initial commit of files

bytepark · Dec 18, 2018 · e5bf8a1 · e5bf8a1
1 parent 3c49c66
commit e5bf8a1
Show file tree

Hide file tree

Showing 10 changed files with 498 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.idea
+
diff --git a/README.md b/README.md
@@ -0,0 +1,67 @@
+ansible-nginx
+=========
+
+Ansible role to install and configure NGINX
+
+Requirements
+------------
+
+No further requirements besides bash.
+
+Role Variables
+--------------
+Variable defaults
+
+```
+# repo url - either deb or ppa (e.g "ppa:bytepark/nginx-mainline")
+nginx_repo: "deb https://nginx.org/packages/ubuntu/ bionic nginx"
+# repo key - when repo needs signing key (e.g. http://nginx.org/keys/nginx_signing.key) 
+nginx_repo_key: ""
+# package name to install (can allso be nginx-full e.g)
+nginx_package: "nginx"
+
+# list of vhosts with following keys
+#   type                        - static/fastcgi/proxy - which type to use
+#   hostname                    - main server name
+#   additional_server_names     - alias domains
+#   is_default                  - whether this vhost is the default listener
+#   docroot                     - document root for vhost
+#   logfile_separate            - true/false - for separate log file for this vhost
+#   logfile_format              - name of a different logfile format defined in nginx.conf 
+#   enable_ssl                  - true/false - whether to enable SSL
+#   cache_enable                - true/false - whether to enable caching (fastcgi/proxy only)
+#   cache_time                  - e.g. 30s - how long to cache valid responses
+#   enable_websocket            - true/false - for proxy setups, enable websocket listening
+nginx_vhosts: []
+
+#   nginx_ssl_type              - modern/intermediate - cipher config from mozilla server configurator
+nginx_ssl_type: "modern"
+#   nginx_enable_hsts           - whether to enable HSTS
+nginx_enable_hsts: false        
+
+nginx_dhparam_path: "/etc/ssl/dhparam.pem"
+nginx_dhparam_encryption_size: 2048
+
+```
+
+Dependencies
+------------
+
+No dependencies.
+
+Example Playbook
+----------------
+
+    - hosts: servers
+      roles:
+         - { role: bytepark.nginx }
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+bytepark / 2018.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+# repo url - either deb or ppa (e.g "ppa:bytepark/nginx-mainline")
+nginx_repo: "deb https://nginx.org/packages/ubuntu/ bionic nginx"
+# repo key - when repo needs signing key (e.g. http://nginx.org/keys/nginx_signing.key)
+nginx_repo_key: ""
+# package name to install (can allso be nginx-full e.g)
+nginx_package: "nginx"
+
+# list of vhosts with following keys
+#   type                        - static/fastcgi/proxy - which type to use
+#   hostname                    - main server name
+#   additional_server_names     - alias domains
+#   is_default                  - whether this vhost is the default listener
+#   docroot                     - document root for vhost
+#   logfile_separate            - true/false - for separate log file for this vhost
+#   logfile_format              - name of a different logfile format defined in nginx.conf
+#   enable_ssl                  - true/false - whether to enable SSL
+#   cache_enable                - true/false - whether to enable caching (fastcgi/proxy only)
+#   cache_time                  - e.g. 30s - how long to cache valid responses
+#   enable_websocket            - true/false - for proxy setups, enable websocket listening
+nginx_vhosts: []
+
+#   nginx_ssl_type              - modern/intermediate - cipher config from mozilla server configurator
+nginx_ssl_type: "modern"
+#   nginx_enable_hsts           - whether to enable HSTS
+nginx_enable_hsts: false
+
+nginx_dhparam_path: "/etc/ssl/dhparam.pem"
+nginx_dhparam_encryption_size: 2048
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# nginx handlers
+- name: restart nginx
+  service: name=nginx enabled=yes state=restarted
+
+- name: reload nginx
+  service: name=nginx state=reloaded
diff --git a/meta/main.yml b/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+  role_name: nginx
+  author: Dev Team
+  description: Ansible Role to install and configure nginx
+  company: bytepark GmbH
+
+  license: license (MIT)
+
+  min_ansible_version: 2.4
+
+  platforms:
+   - name: Ubuntu
+     versions:
+     - xenial
+     - bionic
+
+  galaxy_tags:
+    - web
+    - server
+    - dehydrated
+    - ssl
+    - letsencrypt
+
+dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -0,0 +1,89 @@
+---
