From ebeaf6f533d09e1435ff9e42fc48c851330bae5e Mon Sep 17 00:00:00 2001 From: les Date: Wed, 10 Feb 2021 22:56:05 +0100 Subject: [PATCH] update nginx role --- backup.yml | 6 ++-- inventory.yml | 6 ++++ roles/stable/etherpad/README.md | 0 roles/stable/nginx/defaults/main.yml | 4 +++ roles/stable/nginx/tasks/certbot.yml | 3 +- roles/stable/nginx/tasks/main.yml | 22 ++++++++++-- roles/stable/nginx/templates/default.j2 | 36 +++++++++++-------- .../nginx/templates/fpm_service.conf.j2 | 31 ++++++++++++++++ roles/stable/restic/tasks/main.yml | 2 +- 9 files changed, 88 insertions(+), 22 deletions(-) create mode 100644 roles/stable/etherpad/README.md create mode 100644 roles/stable/nginx/defaults/main.yml create mode 100644 roles/stable/nginx/templates/fpm_service.conf.j2 diff --git a/backup.yml b/backup.yml index ee90b9b..5c0590b 100644 --- a/backup.yml +++ b/backup.yml @@ -1,9 +1,9 @@ --- ## FRONTEND - name: Test backup - hosts: gancio + hosts: mastodon roles: ['stable/restic'] vars: restic_databases: - - {name: 'gancio', dump_command: sudo -Hiu postgres pg_dump -Fc gancio} - restic_folders: ['/srv/gancio/uploads'] \ No newline at end of file + - {name: 'mastodon', dump_command: sudo -Hiu postgres pg_dump -Fc mastodon} + restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production'] \ No newline at end of file diff --git a/inventory.yml b/inventory.yml index f7d3dbc..21f6779 100644 --- a/inventory.yml +++ b/inventory.yml @@ -1,12 +1,18 @@ paddone: hosts: cisti.pad +nuovo_pad: + hosts: cisti.paddone + gancio: hosts: cisti.gancio cicles: hosts: cisti.cicles +mastodon: + hosts: cisti.mastodon + farma: hosts: cisti.farma diff --git a/roles/stable/etherpad/README.md b/roles/stable/etherpad/README.md new file mode 100644 index 0000000..e69de29 diff --git a/roles/stable/nginx/defaults/main.yml b/roles/stable/nginx/defaults/main.yml new file mode 100644 index 0000000..1e61129 --- /dev/null +++ b/roles/stable/nginx/defaults/main.yml 
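Review bot: `/var/lib/redis/dump.rdb` in the new `restic_folders` is copied as a plain file, so the snapshot is only as fresh as Redis's last automatic save and can be much older than the `pg_dump` taken in the same run; trigger `redis-cli save` before the folders are copied (a pre-task, since the role's ordering of dumps and folder copies is not visible here) so the two halves of the backup are consistent. `/home/mastodon/live/.env.production` holds the instance's secret keys and database/SMTP credentials, so whoever holds the restic repository password now holds those too — worth a comment on the play and a check that the repository is not shared with lower-trust hosts. The play is still named `Test backup` although it now targets the `mastodon` host.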
@@ -0,0 +1,4 @@ +--- +reverse_services: [] +fpm_services: [] +with_certbot: false \ No newline at end of file diff --git a/roles/stable/nginx/tasks/certbot.yml b/roles/stable/nginx/tasks/certbot.yml index f2da122..cd00767 100644 --- a/roles/stable/nginx/tasks/certbot.yml +++ b/roles/stable/nginx/tasks/certbot.yml @@ -18,5 +18,6 @@ - name: Generate certificate if needed become: yes command: /snap/bin/certbot --nginx --non-interactive --agree-tos - --domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }} + --domains {{ fpm_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }} + {{ reverse_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }} --email {{certbot_email}} diff --git a/roles/stable/nginx/tasks/main.yml b/roles/stable/nginx/tasks/main.yml index 885d581..c1bb9e7 100644 --- a/roles/stable/nginx/tasks/main.yml +++ b/roles/stable/nginx/tasks/main.yml @@ -22,7 +22,7 @@ template: src: reverse_proxy.conf.j2 dest: /etc/nginx/sites-available/{{item.server_name}}.conf - loop: "{{ servers }}" + loop: "{{ reverse_services }}" - name: Link NGINX Reverse Proxies become: yes @@ -30,8 +30,24 @@ src: "/etc/nginx/sites-available/{{item.server_name}}.conf" dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" state: link - loop: "{{ servers }}" - + loop: "{{ reverse_services }}" + +- name: Configure FPM Services + become: yes + template: + src: fpm_service.conf.j2 + dest: /etc/nginx/sites-available/{{item.server_name}}.conf + loop: "{{ fpm_services }}" + + +- name: Link NGINX FPM Services + become: yes + file: + src: "/etc/nginx/sites-available/{{item.server_name}}.conf" + dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" + state: link + loop: "{{ fpm_services }}" + - name: Make sure NGINX Service is running become: yes service: diff --git a/roles/stable/nginx/templates/default.j2 b/roles/stable/nginx/templates/default.j2 index e288269..5f0a040 100644 
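Review bot: The two `--domains` values on the added lines are separated by whitespace, not a comma: the multi-line plain scalar folds to `--domains a,b c,d --email …`, so when both `fpm_services` and `reverse_services` are non-empty the second list is passed as a stray positional argument and certbot aborts (and when both are empty `--domains` is left without a value). Merge them into one value, e.g. `--domains {{ (fpm_services + reverse_services) | map(attribute='server_name') | join(',') }}`; `map(attribute=…)` also replaces the `items2dict` round-trip that exists only to extract the names. A `when: (fpm_services + reverse_services) | length > 0` guard would skip the task cleanly when a host has no sites. Any existing `when`/`creates` conditions on this task are outside the hunk.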
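Review bot: Both template tasks render to the same `/etc/nginx/sites-available/{{item.server_name}}.conf`, so a `server_name` listed in both `reverse_services` and `fpm_services` is silently overwritten by the later `Configure FPM Services` task; an `assert` that the two name lists are disjoint before rendering would make that an error. Neither the new template task nor `Link NGINX FPM Services` has a `notify:`, and the `Make sure NGINX Service is running` task that follows (its body continues past the hunk) appears only to start the service, so an edited vhost is not picked up until something else reloads nginx — add `notify: reload nginx` to the template tasks with a handler that runs `nginx -t` before the reload. Names removed from either list also leave their symlink in `sites-enabled`; a cleanup step with `state: absent` for stale entries is worth considering. Both new tasks use `become: yes`; `true` is the canonical YAML boolean.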
--- a/roles/stable/nginx/templates/default.j2 +++ b/roles/stable/nginx/templates/default.j2 @@ -1,18 +1,26 @@ +# cache +proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off; - # cache - proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off; +{% if with_certbot -%} +# redirect all http traffic to https +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + return 301 https://$host$request_uri; +} +{%- endif %} - # redirect all http traffic to https - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; - } +server { + listen 80; + listen [::]:80; + server_name _server_name; + root /var/www/html; +} - # enable proxy websocket - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } +# enable proxy websocket +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} diff --git a/roles/stable/nginx/templates/fpm_service.conf.j2 b/roles/stable/nginx/templates/fpm_service.conf.j2 new file mode 100644 index 0000000..0f296e4 --- /dev/null +++ b/roles/stable/nginx/templates/fpm_service.conf.j2 @@ -0,0 +1,31 @@ + +server { + listen 80; + listen [::]:80; + server_name {{item.server_name}}; + root {{item.root | default('/var/www/html/')}}; + index index.html index.html index.htm index.php; + + # keepalive_timeout 200; + {{item.custom_config | default('') | indent(2)}} + + location / { + try_files $uri $uri/ /index.php?$args; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass {{item.proxy_pass | default('unix:/run/php/php7.3-fpm.sock')}}; + {{item.custom_fastcgi_config | default('') | indent(2)}} + } + + # compression + gzip on; + gzip_types text/plain application/xml application/json; + gzip_proxied no-cache no-store private expired auth; + gzip_min_length 1000; + + # cache + proxy_cache STATIC; +} + 
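Review bot: `server_name _server_name;` in the new port-80 block looks like an unfinished placeholder — it only matches a literal Host header of `_server_name`, and when `with_certbot` is true it sits beside the `default_server` redirect block, so the block is dead either way. If the intent is to serve `/var/www/html` only when TLS is not set up, make it the `{% else %}` branch of the `with_certbot` block and give it `server_name _;` with `default_server`. `proxy_cache_path /tmp …` (carried over from the old file) keeps the cache in a world-writable directory that tmp cleaners may prune and where other local users can pre-create the `levels=1:2` subdirectories; `/var/cache/nginx` is the conventional location and is owned by the nginx user. Since the default `with_certbot: false` renders no HTTP→HTTPS redirect at all, a one-line comment in `defaults/main.yml` stating that hosts with TLS must set it would save a silent plaintext default.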
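Review bot: `index index.html index.html index.htm index.php;` lists `index.html` twice; drop the duplicate. `proxy_cache STATIC;` in a block with no `proxy_pass` does nothing, and it makes every FPM vhost fail `nginx -t` on a host where the `STATIC` zone from `default.j2` is not deployed — remove it or keep it next to an actual `proxy_pass`. The template only has `listen 80`, so HTTPS depends on `certbot --nginx` rewriting the rendered file, which the template task overwrites on the next run; unless the certbot task re-installs the certificate every run, the site silently reverts to plaintext, so rendering the 443 listener from the template when `with_certbot` is set is the safer design. `fastcgi_pass {{item.proxy_pass | default('unix:/run/php/php7.3-fpm.sock')}}` hard-codes the PHP minor version in the default and reuses the name `proxy_pass` for a FastCGI socket; `item.fastcgi_pass` with the socket path as a role variable would read better.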
diff --git a/roles/stable/restic/tasks/main.yml b/roles/stable/restic/tasks/main.yml
index e935d40..5a06926 100644
--- a/roles/stable/restic/tasks/main.yml
+++ b/roles/stable/restic/tasks/main.yml
@@ -73,4 +73,4 @@
 - restic_init.rc != 0
 - not 'config file already exists' in restic_init.stderr
 - not 'config already initialized' in restic_init.stderr
- - not 'config already exists' in restic_init.stderr
\ No newline at end of file
+ - not 'config already exists' in restic_init.stderr