Fix idempotence

Add feature: override_try_files on vhost

.travis.yml

@@ -1,11 +1,13 @@
 env:
-- PLATFORM=debian-wheezy
-- PLATFORM=debian-jessie
+  - PLATFORM=debian-wheezy
+  - PLATFORM=debian-jessie
 
-sudo: true
+sudo: required
 
-install:
-- curl -sLo - http://j.mp/install-travis-docker | sh -xe
+language: python
+
+services:
+  - docker
 
 script:
-- ./run 'docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM'
+  - docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM

README.md

@@ -1,11 +1,11 @@
 Nginx for Debian Ansible role
 =============================
 
-[![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg)](https://travis-ci.org/HanXHX/ansible-nginx)
+[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg)](https://travis-ci.org/HanXHX/ansible-nginx)
 
 Install and configure Nginx on Debian.
 
-This role is not production ready. SSL management wille come later.
+SSL management will come later.
 
 Requirements
 ------------
@@ -44,14 +44,17 @@ Socket:
   - `nginx_worker_processes`
   - `nginx_events`: key/value in events block
   - `nginx_http`: key/value in http block
+  - `nginx_pid`: daemon pid file 
 
 ### Vhost management
 
+You can see many examples in: [tests/test.yml](tests/test.yml).
+
   - `nginx_vhosts`: List of dict. A vhost has few keys. See bellow.
 
-####
+#### Common
 
-  - `name`: (M) List of domain used. The first occurence is the most important!
+  - `name`: (M) Domain or list of domain used.
   - `template`: (M) template used to create vhost
   - `enable`: (O) Enable the vhost (default is true)
   - `delete`: (O) Delete the vhost (default is false)
@@ -59,6 +62,8 @@ Socket:
   - `location`: (O) Add new custom locations (it does not overwrite!)
   - `more`: (O) Add more custom infos.
   - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
+  - `override_try_files`: (O) overrides default try\_files defined in template
+  - `manage_local_content`: (O) Boolean. Set to false if you don't want to manage local content (images, css...). This option is useless if you use proxy `template`
 
 (O) : Optional
 (M) : Mandatory
@@ -66,13 +71,53 @@ Socket:
 #### Templates
 
   - `base`: static template
-  - `php`: PHP base template. Can work with many frameworks/tools.
-  - `wordpress`
   - `dokuwiki`
+  - `phalcon`: Phalcon PHP Framework
+  - `php`: PHP base template. Can work with many frameworks/tools
+  - `php_index`: Same as above. But you can only run index.php
+  - `proxy`
+  - `wordpress`
 
 Templates works as parent-child.
 
-You can see many examples in: [tests/test.yml](tests/test.yml).
+#### About proxy template
+
+Proxy template allow you to use Nginx as reverse proxy. Usefull when you have application serveur such as Redmine, Jenkins...
+
+You have many key added to vhost key:
+
+  - `upstream_name`: (O) upstream name used to pass proxy
+  - `proxy_params`: (M) list of raw params passed to the vhost
+
+(O) : Optional
+(M) : Mandatory
+
+
+### Upstream management
+
+  - `nginx_upstreams`: List of dict. An upstream has few keys. See bellow.
+
+Note: Few params are unavailable on old Nginx version. But this role don't put it if your version is too old!
+
+#### Upstream params
+
+- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name*
+- `params`: list of param (hash, zone...)
+- `servers`: each upstream MUST have at least 1 server
+
+#### Server params
+
+You must set a `path`. For example: *192.168.0.50:8080* or *unix:/tmp/my.sock*.
+
+All this params are optional. You should see [Nginx upstream doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
+
+  - `weight`
+  - `max`fails`
+  - `fail`timeout`
+  - `backup`
+  - `down`
+  - `route`
+  - `slow`start`
 
 Dependencies
 ------------
@@ -94,6 +139,4 @@ GPLv2
 Author Information
 ------------------
 
