
update nginx role

les 3 years ago
parent
commit
ebeaf6f533

+ 3 - 3
backup.yml

@@ -1,9 +1,9 @@
 ---
 ## FRONTEND
 - name: Test backup
-  hosts: gancio
+  hosts: mastodon
   roles: ['stable/restic']
   vars:
     restic_databases:
-      - {name: 'gancio', dump_command: sudo -Hiu postgres pg_dump -Fc gancio}
-    restic_folders: ['/srv/gancio/uploads']
+      - {name: 'mastodon', dump_command: sudo -Hiu postgres pg_dump -Fc mastodon}
+    restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production']
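Review bot: The new `restic_folders` entry `/home/mastodon/live/.env.production` puts the application's secret configuration into the backup set, so the restic repository password (and wherever the role stores it) becomes the effective boundary for those secrets; worth confirming the repository is initialized with a strong password kept out of this repo and that the restic tasks never echo it in task output. `/var/lib/redis/dump.rdb` is copied as a plain file while redis may still be rewriting it, so the snapshot can be inconsistent unless a save is forced first — a pre-backup step such as `redis-cli SAVE`, or a dump entry under `restic_databases` if the role supports a command there, would give a stable copy. Minor style point: the database entry is now long enough that block style would read better than the inline flow mapping, e.g. `- name: 'mastodon'` / `  dump_command: sudo -Hiu postgres pg_dump -Fc mastodon`.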

+ 6 - 0
inventory.yml

@@ -1,12 +1,18 @@
 paddone:
   hosts: cisti.pad
 
+nuovo_pad:
+  hosts: cisti.paddone
+
 gancio:
   hosts: cisti.gancio
 
 cicles:
   hosts: cisti.cicles
 
+mastodon:
+  hosts: cisti.mastodon
+
 farma:
   hosts: cisti.farma
 

+ 0 - 0
roles/stable/etherpad/README.md


+ 4 - 0
roles/stable/nginx/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+reverse_services: []
+fpm_services: []
+with_certbot: false
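Review bot: The three new defaults carry no description of the item schema the templates read, so a user of the role has to open the templates to learn that each `fpm_services` entry needs `server_name` and may carry `root`, `proxy_pass`, `custom_config` and `custom_fastcgi_config` (the keys read by fpm_service.conf.j2 in this commit), and that `reverse_services` entries need at least `server_name`. A comment block above each list naming the required and optional keys, with one commented example entry, would make the role usable from the defaults alone. `certbot_email`, which tasks/certbot.yml references, has no default here either; a commented placeholder such as `# certbot_email: <required when with_certbot is true>` would make the requirement visible.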

+ 2 - 1
roles/stable/nginx/tasks/certbot.yml

@@ -18,5 +18,6 @@
 - name: Generate certificate if needed
   become: yes
   command: /snap/bin/certbot --nginx --non-interactive --agree-tos
-      --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
+      --domains {{ fpm_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
+        {{ reverse_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
       --email {{certbot_email}}
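Review bot: The `--domains` argument is now built from two separately joined lists with only whitespace between them, so when both lists are non-empty certbot receives `--domains <fpm names> <reverse names>` and the second group becomes a stray positional argument rather than part of the domain list, and when `fpm_services` is empty the value is an empty string followed by the reverse names. Concatenate the lists before joining, replacing the two added lines with one: `--domains {{ (fpm_services + reverse_services) | map(attribute='server_name') | join(',') }}`. The `command:` value is a multi-line plain scalar, so the continuation lines fold into a single string with single spaces, which is why the gap between the two expressions ends up literal in the command line.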

+ 19 - 3
roles/stable/nginx/tasks/main.yml

@@ -22,7 +22,7 @@
   template:
     src: reverse_proxy.conf.j2
     dest: /etc/nginx/sites-available/{{item.server_name}}.conf
-  loop: "{{ servers }}"
+  loop: "{{ reverse_services }}"
 
 - name: Link NGINX Reverse Proxies
   become: yes
@@ -30,8 +30,24 @@
     src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
     dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
     state: link
-  loop: "{{ servers }}"
-  
+  loop: "{{ reverse_services }}"
+
+- name: Configure FPM Services
+  become: yes
+  template:
+    src: fpm_service.conf.j2
+    dest: /etc/nginx/sites-available/{{item.server_name}}.conf
+  loop: "{{ fpm_services }}"
+
+
+- name: Link NGINX FPM Services
+  become: yes
+  file:
+    src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
+    dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
+    state: link
+  loop: "{{ fpm_services }}"  
+
 - name: Make sure NGINX Service is running
   become: yes
   service:
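Review bot: Both loops render into the same `/etc/nginx/sites-available/{{item.server_name}}.conf` path — the reverse-proxy template task in the preceding hunk and the new `Configure FPM Services` task — so a `server_name` present in both lists is silently overwritten by whichever task runs last, with no error from either. An `assert` task ahead of them, `that: ((reverse_services | map(attribute='server_name') | list) | intersect(fpm_services | map(attribute='server_name') | list)) | length == 0`, would surface the collision. No `notify` is visible on the new template or link tasks, so a changed vhost would not be reloaded until something else restarts nginx; if the role has a reload handler it should be wired here, but the handlers file is outside this commit. The last `loop:` line carries trailing whitespace, and the enclosing "Make sure NGINX Service is running" task continues past the hunk.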

+ 22 - 14
roles/stable/nginx/templates/default.j2

@@ -1,18 +1,26 @@
+# cache
+proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=10g use_temp_path=off;
 
-	# cache
-	proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m	inactive=24h  max_size=10g use_temp_path=off;
+{% if with_certbot -%}
+# redirect all http traffic to https
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	server_name _;
+	return 301 https://$host$request_uri;
+}
+{%- endif %}
 
-	# redirect all http traffic to https
-	server {
-		listen 80 default_server;
-		listen [::]:80 default_server;
-		server_name _;
-		return 301 https://$host$request_uri;
-	}
+server {
+  listen 80;
+  listen [::]:80;
+  server_name _server_name;
+  root /var/www/html;
+}
 
-	# enable proxy websocket
-	map $http_upgrade $connection_upgrade {
-		default upgrade;
-		''      close;
-	}
+# enable proxy websocket
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
 
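Review bot: The new catch-all block uses `server_name _server_name;`, a literal hostname, so it no longer matches arbitrary Host headers as the removed `server_name _;` did; when `with_certbot` is true the redirect block already owns port 80 as `default_server` and this block is unreachable, and when it is false nothing is marked `default_server`, so nginx falls back to the first server block it loads, which may be an application vhost. Making the plain-http catch-all the `else` branch of the same conditional, with `server_name _;` and `default_server`, gives exactly one catch-all per mode. Separately, `proxy_cache_path /tmp` keeps cached responses in the world-writable, reboot-cleared `/tmp`; a dedicated directory such as `/var/cache/nginx` owned by the nginx user is the usual choice and keeps cached content out of a shared directory. The two server blocks also mix tab and space indentation.
```jinja
{% if with_certbot -%}
# … unchanged: https redirect server block …
{%- else %}
# plain http catch-all when certbot is not managing TLS
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	root /var/www/html;
}
{%- endif %}
```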

+ 31 - 0
roles/stable/nginx/templates/fpm_service.conf.j2

@@ -0,0 +1,31 @@
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{item.server_name}};
+  root {{item.root | default('/var/www/html/')}};
+  index index.html index.html index.htm index.php;
+
+  # keepalive_timeout 200;
+  {{item.custom_config | default('') | indent(2)}}
+
+  location / {
+    try_files $uri $uri/ /index.php?$args;
+  }
+
+  location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass {{item.proxy_pass | default('unix:/run/php/php7.3-fpm.sock')}};
+    {{item.custom_fastcgi_config | default('') | indent(2)}}
+  }
+
+  # compression
+  gzip on;
+  gzip_types      text/plain application/xml application/json;
+  gzip_proxied    no-cache no-store private expired auth;
+  gzip_min_length 1000;
+  
+  # cache
+  proxy_cache STATIC;
+}
+
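Review bot: `proxy_cache STATIC;` at the bottom of the new vhost has no effect here: `proxy_cache` only applies to responses obtained through `proxy_pass`, and every dynamic response in this server comes through `fastcgi_pass`, whose counterpart is `fastcgi_cache` with its own `fastcgi_cache_path` zone — drop the directive or define a FastCGI cache explicitly rather than leaving a line that suggests PHP output is cached. The `index` directive lists `index.html` twice; `index index.html index.htm index.php;` is the intended form. The item key `proxy_pass` is consumed by `fastcgi_pass` and its default pins `php7.3-fpm.sock`, so a key named after the directive and a version variable in the default would age better. `custom_config` and `custom_fastcgi_config` are spliced in verbatim, which is fine for playbook-owned variables but deserves a template comment saying they are trusted as-is.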

+ 1 - 1
roles/stable/restic/tasks/main.yml

@@ -73,4 +73,4 @@
     - restic_init.rc != 0
     - not 'config file already exists' in restic_init.stderr
     - not 'config already initialized' in restic_init.stderr
-    - not 'config already exists' in restic_init.stderr
+    - not 'config already exists' in restic_init.stderr