From a10a0a3f06f514e4e7968b1b8db37342211979a7 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Mon, 15 Jun 2020 23:25:16 -0500
Subject: Added stream support to nginx configs.

---
 nginx/defaults/main.yaml | 13 +++----
 nginx/files/nginx.conf | 91 ++++++++++++++++++++++++++++++++++++++++++++++++
 nginx/tasks/main.yaml | 37 +++++++++++---------
 3 files changed, 117 insertions(+), 24 deletions(-)
 create mode 100644 nginx/files/nginx.conf
(limited to 'nginx')
diff --git a/nginx/defaults/main.yaml b/nginx/defaults/main.yaml
index c0db79d..b1964ee 100644
--- a/nginx/defaults/main.yaml
+++ b/nginx/defaults/main.yaml
@@ -1,10 +1,7 @@
 ---
-nginx_port: 80
-nginx_ssl_port: 443
-nginx_ssl_cert: "/etc/letsencrypt/live/{{nginx_server_name}}/fullchain.pem"
-nginx_ssl_privkey: "/etc/letsencrypt/live/{{nginx_server_name}}/privkey.pem"
-nginx_enable_certbot: No
-nginx_server_name: "{{ansible_host}}"
-nginx_conf_dst: "{{nginx_server_name}}.nginx.conf"
-nginx_admin_email: "admin@{{nginx_server_name}}"
+nginx_conf_src: "files/{{nginx_server_name}}/nginx.conf.j2"
+nginx_root_src: "files/{{nginx_server_name}}/root"
+nginx_root_dest: "/var/www/{{nginx_server_name}}"
+nginx_server_type: "site"
+nginx_root: false
diff --git a/nginx/files/nginx.conf b/nginx/files/nginx.conf
new file mode 100644
index 0000000..2f7cb0a
--- /dev/null
+++ b/nginx/files/nginx.conf
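Review bot: The default for `nginx_server_name` is removed here, yet the three new `nginx_conf_src`/`nginx_root_src`/`nginx_root_dest` values and the `make config available` and `enable config` tasks in nginx/tasks/main.yaml still interpolate it, so the role now fails with an undefined-variable error unless every playbook sets it. If requiring the caller to supply it is intentional, say so where the old default was, e.g. `# nginx_server_name must be set by the playbook; there is no default`. `nginx_server_type` is spliced into filesystem paths (`/etc/nginx/{{nginx_server_type}}s-available/...`) with nothing restricting it to the two values the role creates directories for, so a typo yields a stray directory and a config nginx never includes; an `assert` on `nginx_server_type in ["site", "stream"]` at the top of tasks/main.yaml would turn that into a clear failure.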
@@ -0,0 +1,91 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ include /etc/nginx/streams-enabled/*;
+}
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/nginx/tasks/main.yaml b/nginx/tasks/main.yaml
index 5cace24..846650d 100644
--- a/nginx/tasks/main.yaml
+++ b/nginx/tasks/main.yaml
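Review bot: `# server_tokens off;` is still commented out in the `http {}` block, so the nginx version keeps being advertised in the `Server` header and on error pages; since this file replaces the distro `nginx.conf` wholesale, this is the place to enable it: `server_tokens off;`. The new `stream {}` block only parses when the stream module is loaded, which the `include /etc/nginx/modules-enabled/*.conf;` at the top provides only if the installed package ships that module — I can't tell from this patch which nginx variant the `apt: name="nginx"` task pulls in, so a config-test step before the restart handler is worth having. The commented-out `#mail {}` sample is dead weight carried over from the distro file and could be dropped to keep the managed config to what the role actually configures.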
@@ -1,39 +1,44 @@
 ---
-- name: install nginx packages
+- name: apt install nginx
 become: yes
 apt: name="nginx"
 
-- name: install site
+- name: disable default site
 become: yes
- template: src="{{nginx_conf_src}}" dest="/etc/nginx/sites-available/{{nginx_conf_dst}}"
- notify: restart nginx
+ file: path="/etc/nginx/sites-enabled/default" state="absent"
 
-- name: install nginx packages
+- name: install base config
 become: yes
- apt: name="python-certbot-nginx"
+ copy: src="nginx.conf" dest="/etc/nginx/nginx.conf"
 notify: restart nginx
- when: nginx_enable_certbot
 
-- name: install certbot in nginx
+- name: make stream dirs
 become: yes
- command: "certbot certonly --nginx -n --agree-tos -d {{nginx_server_name}} -m {{nginx_admin_email}}"
- changed_when: false
- when: nginx_enable_certbot
+ file: path="/etc/nginx/streams-{{item}}" state="directory"
+ loop: ["available", "enabled"]
 
-- name: disable default site
+- name: make config available
 become: yes
- file: path="/etc/nginx/sites-enabled/default" state="absent"
+ template:
+ src: "{{nginx_conf_src}}"
+ dest: "/etc/nginx/{{nginx_server_type}}s-available/{{nginx_server_name}}.conf"
 notify: restart nginx
 
-- name: enable site
+- name: enable config
 become: yes
 file:
- src: "/etc/nginx/sites-available/{{nginx_conf_dst}}"
- dest: "/etc/nginx/sites-enabled/{{nginx_conf_dst}}"
+ src: "/etc/nginx/{{nginx_server_type}}s-available/{{nginx_server_name}}.conf"
+ dest: "/etc/nginx/{{nginx_server_type}}s-enabled/{{nginx_server_name}}.conf"
 state: "link"
 notify: restart nginx
 
+- name: copy root files
+ become: yes
+ copy: src="{{nginx_root_src}}" dest="{{nginx_root_dest}}/"
+ when: nginx_root
+ notify: restart nginx
+
 - name: enable nginx service
 become: yes
 systemd: name="nginx" enabled="yes" state="started"
-- cgit v1.2.3
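Review bot: `install base config` overwrites the server-wide `/etc/nginx/nginx.conf` and notifies `restart nginx` with no syntax check, so a broken file (or a `stream {}` block on a build without the stream module) is installed and the restart handler leaves nginx down; add `validate="nginx -t -c %s"` to that `copy` task (the per-site `template` in `make config available` cannot be validated the same way, since it is only a fragment of the full config). `disable default site` lost the `notify: restart nginx` the old task had, so removing the default symlink on its own no longer restarts nginx and the default site keeps being served until another task notifies. In `copy root files`, `src` has no trailing slash, so Ansible places the `root` directory itself under `nginx_root_dest` (i.e. `/var/www/<name>/root/`) — confirm that matches the `root` directive in the site template, which is not in this patch; the task also sets no `owner`/`mode`, and a restart is not needed for static-content changes, so dropping that `notify` avoids a pointless outage on every content push. The `restart nginx` handler is defined outside this hunk.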