-  - You can find many other roles in my GitHub "lab": https://github.com/HanXHX/my-ansible-playbooks
-  - All issues, pull-request are welcome :)
-
+- Twitter: https://twitter.com/hanxhx

defaults/main.yml

@@ -8,8 +8,9 @@ nginx_apt_package: nginx-full
 nginx_root: "/srv/www"
 nginx_log_dir: '/var/log/nginx'
 nginx_ssl_dir: '/etc/nginx/ssl'
+nginx_pid: '/run/nginx.pid'
 nginx_resolver:
-  hosts: ['208.67.222.222', '208.67.220.220'] # OpenDNS
+  hosts: ['8.8.8.8', '8.8.4.4'] # OpenDNS
   valid: '300'
   timeout: '5'
 nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
@@ -70,3 +71,4 @@ nginx_http:
 #  etag: 'off'
 
 nginx_vhosts: []
+nginx_upstreams: []

handlers/main.yml

@@ -1,6 +1,4 @@
 ---
-- name: restart nginx
-  action: service name=nginx state=restarted enabled=yes
 
 - name: reload nginx
   action: service name=nginx state=reloaded enabled=yes

meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: Nginx for Debian 
   company:
   license: GPLv2 
-  min_ansible_version: 1.2
+  min_ansible_version: 1.6
   platforms:
   - name: Debian
     versions:

tasks/main.yml

@@ -9,8 +9,10 @@
   changed_when: false
 
 - name: TEMPLATE | Deploy nginx.conf
-  template: src=etc/nginx/nginx.conf.j2 dest=/etc/nginx/nginx.conf validate= "nginx -t"
-  notify: restart nginx
+  template: >
+    src=etc/nginx/nginx.conf.j2
+    dest=/etc/nginx/nginx.conf
+  notify: reload nginx
 
 - name: FILE | Create /etc/nginx/helpers
   file: dest=/etc/nginx/helpers owner=root mode=0755 state=directory
@@ -24,7 +26,9 @@
 #    creates: "{{ nginx_dh_path }}"
 
 - name: TEMPLATE | Deploy all helpers
-  template: src={{ item }} dest=/etc/nginx/helpers/{{ item | basename | regex_replace('\.j2$','') }}
+  template: >
+    src={{ item }}
+    dest=/etc/nginx/helpers/{{ item | basename | regex_replace('\.j2$','') }}
   with_fileglob: '../templates/etc/nginx/helpers/*.j2'
   notify: reload nginx
 

tasks/upstream.yml

@@ -4,3 +4,7 @@
   template: src=etc/nginx/upstream/php.conf.j2 dest=/etc/nginx/conf.d/php.conf
   notify: reload nginx
 
+- name: TEMPLATE | Deploy other upstreams
+  template: src=etc/nginx/upstream/upstream.conf.j2 dest=/etc/nginx/conf.d/upstream-{{ item.name }}.conf
+  with_items: nginx_upstreams
+  notify: reload nginx

tasks/vhost.yml

@@ -2,18 +2,18 @@
 
 - name: FILE | Create root folders (foreach nginx_vhosts)
   file: >
-    path={{ nginx_root }}/{{ item.name[0] }}/public
+    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
     state=directory
     owner={{ item.owner | default('www-data') }}
     group={{ item.group | default('www-data') }}
     mode={{ item.mode | default('0755') }}
   with_items: nginx_vhosts
-  when: item.root is not defined
+  when: item.root is not defined and item.template != '_proxy'
 
 - name: TEMPLATE | Create vhosts
   template: >
     src=etc/nginx/sites-available/{{ item.template }}.j2
-    dest=/etc/nginx/sites-available/{{ item.name[0] }}
+    dest=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
   with_items: nginx_vhosts
   notify: reload nginx
   when: item.delete is not defined or not item.delete
@@ -23,16 +23,16 @@
 #  with_fileglob: "web/*"
 
 - name: FILE | Delete vhosts
-  file: dest=/etc/nginx/sites-enabled/{{ item.name[0] }} state=absent
-  file: dest=/etc/nginx/sites-available/{{ item.name[0] }} state=absent
+  file: dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }} state=absent
+  file: dest=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }} state=absent
   with_items: nginx_vhosts
   notify: reload nginx
   when: item.delete is defined and item.delete
 
 - name: FILE | Enable vhosts
   file: >
-    src=/etc/nginx/sites-available/{{ item.name[0] }}
-    dest=/etc/nginx/sites-enabled/{{ item.name[0] }}
+    src=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
+    dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }}
     state=link
   with_items: nginx_vhosts
   notify: reload nginx
@@ -42,7 +42,7 @@
     (item.delete is not defined or not item.delete)
 
