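---
# Install and configure Nginx
#
# Task order matters: the Diffie-Hellman parameters are started in the
# background first, the default key/cert links and site config are put in
# place, the DH job is then awaited, and only after that is the service
# started and the queued handlers flushed.

- name: Install Nginx and its dependencies
  # python3-passlib is needed for htpasswd handling, ssl-cert provides the
  # snakeoil key/certificate used below as Nginx's default pair.
  # One apt transaction instead of three separate ones.
  apt:
    name:
      - python3-passlib
      - ssl-cert
      - nginx-full
    state: present

- name: Create Nginx configuration directories
  # NOTE(review): both directories get the same mode, so the SSL directory is
  # world-traversable; the key link's own permissions are what restrict access
  # to the private key — confirm that is intended.
  file:
    path: "{{ config_dir }}"
    state: directory
    owner: root
    group: www-data
    mode: "0755"
  loop:
    - "{{ nginx_config_dir }}"
    - "{{ nginx_ssl_dir }}"
  loop_control:
    loop_var: config_dir

- name: Generate Diffie-Hellman parameters
  # This can take a long time... So we are doing it in async mode:
  # poll: 0 returns immediately and the job is awaited further down with
  # async_status using the job id registered in nginx_dh.
  openssl_dhparam:
    path: "{{ nginx_ssl_dir }}/dhparam.pem"
    size: "{{ nginx_dhparam_size }}"
    owner: root
    group: www-data
  async: 3600
  poll: 0
  # A fire-and-forget task cannot report a real change status; the outcome is
  # only known once the async_status task below completes.
  changed_when: false
  register: nginx_dh

- name: Use snakoil cert key as Nginx's default private key
  # NOTE(review): the file module follows links by default, so owner/group/mode
  # here may end up applied to /etc/ssl/private/ssl-cert-snakeoil.key rather
  # than to the link itself — confirm the resulting permissions on the key.
  file:
    src: "/etc/ssl/private/ssl-cert-snakeoil.key"
    path: "{{ nginx_ssl_dir }}/nginx.key"
    state: link
    owner: root
    group: www-data
    mode: "0750"
    force: true

- name: Use snakoil cert as Nginx's default certificate
  file:
    src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    path: "{{ nginx_ssl_dir }}/nginx.crt"
    state: link
    owner: root
    group: www-data
    mode: "0755"
    force: true

- name: Copy default Nginx config
  template:
    src: nginx/default.conf.j2
    dest: /etc/nginx/sites-available/default
    owner: root
    group: www-data
    # A configuration file never needs the execute bit.
    mode: "0644"
  notify: reload nginx

- name: Enable default Nginx config
  file:
    src: /etc/nginx/sites-available/default
    path: /etc/nginx/sites-enabled/default
    state: link
    owner: root
    group: www-data
    mode: "0755"
  notify: reload nginx

- name: Allow default Nginx ports
  # "Nginx Full" is a ufw application profile name, not a port number.
  ufw:
    rule: allow
    name: "Nginx Full"

- name: Waiting for Diffie-Hellman task to complete…
  # The wait budget (retries × delay) matches the async budget of 3600s above,
  # so the play does not give up on a job that is still allowed to run.
  async_status:
    jid: "{{ nginx_dh.ansible_job_id }}"
  register: nginx_dh_job
  retries: 120
  delay: 30 # will retry every 30s for 60min (120 retries)
  until: nginx_dh_job.finished

- name: Start Nginx server
  service:
    name: nginx
    state: started
    enabled: true
  register: nginx_started

- name: "Trigger Nginx handlers"
  # Run the queued "reload nginx" handlers now instead of at the end of the play.
  meta: flush_handlers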