author | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
---|---|---|
committer | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
commit | 1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch) | |
tree | 129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/roles/nginx/tasks/main.yml | |
parent | 9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff) | |
Diffstat (limited to 'ansible/roles/nginx/tasks/main.yml')
-rw-r--r-- | ansible/roles/nginx/tasks/main.yml | 118 |
1 files changed, 118 insertions, 0 deletions
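diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..73469a1
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -0,0 +1,118 @@
+---
+- name: emerge, nginx with extra modules!
+  apt:
+    pkg: nginx-extras
+    state: latest
+
+# Keep 32 logs
+- name: adjust nginx logrotate keep files
+  lineinfile:
+    state: present
+    path: /etc/logrotate.d/nginx
+    regexp: "^(\\s+)rotate "
+    line: "\\1rotate 32"
+    backrefs: yes
+
+# And only rotate when they grow larger than 1 GB
+- name: adjust nginx logrotate trigger rolls
+  lineinfile:
+    state: present
+    path: /etc/logrotate.d/nginx
+    regexp: "minsize"
+    line: "minsize 1G"
+    insertafter: "rotate \\d+"
+
+- name: verify nginx isn't serving default pages
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify:
+    - reload nginx
+
+- name: verify nginx proxy cache dir exists
+  file:
+    path: /var/nginx/proxy-cache
+    owner: www-data
+    state: directory
+
+- name: verify nginx cpu affinity
+  lineinfile:
+    state: present
+    path: /etc/nginx/nginx.conf
+    regexp: "^worker_cpu_affinity "
+    line: "worker_cpu_affinity auto;"
+    insertafter: '^worker_processes '
+  notify:
+    - reload nginx
+
+- name: drop keepalive from nginx conf because we set it custom
+  lineinfile:
+    state: absent
+    path: /etc/nginx/nginx.conf
+    regexp: "^\\s+keepalive_timeout"
+  notify:
+    - reload nginx
+
+- name: copy config extensions
+  copy:
+    src: conf.d
+    dest: /etc/nginx/
+  notify:
+    - reload nginx
+
+- name: copy shared tls settings
+  copy:
+    src: tls/
+    dest: /etc/nginx/
+  notify:
+    - reload nginx
+
+- name: generate our templated basic sites
+  template:
+    src: basic-site.conf.j2
+    dest: "/etc/nginx/sites-available/{{ item.domain }}"
+  loop: "{{ nginx.basic }}"
+  notify:
+    - reload nginx
+
+- name: copy our more complex sites we don't want templated
+  copy:
+    src: "servers/{{ item }}"
+    dest: /etc/nginx/sites-available/
+  loop: "{{ nginx.complex }}"
+  notify:
+    - reload nginx
+
+- name: activate our nginx site configs
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop: "{{ nginx.complex }}"
+  notify:
+    - reload nginx
+
+- name: activate our nginx site templates
+  file:
+    src: "/etc/nginx/sites-available/{{ item.domain }}"
+    dest: "/etc/nginx/sites-enabled/{{ item.domain }}"
+    state: link
+  loop: "{{ nginx.basic }}"
+  notify:
+    - reload nginx
+
+- name: remove disabled sites
+  file:
+    src: "/etc/nginx/sites-enabled/{{ item }}"
+    state: absent
+  loop: "{{ nginx.disabled | default([]) }}"
+  notify:
+    - reload nginx
+
+- name: reload if certs newish
+  include_role:
+    name: certreload
+  vars:
+    certreload:
+      notifiers:
+        - reload nginx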
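Review bot: The `remove disabled sites` task passes the target as `src:` rather than `path:`, and the `file` module requires `path` (`dest`/`name` are its aliases; `src` is only meaningful for `state: link`), so as soon as `nginx.disabled` is non-empty the task fails with a missing-argument error and the stale symlink stays enabled — today it only passes because `default([])` leaves the loop empty. Change that line to `path: "/etc/nginx/sites-enabled/{{ item }}"`. The proxy-cache directory task sets `owner: www-data` but no `group` or `mode`, so the directory's permissions fall back to the umask default (typically world-readable); cached upstream responses are worth restricting with `group: www-data` and `mode: "0700"`. `state: latest` on the `nginx-extras` install makes the role non-idempotent and pulls in whatever the mirror currently serves, and the `-extras` flavour bundles a large set of third-party modules; `state: present` (or a pinned version) and the smallest flavour that carries the modules actually used would shrink both the supply-chain and runtime surface, though that may be a deliberate trade-off here.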