ansible.roles/nginx.role
1
0
Fork 0
Code Issues Pull requests Releases Activity Actions

first commit

Browse source
This commit is contained in:
sujiba 2024-09-17 00:47:41 +02:00
commit 3bfbd3f7f9
10 changed files with 329 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

38
README.md Normal file
View file

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

19
defaults/main.yml Normal file
View file

@ -0,0 +1,19 @@
---
# defaults file for nginx
# homepage:
# name: homepage
# domains:
# - homepage.intern.example.com
# certificate: intern.example.com
# locations:
# Add Multiple locations
# Add a comment above every location block
# - comments:
# location_name:
# protocol: http
# ip: 127.0.0.1
# port: 8080
# path:
# websocket: true
# Add additional nginx settingss
# extra_settings:

12
handlers/main.yml Normal file
View file

@ -0,0 +1,12 @@
---
# handlers file for nginx
- name: Start and enable nginx
ansible.builtin.systemd_service:
name: nginx
state: started
enabled: true
- name: Reload nginx
ansible.builtin.systemd_service:
name: nginx
state: reloaded

52
meta/main.yml Normal file
View file

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

84
tasks/main.yml Normal file
View file

@ -0,0 +1,84 @@
---
# tasks file for nginx
- name: Install nginx
ansible.builtin.apt:
name: nginx
state: present
notify: Start and enable nginx
- name: Remove default from sites-enabled
ansible.builtin.file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: Comment ssl_protocols out in nginx.conf, is defined in security.conf
ansible.builtin.replace:
path: /etc/nginx/nginx.conf
regexp: '^(\s*ssl_protocols)'
replace: '#\1'
- name: Second time, because of emptyline ¯\_(ツ)_/¯
ansible.builtin.replace:
path: /etc/nginx/nginx.conf
regexp: '^(\s*ssl_protocols)'
replace: '#\1'
- name: Comment ssl_prefer_server_ciphers out in nginx.conf, is defined in security.conf
ansible.builtin.replace:
path: /etc/nginx/nginx.conf
regexp: '^(\s*ssl_prefer_server_ciphers)'
replace: '#\1'
- name: Create security.conf
ansible.builtin.template:
src: templates/security.conf.j2
dest: /etc/nginx/conf.d/security.conf
owner: root
group: root
mode: '0644'
notify: Reload nginx
- name: Create proxy_params
ansible.builtin.template:
src: templates/proxy_params.j2
dest: /etc/nginx/proxy_params
owner: root
group: root
mode: '0644'
notify: Reload nginx
- name: Create ws_params
ansible.builtin.template:
src: templates/ws_params.j2
dest: /etc/nginx/ws_params
owner: root
group: root
mode: '0644'
notify: Reload nginx
- name: Configure http redirect
ansible.builtin.template:
src: templates/http_redirect.conf.j2
dest: /etc/nginx/conf.d/http_redirect.conf
owner: root
group: root
mode: '0644'
notify: Reload nginx
- name: Configure reverse proxies
ansible.builtin.template:
src: templates/reverse_proxy.conf.j2
dest: /etc/nginx/sites-available/{{ item.key }}.conf
owner: root
group: root
mode: '0644'
loop: "{{ reverse_proxies | dict2items }}"
notify: Reload nginx
- name: Create a symbolic link
ansible.builtin.file:
src: /etc/nginx/sites-available/{{ item.key }}.conf
dest: /etc/nginx/sites-enabled/{{ item.key }}.conf
state: link
loop: "{{ reverse_proxies | dict2items }}"
notify: Reload nginx

11
templates/http_redirect.conf.j2 Normal file
View file

@ -0,0 +1,11 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}

19
templates/proxy_params.j2 Normal file
View file

@ -0,0 +1,19 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
# Set headers
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{#
# Hide headers
proxy_hide_header Server;
proxy_hide_header X-Powered-By;
proxy_hide_header X-Frame-Options;
proxy_hide_header X-XSS-Protection;
proxy_hide_header Content-Security-Policy;
proxy_hide_header Referrer-Policy;
proxy_hide_header Strict-Transport-Security;
#}

78
templates/reverse_proxy.conf.j2 Normal file
View file

@ -0,0 +1,78 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
# generated 2024-03-26, Mozilla Guideline v5.7, nginx 1.22.1, OpenSSL 3.0.11, modern configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=modern&openssl=3.0.11&guideline=5.7
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.value.domains | join(' ') }};
ssl_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.fullchain;
ssl_certificate_key {{ tls_cert_path }}/{{ item.value.certificate }}.key;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.ca;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# replace with the IP address of your resolver
resolver 127.0.0.1;
# Logs
access_log /var/log/nginx/{{ item.key }}_access.log;
error_log /var/log/nginx/{{ item.key }}_error.log warn;
{% if item.value.sec_headers is not defined or item.value.sec_headers %}
# Additional security headers
# https://developer.mozilla.org/en-US/docs/Web/HTTP
# https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "no-referrer";
add_header X-XSS-Protection "0";
{% endif %}
{% if item.value.no_index is not defined or item.value.no_index %}
# If you don't want to get indexed
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive, noimageindex";
{% endif %}
{% if item.value.enable_csp is defined and item.value.enable_csp %}
add_header Content-Security-Policy "default-src 'self' {{ item.value.certificate }} *.{{ item.value.certificate }};";
{% endif %}
{% for item in item.value.locations %}
{% if item.comments is defined %}
{% for comment in item.comments %}
{{ comment }}
{% endfor %}
{% endif %}
location {% if item.location_name is defined %}{{ item.location_name }}{% else %}/{% endif %} {
{% if item.protocol is defined %}
proxy_pass {{ item.protocol }}://{{ item.ip }}:{{ item.port }}{% if item.path is defined %}/{{ item.path }}{% endif %};
include proxy_params;
{% endif %}
{% if item.websocket is defined and item.websocket %}
include ws_params;
{% endif %}
{% if item.extra_settings is defined %}
{% for extra_setting in item.extra_settings %}
{{ extra_setting }}
{% endfor %}
{% endif %}
}
{% endfor %}
}

10
templates/security.conf.j2 Normal file
View file

@ -0,0 +1,10 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
# Rate limiting
# https://blog.nginx.org/blog/rate-limiting-nginx
# https://www.techgrube.de/news-und-infos/nginx-rate-limiting-einstellungen-und-funktion
limit_req_zone $binary_remote_addr zone=conn_limit:10m rate=5r/s;
# extras
server_tokens off;

6
templates/ws_params.j2 Normal file
View file

@ -0,0 +1,6 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";