: no + get_checksum: false register: stat_dh_file - name: SHELL | Get info about DH file
@@ -56,8 +56,6 @@ notify: restart nginx no_log: "{{ not nginx_debug_role }}" - - - name: COMMAND | Create self-signed certificates command: | openssl req
diff --git a/tests/includes/post_Debian.yml b/tests/includes/post_Debian.yml
index cd21505..ed97d53 100644
--- a/tests/includes/post_Debian.yml
+++ b/tests/includes/post_Debian.yml
@@ -1,2 +1 @@ --- -
diff --git a/tests/includes/post_FreeBSD.yml b/tests/includes/post_FreeBSD.yml
index cd21505..ed97d53 100644
--- a/tests/includes/post_FreeBSD.yml
+++ b/tests/includes/post_FreeBSD.yml
@@ -1,2 +1 @@ --- -
diff --git a/tests/includes/pre_Debian.yml b/tests/includes/pre_Debian.yml
index 967e2b7..e8e14ce 100644
--- a/tests/includes/pre_Debian.yml
+++ b/tests/includes/pre_Debian.yml
@@ -9,7 +9,7 @@ - name: APT | Install needed packages apt: pkg: "{{ packages }}" - update_cache: yes + update_cache: true cache_valid_time: 3600 state: present vars:
@@ -27,7 +27,7 @@ - name: APT | Install PHP apt: pkg: "{{ pkgs }}" - update_cache: yes + update_cache: true cache_valid_time: 3600 state: present vars:
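Review bot: The re-indented `FILE | Create SSL dir per site` task gives `file` a `path` but no `state`; `file` defaults to `state: file`, which creates nothing and, as far as I recall, fails outright when the path is absent, so the task does not do what its name says and the following `--install-cert ... --key-file {{ item | nginx_key_path(nginx_ssl_dir) }}` presumably has nowhere to write. Add `state: directory` and, because private keys land there, a restrictive `mode: '0750'` on that task. Separately, `args: warn: false` on `COMMAND | Restart nginx` was only restyled, but the `warn` option of command/shell was deprecated and, I believe, removed in ansible-core 2.14, which is above the `min_ansible_version: 2.11` in meta/main.yml; the same applies to the two proxy-protocol checks in tests/test.yml, so drop the option rather than rename its value. The enclosing `BLOCK | Start acme` task starts and ends inside this hunk.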
@@ -61,7 +61,7 @@ unarchive: src: "/tmp/ngrok.zip" dest: "/tmp" - remote_src: yes + remote_src: true - name: SET_FACT | ngrok_path set_fact:
@@ -70,7 +70,7 @@ - name: USER | Create PHP User foo user: name: foo - system: yes + system: true - name: INCLUDE_ROLE | HanXHX.php include_role:
diff --git a/tests/includes/pre_FreeBSD.yml b/tests/includes/pre_FreeBSD.yml
index 7a339fa..838d182 100644
--- a/tests/includes/pre_FreeBSD.yml
+++ b/tests/includes/pre_FreeBSD.yml
@@ -17,8 +17,6 @@ sockets: - host: '127.0.0.1' port: 9000 -# nginx_load_modules: -# - /usr/local/libexec/nginx/ngx_http_geoip_module.so ngrok_path: '/usr/local/bin/ngrok' - name: PKGNG | Install needed packages
@@ -30,22 +28,16 @@ - curl - daemonize - fcgiwrap -# - GeoIP - jq - nghttp2 - php74 - vim -#- name: COMMAND | Get geoip database -# command: geoipupdate.sh -# args: -# creates: /usr/local/share/GeoIP/GeoIP.dat - - name: SERVICE | Force start services service: name: "{{ item }}" state: started - enabled: yes + enabled: true register: sf loop: - php-fpm
diff --git a/tests/includes/pre_common.yml b/tests/includes/pre_common.yml
index 7760cd3..91793b9 100644
--- a/tests/includes/pre_common.yml
+++ b/tests/includes/pre_common.yml
@@ -24,7 +24,7 @@ lineinfile: line: "set mouse=" dest: "{{ item }}/.vimrc" - create: yes + create: true loop: - /root - /home/vagrant
diff --git a/tests/test.yml b/tests/test.yml
index 39ae35b..fb1a414 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -39,13 +39,13 @@ {% endif %} {% endfor %} dest: "/etc/hosts" - unsafe_writes: yes + unsafe_writes: true vars: -# Internal vars + # Internal vars int_ansible_ssl_dir: '/etc/ansible-ssl' -# Role vars - nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number + # Role vars + nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number nginx_apt_package: 'nginx-extras' nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] nginx_upstreams:
@@ -85,7 +85,7 @@ force: false - name: - 'test-ssl-predeployed.local' - - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme + - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme dest_key: "{{ int_ansible_ssl_dir }}/test.key" dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" - name: 'test-ssl.local'
@@ -154,7 +154,7 @@ - 'test-alias.local' - 'test2-alias.local' template: '_base' - filename : 'first-test' + filename: 'first-test' override_try_files: '$uri/ $uri =404' headers: 'X-Frame-Options': 'deny always'
@@ -283,15 +283,15 @@ roles: - ../../ post_tasks: -# -------------------------------- -# Apps -# -------------------------------- + # -------------------------------- + # Apps + # -------------------------------- - name: INCLUDE_TASKS | Post_tasks related to OS version include_tasks: "includes/post_{{ ansible_distribution }}.yml" -# -------------------------------- -# Deploy index files -# -------------------------------- + # -------------------------------- + # Deploy index files + # -------------------------------- - name: -- Add PHP file -- copy: dest: "{{ nginx_root }}/{{ item }}/public/index.php"
@@ -325,15 +325,16 @@ dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content: "hello\n" -# -------------------------------- -# Test custom facts -# -------------------------------- + # -------------------------------- + # Test custom facts + # -------------------------------- - name: -- CHECK FACTS -- assert: that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'" -# -------------------------------- -# Simple sites tests -# -------------------------------- + + # -------------------------------- + # Simple sites tests + # -------------------------------- - name: -- VERIFY SITES -- uri: url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
@@ -362,18 +363,18 @@ url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/" status_code: 301 follow_redirects: none - validate_certs: no + validate_certs: false loop: "{{ nginx_sites }}" when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto changed_when: false -# -------------------------------- -# PHP -# -------------------------------- + # -------------------------------- + # PHP + # -------------------------------- - name: -- VERIFY PHP SITES -- uri: url: "http://{{ item.name }}/" - return_content: yes + return_content: true register: p loop: "{{ nginx_sites }}" when: >
@@ -384,13 +385,13 @@ - name: -- VERIFY INDEX2 -- uri: url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" - return_content: yes + return_content: true register: p2 failed_when: p2.content.find('PHP Version') == -1 -# -------------------------------- -# Basic Auth -# -------------------------------- + # -------------------------------- + # Basic Auth + # -------------------------------- - name: -- VERIFY AUTH BASIC NONE -- uri: url: "http://test-htpasswd.local/hello/"
@@ -402,14 +403,14 @@ status_code: 401 user: "fail" password: "fail" - force_basic_auth: yes + force_basic_auth: true - name: -- VERIFY AUTH BASIC OK -- uri: url: "http://test-htpasswd.local/hello/" user: "hanx" password: "qwerty" - force_basic_auth: yes + force_basic_auth: true - name: -- VERIFY AUTH BASIC FAIL GLOBAL -- uri:
@@ -417,23 +418,23 @@ status_code: 401 user: "fail" password: "fail" - force_basic_auth: yes + force_basic_auth: true - name: -- VERIFY AUTH BASIC OK GLOBAL -- uri: url: "http://test-htpasswd-all.local/" user: "hanx" password: "qwerty" - force_basic_auth: yes + force_basic_auth: true -# -------------------------------- -# SSL -# -------------------------------- + # -------------------------------- + # SSL + # -------------------------------- - name: -- VERIFY SSL -- uri: url: "https://{{ item }}/" - return_content: yes - validate_certs: no + return_content: true + validate_certs: false register: sslok failed_when: sslok.content.find('Index HTML test OK') == -1 loop:
@@ -445,9 +446,9 @@ - name: -- VERIFY SSL REDIRECT -- uri: url: "http://{{ item.name }}/" - validate_certs: no + validate_certs: false status_code: 301 - return_content: yes + return_content: true follow_redirects: none register: sslredirok failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
@@ -458,13 +459,13 @@ - name: 'test-ssl-redirect-many2.local' port: '8443' -# -------------------------------- -# Default sites -# -------------------------------- + # -------------------------------- + # Default sites + # -------------------------------- - name: -- VERIFY DEFAULT SITE -- uri: url: 'http://127.0.0.1/' - return_content: yes + return_content: true register: vdefault failed_when: > vdefault.content.find('Index HTML test OK') == -1 or
@@ -473,7 +474,7 @@ - name: -- VERIFY DEFAULT SITE + STUB STATUS-- uri: url: 'http://127.0.0.1/status' - return_content: yes + return_content: true register: vdefault_status failed_when: > vdefault_status.content.find('Active connections') == -1 or
@@ -482,8 +483,8 @@ - name: -- VERIFY DEFAULT SSL SITE -- uri: url: 'https://127.0.0.1/' - return_content: yes - validate_certs: no + return_content: true + validate_certs: false register: vdefault failed_when: > vdefault.content.find('Index HTML test OK') == -1 or 
@@ -492,55 +493,46 @@ - name: -- VERIFY NOT DEFAULT SITE -- uri: url: 'http://test-php.local/' - return_content: yes + return_content: true register: vphp failed_when: vphp.x_ansible_default is defined - name: -- VERIFY NOT DEFAULT SSL SITE -- uri: url: 'https://test-ssl.local/' - return_content: yes - validate_certs: no + return_content: true + validate_certs: false register: notdefaultssl failed_when: notdefaultssl.x_ansible_default is defined - -# -------------------------------- -# Check Proxy protocol -# -------------------------------- - -# Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument - + # -------------------------------- + # Check Proxy protocol + # Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument + # -------------------------------- - block: - - name: SHELL | Check HTTP proxy protocol - shell: curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/sh - warn: no - changed_when: false - tags: - - skip_ansible_lint + - name: SHELL | Check HTTP proxy protocol + shell: curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/sh + warn: false + changed_when: false - - name: SHELL | Check HTTPS proxy protocol - shell: curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/sh - warn: no - changed_when: false - tags: - - skip_ansible_lint + - name: SHELL | Check HTTPS proxy protocol + shell: curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/sh + warn: false + changed_when: false when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq')) -# -------------------------------- -# Check HTTP2 -# -------------------------------- + # 
-------------------------------- + # Check HTTP2 + # -------------------------------- - name: SHELL | Check HTTP2 shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2 args: executable: /bin/sh changed_when: false when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules - tags: - - skip_ansible_lint
diff --git a/vars/Debian.yml b/vars/Debian.yml
index b904ff2..d01aec5 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,3 +1,5 @@ +--- + nginx_events_use: 'epoll' nginx_pid: '/run/nginx.pid' nginx_etc_dir: '/etc/nginx'
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index f57bd00..e615e95 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -1,3 +1,5 @@ +--- + nginx_events_use: 'kqueue' nginx_pid: '/var/run/nginx.pid' nginx_etc_dir: '/usr/local/etc/nginx'
diff --git a/vars/main.yml b/vars/main.yml
index 0c1c288..92d3d99 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,5 @@ +--- + nginx_upstream_server_params: - key: 'weight' default: 1
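Review bot: The `skip_ansible_lint` tags are removed from the three `shell` checks in this hunk while the same tag stays on the two tasks in tasks/prepare.yml (visible as context in its hunks), so the role is now only half-migrated and it is unclear whether the suppression is still wanted. Since these tasks are left as piped `shell` invocations, ansible-lint will presumably report them again once the tag is gone (a pipe under `/bin/sh` with no pipefail is a common finding), so either keep the tag consistently or convert the checks to `command` with a registered result and a `failed_when` on the output. If the tag is dropped on purpose, say so in a comment above the proxy-protocol block, e.g. `# Lint findings here are accepted: curl exit status is covered by the grep in the pipeline`. The proxy-protocol block starts on the previous page line, outside this chunk's visible boundary.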