 - name: FILE | Disable vhosts
-  file: dest=/etc/nginx/sites-enabled/{{ item.name[0] }} state=absent
+  file: dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }} state=absent
   with_items: nginx_vhosts
   notify: reload nginx
   when: item.enable is defined and not item.enable

templates/etc/nginx/nginx.conf.j2

@@ -4,7 +4,7 @@
 
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
-pid /run/nginx.pid;
+pid {{ nginx_pid }};
 
 events {
 {% for key, value in nginx_events.iteritems() %}

templates/etc/nginx/sites-available/_base.j2

@@ -12,11 +12,11 @@ server {
 {% for port in __listen %}
 	listen {{ port }};
 {% endfor %}
-	server_name {{ item.name | join(' ') }};
+	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
 {% if item.root is defined %}
 	root {{ item.root }};
 {% else %}
-	root {{ nginx_root }}/{{ item.name[0] }}/public;
+	root {{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public;
 {% endif %}
 {% block template_index %}
 	index {{ item.index | default('index.html index.htm') }};
@@ -28,11 +28,13 @@ server {
 {% endfor %}
 {% endif %}
 
+{% if not __location.has_key('/') %}
 	location / {
 {% block template_try_files %}
-		try_files $uri $uri/ =404;
+		try_files {{ override_try_files | default('$uri $uri/ =404') }};
 {% endblock %}
 	}
+{% endif %}
 
 {% block template_upstream_location %}
 {% endblock %}
@@ -43,6 +45,8 @@ server {
 		deny all;
 	}
 
+{% block template_local_content %}
+{% if item.manage_local_content is not defined or item.manage_local_content %}
 	location = /favicon.ico {
 		expires 30d;
 		access_log off;
@@ -53,6 +57,8 @@ server {
 		expires 30d;
 		log_not_found off;
 	}
+{% endif %}
+{% endblock %}
 
 {% if __location is iterable and __location | length > 0 %}
 	# --> Custom locations

templates/etc/nginx/sites-available/_php.j2

@@ -4,7 +4,7 @@
 {% endblock %}
 
 {% block template_try_files %}
-		try_files $uri $uri/ /index.php;
+		try_files {{ override_try_files | default('$uri $uri/ /index.php') }};
 {% endblock %}
 
 {% block template_upstream_location %}

templates/etc/nginx/sites-available/_php_index.j2

@@ -0,0 +1,24 @@
+{% extends "_php.j2" %}
+
+{% block template_upstream_location %}
+	location = /index.php {
+		fastcgi_pass php;
+		fastcgi_index index.php;
+{% if item.upstream_params is defined and item.upstream_params is iterable %}
+{% for param in item.upstream_params %}
+		{{ param }}
+{% endfor %}
+{% endif %}
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+	}
+{% endblock %}
+
+{% block template_custom_location %}
+	location ~ \.(php\d?|phtml)$ {
+		return 403;
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_proxy.j2

@@ -0,0 +1,23 @@
+{% extends "_base.j2" %}
+
+{% block template_try_files %}
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		
+		proxy_pass http://{{ item.upstream_name }};
+		proxy_read_timeout 90;
+		
+		{#proxy_redirect http://{{ upstream.name }} https://jenkins.domain.tld;#}
+
+{% if item.proxy_params is defined and item.proxy_params is iterable %}
+{% for param in item.proxy_params %}
+		{{ param }}
+{% endfor %}
+{% endif %}
+{% endblock %}
+
+{# We flush the default local content (locations) #}
+{% block template_local_content %}
+{% endblock %}

templates/etc/nginx/upstream/upstream.conf.j2

@@ -0,0 +1,19 @@
+{%- macro s(key, value, is_bool, min_version) %}
+{% if nginx_version.stdout | version_compare(min_version, 'ge') %}
+{% if is_bool and value %} {{ key }}{% elif not is_bool %} {{ key }}={{ value }}{% endif %}
+{% endif %}
+{%- endmacro -%}
+#
+# {{ ansible_managed }}
+#
+
+upstream {{ item.name }} {
+{% for server in item.servers %}
+	server {{ server.path }}{% for p in nginx_upstream_server_params if server[p.key] is defined %}{{ s(p.key, server[p.key] | default(p.default), p.is_bool | default(false), p.min_version | default('0.0.1')) }}{% endfor %};
+{% endfor %}
+{% if item.params is defined and item.params is iterable %}
+{% for param in item.params %}
+	{{ param }};
+{% endfor %}
+{% endif %}
+}

