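---
# Probe whether nginx-full is already installed. The result is registered as
# `nginx` and later tasks use `nginx is failed` to mean "first install".
# `command` is sufficient here (no pipes, globbing or variable expansion), so
# the task is not routed through a shell; `changed_when: false` keeps this
# read-only check from reporting a change on every run. `ignore_errors` (not
# `failed_when`) is deliberate: the registered `failed` state is the signal.
- name: Nginx already installed ?
  ansible.builtin.command: dpkg-query -W 'nginx-full'
  register: nginx
  changed_when: false
  ignore_errors: true
  tags:
    - install
    - reconfigure
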
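# Refresh the apt cache on first install only (`nginx` is the registered probe
# from the previous task). Module args are written as a block mapping rather
# than a `key=value` string.
- name: update apt-cache
  ansible.builtin.apt:
    update_cache: true
  when: nginx is failed
  tags:
    - install
    - reconfigure
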
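# Install apt-transport-https (block-style args instead of a `key=value`
# string). `state: latest` is kept from the original: it upgrades the package
# on every run, so `present` would be the idempotent choice if that is not
# intended. NOTE(review): on releases where apt itself already supports
# HTTPS this package is transitional and may no longer be needed — confirm
# against the target distributions.
- name: Update repositories cache and install package
  ansible.builtin.apt:
    name: apt-transport-https
    state: latest
    update_cache: true
  tags:
    - install
    - reconfigure
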
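# Install nginx, its module packages and the build/runtime dependencies in one
# apt transaction: the apt module accepts a list for `name`, which is faster
# and gives a single resolver run instead of a `with_items` loop with one
# transaction per package. `state: latest` is kept from the original (it
# upgrades on every run). The python3/gcc/augeas/libssl/libffi entries are
# presumably the build dependencies of a certbot install done elsewhere
# (/var/www/letsencrypt is created later) — TODO confirm.
- name: Install Nginx and dependencies
  ansible.builtin.apt:
    name:
      - nginx-full
      - libnginx-mod-http-headers-more-filter
      - libnginx-mod-http-cache-purge
      - libnginx-mod-http-uploadprogress
      - libnginx-mod-stream
      - python3
      - python3-dev
      - gcc
      - dialog
      - libaugeas0
      - augeas-lenses
      - libssl-dev
      - libffi-dev
      - ca-certificates
      - python3-pip
      - python3-virtualenv
      - git
      - libpython3-dev
      - zlib1g-dev
    state: latest
    update_cache: true
  tags:
    - install
    - reconfigure
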
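# Optional brotli modules, installed in a single apt transaction (list passed
# to `name` instead of a `with_items` loop). Enabled by defining
# `nginx_brotli`; note the test is "is defined", so `nginx_brotli: false`
# still installs the packages.
- name: Install Nginx brotli and dependencies
  ansible.builtin.apt:
    name:
      - libnginx-mod-http-brotli-static
      - libnginx-mod-http-brotli-filter
    state: latest
    update_cache: true
  when: nginx_brotli is defined
  tags:
    - install
    - reconfigure
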
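# Optional ModSecurity (libmodsecurity3 + nginx connector + OWASP CRS rules),
# installed in a single apt transaction. Enabled by defining
# `nginx_modsecurity`; as with brotli, the test is "is defined", so
# `nginx_modsecurity: false` still installs the packages.
- name: Install Nginx modsecurity and dependencies
  ansible.builtin.apt:
    name:
      - libmodsecurity3
      - libnginx-mod-http-modsecurity
      - modsecurity-crs
    state: latest
    update_cache: true
  when: nginx_modsecurity is defined
  tags:
    - install
    - reconfigure
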
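# Directory for dhparam.pem (next task) and presumably TLS private keys.
# Owner/group/mode are set explicitly so the directory does not end up with
# the default umask permissions: nginx's master process reads key material as
# root, so root-only access is sufficient for it to work.
- name: Creates directory
  ansible.builtin.file:
    path: /etc/nginx/ssl/private
    state: directory
    owner: root
    group: root
    mode: '0700'
  when: nginx is failed
  tags:
    - install
    - reconfigure
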
# Generate 4096-bit Diffie-Hellman parameters on first install, unless SSL is
# explicitly disabled via `nginx_disable_ssl`. Generating 4096-bit parameters
# takes several minutes on most hosts; the `nginx is failed` condition keeps
# that cost off reconfigure runs.
- name: Generate dhparam 4096
  community.crypto.openssl_dhparam:
    size: 4096
    path: /etc/nginx/ssl/private/dhparam.pem
  when:
    - nginx is failed
    # Runs when the variable is absent, or present and exactly `false`.
    - nginx_disable_ssl is not defined or nginx_disable_ssl is false
  tags:
    - install
    - reconfigure

# Ensure the directory layout used by the configuration tasks below exists
# (runs on every install/reconfigure). Parents are created as needed, and
# existing directories keep their current owner and mode since none is given.
- name: Create folder
  ansible.builtin.file:
    state: directory
    path: '{{ item }}'
  loop:
    - /var/www/letsencrypt
    - /var/log/archive-nginx
    - /etc/nginx/conf
    - /etc/nginx/html
    - /etc/nginx/ssl
    - /etc/nginx/modules-available
    - /etc/nginx/modules-enabled
    - /etc/nginx/ssl/private/
    - /var/www/html/
    - /var/www/html/errors
  tags:
    - install
    - reconfigure

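# Remove the Debian-packaged nginx configuration files that this role replaces
# with its own copies under /etc/nginx/conf. Files that a later task in this
# file rewrites unconditionally (/etc/nginx/nginx.conf and
# /etc/nginx/sites-available/default via `template`, /etc/logrotate.d/nginx
# via `copy`) are intentionally not listed here: deleting them first only made
# every run report two changes per file and left a window with no nginx.conf
# on disk, while the end state is the same because those tasks overwrite the
# destination regardless of whether it exists.
- name: Remove official default configuration
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/nginx/fastcgi.conf
    - /etc/nginx/koi-utf
    - /etc/nginx/koi-win
    - /etc/nginx/mime.types
    - /etc/nginx/proxy_params
    - /etc/nginx/scgi_params
    - /etc/nginx/snippets
    - /etc/nginx/uwsgi_params
    - /etc/nginx/win-utf
  tags:
    - install
    - reconfigure
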
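# Copy the role's static configuration and HTML files. The loop items are
# written as block mappings (one src/dest pair per entry) instead of quoted
# flow mappings. Everything is installed root:root 0640; nginx's master
# process reads configuration as root, so that is fine for the files under
# /etc/nginx/conf and /etc/nginx/conf.d.
# NOTE(review): the HTML files (/etc/nginx/html/*.html, /var/www/html/index.html)
# are served by the worker processes, not the master; if nginx.conf.j2 sets
# `user www-data` (as the www-data-owned error pages further down suggest),
# root:root 0640 makes them unreadable to the workers — confirm and, if so,
# give them the same owner/group as the error pages.
# NOTE(review): 'etc/nginx/conf/scgi_params' is copied twice, to scgi_params
# and to scgi_vars — confirm the second destination is intended.
- name: "Add Dryusdan's configuration"
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: '0640'
  loop:
    - src: etc/logrotate.d/nginx
      dest: /etc/logrotate.d/nginx
    - src: etc/nginx/html/index.html
      dest: /etc/nginx/html/index.html
    - src: etc/nginx/html/50x.html
      dest: /etc/nginx/html/50x.html
    - src: etc/nginx/conf.d/blacklist
      dest: /etc/nginx/conf.d/blacklist
    - src: etc/nginx/conf.d/headers.conf
      dest: /etc/nginx/conf.d/headers.conf
    - src: etc/nginx/conf.d/hsts.conf
      dest: /etc/nginx/conf.d/hsts.conf
    - src: etc/nginx/conf.d/proxy.conf
      dest: /etc/nginx/conf.d/proxy.conf
    - src: etc/nginx/conf.d/ssl.conf
      dest: /etc/nginx/conf.d/ssl.conf
    - src: etc/nginx/conf/fastcgi.conf
      dest: /etc/nginx/conf/fastcgi.conf
    - src: etc/nginx/conf/fastcgi_params
      dest: /etc/nginx/conf/fastcgi_params
    - src: etc/nginx/conf/koi-utf
      dest: /etc/nginx/conf/koi-utf
    - src: etc/nginx/conf/koi-win
      dest: /etc/nginx/conf/koi-win
    - src: etc/nginx/conf/mime.types
      dest: /etc/nginx/conf/mime.types
    - src: etc/nginx/conf/scgi_params
      dest: /etc/nginx/conf/scgi_params
    - src: etc/nginx/conf/scgi_params
      dest: /etc/nginx/conf/scgi_vars
    - src: etc/nginx/conf/uwsgi_params
      dest: /etc/nginx/conf/uwsgi_params
    - src: etc/nginx/conf/win-utf
      dest: /etc/nginx/conf/win-utf
    - src: html/index.html
      dest: /var/www/html/index.html
  tags:
    - install
    - reconfigure
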
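# Remove files that earlier versions of this role installed. With
# `state: absent` the file module only deletes, so the owner/group/mode
# attributes the original carried had no effect and are dropped. The systemd
# unit override is picked up by the daemon-reload task at the end of this file.
- name: "Remove legacy Dryusdan's configuration"
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/systemd/system/nginx.service
    - /etc/nginx/conf/nginx.conf
  tags:
    - install
    - reconfigure
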
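# Render the main nginx.conf, the default site and the OCSP stapling snippet.
# `mode` is quoted: an unquoted `0640` only works because YAML 1.1 happens to
# read the leading zero as octal; quoting makes the intent explicit and
# matches the other file tasks in this file.
- name: Add templated configuration
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: '0640'
  loop:
    - src: default.j2
      dest: /etc/nginx/sites-available/default
    - src: ocsp.conf.j2
      dest: /etc/nginx/conf.d/ocsp.conf
    - src: nginx.conf.j2
      dest: /etc/nginx/nginx.conf
  tags:
    - install
    - reconfigure
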
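# Render the ModSecurity engine configuration, the include list and the CRS
# loader, only when `nginx_modsecurity` is defined (same switch as the package
# install above). `mode` is quoted for the same reason as in the previous task.
# NOTE(review): /usr/share/modsecurity-crs/owasp-crs.load lives in the
# modsecurity-crs package's directory; a package upgrade may overwrite it or
# conflict with it — confirm whether a path under /etc/nginx would be safer.
- name: Add modsecs templated configuration
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: '0640'
  loop:
    - src: modsecurity.conf.j2
      dest: /etc/nginx/modsecurity.conf
    - src: modsecurity_includes.conf.j2
      dest: /etc/nginx/modsecurity_includes.conf
    - src: owasp-crs.load.j2
      dest: /usr/share/modsecurity-crs/owasp-crs.load
  when: nginx_modsecurity is defined
  tags:
    - install
    - reconfigure
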
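# Install the custom error pages. They are owned by www-data (the account the
# worker processes serve files as) with mode 0640, so the workers can read them.
# Loop items are block mappings instead of quoted flow mappings.
- name: "Add errors html file"
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: www-data
    group: www-data
    mode: '0640'
  loop:
    - src: html/errors/401.html
      dest: /var/www/html/errors/401.html
    - src: html/errors/403.html
      dest: /var/www/html/errors/403.html
    - src: html/errors/502.html
      dest: /var/www/html/errors/502.html
    - src: html/errors/503.html
      dest: /var/www/html/errors/503.html
  tags:
    - install
    - reconfigure
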
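# Reload systemd unit definitions so the removal of the legacy
# /etc/systemd/system/nginx.service override above takes effect. Boolean
# written as `true` rather than the YAML 1.1-only `yes`.
- name: reload systemd
  ansible.builtin.systemd:
    daemon_reload: true
  tags:
    - install
    - reconfigure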