--- /dev/null
+---
+
+- name: restart nginx
+ sudo: yes
+ action: service name=nginx state=restarted enabled=yes
--- /dev/null
+---
+- name: ensure sites-available for nginx
+ file:
+ path: /etc/nginx/sites-available
+ state: directory
+ sudo: true
+
+- name: ensure there is an nginx user
+ user:
+ name: nginx
+ comment: "Nginx user"
+ sudo: true
+
+- name: ensure sites-enable for nginx
+ file:
+ path: /etc/nginx/sites-enabled
+ state: directory
+ sudo: true
+
+- name: remove default nginx site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ sudo: true
+
+- name: write nginx.conf
+ template:
+ src: ../templates/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ sudo: true
+
+- name: enable nginx
+ sudo: true
+ service:
+ name: nginx
+ enabled: true
+
+- name: ensure ssl certs directory
+ file:
+ dest: /etc/ssl/certs
+ state: directory
+ sudo: true
+
+- name: ensure ssl private directory
+ file:
+ dest: /etc/ssl/private
+ state: directory
+ sudo: true
+
+- name: check for SSL cert
+ stat:
+ path: /etc/ssl/certs/{{ fqdn }}-bundled.crt
+ ignore_errors: true
+ register: ssl_cert
+
+- name: create self-signed SSL cert
+ command: openssl req -new -nodes -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN={{ app_name }}" -days 3650 -keyout /etc/ssl/private/{{ fqdn }}.key -out /etc/ssl/certs/{{ fqdn }}-bundled.crt -extensions v3_ca creates=/etc/nginx/ssl/{{ fqdn }}-bundled.crt
+ when: development_server and ssl_cert.stat.exists == false
+ sudo: true
+ notify: restart nginx
+
+- name: make sure permissions are correct for crt
+ file:
+ path: /etc/ssl/certs/{{ fqdn }}-bundled.crt
+ mode: 0777
+ when: development_server
+ sudo: true
+
+- name: ensure nginx is restarted
+ sudo: true
+ service:
+ name: nginx
+ state: restarted
--- /dev/null
+# {{ ansible_managed }}
+user nginx;
+worker_processes 20;
+worker_rlimit_nofile 8192;
+
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ #sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # If HTTPS, then set a variable so it can be passed along.
+ ##
+
+ map $scheme $server_https {
+ default off;
+ https on;
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
--- /dev/null
+server {
+ listen 443 default_server ssl;
+ server_name {{ fqdn }};
+
+ ssl_certificate /etc/ssl/certs/{{ fqdn }}-bundled.crt;
+ ssl_certificate_key /etc/ssl/private/{{ fqdn }}.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ access_log /var/log/nginx/{{ app_name }}-access.log;
+ error_log /var/log/nginx/{{ app_name }}-error.log;
+
+ # Some binaries are gigantic
+ client_max_body_size 2048m;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:8000;
+ proxy_read_timeout 500;
+ }
+
+}
projects / ceph-build.git / commitdiff