Fix Ansible Lint

debian_11
Emilien Mantel 2021-09-01 11:58:39 +02:00
parent a2780d3d95
commit 8c6c4dc813
13 changed files with 113 additions and 111 deletions

2
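--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,2 @@
+enable_list:
+- fqcn-builtins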


@ -1,46 +1,46 @@
--- ---
- name: reload nginx - name: reload nginx
command: nginx -t ansible.builtin.command: nginx -t
notify: notify:
- real-reload nginx - real-reload nginx
- docker reload nginx - docker reload nginx
- name: restart nginx - name: restart nginx
command: nginx -t ansible.builtin.command: nginx -t
notify: notify:
- real-restart nginx - real-restart nginx
- docker restart nginx - docker restart nginx
- name: real-reload nginx - name: real-reload nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: reloaded state: reloaded
when: ansible_virtualization_type != 'docker' when: ansible_virtualization_type != 'docker'
- name: real-restart nginx - name: real-restart nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
when: ansible_virtualization_type != 'docker' when: ansible_virtualization_type != 'docker'
- name: docker reload nginx - name: docker reload nginx
command: service nginx reload ansible.builtin.command: service nginx reload
args: args:
warn: false warn: false
when: ansible_virtualization_type == 'docker' when: ansible_virtualization_type == 'docker'
- name: docker restart nginx - name: docker restart nginx
command: service nginx restart ansible.builtin.command: service nginx restart
args: args:
warn: false warn: false
when: ansible_virtualization_type == 'docker' when: ansible_virtualization_type == 'docker'
- name: restart nginx freebsd - name: restart nginx freebsd
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
when: ansible_distribution == "FreeBSD" when: ansible_distribution == "FreeBSD"
- name: setup - name: setup
action: setup ansible.builtin.setup:
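Review bot: The "docker reload nginx" and "docker restart nginx" handlers keep `args: warn: false` on `ansible.builtin.command`; the `warn` option was deprecated in ansible-core and later removed, after which these handlers fail with an unsupported-parameter error. Drop the `args` block so the task is just `ansible.builtin.command: service nginx reload`, and if the lint finding about calling `service` needs silencing, use `# noqa command-instead-of-module` on the task instead. The same `warn: false` appears on "COMMAND | Restart nginx" in the acme tasks file of this commit.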


@ -1,7 +1,7 @@
--- ---
- name: TEMPLATE | Deploy nginx.conf - name: TEMPLATE | Deploy nginx.conf
template: ansible.builtin.template:
src: "etc/nginx/nginx.conf.j2" src: "etc/nginx/nginx.conf.j2"
dest: "{{ nginx_etc_dir }}/nginx.conf" dest: "{{ nginx_etc_dir }}/nginx.conf"
mode: 0644 mode: 0644
@ -10,7 +10,7 @@
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy all helpers - name: TEMPLATE | Deploy all helpers
template: ansible.builtin.template:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}" dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}"
mode: 0644 mode: 0644
@ -20,7 +20,7 @@
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy custom http configuration - name: TEMPLATE | Deploy custom http configuration
template: ansible.builtin.template:
src: "etc/nginx/conf.d/custom.conf.j2" src: "etc/nginx/conf.d/custom.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/custom.conf" dest: "{{ nginx_etc_dir }}/conf.d/custom.conf"
mode: 0644 mode: 0644
@ -29,7 +29,7 @@
notify: reload nginx notify: reload nginx
- name: LINEINFILE | Fix path - name: LINEINFILE | Fix path
lineinfile: ansible.builtin.lineinfile:
regexp: '{{ item.0.regexp }}' regexp: '{{ item.0.regexp }}'
line: '{{ item.0.line }}' line: '{{ item.0.line }}'
dest: '{{ item.1 }}' dest: '{{ item.1 }}'
@ -45,7 +45,7 @@
when: nginx_fastcgi_fix_realpath when: nginx_fastcgi_fix_realpath
- name: COPY | Add modules manually - name: COPY | Add modules manually
copy: ansible.builtin.copy:
content: | content: |
{% for m in nginx_load_modules %} {% for m in nginx_load_modules %}
load_module {{ m }}; load_module {{ m }};


@ -1,7 +1,7 @@
--- ---
- name: FILE | Delete htpasswd file - name: FILE | Delete htpasswd file
file: ansible.builtin.file:
path: "{{ nginx_htpasswd_dir }}/{{ item.name }}" path: "{{ nginx_htpasswd_dir }}/{{ item.name }}"
state: absent state: absent
loop: "{{ nginx_htpasswd }}" loop: "{{ nginx_htpasswd }}"
@ -9,7 +9,7 @@
no_log: "{{ not nginx_debug_role }}" no_log: "{{ not nginx_debug_role }}"
- name: HTPASSWD | Manage files - name: HTPASSWD | Manage files
htpasswd: ansible.builtin.htpasswd:
name: "{{ item.1.name }}" name: "{{ item.1.name }}"
password: "{{ item.1.password }}" password: "{{ item.1.password }}"
path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}" path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}"
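Review bot: `ansible.builtin.htpasswd` in the "HTPASSWD | Manage files" task does not name an existing module: htpasswd ships in the community.general collection, so the task fails with an unresolved action instead of managing the password files. The line should read `community.general.htpasswd:`, and the collection should be declared as a dependency of the role so it is installed alongside it. The task body continues past the end of this hunk, so whether `no_log` also covers the `password` argument here cannot be confirmed from the visible lines.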


@ -1,51 +1,51 @@
--- ---
- name: SET_FACT | Bypass https://github.com/ansible/ansible/issues/19874 - name: SET_FACT | Bypass https://github.com/ansible/ansible/issues/19874
set_fact: ansible.builtin.set_fact:
ansible_distribution_release: 'buster' ansible_distribution_release: 'buster'
when: ansible_facts.distribution_major_version == "buster/sid" when: ansible_facts.distribution_major_version == "buster/sid"
- name: APT | Update cache - name: APT | Update cache
apt: ansible.builtin.apt:
update_cache: true update_cache: true
cache_valid_time: 3600 cache_valid_time: 3600
changed_when: false changed_when: false
- name: APT | Install nginx and dependencies - name: APT | Install nginx and dependencies
apt: ansible.builtin.apt:
pkg: "{{ nginx_apt_package }}" pkg: "{{ nginx_apt_package }}"
default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}" default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
- name: APT | Install nginx modules - name: APT | Install nginx modules
apt: ansible.builtin.apt:
pkg: "{{ nginx_module_packages }}" pkg: "{{ nginx_module_packages }}"
state: present state: present
- name: APT | Install python-passlib - name: APT | Install python-passlib
apt: ansible.builtin.apt:
pkg: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}-passlib" pkg: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}-passlib"
state: present state: present
- name: STAT | Check acme.sh is installed - name: STAT | Check acme.sh is installed
stat: ansible.builtin.stat:
path: "{{ nginx_acmesh_dir }}" path: "{{ nginx_acmesh_dir }}"
register: acme register: acme
- block: - block:
- name: APT | Install git - name: APT | Install git
apt: ansible.builtin.apt:
pkg: git pkg: git
- name: GIT | Get acme.sh - name: GIT | Get acme.sh
git: ansible.builtin.git:
repo: 'https://github.com/Neilpang/acme.sh.git' repo: 'https://github.com/Neilpang/acme.sh.git'
dest: '{{ nginx_acmesh_git_dir }}' dest: '{{ nginx_acmesh_git_dir }}'
update: false update: false
version: master version: master
- name: COMMAND | Install acme.sh - name: COMMAND | Install acme.sh
command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}" ansible.builtin.command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}"
args: args:
chdir: "{{ nginx_acmesh_git_dir }}" chdir: "{{ nginx_acmesh_git_dir }}"
creates: "{{ nginx_acmesh_dir }}" creates: "{{ nginx_acmesh_dir }}"
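Review bot: "GIT | Get acme.sh" checks out `version: master` and the next task runs `./acme.sh --install` from that checkout, so whatever is at the tip of the upstream branch at deploy time is executed on the host with the play's privileges. Pin `version:` to a release tag or, better, a full commit SHA held in a role variable, for example `version: "{{ nginx_acmesh_version }}"` (constructed variable name), so an upstream change cannot reach hosts without a reviewed bump. The enclosing `block` opens inside this hunk but its condition is not visible here.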


@ -16,20 +16,20 @@
- block: - block:
- name: COMMAND | Create /usr/local/etc/fdfs/http.conf - name: COMMAND | Create /usr/local/etc/fdfs/http.conf
command: touch /usr/local/etc/fdfs/http.conf ansible.builtin.command: touch /usr/local/etc/fdfs/http.conf
args: args:
creates: /usr/local/etc/fdfs/http.conf creates: /usr/local/etc/fdfs/http.conf
register: fd1 register: fd1
- name: LINEINFILE | Tune fdfs - name: LINEINFILE | Tune fdfs
lineinfile: ansible.builtin.lineinansible.builtin.file:
regexp: ^load_fdfs_parameters_from_tracker regexp: ^load_fdfs_parameters_from_tracker
line: load_fdfs_parameters_from_tracker=false line: load_fdfs_parameters_from_tracker=false
path: /usr/local/etc/fdfs/mod_fastdfs.conf path: /usr/local/etc/fdfs/mod_fastdfs.conf
register: fd2 register: fd2
- name: SERVICE | Restart nginx when fdfs is tuned - name: SERVICE | Restart nginx when fdfs is tuned
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
when: fd1.changed or fd2.changed when: fd1.changed or fd2.changed
@ -37,7 +37,7 @@
when: true when: true
- name: FILE | Create configuration dir (like Debian) - name: FILE | Create configuration dir (like Debian)
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/{{ item }}" path: "{{ nginx_etc_dir }}/{{ item }}"
state: directory state: directory
mode: 0755 mode: 0755
@ -49,7 +49,7 @@
- sites-enabled - sites-enabled
- name: FILE | Create log directory - name: FILE | Create log directory
file: ansible.builtin.file:
path: "{{ nginx_log_dir }}" path: "{{ nginx_log_dir }}"
owner: "{{ nginx_user }}" owner: "{{ nginx_user }}"
group: wheel group: wheel
@ -57,6 +57,6 @@
state: directory state: directory
- name: SERVICE | Enable nginx - name: SERVICE | Enable nginx
service: ansible.builtin.service:
name: nginx name: nginx
enabled: true enabled: true
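Review bot: "LINEINFILE | Tune fdfs" now uses `ansible.builtin.lineinansible.builtin.file:`, which looks like the `file:` to `ansible.builtin.file:` substitution being applied inside `lineinfile:`; no such module exists, so the FreeBSD install path fails at that task. It should be `ansible.builtin.lineinfile:`. Since a plain text replace produced this, it is worth searching the rest of the change for other names ending in `file:` that were rewritten the same way.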


@ -1,30 +1,30 @@
--- ---
- name: INCLUDE_VARS | Related to OS - name: INCLUDE_VARS | Related to OS
include_vars: "{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl'] tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE_TASKS | Install - name: INCLUDE_TASKS | Install
include_tasks: "install_{{ ansible_distribution }}.yml" ansible.builtin.include_tasks: "install_{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl'] tags: ['nginx::site', 'nginx::ssl']
- name: IMPORT_TASKS| Prepare - name: IMPORT_TASKS| Prepare
import_tasks: prepare.yml ansible.builtin.import_tasks: prepare.yml
tags: ['nginx::site', 'nginx::ssl'] tags: ['nginx::site', 'nginx::ssl']
- name: IMPORT_TASKS| Install - name: IMPORT_TASKS| Install
import_tasks: config.yml ansible.builtin.import_tasks: config.yml
- name: IMPORT_TASKS| Upstream configuration - name: IMPORT_TASKS| Upstream configuration
import_tasks: upstream.yml ansible.builtin.import_tasks: upstream.yml
- name: IMPORT_TASKS| htpasswd configuration - name: IMPORT_TASKS| htpasswd configuration
import_tasks: htpasswd.yml ansible.builtin.import_tasks: htpasswd.yml
- name: IMPORT_TASKS| SSL configuration - name: IMPORT_TASKS| SSL configuration
import_tasks: ssl/main.yml ansible.builtin.import_tasks: ssl/main.yml
tags: ['nginx::ssl'] tags: ['nginx::ssl']
- name: IMPORT_TASKS| Sites configuration - name: IMPORT_TASKS| Sites configuration
import_tasks: site.yml ansible.builtin.import_tasks: site.yml
tags: ['nginx::site'] tags: ['nginx::site']


@ -1,7 +1,7 @@
--- ---
- name: SHELL | Get Nginx version - name: SHELL | Get Nginx version
shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1 ansible.builtin.shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
args: args:
executable: /bin/sh executable: /bin/sh
register: nginx_version register: nginx_version
@ -11,7 +11,7 @@
- skip_ansible_lint - skip_ansible_lint
- name: SHELL | Get module list - name: SHELL | Get module list
shell: | ansible.builtin.shell: |
nginx -V 2>&1 | nginx -V 2>&1 |
tr -- - '\n' | tr -- - '\n' |
grep -A 1 with | grep -A 1 with |
@ -27,11 +27,11 @@
- skip_ansible_lint - skip_ansible_lint
- name: SET_FACT | Save modules - name: SET_FACT | Save modules
set_fact: ansible.builtin.set_fact:
nginx_modules: "{{ shell_modules.stdout_lines }}" nginx_modules: "{{ shell_modules.stdout_lines }}"
- name: FILE | Create folders - name: FILE | Create folders
file: ansible.builtin.file:
dest: "{{ item.dir }}" dest: "{{ item.dir }}"
owner: "{{ item.owner }}" owner: "{{ item.owner }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
@ -39,7 +39,7 @@
loop: "{{ nginx_dirs }}" loop: "{{ nginx_dirs }}"
- name: FILE | Create ansible facts dir - name: FILE | Create ansible facts dir
file: ansible.builtin.file:
path: /etc/ansible/facts.d path: /etc/ansible/facts.d
state: directory state: directory
mode: 0755 mode: 0755


@ -1,7 +1,7 @@
--- ---
- name: FAIL | Check filenames - name: FAIL | Check filenames
fail: ansible.builtin.fail:
msg: "Forbidden keyword default on site {{ item | nginx_site_name }}" msg: "Forbidden keyword default on site {{ item | nginx_site_name }}"
when: item.filename is defined and item.filename == 'default' when: item.filename is defined and item.filename == 'default'
loop: "{{ nginx_sites }}" loop: "{{ nginx_sites }}"
@ -9,7 +9,7 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: FAIL | Check HTTPS redir and proto - name: FAIL | Check HTTPS redir and proto
fail: ansible.builtin.fail:
msg: "You can't have HTTP proto and HTTPS redirection at the same time" msg: "You can't have HTTP proto and HTTPS redirection at the same time"
when: when:
((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
@ -19,7 +19,7 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: FILE | Create root directory - name: FILE | Create root directory
file: ansible.builtin.file:
path: "{{ nginx_root }}" path: "{{ nginx_root }}"
state: directory state: directory
mode: 0755 mode: 0755
@ -27,7 +27,7 @@
group: root group: root
- name: FILE | Create root public folders (foreach nginx_sites) - name: FILE | Create root public folders (foreach nginx_sites)
file: ansible.builtin.file:
path: "{{ nginx_root }}/{{ item | nginx_site_filename }}/public" path: "{{ nginx_root }}/{{ item | nginx_site_filename }}/public"
state: directory state: directory
owner: "{{ item.owner | default(nginx_user) }}" owner: "{{ item.owner | default(nginx_user) }}"
@ -43,7 +43,7 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: TEMPLATE | Create sites - name: TEMPLATE | Create sites
template: ansible.builtin.template:
src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2" src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}" dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
mode: 0644 mode: 0644
@ -56,7 +56,7 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: FILE | Delete sites - name: FILE | Delete sites
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}" path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
state: absent state: absent
loop: "{{ nginx_sites | product(dirs) | list }}" loop: "{{ nginx_sites | product(dirs) | list }}"
@ -68,7 +68,7 @@
label: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}" label: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
- name: FILE | Enable sites - name: FILE | Enable sites
file: ansible.builtin.file:
src: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}" src: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}" dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: link state: link
@ -80,7 +80,7 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: FILE | Disable sites - name: FILE | Disable sites
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}" path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: absent state: absent
loop: "{{ nginx_sites }}" loop: "{{ nginx_sites }}"
@ -90,14 +90,14 @@
label: "{{ item | nginx_site_name }}" label: "{{ item | nginx_site_name }}"
- name: FILE | Delete default site when explicitely defined - name: FILE | Delete default site when explicitely defined
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/default" path: "{{ nginx_etc_dir }}/sites-enabled/default"
state: absent state: absent
notify: ['reload nginx', 'restart nginx freebsd'] notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_site is not none when: nginx_default_site is not none
- name: FILE | Auto set default site - name: FILE | Auto set default site
file: ansible.builtin.file:
src: "{{ nginx_etc_dir }}/sites-available/default" src: "{{ nginx_etc_dir }}/sites-available/default"
dest: "{{ nginx_etc_dir }}/sites-enabled/default" dest: "{{ nginx_etc_dir }}/sites-enabled/default"
state: link state: link
@ -105,7 +105,7 @@
when: nginx_default_site is none when: nginx_default_site is none
- name: TEMPLATE | Deploy facts - name: TEMPLATE | Deploy facts
template: ansible.builtin.template:
src: etc/ansible/facts.d/nginx.fact.j2 src: etc/ansible/facts.d/nginx.fact.j2
dest: /etc/ansible/facts.d/nginx.fact dest: /etc/ansible/facts.d/nginx.fact
mode: 0644 mode: 0644


@ -1,18 +1,18 @@
--- ---
- name: SET_FACT | Assign default... - name: SET_FACT | Assign default...
set_fact: ansible.builtin.set_fact:
acme_create: [] acme_create: []
- name: STAT | Check if certificates are already installed - name: STAT | Check if certificates are already installed
stat: ansible.builtin.stat:
path: "{{ item | nginx_cert_path(nginx_ssl_dir) }}" path: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}" loop: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme when: item.acme is defined and item.acme
register: acme_installed_certs register: acme_installed_certs
- name: SET_FACT | Assign var with certificates to create - name: SET_FACT | Assign var with certificates to create
set_fact: ansible.builtin.set_fact:
acme_create: "{{ acme_create | default([]) + [ (item.item) ] }}" acme_create: "{{ acme_create | default([]) + [ (item.item) ] }}"
loop: "{{ acme_installed_certs.results }}" loop: "{{ acme_installed_certs.results }}"
when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0) when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0)
@ -21,7 +21,7 @@
block: block:
- name: TEMPLATE | Create fake site - name: TEMPLATE | Create fake site
template: ansible.builtin.template:
src: "etc/nginx/conf.d/FAKESITE.conf.j2" src: "etc/nginx/conf.d/FAKESITE.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
mode: 0644 mode: 0644
@ -31,26 +31,26 @@
register: fake_site register: fake_site
- name: FILE | Delete current site if needed - name: FILE | Delete current site if needed
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}" path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
state: absent state: absent
loop: "{{ acme_create }}" loop: "{{ acme_create }}"
when: fake_site.changed when: fake_site.changed
- name: SERVICE | Restart nginx - name: SERVICE | Restart nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
when: fake_site.changed and ansible_virtualization_type != 'docker' when: fake_site.changed and ansible_virtualization_type != 'docker'
- name: COMMAND | Restart nginx - name: COMMAND | Restart nginx
command: service nginx restart ansible.builtin.command: service nginx restart
args: args:
warn: false warn: false
when: fake_site.changed and ansible_virtualization_type == 'docker' when: fake_site.changed and ansible_virtualization_type == 'docker'
- name: COMMAND | Get certificates - name: COMMAND | Get certificates
command: | ansible.builtin.command: |
{{ nginx_acmesh_bin }} {{ nginx_acmesh_bin }}
--home {{ nginx_acmesh_dir }} --home {{ nginx_acmesh_dir }}
--issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %} --issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %}
@ -64,12 +64,12 @@
no_log: "{{ not nginx_debug_role }}" no_log: "{{ not nginx_debug_role }}"
- name: FILE | Create SSL dir per site - name: FILE | Create SSL dir per site
file: ansible.builtin.file:
path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}" path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
loop: "{{ acme_create }}" loop: "{{ acme_create }}"
- name: COMMAND | Install certificates - name: COMMAND | Install certificates
command: | ansible.builtin.command: |
{{ nginx_acmesh_bin }} {{ nginx_acmesh_bin }}
--home {{ nginx_acmesh_dir }} --home {{ nginx_acmesh_dir }}
--install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }} --install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }}
@ -85,17 +85,17 @@
rescue: rescue:
- name: FAIL | Explicit - name: FAIL | Explicit
fail: ansible.builtin.fail:
msg: "Something is bad... Auto crash!" msg: "Something is bad... Auto crash!"
always: always:
- name: FILE | Delete fake sites - name: FILE | Delete fake sites
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf" path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
state: absent state: absent
loop: "{{ acme_create }}" loop: "{{ acme_create }}"
notify: restart nginx notify: restart nginx
- name: META | Flush handlers - name: META | Flush handlers
meta: flush_handlers ansible.builtin.meta: flush_handlers
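Review bot: "FILE | Create SSL dir per site" passes only `path` to `ansible.builtin.file`, with no `state: directory` and no `owner` or `mode`, so as written it will not create a missing directory and sets no permissions on a location that receives certificate material. Add `state: directory`, `owner: root` and an explicit restrictive mode such as `mode: "0750"`. Separately, the "Get certificates" and "Install certificates" tasks interpolate site names directly into the `ansible.builtin.command` string; both hunks are cut off, so any quoting further down is not visible, but the `argv:` form would keep each name a single argument.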


@ -3,26 +3,26 @@
- block: - block:
- name: STAT | Get info about DH file - name: STAT | Get info about DH file
stat: ansible.builtin.stat:
path: "{{ nginx_dh_path }}" path: "{{ nginx_dh_path }}"
get_checksum: false get_checksum: false
register: stat_dh_file register: stat_dh_file
- name: SHELL | Get info about DH file - name: SHELL | Get info about DH file
shell: openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }' ansible.builtin.shell: openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
changed_when: false changed_when: false
register: dh_info register: dh_info
when: stat_dh_file.stat.exists when: stat_dh_file.stat.exists
- name: COMMAND | Generate DH file - name: COMMAND | Generate DH file
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }} ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int) when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
notify: restart nginx notify: restart nginx
when: nginx_dh is not string when: nginx_dh is not string
- name: COPY | Deploy DH file from vars - name: COPY | Deploy DH file from vars
copy: ansible.builtin.copy:
content: "{{ nginx_dh }}" content: "{{ nginx_dh }}"
dest: "{{ nginx_dh_path }}" dest: "{{ nginx_dh_path }}"
owner: root owner: root
@ -32,7 +32,7 @@
notify: restart nginx notify: restart nginx
- name: FILE | Create SSL directories - name: FILE | Create SSL directories
file: ansible.builtin.file:
path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}" path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
state: directory state: directory
owner: root owner: root
@ -43,7 +43,7 @@
no_log: "{{ not nginx_debug_role }}" no_log: "{{ not nginx_debug_role }}"
- name: COPY | Deploy SSL keys - name: COPY | Deploy SSL keys
copy: ansible.builtin.copy:
content: "{{ item.key }}" content: "{{ item.key }}"
dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}" dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
owner: root owner: root
@ -55,7 +55,7 @@
no_log: "{{ not nginx_debug_role }}" no_log: "{{ not nginx_debug_role }}"
- name: COPY | Deploy SSL certs - name: COPY | Deploy SSL certs
copy: ansible.builtin.copy:
content: "{{ item.cert }}" content: "{{ item.cert }}"
dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}" dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
owner: root owner: root
@ -67,7 +67,7 @@
no_log: "{{ not nginx_debug_role }}" no_log: "{{ not nginx_debug_role }}"
- name: COMMAND | Create self-signed certificates - name: COMMAND | Create self-signed certificates
command: | ansible.builtin.command: |
openssl req openssl req
-new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
-subj '/CN={{ item | nginx_site_name }}' -subj '/CN={{ item | nginx_site_name }}'
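Review bot: The DH tasks build their command lines from `{{ nginx_dh_path }}` and `{{ nginx_dh_length }}` without quoting, and "SHELL | Get info about DH file" passes the result to `ansible.builtin.shell`, so a path containing spaces or shell metacharacters changes the command that runs. Use the `quote` filter in the shell task, `-in {{ nginx_dh_path | quote }}`, and consider the `argv:` form for the `ansible.builtin.command` tasks. The same concern applies to `-subj '/CN={{ item | nginx_site_name }}'` in the self-signed certificate task, whose body continues outside this hunk.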


@ -1,7 +1,7 @@
--- ---
- name: TEMPLATE | Deploy PHP upstream to Nginx - name: TEMPLATE | Deploy PHP upstream to Nginx
template: ansible.builtin.template:
src: "etc/nginx/conf.d/php.conf.j2" src: "etc/nginx/conf.d/php.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/php.conf" dest: "{{ nginx_etc_dir }}/conf.d/php.conf"
mode: 0644 mode: 0644
@ -10,7 +10,7 @@
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy other upstreams - name: TEMPLATE | Deploy other upstreams
template: ansible.builtin.template:
src: "etc/nginx/conf.d/_upstream.conf.j2" src: "etc/nginx/conf.d/_upstream.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf" dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
mode: 0644 mode: 0644
@ -21,7 +21,7 @@
notify: reload nginx notify: reload nginx
- name: FILE | Delete other upstreams - name: FILE | Delete other upstreams
file: ansible.builtin.file:
path: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf" path: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
state: absent state: absent
loop: "{{ nginx_upstreams }}" loop: "{{ nginx_upstreams }}"


@ -4,13 +4,13 @@
pre_tasks: pre_tasks:
- name: INCLUDE_TASKS | Pre_tasks related to OS version - name: INCLUDE_TASKS | Pre_tasks related to OS version
include_tasks: "includes/pre_{{ ansible_distribution }}.yml" ansible.builtin.include_tasks: "includes/pre_{{ ansible_distribution }}.yml"
- name: IMPORT_TASKS | Pre_tasks common - name: IMPORT_TASKS | Pre_tasks common
import_tasks: "includes/pre_common.yml" ansible.builtin.import_tasks: "includes/pre_common.yml"
- name: FILE | Create an internal SSL dir - name: FILE | Create an internal SSL dir
file: ansible.builtin.file:
path: "{{ int_ansible_ssl_dir }}" path: "{{ int_ansible_ssl_dir }}"
state: directory state: directory
mode: 0750 mode: 0750
@ -18,7 +18,7 @@
group: root group: root
- name: COPY | Deploy test certificate - name: COPY | Deploy test certificate
copy: ansible.builtin.copy:
src: "file/test.crt" src: "file/test.crt"
dest: "{{ int_ansible_ssl_dir }}/test.crt" dest: "{{ int_ansible_ssl_dir }}/test.crt"
mode: 0640 mode: 0640
@ -26,7 +26,7 @@
group: root group: root
- name: COPY | Deploy test key - name: COPY | Deploy test key
copy: ansible.builtin.copy:
src: "file/test.key" src: "file/test.key"
dest: "{{ int_ansible_ssl_dir }}/test.key" dest: "{{ int_ansible_ssl_dir }}/test.key"
mode: 0640 mode: 0640
@ -34,7 +34,7 @@
group: root group: root
- name: COPY | Add all hosts in /etc/hosts - name: COPY | Add all hosts in /etc/hosts
copy: ansible.builtin.copy:
content: | content: |
127.0.0.1 localhost 127.0.0.1 localhost
{% for s in nginx_sites %} {% for s in nginx_sites %}
@ -299,13 +299,13 @@
# Apps # Apps
# -------------------------------- # --------------------------------
- name: INCLUDE_TASKS | Post_tasks related to OS version - name: INCLUDE_TASKS | Post_tasks related to OS version
include_tasks: "includes/post_{{ ansible_distribution }}.yml" ansible.builtin.include_tasks: "includes/post_{{ ansible_distribution }}.yml"
# -------------------------------- # --------------------------------
# Deploy index files # Deploy index files
# -------------------------------- # --------------------------------
- name: -- Add PHP file -- - name: -- Add PHP file --
copy: ansible.builtin.copy:
dest: "{{ nginx_root }}/{{ item }}/public/index.php" dest: "{{ nginx_root }}/{{ item }}/public/index.php"
content: "<?php phpinfo();" content: "<?php phpinfo();"
mode: 0644 mode: 0644
@ -317,7 +317,7 @@
- 'test-php-index2.local' - 'test-php-index2.local'
- name: -- Add HTML file -- - name: -- Add HTML file --
copy: ansible.builtin.copy:
dest: "{{ item }}/index.html" dest: "{{ item }}/index.html"
content: "Index HTML test OK\n" content: "Index HTML test OK\n"
mode: 0644 mode: 0644
@ -334,7 +334,7 @@
- '{{ nginx_root }}/{{ ngrok.stdout }}/public' - '{{ nginx_root }}/{{ ngrok.stdout }}/public'
- name: -- Create directory -- - name: -- Create directory --
file: ansible.builtin.file:
path: "{{ nginx_root }}/test-htpasswd.local/public/hello" path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
state: directory state: directory
mode: 0755 mode: 0755
@ -342,7 +342,7 @@
group: root group: root
- name: -- Add HTML file hello -- - name: -- Add HTML file hello --
copy: ansible.builtin.copy:
dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
content: "hello\n" content: "hello\n"
mode: 0644 mode: 0644
@ -353,14 +353,14 @@
# Test custom facts # Test custom facts
# -------------------------------- # --------------------------------
- name: -- CHECK FACTS -- - name: -- CHECK FACTS --
assert: ansible.builtin.assert:
that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'" that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'"
# -------------------------------- # --------------------------------
# Simple sites tests # Simple sites tests
# -------------------------------- # --------------------------------
- name: -- VERIFY SITES -- - name: -- VERIFY SITES --
uri: ansible.builtin.uri:
url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
status_code: '200,301,302,401,403' status_code: '200,301,302,401,403'
follow_redirects: none follow_redirects: none
@ -369,12 +369,12 @@
changed_when: false changed_when: false
- name: -- VERIFY FORBIDDEN -- - name: -- VERIFY FORBIDDEN --
uri: ansible.builtin.uri:
url: "http://test-php-index.local/phpinfo.php" url: "http://test-php-index.local/phpinfo.php"
status_code: 403 status_code: 403
- name: -- VERIFY REDIRECT SITES -- - name: -- VERIFY REDIRECT SITES --
uri: ansible.builtin.uri:
url: "http://{{ item.redirect_from[0] }}/" url: "http://{{ item.redirect_from[0] }}/"
status_code: 301 status_code: 301
follow_redirects: none follow_redirects: none
@ -383,7 +383,7 @@
changed_when: false changed_when: false
- name: -- VERIFY REDIRECT HTTPS SITES -- - name: -- VERIFY REDIRECT HTTPS SITES --
uri: ansible.builtin.uri:
url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/" url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
status_code: 301 status_code: 301
follow_redirects: none follow_redirects: none
@ -396,7 +396,7 @@
# PHP # PHP
# -------------------------------- # --------------------------------
- name: -- VERIFY PHP SITES -- - name: -- VERIFY PHP SITES --
uri: ansible.builtin.uri:
url: "http://{{ item.name }}/" url: "http://{{ item.name }}/"
return_content: true return_content: true
register: p register: p
@ -407,7 +407,7 @@
failed_when: p.content.find('PHP Version') == -1 failed_when: p.content.find('PHP Version') == -1
- name: -- VERIFY INDEX2 -- - name: -- VERIFY INDEX2 --
uri: ansible.builtin.uri:
url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
return_content: true return_content: true
register: p2 register: p2
@ -417,12 +417,12 @@
# Basic Auth # Basic Auth
# -------------------------------- # --------------------------------
- name: -- VERIFY AUTH BASIC NONE -- - name: -- VERIFY AUTH BASIC NONE --
uri: ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/" url: "http://test-htpasswd.local/hello/"
status_code: 401 status_code: 401
- name: -- VERIFY AUTH BASIC FAIL -- - name: -- VERIFY AUTH BASIC FAIL --
uri: ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/" url: "http://test-htpasswd.local/hello/"
status_code: 401 status_code: 401
user: "fail" user: "fail"
@ -430,14 +430,14 @@
force_basic_auth: true force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK -- - name: -- VERIFY AUTH BASIC OK --
uri: ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/" url: "http://test-htpasswd.local/hello/"
user: "hanx" user: "hanx"
password: "qwerty" password: "qwerty"
force_basic_auth: true force_basic_auth: true
- name: -- VERIFY AUTH BASIC FAIL GLOBAL -- - name: -- VERIFY AUTH BASIC FAIL GLOBAL --
uri: ansible.builtin.uri:
url: "http://test-htpasswd-all.local/" url: "http://test-htpasswd-all.local/"
status_code: 401 status_code: 401
user: "fail" user: "fail"
@ -445,7 +445,7 @@
force_basic_auth: true force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK GLOBAL -- - name: -- VERIFY AUTH BASIC OK GLOBAL --
uri: ansible.builtin.uri:
url: "http://test-htpasswd-all.local/" url: "http://test-htpasswd-all.local/"
user: "hanx" user: "hanx"
password: "qwerty" password: "qwerty"
@ -455,7 +455,7 @@
# SSL # SSL
# -------------------------------- # --------------------------------
- name: -- VERIFY SSL -- - name: -- VERIFY SSL --
uri: ansible.builtin.uri:
url: "https://{{ item }}/" url: "https://{{ item }}/"
return_content: true return_content: true
validate_certs: false validate_certs: false
@ -468,7 +468,7 @@
- '{{ ngrok.stdout }}' - '{{ ngrok.stdout }}'
- name: -- VERIFY SSL REDIRECT -- - name: -- VERIFY SSL REDIRECT --
uri: ansible.builtin.uri:
url: "http://{{ item.name }}/" url: "http://{{ item.name }}/"
validate_certs: false validate_certs: false
status_code: 301 status_code: 301
@ -487,7 +487,7 @@
# Default sites # Default sites
# -------------------------------- # --------------------------------
- name: -- VERIFY DEFAULT SITE -- - name: -- VERIFY DEFAULT SITE --
uri: ansible.builtin.uri:
url: 'http://127.0.0.1/' url: 'http://127.0.0.1/'
return_content: true return_content: true
register: vdefault register: vdefault
@ -496,7 +496,7 @@
vdefault.x_ansible_default is not defined vdefault.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SITE + STUB STATUS-- - name: -- VERIFY DEFAULT SITE + STUB STATUS--
uri: ansible.builtin.uri:
url: 'http://127.0.0.1/status' url: 'http://127.0.0.1/status'
return_content: true return_content: true
register: vdefault_status register: vdefault_status
@ -505,7 +505,7 @@
vdefault_status.x_ansible_default is not defined vdefault_status.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL SITE -- - name: -- VERIFY DEFAULT SSL SITE --
uri: ansible.builtin.uri:
url: 'https://127.0.0.1/' url: 'https://127.0.0.1/'
return_content: true return_content: true
validate_certs: false validate_certs: false
@ -515,14 +515,14 @@
vdefault.x_ansible_default is not defined vdefault.x_ansible_default is not defined
- name: -- VERIFY NOT DEFAULT SITE -- - name: -- VERIFY NOT DEFAULT SITE --
uri: ansible.builtin.uri:
url: 'http://test-php.local/' url: 'http://test-php.local/'
return_content: true return_content: true
register: vphp register: vphp
failed_when: vphp.x_ansible_default is defined failed_when: vphp.x_ansible_default is defined
- name: -- VERIFY NOT DEFAULT SSL SITE -- - name: -- VERIFY NOT DEFAULT SSL SITE --
uri: ansible.builtin.uri:
url: 'https://test-ssl.local/' url: 'https://test-ssl.local/'
return_content: true return_content: true
validate_certs: false validate_certs: false
@ -536,14 +536,14 @@
- block: - block:
- name: SHELL | Check HTTP proxy protocol - name: SHELL | Check HTTP proxy protocol
shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol'
args: args:
executable: /bin/bash executable: /bin/bash
warn: false warn: false
changed_when: false changed_when: false
- name: SHELL | Check HTTPS proxy protocol - name: SHELL | Check HTTPS proxy protocol
shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol'
args: args:
executable: /bin/bash executable: /bin/bash
warn: false warn: false
@ -555,7 +555,7 @@
# Check HTTP2 # Check HTTP2
# -------------------------------- # --------------------------------
- name: SHELL | Check HTTP2 - name: SHELL | Check HTTP2
shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2 ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2
args: args:
executable: /bin/bash executable: /bin/bash
changed_when: false changed_when: false