Ansible role update

datalets 2021-02-20 15:00:27 +01:00
parent c7582f61e2
commit c4c132bd1a
165 changed files with 2669 additions and 4455 deletions


@ -1,2 +1,3 @@
skip_list:
- '306'
- '106'


@ -1,5 +1,5 @@
# Configuration for probot-stale - https://github.com/probot/stale
---
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90


@ -0,0 +1,72 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 7 * * 0"
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint ansible-lint
- name: Lint code.
run: |
yamllint .
ansible-lint
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- ubuntu2004
- ubuntu1804
- debian10
- debian9
- fedora31
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}
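Review bot: The new workflow has no `permissions:` key, so both jobs run with the repository's default GITHUB_TOKEN scope even though they only need to read the checkout; a top-level `permissions:` with `contents: read` would make that explicit. The `uses:` lines reference the mutable tags `actions/checkout@v2` and `actions/setup-python@v2`, and `pip3 install ansible molecule[docker] docker` carries no version pins, so the weekly scheduled run can execute different code from one week to the next. Pinning the actions to a full commit SHA and the pip packages to versions would make a failing or changed run traceable to a change in this repository.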


@ -0,0 +1,38 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
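Review bot: The last step expands `${{ secrets.GALAXY_API_KEY }}` and `${{ github.repository }}` straight into the script text, so the key is pasted unquoted into the command before the shell parses it. Passing it through the step environment keeps the script fixed: add `env:` with `GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}` and call `ansible-galaxy role import --api-key "$GALAXY_API_KEY" "${GITHUB_REPOSITORY%%/*}" "${GITHUB_REPOSITORY#*/}"`. `pip3 install ansible-base` is also unpinned in the one job that holds the publishing key, and the workflow fires on every tag (`'*'`). The "Ansible Galaxy import" workflow further down the page uses the same `run:` line and needs the same change.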


@ -1,31 +0,0 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: docker
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule yamllint ansible-lint docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,6 +1,11 @@
---
extends: default
rules:
line-length:
max: 200
level: warning
ignore: |
.github/stale.yml
.travis.yml


@ -1,6 +1,6 @@
# Ansible Role: Docker
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker)
[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI)
An Ansible Role that installs [Docker](https://www.docker.com) on Linux.
@ -28,7 +28,7 @@ You can control whether the package is installed, uninstalled, or at the latest
Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`.
docker_install_compose: true
docker_compose_version: "1.25.4"
docker_compose_version: "1.26.0"
docker_compose_path: /usr/local/bin/docker-compose
Docker Compose installation options.
@ -39,17 +39,17 @@ Docker Compose installation options.
docker_apt_ignore_key_error: True
docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release.
(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release.
You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_apt_repository` as well.
docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_edge: '0'
docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`.
(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`.
You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_yum_repository` as well.


@ -11,10 +11,10 @@ docker_restart_handler_state: restarted
# Docker Compose options.
docker_install_compose: true
docker_compose_version: "1.25.4"
docker_compose_version: "1.26.0"
docker_compose_path: /usr/local/bin/docker-compose
# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed.
# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
docker_apt_release_channel: stable
docker_apt_arch: amd64
docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
@ -23,7 +23,7 @@ docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution |
# Used only for RedHat/CentOS/Fedora.
docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_edge: '0'
docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg


@ -1,2 +1,2 @@
install_date: Fri May 15 20:32:50 2020
version: 2.7.0
install_date: Sat Feb 20 13:56:42 2021
version: 3.0.0


@ -2,6 +2,7 @@
dependencies: []
galaxy_info:
role_name: docker
author: geerlingguy
description: Docker for Linux.
company: "Midwestern Mac, LLC"
@ -23,6 +24,7 @@ galaxy_info:
versions:
- xenial
- bionic
- focal
galaxy_tags:
- web
- system


@ -8,5 +8,17 @@
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
- name: Wait for systemd to complete initialization. # noqa 303
command: systemctl is-system-running
register: systemctl_status
until: >
'running' in systemctl_status.stdout or
'degraded' in systemctl_status.stdout
retries: 30
delay: 5
when: ansible_service_mgr == 'systemd'
changed_when: false
failed_when: systemctl_status.rc > 1
roles:
- role: geerlingguy.docker


@ -3,10 +3,6 @@ dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"


@ -20,12 +20,13 @@
group: root
mode: 0644
- name: Configure Docker Edge repo.
- name: Configure Docker Nightly repo.
ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-edge'
section: 'docker-{{ docker_edition }}-nightly'
option: enabled
value: '{{ docker_yum_repo_enable_edge }}'
value: '{{ docker_yum_repo_enable_nightly }}'
mode: 0644
- name: Configure Docker Test repo.
ini_file:
@ -33,9 +34,17 @@
section: 'docker-{{ docker_edition }}-test'
option: enabled
value: '{{ docker_yum_repo_enable_test }}'
mode: 0644
- name: Install containerd separately (CentOS 8).
package:
name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
state: present
- name: Configure containerd on RHEL 8.
block:
- name: Ensure container-selinux is installed.
package:
name: container-selinux
state: present
- name: Ensure containerd.io is installed.
package:
name: containerd.io
state: present
when: ansible_distribution_major_version | int == 8
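Review bot: The `mode: 0644` lines that appear to be added to the two `ini_file` tasks are unquoted, which leaves the value to the YAML parser's octal handling; Ansible's module documentation recommends passing a string so the module does the conversion itself, i.e. `mode: '0644'`. The context line at the top of the hunk uses the same unquoted form, and that task starts outside the hunk, so the quoting is best changed for all of them together.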


@ -0,0 +1,2 @@
skip_list:
- '503'


@ -0,0 +1,17 @@
name: Ansible Lint check
# visit https://github.com/marketplace/actions/ansible-lint for infos
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "."
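Review bot: `uses: ansible/ansible-lint-action@master` tracks a branch, so whatever is pushed to that branch runs inside this repository's workflow on the next push or pull request; pin it to a release tag or, better, a full commit SHA, `uses: ansible/ansible-lint-action@<commit-sha>`. The file also has no `permissions:` key; `permissions:` with `contents: read` is enough for a lint-only job. A leading `---` would match the other workflow files in this commit.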


@ -46,8 +46,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
* Default: `false` (don't send any e-mail)
* `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade.
* Default: `false`
* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
* `unattended_remove_unused_dependencies`: do automatic removal of all unused dependencies after the upgrade.
* Default: `false`
* `unattended_remove_new_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
* Default: `true`
* `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade.
* Default: `false`
* `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade.
@ -56,6 +58,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
* Default: disabled
* `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive.
* Default: `false`
* `unattended_syslog_enable`: Write events to syslog, which is useful in environments where syslog messages are sent to a central store.
* Default: `false`
* `unattended_syslog_facility`: Write events to the specified syslog facility, or the daemon facility if not specified. Will only have affect if `unattended_syslog_enable` is set to `true`.
* Default: `daemon`
* `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root.
* Possible options:
* `0`: no report


@ -48,10 +48,14 @@ unattended_mail: false
unattended_mail_only_on_error: false
#Unattended-Upgrade::Remove-Unused-Dependencies
# Do automatic removal of new unused dependencies after the upgrade
# Do automatic removal of all unused dependencies after the upgrade
# (equivalent to apt-get autoremove)
unattended_remove_unused_dependencies: false
#Unattended-Upgrade::Remove-New-Unused-Dependencies
# Remove any new unused dependencies after the upgrade
unattended_remove_new_unused_dependencies: true
#Unattended-Upgrade::Automatic-Reboot
# Automatically reboot *WITHOUT CONFIRMATION* if a
# the file /var/run/reboot-required is found after the upgrade
@ -67,6 +71,17 @@ unattended_automatic_reboot_time: false
# I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
unattended_ignore_apps_require_restart: false
#Unattended-Upgrade::SyslogEnable
# Write events to syslog, which is useful in environments where syslog
# messages are sent to a central store.
unattended_syslog_enable: false
#Unattended-Upgrade::SyslogFacility
# Write events to the specified syslog facility, or the daemon facility if
# not specified. Requires the Unattended-Upgrade::SyslogEnable option to be
# set to true.
#unattended_syslog_facility: "daemon"
### APT::Periodic configuration
# Snatched from /usr/lib/apt/apt.systemd.daily
@ -119,4 +134,4 @@ unattended_dpkg_options: []
# Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
#unattended_dl_limit: 70
#unattended_dl_limit: 70


@ -1,2 +1,2 @@
install_date: Fri May 15 21:54:44 2020
version: v1.8.0
install_date: Sat Feb 20 13:56:45 2021
version: v1.10.0


@ -20,7 +20,7 @@ galaxy_info:
# Below are all categories currently available. Just as with
# the platforms above, uncomment those that apply to your role.
#
categories:
galaxy_tags:
#- cloud
#- cloud:ec2
#- cloud:gce


@ -10,7 +10,7 @@
apt:
pkg: unattended-upgrades
state: present
cache_valid_time: "{{unattended_cache_valid_time}}"
cache_valid_time: "{{ unattended_cache_valid_time }}"
update_cache: yes
- name: install reboot dependencies


@ -1,3 +1,5 @@
// {{ ansible_managed }}
APT::Periodic::Unattended-Upgrade "1";
{% if unattended_update_package_list is defined %}


@ -1,3 +1,5 @@
// {{ ansible_managed }}
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
Unattended-Upgrade::Origins-Pattern {
@ -55,11 +57,16 @@ Unattended-Upgrade::MailOnlyOnError "true";
{% endif %}
{% if unattended_remove_unused_dependencies %}
// Do automatic removal of new unused dependencies after the upgrade
// Do automatic removal of all unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
{% endif %}
{% if not unattended_remove_new_unused_dependencies %}
// Do automatic removal of new unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
{% endif %}
{% if unattended_automatic_reboot %}
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
@ -88,6 +95,18 @@ Unattended-Upgrade::Update-Days {{ unattended_update_days }};
Unattended-Upgrade::IgnoreAppsRequireRestart "true";
{% endif %}
{% if unattended_syslog_enable %}
// Write events to syslog, which is useful in environments where syslog
// messages are sent to a central store.
Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";
{% if unattended_syslog_facility is defined %}
// Write events to the specified syslog facility, or the daemon facility
// if not specified. Requires the Unattended-Upgrade::SyslogEnable option
// to be set to true.
Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}";
{% endif %}
{% endif %}
{% if unattended_dpkg_options %}
// Append options for governing dpkg behavior, e.g. --force-confdef.
Dpkg::Options {
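Review bot: `Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";` renders whatever the variable holds (a YAML boolean would come out as `True`), while the other switches visible in this section write a literal `"true"` or `"false"` inside their `{% if %}`. Since the line already sits inside `{% if unattended_syslog_enable %}`, `Unattended-Upgrade::SyslogEnable "true";` would be consistent and would not depend on how the value is spelled. `{{ unattended_syslog_facility }}` is placed between double quotes without escaping, so a value containing a quote would yield a malformed apt configuration; a comment listing the accepted facility names next to the variable would help. The `Dpkg::Options` block at the end of the hunk continues outside it.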


@ -6,12 +6,15 @@
inventory:
- name: ubuntu_latest
image: "ubuntu:latest"
- name: ubuntu_bionic
image: "ubuntu:bionic"
- name: ubuntu_xenial
image: "ubuntu:xenial"
- name: ubuntu_trusty
image: "ubuntu:trusty"
- name: debian_testing
image: "debian:testing"
# 6/2020: Disabled Debian Testing due to missing python packages (python-apt)
#- name: debian_testing
# image: "debian:testing"
- name: debian_stable
image: "debian:stable"
- name: debian_oldstable
@ -27,10 +30,11 @@
gather_facts: false
pre_tasks:
- name: Provision Python
raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-simplejson)"
raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python)"
register: output
changed_when: output.stdout
- setup: # Gather facts
- name: Gather facts
setup:
vars:
unattended_autofix_interrupted_dpkg: false
unattended_minimal_steps: true
@ -45,13 +49,15 @@
include_role:
name: ansible-role-unattended-upgrades
register: idempotency
- fail:
- name: fail when idempotency.changed
fail:
msg: Role failed idempotency check
when: idempotency.changed
- name: Get apt-config variables
shell: apt-config dump
command: apt-config dump
register: aptconfig
changed_when: false
- name: Check for registered variables
assert:
that: item in aptconfig.stdout
@ -68,3 +74,4 @@
- name: Dry run unattended-upgrades
command: /usr/bin/unattended-upgrades --dry-run
changed_when: idempotency.changed|bool


@ -20,9 +20,9 @@ Steps to reproduce the behavior:
A clear and concise description of what you expected to happen.
**Your environment:**
- Version of the NGINX Role or specific commit
- Version of Ansible
- Target deployment platform
- Version of the NGINX role or specific commit
- Version of Ansible
- Target deployment platform
**Additional context**
Add any other context about the problem here.


@ -1,10 +1,10 @@
### Proposed changes
Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue here in this description (not in the title of the PR).
Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR).
### Checklist
Before creating a PR, run through this checklist and mark each as complete.
- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/master/CONTRIBUTING.md) document
- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/main/CONTRIBUTING.md) document
- [ ] I have added Molecule tests that prove my fix is effective or that my feature works
- [ ] I have checked that all unit tests pass after adding my changes
- [ ] If required, I have updated necessary documentation (`defaults/main/` and `README.md`)
- [ ] I have checked that all Molecule tests pass after adding my changes
- [ ] I have updated any relevant documentation (`defaults/main/*.yml`, `README.md` and `CHANGELOG.md`)


@ -0,0 +1,22 @@
---
name: Ansible Galaxy import
on:
release:
jobs:
galaxy:
name: Galaxy
runs-on: ubuntu-latest
steps:
- name: Check out the codebase
uses: actions/checkout@v2
- name: Set up Python 3
uses: actions/setup-python@v2
with:
python-version: 3.x
- name: Install Ansible
run: pip3 install ansible-base==2.10.3
- name: Import release to Ansible Galaxy
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)


@ -0,0 +1,61 @@
---
name: Molecule CI/CD
on:
pull_request:
branches:
- main
push:
branches:
- main
ignore-tags:
- "*"
schedule:
- cron: "0 0 1 * *"
jobs:
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
scenario:
- default
- default_alpine
- default_centos
- module
- module_alpine
- module_centos
- plus
- plus_alpine
- plus_centos
- source
- source_alpine
- source_centos
steps:
- name: Check out the codebase
if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
uses: actions/checkout@v2
- name: Set up Python 3
if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
uses: actions/setup-python@v2
with:
python-version: 3.x
- name: Install Molecule dependencies
if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
run: |
pip3 install ansible-base==2.10.4
pip3 install ansible==2.10.5
pip3 install ansible-lint==4.3.7
pip3 install yamllint==1.25.0
pip3 install "molecule[docker]"==3.2.2
pip3 install docker==4.4.1
- name: Run Molecule tests
if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
run: molecule test -s ${{ matrix.scenario }}
env:
PY_COLORS: "1"
ANSIBLE_FORCE_COLOR: "1"
NGINX_CRT: ${{ secrets.NGINX_CRT }}
NGINX_KEY: ${{ secrets.NGINX_KEY }}
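Review bot: `NGINX_CRT` and `NGINX_KEY` are set in the `env:` of the "Run Molecule tests" step for every matrix entry, so the licence certificate and key are exposed to the nine scenarios that do not need them as well as the three `plus` ones. Scoping them to the scenarios that use them keeps the exposure minimal, for example `NGINX_CRT: ${{ contains(matrix.scenario, 'plus') && secrets.NGINX_CRT || '' }}` and the same for `NGINX_KEY`. The `if:` guard compares `github.event.pull_request.head.repo.full_name` with `github.repository`; on `push` and `schedule` events there is no pull request object, so it is worth confirming that the `plus` scenarios are not skipped there too. The push filter is spelled `ignore-tags`, whereas the filter GitHub documents is `tags-ignore`, so the key is probably not doing what was intended.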


@ -2,14 +2,19 @@
############################
*.crt
*.key
__pycache__
*~
\#*
# OS Specific
# OS Specific #
###############
Thumbs.db
.DS_Store
.vscode
# Ansible specific
*.retry
# Ansible specific #
####################
*.retry
# Python specific #
###################
__pycache__


@ -1,56 +0,0 @@
---
language: python
services:
- docker
jobs:
include:
- name: "Install Specific Version Test - Debian"
env: scenario=default
- name: "Install Specific Version Test - Alpine"
env: scenario=default_alpine
- name: "Install Specific Version Test - CentOS"
env: scenario=default_centos
- name: "Install Modules Test - Debian"
env: scenario=module
- name: "Install Modules Test - Alpine"
env: scenario=module_alpine
- name: "Install Modules Test - CentOS"
env: scenario=module_centos
- name: "Install Stable Branch and Push Configuration Test - Debian"
env: scenario=stable_push
- name: "Install Stable Branch and Push Configuration Test - Alpine"
env: scenario=stable_push_alpine
- name: "Install Stable Branch and Push Configuration Test - CentOS"
env: scenario=stable_push_centos
- name: "Use Template Setting Test - Debian"
env: scenario=template
- name: "Use Template Setting Test - Alpine"
env: scenario=template_alpine
- name: "Use Template Setting Test - CentOS"
env: scenario=template_centos
- name: "Install Unit Test - Debian"
env: scenario=unit
- name: "Install Unit Test - Alpine"
env: scenario=unit_alpine
- name: "Install Unit Test - CentOS"
env: scenario=unit_centos
- name: "Install from Source Test - Debian"
env: scenario=source
- name: "Install from Source Test - Alpine"
env: scenario=source_alpine
- name: "Install from Source Test - CentOS"
env: scenario=source_centos
before_install:
- sudo apt-get -qq update
install:
- pip install ansible==2.9.6
- pip install molecule[docker]>=3.0.0
- pip install testinfra
- pip install ansible-lint
- pip install flake8
script:
- molecule --version
- ansible --version
- travis_wait 50 molecule test -s $scenario
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -0,0 +1,400 @@
# Changelog
## 0.19.1 (January 11, 2021)
ENHANCEMENTS:
* The GitHub actions Molecule CI/CD workflow should now correctly avoid running 'plus' related tests on external PRs.
* Update Ansible base to `2.10.4`, Ansible to `2.10.5`, Molecule to `3.2.2` and Docker Python SDK to `4.4.1`.
* Update copyright notice.
## 0.19.0 (December 23, 2020)
BREAKING CHANGES:
**The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on.
ENHANCEMENTS:
The GitHub actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push).
## 0.18.2 (December 22, 2020)
ENHANCEMENTS:
* Update Molecule to `3.2.1` and Docker Python SDK to `4.4.0`.
* Add Alpine `3.12` to supported platforms for NGINX Plus.
* Remove Alpine `3.9` and CentOS/RHEL `6` from supported platforms due to EOL.
* Replace TravisCI with GitHub actions.
## 0.18.1 (November 17, 2020)
ENHANCEMENTS:
Switch NGINX keysites and OSS default repository data from a dictionary to individual variables to prevent potential issues arisen from Jinja2 dictionary run-time evaluations.
BUG FIXES:
Fix issue whereas SELinux state would not be correctly set back to `enforcing` when `nginx_selinux: true`.
## 0.18.0 (November 13, 2020)
BREAKING CHANGES:
**The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on.
## 0.17.4 (November 12, 2020)
ENHANCEMENTS:
Implement a new syntax to specify modules to be installed. You can now use the following format if you want further fine grained control over how you install modules:
```yaml
- name: njs # Required
state: present # Optional
version: =1.19.4+0.4.4-1~bionic # Optional
```
The old method of specifying modules (using a list of names) still works as expected.
## 0.17.3 (November 9, 2020)
ENHANCEMENTS:
* Add survey to README.
* Improve README structure and use tables where relevant.
* Update Ansible (now Ansible base) to `2.10.3`, Ansible (now Ansible Community Distribution) to `2.10.3`, Ansible Lint to `4.3.7`, Molecule to `3.1.5`, and yamllint to `1.25.0`.
* Optimize NGINX Plus install/remove tasks.
BUG FIXES:
* Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs.
* Fix naming for SELinux facts dictionary.
* Role now runs correctly when using Ansible's check mode.
* Removing the NGINX Plus license in RHEL based distros should no longer return a repository not found error.
* Fix issue when removing NGINX Plus license on some distributions.
* Fix Amazon Linux NGINX Plus install while at it.
## 0.17.2 (September 24, 2020)
BUG FIXES:
Fix an issue where sometimes the role handlers will fail in distros where NGINX is not started upon installation.
## 0.17.1 (September 22, 2020)
ENHANCEMENTS:
* The role will no longer fail automatically on unsupported platforms, but the error message will still be displayed.
* The `Check NGINX` handler now always outputs an `ok` state instead of `changed` since it's a read-only operation with no traceable changes.
## 0.17.0 (September 20, 2020)
BREAKING CHANGES:
* The process to install modules has changed. You will now have to use a list variable, `nginx_modules`, instead of manually setting the modules you want to install to `true` or `false`. This change will also simplify adding future supported modules to this role. You can find a list of supported modules for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml).
* Modules can no longer be added to your NGINX config using this role. Please use the [`nginx_config`](https://github.com/nginxinc/ansible-role-nginx-config) role instead.
* Changed `nginx_configure` default value from `true` to `false` to further promote the adoption of the [NGINX config](https://github.com/nginxinc/ansible-role-nginx-config) role.
FEATURES:
* A new variable has been introduced:
* `nginx_setup_license` -- Determine whether you want to use this role to upload your NGINX license to your target host.
* The role will now fail automatically if you try to deploy NGINX from an official repository in an unsupported distribution. You can find a list of supported distributions for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)
* Three new tags have been introduced -- `nginx_setup_license`, `nginx_install` and `nginx_check_support`.
* Add Alpine 3.12 to the list of supported platforms.
* Remove Alpine 3.8 from the list of supported platforms.
* Add NGINX Plus tests to TravisCI
ENHANCEMENTS:
* Added handlers to check for NGINX syntax validity and fail if any errors are detected.
* Switch to using `ansible_facts` wherever possible.
* Major backend refactoring to reduce the number of files and tasks.
* You can now specify an `nginx_repository` for NGINX Plus too.
* Moved "constant" variables to `vars/main.yml`.
* Included deprecation warnings in task names and files.
* Improved tasks naming conventions.
* Update Ansible to `2.9.13` and Ansible Lint to `4.3.5`.
BUG FIXES:
* NGINX Plus repository data for RHEL based distros is now appropriately set.
* Building NGINX from source should now work as expected in CentOS/RHEL 6 systems running Python `2.6` or earlier versions of `2.7`.
## 0.16.0 (August 28, 2020)
BREAKING CHANGES:
The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
ENHANCEMENTS:
* Update Ansible to `2.9.12` and Ansible Lint to `4.3.2`.
* Explicitly define `mode` in relevant tasks.
* Explicitly define the `nginx` `apt_repository` filename in Debian based distros.
FEATURES:
TravisCI now always uses the latest version of Docker.
BUG FIXES:
Building OpenSSL from source should now work properly in CentOS 8.
## 0.15.0 (August 20, 2020)
DEPRECATION WARNING:
With the advent of Ansible collections and to reduce the overhead of this role, the decision has been made to split this role into three smaller roles:
* The NGINX Ansible role will keep working as is and be used to install and setup NGINX.
* There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. The NGINX configuration functionalities included in this role will be removed in an upcoming release.
* NGINX Unit now has a separate role available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. The NGINX Unit functionalities included in this role will be removed in an upcoming release.
BREAKING CHANGES:
* The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
* If you use `custom_options` you will now need to manually end each directive with a semicolon.
* The `status` directive is no longer supported in NGINX Plus, and the `stub_status` directive has been reworked into a template.
* The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need.
Old configuration example
```yaml
listen_address: localhost
listen_port: 80
udp_enable: false
```
New configuration example
```yaml
listen:
listen_localhost:
ip: 0.0.0.0 # Wrap in square brackets for IPv6 addresses
port: 80
ssl: false
opts: [] # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:').
```
The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`.
FEATURES:
* Add support to configure logrotate.
* Add support for Ubuntu Focal.
* Add support to configure SELinux.
* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both.
ENHANCEMENTS:
* Molecule tests using Testinfra have been migrated to use Ansible instead.
* The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time.
* Improve configuration cleanup capabilities. You can now remove all `*.conf` files in a given directory, or specify a list of files you wish to delete.
* Improve configuration templating capabilities:
* Add support for unix upstreams.
* Add PID templating option.
* Add support for down parameter in upstreams.
* Add option for custom error pages.
* Add SSL support to `stream` contexts.
BUG FIXES:
* `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation.
* If `http_demo_conf` was undefined the web server template interpolation would fail.
## 0.14.0 (April 22, 2020)
This is a relatively minor release, but it includes a potential breaking change (hence the version bump). The one major new feature is the ability to install/build NGINX Open Source from source.
BREAKING CHANGES:
The NGINX Controller agent can no longer be installed using this role. Please use the Ansible collection linked in the README.
FEATURES:
* Install/build NGINX from source options now available.
* Implement NGINX http sub module templating.
* NGINX config is now correctly validated each run.
* SSL Private Key data is hidden when running the role with the `--diff` flag.
BUG FIXES:
* The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository.
* Modules should now correctly install when using a specific NGINX Plus version.
## 0.13.0 (December 13, 2019)
BREAKING CHANGES:
* The new listen templating options are not backwards with the previous listen templating options. Check the `README` or `molecule/template_module/playbook.yml` for examples on how to use the new listen template.
* BSD and Linux NGINX installation tasks have undergone some major changes. As such, you may have to update your playbooks accordingly.
FEATURES:
* Improve NGINX http templating:
* Multiple server support in HTTP contexts.
* Header support.
* OCSP stapling.
* Improved proxy settings.
* Logging settings.
* Improved SSL settings.
* Improved authentication settings.
* Max body size support.
* Improved listen templating.
* Switch to Molecule for testing.
* Add support for Debian Buster.
* Support for specifying which version of NGINX to install.
* Split default variables into multiple functional files.
* Improve support for Alpine distributions.
* Support for updating or removing NGINX from your system.
* Implemented tags to support running specific tasks instead of the whole role.
BUG FIXES:
* Module installation when using NGINX Plus has been fixed.
* Websockets templating has been reenabled after being accidentally deleted.
* When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository.
## 0.12.0 (May 22, 2019)
FEATURES:
Improve NGINX http templating - following parameters are now supported:
* Websockets.
* Basic authentication.
* Proxy cache.
* Proxy redirect.
* Proxy timeouts.
* SSL.
* Root (in server context).
* Add basic NGINX stream templating.
* Add support for RHEL 8 and Alpine Linux.
BUG FIXES:
Fix module installation tasks.
## 0.11.0 (Januray 14, 2019)
FEATURES:
* Allow setting a custom apt and rpm signing key host.
* Add support for enabling an http to https redirects.
* Add ansible_managed to templates.
* Rename html_app_name to web_server_name.
* Rename load_balancer block to reverse_proxy.
* Allow setting the listen port when using SSL.
* Improve SSL defaults.
* Allow setting http or https server locations in proxy_pass.
BUG FIXES:
* Ignore undefined values for autoindex and health check.
* Clarify that the redirect variable refers to a http to https redirect.
## 0.10.1 (November 26, 2018)
BUG FIXES:
Fix HTML template to use correct variable name.
## 0.10.0 (November 26, 2018)
FEATURES:
Improve templating support for health checks, multiple location blocks, and auto indexing.
BUG FIXES:
* Fetching the NGINX signing key is now more reliable.
* Fixed HTML templating.
## 0.9.0 (October 18, 2018)
FEATURES:
* Refactor NGINX templating and file uploading.
* Add ability to upload and template HTML files.
* Add ability to upload SSL keys and certificates.
## 0.8.0 (September 17, 2018)
FEATURES:
* Add ability to install NGINX Plus Controller agent.
* Refactor installation of NGINX Amplify agent.
* Rename variables to be prefixed with `nginx_`.
BUG FIXES:
Correct spelling of name in `tasks/prerequisites/setup-debian.yml`.
## 0.7.1 (August 21, 2018)
FEATURES:
Add enabled parameter to NGINX and NGINX Unit handlers.
## 0.7.0 (August 4, 2018)
FEATURES:
* Add Amazon Linux 2 support for NGINX Plus.
* Add ability to delete NGINX Plus license after installation.
BUG FIXES:
* GeoIP module can now be properly installed.
* Module installation will no longer fail if only one module is specified.
## 0.6.0 (July 19, 2018)
FEATURES:
* Improve NGINX Unit related documentation.
* Add FreeBSD and Amazon Linux 2 support for NGINX Unit.
* Allow users to install NGINX Unit without having to also install NGINX.
## 0.5.0 (June 28, 2018)
FEATURES:
Add support for NGINX Unit.
## 0.4.0 (May 25, 2018)
FEATURES:
* Implement support for FreeBSD.
* Allow users to select the default NGINX repository.
## 0.3.0 (April 19, 2018)
FEATURES:
Improve Travis CI testing strategy.
BUG FIXES:
Fix templating and push tasks.
## 0.2.0 (April 12, 2018)
FEATURES:
Add support for all first party NGINX modules.
BUG FIXES:
* Role should now work correctly in distros with old versions of Python.
* Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false).
* Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory.
## 0.1.0 - Initial release (Januray 26, 2018)
Initial release of the NGINX Ansible role. Features include:
* Install NGINX Open Source or NGINX Plus.
* Choose between stable or mainline NGINX Open Source.
* Install NGINX Amplify.
* Install NGINX Javascript, Perl, and ModSecurity WAF NGINX modules.
* Enable the NGINX Plus REST API and dashboard.
* Upload NGINX configuration files.
* Templated NGINX configuration system.


@ -14,25 +14,26 @@ The following is a set of guidelines for contributing to the NGINX Ansible role.
* [Git Guidelines](#git-guidelines)
* [Ansible Guidelines](#ansible-guidelines)
[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/master/CODE_OF_CONDUCT.md)
[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/main/CODE_OF_CONDUCT.md)
## Ask a Question
Please open an Issue on GitHub with the label `question`.
Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`.
## Getting Started
Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/master/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role.
Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/main/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role.
### Project Structure
* The NGINX Ansible role is written in `yaml` and supports open source NGINX, NGINX Plus, NGINX Amplify, and NGINX Unit.
* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html)
* The main code is found at `tasks/`
* The main variables can be found at `defaults/main/`
* Configuration templates for NGINX can be found at `templates/`
* The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, and NGINX Amplify.
* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html):
* The main code is found in `tasks/`.
* Variables can be found in `defaults/main/*.yml`.
* "Constant" variables can be found in `vars/main.yml`.
* Configuration templates for NGINX can be found in `templates/`.
* [Molecule](https://molecule.readthedocs.io/) tests can be found in `molecule/`.
* CI/CD is done via Travis using `.travis.yml` Deployment yaml files, and Helm files are found at `deployments/`
* CI/CD is done via Travis using `.travis.yml` deployment `yaml` files.
## Contributing
@ -46,27 +47,27 @@ To suggest an enhancement, please create an issue on GitHub with the label `enha
### Open a Pull Request
* Fork the repo, create a branch, submit a PR when your changes are tested and ready for review
* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/master/.github/PULL_REQUEST_TEMPLATE.md)
* Fork the repo, create a branch, submit a PR when your changes are **tested** (ideally using Molecule) and ready for review.
* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/main/.github/PULL_REQUEST_TEMPLATE.md).
Note: if youd like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature.
## Code Guidelines
### Git Guidelines
* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR
* Follow the guidelines of writing a good commit message as described here <https://chris.beams.io/posts/git-commit/> and summarised in the next few points
* In the subject line, use the present tense ("Add feature" not "Added feature")
* In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to...")
* Limit the subject line to 72 characters or less
* Reference issues and pull requests liberally after the subject line
* Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`)
### Ansible Guidelines
* Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues.
* Run `molecule test --all` on your code to catch any other issues.
* Run `molecule test --all` on your code before you submit a PR to catch any potential issues.
* Follow these guides on some good practices for Ansible:
* <https://www.ansible.com/blog/ansible-best-practices-essentials>
* <https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html>
### Git Guidelines
* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR.
* Follow the guidelines of writing a good commit message as described here <https://chris.beams.io/posts/git-commit/> and summarised in the next few points:
* In the subject line, use the present tense ("Add feature" not "Added feature").
* In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to...").
* Limit the subject line to 72 characters or less.
* Reference issues and pull requests liberally after the subject line.
* Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`).


@ -1,414 +1,182 @@
Ansible NGINX Role
==================
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginxinc.nginx-5bbdbf.svg)](https://galaxy.ansible.com/nginxinc/nginx)
[![Build Status](https://travis-ci.org/nginxinc/ansible-role-nginx.svg?branch=master)](https://travis-ci.org/nginxinc/ansible-role-nginx)
[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nginx/workflows/Molecule%20CI/CD/badge.svg)](https://github.com/nginxinc/ansible-role-nginx/actions)
[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
This role installs NGINX Open Source, NGINX Plus, the NGINX Amplify agent, or NGINX Unit on your target host.
# 👾 *Help make the NGINX Ansible role better by participating in our [survey](https://forms.office.com/Pages/ResponsePage.aspx?id=L_093Ttq0UCb4L-DJ9gcUKLQ7uTJaE1PitM_37KR881UM0NCWkY5UlE5MUYyWU1aTUcxV0NRUllJSC4u)!* 👾
# Ansible NGINX Role
This role installs NGINX Open Source, NGINX Plus, or the NGINX Amplify agent on your target host.
**Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues.
Requirements
------------
**Deprecation Warnings:**
**Ansible**
With the advent of Ansible collections and the release of the [NGINX Core Ansible collection](https://github.com/nginxinc/ansible-collection-nginx), the decision has been made to split this role into three smaller roles and reduce the overhead of this role:
* The NGINX Ansible role will keep working as is and be used to install and setup NGINX.
* **The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. This disclaimer will be removed in a future release.
* **The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. This disclaimer will be removed in a future release.
This role was developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed.
## Requirements
Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
### Ansible
**Molecule**
* This role is developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed.
* Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
Molecule is used to test the various functionailities of the role. Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html).
### Molecule
Installation
------------
* Molecule `3.x` is used to test the various functionalities of the role.
* Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html).
**Ansible Galaxy**
## Installation
### Ansible Galaxy
Use `ansible-galaxy install nginxinc.nginx` to install the latest stable release of the role on your system.
**Git**
### Git
Use `git clone https://github.com/nginxinc/ansible-role-nginx.git` to pull the latest edge commit of the role from GitHub.
Platforms
---------
## Platforms
The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html#mainline), [NGINX Plus](https://www.nginx.com/products/technical-specs/), the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported), and [NGINX Unit](https://unit.nginx.org/installation/#official-packages):
The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html), [NGINX Plus](https://docs.nginx.com/nginx/technical-specs/), and the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported):
**NGINX Open Source**
### NGINX Open Source
```yaml
Alpine:
versions:
- 3.8
- 3.9
- 3.10
- 3.11
- 3.10
- 3.11
- 3.12
CentOS:
versions:
- 6
- 7
- 8
- 7.4+
- 8
Debian:
versions:
- stretch
- buster
FreeBSD:
versions:
- 11.2+
- 12
RedHat:
versions:
- 6
- 7.4+
- 8
- stretch
- buster
Red Hat:
- 7.4+
- 8
SUSE/SLES:
versions:
- 12
- 15
- 12
- 15
Ubuntu:
versions:
- xenial
- bionic
- xenial
- bionic
- eoan
- focal
```
**NGINX Plus**
### NGINX Plus
```yaml
Alpine:
versions:
- 3.8
- 3.9
- 3.10
- 3.11
- 3.10
- 3.11
- 3.12
Amazon Linux:
versions:
- 2018.03
- 2018.03
Amazon Linux 2:
versions:
- LTS
- any
CentOS:
versions:
- 6.5+
- 7.4+
- 8
- 7.4+
- 8
Debian:
versions:
- stretch
- buster
- stretch
- buster
FreeBSD:
versions:
- 11.2+
- 12
- 11.2+
- 12
Oracle Linux:
versions:
- 6.5+
- 7.4+
RedHat:
versions:
- 6.5+
- 7.4+
- 8
- 6.5+
- 7.4+
Red Hat:
- 7.4+
- 8
SUSE/SLES:
versions:
- 12
- 15
- 12
- 15
Ubuntu:
versions:
- xenial
- bionic
- xenial
- bionic
- eoan
- focal
```
**NGINX Amplify Agent**
### NGINX Amplify Agent
```yaml
Amazon Linux:
versions:
- 2017.09
- 2017.09
CentOS:
versions:
- 6
- 7
- 7
Debian:
versions:
- jessie
- stretch
- jessie
- stretch
Red Hat:
- 7
Ubuntu:
versions:
- xenial
- bionic
RedHat:
versions:
- 6
- 7
- xenial
- bionic
- focal
```
**NGINX Unit**
**Note:** You can also use this role to compile NGINX Open Source from source, install NGINX Open Source on compatible yet unsupported platforms, or install NGINX Open Source on BSD systems at your own risk.
```yaml
CentOS:
versions:
- 6
- 7
RedHat:
versions:
- 6
- 7
Debian:
versions:
- jessie
- stretch
- buster
Ubuntu:
versions:
- xenial
- bionic
Amazon Linux:
versions:
- 2018.03
Amazon Linux 2:
versions:
- 2
FreeBSD:
versions:
- 10
- 11
```
## Role Variables
Role Variables
--------------
This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/)** folder in the following files:
This role has multiple variables. The descriptions and defaults for all these variables can be found in the directory **`defaults/main`** in the following files:
|Name|Description|
|----|-----------|
|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/main.yml)**|NGINX installation variables|
|**[`amplify.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/amplify.yml)**|NGINX Amplify agent installation variables|
|**[`linux.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/linux.yml)**|Linux installation variables|
|**[`bsd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/bsd.yml)**|BSD installation variables|
- **[defaults/main/main.yml](./defaults/main/main.yml):** NGINX installation variables
- **[defaults/main/amplify.yml](./defaults/main/amplify.yml):** NGINX Amplify agent installation variables
- **[defaults/main/template.yml](./defaults/main/template.yml):** NGINX configuration templating variables
- **[defaults/main/upload.yml](./defaults/main/upload.yml):** NGINX configuration/HTML/SSL upload variables
- **[defaults/main/linux.yml](./defaults/main/linux.yml):** Linux installation variables
- **[defaults/main/bsd.yml](./defaults/main/bsd.yml):** BSD installation variables
- **[defaults/main/unit.yml](./defaults/main/unit.yml):** NGINX Unit installation variables
Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/)** folder in the following files:
Dependencies
------------
|Name|Description|
|----|-----------|
|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)**|List of supported NGINX platforms and modules|
None
## Example Playbooks
Example Playbook
----------------
Working functional playbook examples can be found in the **[`molecule/common/playbooks/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/)** folder in the following files:
This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX.
|Name|Description|
|----|-----------|
|**[`default_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/default_converge.yml)**|Install a specific version of NGINX and set up logrotate|
|**[`module_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/module_converge.yml)**|Install various NGINX supported modules|
|**[`plus_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/plus_converge.yml)**|Install NGINX Plus and various NGINX Plus supported modules|
|**[`source_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/source_converge.yml)**|Install NGINX from source|
```yaml
---
- hosts: localhost
become: true
roles:
- role: nginxinc.nginx
```
Do note that if you install this repository via Ansible Galaxy, you will have to replace the role variable in the sample playbooks from `ansible-role-nginx` to `nginxinc.nginx`.
This is a sample playbook file for deploying the Ansible Galaxy NGINX role to a dynamic inventory containing the `nginx` tag.
## Other NGINX Ansible Collections and Roles
```yaml
---
- hosts: tag_nginx
remote_user: root
roles:
- role: nginxinc.nginx
```
You can find the Ansible NGINX Core collection of roles to install and configure NGINX Open Source, NGINX Plus, and NGINX App Protect [here](https://github.com/nginxinc/ansible-collection-nginx).
This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a simple web server.
You can find the Ansible NGINX configuration role to configure NGINX [here](https://github.com/nginxinc/ansible-role-nginx-config).
```yaml
---
- hosts: localhost
become: true
roles:
- role: nginxinc.nginx
vars:
nginx_http_template_enable: true
nginx_http_template:
default:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
# ip: 0.0.0.0
port: 80
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
web_server:
locations:
default:
location: /
html_file_location: /usr/share/nginx/html
html_file_name: index.html
autoindex: false
http_demo_conf: false
```
You can find the Ansible NGINX App Protect role to install and configure NGINX App Protect [here](https://github.com/nginxinc/ansible-role-nginx-app-protect).
This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a reverse proxy.
You can find the Ansible NGINX Controller collection of roles to install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller).
```yaml
---
- hosts: localhost
become: true
roles:
- role: nginxinc.nginx
vars:
nginx_http_template_enable: true
nginx_http_template:
default:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
# ip: 0.0.0.0
port: 80
opts:
- default_server
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
reverse_proxy:
locations:
frontend:
location: /
proxy_pass: http://frontend_servers
backend:
location: /backend
proxy_pass: http://backend_servers
upstreams:
upstream_1:
name: frontend_servers
lb_method: least_conn
zone_name: frontend
zone_size: 64k
sticky_cookie: false
servers:
frontend_server_1:
address: 0.0.0.0
port: 8081
weight: 1
health_check: max_fails=3 fail_timeout=5s
upstream_2:
name: backend_servers
lb_method: least_conn
zone_name: backend
zone_size: 64k
sticky_cookie: false
servers:
backend_server_1:
address: 0.0.0.0
port: 8082
weight: 1
health_check: max_fails=3 fail_timeout=5s
frontend:
template_file: http/default.conf.j2
conf_file_name: frontend_default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
ip: 0.0.0.0
port: 8081
ssl: false
opts: []
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
web_server:
locations:
frontend_site:
location: /
proxy_hide_headers:
- X-Powered-By
html_file_location: /usr/share/nginx/html
html_file_name: index.html
autoindex: false
http_demo_conf: false
backend:
template_file: http/default.conf.j2
conf_file_name: backend_default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
ip: 0.0.0.0
port: 8082
ssl: false
opts: []
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
web_server:
locations:
backend_site:
location: /
html_file_location: /usr/share/nginx/html
html_file_name: index.html
autoindex: false
http_demo_conf: false
```
You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://github.com/nginxinc/ansible-role-nginx-unit).
## License
This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing NGINX Plus.
[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/main/LICENSE)
```yaml
---
- hosts: localhost
become: true
roles:
- role: nginxinc.nginx
vars:
nginx_type: plus
```
This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost to install NGINX Unit and the PHP/Perl NGINX Unit language modules.
```yaml
---
- hosts: localhost
become: true
roles:
- role: nginxinc.nginx
vars:
nginx_enable: false
nginx_unit_enable: true
nginx_unit_modules:
- unit-php
- unit-perl
```
To run any of the above sample playbooks create a `setup-nginx.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook setup-nginx.yml`.
Alternatively, you can also clone this repository instead of installing it from Ansible Galaxy. If you decide to do so, replace the role variable in the previous sample playbooks from `nginxinc.nginx` to `ansible-role-nginx`.
Other NGINX Roles
-----------------
You can find an Ansible collection of roles to help you install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller)
License
-------
[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/master/LICENSE)
Author Information
------------------
## Author Information
[Alessandro Fael Garcia](https://github.com/alessfg)
[Grzegorz Dzien](https://github.com/gdzien)
&copy; [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020
[Tom Gamull](https://github.com/magicalyak)
&copy; [F5 Networks, Inc.](https://www.f5.com/) 2018 - 2021


@ -1,7 +1,7 @@
---
# Install NGINX Amplify.
# Use your NGINX Amplify API key.
# Requires access to either the NGINX stub status or the NGINX Plus REST API.
# Requires access to either the NGINX stub_status or the NGINX Plus REST API.
# Default is null.
nginx_amplify_enable: false
nginx_amplify_api_key: null


@ -1,26 +1,16 @@
---
# Supported distributions
nginx_bsd_systems: ['FreeBSD', 'NetBSD', 'OpenBSD', 'DragonFlyBSD', 'HardenedBSD']
# Supported distributions NGINX Plus
# https://docs.nginx.com/nginx/technical-specs/
nginx_plus_bsd_systems: ['FreeBSD']
# Choose to install BSD packages or ports.
# Options are True for packages or False for ports.
# Default is True.
# Options are true for packages or false for ports.
# Default is true.
nginx_bsd_install_packages: true
# Choose to update BSD ports collection.
# Options are True for update or False for do not update.
# Default is True.
# Options are true for update or false for do not update.
# Default is true.
nginx_bsd_update_ports: true
# Choose to install packages built from BSD ports collection if
# available.
# Options are True for use packages or False for do not use packages.
# Default is True.
# Options are true for use packages or false for do not use packages.
# Default is true.
nginx_bsd_portinstall_use_packages: true
# FreeBSD extra packages
nginx_freebsd_extra_packages: ['security/ca_root_nss']


@ -1,13 +0,0 @@
---
# Supported distributions
nginx_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse']
# Supported distributions NGINX Plus
# https://docs.nginx.com/nginx/technical-specs/
# RedHat={Amazon,CentOS,OracleLinux,RHEL} Debian={Ubuntu,Debian}
nginx_plus_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse']
# Default locations and versions for install from source
pcre_version: pcre-8.43
zlib_version: zlib-1.2.11
openssl_version: openssl-1.1.1c


@ -0,0 +1,15 @@
---
# Create custom logrotate config
nginx_logrotate_conf_enable: false
nginx_logrotate_conf:
paths:
- "/var/log/nginx/*.log"
options:
- daily
- missingok
- rotate 14
- compress
- delaycompress
- notifempty
- create 0644 www-data adm # Changes nginx logs permissions
- sharedscripts
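Review bot: The `create 0644 www-data adm` option in this new defaults file makes every rotated NGINX log world-readable and hard-codes a Debian-style owner. Access and error logs routinely hold client addresses, request URIs and sometimes credentials passed in query strings, so once `nginx_logrotate_conf_enable` is switched on any local account can read them; the `www-data` user also may not exist on the Red Hat, Alpine or SUSE targets the README lists as supported, so the directive should be checked there. I would tighten the default to `- create 0640 nginx adm` (or take the owner from a variable) and make the inline comment say what the line controls, e.g. `# Owner and mode of the freshly created log file; keep it non-world-readable`. The options list also shows no `postrotate` step, so it is worth confirming that the template adds the signal that makes NGINX reopen its logs, otherwise `sharedscripts` has nothing to act on.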


@ -1,8 +1,13 @@
---
# Install NGINX.
# Enable NGINX options -- `nginx_install` and `nginx_configure`.
# Default is true.
nginx_enable: true
# Install NGINX and NGINX modules.
# Variables for these options can be found below.
# Default is true.
nginx_install: true
# Start NGINX service.
# Default is true.
nginx_start: true
@ -15,14 +20,14 @@ nginx_debug_output: false
# Default is 'opensource'.
nginx_type: opensource
# Specify which version of NGINX you want to install.
# Default is empty.
# (Optional) Specify which version of NGINX you want to install.
# Default is to install the latest release.
# nginx_version: "=19-1~bionic"
# For Plus and modules you'll need a wilcard like below (which installs plus-20 and modules)
# For NGINX Plus and modules you'll need a wilcard like below (which installs plus-20 and modules)
# nginx_version: "-20*"
# Specify whether you want to maintain your version of NGINX, upgrade to the latest version, or remove NGINX.
# Can be used with `nginx_version` to achieve fine tune control on which version of NGINX is installed/used on each playbook execution.
# Can be used with `nginx_version` to fine tune control on which version of NGINX is installed/used on each playbook execution.
# Using 'present' will install the latest version (or 'nginx_version') of NGINX on a fresh install.
# Using 'latest' will upgrade NGINX to the latest version (that matches your 'nginx_version') of NGINX on every playbook execution.
# Using 'absent' will remove NGINX from your system.
@ -36,27 +41,24 @@ nginx_state: present
nginx_install_from: nginx_repository
# Specify source install options for NGINX Open Source.
# Options represent whether to install from source also
# or to install from packages (default). These only apply
# if 'nginx_install_from' is set to 'source'
# For the tools, true means we will isntall from a package
# and false means install from source.
# 'nginx_install_source_build_tools' will install compiler
# and build tools from packages. If false, you need to have
# these present.
# Options represent whether to install from source also or to install from packages (default).
# These only apply if 'nginx_install_from' is set to 'source'.
# For the tools, true means we will install from a package and false means install from source.
# 'nginx_install_source_build_tools' will install compiler and build tools from packages.
# If false, you need to have these present.
nginx_install_source_build_tools: true
nginx_install_source_pcre: false
nginx_install_source_openssl: true
nginx_install_source_zlib: false
# Choose where to fetch the NGINX signing key from.
# (Optional) Choose where to fetch the NGINX signing key from.
# Default is the official NGINX signing key host.
# nginx_signing_key: http://nginx.org/keys/nginx_signing.key
# Specify source repository for NGINX Open Source.
# Only works if 'install_from' is set to 'nginx_repository'.
# (Optional) Specify repository for NGINX Open Source or NGINX Plus.
# Only works if 'install_from' is set to 'nginx_repository' when installing NGINX Open Source.
# Defaults are the official NGINX repositories.
# nginx_repository: deb https://nginx.org/packages/mainline/debian/ stretch nginx
# nginx_repository: deb [arch=amd64] https://nginx.org/packages/mainline/debian/ buster nginx
# Specify which branch of NGINX Open Source you want to install.
# Options are 'mainline' or 'stable'.
@ -70,24 +72,37 @@ nginx_license:
certificate: license/nginx-repo.crt
key: license/nginx-repo.key
# Set up NGINX Plus license before installation.
# Default is true.
nginx_setup_license: true
# Remove NGINX Plus license and repository after installation for security purposes.
# Default is false.
nginx_delete_license: false
# Default is true.
nginx_remove_license: true
# Install NGINX JavaScript, Perl, ModSecurity WAF (NGINX Plus only), GeoIP, Image-Filter, RTMP Media Streaming (NGINX Plus only), and/or XSLT modules.
# Default is false.
nginx_modules:
njs: false
perl: false
waf: false
geoip: false
image_filter: false
rtmp: false
xslt: false
# Remove previously existing NGINX configuration files.
# Use a list of paths you wish to remove.
# Default is false.
nginx_cleanup_config: false
nginx_cleanup_config_path:
- /etc/nginx/conf.d
# Install NGINX Modules.
# You can select any of the modules listed below. Beware of NGINX Plus only modules (these are marked).
# Format is list with either the module name or a dictionary (see njs for an example).
# When using a dictionary, the default value for state is present, and for version it's nginx_version if specified.
# Default is an empty list (no modules are installed).
nginx_modules: []
# - auth-spnego # NGINX Plus
# - brotli # NGINX Plus
# - cookie-flag # NGINX Plus
# - encrypted-session # NGINX Plus
# - geoip
# - geoip2 # NGINX Plus
# - headers-more # NGINX Plus
# - image-filter
# - lua # NGINX Plus
# - name: njs # Required
# state: present # Optional
# version: =1.19.4+0.4.4-1~bionic # Optional
# - opentracing # NGINX Plus
# - passenger # NGINX Plus
# - perl # NGINX Plus
# - prometheus # NGINX Plus
# - rtmp
# - subs-filter # NGINX Plus
# - waf # NGINX Plus
# - xslt


@ -0,0 +1,15 @@
---
# Set SELinux enforcing for NGINX (CentOS/Red Hat only) - you may need to open ports on your own
nginx_selinux: false
# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
nginx_selinux_enforcing: true
# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
# nginx_selinux_tcp_ports:
# - 80
# - 443
# List of UDP ports to add to http_port_t type
# nginx_selinux_udp_ports:
# - 80
# - 443
# Temporary directory to hold selinux modules
nginx_selinux_tempdir: /tmp
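Review bot: The default `nginx_selinux_tempdir: /tmp` on the last line of this new defaults file stages SELinux policy modules in a world-writable directory. The tasks that write and load the module are not part of this file, so the exact usage is inferred, but if they use a fixed file name under that path, another local user could pre-create or swap the file before it is loaded with root privileges. A private directory is the safer default. I would at least add the comment `# Prefer a root-owned directory (mode 0700) on multi-user hosts; /tmp is world-writable` above the variable, or have the role create the directory with the `tempfile` module rather than accept a shared path.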


@ -0,0 +1,43 @@
---
# Enable systemd modifications
# ** ALL of the following variables are ignored unless this is set to true **
nginx_service_modify: false
# Remove the override file completely
nginx_service_clean: false
# Override the systemd directory
# Default is /etc/systemd/system/nginx.service.d
nginx_service_overridepath: /etc/systemd/system/nginx.service.d
# Override the systemd filename
# Default is override.conf
nginx_service_overridefilename: override.conf
# Set service timeout for systemd systems in seconds (default: 90)
# [Service]
# TimeoutStopSec=90
# Default is to comment this out
# nginx_service_timeoutstopsec: 90
# Set the restart policy for systemd systems
# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
# [Service]
# Restart=on-failure
# Default is to comment this out
# nginx_service_restart: on-failure
# Set the restart timer in seconds
# [Service]
# RestartSec=5s
# Default is to comment this out
# nginx_service_restartsec: 5s
# Enable a custom systemd override file
# ** This could break the service **
# Setting this to true disables custom values above
nginx_service_custom: false
# Filename and path for systemd override file
# Setting this will overwrite existing override file
nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"


@ -1,369 +0,0 @@
---
# Enable creating dynamic templated NGINX HTML demo websites.
nginx_html_demo_template_enable: false
nginx_html_demo_template:
default:
template_file: www/index.html.j2
html_file_name: index.html
html_file_location: /usr/share/nginx/html
web_server_name: Default
# Enable creating dynamic templated NGINX configuration files.
# Defaults are the values found in a fresh NGINX installation.
nginx_main_template_enable: false
nginx_main_template:
template_file: nginx.conf.j2
conf_file_name: nginx.conf
conf_file_location: /etc/nginx/
user: nginx
worker_processes: auto
# worker_rlimit_nofile: 1024
error_log:
location: /var/log/nginx/error.log
level: warn
worker_connections: 1024
http_enable: true
http_settings:
access_log_format:
- name: main
format: |-
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
access_log_location:
- name: main
location: /var/log/nginx/access.log
tcp_nopush: true
tcp_nodelay: true
keepalive_timeout: 65
cache: false
rate_limit: false
keyval: false
# server_tokens: "off"
http_global_autoindex: false
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
# http_custom_options: []
stream_enable: false
# stream_custom_options: []
# auth_request_http: /auth
# auth_request_set_http:
# name: $auth_user
# value: $upstream_http_x_user
# Enable creating dynamic templated NGINX HTTP configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
# the options available for templating. Each key represents a new configuration file.
nginx_http_template_enable: false
nginx_http_template:
default:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
ip: localhost # Wrap in square brackets for IPv6 addresses
port: 8081
ssl: true
opts: [] # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:').
server_name: localhost
include_files: []
error_page: /usr/share/nginx/html
access_log:
- name: main
location: /var/log/nginx/access.log
error_log:
location: /var/log/nginx/error.log
level: warn
root: /usr/share/nginx/html
# https_redirect: $host
autoindex: false
auth_basic: null
auth_basic_user_file: null
try_files: $uri $uri/index.html $uri.html =404
# auth_request: /auth
# auth_request_set:
# name: $auth_user
# value: $upstream_http_x_user
client_max_body_size: 1m
proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application
add_headers:
strict_transport_security:
name: Strict-Transport-Security
value: max-age=15768000; includeSubDomains
always: true
# header_name:
# name: Header-X
# value: Value-X
# always: false
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
dhparam: /etc/ssl/private/dh_param.pem
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
prefer_server_ciphers: true
session_cache: none
session_timeout: 5m
disable_session_tickets: false
trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt
stapling: true
stapling_verify: true
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
# custom_options: []
web_server:
locations:
default:
location: /
include_files: []
proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application
add_headers:
strict_transport_security:
name: Strict-Transport-Security
value: max-age=15768000; includeSubDomains
always: true
# header_name:
# name: Header-X
# value: Value-X
# always: false
html_file_location: /usr/share/nginx/html
html_file_name: index.html
autoindex: false
auth_basic: null
auth_basic_user_file: null
try_files: $uri $uri/index.html $uri.html =404
# auth_request: /auth
# auth_request_set:
# name: $auth_user
# value: $upstream_http_x_user
client_max_body_size: 1m
# returns:
# return302:
# code: 302
# url: https://sso.somehost.local/?url=https://$http_host$request_uri
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
# custom_options: []
http_demo_conf: false
reverse_proxy:
locations:
backend:
location: /
include_files: []
proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application
add_headers:
strict_transport_security:
name: Strict-Transport-Security
value: max-age=15768000; includeSubDomains
always: true
# header_name:
# name: Header-X
# value: Value-X
# always: false
proxy_connect_timeout: null
proxy_pass: http://backend
# rewrites:
# - /foo(.*) /$1 break
# proxy_pass_request_body: off
# allows:
# - 192.168.1.0/24
# denies:
# - all
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
# header_upgrade:
# name: Upgrade
# value: $http_upgrade
# header_connection:
# name: Connection
# value: "Upgrade"
# header_random:
# name: RandomName
# value: RandomValue
# internal: false
# proxy_store: off
# proxy_store_acccess: user:rw
proxy_read_timeout: null
proxy_send_timeout: null
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
proxy_cache: backend_proxy_cache
proxy_cache_valid:
- code: 200
time: 10m
- code: 301
time: 1m
proxy_temp_path:
path: /var/cache/nginx/proxy/backend/temp
proxy_cache_lock: false
proxy_cache_min_uses: 3
proxy_cache_revalidate: false
proxy_cache_use_stale:
- http_403
- http_404
proxy_ignore_headers:
- Vary
- Cache-Control
proxy_cookie_path:
path: /web/
replacement: /
proxy_buffering: false
proxy_http_version: 1.0
websocket: false
auth_basic: null
auth_basic_user_file: null
try_files: $uri $uri/index.html $uri.html =404
# auth_request: /auth
# auth_request_set:
# name: $auth_user
# value: $upstream_http_x_user
# returns:
# return302:
# code: 302
# url: https://sso.somehost.local/?url=https://$http_host$request_uri
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
# custom_options: []
health_check_plus: false
returns:
return301:
location: /
code: 301
value: http://$host$request_uri
proxy_cache:
proxy_cache_path:
- path: /var/cache/nginx/proxy/backend
keys_zone:
name: backend_proxy_cache
size: 10m
levels: "1:2"
max_size: 10g
inactive: 60m
use_temp_path: true
proxy_temp_path:
path: /var/cache/nginx/proxy/temp
proxy_cache_valid:
- code: 200
time: 10m
- code: 301
time: 1m
proxy_cache_lock: true
proxy_cache_min_uses: 5
proxy_cache_revalidate: true
proxy_cache_use_stale:
- error
- timeout
proxy_ignore_headers:
- Expires
upstreams:
upstream1:
name: backend
lb_method: least_conn
zone_name: backend_mem_zone
zone_size: 64k
sticky_cookie: false
servers:
server1:
address: localhost
port: 8081
weight: 1
health_check: max_fails=1 fail_timeout=10s
# custom_options: []
# custom_options: []
# Enable NGINX status data.
# Will enable 'stub_status' in NGINX Open Source and 'status' in NGINX Plus.
# Note - 'status' has been deprecated since NGINX Plus R13.
# Default is false.
nginx_status_enable: false
nginx_status_location: /etc/nginx/conf.d/stub_status.conf
nginx_status_port: 80
# Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard.
# Requires NGINX Plus.
# Default is false.
nginx_rest_api_enable: false
nginx_rest_api_template_file: http/api.conf.j2
nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf
nginx_rest_api_port: 80
nginx_rest_api_write: false
nginx_rest_api_dashboard: false
# Enable creating dynamic templated NGINX stream configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
# the options available for templating. Each key represents a new configuration file.
nginx_stream_template_enable: false
nginx_stream_template:
default:
template_file: stream/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/stream/
network_streams:
default:
listen_address: localhost
listen_port: 80
udp_enable: false
include_files: []
proxy_pass: backend
proxy_timeout: 3s
proxy_connect_timeout: 1s
proxy_protocol: false
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
key: /etc/ssl/private/proxy_default.key
trusted_cert: /etc/ssl/certs/proxy_ca.crt
protocols: TLSv1 TLSv1.1 TLSv1.2
ciphers: HIGH:!aNULL:!MD5
verify: false
verify_depth: 1
session_reuse: true
health_check_plus: false
# custom_options: []
upstreams:
upstream1:
name: backend
lb_method: least_conn
zone_name: backend
zone_size: 64k
sticky_cookie: false
servers:
server1:
address: localhost
port: 8080
weight: 1
health_check: max_fails=1 fail_timeout=10s
# custom_options: []
# custom_options: []


@ -1,6 +0,0 @@
---
# Install NGINX Unit and NGINX Unit modules.
# Use a list of supported NGINX Unit modules.
# Default is false.
nginx_unit_enable: false
nginx_unit_modules: null


@ -1,26 +0,0 @@
---
# Enable uploading NGINX configuration files to your system.
# Default for uploading files is false.
# Default location of files is the files folder within the NGINX Ansible role.
# Upload the main NGINX configuration file.
nginx_main_upload_enable: false
nginx_main_upload_src: conf/nginx.conf
nginx_main_upload_dest: /etc/nginx/
# Upload HTTP NGINX configuration files.
nginx_http_upload_enable: false
nginx_http_upload_src: conf/http/*.conf
nginx_http_upload_dest: /etc/nginx/conf.d/
# Upload Stream NGINX configuration files.
nginx_stream_upload_enable: false
nginx_stream_upload_src: conf/stream/*.conf
nginx_stream_upload_dest: /etc/nginx/conf.d/
# Upload HTML files.
nginx_html_upload_enable: false
nginx_html_upload_src: www/*
nginx_html_upload_dest: /usr/share/nginx/html
# Upload SSL certificates and keys.
nginx_ssl_upload_enable: false
nginx_ssl_crt_upload_src: ssl/*.crt
nginx_ssl_crt_upload_dest: /etc/ssl/certs/
nginx_ssl_key_upload_src: ssl/*.key
nginx_ssl_key_upload_dest: /etc/ssl/private/


@ -0,0 +1,2 @@
[Service]
TimeoutStopSec=90


@ -1,25 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>


@ -1,39 +1,39 @@
---
- name: "(Handler: All OSs) Run NGINX"
block:
- name: "(Handler: All OSs) Start NGINX"
service:
name: nginx
state: started
enabled: yes
notify: "(Handler: All OSs) Check NGINX"
- name: "(Handler: All OSs) Reload NGINX"
command: "nginx -s reload"
changed_when: false
- name: (Handler) Systemd daemon-reload
systemd:
daemon_reload: yes
- name: (Handler) Start/reload NGINX
service:
name: nginx
state: reloaded
enabled: yes
when:
- nginx_start | bool
- not ansible_check_mode
- not ansible_check_mode | bool
listen: (Handler) Run NGINX
- name: "(Handler: All OSs) Start NGINX Amplify Agent"
- name: (Handler) Check NGINX
command: nginx -t
register: config_check
ignore_errors: yes
check_mode: no
changed_when: false
listen: (Handler) Run NGINX
- name: (Handler) Print NGINX error if syntax check fails
debug:
var: config_check.stderr_lines
failed_when: config_check.rc != 0
when:
- config_check.stderr_lines is defined
- config_check.rc != 0
listen: (Handler) Run NGINX
- name: (Handler) Start NGINX Amplify agent
service:
name: amplify-agent
state: started
- name: "(Handler: Debian/Ubuntu/CentOS/RedHat) Start NGINX Unit"
service:
name: unit
state: started
enabled: yes
- name: "(Handler: FreeBSD) Start NGINX Unit"
service:
name: unitd
state: started
enabled: yes
- name: "(Handler: All OSs) Check NGINX"
command: "nginx -t"
changed_when: false
- name: (Handler) Run logrotate
command: logrotate -f /etc/logrotate.d/nginx
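Review bot: The `(Handler) Check NGINX` task (`nginx -t`) is defined after `(Handler) Start/reload NGINX`, and both listen on `(Handler) Run NGINX`, so the syntax check runs only after the reload has already been attempted. Handlers sharing a `listen` topic run in the order they are defined, so a broken configuration reaches `state: reloaded` before anything validates it, and with `ignore_errors: yes` on the check the failure only surfaces in the later print task. Moving the check and the print task above the reload handler would fail the play before the service is touched. The old/new markers are lost on this page, so which handlers belong to the new side is inferred from the `(Handler) …` names. Separately, `(Handler) Run logrotate` runs `logrotate -f` with no `changed_when`, so it always reports a change.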


@ -1,2 +1,2 @@
install_date: Fri May 15 21:51:16 2020
version: 0.14.0
install_date: Sat Feb 20 13:56:47 2021
version: 0.19.1


@ -2,7 +2,8 @@
galaxy_info:
author: Alessandro Fael Garcia
description: Official Ansible role for NGINX
company: NGINX, Inc.
role_name: nginx
company: F5 Networks, Inc.
license: Apache License, Version 2.0
@ -11,19 +12,21 @@ galaxy_info:
platforms:
- name: Alpine
versions:
- all
- any
- name: Amazon
versions:
- Candidate
- 2018.03
- name: Amazon Linux 2
versions:
- any
- name: Debian
versions:
- jessie
- stretch
- buster
- name: EL
versions:
- 6
- 7
- 8
- name: FreeBSD
versions:
- 11.2
@ -32,6 +35,7 @@ galaxy_info:
versions:
- xenial
- bionic
- focal
- name: SLES
versions:
- 12
@ -40,11 +44,11 @@ galaxy_info:
galaxy_tags:
- nginx
- oss
- opensource
- plus
- amplify
- unit
- web
- server
- development
- install
dependencies: []


@ -17,27 +17,27 @@ ENV {{ var }} {{ value }}
RUN \
if [ $(command -v apt-get) ]; then \
apt-get update \
&& apt-get install -y python3 sudo bash ca-certificates iproute2 python3-apt aptitude systemd systemd-sysv procps curl \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \
&& apt-get clean; \
elif [ $(command -v dnf) ]; then \
dnf makecache \
&& dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 bash iproute \
&& dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \
&& dnf clean all; \
elif [ $(command -v yum) ]; then \
yum makecache fast \
&& yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute \
&& yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
&& sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
&& yum clean all; \
elif [ $(command -v zypper) ]; then \
zypper refresh \
&& zypper install -y python3 sudo bash iproute2 \
&& zypper install -y bash iproute2 python3 sudo vim \
&& zypper clean -a; \
elif [ $(command -v apk) ]; then \
apk update \
&& apk add --no-cache python3 sudo bash ca-certificates curl openrc; \
&& apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
elif [ $(command -v xbps-install) ]; then \
xbps-install -Syu \
&& xbps-install -y python3 sudo bash ca-certificates iproute2 \
&& xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
&& xbps-remove -O; \
fi


@ -1,44 +0,0 @@
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}


@ -1,31 +0,0 @@
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}


@ -1,20 +0,0 @@
---
- name: Converge
hosts: all
pre_tasks:
- name: "Set repo if Alpine"
set_fact:
version: "=1.17.8-r1"
when: ansible_os_family == "Alpine"
- name: "Set repo if Debian"
set_fact:
version: "=1.17.8-1~{{ ansible_distribution_release }}"
when: ansible_os_family == "Debian"
- name: "Set repo if RedHat"
set_fact:
version: "-1.17.8-1.el{{ ansible_distribution_major_version }}.ngx"
when: ansible_os_family == "RedHat"
roles:
- role: ansible-role-nginx
vars:
nginx_version: "{{ version }}"


@ -1,16 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_modules:
njs: true
perl: true
waf: false
geoip: true
image_filter: true
rtmp: true
xslt: true


@ -1,19 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_install_from: source
nginx_branch: mainline
nginx_install_source_build_tools: true
nginx_install_source_pcre: false
nginx_install_source_openssl: true
nginx_install_source_zlib: false
nginx_main_upload_enable: true
nginx_main_upload_src: files/nginx.conf
nginx_http_upload_enable: true
nginx_http_upload_src: files/http/*.conf


@ -1,13 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_branch: stable
nginx_main_upload_enable: true
nginx_main_upload_src: files/nginx.conf
nginx_http_upload_enable: true
nginx_http_upload_src: files/http/*.conf


@ -1,353 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_main_template_enable: true
nginx_main_template:
template_file: nginx.conf.j2
conf_file_name: nginx.conf
conf_file_location: /etc/nginx/
user: nginx
worker_processes: auto
error_log:
location: /var/log/nginx/error.log
level: warn
worker_connections: 1024
http_enable: true
http_settings:
access_log_format:
- name: main
format: |
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
access_log_location:
- name: main
location: /var/log/nginx/access.log
keepalive_timeout: 65
cache: false
rate_limit: false
keyval: false
server_tokens: "off"
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
stream_enable: true
http_global_autoindex: false
nginx_http_template_enable: true
nginx_http_template:
app:
template_file: http/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
ip: 0.0.0.0
port: 80
opts:
- default_server
server_name: localhost
error_page: /usr/share/nginx/html
client_max_body_size: 512k
proxy_hide_headers:
- X-Powered-By
add_headers:
strict_transport_security:
name: Strict-Transport-Security
value: max-age=15768000; includeSubDomains
always: true
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
# custom_options: []
reverse_proxy:
locations:
frontend:
location: /
proxy_hide_headers:
- X-Powered-By
add_headers:
strict_transport_security:
name: Strict-Transport-Security
value: max-age=15768000; includeSubDomains
always: true
another_header:
name: Fancy-New-Header-To-Test
value: testing=true
always: false
proxy_pass: http://frontend_servers/
proxy_cache: frontend_proxy_cache
proxy_cache_valid:
- code: 200
time: 10m
- code: 301
time: 1m
proxy_temp_path:
path: /var/cache/nginx/proxy/frontend/temp
proxy_cache_lock: false
proxy_cache_min_uses: 3
proxy_cache_revalidate: false
proxy_cache_use_stale:
- http_403
- http_404
proxy_ignore_headers:
- Vary
- Cache-Control
proxy_redirect: false
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
proxy_buffering: false
client_max_body_size: 5m
sub_filter:
# sub_filters: []
last_modified: "off"
once: "on"
types: "text/html"
backend:
location: /backend
proxy_pass: http://backend_servers/
proxy_cache: backend_proxy_cache
proxy_cache_valid:
- time: 10m
proxy_temp_path:
path: /var/cache/nginx/proxy/backend/temp
proxy_cache_lock: true
proxy_cache_min_uses: 2
proxy_cache_revalidate: true
proxy_cache_use_stale:
- http_500
- http_502
- http_503
proxy_redirect: default
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
proxy_cookie_path:
path: /web/
replacement: /
returns:
return301:
location: ^~ /old-path
code: 301
value: http://$host/new-path
proxy_cache:
proxy_cache_path:
- path: /var/cache/nginx/proxy/frontend
keys_zone:
name: frontend_proxy_cache
size: 5m
levels: "1:2"
max_size: 5g
inactive: 30m
use_temp_path: true
- path: /var/cache/nginx/proxy/backend
keys_zone:
name: backend_proxy_cache
size: 10m
levels: "1:2"
max_size: 10g
inactive: 60m
use_temp_path: true
proxy_temp_path:
path: /var/cache/nginx/proxy/temp
proxy_cache_lock: true
proxy_cache_min_uses: 5
proxy_cache_revalidate: true
proxy_cache_use_stale:
- error
- timeout
proxy_ignore_headers:
- Expires
upstreams:
frontend_upstream:
name: frontend_servers
lb_method: least_conn
zone_name: frontend_mem_zone
zone_size: 64k
sticky_cookie: false
servers:
frontend_server_1:
address: 0.0.0.0
port: 8081
weight: 1
health_check: max_fails=3 fail_timeout=5s
backend_upstream:
name: backend_servers
lb_method: least_conn
zone_name: backend_mem_zone
zone_size: 64k
sticky_cookie: false
servers:
backend_server_1:
address: 0.0.0.0
port: 8082
weight: 1
health_check: max_fails=3 fail_timeout=5s
frontend:
template_file: http/default.conf.j2
conf_file_name: frontend_default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
port: 8081
opts: []
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
sub_filter:
sub_filters:
- "'server_hostname' '$hostname'"
- "'server_address' '$server_addr:$server_port'"
- "'server_url' '$request_uri'"
- "'remote_addr' '$remote_addr:$remote_port'"
- "'server_date' '$time_local'"
- "'client_browser' '$http_user_agent'"
- "'request_id' '$request_id'"
- "'nginx_version' '$nginx_version'"
- "'document_root' '$document_root'"
- "'proxied_for_ip' '$http_x_forwarded_for'"
last_modified: "off"
once: "off"
types: "text/html"
web_server:
locations:
frontend_site:
location: /
proxy_hide_headers:
- X-Powered-By
html_file_location: /usr/share/nginx/html
html_file_name: frontend_index.html
autoindex: false
sub_filter:
# sub_filters: []
last_modified: "off"
once: "off"
types: "text/html"
http_demo_conf: false
backend:
template_file: http/default.conf.j2
conf_file_name: backend_default.conf
conf_file_location: /etc/nginx/conf.d/
servers:
server1:
listen:
listen_localhost:
port: 8082
opts: []
server_name: localhost
error_page: /usr/share/nginx/html
autoindex: false
sub_filter:
sub_filters:
- "'server_hostname' '$hostname'"
- "'server_address' '$server_addr:$server_port'"
- "'server_url' '$request_uri'"
- "'remote_addr' '$remote_addr:$remote_port'"
- "'server_date' '$time_local'"
- "'client_browser' '$http_user_agent'"
- "'request_id' '$request_id'"
- "'nginx_version' '$nginx_version'"
- "'document_root' '$document_root'"
- "'proxied_for_ip' '$http_x_forwarded_for'"
last_modified: "off"
once: "off"
types: "text/html"
web_server:
locations:
backend_site:
location: /
html_file_location: /usr/share/nginx/html
html_file_name: backend_index.html
autoindex: false
php:
location: ~ \.php$
html_file_location: /usr/share/nginx/html
autoindex: false
custom_options:
- fastcgi_split_path_info ^(.+\.php)(/.+)$
- fastcgi_pass unix:/run/php/php7.2-fpm.sock
- fastcgi_index index.php
- include fastcgi_params
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name
sub_filter:
# sub_filters: []
last_modified: "off"
once: "off"
types: "text/html"
http_demo_conf: false
nginx_html_demo_template_enable: true
nginx_html_demo_template:
frontend:
template_file: www/index.html.j2
html_file_name: frontend_index.html
html_file_location: /usr/share/nginx/html
web_server_name: Frontend
backend:
template_file: www/index.html.j2
html_file_name: backend_index.html
html_file_location: /usr/share/nginx/html
web_server_name: Backend
nginx_stream_template_enable: true
nginx_stream_template:
default:
template_file: stream/default.conf.j2
conf_file_name: default.conf
conf_file_location: /etc/nginx/conf.d/stream
network_streams:
app:
listen_address: 0.0.0.0
listen_port: 8090
udp_enable: false
proxy_pass: backend
proxy_timeout: 3s
proxy_connect_timeout: 1s
proxy_protocol: false
health_check_plus: false
upstreams:
backend_upstream:
name: backend
lb_method: least_conn
zone_name: backend
zone_size: 64k
sticky_cookie: false
servers:
backend_server_1:
address: 0.0.0.0
port: 8091
weight: 1
health_check: max_fails=1 fail_timeout=10s


@ -1,30 +0,0 @@
---
- name: Converge
hosts: all
pre_tasks:
- name: "Set module if Alpine"
set_fact:
module:
- "unit-perl"
- "unit-php7"
- "unit-python3"
when: ansible_os_family == "Alpine"
- name: "Set module if Debian/RedHat"
set_fact:
module:
- "unit-perl"
- "unit-php"
- "unit-ruby"
when: ansible_os_family == "Debian"
- name: "Set module if RedHat"
set_fact:
module:
- "unit-php"
- "unit-go"
when: ansible_os_family == "RedHat"
roles:
- role: ansible-role-nginx
vars:
nginx_enable: false
nginx_unit_enable: true
nginx_unit_modules: "{{ module }}"


@ -0,0 +1,47 @@
---
- name: Converge
hosts: all
pre_tasks:
- name: Set repo if Alpine
set_fact:
version: "=1.19.1-r1"
when: ansible_facts['os_family'] == "Alpine"
- name: Set repo if Debian
set_fact:
version: "=1.19.1-1~{{ ansible_facts['distribution_release'] }}"
when: ansible_facts['os_family'] == "Debian"
- name: Set repo if Red Hat
set_fact:
version: "-1.19.1-1.el{{ ansible_facts['distribution_major_version'] }}.ngx"
when: ansible_facts['os_family'] == "RedHat"
- name: Enable NGINX @CentOS-AppStream dnf modules
shell:
args:
cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx # noqa 204 303
register: dnf_module_enable
changed_when: dnf_module_enable.stdout != 'ENABLED'
when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==')
tasks:
- name: Install NGINX
include_role:
name: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_selinux: true
nginx_selinux_tcp_ports:
- 80
- 443
nginx_version: "{{ version }}"
nginx_configure: false
nginx_logrotate_conf_enable: true
nginx_logrotate_conf:
paths:
- /var/log/nginx/*.log
options:
- daily
- missingok
- rotate 14
- compress
- delaycompress
- notifempty
- sharedscripts
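Review bot: The `Enable NGINX @CentOS-AppStream dnf modules` pre-task packs a state check and a state change into one `shell` line of the form `A && B || C`, and needs a `# noqa` suppression to pass the linter. In that form `dnf module enable -y nginx` also runs whenever `dnf module info nginx` itself fails, so a repository error is indistinguishable from "not enabled". Splitting it into a `command: dnf module info nginx` task that registers its output with `changed_when: false`, followed by a second task that enables the module only when the registered stdout lacks the enabled marker, removes the pipe and the over-long line and makes each failure visible on its own task.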


@ -0,0 +1,24 @@
---
- name: Verify
hosts: all
tasks:
- name: Check if NGINX is installed
package:
name: nginx
check_mode: yes
register: install
failed_when: (install is changed) or (install is failed)
- name: Check if NGINX service is running
service:
name: nginx
state: started
enabled: yes
check_mode: yes
register: service
failed_when: (service is changed) or (service is failed)
- name: Verify NGINX is up and running
uri:
url: http://localhost
status_code: 200


@ -0,0 +1,26 @@
---
- name: Converge
hosts: all
tasks:
- name: Install NGINX modules
include_role:
name: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_service_modify: true
nginx_service_timeout: 95
nginx_selinux: true
nginx_selinux_tcp_ports:
- 80
- 443
nginx_modules:
- brotli
- geoip
- image-filter
- name: njs
# version: =1.19.4+0.4.4-1~bionic
state: present
- perl
- xslt
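Review bot: `nginx_service_timeout: 95` does not match any variable documented in the systemd defaults added in this commit, which name the stop timeout `nginx_service_timeoutstopsec`. The role's tasks and templates are not visible here, but if they read only the documented name, this scenario turns on `nginx_service_modify` without ever setting a timeout, so the override is not exercised with a value. I would write `nginx_service_timeoutstopsec: 95`, or document `nginx_service_timeout` in the defaults if that is the name the template actually uses.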


@ -0,0 +1,24 @@
---
- name: Verify
hosts: all
tasks:
- name: Check if NGINX is installed
package:
name: nginx
check_mode: yes
register: install
failed_when: (install is changed) or (install is failed)
- name: Check if NGINX service is running
service:
name: nginx
state: started
enabled: yes
check_mode: yes
register: service
failed_when: (service is changed) or (service is failed)
- name: Verify NGINX is up and running
uri:
url: http://localhost
status_code: 200


@ -0,0 +1,32 @@
---
- name: Converge
hosts: all
tasks:
- name: Install NGINX
include_role:
name: ansible-role-nginx
vars:
nginx_type: plus
nginx_license:
certificate: license/nginx-repo.crt
key: license/nginx-repo.key
nginx_remove_license: false
nginx_modules:
- auth-spnego
- brotli
- cookie-flag
- encrypted-session
- geoip
- geoip2
- headers-more
- image-filter
- lua
- modsecurity
- njs
- opentracing
- passenger
- perl
- prometheus
- rtmp
- subs-filter
- xslt


@ -0,0 +1,18 @@
---
- name: Prepare
hosts: localhost
gather_facts: false
tasks:
- name: Create ephemeral license certificate file from b64 decoded env var
copy:
content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
dest: ../../../files/license/nginx-repo.crt
force: no
mode: 0444
- name: Create ephemeral license key file from b64 decoded env var
copy:
content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
dest: ../../../files/license/nginx-repo.key
force: no
mode: 0444
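Review bot: The second task writes the decoded NGINX Plus private key to `../../../files/license/nginx-repo.key` with `mode: 0444`, so every local user on the controller or CI runner can read it; use `mode: "0400"` for the key (the certificate can stay readable). Neither task sets `no_log: true`, so a run with `--diff` may print the decoded material into the job log. `force: no` also keeps a file left over from an earlier run instead of refreshing it, and nothing visible here removes these "ephemeral" files afterwards, so it is worth confirming that a cleanup step and an ignore rule for `files/license/` exist elsewhere in the repository.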


@ -0,0 +1,24 @@
---
- name: Verify
hosts: all
tasks:
- name: Check if NGINX is installed
package:
name: nginx-plus
check_mode: yes
register: install
failed_when: (install is changed) or (install is failed)
- name: Check if NGINX service is running
service:
name: nginx
state: started
enabled: yes
check_mode: yes
register: service
failed_when: (service is changed) or (service is failed)
- name: Verify NGINX is up and running
uri:
url: http://localhost
status_code: 200


@ -0,0 +1,16 @@
---
- name: Converge
hosts: all
tasks:
- name: Install NGINX from source
include_role:
name: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_install_from: source
nginx_branch: stable
nginx_install_source_build_tools: true
nginx_install_source_pcre: true
nginx_install_source_openssl: true
nginx_install_source_zlib: true


@ -0,0 +1,17 @@
---
- name: Verify
hosts: all
tasks:
- name: Check if NGINX service is running
service:
name: nginx
state: started
enabled: yes
check_mode: yes
register: service
failed_when: (service is changed) or (service is failed)
- name: Verify NGINX is up and running
uri:
url: http://localhost
status_code: 200


@ -1,30 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_nginx_is_installed(host):
ngx = host.package("nginx")
assert ngx.is_installed
def test_nginx_running_and_enabled(host):
ngx = host.service("nginx")
assert ngx.is_running
assert ngx.is_enabled
def test_hosts_file(host):
ngx = host.file('/etc/hosts')
assert ngx.exists
assert ngx.user == 'root'
assert ngx.group == 'root'
def test_endpoint(host):
command = """curl -I http://localhost/"""
cmd = host.run(command)
assert '200 OK' in cmd.stdout


@ -1,30 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_nginx_is_installed(host):
ngx = host.package("nginx")
assert ngx.is_installed
def test_nginx_running_and_enabled(host):
ngx = host.service("nginx")
assert ngx.is_running
assert ngx.is_enabled
def test_hosts_file(host):
ngx = host.file('/etc/hosts')
assert ngx.exists
assert ngx.user == 'root'
assert ngx.group == 'root'
def test_endpoint(host):
command = """curl -I http://localhost/"""
cmd = host.run(command)
assert '200 OK' in cmd.stdout


@ -1,25 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_nginx_running_and_enabled(host):
ngx = host.service("nginx")
assert ngx.is_running
assert ngx.is_enabled
def test_hosts_file(host):
ngx = host.file('/etc/hosts')
assert ngx.exists
assert ngx.user == 'root'
assert ngx.group == 'root'
def test_endpoint(host):
command = """curl -I http://localhost/"""
cmd = host.run(command)
assert '200 OK' in cmd.stdout


@ -1,42 +0,0 @@
import nginx
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_nginx_is_installed(host):
ngx = host.package("nginx")
assert ngx.is_installed
def test_nginx_running_and_enabled(host):
ngx = host.service("nginx")
assert ngx.is_running
assert ngx.is_enabled
def test_hosts_file(host):
ngx = host.file('/etc/hosts')
assert ngx.exists
assert ngx.user == 'root'
assert ngx.group == 'root'
def test_endpoint(host):
command = """curl -I http://localhost/"""
cmd = host.run(command)
assert '200 OK' in cmd.stdout
def test_generated_files(host):
assert host.file('/etc/nginx/conf.d/default.conf').exists
def test_default_server(host):
f = host.file('/etc/nginx/conf.d/default.conf')
c = nginx.loads(f.content_string)
lf = c.server.filter('Location', '/')
assert len(lf) == 1


@ -1,58 +0,0 @@
import nginx
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_nginx_is_installed(host):
ngx = host.package("nginx")
assert ngx.is_installed
def test_nginx_running_and_enabled(host):
ngx = host.service("nginx")
assert ngx.is_running
assert ngx.is_enabled
def test_hosts_file(host):
ngx = host.file('/etc/hosts')
assert ngx.exists
assert ngx.user == 'root'
assert ngx.group == 'root'
def test_endpoint(host):
command = """curl -I http://localhost/"""
cmd = host.run(command)
assert '200 OK' in cmd.stdout
def test_generated_files(host):
assert host.file('/etc/nginx/conf.d/default.conf').exists
assert host.file('/etc/nginx/conf.d/frontend_default.conf').exists
assert host.file('/etc/nginx/conf.d/backend_default.conf').exists
def test_default_server(host):
f = host.file('/etc/nginx/conf.d/default.conf')
c = nginx.loads(f.content_string)
lf = c.server.filter('Location', '/')
assert len(lf) == 1
lb = c.server.filter('Location', '/backend')
assert len(lb) == 1
def test_client_max_body_size(host):
f = host.file('/etc/nginx/conf.d/default.conf')
c = nginx.loads(f.content_string)
vs = c.server.filter('Key', 'client_max_body_size')
assert len(vs) == 1
assert vs[0].value == '512k'
lc = c.server.filter('Location', '/')
vl = lc[0].filter('Key', 'client_max_body_size')
assert len(vl) == 1
assert vl[0].value == '5m'


@ -4,8 +4,7 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: debian-stretch
image: debian:stretch-slim
@ -35,10 +34,15 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-focal
image: ubuntu:focal
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_default.yml
verifier:
name: testinfra
directory: ../common/test_default
converge: ../common/playbooks/default_converge.yml
verify: ../common/playbooks/default_verify.yml
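Review bot: The new `ubuntu-focal` platform entry repeats `privileged: true` together with a read-write bind mount of the host's `/sys/fs/cgroup`, which gives the test container close to host-level control over the CI runner. If the images only need systemd as init, consider a narrower setup: drop `privileged: true` in favour of `capabilities: [SYS_ADMIN]`, add `tmpfs` mounts for `/run` and `/tmp`, and mount the cgroup volume `:ro`; whether this works depends on the runner's cgroup version, so it needs a test run. The same pattern is added for the new `alpine-3.12` and `ubuntu-focal` entries in the other molecule.yml sections of this commit. The `platforms` list begins outside the hunk.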


@ -4,23 +4,8 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: alpine:3.10
dockerfile: ../common/Dockerfile.j2
@ -35,10 +20,15 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.12
image: alpine:3.12
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_default.yml
verifier:
name: testinfra
directory: ../common/test_default
converge: ../common/playbooks/default_converge.yml
verify: ../common/playbooks/default_verify.yml


@ -4,12 +4,8 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: centos-6
image: centos:6
dockerfile: ../common/Dockerfile.j2
- name: centos-7
image: centos:7
dockerfile: ../common/Dockerfile.j2
@ -27,7 +23,5 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_default.yml
verifier:
name: testinfra
directory: ../common/test_default
converge: ../common/playbooks/default_converge.yml
verify: ../common/playbooks/default_verify.yml


@ -4,8 +4,7 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: debian-stretch
image: debian:stretch-slim
@ -35,10 +34,15 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-focal
image: ubuntu:focal
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_module.yml
verifier:
name: testinfra
directory: ../common/test_module
converge: ../common/playbooks/module_converge.yml
verify: ../common/playbooks/module_verify.yml


@ -4,23 +4,8 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: alpine:3.10
dockerfile: ../common/Dockerfile.j2
@ -35,10 +20,15 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.12
image: alpine:3.12
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_module.yml
verifier:
name: testinfra
directory: ../common/test_module
converge: ../common/playbooks/module_converge.yml
verify: ../common/playbooks/module_verify.yml


@ -4,12 +4,8 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: centos-6
image: centos:6
dockerfile: ../common/Dockerfile.j2
- name: centos-7
image: centos:7
dockerfile: ../common/Dockerfile.j2
@ -27,7 +23,5 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_module.yml
verifier:
name: testinfra
directory: ../common/test_module
converge: ../common/playbooks/module_converge.yml
verify: ../common/playbooks/module_verify.yml


@ -4,8 +4,7 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: debian-stretch
image: debian:stretch-slim
@ -35,7 +34,16 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-focal
image: ubuntu:focal
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_unit.yml
prepare: ../common/playbooks/plus_prepare.yml
converge: ../common/playbooks/plus_converge.yml
verify: ../common/playbooks/plus_verify.yml


@ -4,32 +4,24 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: alpine:3.10
image: python:alpine3.10
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.11
image: alpine:3.11
image: python:alpine3.11
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.12
image: alpine:3.12
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
@ -38,4 +30,6 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_unit.yml
prepare: ../common/playbooks/plus_prepare.yml
converge: ../common/playbooks/plus_converge.yml
verify: ../common/playbooks/plus_verify.yml


@ -4,12 +4,8 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: centos-6
image: centos:6
dockerfile: ../common/Dockerfile.j2
- name: centos-7
image: centos:7
dockerfile: ../common/Dockerfile.j2
@ -27,4 +23,6 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_unit.yml
prepare: ../common/playbooks/plus_prepare.yml
converge: ../common/playbooks/plus_converge.yml
verify: ../common/playbooks/plus_verify.yml


@ -4,8 +4,7 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: debian-stretch
image: debian:stretch-slim
@ -35,10 +34,15 @@ platforms:
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-focal
image: ubuntu:focal
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_source.yml
verifier:
name: testinfra
directory: ../common/test_source
converge: ../common/playbooks/source_converge.yml
verify: ../common/playbooks/source_verify.yml


@ -4,32 +4,24 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: python:alpine3.10
image: alpine:3.10
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.11
image: python:alpine3.11
image: alpine:3.11
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.12
image: alpine:3.12
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
@ -38,7 +30,5 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_source.yml
verifier:
name: testinfra
directory: ../common/test_source
converge: ../common/playbooks/source_converge.yml
verify: ../common/playbooks/source_verify.yml


@ -4,8 +4,7 @@ driver:
lint: |
set -e
yamllint .
ansible-lint
flake8
ansible-lint --force-color
platforms:
- name: centos-7
image: centos:7
@ -24,7 +23,5 @@ platforms:
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_source.yml
verifier:
name: testinfra
directory: ../common/test_source
converge: ../common/playbooks/source_converge.yml
verify: ../common/playbooks/source_verify.yml


@ -1,47 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: debian-stretch
image: debian:stretch-slim
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: debian-buster
image: debian:buster-slim
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-xenial
image: ubuntu:xenial
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-bionic
image: ubuntu:bionic
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_stable_push.yml
verifier:
name: testinfra
directory: ../common/test_stable_push


@ -1,47 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: alpine:3.10
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.11
image: alpine:3.11
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_stable_push.yml
verifier:
name: testinfra
directory: ../common/test_stable_push


@ -1,36 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: centos-6
image: centos:6
dockerfile: ../common/Dockerfile.j2
- name: centos-7
image: centos:7
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/usr/sbin/init"
- name: centos-8
image: centos:8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/usr/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_stable_push.yml
verifier:
name: testinfra
directory: ../common/test_stable_push


@ -1,47 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: debian-stretch
image: debian:stretch-slim
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: debian-buster
image: debian:buster-slim
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-xenial
image: ubuntu:xenial
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: ubuntu-bionic
image: ubuntu:bionic
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_template.yml
verifier:
name: testinfra
directory: ../common/test_template


@ -1,47 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: alpine-3.8
image: alpine:3.8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.9
image: alpine:3.9
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.10
image: alpine:3.10
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
- name: alpine-3.11
image: alpine:3.11
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_template.yml
verifier:
name: testinfra
directory: ../common/test_template


@ -1,36 +0,0 @@
---
dependency:
name: shell
command: pip install python-nginx
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
flake8
platforms:
- name: centos-6
image: centos:6
dockerfile: ../common/Dockerfile.j2
- name: centos-7
image: centos:7
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/usr/sbin/init"
- name: centos-8
image: centos:8
dockerfile: ../common/Dockerfile.j2
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:rw"
command: "/usr/sbin/init"
provisioner:
name: ansible
playbooks:
converge: ../common/playbook_template.yml
verifier:
name: testinfra
directory: ../common/test_template


@ -1,24 +1,23 @@
---
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- name: Configure NGINX Amplify agent repository
include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_facts['os_family'] | lower }}.yml"
when: ansible_facts['os_family'] in ['Debian', 'RedHat']
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- name: "(Install: All OSs) Install NGINX Amplify Agent"
- name: Install NGINX Amplify agent
package:
name: nginx-amplify-agent
state: present
- name: "(Setup: All OSs) Copy NGINX Configurator Agent Configuration Template"
- name: Copy NGINX configurator agent configuration template
copy:
remote_src: yes
src: /etc/amplify-agent/agent.conf.default
dest: /etc/amplify-agent/agent.conf
mode: 0644
- name: "(Setup: All OSs) Configure NGINX Amplify Agent API Key"
- name: Configure NGINX Amplify agent API key
lineinfile:
dest: /etc/amplify-agent/agent.conf
regexp: api_key =.*
line: "api_key = {{ nginx_amplify_api_key }}"
notify: "(Handler: All OSs) Start NGINX Amplify Agent"
notify: (Handler) Start NGINX Amplify agent
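Review bot: The `Configure NGINX Amplify agent API key` task writes `nginx_amplify_api_key` through `lineinfile` without `no_log: true`, so the key can appear in diff output of a run; add `no_log: true` to that task. The preceding copy leaves `/etc/amplify-agent/agent.conf` at `mode: 0644`, which makes the stored key readable by every local user on the host; a tighter mode such as `"0640"` with the agent's group would be safer, provided the agent can still read it (file ownership is not visible here, so confirm). The `regexp: api_key =.*` is also unanchored; `regexp: '^api_key\s*='` avoids matching a commented-out or similarly named line.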


@ -1,5 +1,17 @@
---
- name: "(Install: Debian/Ubuntu) Add NGINX Amplify Agent Repository"
- name: (Debian/Ubuntu) Add NGINX Amplify agent repository
apt_repository:
filename: nginx-amplify
repo: deb [arch=amd64] http://packages.amplify.nginx.com/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} amplify-agent
repo: "deb [arch=amd64] https://packages.amplify.nginx.com/{{ ansible_facts['distribution'] | lower }}/
{{ ansible_facts['distribution_release'] | lower }} amplify-agent"
update_cache: yes
mode: 0644
when: ansible_facts['distribution_release'] != "focal"
- name: (Ubuntu 20.04) Add NGINX Amplify agent repository
apt_repository:
filename: nginx-amplify
repo: deb [arch=amd64] https://packages.amplify.nginx.com/py3/ubuntu focal amplify-agent
update_cache: yes
mode: 0644
when: ansible_facts['distribution_release'] == "focal"


@ -1,8 +1,9 @@
---
- name: "(Install: CentOS/RedHat/Amazon Linux) Add NGINX Amplify Agent Repository"
- name: (Amazon Linux/CentOS/RHEL) Add NGINX Amplify agent repository
yum_repository:
name: nginx-amplify
baseurl: http://packages.amplify.nginx.com/{{ (ansible_distribution == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/
baseurl: http://packages.amplify.nginx.com/{{ (ansible_facts['distribution'] == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/
description: NGINX Amplify Agent
enabled: yes
gpgcheck: yes
mode: 0644
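Review bot: The `baseurl` on the new side still uses `http://packages.amplify.nginx.com/...`, while the Debian/Ubuntu repository definition in this same commit was switched to `https://`; change the scheme here too so repository metadata and packages are not fetched over cleartext. `gpgcheck: yes` is set but this task gives no `gpgkey`, so signature verification depends on the signing key having been imported some other way; if that is not done elsewhere in the role, add a `gpgkey:` entry pointing at the vendor's published key (URL to be confirmed against the vendor documentation). Separately, `ternary('amzn/', 'centos/')` followed by `/$releasever` produces a double slash in the URL.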


@ -1,8 +0,0 @@
---
- name: "(Setup: All OSs) Remove NGINX configuration files"
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ nginx_cleanup_config_path }}"
notify: "(Handler: All OSs) Reload NGINX"


@ -1,9 +0,0 @@
---
- name: "(Setup: All OSs) Register NGINX configuration"
command: nginx -T
changed_when: false
register: nginx_configuration
- name: "(Setup: All OSs) Print NGINX configuration"
debug:
var: nginx_configuration.stdout_lines


@ -1,32 +0,0 @@
---
- name: "(Setup: NGINX Open Source) Enable NGINX Open Source Status"
blockinfile:
path: "{{ nginx_status_location }}"
create: yes
block: |
server {
listen 127.0.0.1:{{ nginx_status_port | default('80') }};
location /nginx_status {
stub_status on;
allow 127.0.0.1;
deny all;
}
}
when: nginx_type == "opensource"
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: NGINX Plus) Enable NGINX Plus Status"
blockinfile:
path: "{{ nginx_status_location }}"
create: yes
block: |
server {
listen 127.0.0.1:{{ nginx_status_port | default('80') }};
location /status {
status;
allow 127.0.0.1;
deny all;
}
}
when: nginx_type == "plus"
notify: "(Handler: All OSs) Reload NGINX"


@ -1,81 +0,0 @@
---
- name: "(Setup: All NGINX) Ensure HTML Directory Exists"
file:
path: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}"
state: directory
with_dict: "{{ nginx_html_demo_template }}"
when: nginx_html_demo_template_enable | bool
- name: "(Setup: All NGINX) Dynamically Generate HTML Files"
template:
src: "{{ item.value.template_file | default('www/index.html.j2') }}"
dest: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}/{{ item.value.html_file_name | default('index.html') }}"
backup: yes
with_dict: "{{ nginx_html_demo_template }}"
when: nginx_html_demo_template_enable | bool
- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists"
file:
path: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}"
state: directory
when: nginx_main_template_enable | bool
- name: "(Setup: All NGINX) Dynamically Generate NGINX Main Configuration File"
template:
src: "{{ nginx_main_template.template_file | default('nginx.conf.j2') }}"
dest: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}/{{ nginx_main_template.conf_file_name | default('nginx.conf') }}"
backup: yes
when: nginx_main_template_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists"
file:
path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}"
state: directory
with_dict: "{{ nginx_http_template }}"
when: nginx_http_template_enable | bool
- name: "(Setup: All NGINX) Ensure NGINX Proxy Cache Directories Exist"
file:
path: "{{ item.1.path }}"
state: directory
owner: "{{ nginx_main_template.user | default('nginx') }}"
with_subelements:
- "{{ nginx_http_template }}"
- proxy_cache.proxy_cache_path
- skip_missing: true
when: nginx_http_template_enable | bool
- name: "(Setup: All NGINX) Dynamically Generate NGINX HTTP Configuration Files"
template:
src: "{{ item.value.template_file | default('http/default.conf.j2') }}"
dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}/{{ item.value.conf_file_name | default('default.conf') }}"
backup: yes
with_dict: "{{ nginx_http_template }}"
when: nginx_http_template_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File"
template:
src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}"
dest: "{{ nginx_rest_api_file_location | default('/etc/nginx/conf.d/api.conf') }}"
backup: yes
notify: "(Handler: All OSs) Reload NGINX"
when: nginx_rest_api_enable | bool
- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists"
file:
path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}"
state: directory
with_dict: "{{ nginx_stream_template }}"
when: nginx_stream_template_enable | bool
- name: "(Setup: All NGINX) Dynamically Generate NGINX Stream Configuration Files"
template:
src: "{{ item.value.template_file | default('stream/default.conf.j2') }}"
dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}/{{ item.value.conf_file_name | default('default.conf') }}"
backup: yes
with_dict: "{{ nginx_stream_template }}"
notify: "(Handler: All OSs) Reload NGINX"
when: nginx_stream_template_enable | bool


@ -1,92 +0,0 @@
---
- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists"
file:
path: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}"
state: directory
when: nginx_main_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX Main Configuration File"
copy:
src: "{{ nginx_main_upload_src | default('conf/nginx.conf') }}"
dest: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}"
backup: yes
when: nginx_main_upload_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists"
file:
path: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}"
state: directory
when: nginx_http_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX HTTP Configuration Files"
copy:
src: "{{ item }}"
dest: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}"
backup: yes
with_fileglob: "{{ nginx_http_upload_src }}"
when: nginx_http_upload_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists"
file:
path: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}"
state: directory
when: nginx_stream_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX Stream Configuration Files"
copy:
src: "{{ item }}"
dest: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}"
backup: yes
with_fileglob: "{{ nginx_stream_upload_src }}"
when: nginx_stream_upload_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Ensure NGINX HTML Directory Exists"
file:
path: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
state: directory
when: nginx_html_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX HTML Files"
copy:
src: "{{ item }}"
dest: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
backup: yes
with_fileglob: "{{ nginx_html_upload_src }}"
when: nginx_html_upload_enable | bool
notify: "(Handler: All OSs) Reload NGINX"
- name: "(Setup: All NGINX) Ensure SSL Certificate Directory Exists"
file:
path: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}"
state: directory
when: nginx_ssl_upload_enable | bool
- name: "(Setup: All NGINX) Ensure SSL Key Directory Exists"
file:
path: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}"
state: directory
when: nginx_ssl_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX SSL Certificates"
copy:
src: "{{ item }}"
dest: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}"
mode: 0640
decrypt: yes
backup: yes
with_fileglob: "{{ nginx_ssl_crt_upload_src }}"
when: nginx_ssl_upload_enable | bool
- name: "(Setup: All NGINX) Upload NGINX SSL Keys"
copy:
src: "{{ item }}"
dest: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}"
mode: 0640
decrypt: yes
backup: yes
with_fileglob: "{{ nginx_ssl_key_upload_src }}"
no_log: yes
when: nginx_ssl_upload_enable | bool
