nginx/tasks/main.yml


---
- name: Install NGINX
  # python3-cryptography provides the backend the openssl_* tasks further
  # down need; `latest` means both packages are upgraded on every run in
  # which the repository has moved on.
  apt:
    update_cache: true
    name:
      - nginx
      - python3-cryptography
    state: latest
  # apt fails transiently (dpkg lock, mirror hiccup); retry before failing the play.
  register: apt_result
  retries: 3
  until: apt_result is succeeded
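- name: Copy snippets
  template:
    src: "snippets/{{ item }}"
    dest: "/etc/nginx/snippets/{{ item }}"
  loop:
    # NOTE(review): the original comment only said "fix some nginx bug";
    # document what this snippet works around so the next maintainer can
    # tell whether it is still needed.
    - connection_upgrade.conf
  # A changed snippet is only picked up after a reload, and no other task in
  # this file notifies one when the snippet alone changes.
  notify: Reload nginx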
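# Renamed from "Ensure the cert directory exists", which the next task also
# used; duplicate task names make play output and --start-at-task ambiguous.
- name: Ensure the ACME challenge webroot exists
  file:
    # Presumably the directory an http-01 challenge responder writes into;
    # the doubled acme-challenge component looks deliberate — confirm against
    # the ACME client's webroot setting.
    path: /var/www/well-known/acme-challenge/.well-known/acme-challenge
    state: directory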
- name: Ensure the cert directory exists
  # Holds the self-signed placeholder pair plus the per-site .crt/.key
  # symlinks created later in this file. The directory keeps the default
  # mode; the dummy key below is created owner-only on its own.
  file:
    path: /etc/nginx/certs
    state: directory
- name: check if dummy cert exist
  # Result only gates the self-signed block that follows.
  stat:
    path: /etc/nginx/certs/dummy.pem
  register: dummy_cert
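# Self-signed placeholder pair; the per-site .crt/.key links further down
# point at it until a real certificate is installed, so each site's
# configured paths resolve from the first run.
- name: Create a dummy cert
  block:
    - name: Generate private key
      openssl_privatekey:
        path: /etc/nginx/certs/dummy.key
        # Owner read/write only; quoted so the symbolic mode stays a string.
        mode: 'u=rw,g=,o='
        size: 4096
    - name: Generate the signing request
      openssl_csr:
        path: /etc/nginx/certs/dummy.req
        privatekey_path: /etc/nginx/certs/dummy.key
        common_name: dummy
    - name: Sign Cert
      # NOTE(review): openssl_certificate is a deprecated alias in
      # community.crypto (x509_certificate is the current name) — confirm
      # against the collection version in use before switching.
      openssl_certificate:
        path: /etc/nginx/certs/dummy.pem
        privatekey_path: /etc/nginx/certs/dummy.key
        csr_path: /etc/nginx/certs/dummy.req
        provider: selfsigned
  # Whole block is skipped once dummy.pem exists. `not x` replaces
  # `x == False`: same outcome, and comparing to a literal boolean is the
  # usual ansible-lint finding.
  when: not dummy_cert.stat.exists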
- name: Add wasm to mime type
  lineinfile:
    path: /etc/nginx/mime.types
    # regexp matches an existing wasm entry (any indentation) so the task is
    # idempotent; when nothing matches, the line goes in before the closing
    # brace of the types block.
    regexp: '\s*application/wasm\s+wasm;$'
    line: ' application/wasm wasm;'
    insertbefore: '}'
    owner: root
    group: root
    # Quoted: an unquoted 0644 would be read as an octal integer by YAML 1.1 parsers.
    mode: '0644'
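- name: Copy NGINX conf
  template:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    # Syntax-check the rendered file before it replaces the live config, so
    # a bad template fails this task instead of breaking the reload handler
    # (and with it the running server) later.
    validate: 'nginx -t -c %s'
  notify: Reload nginx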
# One server file per entry of http_sites; the dict key becomes the file name.
- name: Copy HTTP Servers
  template:
    src: http_server.j2
    dest: "/etc/nginx/sites-available/{{ item.key }}"
  loop: "{{ http_sites | dict2items}}"
  notify: Reload nginx
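- name: Check which sites already have a certificate in place
  stat:
    path: "/etc/nginx/certs/{{ item.key }}.crt"
  loop: "{{ http_sites | dict2items}}"
  register: site_cert
- name: Use the dummy certificate
  # force=no only refuses to replace a regular file (and the task then fails
  # with an error rather than skipping); a path that is already a symlink to a
  # real certificate would still be re-pointed at the dummy on every run.
  # Gate on the stat result so the link is created only where nothing exists
  # yet, and the real certificate is never swapped back out.
  file:
    src: /etc/nginx/certs/dummy.pem
    dest: "/etc/nginx/certs/{{ item.item.key }}.crt"
    state: link
    force: false
  loop: "{{ site_cert.results }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: not item.stat.exists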
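- name: Check which sites already have a private key in place
  stat:
    path: "/etc/nginx/certs/{{ item.key }}.key"
  loop: "{{ http_sites | dict2items}}"
  register: site_key
- name: Use the dummy key
  # Same pitfall as the certificate link: force=no does not stop an existing
  # symlink from being re-pointed, so a site already linked to its real key
  # would silently fall back to the dummy key. Only create the link where the
  # path is still absent.
  file:
    src: /etc/nginx/certs/dummy.key
    dest: "/etc/nginx/certs/{{ item.item.key }}.key"
    state: link
    force: false
  loop: "{{ site_key.results }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: not item.stat.exists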
- name: Activate sites
  # force=yes lets this replace whatever is at the sites-enabled path, so the
  # link always tracks the managed sites-available file.
  # NOTE(review): entries removed from http_sites are not cleaned out of
  # sites-enabled here; a stale link keeps being served until removed
  # elsewhere — confirm that is handled.
  file:
    src: "/etc/nginx/sites-available/{{ item.key }}"
    dest: "/etc/nginx/sites-enabled/{{ item.key }}"
    state: link
    force: true
  loop: "{{ http_sites | dict2items}}"
  notify: Reload nginx
# HTTP front for the SSL endpoints of the proxied streams, so ACME challenges
# can reach them; one file per ssl_reverse_proxy_upstream entry.
# NOTE(review): nothing in this file links the acme_http_proxy_* files into
# sites-enabled — confirm they are activated (or included) elsewhere, or they
# never take effect.
- name: Copy HTTP Servers allowing ACME challenges with proxy stream
  template:
    src: http_proxy_acme.j2
    dest: "/etc/nginx/sites-available/acme_http_proxy_{{ item.key }}"
  loop: "{{ ssl_reverse_proxy_upstream | dict2items}}"
  notify: Reload nginx