+# nginx provisioning
+
+- name: "[NGINX] Add Signing Key"
+  apt_key:
+    url: "{{ nginx_repo_key }}"
+  when: nginx_repo_key is defined
+
+- name: "[NGINX] Add repo to sources list"
+  apt_repository:
+    repo: "{{nginx_repo}}"
+    state: present
+
+- name: "[NGINX] Install Nginx"
+  apt:
+    update_cache: yes
+    name: '{{nginx_package}}'
+    state: present
+
+- name: "[NGINX Secure] | Generate dhparam file"
+  command: openssl dhparam -out {{nginx_dhparam_path}} {{nginx_dhparam_encryption_size | 2048}}
+  args:
+    creates: "{{nginx_dhparam_path}}"
+  when: nginx_dhparam_path is defined and nginx_dhparam_path
+  notify:
+    - reload nginx
+
+- name: Create auth directory
+  file:
+    path:  "/etc/nginx/auth"
+    state: directory
+
+- name: "[NGINX] Create http basic auth files"
+  copy:
+    content: "{{ item.auth }}"
+    dest: "{{ item.auth_basic_file }}"
+  when: item.auth is defined and item.auth_basic_file is defined
+  with_items:
+    - "{{ nginx_vhosts | default([]) }}"
+
+- name: "[NGINX] Copy secure.conf"
+  template:
+    src: "secure.conf.j2"
+    dest: "/etc/nginx/secure.conf"
+    mode: 0644
+  notify:
+  - reload nginx
+
+- name: "[NGINX] Copy pagespeed.conf"
+  template:
+    src: "pagespeed.conf.j2"
+    dest: "/etc/nginx/pagespeed.conf"
+    mode: 0644
+  notify:
+    - reload nginx
+
+- name: "[NGINX] Copy nginx.conf"
+  template:
+    src: "nginx.conf.j2"
+    dest: "/etc/nginx/nginx.conf"
+    mode: 0644
+  notify:
+    - reload nginx
+
+- name: "[NGINX] Disable the default site"
+  file:
+    path: "/etc/nginx/conf.d/default.conf"
+    state: absent
+  notify:
+    - reload nginx
+
+- name: "[NGINX] Check and setup doc roots"
+  when: item.docroot is defined
+  file:
+    path:  "{{ item.docroot }}/app/web"
+    state: directory
+  with_items:
+    - "{{ nginx_vhosts | default([]) }}"
+
+- name: "[NGINX] Create the configuration file for vHosts"
+  when: nginx_vhosts is defined
+  template:
+    src: "vhost.conf.j2"
+    dest: /etc/nginx/conf.d/{{ item.hostname }}.conf
+    mode: 0644
+  with_items:
+    - "{{ nginx_vhosts }}"
+  notify:
+    - reload nginx
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
@@ -0,0 +1,67 @@
+# {{ ansible_managed }}
+user www-data;
+worker_processes 2;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    use epoll;
+    # multi_accept on;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+
+    sendfile off;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+    proxy_hide_header X-Powered-By;
+
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Cache Settings
+    ##
+    proxy_cache_path /dev/shm/nginx keys_zone=cache:10m levels=1:2 inactive=600s max_size=100m;
+    proxy_cache_key $host:$server_port$uri$is_args$args;
+    proxy_ignore_headers "Cache-Control";
+    proxy_ignore_headers "Expires";
+
+    ##
+    # Logging Settings
+    ##
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    log_format bytepark '$remote_addr - $remote_user [$time_local]  $status "$request" $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for" $scheme $host cache:$upstream_cache_status $request_time';
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+    include /etc/nginx/secure.conf;
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
diff --git a/templates/pagespeed.conf.j2 b/templates/pagespeed.conf.j2
@@ -0,0 +1,6 @@
+location ~* \.(?:ico|css|application/javascript|gif|jpe?g|png|js|svg|woff|ttf|otf|woff2)$ {
+    expires 365d;
+    access_log off;
+    add_header Cache-Control "public";
+    add_header X-Cache $upstream_cache_status;
+}
diff --git a/templates/secure.conf.j2 b/templates/secure.conf.j2
@@ -0,0 +1,38 @@
+# {{ ansible_managed }}
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# modern configuration. tweak to your needs.
+{% if nginx_ssl_type == "modern" %}
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+{% endif %}
+{% if nginx_ssl_type== "intermediate" %}
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+{% endif %}
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 1d;
+{% if nginx_enable_hsts %}
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+{% endif %}
+
+# OCSP Stapling ---
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# OpenDNS
+resolver 1.1.1.1;
+
+# unique dhparam generated with ansible playbook
+# https://gist.github.com/plentz/6737338
+ssl_dhparam {{nginx_dhparam_path}};
+
+# add Security Headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Xss-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "same-origin";