tests/debian-jessie.Dockerfile

@@ -2,5 +2,3 @@ FROM williamyeh/ansible:debian8-onbuild
 
 RUN apt-get update
 CMD ["sh", "tests/test.sh"]
-
-EXPOSE 6379

tests/debian-wheezy.Dockerfile

@@ -2,5 +2,3 @@ FROM williamyeh/ansible:debian7-onbuild
 
 RUN apt-get update
 CMD ["sh", "tests/test.sh"]
-
-EXPOSE 6379

tests/test.yml

@@ -8,12 +8,21 @@
         - curl
   vars:
     nginx_php: true
+    nginx_upstreams:
+      - name: 'test'
+        servers:
+          - path: '127.0.0.1:80'
+            max_conns: 150
+            weight: 10
+            down: false
     nginx_vhosts:
       - name:
           - 'test.local'
           - 'test-alias.local'
           - 'test2-alias.local'
         template: '_base'
+        override_try_files: '$uri $uri index.htm index.html'
+        manage_local_content: false
         more:
           - 'autoindex off;'
         location:
@@ -21,31 +30,50 @@
             - 'return 403;'
           '/gunther':
             - 'return 404;'
-      - name:
-          - 'test-php.local'
+      - name: 'test-location.local'
+        template: '_base'
+        location:
+          '/':
+            - 'alias /var/tmp;'
+      - name: 'test-php.local'
         upstream_params:
           - 'fastcgi_param FOO bar;'
         redirect_from:
           - 'www.test-php.local'
         template: '_php'
-      - name:
-          - 'deleted.local'
+      - name: 'test-php-index.local'
+        template: '_php_index'
+      - name: 'test-proxy.local'
+        listen:
+          - 8080
+        template: '_proxy'
+        upstream_name: 'test'
+      - name: 'deleted.local'
         template: '_base'
         delete: true
   roles:
     - ../../
   post_tasks:
     - name: -- Add PHP file --
-      copy: dest="{{ nginx_root }}/test-php.local/public/index.php" content="<?php phpinfo();"
+      copy: dest="{{ nginx_root }}/{{ item }}/public/index.php" content="<?php phpinfo();"
+      with_items: ['test-php.local', 'test-php-index.local']
     - name: -- Add HTML file --
-      copy: dest="{{ nginx_root }}/test.local/public/index.html" content="Index HTML test OK\n"
+      copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
+      with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp']
     - name: -- VERIFY VHOSTS --
-      shell: "curl -H 'Host: {{ item.name[0] }}' http://127.0.0.1/"
+      command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
       with_items: nginx_vhosts
       when: item.delete is undefined or not item.delete
       changed_when: false
+    - name: -- VERIFY FORBIDDEN --
+      command: "curl -H 'Host: test-php-index.local' http://127.0.0.1/phpinfo.php"
+      register: f
+      failed_when: f.stdout.find('403 Forbidden') == -1
+      changed_when: false
     - name: -- VERIFY REDIRECT VHOSTS --
-      shell: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
+      command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
       with_items: nginx_vhosts
       when: item.redirect_from is defined and (item.delete is undefined or not item.delete)
       changed_when: false
+      register: r
+      failed_when: r.stdout.find('301 Moved Permanently') == -1

vars/main.yml

@@ -1 +1,25 @@
 nginx_dh_path: /etc/nginx/ssl/dhparams.pem
+
+nginx_upstream_server_params:
+  - key: 'weight'
+    default: 1
+  - key: 'max_fails'
+    default: 1
+  - key: 'fail_timeout'
+    default: '10s'
+  - key: 'backup'
+    is_bool: true
+  - key: 'down'
+    is_bool: true
+    default: false
+  - key: 'route'
+    default: 'configuration_error'
+  - key: 'slow_start'
+    default: 0
+# Nginx Plus only
+#  - key: 'max_conns'
+#    default: 0
+#    min_version: '1.5.9'
+#  - key: 'resolve'
+#    is_bool: true
+#    min_version: '1.5.12'