six/infra
1
0
Fork 0
forked from cisti/infra
Code Releases Activity

update nginx role

Browse source
This commit is contained in:
les 2021-02-10 22:56:05 +01:00
parent ee7216929a
commit ebeaf6f533
9 changed files with 88 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
backup.yml
View file

@ -1,9 +1,9 @@
--- ---
## FRONTEND ## FRONTEND
- name: Test backup - name: Test backup
hosts: gancio hosts: mastodon
roles: ['stable/restic'] roles: ['stable/restic']
vars: vars:
restic_databases: restic_databases:
- {name: 'gancio', dump_command: sudo -Hiu postgres pg_dump -Fc gancio} - {name: 'mastodon', dump_command: sudo -Hiu postgres pg_dump -Fc mastodon}
restic_folders: ['/srv/gancio/uploads'] restic_folders: ['/var/lib/redis/dump.rdb','/home/mastodon/live/.env.production']

6
inventory.yml
View file

@ -1,12 +1,18 @@
paddone: paddone:
hosts: cisti.pad hosts: cisti.pad
nuovo_pad:
hosts: cisti.paddone
gancio: gancio:
hosts: cisti.gancio hosts: cisti.gancio
cicles: cicles:
hosts: cisti.cicles hosts: cisti.cicles
mastodon:
hosts: cisti.mastodon
farma: farma:
hosts: cisti.farma hosts: cisti.farma

0
roles/stable/etherpad/README.md Normal file
View file

4
roles/stable/nginx/defaults/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
reverse_services: []
fpm_services: []
with_certbot: false

3
roles/stable/nginx/tasks/certbot.yml
View file

@ -18,5 +18,6 @@
- name: Generate certificate if needed - name: Generate certificate if needed
become: yes become: yes
command: /snap/bin/certbot --nginx --non-interactive --agree-tos command: /snap/bin/certbot --nginx --non-interactive --agree-tos
--domains {{ servers | items2dict(key_name='server_name', value_name='server_name') | join(',') }} --domains {{ fpm_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
{{ reverse_services | items2dict(key_name='server_name', value_name='server_name') | join(',') }}
--email {{certbot_email}} --email {{certbot_email}}

22
roles/stable/nginx/tasks/main.yml
View file

@ -22,7 +22,7 @@
template: template:
src: reverse_proxy.conf.j2 src: reverse_proxy.conf.j2
dest: /etc/nginx/sites-available/{{item.server_name}}.conf dest: /etc/nginx/sites-available/{{item.server_name}}.conf
loop: "{{ servers }}" loop: "{{ reverse_services }}"
- name: Link NGINX Reverse Proxies - name: Link NGINX Reverse Proxies
become: yes become: yes
@ -30,8 +30,24 @@
src: "/etc/nginx/sites-available/{{item.server_name}}.conf" src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf" dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
state: link state: link
loop: "{{ servers }}" loop: "{{ reverse_services }}"
- name: Configure FPM Services
become: yes
template:
src: fpm_service.conf.j2
dest: /etc/nginx/sites-available/{{item.server_name}}.conf
loop: "{{ fpm_services }}"
- name: Link NGINX FPM Services
become: yes
file:
src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
state: link
loop: "{{ fpm_services }}"
- name: Make sure NGINX Service is running - name: Make sure NGINX Service is running
become: yes become: yes
service: service:

36
roles/stable/nginx/templates/default.j2
View file

@ -1,18 +1,26 @@
# cache
proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off;
# cache {% if with_certbot -%}
proxy_cache_path /tmp levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=10g use_temp_path=off; # redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
{%- endif %}
# redirect all http traffic to https server {
server { listen 80;
listen 80 default_server; listen [::]:80;
listen [::]:80 default_server; server_name _server_name;
server_name _; root /var/www/html;
return 301 https://$host$request_uri; }
}
# enable proxy websocket # enable proxy websocket
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }

31
roles/stable/nginx/templates/fpm_service.conf.j2 Normal file
View file

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{item.server_name}};
root {{item.root | default('/var/www/html/')}};
index index.html index.html index.htm index.php;
# keepalive_timeout 200;
{{item.custom_config | default('') | indent(2)}}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass {{item.proxy_pass | default('unix:/run/php/php7.3-fpm.sock')}};
{{item.custom_fastcgi_config | default('') | indent(2)}}
}
# compression
gzip on;
gzip_types text/plain application/xml application/json;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
# cache
proxy_cache STATIC;
}

2
roles/stable/restic/tasks/main.yml
View file

@ -73,4 +73,4 @@
- restic_init.rc != 0 - restic_init.rc != 0
- not 'config file already exists' in restic_init.stderr - not 'config file already exists' in restic_init.stderr
- not 'config already initialized' in restic_init.stderr - not 'config already initialized' in restic_init.stderr
- not 'config already exists' in restic_init.stderr - not 'config already exists' in restic_init.stderr