diff --git a/ansible/roles/geerlingguy.docker/.ansible-lint b/ansible/roles/geerlingguy.docker/.ansible-lint index 4778564..affe64f 100644 --- a/ansible/roles/geerlingguy.docker/.ansible-lint +++ b/ansible/roles/geerlingguy.docker/.ansible-lint @@ -1,2 +1,3 @@ skip_list: - '306' + - '106' diff --git a/ansible/roles/geerlingguy.docker/.github/stale.yml b/ansible/roles/geerlingguy.docker/.github/stale.yml index c7ff127..3ac21f9 100644 --- a/ansible/roles/geerlingguy.docker/.github/stale.yml +++ b/ansible/roles/geerlingguy.docker/.github/stale.yml @@ -1,5 +1,5 @@ # Configuration for probot-stale - https://github.com/probot/stale - +--- # Number of days of inactivity before an Issue or Pull Request becomes stale daysUntilStale: 90 diff --git a/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml b/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml new file mode 100644 index 0000000..42b7a1d --- /dev/null +++ b/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml 
@@ -0,0 +1,72 @@
+---
+name: CI
+'on':
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: "0 7 * * 0"
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.docker'
+
+jobs:
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.docker'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install yamllint ansible-lint
+
+ - name: Lint code.
+ run: |
+ yamllint .
+ ansible-lint
+
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ distro:
+ - centos8
+ - centos7
+ - ubuntu2004
+ - ubuntu1804
+ - debian10
+ - debian9
+ - fedora31
+
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.docker'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install ansible molecule[docker] docker
+
+ - name: Run Molecule tests.
+ run: molecule test
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/ansible/roles/geerlingguy.docker/.github/workflows/release.yml b/ansible/roles/geerlingguy.docker/.github/workflows/release.yml
new file mode 100644
index 0000000..5d02a3e
--- /dev/null
+++ b/ansible/roles/geerlingguy.docker/.github/workflows/release.yml
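Review bot: Both jobs in ci.yml reference `actions/checkout@v2` and `actions/setup-python@v2` by mutable tag and install their pip packages (`yamllint ansible-lint`, `ansible molecule[docker] docker`) without versions, so what runs in CI can change with no commit to this repository. Pinning each `uses:` to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>`, and the pip packages to exact versions makes runs reproducible; the same `@v2` references appear in release.yml and in the nginxinc.nginx galaxy.yml and molecule.yml workflows. The workflow also sets no `permissions:` key, and since neither job writes to the repository a top-level `permissions:` with `contents: read` would be sufficient.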
@@ -0,0 +1,38 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+ push:
+ tags:
+ - '*'
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.docker'
+
+jobs:
+
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.docker'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install Ansible.
+ run: pip3 install ansible-base
+
+ - name: Trigger a new import on Galaxy.
+ run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/ansible/roles/geerlingguy.docker/.travis.yml b/ansible/roles/geerlingguy.docker/.travis.yml
deleted file mode 100644
index a0001c3..0000000
--- a/ansible/roles/geerlingguy.docker/.travis.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-language: python
-services: docker
-
-env:
- global:
- - ROLE_NAME: docker
- matrix:
- - MOLECULE_DISTRO: centos8
- - MOLECULE_DISTRO: centos7
- - MOLECULE_DISTRO: ubuntu1804
- - MOLECULE_DISTRO: ubuntu1604
- - MOLECULE_DISTRO: debian10
- - MOLECULE_DISTRO: debian9
-
-install:
- # Install test dependencies.
- - pip install molecule yamllint ansible-lint docker
-
-before_script:
- # Use actual Ansible Galaxy role name for the project directory.
- - cd ../
- - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- - cd geerlingguy.$ROLE_NAME
-
-script:
- # Run tests.
- - molecule test
-
-notifications:
- webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/ansible/roles/geerlingguy.docker/.yamllint b/ansible/roles/geerlingguy.docker/.yamllint
index 7aeec5a..e6fc538 100644
--- a/ansible/roles/geerlingguy.docker/.yamllint
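Review bot: The last step of release.yml substitutes `${{ secrets.GALAXY_API_KEY }}` into the `run:` text before the shell parses it, so the key is written into the generated script and any shell metacharacter in it would be interpreted. Map it through the step environment instead, `env:` with `GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}`, and pass `--api-key "$GALAXY_API_KEY"`; the nginxinc.nginx galaxy.yml workflow has the identical step. Because this job holds a publishing credential, the unpinned `pip3 install ansible-base` is worth pinning to an exact version as well.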
+++ b/ansible/roles/geerlingguy.docker/.yamllint @@ -1,6 +1,11 @@ --- extends: default + rules: line-length: max: 200 level: warning + +ignore: | + .github/stale.yml + .travis.yml diff --git a/ansible/roles/geerlingguy.docker/README.md b/ansible/roles/geerlingguy.docker/README.md index 036b560..3090374 100644 --- a/ansible/roles/geerlingguy.docker/README.md +++ b/ansible/roles/geerlingguy.docker/README.md @@ -1,6 +1,6 @@ # Ansible Role: Docker -[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker) +[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI) An Ansible Role that installs [Docker](https://www.docker.com) on Linux. @@ -28,7 +28,7 @@ You can control whether the package is installed, uninstalled, or at the latest Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. docker_install_compose: true - docker_compose_version: "1.25.4" + docker_compose_version: "1.26.0" docker_compose_path: /usr/local/bin/docker-compose Docker Compose installation options. 
@@ -39,17 +39,17 @@ Docker Compose installation options. docker_apt_ignore_key_error: True docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg -(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release. +(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release. You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `docker_apt_repository` as well. docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo - docker_yum_repo_enable_edge: '0' + docker_yum_repo_enable_nightly: '0' docker_yum_repo_enable_test: '0' docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg -(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`. +(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`. You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `docker_yum_repository` as well. diff --git a/ansible/roles/geerlingguy.docker/defaults/main.yml b/ansible/roles/geerlingguy.docker/defaults/main.yml index ba5ba8a..8d66047 100644 --- a/ansible/roles/geerlingguy.docker/defaults/main.yml +++ b/ansible/roles/geerlingguy.docker/defaults/main.yml 
@@ -11,10 +11,10 @@ docker_restart_handler_state: restarted # Docker Compose options. docker_install_compose: true -docker_compose_version: "1.25.4" +docker_compose_version: "1.26.0" docker_compose_path: /usr/local/bin/docker-compose -# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed. +# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed. docker_apt_release_channel: stable docker_apt_arch: amd64 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" @@ -23,7 +23,7 @@ docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | # Used only for RedHat/CentOS/Fedora. docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo -docker_yum_repo_enable_edge: '0' +docker_yum_repo_enable_nightly: '0' docker_yum_repo_enable_test: '0' docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg diff --git a/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info index 412c30a..05272c2 100644 --- a/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info +++ b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 20:32:50 2020 -version: 2.7.0 +install_date: Sat Feb 20 13:56:42 2021 +version: 3.0.0 diff --git a/ansible/roles/geerlingguy.docker/meta/main.yml b/ansible/roles/geerlingguy.docker/meta/main.yml index 82065cd..fc01727 100644 --- a/ansible/roles/geerlingguy.docker/meta/main.yml +++ b/ansible/roles/geerlingguy.docker/meta/main.yml @@ -2,6 +2,7 @@ dependencies: [] galaxy_info: + role_name: docker author: geerlingguy description: Docker for Linux. company: "Midwestern Mac, LLC" 
@@ -23,6 +24,7 @@ galaxy_info: versions: - xenial - bionic + - focal galaxy_tags: - web - system diff --git a/ansible/roles/geerlingguy.docker/molecule/default/converge.yml b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml index dad331d..629095b 100644 --- a/ansible/roles/geerlingguy.docker/molecule/default/converge.yml +++ b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml @@ -8,5 +8,17 @@ apt: update_cache=yes cache_valid_time=600 when: ansible_os_family == 'Debian' + - name: Wait for systemd to complete initialization. # noqa 303 + command: systemctl is-system-running + register: systemctl_status + until: > + 'running' in systemctl_status.stdout or + 'degraded' in systemctl_status.stdout + retries: 30 + delay: 5 + when: ansible_service_mgr == 'systemd' + changed_when: false + failed_when: systemctl_status.rc > 1 + roles: - role: geerlingguy.docker diff --git a/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml index 2da47dd..7490710 100644 --- a/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml +++ b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml @@ -3,10 +3,6 @@ dependency: name: galaxy driver: name: docker -lint: | - set -e - yamllint . - ansible-lint platforms: - name: instance image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" diff --git a/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml index 800c0bc..9607238 100644 --- a/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml +++ b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml 
@@ -20,12 +20,13 @@ group: root mode: 0644 -- name: Configure Docker Edge repo. +- name: Configure Docker Nightly repo. ini_file: dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' - section: 'docker-{{ docker_edition }}-edge' + section: 'docker-{{ docker_edition }}-nightly' option: enabled - value: '{{ docker_yum_repo_enable_edge }}' + value: '{{ docker_yum_repo_enable_nightly }}' + mode: 0644 - name: Configure Docker Test repo. ini_file: @@ -33,9 +34,17 @@ section: 'docker-{{ docker_edition }}-test' option: enabled value: '{{ docker_yum_repo_enable_test }}' + mode: 0644 -- name: Install containerd separately (CentOS 8). - package: - name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm - state: present +- name: Configure containerd on RHEL 8. + block: + - name: Ensure container-selinux is installed. + package: + name: container-selinux + state: present + + - name: Ensure containerd.io is installed. + package: + name: containerd.io + state: present when: ansible_distribution_major_version | int == 8 diff --git a/ansible/roles/jnv.unattended-upgrades/.ansible-lint b/ansible/roles/jnv.unattended-upgrades/.ansible-lint new file mode 100644 index 0000000..d09fda8 --- /dev/null +++ b/ansible/roles/jnv.unattended-upgrades/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '503' diff --git a/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml b/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml new file mode 100644 index 0000000..35c1fac --- /dev/null +++ b/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml 
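Review bot: The `mode: 0644` lines added to the two `ini_file` tasks are unquoted, so the value relies on the YAML loader treating a leading-zero integer as octal; `mode: '0644'` states the permission as a string and does not depend on that. The unquoted form is also present on the context line at the top of the first hunk, which belongs to a task that starts outside it.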
@@ -0,0 +1,17 @@ +name: Ansible Lint check +# visit https://github.com/marketplace/actions/ansible-lint for infos + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + targets: "." diff --git a/ansible/roles/jnv.unattended-upgrades/README.md b/ansible/roles/jnv.unattended-upgrades/README.md index 978b832..401e6fd 100644 --- a/ansible/roles/jnv.unattended-upgrades/README.md +++ b/ansible/roles/jnv.unattended-upgrades/README.md @@ -46,8 +46,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai * Default: `false` (don't send any e-mail) * `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade. * Default: `false` -* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. +* `unattended_remove_unused_dependencies`: do automatic removal of all unused dependencies after the upgrade. * Default: `false` +* `unattended_remove_new_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. + * Default: `true` * `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade. * Default: `false` * `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade. 
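Review bot: `uses: ansible/ansible-lint-action@master` follows a moving branch, so every push and pull request runs whatever that branch contains at the time; pin it to a full commit SHA, `uses: ansible/ansible-lint-action@<full-commit-sha>`, or at least a release tag. `actions/checkout@v2` in the same job is a mutable tag and can be pinned the same way. A top-level `permissions:` with `contents: read` would also fit, since the only step after checkout is a linter.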
@@ -56,6 +58,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai * Default: disabled * `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive. * Default: `false` +* `unattended_syslog_enable`: Write events to syslog, which is useful in environments where syslog messages are sent to a central store. + * Default: `false` +* `unattended_syslog_facility`: Write events to the specified syslog facility, or the daemon facility if not specified. Will only have affect if `unattended_syslog_enable` is set to `true`. + * Default: `daemon` * `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root. * Possible options: * `0`: no report diff --git a/ansible/roles/jnv.unattended-upgrades/defaults/main.yml b/ansible/roles/jnv.unattended-upgrades/defaults/main.yml index 59fcc69..a62ee01 100644 --- a/ansible/roles/jnv.unattended-upgrades/defaults/main.yml +++ b/ansible/roles/jnv.unattended-upgrades/defaults/main.yml @@ -48,10 +48,14 @@ unattended_mail: false unattended_mail_only_on_error: false #Unattended-Upgrade::Remove-Unused-Dependencies -# Do automatic removal of new unused dependencies after the upgrade +# Do automatic removal of all unused dependencies after the upgrade # (equivalent to apt-get autoremove) unattended_remove_unused_dependencies: false +#Unattended-Upgrade::Remove-New-Unused-Dependencies +# Remove any new unused dependencies after the upgrade +unattended_remove_new_unused_dependencies: true + #Unattended-Upgrade::Automatic-Reboot # Automatically reboot *WITHOUT CONFIRMATION* if a # the file /var/run/reboot-required is found after the upgrade 
@@ -67,6 +71,17 @@ unattended_automatic_reboot_time: false # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file unattended_ignore_apps_require_restart: false +#Unattended-Upgrade::SyslogEnable +# Write events to syslog, which is useful in environments where syslog +# messages are sent to a central store. +unattended_syslog_enable: false + +#Unattended-Upgrade::SyslogFacility +# Write events to the specified syslog facility, or the daemon facility if +# not specified. Requires the Unattended-Upgrade::SyslogEnable option to be +# set to true. +#unattended_syslog_facility: "daemon" + ### APT::Periodic configuration # Snatched from /usr/lib/apt/apt.systemd.daily @@ -119,4 +134,4 @@ unattended_dpkg_options: [] # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec -#unattended_dl_limit: 70 \ No newline at end of file +#unattended_dl_limit: 70 diff --git a/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info b/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info index 0d4a914..73ff3f3 100644 --- a/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info +++ b/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 21:54:44 2020 -version: v1.8.0 +install_date: Sat Feb 20 13:56:45 2021 +version: v1.10.0 diff --git a/ansible/roles/jnv.unattended-upgrades/meta/main.yml b/ansible/roles/jnv.unattended-upgrades/meta/main.yml index 90dcd6d..f7aa9f0 100644 --- a/ansible/roles/jnv.unattended-upgrades/meta/main.yml +++ b/ansible/roles/jnv.unattended-upgrades/meta/main.yml @@ -20,7 +20,7 @@ galaxy_info: # Below are all categories currently available. Just as with # the platforms above, uncomment those that apply to your role. # - categories: + galaxy_tags: #- cloud #- cloud:ec2 #- cloud:gce 
diff --git a/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml b/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml index 64c97ab..2b911fe 100644 --- a/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml +++ b/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml @@ -10,7 +10,7 @@ apt: pkg: unattended-upgrades state: present - cache_valid_time: "{{unattended_cache_valid_time}}" + cache_valid_time: "{{ unattended_cache_valid_time }}" update_cache: yes - name: install reboot dependencies diff --git a/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 b/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 index 388a028..5a64ed5 100644 --- a/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 +++ b/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 @@ -1,3 +1,5 @@ +// {{ ansible_managed }} + APT::Periodic::Unattended-Upgrade "1"; {% if unattended_update_package_list is defined %} diff --git a/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 b/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 index 0b0d218..9338c49 100644 --- a/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 +++ b/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 @@ -1,3 +1,5 @@ +// {{ ansible_managed }} + // Unattended-Upgrade::Origins-Pattern controls which packages are // upgraded. Unattended-Upgrade::Origins-Pattern { 
@@ -55,11 +57,16 @@ Unattended-Upgrade::MailOnlyOnError "true"; {% endif %} {% if unattended_remove_unused_dependencies %} -// Do automatic removal of new unused dependencies after the upgrade +// Do automatic removal of all unused dependencies after the upgrade // (equivalent to apt-get autoremove) Unattended-Upgrade::Remove-Unused-Dependencies "true"; {% endif %} +{% if not unattended_remove_new_unused_dependencies %} +// Do automatic removal of new unused dependencies after the upgrade +Unattended-Upgrade::Remove-New-Unused-Dependencies "false"; +{% endif %} + {% if unattended_automatic_reboot %} // Automatically reboot *WITHOUT CONFIRMATION* if a // the file /var/run/reboot-required is found after the upgrade @@ -88,6 +95,18 @@ Unattended-Upgrade::Update-Days {{ unattended_update_days }}; Unattended-Upgrade::IgnoreAppsRequireRestart "true"; {% endif %} +{% if unattended_syslog_enable %} +// Write events to syslog, which is useful in environments where syslog +// messages are sent to a central store. +Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}"; +{% if unattended_syslog_facility is defined %} +// Write events to the specified syslog facility, or the daemon facility +// if not specified. Requires the Unattended-Upgrade::SyslogEnable option +// to be set to true. +Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}"; +{% endif %} +{% endif %} + {% if unattended_dpkg_options %} // Append options for governing dpkg behavior, e.g. --force-confdef. Dpkg::Options { diff --git a/ansible/roles/jnv.unattended-upgrades/tests/test.yml b/ansible/roles/jnv.unattended-upgrades/tests/test.yml index 45d5485..d73b9a4 100644 --- a/ansible/roles/jnv.unattended-upgrades/tests/test.yml +++ b/ansible/roles/jnv.unattended-upgrades/tests/test.yml 
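Review bot: The comment added above `Unattended-Upgrade::Remove-New-Unused-Dependencies "false";` says "Do automatic removal of new unused dependencies", but the block is emitted only when `unattended_remove_new_unused_dependencies` is false and turns that removal off. A comment such as `// Do not remove new unused dependencies after the upgrade` would match what the rendered file does.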
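Review bot: `Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";` in the second hunk renders the variable's own value, presumably `True` for a YAML boolean, while every other switch in this template writes the literal `"true"`. The line already sits inside `{% if unattended_syslog_enable %}`, so `Unattended-Upgrade::SyslogEnable "true";` is equivalent and consistent with the rest of the file. Whether apt accepts the capitalised form is not something the hunk shows.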
@@ -6,12 +6,15 @@ inventory: - name: ubuntu_latest image: "ubuntu:latest" + - name: ubuntu_bionic + image: "ubuntu:bionic" - name: ubuntu_xenial image: "ubuntu:xenial" - name: ubuntu_trusty image: "ubuntu:trusty" - - name: debian_testing - image: "debian:testing" + # 6/2020: Disabled Debian Testing due to missing python packages (python-apt) + #- name: debian_testing + # image: "debian:testing" - name: debian_stable image: "debian:stable" - name: debian_oldstable @@ -27,10 +30,11 @@ gather_facts: false pre_tasks: - name: Provision Python - raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-simplejson)" + raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python)" register: output changed_when: output.stdout - - setup: # Gather facts + - name: Gather facts + setup: vars: unattended_autofix_interrupted_dpkg: false unattended_minimal_steps: true @@ -45,13 +49,15 @@ include_role: name: ansible-role-unattended-upgrades register: idempotency - - fail: + - name: fail when idempotency.changed + fail: msg: Role failed idempotency check when: idempotency.changed - name: Get apt-config variables - shell: apt-config dump + command: apt-config dump register: aptconfig + changed_when: false - name: Check for registered variables assert: that: item in aptconfig.stdout @@ -68,3 +74,4 @@ - name: Dry run unattended-upgrades command: /usr/bin/unattended-upgrades --dry-run + changed_when: idempotency.changed|bool diff --git a/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md b/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md index 5d86399..7a63863 100644 --- a/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md +++ b/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md 
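Review bot: In the last hunk, `changed_when: idempotency.changed|bool` on the "Dry run unattended-upgrades" task ties its status to the earlier `include_role` result, which reads as if the dry run itself could report a change. Assuming both tasks are in the same play, the `fail` task in the third hunk stops the run whenever `idempotency.changed` is true, so the expression is always false when this task executes. `changed_when: false`, as already added to the `apt-config dump` task, states that directly.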
@@ -20,9 +20,9 @@ Steps to reproduce the behavior: A clear and concise description of what you expected to happen. **Your environment:** - - Version of the NGINX Role or specific commit - - Version of Ansible - - Target deployment platform +- Version of the NGINX role or specific commit +- Version of Ansible +- Target deployment platform **Additional context** Add any other context about the problem here. diff --git a/ansible/roles/nginxinc.nginx/.github/pull_request_template.md b/ansible/roles/nginxinc.nginx/.github/pull_request_template.md index d2cf8ae..f07653a 100644 --- a/ansible/roles/nginxinc.nginx/.github/pull_request_template.md +++ b/ansible/roles/nginxinc.nginx/.github/pull_request_template.md 
@@ -1,10 +1,10 @@ ### Proposed changes -Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue here in this description (not in the title of the PR). +Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR). ### Checklist Before creating a PR, run through this checklist and mark each as complete. -- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/master/CONTRIBUTING.md) document +- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/main/CONTRIBUTING.md) document - [ ] I have added Molecule tests that prove my fix is effective or that my feature works -- [ ] I have checked that all unit tests pass after adding my changes -- [ ] If required, I have updated necessary documentation (`defaults/main/` and `README.md`) +- [ ] I have checked that all Molecule tests pass after adding my changes +- [ ] I have updated any relevant documentation (`defaults/main/*.yml`, `README.md` and `CHANGELOG.md`) diff --git a/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml b/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml new file mode 100644 index 0000000..a5f714a --- /dev/null +++ b/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml 
@@ -0,0 +1,22 @@
+---
+name: Ansible Galaxy import
+on:
+ release:
+jobs:
+ galaxy:
+ name: Galaxy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@v2
+
+ - name: Set up Python 3
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.x
+
+ - name: Install Ansible
+ run: pip3 install ansible-base==2.10.3
+
+ - name: Import release to Ansible Galaxy
+ run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml b/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml
new file mode 100644
index 0000000..2207a3c
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml
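Review bot: `on:` with a bare `release:` has no `types:` filter, so the workflow fires on every release activity type (created, edited, published, deleted and others) and the Galaxy import, with its API key, runs more often than a publish requires. Restricting it with `types: [published]` under `release:` limits the trigger to the intended event. `python-version: 3.x` is also unquoted here while the geerlingguy.docker workflows quote it; quoting keeps the value a string whatever the version looks like.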
@@ -0,0 +1,61 @@
+---
+name: Molecule CI/CD
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ ignore-tags:
+ - "*"
+ schedule:
+ - cron: "0 0 1 * *"
+jobs:
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ scenario:
+ - default
+ - default_alpine
+ - default_centos
+ - module
+ - module_alpine
+ - module_centos
+ - plus
+ - plus_alpine
+ - plus_centos
+ - source
+ - source_alpine
+ - source_centos
+ steps:
+ - name: Check out the codebase
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ uses: actions/checkout@v2
+
+ - name: Set up Python 3
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.x
+
+ - name: Install Molecule dependencies
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ run: |
+ pip3 install ansible-base==2.10.4
+ pip3 install ansible==2.10.5
+ pip3 install ansible-lint==4.3.7
+ pip3 install yamllint==1.25.0
+ pip3 install "molecule[docker]"==3.2.2
+ pip3 install docker==4.4.1
+
+ - name: Run Molecule tests
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ run: molecule test -s ${{ matrix.scenario }}
+ env:
+ PY_COLORS: "1"
+ ANSIBLE_FORCE_COLOR: "1"
+ NGINX_CRT: ${{ secrets.NGINX_CRT }}
+ NGINX_KEY: ${{ secrets.NGINX_KEY }}
diff --git a/ansible/roles/nginxinc.nginx/.gitignore b/ansible/roles/nginxinc.nginx/.gitignore
index 489ae98..a11ae27 100644
--- a/ansible/roles/nginxinc.nginx/.gitignore
+++ b/ansible/roles/nginxinc.nginx/.gitignore
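Review bot: `ignore-tags:` under `push:` is not a filter name GitHub Actions defines; the documented key is `tags-ignore`, so as written the intent of skipping tag pushes is not expressed. Because `branches:` is already set for `push`, tag pushes do not match the trigger anyway, so the block can be removed, or renamed to `tags-ignore:` if it is kept for clarity. The four identical `if:` guards are what keep the `plus` scenarios, which receive `NGINX_CRT` and `NGINX_KEY`, off fork pull requests; a comment above the first one, such as `# Skip NGINX Plus scenarios on fork PRs: secrets are not available there`, would make it less likely that a step added later omits the guard.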
@@ -2,14 +2,19 @@ ############################ *.crt *.key -__pycache__ *~ \#* -# OS Specific +# OS Specific # +############### Thumbs.db .DS_Store .vscode -# Ansible specific -*.retry \ No newline at end of file +# Ansible specific # +#################### +*.retry + +# Python specific # +################### +__pycache__ diff --git a/ansible/roles/nginxinc.nginx/.travis.yml b/ansible/roles/nginxinc.nginx/.travis.yml deleted file mode 100644 index 3a3dfd5..0000000 --- a/ansible/roles/nginxinc.nginx/.travis.yml +++ /dev/null 
@@ -1,56 +0,0 @@
----
-language: python
-services:
- - docker
-jobs:
- include:
- - name: "Install Specific Version Test - Debian"
- env: scenario=default
- - name: "Install Specific Version Test - Alpine"
- env: scenario=default_alpine
- - name: "Install Specific Version Test - CentOS"
- env: scenario=default_centos
- - name: "Install Modules Test - Debian"
- env: scenario=module
- - name: "Install Modules Test - Alpine"
- env: scenario=module_alpine
- - name: "Install Modules Test - CentOS"
- env: scenario=module_centos
- - name: "Install Stable Branch and Push Configuration Test - Debian"
- env: scenario=stable_push
- - name: "Install Stable Branch and Push Configuration Test - Alpine"
- env: scenario=stable_push_alpine
- - name: "Install Stable Branch and Push Configuration Test - CentOS"
- env: scenario=stable_push_centos
- - name: "Use Template Setting Test - Debian"
- env: scenario=template
- - name: "Use Template Setting Test - Alpine"
- env: scenario=template_alpine
- - name: "Use Template Setting Test - CentOS"
- env: scenario=template_centos
- - name: "Install Unit Test - Debian"
- env: scenario=unit
- - name: "Install Unit Test - Alpine"
- env: scenario=unit_alpine
- - name: "Install Unit Test - CentOS"
- env: scenario=unit_centos
- - name: "Install from Source Test - Debian"
- env: scenario=source
- - name: "Install from Source Test - Alpine"
- env: scenario=source_alpine
- - name: "Install from Source Test - CentOS"
- env: scenario=source_centos
-before_install:
- - sudo apt-get -qq update
-install:
- - pip install ansible==2.9.6
- - pip install molecule[docker]>=3.0.0
- - pip install testinfra
- - pip install ansible-lint
- - pip install flake8
-script:
- - molecule --version
- - ansible --version
- - travis_wait 50 molecule test -s $scenario
-notifications:
- webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/ansible/roles/nginxinc.nginx/CHANGELOG.md b/ansible/roles/nginxinc.nginx/CHANGELOG.md
new file mode 100644
index 0000000..599543e
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/CHANGELOG.md
@@ -0,0 +1,400 @@ +# Changelog + +## 0.19.1 (January 11, 2021) + +ENHANCEMENTS: + +* The GitHub actions Molecule CI/CD workflow should now correctly avoid running 'plus' related tests on external PRs. +* Update Ansible base to `2.10.4`, Ansible to `2.10.5`, Molecule to `3.2.2` and Docker Python SDK to `4.4.1`. +* Update copyright notice. + +## 0.19.0 (December 23, 2020) + +BREAKING CHANGES: + +**The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. + +ENHANCEMENTS: + +The GitHub actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push). + +## 0.18.2 (December 22, 2020) + +ENHANCEMENTS: + +* Update Molecule to `3.2.1` and Docker Python SDK to `4.4.0`. +* Add Alpine `3.12` to supported platforms for NGINX Plus. +* Remove Alpine `3.9` and CentOS/RHEL `6` from supported platforms due to EOL. +* Replace TravisCI with GitHub actions. + +## 0.18.1 (November 17, 2020) + +ENHANCEMENTS: + +Switch NGINX keysites and OSS default repository data from a dictionary to individual variables to prevent potential issues arisen from Jinja2 dictionary run-time evaluations. + +BUG FIXES: + +Fix issue whereas SELinux state would not be correctly set back to `enforcing` when `nginx_selinux: true`. + +## 0.18.0 (November 13, 2020) + +BREAKING CHANGES: + +**The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). 
Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. + +## 0.17.4 (November 12, 2020) + +ENHANCEMENTS: + +Implement a new syntax to specify modules to be installed. You can now use the following format if you want further fine grained control over how you install modules: +```yaml +- name: njs # Required + state: present # Optional + version: =1.19.4+0.4.4-1~bionic # Optional +``` +The old method of specifying modules (using a list of names) still works as expected. + +## 0.17.3 (November 9, 2020) + +ENHANCEMENTS: + +* Add survey to README. +* Improve README structure and use tables where relevant. +* Update Ansible (now Ansible base) to `2.10.3`, Ansible (now Ansible Community Distribution) to `2.10.3`, Ansible Lint to `4.3.7`, Molecule to `3.1.5`, and yamllint to `1.25.0`. +* Optimize NGINX Plus install/remove tasks. + +BUG FIXES: + +* Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs. +* Fix naming for SELinux facts dictionary. +* Role now runs correctly when using Ansible's check mode. +* Removing the NGINX Plus license in RHEL based distros should no longer return a repository not found error. +* Fix issue when removing NGINX Plus license on some distributions. +* Fix Amazon Linux NGINX Plus install while at it. + +## 0.17.2 (September 24, 2020) + +BUG FIXES: + +Fix an issue where sometimes the role handlers will fail in distros where NGINX is not started upon installation. + +## 0.17.1 (September 22, 2020) + +ENHANCEMENTS: + +* The role will no longer fail automatically on unsupported platforms, but the error message will still be displayed. +* The `Check NGINX` handler now always outputs an `ok` state instead of `changed` since it's a read-only operation with no traceable changes. 
+ +## 0.17.0 (September 20, 2020) + +BREAKING CHANGES: + +* The process to install modules has changed. You will now have to use a list variable, `nginx_modules`, instead of manually setting the modules you want to install to `true` or `false`. This change will also simplify adding future supported modules to this role. You can find a list of supported modules for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml). +* Modules can no longer be added to your NGINX config using this role. Please use the [`nginx_config`](https://github.com/nginxinc/ansible-role-nginx-config) role instead. +* Changed `nginx_configure` default value from `true` to `false` to further promote the adoption of the [NGINX config](https://github.com/nginxinc/ansible-role-nginx-config) role. + +FEATURES: + +* A new variable has been introduced: + * `nginx_setup_license` -- Determine whether you want to use this role to upload your NGINX license to your target host. +* The role will now fail automatically if you try to deploy NGINX from an official repository in an unsupported distribution. You can find a list of supported distributions for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml) +* Three new tags have been introduced -- `nginx_setup_license`, `nginx_install` and `nginx_check_support`. +* Add Alpine 3.12 to the list of supported platforms. +* Remove Alpine 3.8 from the list of supported platforms. +* Add NGINX Plus tests to TravisCI + +ENHANCEMENTS: + +* Added handlers to check for NGINX syntax validity and fail if any errors are detected. +* Switch to using `ansible_facts` wherever possible. +* Major backend refactoring to reduce the number of files and tasks. +* You can now specify an `nginx_repository` for NGINX Plus too. +* Moved "constant" variables to `vars/main.yml`. +* Included deprecation warnings in task names and files. 
+* Improved tasks naming conventions. +* Update Ansible to `2.9.13` and Ansible Lint to `4.3.5`. + +BUG FIXES: + +* NGINX Plus repository data for RHEL based distros is now appropriately set. +* Building NGINX from source should now work as expected in CentOS/RHEL 6 systems running Python `2.6` or earlier versions of `2.7`. + +## 0.16.0 (August 28, 2020) + +BREAKING CHANGES: + +The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. + +ENHANCEMENTS: + +* Update Ansible to `2.9.12` and Ansible Lint to `4.3.2`. +* Explicitly define `mode` in relevant tasks. +* Explicitly define the `nginx` `apt_repository` filename in Debian based distros. + +FEATURES: + +TravisCI now always uses the latest version of Docker. + +BUG FIXES: + +Building OpenSSL from source should now work properly in CentOS 8. + +## 0.15.0 (August 20, 2020) + +DEPRECATION WARNING: + +With the advent of Ansible collections and to reduce the overhead of this role, the decision has been made to split this role into three smaller roles: +* The NGINX Ansible role will keep working as is and be used to install and setup NGINX. +* There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. The NGINX configuration functionalities included in this role will be removed in an upcoming release. +* NGINX Unit now has a separate role available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit repository. 
New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. The NGINX Unit functionalities included in this role will be removed in an upcoming release. + +BREAKING CHANGES: + +* The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. +* If you use `custom_options` you will now need to manually end each directive with a semicolon. +* The `status` directive is no longer supported in NGINX Plus, and the `stub_status` directive has been reworked into a template. +* The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need. + + Old configuration example + ```yaml + listen_address: localhost + listen_port: 80 + udp_enable: false + ``` + + New configuration example + ```yaml + listen: + listen_localhost: + ip: 0.0.0.0 # Wrap in square brackets for IPv6 addresses + port: 80 + ssl: false + opts: [] # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:'). + ``` + + The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`. + +FEATURES: + +* Add support to configure logrotate. +* Add support for Ubuntu Focal. +* Add support to configure SELinux. +* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both. + +ENHANCEMENTS: + +* Molecule tests using Testinfra have been migrated to use Ansible instead. +* The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time. 
+* Improve configuration cleanup capabilities. You can now remove all `*.conf` files in a given directory, or specify a list of files you wish to delete. +* Improve configuration templating capabilities: + * Add support for unix upstreams. + * Add PID templating option. + * Add support for down parameter in upstreams. + * Add option for custom error pages. + * Add SSL support to `stream` contexts. + +BUG FIXES: + +* `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation. +* If `http_demo_conf` was undefined the web server template interpolation would fail. + +## 0.14.0 (April 22, 2020) + +This is a relatively minor release, but it includes a potential breaking change (hence the version bump). The one major new feature is the ability to install/build NGINX Open Source from source. + +BREAKING CHANGES: + +The NGINX Controller agent can no longer be installed using this role. Please use the Ansible collection linked in the README. + +FEATURES: + +* Install/build NGINX from source options now available. +* Implement NGINX http sub module templating. +* NGINX config is now correctly validated each run. +* SSL Private Key data is hidden when running the role with the `--diff` flag. + +BUG FIXES: + +* The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository. +* Modules should now correctly install when using a specific NGINX Plus version. + +## 0.13.0 (December 13, 2019) + +BREAKING CHANGES: + +* The new listen templating options are not backwards with the previous listen templating options. Check the `README` or `molecule/template_module/playbook.yml` for examples on how to use the new listen template. +* BSD and Linux NGINX installation tasks have undergone some major changes. As such, you may have to update your playbooks accordingly. + +FEATURES: + +* Improve NGINX http templating: + * Multiple server support in HTTP contexts. 
+ * Header support. + * OCSP stapling. + * Improved proxy settings. + * Logging settings. + * Improved SSL settings. + * Improved authentication settings. + * Max body size support. + * Improved listen templating. +* Switch to Molecule for testing. +* Add support for Debian Buster. +* Support for specifying which version of NGINX to install. +* Split default variables into multiple functional files. +* Improve support for Alpine distributions. +* Support for updating or removing NGINX from your system. +* Implemented tags to support running specific tasks instead of the whole role. + +BUG FIXES: + +* Module installation when using NGINX Plus has been fixed. +* Websockets templating has been reenabled after being accidentally deleted. +* When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository. + +## 0.12.0 (May 22, 2019) + +FEATURES: + +Improve NGINX http templating - following parameters are now supported: +* Websockets. +* Basic authentication. +* Proxy cache. +* Proxy redirect. +* Proxy timeouts. +* SSL. +* Root (in server context). +* Add basic NGINX stream templating. +* Add support for RHEL 8 and Alpine Linux. + +BUG FIXES: + +Fix module installation tasks. + +## 0.11.0 (Januray 14, 2019) + +FEATURES: + +* Allow setting a custom apt and rpm signing key host. +* Add support for enabling an http to https redirects. +* Add ansible_managed to templates. +* Rename html_app_name to web_server_name. +* Rename load_balancer block to reverse_proxy. +* Allow setting the listen port when using SSL. +* Improve SSL defaults. +* Allow setting http or https server locations in proxy_pass. + +BUG FIXES: + +* Ignore undefined values for autoindex and health check. +* Clarify that the redirect variable refers to a http to https redirect. 
+ +## 0.10.1 (November 26, 2018) + +BUG FIXES: + +Fix HTML template to use correct variable name. + +## 0.10.0 (November 26, 2018) + +FEATURES: + +Improve templating support for health checks, multiple location blocks, and auto indexing. + +BUG FIXES: + +* Fetching the NGINX signing key is now more reliable. +* Fixed HTML templating. + +## 0.9.0 (October 18, 2018) + +FEATURES: + +* Refactor NGINX templating and file uploading. +* Add ability to upload and template HTML files. +* Add ability to upload SSL keys and certificates. + +## 0.8.0 (September 17, 2018) + +FEATURES: + +* Add ability to install NGINX Plus Controller agent. +* Refactor installation of NGINX Amplify agent. +* Rename variables to be prefixed with `nginx_`. + +BUG FIXES: + +Correct spelling of name in `tasks/prerequisites/setup-debian.yml`. + +## 0.7.1 (August 21, 2018) + +FEATURES: + +Add enabled parameter to NGINX and NGINX Unit handlers. + +## 0.7.0 (August 4, 2018) + +FEATURES: + +* Add Amazon Linux 2 support for NGINX Plus. +* Add ability to delete NGINX Plus license after installation. + +BUG FIXES: + +* GeoIP module can now be properly installed. +* Module installation will no longer fail if only one module is specified. + +## 0.6.0 (July 19, 2018) + +FEATURES: + +* Improve NGINX Unit related documentation. +* Add FreeBSD and Amazon Linux 2 support for NGINX Unit. +* Allow users to install NGINX Unit without having to also install NGINX. + +## 0.5.0 (June 28, 2018) + +FEATURES: + +Add support for NGINX Unit. + +## 0.4.0 (May 25, 2018) + +FEATURES: + +* Implement support for FreeBSD. +* Allow users to select the default NGINX repository. + +## 0.3.0 (April 19, 2018) + +FEATURES: + +Improve Travis CI testing strategy. + +BUG FIXES: + +Fix templating and push tasks. + +## 0.2.0 (April 12, 2018) + +FEATURES: + +Add support for all first party NGINX modules. + +BUG FIXES: + +* Role should now work correctly in distros with old versions of Python. 
+* Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false). +* Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory. + +## 0.1.0 - Initial release (Januray 26, 2018) + +Initial release of the NGINX Ansible role. Features include: + +* Install NGINX Open Source or NGINX Plus. +* Choose between stable or mainline NGINX Open Source. +* Install NGINX Amplify. +* Install NGINX Javascript, Perl, and ModSecurity WAF NGINX modules. +* Enable the NGINX Plus REST API and dashboard. +* Upload NGINX configuration files. +* Templated NGINX configuration system. diff --git a/ansible/roles/nginxinc.nginx/CONTRIBUTING.md b/ansible/roles/nginxinc.nginx/CONTRIBUTING.md index b71585a..a776a0d 100644 --- a/ansible/roles/nginxinc.nginx/CONTRIBUTING.md +++ b/ansible/roles/nginxinc.nginx/CONTRIBUTING.md 
@@ -14,25 +14,26 @@ The following is a set of guidelines for contributing to the NGINX Ansible role. * [Git Guidelines](#git-guidelines) * [Ansible Guidelines](#ansible-guidelines) -[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/master/CODE_OF_CONDUCT.md) +[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/main/CODE_OF_CONDUCT.md) ## Ask a Question -Please open an Issue on GitHub with the label `question`. +Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`. ## Getting Started -Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/master/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role. +Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/main/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role. ### Project Structure -* The NGINX Ansible role is written in `yaml` and supports open source NGINX, NGINX Plus, NGINX Amplify, and NGINX Unit. -* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html) - * The main code is found at `tasks/` - * The main variables can be found at `defaults/main/` - * Configuration templates for NGINX can be found at `templates/` +* The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, and NGINX Amplify. +* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): + * The main code is found in `tasks/`. + * Variables can be found in `defaults/main/*.yml`. + * "Constant" variables can be found in `vars/main.yml`. + * Configuration templates for NGINX can be found in `templates/`. 
* [Molecule](https://molecule.readthedocs.io/) tests can be found in `molecule/`. - * CI/CD is done via Travis using `.travis.yml` Deployment yaml files, and Helm files are found at `deployments/` + * CI/CD is done via Travis using `.travis.yml` deployment `yaml` files. ## Contributing 
@@ -46,27 +47,27 @@ To suggest an enhancement, please create an issue on GitHub with the label `enha ### Open a Pull Request -* Fork the repo, create a branch, submit a PR when your changes are tested and ready for review -* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/master/.github/PULL_REQUEST_TEMPLATE.md) +* Fork the repo, create a branch, submit a PR when your changes are **tested** (ideally using Molecule) and ready for review. +* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/main/.github/PULL_REQUEST_TEMPLATE.md). Note: if you’d like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. ## Code Guidelines -### Git Guidelines - -* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR -* Follow the guidelines of writing a good commit message as described here and summarised in the next few points - * In the subject line, use the present tense ("Add feature" not "Added feature") - * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to...") - * Limit the subject line to 72 characters or less - * Reference issues and pull requests liberally after the subject line - * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`) - ### Ansible Guidelines * Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. -* Run `molecule test --all` on your code to catch any other issues. +* Run `molecule test --all` on your code before you submit a PR to catch any potential issues. 
* Follow these guides on some good practices for Ansible: * * + +### Git Guidelines + +* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR. +* Follow the guidelines of writing a good commit message as described here and summarised in the next few points: + * In the subject line, use the present tense ("Add feature" not "Added feature"). + * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to..."). + * Limit the subject line to 72 characters or less. + * Reference issues and pull requests liberally after the subject line. + * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`). diff --git a/ansible/roles/nginxinc.nginx/README.md b/ansible/roles/nginxinc.nginx/README.md index 5cc122b..aba5ddf 100644 --- a/ansible/roles/nginxinc.nginx/README.md +++ b/ansible/roles/nginxinc.nginx/README.md 
@@ -1,414 +1,182 @@ -Ansible NGINX Role -================== - [![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginxinc.nginx-5bbdbf.svg)](https://galaxy.ansible.com/nginxinc/nginx) -[![Build Status](https://travis-ci.org/nginxinc/ansible-role-nginx.svg?branch=master)](https://travis-ci.org/nginxinc/ansible-role-nginx) +[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nginx/workflows/Molecule%20CI/CD/badge.svg)](https://github.com/nginxinc/ansible-role-nginx/actions) +[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -This role installs NGINX Open Source, NGINX Plus, the NGINX Amplify agent, or NGINX Unit on your target host. +# 👾 *Help make the NGINX Ansible role better by participating in our [survey](https://forms.office.com/Pages/ResponsePage.aspx?id=L_093Ttq0UCb4L-DJ9gcUKLQ7uTJaE1PitM_37KR881UM0NCWkY5UlE5MUYyWU1aTUcxV0NRUllJSC4u)!* 👾 + +# Ansible NGINX Role + +This role installs NGINX Open Source, NGINX Plus, or the NGINX Amplify agent on your target host. **Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues. -Requirements ------------- +**Deprecation Warnings:** -**Ansible** +With the advent of Ansible collections and the release of the [NGINX Core Ansible collection](https://github.com/nginxinc/ansible-collection-nginx), the decision has been made to split this role into three smaller roles and reduce the overhead of this role: +* The NGINX Ansible role will keep working as is and be used to install and setup NGINX. +* **The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). 
Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. This disclaimer will be removed in a future release. +* **The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. This disclaimer will be removed in a future release. -This role was developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed. +## Requirements -Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). +### Ansible -**Molecule** +* This role is developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed. +* Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). -Molecule is used to test the various functionailities of the role. Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). +### Molecule -Installation ------------- +* Molecule `3.x` is used to test the various functionalities of the role. 
+* Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). -**Ansible Galaxy** +## Installation + +### Ansible Galaxy Use `ansible-galaxy install nginxinc.nginx` to install the latest stable release of the role on your system. -**Git** +### Git Use `git clone https://github.com/nginxinc/ansible-role-nginx.git` to pull the latest edge commit of the role from GitHub. -Platforms ---------- +## Platforms -The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html#mainline), [NGINX Plus](https://www.nginx.com/products/technical-specs/), the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported), and [NGINX Unit](https://unit.nginx.org/installation/#official-packages): +The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html), [NGINX Plus](https://docs.nginx.com/nginx/technical-specs/), and the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported): -**NGINX Open Source** +### NGINX Open Source ```yaml Alpine: - versions: - - 3.8 - - 3.9 - - 3.10 - - 3.11 + - 3.10 + - 3.11 + - 3.12 CentOS: - versions: - - 6 - - 7 - - 8 + - 7.4+ + - 8 Debian: - versions: - - stretch - - buster -FreeBSD: - versions: - - 11.2+ - - 12 -RedHat: - versions: - - 6 - - 7.4+ - - 8 + - stretch + - buster +Red Hat: + - 7.4+ + - 8 SUSE/SLES: - versions: - - 12 - - 15 + - 12 + - 15 Ubuntu: - versions: - - xenial - - bionic + - xenial + - bionic + - eoan + - focal ``` -**NGINX Plus** +### NGINX Plus ```yaml Alpine: - versions: - - 3.8 - - 3.9 - - 3.10 - - 3.11 + - 3.10 + - 3.11 + - 3.12 Amazon Linux: - versions: - - 2018.03 + - 2018.03 Amazon Linux 2: - versions: - - LTS + - any CentOS: - versions: - - 6.5+ - - 7.4+ - - 8 + - 7.4+ + - 8 
Debian: - versions: - - stretch - - buster + - stretch + - buster FreeBSD: - versions: - - 11.2+ - - 12 + - 11.2+ + - 12 Oracle Linux: - versions: - - 6.5+ - - 7.4+ -RedHat: - versions: - - 6.5+ - - 7.4+ - - 8 + - 6.5+ + - 7.4+ +Red Hat: + - 7.4+ + - 8 SUSE/SLES: - versions: - - 12 - - 15 + - 12 + - 15 Ubuntu: - versions: - - xenial - - bionic + - xenial + - bionic + - eoan + - focal ``` -**NGINX Amplify Agent** +### NGINX Amplify Agent ```yaml Amazon Linux: - versions: - - 2017.09 + - 2017.09 CentOS: - versions: - - 6 - - 7 + - 7 Debian: - versions: - - jessie - - stretch + - jessie + - stretch +Red Hat: + - 7 Ubuntu: - versions: - - xenial - - bionic -RedHat: - versions: - - 6 - - 7 + - xenial + - bionic + - focal ``` -**NGINX Unit** +**Note:** You can also use this role to compile NGINX Open Source from source, install NGINX Open Source on compatible yet unsupported platforms, or install NGINX Open Source on BSD systems at your own risk. -```yaml -CentOS: - versions: - - 6 - - 7 -RedHat: - versions: - - 6 - - 7 -Debian: - versions: - - jessie - - stretch - - buster -Ubuntu: - versions: - - xenial - - bionic -Amazon Linux: - versions: - - 2018.03 -Amazon Linux 2: - versions: - - 2 -FreeBSD: - versions: - - 10 - - 11 -``` +## Role Variables -Role Variables --------------- +This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/)** folder in the following files: -This role has multiple variables. 
The descriptions and defaults for all these variables can be found in the directory **`defaults/main`** in the following files: +|Name|Description| +|----|-----------| +|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/main.yml)**|NGINX installation variables| +|**[`amplify.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/amplify.yml)**|NGINX Amplify agent installation variables| +|**[`linux.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/linux.yml)**|Linux installation variables| +|**[`bsd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/bsd.yml)**|BSD installation variables| -- **[defaults/main/main.yml](./defaults/main/main.yml):** NGINX installation variables -- **[defaults/main/amplify.yml](./defaults/main/amplify.yml):** NGINX Amplify agent installation variables -- **[defaults/main/template.yml](./defaults/main/template.yml):** NGINX configuration templating variables -- **[defaults/main/upload.yml](./defaults/main/upload.yml):** NGINX configuration/HTML/SSL upload variables -- **[defaults/main/linux.yml](./defaults/main/linux.yml):** Linux installation variables -- **[defaults/main/bsd.yml](./defaults/main/bsd.yml):** BSD installation variables -- **[defaults/main/unit.yml](./defaults/main/unit.yml):** NGINX Unit installation variables +Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/)** folder in the following files: -Dependencies ------------- +|Name|Description| +|----|-----------| +|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)**|List of supported NGINX platforms and modules| -None +## Example Playbooks -Example Playbook ----------------- +Working functional playbook examples can be found in the 
**[`molecule/common/playbooks/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/)** folder in the following files: -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX. +|Name|Description| +|----|-----------| +|**[`default_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/default_converge.yml)**|Install a specific version of NGINX and set up logrotate| +|**[`module_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/module_converge.yml)**|Install various NGINX supported modules| +|**[`plus_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/plus_converge.yml)**|Install NGINX Plus and various NGINX Plus supported modules| +|**[`source_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/source_converge.yml)**|Install NGINX from source| -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx -``` +Do note that if you install this repository via Ansible Galaxy, you will have to replace the role variable in the sample playbooks from `ansible-role-nginx` to `nginxinc.nginx`. -This is a sample playbook file for deploying the Ansible Galaxy NGINX role to a dynamic inventory containing the `nginx` tag. +## Other NGINX Ansible Collections and Roles -```yaml ---- -- hosts: tag_nginx - remote_user: root - roles: - - role: nginxinc.nginx -``` +You can find the Ansible NGINX Core collection of roles to install and configure NGINX Open Source, NGINX Plus, and NGINX App Protect [here](https://github.com/nginxinc/ansible-collection-nginx). -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a simple web server. 
+You can find the Ansible NGINX configuration role to configure NGINX [here](https://github.com/nginxinc/ansible-role-nginx-config). -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_http_template_enable: true - nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - # ip: 0.0.0.0 - port: 80 - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - default: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false -``` +You can find the Ansible NGINX App Protect role to install and configure NGINX App Protect [here](https://github.com/nginxinc/ansible-role-nginx-app-protect). -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a reverse proxy. +You can find the Ansible NGINX Controller collection of roles to install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller). 
-```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_http_template_enable: true - nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - # ip: 0.0.0.0 - port: 80 - opts: - - default_server - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - reverse_proxy: - locations: - frontend: - location: / - proxy_pass: http://frontend_servers - backend: - location: /backend - proxy_pass: http://backend_servers - upstreams: - upstream_1: - name: frontend_servers - lb_method: least_conn - zone_name: frontend - zone_size: 64k - sticky_cookie: false - servers: - frontend_server_1: - address: 0.0.0.0 - port: 8081 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - upstream_2: - name: backend_servers - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8082 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - frontend: - template_file: http/default.conf.j2 - conf_file_name: frontend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 8081 - ssl: false - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - frontend_site: - location: / - proxy_hide_headers: - - X-Powered-By - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false - backend: - template_file: http/default.conf.j2 - conf_file_name: backend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 8082 - ssl: false - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - 
backend_site: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false -``` +You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://github.com/nginxinc/ansible-role-nginx-unit). +## License -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing NGINX Plus. +[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/main/LICENSE) -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_type: plus -``` - -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost to install NGINX Unit and the PHP/Perl NGINX Unit language modules. - -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_enable: false - nginx_unit_enable: true - nginx_unit_modules: - - unit-php - - unit-perl -``` - -To run any of the above sample playbooks create a `setup-nginx.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook setup-nginx.yml`. - -Alternatively, you can also clone this repository instead of installing it from Ansible Galaxy. If you decide to do so, replace the role variable in the previous sample playbooks from `nginxinc.nginx` to `ansible-role-nginx`. 
- -Other NGINX Roles ------------------ - -You can find an Ansible collection of roles to help you install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller) - -License -------- - -[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/master/LICENSE) - -Author Information ------------------- +## Author Information [Alessandro Fael Garcia](https://github.com/alessfg) [Grzegorz Dzien](https://github.com/gdzien) -© [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020 +[Tom Gamull](https://github.com/magicalyak) + +© [F5 Networks, Inc.](https://www.f5.com/) 2018 - 2021 diff --git a/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml b/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml index 6e041c9..2c6a534 100644 --- a/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml +++ b/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml @@ -1,7 +1,7 @@ --- # Install NGINX Amplify. # Use your NGINX Amplify API key. -# Requires access to either the NGINX stub status or the NGINX Plus REST API. +# Requires access to either the NGINX stub_status or the NGINX Plus REST API. # Default is null. nginx_amplify_enable: false nginx_amplify_api_key: null diff --git a/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml b/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml index 941f3ba..be7c5fb 100644 --- a/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml +++ b/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml 
@@ -1,26 +1,16 @@ --- -# Supported distributions -nginx_bsd_systems: ['FreeBSD', 'NetBSD', 'OpenBSD', 'DragonFlyBSD', 'HardenedBSD'] - -# Supported distributions NGINX Plus -# https://docs.nginx.com/nginx/technical-specs/ -nginx_plus_bsd_systems: ['FreeBSD'] - # Choose to install BSD packages or ports. -# Options are True for packages or False for ports. -# Default is True. +# Options are true for packages or false for ports. +# Default is true. nginx_bsd_install_packages: true # Choose to update BSD ports collection. -# Options are True for update or False for do not update. -# Default is True. +# Options are true for update or false for do not update. +# Default is true. nginx_bsd_update_ports: true # Choose to install packages built from BSD ports collection if # available. -# Options are True for use packages or False for do not use packages. -# Default is True. +# Options are true for use packages or false for do not use packages. +# Default is true. nginx_bsd_portinstall_use_packages: true - -# FreeBSD extra packages -nginx_freebsd_extra_packages: ['security/ca_root_nss'] diff --git a/ansible/roles/nginxinc.nginx/defaults/main/linux.yml b/ansible/roles/nginxinc.nginx/defaults/main/linux.yml deleted file mode 100644 index 0be7b2f..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/linux.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# Supported distributions -nginx_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse'] - -# Supported distributions NGINX Plus -# https://docs.nginx.com/nginx/technical-specs/ -# RedHat={Amazon,CentOS,OracleLinux,RHEL} Debian={Ubuntu,Debian} -nginx_plus_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse'] - -# Default locations and versions for install from source -pcre_version: pcre-8.43 -zlib_version: zlib-1.2.11 -openssl_version: openssl-1.1.1c diff --git a/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml b/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml new file mode 100644 index 0000000..d9f01de 
--- /dev/null +++ b/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml @@ -0,0 +1,15 @@ +--- +# Create custom logrotate config +nginx_logrotate_conf_enable: false +nginx_logrotate_conf: + paths: + - "/var/log/nginx/*.log" + options: + - daily + - missingok + - rotate 14 + - compress + - delaycompress + - notifempty + - create 0644 www-data adm # Changes nginx logs permissions + - sharedscripts diff --git a/ansible/roles/nginxinc.nginx/defaults/main/main.yml b/ansible/roles/nginxinc.nginx/defaults/main/main.yml index 7d1dbe6..3d8f7dc 100644 --- a/ansible/roles/nginxinc.nginx/defaults/main/main.yml +++ b/ansible/roles/nginxinc.nginx/defaults/main/main.yml @@ -1,8 +1,13 @@ --- -# Install NGINX. +# Enable NGINX options -- `nginx_install` and `nginx_configure`. # Default is true. nginx_enable: true +# Install NGINX and NGINX modules. +# Variables for these options can be found below. +# Default is true. +nginx_install: true + # Start NGINX service. # Default is true. nginx_start: true 
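Review bot: The `create 0644 www-data adm` option in the new `nginx_logrotate_conf` default recreates every rotated NGINX log as world-readable. Access and error logs routinely hold client addresses and request URIs, including any tokens passed in query strings, so the default should be `- create 0640 www-data adm` to keep them readable by the owner and the `adm` group only. The owner is also hard-coded to a Debian-style account, which presumably does not match the NGINX user on the RedHat, Alpine or SLES targets the role lists. The inline comment could say so: `# Owner/group must match the account NGINX runs as on the target`.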
@@ -15,14 +20,14 @@ nginx_debug_output: false # Default is 'opensource'. nginx_type: opensource -# Specify which version of NGINX you want to install. -# Default is empty. +# (Optional) Specify which version of NGINX you want to install. +# Default is to install the latest release. # nginx_version: "=19-1~bionic" -# For Plus and modules you'll need a wilcard like below (which installs plus-20 and modules) +# For NGINX Plus and modules you'll need a wilcard like below (which installs plus-20 and modules) # nginx_version: "-20*" # Specify whether you want to maintain your version of NGINX, upgrade to the latest version, or remove NGINX. -# Can be used with `nginx_version` to achieve fine tune control on which version of NGINX is installed/used on each playbook execution. +# Can be used with `nginx_version` to fine tune control on which version of NGINX is installed/used on each playbook execution. # Using 'present' will install the latest version (or 'nginx_version') of NGINX on a fresh install. # Using 'latest' will upgrade NGINX to the latest version (that matches your 'nginx_version') of NGINX on every playbook execution. # Using 'absent' will remove NGINX from your system. 
@@ -36,27 +41,24 @@ nginx_state: present nginx_install_from: nginx_repository # Specify source install options for NGINX Open Source. -# Options represent whether to install from source also -# or to install from packages (default). These only apply -# if 'nginx_install_from' is set to 'source' -# For the tools, true means we will isntall from a package -# and false means install from source. -# 'nginx_install_source_build_tools' will install compiler -# and build tools from packages. If false, you need to have -# these present. +# Options represent whether to install from source also or to install from packages (default). +# These only apply if 'nginx_install_from' is set to 'source'. +# For the tools, true means we will install from a package and false means install from source. +# 'nginx_install_source_build_tools' will install compiler and build tools from packages. +# If false, you need to have these present. nginx_install_source_build_tools: true nginx_install_source_pcre: false nginx_install_source_openssl: true nginx_install_source_zlib: false -# Choose where to fetch the NGINX signing key from. +# (Optional) Choose where to fetch the NGINX signing key from. # Default is the official NGINX signing key host. # nginx_signing_key: http://nginx.org/keys/nginx_signing.key -# Specify source repository for NGINX Open Source. -# Only works if 'install_from' is set to 'nginx_repository'. +# (Optional) Specify repository for NGINX Open Source or NGINX Plus. +# Only works if 'install_from' is set to 'nginx_repository' when installing NGINX Open Source. # Defaults are the official NGINX repositories. -# nginx_repository: deb https://nginx.org/packages/mainline/debian/ stretch nginx +# nginx_repository: deb [arch=amd64] https://nginx.org/packages/mainline/debian/ buster nginx # Specify which branch of NGINX Open Source you want to install. # Options are 'mainline' or 'stable'. 
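Review bot: The example kept under the reworded signing-key comment still points at `http://nginx.org/keys/nginx_signing.key`, so anyone who uncomments it fetches the package-signing key over plaintext. A key swapped in transit would then be the one the repository's packages are verified against. The example should read `# nginx_signing_key: https://nginx.org/keys/nginx_signing.key`, matching the `https` already used in the `nginx_repository` example a few lines below. The repository comment refers to `'install_from'`, while the variable defined in this hunk's context is `nginx_install_from`; the comment should use the full name.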
@@ -70,24 +72,37 @@ nginx_license: certificate: license/nginx-repo.crt key: license/nginx-repo.key +# Set up NGINX Plus license before installation. +# Default is true. +nginx_setup_license: true + # Remove NGINX Plus license and repository after installation for security purposes. -# Default is false. -nginx_delete_license: false +# Default is true. +nginx_remove_license: true -# Install NGINX JavaScript, Perl, ModSecurity WAF (NGINX Plus only), GeoIP, Image-Filter, RTMP Media Streaming (NGINX Plus only), and/or XSLT modules. -# Default is false. -nginx_modules: - njs: false - perl: false - waf: false - geoip: false - image_filter: false - rtmp: false - xslt: false - -# Remove previously existing NGINX configuration files. -# Use a list of paths you wish to remove. -# Default is false. -nginx_cleanup_config: false -nginx_cleanup_config_path: - - /etc/nginx/conf.d +# Install NGINX Modules. +# You can select any of the modules listed below. Beware of NGINX Plus only modules (these are marked). +# Format is list with either the module name or a dictionary (see njs for an example). +# When using a dictionary, the default value for state is present, and for version it's nginx_version if specified. +# Default is an empty list (no modules are installed). +nginx_modules: [] + # - auth-spnego # NGINX Plus + # - brotli # NGINX Plus + # - cookie-flag # NGINX Plus + # - encrypted-session # NGINX Plus + # - geoip + # - geoip2 # NGINX Plus + # - headers-more # NGINX Plus + # - image-filter + # - lua # NGINX Plus + # - name: njs # Required + # state: present # Optional + # version: =1.19.4+0.4.4-1~bionic # Optional + # - opentracing # NGINX Plus + # - passenger # NGINX Plus + # - perl # NGINX Plus + # - prometheus # NGINX Plus + # - rtmp + # - subs-filter # NGINX Plus + # - waf # NGINX Plus + # - xslt diff --git a/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml b/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml new file mode 100644 index 0000000..5c6afb5 
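Review bot: Renaming `nginx_delete_license` to `nginx_remove_license` and flipping its default to `true` in the same hunk means an inventory that still sets the old name is silently ignored. The new default is the safer one, since the NGINX Plus certificate and key no longer stay on the host, but a playbook that relied on `nginx_delete_license: false` will now have them removed without any message. `nginx_modules` changes from a dictionary to a list here with the same silent effect, and `nginx_cleanup_config` disappears. The tasks that read these variables are outside the hunk, so whether they reject the old names cannot be seen from here. If they do not, a comment such as `# Replaces nginx_delete_license; the old name is no longer read.` above the variable would at least document the break.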
--- /dev/null +++ b/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml @@ -0,0 +1,15 @@ +--- +# Set SELinux enforcing for NGINX (CentOS/Red Hat only) - you may need to open ports on your own +nginx_selinux: false +# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true) +nginx_selinux_enforcing: true +# List of TCP ports to add to http_port_t type (80 and 443 have this type already) +# nginx_selinux_tcp_ports: +# - 80 +# - 443 +# List of UDP ports to add to http_port_t type +# nginx_selinux_udp_ports: +# - 80 +# - 443 +# Temporary directory to hold selinux modules +nginx_selinux_tempdir: /tmp diff --git a/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml b/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml new file mode 100644 index 0000000..7d9c006 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml 
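Review bot: `nginx_selinux_tempdir: /tmp` stages SELinux policy modules in a world-writable directory. The tasks that use it are not in this hunk, but if they write and compile module files there as root under fixed names, another local account can pre-create or replace those paths before the module is loaded. A directory owned by root with mode 0700 is the safer default (for illustration, `nginx_selinux_tempdir: /root/.nginx-selinux`, a constructed path). The comment on `nginx_selinux_enforcing` says the mode is applied "globally", so `false` presumably puts the whole host into permissive mode; that deserves an explicit line such as `# WARNING: changes the system-wide SELinux mode, not only the NGINX domain.`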
@@ -0,0 +1,43 @@ +--- +# Enable systemd modifications +# ** ALL of the following variables are ignored unless this is set to true ** +nginx_service_modify: false + +# Remove the override file completely +nginx_service_clean: false + +# Override the systemd directory +# Default is /etc/systemd/system/nginx.service.d +nginx_service_overridepath: /etc/systemd/system/nginx.service.d + +# Override the systemd filename +# Default is override.conf +nginx_service_overridefilename: override.conf + +# Set service timeout for systemd systems in seconds (default: 90) +# [Service] +# TimeoutStopSec=90 +# Default is to comment this out +# nginx_service_timeoutstopsec: 90 + +# Set the restart policy for systemd systems +# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always +# [Service] +# Restart=on-failure +# Default is to comment this out +# nginx_service_restart: on-failure + +# Set the restart timer in seconds +# [Service] +# RestartSec=5s +# Default is to comment this out +# nginx_service_restartsec: 5s + +# Enable a custom systemd override file +# ** This could break the service ** +# Setting this to true disables custom values above +nginx_service_custom: false + +# Filename and path for systemd override file +# Setting this will overwrite existing override file +nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf" diff --git a/ansible/roles/nginxinc.nginx/defaults/main/template.yml b/ansible/roles/nginxinc.nginx/defaults/main/template.yml deleted file mode 100644 index 1c0afd7..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/template.yml +++ /dev/null 
@@ -1,369 +0,0 @@ ---- -# Enable creating dynamic templated NGINX HTML demo websites. -nginx_html_demo_template_enable: false -nginx_html_demo_template: - default: - template_file: www/index.html.j2 - html_file_name: index.html - html_file_location: /usr/share/nginx/html - web_server_name: Default - -# Enable creating dynamic templated NGINX configuration files. -# Defaults are the values found in a fresh NGINX installation. -nginx_main_template_enable: false -nginx_main_template: - template_file: nginx.conf.j2 - conf_file_name: nginx.conf - conf_file_location: /etc/nginx/ - user: nginx - worker_processes: auto - # worker_rlimit_nofile: 1024 - error_log: - location: /var/log/nginx/error.log - level: warn - worker_connections: 1024 - http_enable: true - http_settings: - access_log_format: - - name: main - format: |- - '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - access_log_location: - - name: main - location: /var/log/nginx/access.log - tcp_nopush: true - tcp_nodelay: true - keepalive_timeout: 65 - cache: false - rate_limit: false - keyval: false - # server_tokens: "off" - http_global_autoindex: false - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # http_custom_options: [] - stream_enable: false - # stream_custom_options: [] - # auth_request_http: /auth - # auth_request_set_http: - # name: $auth_user - # value: $upstream_http_x_user - -# Enable creating dynamic templated NGINX HTTP configuration files. -# Defaults will not produce a valid configuration. Instead they are meant to showcase -# the options available for templating. Each key represents a new configuration file. 
-nginx_http_template_enable: false -nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: localhost # Wrap in square brackets for IPv6 addresses - port: 8081 - ssl: true - opts: [] # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:'). - server_name: localhost - include_files: [] - error_page: /usr/share/nginx/html - access_log: - - name: main - location: /var/log/nginx/access.log - error_log: - location: /var/log/nginx/error.log - level: warn - root: /usr/share/nginx/html - # https_redirect: $host - autoindex: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - client_max_body_size: 1m - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - ssl: - cert: /etc/ssl/certs/default.crt - key: /etc/ssl/private/default.key - dhparam: /etc/ssl/private/dh_param.pem - protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - prefer_server_ciphers: true - session_cache: none - session_timeout: 5m - disable_session_tickets: false - trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt - stapling: true - stapling_verify: true - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - web_server: - locations: - default: - location: / - include_files: [] - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: 
max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - client_max_body_size: 1m - # returns: - # return302: - # code: 302 - # url: https://sso.somehost.local/?url=https://$http_host$request_uri - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - http_demo_conf: false - reverse_proxy: - locations: - backend: - location: / - include_files: [] - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - proxy_connect_timeout: null - proxy_pass: http://backend - # rewrites: - # - /foo(.*) /$1 break - # proxy_pass_request_body: off - # allows: - # - 192.168.1.0/24 - # denies: - # - all - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - # header_upgrade: - # name: Upgrade - # value: $http_upgrade - # header_connection: - # name: Connection - # value: "Upgrade" - # header_random: - # name: RandomName - # value: RandomValue - # internal: false - # proxy_store: off - # proxy_store_acccess: user:rw - proxy_read_timeout: null - proxy_send_timeout: null - proxy_ssl: - cert: /etc/ssl/certs/proxy_default.crt - key: /etc/ssl/private/proxy_default.key - trusted_cert: /etc/ssl/certs/proxy_ca.crt - 
protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - verify: false - verify_depth: 1 - session_reuse: true - proxy_cache: backend_proxy_cache - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_temp_path: - path: /var/cache/nginx/proxy/backend/temp - proxy_cache_lock: false - proxy_cache_min_uses: 3 - proxy_cache_revalidate: false - proxy_cache_use_stale: - - http_403 - - http_404 - proxy_ignore_headers: - - Vary - - Cache-Control - proxy_cookie_path: - path: /web/ - replacement: / - proxy_buffering: false - proxy_http_version: 1.0 - websocket: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - # returns: - # return302: - # code: 302 - # url: https://sso.somehost.local/?url=https://$http_host$request_uri - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - health_check_plus: false - returns: - return301: - location: / - code: 301 - value: http://$host$request_uri - proxy_cache: - proxy_cache_path: - - path: /var/cache/nginx/proxy/backend - keys_zone: - name: backend_proxy_cache - size: 10m - levels: "1:2" - max_size: 10g - inactive: 60m - use_temp_path: true - proxy_temp_path: - path: /var/cache/nginx/proxy/temp - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_cache_lock: true - proxy_cache_min_uses: 5 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - error - - timeout - proxy_ignore_headers: - - Expires - upstreams: - upstream1: - name: backend - lb_method: least_conn - zone_name: backend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - server1: - address: localhost - port: 8081 - weight: 1 - health_check: max_fails=1 fail_timeout=10s - # custom_options: [] - # custom_options: [] - -# Enable NGINX status data. 
-# Will enable 'stub_status' in NGINX Open Source and 'status' in NGINX Plus. -# Note - 'status' has been deprecated since NGINX Plus R13. -# Default is false. -nginx_status_enable: false -nginx_status_location: /etc/nginx/conf.d/stub_status.conf -nginx_status_port: 80 - -# Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard. -# Requires NGINX Plus. -# Default is false. -nginx_rest_api_enable: false -nginx_rest_api_template_file: http/api.conf.j2 -nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf -nginx_rest_api_port: 80 -nginx_rest_api_write: false -nginx_rest_api_dashboard: false - -# Enable creating dynamic templated NGINX stream configuration files. -# Defaults will not produce a valid configuration. Instead they are meant to showcase -# the options available for templating. Each key represents a new configuration file. -nginx_stream_template_enable: false -nginx_stream_template: - default: - template_file: stream/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/stream/ - network_streams: - default: - listen_address: localhost - listen_port: 80 - udp_enable: false - include_files: [] - proxy_pass: backend - proxy_timeout: 3s - proxy_connect_timeout: 1s - proxy_protocol: false - proxy_ssl: - cert: /etc/ssl/certs/proxy_default.crt - key: /etc/ssl/private/proxy_default.key - trusted_cert: /etc/ssl/certs/proxy_ca.crt - protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - verify: false - verify_depth: 1 - session_reuse: true - health_check_plus: false - # custom_options: [] - upstreams: - upstream1: - name: backend - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - server1: - address: localhost - port: 8080 - weight: 1 - health_check: max_fails=1 fail_timeout=10s - # custom_options: [] - # custom_options: [] 
diff --git a/ansible/roles/nginxinc.nginx/defaults/main/unit.yml b/ansible/roles/nginxinc.nginx/defaults/main/unit.yml deleted file mode 100644 index e2bce7b..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/unit.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# Install NGINX Unit and NGINX Unit modules. -# Use a list of supported NGINX Unit modules. -# Default is false. -nginx_unit_enable: false -nginx_unit_modules: null diff --git a/ansible/roles/nginxinc.nginx/defaults/main/upload.yml b/ansible/roles/nginxinc.nginx/defaults/main/upload.yml deleted file mode 100644 index d6aca77..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/upload.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Enable uploading NGINX configuration files to your system. -# Default for uploading files is false. -# Default location of files is the files folder within the NGINX Ansible role. -# Upload the main NGINX configuration file. -nginx_main_upload_enable: false -nginx_main_upload_src: conf/nginx.conf -nginx_main_upload_dest: /etc/nginx/ -# Upload HTTP NGINX configuration files. -nginx_http_upload_enable: false -nginx_http_upload_src: conf/http/*.conf -nginx_http_upload_dest: /etc/nginx/conf.d/ -# Upload Stream NGINX configuration files. -nginx_stream_upload_enable: false -nginx_stream_upload_src: conf/stream/*.conf -nginx_stream_upload_dest: /etc/nginx/conf.d/ -# Upload HTML files. -nginx_html_upload_enable: false -nginx_html_upload_src: www/* -nginx_html_upload_dest: /usr/share/nginx/html -# Upload SSL certificates and keys. -nginx_ssl_upload_enable: false -nginx_ssl_crt_upload_src: ssl/*.crt -nginx_ssl_crt_upload_dest: /etc/ssl/certs/ -nginx_ssl_key_upload_src: ssl/*.key -nginx_ssl_key_upload_dest: /etc/ssl/private/ diff --git a/ansible/roles/nginxinc.nginx/files/conf/http/.gitkeep b/ansible/roles/nginxinc.nginx/files/conf/http/.gitkeep deleted file mode 100644 index e69de29..0000000 
diff --git a/ansible/roles/nginxinc.nginx/files/conf/stream/.gitkeep b/ansible/roles/nginxinc.nginx/files/conf/stream/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf b/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf new file mode 100644 index 0000000..2c99453 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf @@ -0,0 +1,2 @@ +[Service] +TimeoutStopSec=90 diff --git a/ansible/roles/nginxinc.nginx/files/ssl/.gitkeep b/ansible/roles/nginxinc.nginx/files/ssl/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/files/www/index.html b/ansible/roles/nginxinc.nginx/files/www/index.html deleted file mode 100644 index 77dc0b6..0000000 --- a/ansible/roles/nginxinc.nginx/files/www/index.html +++ /dev/null @@ -1,25 +0,0 @@ - - - -Welcome to nginx! - - - -

Welcome to nginx!

-

If you see this page, the nginx web server is successfully installed and -working. Further configuration is required.

- -

For online documentation and support please refer to -nginx.org.
-Commercial support is available at -nginx.com.

- -

Thank you for using nginx.

- - \ No newline at end of file diff --git a/ansible/roles/nginxinc.nginx/handlers/main.yml b/ansible/roles/nginxinc.nginx/handlers/main.yml index 5d58b86..76a99d9 100644 --- a/ansible/roles/nginxinc.nginx/handlers/main.yml +++ b/ansible/roles/nginxinc.nginx/handlers/main.yml @@ -1,39 +1,39 @@ --- -- name: "(Handler: All OSs) Run NGINX" - block: - - - name: "(Handler: All OSs) Start NGINX" - service: - name: nginx - state: started - enabled: yes - notify: "(Handler: All OSs) Check NGINX" - - - name: "(Handler: All OSs) Reload NGINX" - command: "nginx -s reload" - changed_when: false +- name: (Handler) Systemd daemon-reload + systemd: + daemon_reload: yes +- name: (Handler) Start/reload NGINX + service: + name: nginx + state: reloaded + enabled: yes when: - nginx_start | bool - - not ansible_check_mode + - not ansible_check_mode | bool + listen: (Handler) Run NGINX -- name: "(Handler: All OSs) Start NGINX Amplify Agent" +- name: (Handler) Check NGINX + command: nginx -t + register: config_check + ignore_errors: yes + check_mode: no + changed_when: false + listen: (Handler) Run NGINX + +- name: (Handler) Print NGINX error if syntax check fails + debug: + var: config_check.stderr_lines + failed_when: config_check.rc != 0 + when: + - config_check.stderr_lines is defined + - config_check.rc != 0 + listen: (Handler) Run NGINX + +- name: (Handler) Start NGINX Amplify agent service: name: amplify-agent state: started -- name: "(Handler: Debian/Ubuntu/CentOS/RedHat) Start NGINX Unit" - service: - name: unit - state: started - enabled: yes - -- name: "(Handler: FreeBSD) Start NGINX Unit" - service: - name: unitd - state: started - enabled: yes - -- name: "(Handler: All OSs) Check NGINX" - command: "nginx -t" - changed_when: false +- name: (Handler) Run logrotate + command: logrotate -f /etc/logrotate.d/nginx diff --git a/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info b/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info index 24f861e..935239a 100644 
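Review bot: `(Handler) Start/reload NGINX` is defined ahead of `(Handler) Check NGINX`, and Ansible runs notified handlers in the order they appear in the handlers file, so the reload happens before `nginx -t` has validated the configuration. Moving the `nginx -t` handler and the error-printing handler above the reload makes a broken configuration fail the play before the running service is touched. `Check NGINX` sets `ignore_errors: yes`, which is safe only because the following debug handler fails on `config_check.rc != 0`; a comment such as `# Failure is raised by the next handler so stderr can be printed first` would stop someone removing one without the other. The new `(Handler) Run logrotate` command forces a rotation with `-f` and has no `changed_when`, unlike the other command handler in this file.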
--- a/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info +++ b/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 21:51:16 2020 -version: 0.14.0 +install_date: Sat Feb 20 13:56:47 2021 +version: 0.19.1 diff --git a/ansible/roles/nginxinc.nginx/meta/main.yml b/ansible/roles/nginxinc.nginx/meta/main.yml index 0a3f86e..9055bb0 100644 --- a/ansible/roles/nginxinc.nginx/meta/main.yml +++ b/ansible/roles/nginxinc.nginx/meta/main.yml @@ -2,7 +2,8 @@ galaxy_info: author: Alessandro Fael Garcia description: Official Ansible role for NGINX - company: NGINX, Inc. + role_name: nginx + company: F5 Networks, Inc. license: Apache License, Version 2.0 @@ -11,19 +12,21 @@ galaxy_info: platforms: - name: Alpine versions: - - all + - any - name: Amazon versions: - - Candidate + - 2018.03 + - name: Amazon Linux 2 + versions: + - any - name: Debian versions: - - jessie - stretch - buster - name: EL versions: - - 6 - 7 + - 8 - name: FreeBSD versions: - 11.2 @@ -32,6 +35,7 @@ galaxy_info: versions: - xenial - bionic + - focal - name: SLES versions: - 12 @@ -40,11 +44,11 @@ galaxy_info: galaxy_tags: - nginx - oss + - opensource - plus - - amplify - - unit - web - server - development + - install dependencies: [] diff --git a/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 b/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 index c268a5b..a84fd9d 100644 --- a/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 +++ b/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 
@@ -17,27 +17,27 @@ ENV {{ var }} {{ value }} RUN \ if [ $(command -v apt-get) ]; then \ apt-get update \ - && apt-get install -y python3 sudo bash ca-certificates iproute2 python3-apt aptitude systemd systemd-sysv procps curl \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \ && apt-get clean; \ elif [ $(command -v dnf) ]; then \ dnf makecache \ - && dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 bash iproute \ + && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \ && dnf clean all; \ elif [ $(command -v yum) ]; then \ yum makecache fast \ - && yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute \ + && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \ && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \ && yum clean all; \ elif [ $(command -v zypper) ]; then \ zypper refresh \ - && zypper install -y python3 sudo bash iproute2 \ + && zypper install -y bash iproute2 python3 sudo vim \ && zypper clean -a; \ elif [ $(command -v apk) ]; then \ apk update \ - && apk add --no-cache python3 sudo bash ca-certificates curl openrc; \ + && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \ echo 'rc_provide="loopback net"' >> /etc/rc.conf; \ elif [ $(command -v xbps-install) ]; then \ xbps-install -Syu \ - && xbps-install -y python3 sudo bash ca-certificates iproute2 \ + && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \ && xbps-remove -O; \ fi diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf b/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf deleted file mode 100755 index 4559b82..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf +++ /dev/null 
@@ -1,44 +0,0 @@ -server { - listen 80; - server_name localhost; - - #charset koi8-r; - #access_log /var/log/nginx/host.access.log main; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} -} diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf b/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf deleted file mode 100755 index ba09f41..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf +++ /dev/null @@ -1,31 +0,0 @@ -user nginx; -worker_processes 4; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/conf.d/*.conf; -} 
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/www/.gitkeep b/ansible/roles/nginxinc.nginx/molecule/common/files/www/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml deleted file mode 100644 index aa04765..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Converge - hosts: all - pre_tasks: - - name: "Set repo if Alpine" - set_fact: - version: "=1.17.8-r1" - when: ansible_os_family == "Alpine" - - name: "Set repo if Debian" - set_fact: - version: "=1.17.8-1~{{ ansible_distribution_release }}" - when: ansible_os_family == "Debian" - - name: "Set repo if RedHat" - set_fact: - version: "-1.17.8-1.el{{ ansible_distribution_major_version }}.ngx" - when: ansible_os_family == "RedHat" - roles: - - role: ansible-role-nginx - vars: - nginx_version: "{{ version }}" diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml deleted file mode 100644 index 3f42b42..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_modules: - njs: true - perl: true - waf: false - geoip: true - image_filter: true - rtmp: true - xslt: true diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml deleted file mode 100644 index 808fd2f..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_install_from: source - nginx_branch: mainline - nginx_install_source_build_tools: true - nginx_install_source_pcre: false - nginx_install_source_openssl: true - nginx_install_source_zlib: false - - nginx_main_upload_enable: true - nginx_main_upload_src: files/nginx.conf - nginx_http_upload_enable: true - nginx_http_upload_src: files/http/*.conf diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml deleted file mode 100644 index c4841ae..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_branch: stable - nginx_main_upload_enable: true - nginx_main_upload_src: files/nginx.conf - nginx_http_upload_enable: true - nginx_http_upload_src: files/http/*.conf diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml deleted file mode 100644 index 3ff9e57..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml +++ /dev/null 
@@ -1,353 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_main_template_enable: true - nginx_main_template: - template_file: nginx.conf.j2 - conf_file_name: nginx.conf - conf_file_location: /etc/nginx/ - user: nginx - worker_processes: auto - error_log: - location: /var/log/nginx/error.log - level: warn - worker_connections: 1024 - http_enable: true - http_settings: - access_log_format: - - name: main - format: | - '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - access_log_location: - - name: main - location: /var/log/nginx/access.log - keepalive_timeout: 65 - cache: false - rate_limit: false - keyval: false - server_tokens: "off" - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - stream_enable: true - http_global_autoindex: false - - nginx_http_template_enable: true - nginx_http_template: - app: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 80 - opts: - - default_server - server_name: localhost - error_page: /usr/share/nginx/html - client_max_body_size: 512k - proxy_hide_headers: - - X-Powered-By - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - reverse_proxy: - locations: - frontend: - location: / - proxy_hide_headers: - - X-Powered-By - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - another_header: - name: Fancy-New-Header-To-Test - value: testing=true - always: false - proxy_pass: http://frontend_servers/ - 
proxy_cache: frontend_proxy_cache - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_temp_path: - path: /var/cache/nginx/proxy/frontend/temp - proxy_cache_lock: false - proxy_cache_min_uses: 3 - proxy_cache_revalidate: false - proxy_cache_use_stale: - - http_403 - - http_404 - proxy_ignore_headers: - - Vary - - Cache-Control - proxy_redirect: false - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - proxy_buffering: false - client_max_body_size: 5m - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - backend: - location: /backend - proxy_pass: http://backend_servers/ - proxy_cache: backend_proxy_cache - proxy_cache_valid: - - time: 10m - proxy_temp_path: - path: /var/cache/nginx/proxy/backend/temp - proxy_cache_lock: true - proxy_cache_min_uses: 2 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - http_500 - - http_502 - - http_503 - proxy_redirect: default - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - proxy_cookie_path: - path: /web/ - replacement: / - returns: - return301: - location: ^~ /old-path - code: 301 - value: http://$host/new-path - proxy_cache: - proxy_cache_path: - - path: /var/cache/nginx/proxy/frontend - keys_zone: - name: frontend_proxy_cache - size: 5m - levels: "1:2" - max_size: 5g - inactive: 30m - use_temp_path: true - - path: /var/cache/nginx/proxy/backend - keys_zone: - name: backend_proxy_cache - size: 10m - levels: "1:2" - max_size: 10g - inactive: 60m - use_temp_path: true - proxy_temp_path: - path: 
/var/cache/nginx/proxy/temp - proxy_cache_lock: true - proxy_cache_min_uses: 5 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - error - - timeout - proxy_ignore_headers: - - Expires - upstreams: - frontend_upstream: - name: frontend_servers - lb_method: least_conn - zone_name: frontend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - frontend_server_1: - address: 0.0.0.0 - port: 8081 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - backend_upstream: - name: backend_servers - lb_method: least_conn - zone_name: backend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8082 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - frontend: - template_file: http/default.conf.j2 - conf_file_name: frontend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - port: 8081 - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - sub_filter: - sub_filters: - - "'server_hostname' '$hostname'" - - "'server_address' '$server_addr:$server_port'" - - "'server_url' '$request_uri'" - - "'remote_addr' '$remote_addr:$remote_port'" - - "'server_date' '$time_local'" - - "'client_browser' '$http_user_agent'" - - "'request_id' '$request_id'" - - "'nginx_version' '$nginx_version'" - - "'document_root' '$document_root'" - - "'proxied_for_ip' '$http_x_forwarded_for'" - last_modified: "off" - once: "off" - types: "text/html" - web_server: - locations: - frontend_site: - location: / - proxy_hide_headers: - - X-Powered-By - html_file_location: /usr/share/nginx/html - html_file_name: frontend_index.html - autoindex: false - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "off" - types: "text/html" - http_demo_conf: false - backend: - template_file: http/default.conf.j2 - conf_file_name: backend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - 
port: 8082 - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - sub_filter: - sub_filters: - - "'server_hostname' '$hostname'" - - "'server_address' '$server_addr:$server_port'" - - "'server_url' '$request_uri'" - - "'remote_addr' '$remote_addr:$remote_port'" - - "'server_date' '$time_local'" - - "'client_browser' '$http_user_agent'" - - "'request_id' '$request_id'" - - "'nginx_version' '$nginx_version'" - - "'document_root' '$document_root'" - - "'proxied_for_ip' '$http_x_forwarded_for'" - last_modified: "off" - once: "off" - types: "text/html" - web_server: - locations: - backend_site: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: backend_index.html - autoindex: false - php: - location: ~ \.php$ - html_file_location: /usr/share/nginx/html - autoindex: false - custom_options: - - fastcgi_split_path_info ^(.+\.php)(/.+)$ - - fastcgi_pass unix:/run/php/php7.2-fpm.sock - - fastcgi_index index.php - - include fastcgi_params - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "off" - types: "text/html" - http_demo_conf: false - nginx_html_demo_template_enable: true - nginx_html_demo_template: - frontend: - template_file: www/index.html.j2 - html_file_name: frontend_index.html - html_file_location: /usr/share/nginx/html - web_server_name: Frontend - backend: - template_file: www/index.html.j2 - html_file_name: backend_index.html - html_file_location: /usr/share/nginx/html - web_server_name: Backend - - nginx_stream_template_enable: true - nginx_stream_template: - default: - template_file: stream/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/stream - network_streams: - app: - listen_address: 0.0.0.0 - listen_port: 8090 - udp_enable: false - proxy_pass: backend - proxy_timeout: 3s - proxy_connect_timeout: 1s - proxy_protocol: false - health_check_plus: false - upstreams: - 
backend_upstream: - name: backend - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8091 - weight: 1 - health_check: max_fails=1 fail_timeout=10s diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml deleted file mode 100644 index ee1dcc1..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Converge - hosts: all - pre_tasks: - - name: "Set module if Alpine" - set_fact: - module: - - "unit-perl" - - "unit-php7" - - "unit-python3" - when: ansible_os_family == "Alpine" - - name: "Set module if Debian/RedHat" - set_fact: - module: - - "unit-perl" - - "unit-php" - - "unit-ruby" - when: ansible_os_family == "Debian" - - name: "Set module if RedHat" - set_fact: - module: - - "unit-php" - - "unit-go" - when: ansible_os_family == "RedHat" - roles: - - role: ansible-role-nginx - vars: - nginx_enable: false - nginx_unit_enable: true - nginx_unit_modules: "{{ module }}" diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml new file mode 100644 index 0000000..3700406 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml 
@@ -0,0 +1,47 @@ +--- +- name: Converge + hosts: all + pre_tasks: + - name: Set repo if Alpine + set_fact: + version: "=1.19.1-r1" + when: ansible_facts['os_family'] == "Alpine" + - name: Set repo if Debian + set_fact: + version: "=1.19.1-1~{{ ansible_facts['distribution_release'] }}" + when: ansible_facts['os_family'] == "Debian" + - name: Set repo if Red Hat + set_fact: + version: "-1.19.1-1.el{{ ansible_facts['distribution_major_version'] }}.ngx" + when: ansible_facts['os_family'] == "RedHat" + - name: Enable NGINX @CentOS-AppStream dnf modules + shell: + args: + cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx # noqa 204 303 + register: dnf_module_enable + changed_when: dnf_module_enable.stdout != 'ENABLED' + when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==') + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_debug_output: true + nginx_selinux: true + nginx_selinux_tcp_ports: + - 80 + - 443 + nginx_version: "{{ version }}" + nginx_configure: false + nginx_logrotate_conf_enable: true + nginx_logrotate_conf: + paths: + - /var/log/nginx/*.log + options: + - daily + - missingok + - rotate 14 + - compress + - delaycompress + - notifempty + - sharedscripts diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml new file mode 100644 index 0000000..8e590fb --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml 
@@ -0,0 +1,24 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx + check_mode: yes + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: yes + check_mode: yes + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + uri: + url: http://localhost + status_code: 200 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml new file mode 100644 index 0000000..9c68740 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml @@ -0,0 +1,26 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NGINX modules + include_role: + name: ansible-role-nginx + vars: + nginx_debug_output: true + + nginx_service_modify: true + nginx_service_timeout: 95 + nginx_selinux: true + nginx_selinux_tcp_ports: + - 80 + - 443 + + nginx_modules: + - brotli + - geoip + - image-filter + - name: njs + # version: =1.19.4+0.4.4-1~bionic + state: present + - perl + - xslt diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml new file mode 100644 index 0000000..8e590fb --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml 
@@ -0,0 +1,24 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx + check_mode: yes + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: yes + check_mode: yes + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + uri: + url: http://localhost + status_code: 200 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml new file mode 100644 index 0000000..696ffd8 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml @@ -0,0 +1,32 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_type: plus + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key + nginx_remove_license: false + nginx_modules: + - auth-spnego + - brotli + - cookie-flag + - encrypted-session + - geoip + - geoip2 + - headers-more + - image-filter + - lua + - modsecurity + - njs + - opentracing + - passenger + - perl + - prometheus + - rtmp + - subs-filter + - xslt diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml new file mode 100644 index 0000000..594d5ee --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml 
@@ -0,0 +1,18 @@ +--- +- name: Prepare + hosts: localhost + gather_facts: false + tasks: + - name: Create ephemeral license certificate file from b64 decoded env var + copy: + content: "{{ lookup('env','NGINX_CRT') | b64decode }}" + dest: ../../../files/license/nginx-repo.crt + force: no + mode: 0444 + + - name: Create ephemeral license key file from b64 decoded env var + copy: + content: "{{ lookup('env','NGINX_KEY') | b64decode }}" + dest: ../../../files/license/nginx-repo.key + force: no + mode: 0444 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml new file mode 100644 index 0000000..2c1c78f --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml @@ -0,0 +1,24 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx-plus + check_mode: yes + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: yes + check_mode: yes + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + uri: + url: http://localhost + status_code: 200 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml new file mode 100644 index 0000000..534fc85 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml @@ -0,0 +1,16 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NGINX from source + include_role: + name: ansible-role-nginx + vars: + nginx_debug_output: true + + nginx_install_from: source + nginx_branch: stable + nginx_install_source_build_tools: true + nginx_install_source_pcre: true + nginx_install_source_openssl: true + nginx_install_source_zlib: true 
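Review bot: In plus_prepare.yml, the task `Create ephemeral license key file from b64 decoded env var` writes the NGINX Plus repository private key with `mode: 0444`, which leaves it world-readable on the machine running Molecule. Neither copy task sets `no_log: true`, so the decoded `NGINX_KEY` content can appear in verbose or `--diff` output and in CI logs. On the key task I would use `mode: '0400'` and add `no_log: true`; quoting the mode also avoids depending on how the YAML loader reads a leading-zero integer. The destination `../../../files/license/` is inside the role tree and nothing in this hunk removes the file, so it is worth confirming that the path is git-ignored and cleaned up after the scenario.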
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml new file mode 100644 index 0000000..d69320c --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml @@ -0,0 +1,17 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: yes + check_mode: yes + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + uri: + url: http://localhost + status_code: 200 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py deleted file mode 100644 index 8d12025..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py +++ /dev/null @@ -1,30 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py deleted file mode 100644 index 8d12025..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py +++ /dev/null 
@@ -1,30 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py deleted file mode 100644 index 24fcbab..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py +++ /dev/null @@ -1,25 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py deleted file mode 100644 index c695962..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py +++ /dev/null 
@@ -1,42 +0,0 @@ -import nginx -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout - - -def test_generated_files(host): - assert host.file('/etc/nginx/conf.d/default.conf').exists - - -def test_default_server(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - lf = c.server.filter('Location', '/') - assert len(lf) == 1 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py deleted file mode 100644 index 0b79c97..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py +++ /dev/null 
@@ -1,58 +0,0 @@ -import nginx -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout - - -def test_generated_files(host): - assert host.file('/etc/nginx/conf.d/default.conf').exists - assert host.file('/etc/nginx/conf.d/frontend_default.conf').exists - assert host.file('/etc/nginx/conf.d/backend_default.conf').exists - - -def test_default_server(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - lf = c.server.filter('Location', '/') - assert len(lf) == 1 - lb = c.server.filter('Location', '/backend') - assert len(lb) == 1 - - -def test_client_max_body_size(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - vs = c.server.filter('Key', 'client_max_body_size') - assert len(vs) == 1 - assert vs[0].value == '512k' - lc = c.server.filter('Location', '/') - vl = lc[0].filter('Key', 'client_max_body_size') - assert len(vl) == 1 - assert vl[0].value == '5m' diff --git a/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml index 9a5c3a6..ad780a3 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml 
@@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml index 8fea6a0..84342fb 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml @@ -4,23 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 
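Review bot: In molecule/default/molecule.yml, the added `ubuntu-focal` platform copies `privileged: true` together with a read-write bind of the host's `/sys/fs/cgroup`. That gives a container which installs packages from external repositories as root close to host-level access on the CI runner. If the only reason is running an init system inside the container, a narrower setup is worth trying, for example `capabilities: [SYS_ADMIN]`, `tmpfs: [/run, /tmp]` and `"/sys/fs/cgroup:/sys/fs/cgroup:ro"`. Whether that is sufficient depends on the host's cgroup version and should be verified per image. The same applies to the `alpine-3.12` platform added in default_alpine and module_alpine, and to `ubuntu-focal` in the module and plus scenarios.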
@@ -35,10 +20,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml index 11b030f..7ae1cde 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml index 2e12f7e..d1f3cba 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim 
@@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml index 8de545e..06140c8 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml @@ -4,23 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 @@ -35,10 +20,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml index 0b09e78..aaac71a 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml similarity index 70% rename from ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml index 71585a8..6f3dbd5 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,7 +34,16 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml similarity index 63% rename from ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml index cd02977..92956e1 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml @@ -4,32 +4,24 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 - image: alpine:3.10 + image: python:alpine3.10 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" - name: alpine-3.11 - image: alpine:3.11 + image: python:alpine3.11 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: @@ -38,4 +30,6 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml 
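Review bot: In the first hunk of plus_alpine/molecule.yml the `alpine-3.10` and `alpine-3.11` platforms switch to `python:alpine3.10` and `python:alpine3.11`, but the newly added `alpine-3.12` platform uses plain `alpine:3.12`. If this scenario needs the Python-bearing image (the reason is not visible in the diff), 3.12 presumably needs `image: python:alpine3.12` as well. If it does not, the two switched entries pull from a second upstream image for no visible benefit, and the platform names no longer describe what is being tested. A one-line comment above `platforms:` stating why the image differs from the platform name would settle it.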
diff --git a/ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml similarity index 72% rename from ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml index bd73ca0..40f02db 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,4 +23,6 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml index a2028ed..75efa0f 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml index a5b2919..a23bdaa 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml @@ -4,32 +4,24 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 - image: python:alpine3.10 + image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" - name: alpine-3.11 - image: python:alpine3.11 + image: alpine:3.11 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: @@ -38,7 +30,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml index 1fff5be..1e29674 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml 
@@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: centos-7 image: centos:7 @@ -24,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml deleted file mode 100644 index 40c6990..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: debian-stretch - image: debian:stretch-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: debian-buster - image: debian:buster-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-xenial - image: ubuntu:xenial - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-bionic - image: ubuntu:bionic - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml deleted file mode 100644 index c2753f3..0000000 
--- a/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.10 - image: alpine:3.10 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.11 - image: alpine:3.11 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml deleted file mode 100644 index c5f1884..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - - name: centos-7 - image: centos:7 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" - - name: centos-8 - image: centos:8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml deleted file mode 100644 index 541fee0..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: debian-stretch - image: debian:stretch-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: debian-buster - image: debian:buster-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-xenial - image: ubuntu:xenial - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-bionic - image: ubuntu:bionic - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml deleted file mode 100644 index a646a5b..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.10 - image: alpine:3.10 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.11 - image: alpine:3.11 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml deleted file mode 100644 index 3b0f745..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - - name: centos-7 - image: centos:7 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" - - name: centos-8 - image: centos:8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml index 9204abf..2a06fed 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml 
@@ -1,24 +1,23 @@ --- -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" +- name: Configure NGINX Amplify agent repository + include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_facts['os_family'] | lower }}.yml" + when: ansible_facts['os_family'] in ['Debian', 'RedHat'] -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - -- name: "(Install: All OSs) Install NGINX Amplify Agent" +- name: Install NGINX Amplify agent package: name: nginx-amplify-agent state: present -- name: "(Setup: All OSs) Copy NGINX Configurator Agent Configuration Template" +- name: Copy NGINX configurator agent configuration template copy: remote_src: yes src: /etc/amplify-agent/agent.conf.default dest: /etc/amplify-agent/agent.conf + mode: 0644 -- name: "(Setup: All OSs) Configure NGINX Amplify Agent API Key" +- name: Configure NGINX Amplify agent API key lineinfile: dest: /etc/amplify-agent/agent.conf regexp: api_key =.* line: "api_key = {{ nginx_amplify_api_key }}" - notify: "(Handler: All OSs) Start NGINX Amplify Agent" + notify: (Handler) Start NGINX Amplify agent diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml index 224a076..c8e5d15 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml 
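Review bot: The added `mode: 0644` on the copy to `/etc/amplify-agent/agent.conf` makes that file world-readable, and the very next task writes `api_key = {{ nginx_amplify_api_key }}` into it, so any local account on the host can read the Amplify API key. A tighter mode such as `mode: "0640"`, with the owner and group the agent runs as, would avoid that; the agent's account is not visible here and needs confirming. The `lineinfile` task also has no `no_log: true`, so the key can appear in `--diff` or verbose play output.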
@@ -1,5 +1,17 @@ --- -- name: "(Install: Debian/Ubuntu) Add NGINX Amplify Agent Repository" +- name: (Debian/Ubuntu) Add NGINX Amplify agent repository apt_repository: filename: nginx-amplify - repo: deb [arch=amd64] http://packages.amplify.nginx.com/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} amplify-agent + repo: "deb [arch=amd64] https://packages.amplify.nginx.com/{{ ansible_facts['distribution'] | lower }}/ + {{ ansible_facts['distribution_release'] | lower }} amplify-agent" + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] != "focal" + +- name: (Ubuntu 20.04) Add NGINX Amplify agent repository + apt_repository: + filename: nginx-amplify + repo: deb [arch=amd64] https://packages.amplify.nginx.com/py3/ubuntu focal amplify-agent + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] == "focal" diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml index 154da5e..ba332d8 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml @@ -1,8 +1,9 @@ --- -- name: "(Install: CentOS/RedHat/Amazon Linux) Add NGINX Amplify Agent Repository" +- name: (Amazon Linux/CentOS/RHEL) Add NGINX Amplify agent repository yum_repository: name: nginx-amplify - baseurl: http://packages.amplify.nginx.com/{{ (ansible_distribution == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/ + baseurl: http://packages.amplify.nginx.com/{{ (ansible_facts['distribution'] == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/ description: NGINX Amplify Agent enabled: yes gpgcheck: yes + mode: 0644 diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml deleted file mode 100644 index 9eb405c..0000000 
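Review bot: The `baseurl` in the setup-redhat.yml hunk still uses plain `http://packages.amplify.nginx.com/...`, although the setup-debian.yml hunk in this same commit moves its repository to `https://`. `gpgcheck: yes` covers the packages themselves, but the repository metadata is still fetched over an unauthenticated channel; changing the scheme to `https://` would bring the RPM path in line with the Debian one. Separately, the ternary values `'amzn/'` and `'centos/'` already end in a slash and are followed by another, which renders as `centos//$releasever`; dropping the trailing slash inside the quotes tidies the URL.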
--- a/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: "(Setup: All OSs) Remove NGINX configuration files" - file: - path: "{{ item }}" - state: absent - with_items: - - "{{ nginx_cleanup_config_path }}" - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml b/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml deleted file mode 100644 index 6ad7ba1..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: "(Setup: All OSs) Register NGINX configuration" - command: nginx -T - changed_when: false - register: nginx_configuration - -- name: "(Setup: All OSs) Print NGINX configuration" - debug: - var: nginx_configuration.stdout_lines diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml b/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml deleted file mode 100644 index a69c43e..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: "(Setup: NGINX Open Source) Enable NGINX Open Source Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /nginx_status { - stub_status on; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "opensource" - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: NGINX Plus) Enable NGINX Plus Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /status { - status; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "plus" - notify: "(Handler: All OSs) Reload NGINX" 
diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml deleted file mode 100644 index 21205f0..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -- name: "(Setup: All NGINX) Ensure HTML Directory Exists" - file: - path: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}" - state: directory - with_dict: "{{ nginx_html_demo_template }}" - when: nginx_html_demo_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate HTML Files" - template: - src: "{{ item.value.template_file | default('www/index.html.j2') }}" - dest: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}/{{ item.value.html_file_name | default('index.html') }}" - backup: yes - with_dict: "{{ nginx_html_demo_template }}" - when: nginx_html_demo_template_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists" - file: - path: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}" - state: directory - when: nginx_main_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX Main Configuration File" - template: - src: "{{ nginx_main_template.template_file | default('nginx.conf.j2') }}" - dest: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}/{{ nginx_main_template.conf_file_name | default('nginx.conf') }}" - backup: yes - when: nginx_main_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists" - file: - path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}" - state: directory - with_dict: "{{ nginx_http_template }}" - when: nginx_http_template_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Proxy Cache Directories Exist" - file: - path: "{{ item.1.path }}" - state: directory - owner: "{{ nginx_main_template.user | default('nginx') }}" - with_subelements: - - "{{ nginx_http_template }}" - - proxy_cache.proxy_cache_path - - skip_missing: true - when: nginx_http_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX HTTP Configuration Files" - template: - 
src: "{{ item.value.template_file | default('http/default.conf.j2') }}" - dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}/{{ item.value.conf_file_name | default('default.conf') }}" - backup: yes - with_dict: "{{ nginx_http_template }}" - when: nginx_http_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - - -- name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File" - template: - src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}" - dest: "{{ nginx_rest_api_file_location | default('/etc/nginx/conf.d/api.conf') }}" - backup: yes - notify: "(Handler: All OSs) Reload NGINX" - when: nginx_rest_api_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists" - file: - path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}" - state: directory - with_dict: "{{ nginx_stream_template }}" - when: nginx_stream_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX Stream Configuration Files" - template: - src: "{{ item.value.template_file | default('stream/default.conf.j2') }}" - dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}/{{ item.value.conf_file_name | default('default.conf') }}" - backup: yes - with_dict: "{{ nginx_stream_template }}" - notify: "(Handler: All OSs) Reload NGINX" - when: nginx_stream_template_enable | bool diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml deleted file mode 100644 index 66c68dd..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists" - file: - path: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}" - state: directory - when: nginx_main_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX Main Configuration File" - copy: - src: "{{ nginx_main_upload_src | default('conf/nginx.conf') }}" - dest: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}" - backup: yes - when: nginx_main_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists" - file: - path: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}" - state: directory - when: nginx_http_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX HTTP Configuration Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}" - backup: yes - with_fileglob: "{{ nginx_http_upload_src }}" - when: nginx_http_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists" - file: - path: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}" - state: directory - when: nginx_stream_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX Stream Configuration Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}" - backup: yes - with_fileglob: "{{ nginx_stream_upload_src }}" - when: nginx_stream_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTML Directory Exists" - file: - path: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}" - state: directory - when: nginx_html_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX HTML Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}" - backup: yes - with_fileglob: "{{ nginx_html_upload_src 
}}" - when: nginx_html_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure SSL Certificate Directory Exists" - file: - path: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}" - state: directory - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Ensure SSL Key Directory Exists" - file: - path: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}" - state: directory - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX SSL Certificates" - copy: - src: "{{ item }}" - dest: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}" - mode: 0640 - decrypt: yes - backup: yes - with_fileglob: "{{ nginx_ssl_crt_upload_src }}" - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX SSL Keys" - copy: - src: "{{ item }}" - dest: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}" - mode: 0640 - decrypt: yes - backup: yes - with_fileglob: "{{ nginx_ssl_key_upload_src }}" - no_log: yes - when: nginx_ssl_upload_enable | bool diff --git a/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml b/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml new file mode 100644 index 0000000..0ea0a41 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml @@ -0,0 +1,12 @@ +--- +- name: Register NGINX config + command: nginx -T + ignore_errors: "{{ ansible_check_mode }}" + check_mode: no + changed_when: false + register: config_full + +- name: Print NGINX config + debug: + var: config_full.stdout_lines + when: config_full.stdout_lines is defined diff --git a/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml b/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml new file mode 100644 index 0000000..cad1b25 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml 
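Review bot: In the new config/debug-output.yml, `nginx -T` dumps every included configuration file and the `debug` task prints all of it to the play output, with no guard inside this file. NGINX configurations can carry sensitive values such as upstream credentials or internal hostnames, and play output commonly ends up in shared CI logs; whether the include in main.yml is opt-in is not visible from this hunk. I would add a comment above the first task, e.g. `# Prints the full NGINX config to the play output; enable only where logs are private`, and confirm the caller gates it behind a variable that defaults to off.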
@@ -0,0 +1,37 @@ +--- +- name: Create override directory for NGINX systemd service + file: + path: "{{ nginx_service_overridepath }}" + state: directory + mode: 0755 + +- name: Create override for NGINX systemd service + template: + src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: 0644 + when: + - not nginx_service_custom | bool + - not nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload + +- name: Customize override for NGINX systemd service + copy: + src: "{{ nginx_service_custom_file }}" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: 0644 + when: + - nginx_service_custom | bool + - not nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload + +- name: Remove override for NGINX systemd service + file: + path: "{{ nginx_service_overridepath }}" + state: absent + when: nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload diff --git a/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml b/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml new file mode 100644 index 0000000..a01c629 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml 
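Review bot: The first task, `Create override directory for NGINX systemd service`, has no `when`, so with `nginx_service_clean` set the directory is created and then deleted by the last task in the same run. That reports a change and fires the daemon-reload handler on every play; adding `when: not nginx_service_clean | bool` to the create task makes the clean path idempotent. The removal task also deletes the whole `nginx_service_overridepath` directory rather than the file this role wrote, so a drop-in placed there by another tool or an administrator is removed with it. Using `path: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"` would limit the removal to the role's own file.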
@@ -0,0 +1,36 @@ +--- +- name: (Alpine Linux) Install logrotate + apk: + name: logrotate + when: ansible_facts['os_family'] == "Alpine" + +- name: (Debian/Ubuntu) Install logrotate + apt: + name: logrotate + state: present + when: ansible_facts['os_family'] == "Debian" + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install logrotate + yum: + name: logrotate + state: present + when: ansible_facts['os_family'] == "RedHat" + +- name: (SLES) Set up logrotate + block: + - name: (SLES) Configure logrotate repository + zypper_repository: + repo: https://download.opensuse.org/repositories/openSUSE:Leap:42.1/standard/openSUSE:Leap:42.1.repo + + - name: (SLES) Install Logrotate + zypper: + name: logrotate + state: present + when: ansible_facts['os_family'] == "Suse" + +- name: Create logrotate config + template: + src: logrotate/nginx.j2 + dest: /etc/logrotate.d/nginx + mode: 0644 + notify: (Handler) Run logrotate diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml deleted file mode 100644 index 131634d..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: "(Install: APK OSs) Set Default APK NGINX Signing Key URL" - set_fact: - default_keysite: https://nginx.org/keys/nginx_signing.rsa.pub - -- name: "(Install: APK OSs) Set APK NGINX Signing Key URL" - set_fact: - keysite: "{{ nginx_signing_key | default(default_keysite) }}" - -- name: "(Install: APK OSs) Download NGINX Signing Key" - get_url: - url: "{{ keysite }}" - dest: /etc/apk/keys/nginx_signing.rsa.pub diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml deleted file mode 100644 index ef7f140..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml +++ /dev/null 
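Review bot: The SLES block in setup-logrotate.yml adds an openSUSE Leap 42.1 repository to the host only to install logrotate, and that repository stays configured afterwards. Leap 42.1 is long out of support, so this leaves an unmaintained package source enabled on a SLES system that later `zypper` operations may resolve against. I would first check whether logrotate is available from the host's own repositories and drop the `zypper_repository` task if it is. If the repository has to stay, it deserves a variable for the URL and a comment explaining why. The Alpine task is also the only install without `state: present`; adding it would match the other three.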
@@ -1,12 +0,0 @@
----
-- name: "(Install: APT OSs) Set Default APT NGINX Signing Key URL"
- set_fact:
- default_keysite: https://nginx.org/keys/nginx_signing.key
-
-- name: "(Install: APT OSs) Set APT NGINX Signing Key URL"
- set_fact:
- keysite: "{{ nginx_signing_key | default(default_keysite) }}"
-
-- name: "(Install: APT OSs) Add APT NGINX Signing Key"
- apt_key:
- url: "{{ keysite }}"
diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml
deleted file mode 100644
index 0323d56..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: "(Install: RPM OSs) Set Default RPM NGINX Signing Key"
- set_fact:
- default_keysite: >-
- {{ (ansible_distribution_major_version|int == 6)
- | ternary('http://nginx.org/keys/nginx_signing.key', 'https://nginx.org/keys/nginx_signing.key') }}
-
-- name: "(Install: RPM OSs) Set RPM NGINX Signing Key URL"
- set_fact:
- keysite: "{{ nginx_signing_key | default(default_keysite) }}"
-
-- name: "(Install: RPM OSs) Add RPM NGINX Signing Key"
- rpm_key:
- key: "{{ keysite }}"
diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml b/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml
new file mode 100644
index 0000000..fb9dccc
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml
@@ -0,0 +1,31 @@
+---
+- name: (Alpine Linux) Set up signing key
+ block:
+ - name: (Alpine Linux) Set up NGINX signing key URL
+ set_fact:
+ keysite: "{{ nginx_signing_key | default(nginx_default_signing_key_rsa_pub) }}"
+
+ - name: (Alpine Linux) Download NGINX signing key
+ get_url:
+ url: "{{ keysite }}"
+ dest: /etc/apk/keys/nginx_signing.rsa.pub
+ mode: 0400
+ when: ansible_facts['os_family'] == "Alpine"
+
+- name: (Debian/Red Hat/SLES OSs) Set up NGINX signing key URL
+ set_fact:
+ keysite: "{{ nginx_signing_key | default(nginx_default_signing_key_pgp) }}"
+ when: ansible_facts['os_family'] != "Alpine"
+
+- name: (Debian/Ubuntu) Add NGINX signing key
+ apt_key:
+ id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+ url: "{{ keysite }}"
+ when: ansible_facts['os_family'] == "Debian"
+
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL/SLES) Add NGINX signing key
+ rpm_key:
+ fingerprint: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+ key: "{{ keysite }}"
+ validate_certs: "{{ (ansible_facts['distribution_major_version'] is version('6', '==')) | ternary('no', 'yes') }}"
+ when: ansible_facts['os_family'] in ['RedHat', 'Suse']
diff --git a/ansible/roles/nginxinc.nginx/tasks/main.yml b/ansible/roles/nginxinc.nginx/tasks/main.yml
index ead4e9b..59a2865 100644
--- a/ansible/roles/nginxinc.nginx/tasks/main.yml
+++ b/ansible/roles/nginxinc.nginx/tasks/main.yml
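Review bot: The Alpine branch writes whatever `keysite` serves into `/etc/apk/keys/` with no integrity pin, whereas the `apt_key` and `rpm_key` tasks below both pin the key to `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62`. Keys in that directory are what apk uses to verify packages, so the download should be pinned too, for example `checksum: "sha256:<SHA256_OF_EXPECTED_KEY>"` on the `get_url` task (placeholder; the value has to come from the key's publisher), and the `nginx_signing_key` override should be documented as needing a matching checksum. On the `rpm_key` task, `validate_certs` is switched off for major version 6, which leaves the `fingerprint` check as the only thing authenticating the key; a comment such as `# TLS validation is off for major version 6; the fingerprint is what authenticates this key` would keep a later edit from dropping it. The version test is not limited to `RedHat`, so a `Suse` host reporting major version 6 would take the same path.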
@@ -1,85 +1,88 @@ --- -- import_tasks: prerequisites/install-prerequisites.yml +- name: Check whether you are using a supported NGINX distribution + assert: + that: (nginx_type == "opensource" and ansible_facts['distribution'] in nginx_distributions) + or (nginx_type == "plus" and ansible_facts['distribution'] in nginx_plus_distributions) + success_msg: "Your OS, {{ ansible_facts['distribution'] }} is supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" + fail_msg: "Your OS, {{ ansible_facts['distribution'] }} is not supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" + when: + - nginx_install | bool + - (nginx_install_from == "nginx_repository" or nginx_type == "plus") + ignore_errors: yes + tags: nginx_check_support + +- name: Set up prerequisites + include_tasks: "{{ role_path }}/tasks/prerequisites/prerequisites.yml" tags: nginx_prerequisites -- import_tasks: keys/apt-key.yml - when: - - ansible_os_family == "Debian" - - nginx_install_from == "nginx_repository" - or nginx_amplify_enable - or nginx_unit_enable - tags: nginx_aptkey +- name: Set up signing keys + include_tasks: "{{ role_path }}/tasks/keys/setup-keys.yml" + when: (nginx_install | bool and nginx_install_from == "nginx_repository") + or nginx_amplify_enable | bool + tags: nginx_key -- import_tasks: keys/rpm-key.yml - when: - - ansible_os_family == "RedHat" - or ansible_os_family == "Suse" - - nginx_install_from == "nginx_repository" - or nginx_amplify_enable - or nginx_unit_enable - tags: nginx_rpmkey - -- import_tasks: keys/apk-key.yml - when: ansible_os_family == "Alpine" - tags: nginx_apkkey - -- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX" +- name: Install and Configure NGINX block: + - name: Install NGINX + block: + - name: Install NGINX Open Source + include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" + when: nginx_type == "opensource" + tags: nginx_install_oss - - import_tasks: 
opensource/install-oss.yml - when: nginx_type == "opensource" - tags: nginx_install_oss + - name: Set up NGINX Plus license + include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml" + when: + - nginx_type == "plus" + - nginx_setup_license | bool + tags: nginx_setup_license - - import_tasks: plus/install-plus.yml - when: nginx_type == "plus" - tags: nginx_install_plus + - name: Install NGINX Plus + include_tasks: "{{ role_path }}/tasks/plus/install-{{ ansible_facts['os_family'] | lower }}.yml" + when: nginx_type == "plus" + tags: nginx_install_plus - - import_tasks: conf/cleanup-config.yml - when: nginx_cleanup_config | bool - tags: nginx_cleanup_config + - name: Install NGINX modules + include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" + when: + - nginx_modules is defined + - nginx_modules | length > 0 + tags: nginx_install_modules - - import_tasks: conf/upload-config.yml - when: nginx_main_upload_enable - or nginx_http_upload_enable - or nginx_stream_upload_enable - or nginx_html_upload_enable - or nginx_ssl_upload_enable - tags: nginx_upload_config + - name: Remove NGINX Plus license + include_tasks: "{{ role_path }}/tasks/plus/remove-license.yml" + when: + - nginx_type == "plus" + - nginx_remove_license | bool + tags: nginx_remove_license - - import_tasks: conf/template-config.yml - when: nginx_main_template_enable - or nginx_http_template_enable - or nginx_stream_template_enable - or nginx_rest_api_enable - tags: nginx_template_config + - name: Modify systemd parameters + include_tasks: "{{ role_path }}/tasks/config/modify-systemd.yml" + when: + - ansible_facts['service_mgr'] == "systemd" + - nginx_service_modify | bool + tags: nginx_modify_systemd + when: nginx_install | bool + tags: nginx_install - - import_tasks: conf/setup-status.yml - when: nginx_status_enable | bool - tags: nginx_setup_status + - name: Ensure NGINX is running + meta: flush_handlers - - import_tasks: modules/install-modules.yml - when: true in nginx_modules.values() - 
tags: nginx_install_modules - - - import_tasks: conf/debug-output.yml + - name: Debug NGINX output + include_tasks: "{{ role_path }}/tasks/config/debug-output.yml" when: nginx_debug_output | bool tags: nginx_debug_output - - import_tasks: plus/delete-license.yml - when: - - nginx_type == "plus" - - nginx_delete_license - tags: nginx_delete_license - + - name: Configure logrotate for NGINX + include_tasks: "{{ role_path }}/tasks/config/setup-logrotate.yml" + when: nginx_logrotate_conf_enable | bool + tags: nginx_logrotate_config when: nginx_enable | bool -- import_tasks: amplify/install-amplify.yml +- name: Install NGINX Amplify + include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" when: - nginx_amplify_enable | bool - nginx_amplify_api_key is defined - nginx_amplify_api_key | length > 0 tags: nginx_install_amplify - -- import_tasks: unit/install-unit.yml - when: nginx_unit_enable | bool - tags: nginx_install_unit diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml deleted file mode 100644 index 124d0f0..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml +++ /dev/null 
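Review bot: The new support check in main.yml is an `assert` with `ignore_errors: yes`, so a failed assertion is only recorded and the play carries on to set up keys, repositories and packages on a distribution the role has just reported as unsupported. If the check is meant to be advisory, say so with a comment (`# Advisory only: unsupported distributions are reported, not blocked`); if it is meant to gate the install, drop `ignore_errors`. The "Set up signing keys" condition also looks narrower than the check above it: the assert treats `nginx_type == "plus"` as repository-based whatever `nginx_install_from` is, while the key include does not, so a Plus install with `nginx_install_from` set to something other than `nginx_repository` would presumably reach the package step without the signing key. That depends on the role defaults, which are outside this hunk, so it needs confirming there.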
@@ -1,29 +0,0 @@ ---- -- name: "(Install: CentOS) Install GeoIP Required CentOS Dependencies" - yum: - name: - - epel-release - when: ansible_distribution == "CentOS" - -- name: "(Install: All OSs) Install NGINX Open Source GeoIP Module" - package: - name: "nginx-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus GeoIP Module" - package: - name: "nginx-plus-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX GeoIP Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - with_items: - - load_module modules/ngx_http_geoip_module.so; - - load_module modules/ngx_stream_geoip_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml deleted file mode 100644 index bbce180..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source Image Filter Module" - package: - name: "nginx-module-image-filter{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus Image Filter Module" - package: - name: "nginx-plus-module-image-filter{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX Image Filter Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_image_filter_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" 
diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml
index d055fe4..51e6c87 100644
--- a/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml
+++ b/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml
@@ -1,28 +1,33 @@ --- -- import_tasks: install-njs.yml - when: nginx_modules.njs | default(false) - -- import_tasks: install-perl.yml - when: nginx_modules.perl | default(false) - -- import_tasks: install-geoip.yml +- name: (CentOS) Install GeoIP dependencies + yum: + name: epel-release when: - - nginx_modules.geoip | default(false) - - ansible_os_family != "RedHat" - - ansible_distribution_major_version != "8" + - ansible_facts['distribution'] == "CentOS" + - '"geoip" in nginx_modules' -- import_tasks: install-image-filter.yml - when: nginx_modules.image_filter | default(false) - -- import_tasks: install-rtmp.yml +- name: Install NGINX modules + package: + name: "nginx-{{ (nginx_type == 'plus') | ternary('plus-', '') }}module-{{ item.name | default(item) }}\ + {{ item.version | default(nginx_version) | default('') }}" + state: "{{ item.state | default('present') }}" + loop: "{{ nginx_modules }}" when: - - nginx_modules.rtmp | default(false) - - nginx_type == "plus" - -- import_tasks: install-xslt.yml - when: nginx_modules.xslt | default(false) - -- import_tasks: install-waf.yml - when: - - nginx_modules.waf | default(false) - - nginx_type == "plus" + - (item.name | default(item) in nginx_modules_list and nginx_type == 'opensource') + or (item.name | default(item) in nginx_plus_modules_list and nginx_type == 'plus') + - not (item.name | default(item) == "auth-spnego") + or not (ansible_facts['os_family'] == "Alpine" and (ansible_facts['distribution_version'] | regex_search('^[0-9]+\\.[0-9]+') is version('3.8', '=='))) + - not (item.name | default(item) == "geoip") + or not ((ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==')) + or (ansible_facts['os_family'] == "FreeBSD")) + - not (item.name | default(item) == "brotli") + or not ((ansible_facts['os_family'] == "Alpine") + or (ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '<')) + or 
(ansible_facts['os_family'] == "Debian" and ansible_facts['distribution_major_version'] is version('9', '==')) + or (ansible_facts['os_family'] == "Suse" and ansible_facts['distribution_major_version'] is version('12', '<')) + or (ansible_facts['distribution'] == "Amazon") + or (ansible_facts['distribution'] == "OracleLinux")) + - not (item.name | default(item) == "geoip2") or not (ansible_facts['os_family'] == "Suse") + - not (item.name | default(item) == "opentracing") + or not ((ansible_facts['os_family'] == "Suse" and ansible_facts['distribution_major_version'] is version('12', '==')) + or (ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('6', '=='))) diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml deleted file mode 100644 index f0a2a8a..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source JavaScript Module" - package: - name: "nginx-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus JavaScript Module" - package: - name: "nginx-plus-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX JavaScript Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - with_items: - - load_module modules/ngx_http_js_module.so; - - load_module modules/ngx_stream_js_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml deleted file mode 100644 index eb8fac3..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml +++ /dev/null 
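Review bot: The EPEL prerequisite in install-modules.yml is guarded by `'"geoip" in nginx_modules'`, but the install task right below accepts each entry either as a plain string or as a mapping (`item.name | default(item)`), so a `geoip` entry given in mapping form never matches and `epel-release` is skipped. A condition that looks at both forms fixes it, e.g. `- '"geoip" in nginx_modules or "geoip" in (nginx_modules | selectattr("name", "defined") | map(attribute="name") | list)'`. Because this task enables a third-party repository on the host, it should also carry the exclusions the install loop applies to `geoip`; as written, EPEL is enabled on CentOS 8 even though the loop then skips the module on RedHat-family major version 8. The removed per-module files also inserted `load_module` lines into `/etc/nginx/nginx.conf` and nothing in this hunk replaces that, so a comment should state where module loading is now expected to happen.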
@@ -1,25 +0,0 @@ ---- -- name: "(Install: All OSs) Install Perl Dependency" - package: - name: perl - state: present - -- name: "(Install: All OSs) Install NGINX Open Source Perl Module" - package: - name: "nginx-module-perl{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus Perl Module" - package: - name: "nginx-plus-module-perl{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX Perl Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_perl_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml deleted file mode 100644 index 77b1dfd..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Plus RTMP Module" - package: - name: "nginx-plus-module-rtmp{{ nginx_version | default('') }}" - state: present - -- name: "(Setup: All NGINX) Load NGINX RTMP Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_rtmp_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml deleted file mode 100644 index 806cfd3..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Plus WAF Module" - package: - name: "nginx-plus-module-modsecurity{{ nginx_version | default('') }}" - state: present - -- name: "(Setup: NGINX Plus) Load NGINX Plus WAF Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_modsecurity_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml deleted file mode 100644 index d73f552..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source XSLT Module" - package: - name: "nginx-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus XSLT Module" - package: - name: "nginx-plus-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX XSLT Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_xslt_filter_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml new file mode 100644 index 0000000..a884a9d --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml 
@@ -0,0 +1,15 @@
+---
+- name: (Alpine Linux) Configure NGINX repository
+ lineinfile:
+ path: /etc/apk/repositories
+ insertafter: EOF
+ line: "{{ nginx_repository | default(nginx_default_repository_alpine) }}"
+
+- name: (Alpine Linux) Install NGINX
+ apk:
+ name: "nginx{{ nginx_version | default('') }}"
+ repository: "{{ nginx_repository | default(nginx_default_repository_alpine) }}"
+ state: "{{ nginx_state }}"
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml
new file mode 100644
index 0000000..de78d65
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml
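Review bot: `ignore_errors: "{{ ansible_check_mode }}"` on the install task in install-alpine.yml needs a comment, because an `ignore_errors` next to a package install reads like a swallowed failure. Presumably it is there because check mode does not actually write the repository line above, so the package lookup can fail; something like `# Check mode does not add the repository above, so tolerate a failed lookup only in that mode` would make that explicit. The same line appears without explanation in the install-debian.yml and install-redhat.yml hunks. The repository is also configured twice here, once in `/etc/apk/repositories` and once through the `repository:` argument, and a comment should say whether both are needed.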
@@ -0,0 +1,78 @@ +--- +- name: (FreeBSD) Update ports + block: + - name: (FreeBSD) Fetch ports + command: portsnap fetch --interactive + args: + creates: /var/db/portsnap/INDEX + + - name: (FreeBSD) Extract ports + command: portsnap extract + args: + creates: /usr/ports + when: + - ansible_facts['system'] == "FreeBSD" + - nginx_bsd_update_ports | bool + +- name: (FreeBSD) Install NGINX + block: + - name: (FreeBSD) Install NGINX package + pkgng: + name: "www/nginx{{ nginx_version | default('') }}" + state: "{{ nginx_state }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (FreeBSD) Install NGINX port + portinstall: + name: "www/nginx{{ nginx_version | default('') }}" + use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" + state: "{{ nginx_state }}" + when: not nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + when: ansible_facts['system'] == "FreeBSD" + +- name: (OpenBSD) Install NGINX + block: + - name: (OpenBSD) Install NGINX package + openbsd_pkg: + name: "nginx{{ nginx_version | default('') }}" + build: no + state: "{{ nginx_state }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (OpenBSD) Install NGINX port + openbsd_pkg: + name: "nginx{{ nginx_version | default('') }}" + build: yes + state: "{{ nginx_state }}" + when: not nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + when: ansible_facts['system'] == "OpenBSD" + +- name: (NetBSD) Install NGINX + block: + - name: (NetBSD) Install NGINX package + command: "pkg_add www/nginx{{ nginx_version | default('') }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (NetBSD) Install NGINX port + fail: + msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." 
+ when: not nginx_bsd_install_packages | bool + when: ansible_facts['system'] == "NetBSD" + +- name: (DragonFlyBSD/HardenedBSD) Install NGINX + block: + - name: (DragonFlyBSD/HardenedBSD) Install NGINX package + command: "pkg install www/nginx{{ nginx_version | default('') }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (DragonFlyBSD/HardenedBSD) Install NGINX port + fail: + msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." + when: not nginx_bsd_install_packages | bool + when: ansible_facts['system'] in ['DragonFlyBSD', 'HardenedBSD'] diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml new file mode 100644 index 0000000..8f1253c --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml @@ -0,0 +1,15 @@ +--- +- name: (Debian/Ubuntu) Configure NGINX repository + apt_repository: + filename: nginx + repo: "{{ item }}" + update_cache: yes + mode: 0644 + loop: "{{ nginx_repository | default(nginx_default_repository_debian) }}" + +- name: (Debian/Ubuntu) Install NGINX + apt: + name: "nginx{{ nginx_version | default('') }}" + state: "{{ nginx_state }}" + ignore_errors: "{{ ansible_check_mode }}" + notify: (Handler) Run NGINX diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml deleted file mode 100644 index b8b5997..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml +++ /dev/null 
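Review bot: The NetBSD and DragonFlyBSD/HardenedBSD package tasks in install-bsd.yml run `command:` (`pkg_add …`, `pkg install …`) with no `creates` or `changed_when`, so they report a change and notify "(Handler) Run NGINX" on every run, and they ignore `nginx_state`, which the FreeBSD and OpenBSD tasks honour. `pkg install` is also invoked without an assume-yes option, so it may stop at the confirmation prompt when run unattended; that is worth verifying on a real host. For DragonFlyBSD/HardenedBSD the `pkgng` module already used for FreeBSD in this file should give idempotence and state handling: `pkgng:` / `name: "www/nginx{{ nginx_version | default('') }}"` / `state: "{{ nginx_state }}"`. `portsnap fetch --interactive` in the first block deserves a comment as well, since an option named "interactive" in an automated play is surprising.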
@@ -1,103 +0,0 @@ ---- -- name: "(Install: FreeBSD) Update ports" - block: - - - name: "(Install: FreeBSD) Fetch Ports" - command: portsnap fetch --interactive - args: - creates: /var/db/portsnap/INDEX - - - name: "(Install: FreeBSD) Extract Ports" - command: portsnap extract - args: - creates: /usr/ports - - when: - - ansible_system == 'FreeBSD' - - nginx_bsd_update_ports - -- name: "(Install: FreeBSD)" - block: - - - name: "(Install: FreeBSD) Install NGINX package" - pkgng: - name: "www/nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: FreeBSD) Install NGINX port" - portinstall: - name: "www/nginx{{ nginx_version | default('') }}" - use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" - state: "{{ nginx_state }}" - when: not nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - when: ansible_system == 'FreeBSD' - -- name: "(Install: OpenBSD)" - block: - - - name: "(Install: OpenBSD) Install NGINX package" - openbsd_pkg: - name: "nginx{{ nginx_version | default('') }}" - build: false - state: "{{ nginx_state }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: OpenBSD) Install NGINX port" - openbsd_pkg: - name: "nginx{{ nginx_version | default('') }}" - build: true - state: "{{ nginx_state }}" - when: not nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - when: ansible_system == 'OpenBSD' - -- name: "(Install: NetBSD)" - block: - - - name: "(Install: NetBSD) Install NGINX package" - command: "pkg_add www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: NetBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." 
- when: not nginx_bsd_install_packages - - when: ansible_system == 'NetBSD' - -- name: "(Install: DragonFlyBSD)" - block: - - - name: "(Install: DragonFlyBSD) Install NGINX package" - command: "pkg install www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: DragonFlyBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." - when: not nginx_bsd_install_packages - - when: ansible_system == 'DragonFlyBSD' - -- name: "(Install: HardenedBSD)" - block: - - - name: "(Install: HardenedBSD) Install NGINX package" - command: "pkg install www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: HardenedBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." - when: not nginx_bsd_install_packages - - when: ansible_system == 'HardenedBSD' diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml deleted file mode 100644 index 3525e63..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -- name: "(Install: Linux) Configure NGINX repo" - block: - - - import_tasks: setup-alpine.yml - when: ansible_os_family == "Alpine" - - - import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - - - import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - - - import_tasks: setup-suse.yml - when: ansible_os_family == "Suse" - - when: nginx_install_from == "nginx_repository" - -- name: "(Install: Linux) Install NGINX from source" - import_tasks: setup-source.yml - when: nginx_install_from == "source" - -- name: "(Install: Linux) Install NGINX package" - package: - name: "nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - when: nginx_install_from == "os_repository" - notify: "(Handler: All OSs) Start NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml index a2b8584..1a573ad 100644 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml 
@@ -1,8 +1,22 @@ --- -- name: "(Install: OSS Linux)" - import_tasks: install-oss-linux.yml - when: ansible_os_family in nginx_linux_families +- name: Install NGINX in Linux systems + block: + - name: Install NGINX from repository + include_tasks: "{{ role_path }}/tasks/opensource/install-{{ ansible_facts['os_family'] | lower }}.yml" + when: nginx_install_from == "nginx_repository" -- name: "(Install: OSS BSD)" - import_tasks: install-oss-bsd.yml - when: ansible_system in nginx_bsd_systems + - name: Install NGINX from source + include_tasks: "{{ role_path }}/tasks/opensource/install-source.yml" + when: nginx_install_from == "source" + + - name: Install NGINX from package + package: + name: "nginx{{ nginx_version | default('') }}" + state: "{{ nginx_state }}" + when: nginx_install_from == "os_repository" + notify: (Handler) Run NGINX + when: ansible_facts['system'] | lower is not search('bsd') + +- name: Install NGINX in Unix systems + include_tasks: "{{ role_path }}/tasks/opensource/install-bsd.yml" + when: ansible_facts['system'] | lower is search('bsd') diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml new file mode 100644 index 0000000..6fc1691 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml 
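Review bot: The repository include in install-oss.yml builds its file name from a fact, `install-{{ ansible_facts['os_family'] | lower }}.yml`, with no check that such a file exists, so any non-BSD `os_family` without a matching tasks file ends in a missing-file error instead of the role's own "not supported" message. The outer condition `ansible_facts['system'] | lower is not search('bsd')` is named "Linux systems" but matches every non-BSD system. A short comment would help, e.g. `# Requires tasks/opensource/install-<os_family>.yml; families without one fail at this include`, or a `when` entry limiting the include to the families the role ships files for. The second task's name, "Install NGINX in Unix systems", would be clearer as "BSD systems", which is what its condition tests.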
@@ -0,0 +1,34 @@
+---
+- name: (CentOS/RHEL 6/7) Configure NGINX repository
+ yum_repository:
+ name: nginx
+ baseurl: "{{ nginx_repository | default(nginx_default_repository_redhat) }}"
+ description: NGINX Repository
+ enabled: yes
+ gpgcheck: yes
+ mode: 0644
+ when: ansible_facts['distribution_major_version'] is version('8', '<')
+
+- name: (CentOS/RHEL 8) Configure NGINX repository
+ blockinfile:
+ path: /etc/yum.repos.d/nginx.repo
+ create: yes
+ block: |
+ [nginx]
+ baseurl = {{ nginx_repository | default(nginx_default_repository_redhat) }}
+ enabled = 1
+ gpgcheck = 1
+ name = NGINX Repository
+ module_hotfixes = true
+ mode: 0644
+ when: ansible_facts['distribution_major_version'] is version('8', '==')
+
+- name: (CentOS/RHEL) Install NGINX
+ yum:
+ name: "nginx{{ nginx_version | default('') }}"
+ state: "{{ nginx_state }}"
+ disablerepo: "*"
+ enablerepo: nginx
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml
new file mode 100644
index 0000000..af2cf8d
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml
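Review bot: The two repository tasks in install-redhat.yml cover major versions `< 8` and `== 8` only, so on a major version above 8 no repository is written and the install task, which runs with `disablerepo: "*"` and `enablerepo: nginx`, has nothing to install from. Changing the second condition to `when: ansible_facts['distribution_major_version'] is version('8', '>=')` closes that gap. Both definitions set `gpgcheck` but no `gpgkey`, so signature verification depends on the key having been imported beforehand by the separate key tasks; a comment saying so would stop someone from answering a key error by turning `gpgcheck` off. The task names say CentOS/RHEL while the conditions test only the version, so they also apply to any other distribution that includes this file.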
@@ -0,0 +1,450 @@ +--- +- name: Check for build tools + block: + - name: (CentOS/RHEL 8) Setup Python 3 + block: + - name: (CentOS/RHEL 8) Install Python 3 + yum: + name: + - python3 + - python3-pip + - python3-devel + update_cache: yes + + - name: (Centos/RHEL 8) Set Python 3 as default + alternatives: + name: python + path: /usr/bin/python3 + link: /usr/bin/python + when: + - ansible_facts['os_family'] == "RedHat" + - ansible_facts['distribution_major_version'] is version('8', '==') + + - name: (Centos/RHEL) Install build tools + yum: + name: + - "@Development tools" + - ca-certificates + - gcc + - gd + - gd-devel + - glibc + - glibc-common + - perl-core + - wget + - zlib-devel + update_cache: yes + when: ansible_facts['os_family'] == "RedHat" + + - name: (Debian) Install backports repo for 'buster' + apt_repository: + filename: buster-backports + repo: deb http://ftp.us.debian.org/debian buster-backports main + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] == "buster" + + - name: (Debian/Ubuntu) Install build tools + apt: + name: + - build-essential + - checkinstall + - libtemplate-perl + - python3-minimal + - perl + - tar + - zlib1g-dev + update_cache: yes + when: ansible_facts['os_family'] == "Debian" + + - name: (Alpine Linux) Install build tools + apk: + name: + - alpine-sdk + - build-base + - git + - openrc + - perl + - python3 + - linux-headers + - tar + - wget + update_cache: yes + when: ansible_facts['os_family'] == "Alpine" + + - name: (Alpine Linux) Enable OpenRC + copy: + content: "" + dest: /run/openrc/softlevel + force: no + owner: root + mode: 0644 + when: ansible_facts['os_family'] == "Alpine" + when: nginx_install_source_build_tools | bool + +- name: Check for source installs + block: + - name: Check for PCRE install + stat: + path: /tmp/{{ pcre_version }} + register: pcre_result + + - name: Check for ZLib install + stat: + path: /tmp/{{ zlib_version }} + register: zlib_result + + - name: Check for OpenSSL install + 
stat: + path: /tmp/{{ openssl_version }} + register: openssl_result + +- name: (CentOS/RHEL) Install PCRE dependency from package + yum: + name: pcre-devel + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install PCRE dependency from package + apt: + name: libpcre3-dev + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine Linux) Install PCRE dependency from package + apk: + name: pcre-dev + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install PCRE dependence from source + block: + - name: Download PCRE dependency + get_url: + url: "https://ftp.pcre.org/pub/pcre/{{ pcre_version }}.tar.gz" + dest: "/tmp/{{ pcre_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: pcre_source + + - name: Unpack PCRE dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ pcre_source.dest }}" + mode: 0700 + + - name: Configure PCRE dependency + command: ./configure + args: + chdir: "/tmp/{{ pcre_version }}" + + - name: Make PCRE dependency + make: + chdir: "/tmp/{{ pcre_version }}" + + - name: Install PCRE dependency + make: + chdir: "/tmp/{{ pcre_version }}" + target: install + when: + - not pcre_result.stat.exists | bool + - not nginx_install_source_pcre | bool + - not ansible_check_mode | bool + +- name: (Centos/RHEL) Install ZLib dependency from package + yum: + name: zlib-devel + update_cache: yes + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install ZLib dependency from package + apt: + name: zlib1g-dev + update_cache: true + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine 
Linux) Install ZLib dependency from package + apk: + name: zlib-dev + update_cache: yes + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install ZLib dependency from source + block: + - name: Download ZLib dependency + get_url: + url: "https://zlib.net/{{ zlib_version }}.tar.gz" + dest: "/tmp/{{ zlib_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: zlib_source + + - name: Unpack ZLib dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ zlib_source.dest }}" + mode: 0700 + + - name: Configure ZLib dependency + command: ./configure + args: + chdir: "/tmp/{{ zlib_version }}" + + - name: Make ZLib dependency + make: + chdir: "/tmp/{{ zlib_version }}" + + - name: Install ZLib dependency + make: + chdir: "/tmp/{{ zlib_version }}" + target: install + when: + - not zlib_result.stat.exists | bool + - not nginx_install_source_zlib | bool + - not ansible_check_mode | bool + +- name: (CentOS/RHEL) Install OpenSSL dependency from package + yum: + name: openssl-devel + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install OpenSSL dependency from package + apt: + name: libssl-dev + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine Linux) Install OpenSSL dependency from package + apk: + name: openssl-dev + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install OpenSSL dependency from source + block: + - name: Download OpenSSL dependency + get_url: + url: "https://www.openssl.org/source/{{ openssl_version }}.tar.gz" + dest: "/tmp/{{ openssl_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and 
ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: openssl_source + + - name: Unpack OpenSSL dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ openssl_source.dest }}" + mode: 0700 + + - name: Configure OpenSSL dependency + command: ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib + args: + chdir: "/tmp/{{ openssl_version }}" + + - name: Make OpenSSL dependency + make: + chdir: "/tmp/{{ openssl_version }}" + + - name: Install OpenSSL dependency + make: + chdir: "/tmp/{{ openssl_version }}" + target: install + when: + - not openssl_result.stat.exists | bool + - not nginx_install_source_openssl | bool + - not ansible_check_mode | bool + +- name: Get NGINX version + block: + - name: Fetch NGINX version + uri: + url: https://trac.nginx.org/nginx/browser + return_content: yes + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + check_mode: no + register: nginx_versions + + - name: Set NGINX mainline version + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search('release[^<]*') | regex_replace('release', 'nginx') }}" + when: nginx_branch == "mainline" + + - name: Set NGINX stable version 1/2 + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search('stable[^<]*') | regex_replace('stable', 'release') }}" + when: nginx_branch == "stable" + + - name: Set NGINX stable version 2/2 + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search(nginx_version + '[^<]*') | regex_replace('release', 'nginx') }}" + when: nginx_branch == "stable" + + - name: Set NGINX download filename + set_fact: + nginx_download_name: "{{ nginx_version }}" + + - name: Check for NGINX install + stat: + path: /usr/sbin/nginx + follow: yes + register: nginx_result + +- name: Add NGINX user + user: + name: nginx + +- name: Install NGINX + block: + - name: 
Download NGINX + get_url: + url: "https://nginx.org/download/{{ nginx_download_name }}.tar.gz" + dest: "/tmp/{{ nginx_download_name }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: nginx_source + + - name: Unpack NGINX + unarchive: + copy: no + dest: /tmp/ + src: "{{ nginx_source.dest }}" + mode: 0755 + + - name: Configure NGINX + command: >- + ./configure + --conf-path=/etc/nginx/nginx.conf + --error-log-path=/var/log/nginx/error.log + --http-log-path=/var/log/nginx/access.log + --lock-path=/var/lock/nginx.lock + --modules-path=/usr/lib/nginx/modules + --prefix=/usr + --pid-path=/var/run/nginx.pid + --with-http_ssl_module + --with-mail=dynamic + --with-stream + {{ nginx_install_source_pcre | ternary('', '--with-pcre=../' + pcre_version) }} + {{ nginx_install_source_zlib | ternary('', '--with-zlib=../' + zlib_version) }} + {{ nginx_install_source_openssl | ternary('', '--with-openssl=../' + openssl_version) }} + args: + chdir: "/tmp/{{ nginx_version }}" + register: nginx_configure + + - name: Make NGINX + make: + chdir: "/tmp/{{ nginx_version }}" + + - name: Install NGINX + make: + chdir: "/tmp/{{ nginx_version }}" + target: install + + - name: Upload systemd NGINX service file + copy: + src: services/nginx.systemd + dest: /lib/systemd/system/nginx.service + owner: root + group: root + mode: 0644 + when: ansible_facts['service_mgr'] == "systemd" + + - name: Enable systemd NGINX service file + systemd: + daemon_reload: yes + name: nginx + state: restarted + enabled: yes + when: ansible_facts['service_mgr'] == "systemd" + notify: "(Handler) Run NGINX" + + - name: Upload upstart NGINX service file + copy: + src: services/nginx.upstart + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "upstart" + + - name: Upload Upstart NGINX service conf file + copy: + src: 
services/nginx.conf.upstart + dest: /etc/init/nginx.conf + owner: root + group: root + mode: 0644 + when: ansible_facts['service_mgr'] == "upstart" + + - name: Enable Upstart NGINX service reload + command: initctl reload-configuration + when: ansible_facts['service_mgr'] == "upstart" + + - name: Start Upstart NGINX service reload + command: nginx + when: ansible_facts['service_mgr'] == "upstart" + notify: "(Handler) Run NGINX" + + - name: Upload SysVinit NGINX service file + copy: + src: services/nginx.sysvinit + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "sysvinit" + notify: "(Handler) Run NGINX" + + - name: Upload OpenRC NGINX service file + copy: + src: services/nginx.openrc + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "openrc" + + - name: Enable OpenRC NGINX service + command: rc-update add nginx default + when: ansible_facts['service_mgr'] == "openrc" + notify: (Handler) Run NGINX + when: + - not nginx_result.stat.exists | bool + - not ansible_check_mode | bool + +- name: Cleanup downloads + file: + path: "{{ item }}" + state: absent + loop: + - "{{ pcre_source.dest }}" + - "{{ zlib_source.dest }}" + - "{{ openssl_source.dest }}" + - "{{ nginx_source.dest }}" + when: item is defined diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml new file mode 100644 index 0000000..37e0e21 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml 
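Review bot: None of the four `get_url` downloads in install-source.yml (PCRE, ZLib, OpenSSL, NGINX) sets `checksum`, and their `validate_certs` expression evaluates to `no` on RedHat-family major version 6, so on those hosts nothing authenticates the tarballs that the following tasks configure, build and `make install`; the `uri` lookup that derives `nginx_version` uses the same expression. I would pin each archive, for example `checksum: "sha256:{{ pcre_sha256 }}"` (the variable name is only a suggestion, one per pinned version), and replace the ternary with `validate_certs: yes`. The sources are also unpacked and built under fixed names in `/tmp`, and the "already built" test is a `stat` of `/tmp/{{ pcre_version }}` and its siblings, so whatever already sits at those paths decides whether the build runs and what `--with-pcre=../...` picks up. A role-owned build directory with a restrictive mode would remove that dependency on a world-writable location.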
@@ -0,0 +1,14 @@
+---
+- name: (SLES) Configure NGINX repository
+ zypper_repository:
+ name: "nginx-{{ nginx_branch }}"
+ repo: "{{ nginx_repository | default(nginx_default_repository_suse) }}"
+
+- name: (SLES) Install NGINX
+ zypper:
+ name: "nginx{{ nginx_version | default('') }}"
+ state: "{{ nginx_state }}"
+ disable_recommends: no
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml
deleted file mode 100644
index f5aa5b9..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: "(Install: Alpine) Set Default APK NGINX Repository"
- set_fact:
- default_repository: >-
- https://nginx.org/packages/{{ (nginx_branch == 'mainline')
- | ternary('mainline/', '') }}alpine/v{{ ansible_distribution_version.split('.')[0] }}.{{ ansible_distribution_version.split('.')[1] }}/main
-
-- name: "(Install: Alpine) Set APK NGINX Repository"
- set_fact:
- repository: "{{ nginx_repository | default(default_repository) }}"
-
-- name: "(Install: Alpine) Add NGINX Repository"
- lineinfile:
- path: /etc/apk/repositories
- insertafter: EOF
- line: "{{ repository }}"
-
-- name: "(Install: Alpine) Install Required Alpine Dependencies"
- apk:
- name:
- - openssl
- - pcre
-
-- name: "(Install: Alpine) Install NGINX"
- apk:
- name: "nginx{{ nginx_version | default('') }}"
- repository: "{{ repository }}"
- state: "{{ nginx_state }}"
- notify: "(Handler: All OSs) Start NGINX"
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml
deleted file mode 100644
index a289956..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-- name: "(Install: Debian/Ubuntu) Set Default APT NGINX Repository"
- set_fact:
- default_repository:
- - >-
- deb [arch=amd64] https://nginx.org/packages/{{ (nginx_branch == 'mainline')
- | ternary('mainline/', '') }}{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx
- - >-
- deb-src [arch=amd64] https://nginx.org/packages/{{ (nginx_branch == 'mainline')
- | ternary('mainline/', '') }}{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx
-
-- name: "(Install: Debian/Ubuntu) Set APT NGINX Repository"
- set_fact:
- repository: "{{ nginx_repository | default(default_repository) }}"
-
-- name: "(Install: Debian/Ubuntu) Add NGINX Repository"
- apt_repository:
- repo: "{{ item }}"
- with_items:
- - "{{ repository }}"
-
-- name: "(Install: Debian/Ubuntu) Install NGINX"
- apt:
- name: "nginx{{ nginx_version | default('') }}"
- state: "{{ nginx_state }}"
- notify: "(Handler: All OSs) Start NGINX"
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml
deleted file mode 100644
index 45b19b4..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: "(Install: CentOS/RedHat) Set Default YUM NGINX Repository"
- set_fact:
- default_repository: >-
- https://nginx.org/packages/{{ (nginx_branch == 'mainline')
- | ternary('mainline/', '') }}{{ (ansible_distribution == "RedHat")
- | ternary('rhel', 'centos') }}/{{ ansible_distribution_major_version }}/$basearch/
-
-- name: "(Install: CentOS/RedHat) Set YUM NGINX Repository"
- set_fact:
- repository: "{{ nginx_repository | default(default_repository) }}"
-
-- name: "(Install: CentOS/RedHat) Add NGINX Repository"
- yum_repository:
- name: nginx
- baseurl: "{{ repository }}"
- description: NGINX Repository
- enabled: yes
- gpgcheck: yes
-
-- name: "(Install: CentOS/RedHat) Install Required CentOS/RedHat Dependencies"
- yum:
- name: openssl
-
-- name: "(Install: CentOS/RedHat) Install NGINX"
- yum:
- name: "nginx{{ nginx_version | default('') }}"
- state: "{{ nginx_state }}"
- disablerepo: "*"
- enablerepo: "nginx"
- notify: "(Handler: All OSs) Start NGINX"
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml
deleted file mode 100644
index f194daf..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml
+++ /dev/null
@@ -1,437 +0,0 @@ ---- -- name: "(Install: Linux) Check for build tools" - when: nginx_install_source_build_tools - block: - - - name: "(Install: Linux) Install Python - Centos/RHEL" - package: - name: - - python3 - - python3-pip - - python3-devel - state: present - when: ansible_os_family == "RedHat" - - - name: "(Install: Linux) Set Python3 default - Centos/RHEL" - alternatives: - name: python - path: /usr/bin/python3 - link: /usr/bin/python - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "8" - - - name: "(Install: Linux) Install Build Tools - Centos/RHEL" - package: - name: - - "@Development tools" - - gcc - - glibc - - glibc-common - - gd - - gd-devel - - perl-core - - wget - - ca-certificates - - zlib-devel - state: present - when: ansible_os_family == "RedHat" - - - name: "(Install: Linux) Install backports repo for Buster" - apt_repository: - repo: deb http://ftp.us.debian.org/debian buster-backports main - when: ansible_distribution_release == "buster" - - - name: "(Install: Linux) Install Build Tools - Debian/Ubuntu" - package: - name: - - python-minimal - - build-essential - - perl - - tar - - checkinstall - - zlib1g-dev - - libtemplate-perl - state: present - when: ansible_os_family == "Debian" - - - name: "(Install: Linux) Install Build Tools - Alpine" - package: - name: - - python - - alpine-sdk - - build-base - - git - - wget - - perl - - linux-headers - - tar - - openrc - state: present - when: ansible_os_family == "Alpine" - - - name: "(Install: Linux) Enable openrc - Alpine" - copy: - content: "" - dest: /run/openrc/softlevel - force: no - owner: root - mode: 0644 - when: ansible_os_family == "Alpine" - -- name: "(Install: Linux) Check for Source Installs" - block: - - - name: "(Install: Linux) Check for PCRE Install" - stat: - path: /tmp/{{ pcre_version }} - register: pcre_result - - - name: "(Install: Linux) Check for zlib Install" - stat: - path: /tmp/{{ zlib_version }} - register: zlib_result - - - name: 
"(Install: Linux) Check for openssl Install" - stat: - path: /tmp/{{ openssl_version }} - register: openssl_result - -- name: "(Install: Linux) Install PCRE Dependency: Package: Centos/RHEL" - when: nginx_install_source_pcre and ansible_os_family == "RedHat" - package: - name: pcre-devel - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_pcre and ansible_os_family == "Debian" - package: - name: libpcre3–dev - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Package: Alpine" - when: nginx_install_source_pcre and ansible_os_family == "Alpine" - package: - name: pcre-dev - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Source" - when: not pcre_result.stat.exists and not nginx_install_source_pcre - block: - - - name: "(Install: Linux) Install PCRE Dependency: Download" - get_url: - url: "http://ftp.pcre.org/pub/pcre/{{ pcre_version }}.tar.gz" - dest: "/tmp/{{ pcre_version }}.tar.gz" - register: pcre_source - - - name: "(Install: Linux) Install PCRE Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ pcre_source.dest }}" - register: pcre_source_unpack - - - name: "(Install: Linux) Install PCRE Dependency: Configure" - command: "./configure" - args: - chdir: "/tmp/{{ pcre_version }}" - register: pcre_configure - - - name: "(Install: Linux) Install PCRE Dependency: Install" - make: - chdir: "/tmp/{{ pcre_version }}" - - - name: "(Install: Linux) Install PCRE Dependency: Install" - make: - chdir: "/tmp/{{ pcre_version }}" - target: install - -- name: "(Install: Linux) Install zlib Dependency: Package: Centos/RHEL" - when: nginx_install_source_zlib and ansible_os_family == "RedHat" - package: - name: zlib-devel - state: present - -- name: "(Install: Linux) Install zlib Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_zlib and ansible_os_family == "Debian" - package: - name: zlib1g-dev - state: present - -- name: "(Install: 
Linux) Install zlib Dependency: Package: Alpine" - when: nginx_install_source_zlib and ansible_os_family == "Alpine" - package: - name: zlib-dev - state: present - -- name: "(Install: Linux) Install zlib Dependency: Source" - when: not zlib_result.stat.exists and not nginx_install_source_zlib - block: - - - name: "(Install: Linux) Install zlib Dependency: Download" - get_url: - url: "http://zlib.net/{{ zlib_version }}.tar.gz" - dest: "/tmp/{{ zlib_version }}.tar.gz" - register: zlib_source - - - name: "(Install: Linux) Install zlib Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ zlib_source.dest }}" - register: zlib_source_unpack - - - name: "(Install: Linux) Install zlib Dependency: Configure" - command: "./configure" - args: - chdir: "/tmp/{{ zlib_version }}" - register: zlib_configure - - - name: "(Install: Linux) Install zlib Dependency: Install" - make: - chdir: "/tmp/{{ zlib_version }}" - - - name: "(Install: Linux) Install zlib Dependency: Install" - make: - chdir: "/tmp/{{ zlib_version }}" - target: install - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Centos/RHEL" - when: nginx_install_source_openssl and ansible_os_family == "RedHat" - package: - name: openssl-devel - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_openssl and ansible_os_family == "Debian" - package: - name: libssl-dev - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Alpine" - when: nginx_install_source_openssl and ansible_os_family == "Alpine" - package: - name: openssl-dev - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Source" - when: not openssl_result.stat.exists and not nginx_install_source_openssl - block: - - - name: "(Install: Linux) Install OpenSSL Dependency: Download" - get_url: - url: "http://www.openssl.org/source/{{ openssl_version }}.tar.gz" - dest: "/tmp/{{ openssl_version }}.tar.gz" - register: 
openssl_source - - - name: "(Install: Linux) Install OpenSSL Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ openssl_source.dest }}" - register: openssl_source_unpack - - - name: "(Install: Linux) Install OpenSSL Dependency: Configure" - command: "./config --prefix=/usr" - args: - chdir: "/tmp/{{ openssl_version }}" - register: openssl_configure - - - name: "(Install: Linux) Install OpenSSL Dependency: Make" - make: - chdir: "/tmp/{{ openssl_version }}" - - - name: "(Install: Linux) Install OpenSSL Dependency: Install" - make: - chdir: "/tmp/{{ openssl_version }}" - target: install - -- name: "(Install: Linux) Install NGINX: Get NGINX version" - block: - - - name: "(Install: Linux) Install NGINX: Get NGINX mainline version" - shell: - args: - cmd: curl --stderr - https://trac.nginx.org/nginx/browser | grep release | head -1 | sed -e 's:.*