From 435de160f9ec6600d2803c21fdcbe0ba97d7ec78 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Mon, 20 Jun 2016 15:24:57 -0400
Subject: [PATCH] ansible: create a base nginx role

Signed-off-by: Alfredo Deza
---
 ansible/roles/nginx/handlers/main.yml | 5 ++
 ansible/roles/nginx/tasks/main.yml | 73 +++++++++++++++++++
 ansible/roles/nginx/templates/nginx.conf | 68 +++++++++++++++++
 ansible/roles/nginx/templates/nginx_site.conf | 26 +++++++
 4 files changed, 172 insertions(+)
 create mode 100644 ansible/roles/nginx/handlers/main.yml
 create mode 100644 ansible/roles/nginx/tasks/main.yml
 create mode 100644 ansible/roles/nginx/templates/nginx.conf
 create mode 100644 ansible/roles/nginx/templates/nginx_site.conf

diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml
new file mode 100644
index 00000000..8bddf01d
--- /dev/null
+++ b/ansible/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart nginx
+ sudo: yes
+ action: service name=nginx state=restarted enabled=yes
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 00000000..c2a5df33
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
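Review bot: The "restart nginx" handler is written as the legacy key=value string `action: service name=nginx state=restarted enabled=yes` with `sudo: yes`, while every task in the tasks/main.yml hunk already uses native module blocks, so the role mixes the two styles. The native form also lets linters see the individual arguments and avoids the truthy `yes`; and `sudo:` has been deprecated in favour of `become:` in recent Ansible releases (the same applies to every `sudo: true` in tasks/main.yml). Rewritten handler:
```yaml
- name: restart nginx
  become: true
  service:
    name: nginx
    state: restarted
    enabled: true
```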
@@ -0,0 +1,73 @@
+---
+- name: ensure sites-available for nginx
+ file:
+ path: /etc/nginx/sites-available
+ state: directory
+ sudo: true
+
+- name: ensure there is an nginx user
+ user:
+ name: nginx
+ comment: "Nginx user"
+ sudo: true
+
+- name: ensure sites-enable for nginx
+ file:
+ path: /etc/nginx/sites-enabled
+ state: directory
+ sudo: true
+
+- name: remove default nginx site
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ sudo: true
+
+- name: write nginx.conf
+ template:
+ src: ../templates/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ sudo: true
+
+- name: enable nginx
+ sudo: true
+ service:
+ name: nginx
+ enabled: true
+
+- name: ensure ssl certs directory
+ file:
+ dest: /etc/ssl/certs
+ state: directory
+ sudo: true
+
+- name: ensure ssl private directory
+ file:
+ dest: /etc/ssl/private
+ state: directory
+ sudo: true
+
+- name: check for SSL cert
+ stat:
+ path: /etc/ssl/certs/{{ fqdn }}-bundled.crt
+ ignore_errors: true
+ register: ssl_cert
+
+- name: create self-signed SSL cert
+ command: openssl req -new -nodes -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN={{ app_name }}" -days 3650 -keyout /etc/ssl/private/{{ fqdn }}.key -out /etc/ssl/certs/{{ fqdn }}-bundled.crt -extensions v3_ca creates=/etc/nginx/ssl/{{ fqdn }}-bundled.crt
+ when: development_server and ssl_cert.stat.exists == false
+ sudo: true
+ notify: restart nginx
+
+- name: make sure permissions are correct for crt
+ file:
+ path: /etc/ssl/certs/{{ fqdn }}-bundled.crt
+ mode: 0777
+ when: development_server
+ sudo: true
+
+- name: ensure nginx is restarted
+ sudo: true
+ service:
+ name: nginx
+ state: restarted
diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf
new file mode 100644
index 00000000..912dd773
--- /dev/null
+++ b/ansible/roles/nginx/templates/nginx.conf
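Review bot: `mode: 0777` in the "make sure permissions are correct for crt" task makes the certificate world-writable, which nothing here needs — the crt is public data and `"0644"` (quoted, so YAML does not reinterpret the leading zero) is enough — while the private key that `-keyout /etc/ssl/private/{{ fqdn }}.key` writes gets no permission task at all, so its mode is whatever the umask of the run happened to be. A companion task should pin the key to root-only access; the nginx master reads the key as root before spawning the `nginx` workers, so `"0600"` does not break the site. Separately, the `creates=/etc/nginx/ssl/{{ fqdn }}-bundled.crt` argument names a different directory than the `-out /etc/ssl/certs/...` path, so that guard never fires and only the `when:` condition stops regeneration, and the certificate's `CN={{ app_name }}` will not match the `server_name {{ fqdn }}` it is served under.
```yaml
# … unchanged: directory, user, nginx.conf, service and stat tasks …

- name: make sure permissions are correct for crt
  file:
    path: /etc/ssl/certs/{{ fqdn }}-bundled.crt
    mode: "0644"
  when: development_server
  sudo: true

- name: make sure the private key is readable by root only
  file:
    path: /etc/ssl/private/{{ fqdn }}.key
    owner: root
    group: root
    mode: "0600"
  when: development_server
  sudo: true

# … unchanged: final restart task …
```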
@@ -0,0 +1,68 @@
+# {{ ansible_managed }}
+user nginx;
+worker_processes 20;
+worker_rlimit_nofile 8192;
+
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ #sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # If HTTPS, then set a variable so it can be passed along.
+ ##
+
+ map $scheme $server_https {
+ default off;
+ https on;
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/ansible/roles/nginx/templates/nginx_site.conf b/ansible/roles/nginx/templates/nginx_site.conf
new file mode 100644
index 00000000..d151af6a
--- /dev/null
+++ b/ansible/roles/nginx/templates/nginx_site.conf
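Review bot: `worker_processes 20;` near the top of the template is a fixed count regardless of how many CPUs the target has, which oversubscribes small hosts and starves large ones; since this file is rendered by Ansible, `worker_processes {{ ansible_processor_vcpus }};` sizes it per host, or `worker_processes auto;` lets nginx do the same at startup. The `map $scheme $server_https` block defines `$server_https`, but nothing in this commit reads it — the site template forwards `$scheme` via `X-Forwarded-Proto` instead — so either drop the map or extend its comment to name the upstream that consumes the variable.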
@@ -0,0 +1,26 @@
+server {
+ listen 443 default_server ssl;
+ server_name {{ fqdn }};
+
+ ssl_certificate /etc/ssl/certs/{{ fqdn }}-bundled.crt;
+ ssl_certificate_key /etc/ssl/private/{{ fqdn }}.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ access_log /var/log/nginx/{{ app_name }}-access.log;
+ error_log /var/log/nginx/{{ app_name }}-error.log;
+
+ # Some binaries are gigantic
+ client_max_body_size 2048m;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:8000;
+ proxy_read_timeout 500;
+ }
+
+}
--
2.47.3
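Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled and the server block sets no `ssl_ciphers` or `ssl_prefer_server_ciphers`, so the negotiated suite is whatever the nginx/OpenSSL build on each host defaults to rather than a policy the role controls. Unless legacy clients are a stated requirement, `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` with an explicit `ssl_ciphers` list pin that policy in the template. Separately, nothing in the tasks/main.yml hunk renders this file — the tasks create sites-available/sites-enabled and template nginx.conf, but never template nginx_site.conf into either directory — so as committed this server block is never active; presumably another role or a follow-up does it, but a header comment naming the intended destination (for example `# rendered to /etc/nginx/sites-available/{{ app_name }} by the consuming role`) would make that dependency visible.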