From 11e2679369fe509f8995280d653556758361d0d6 Mon Sep 17 00:00:00 2001
From: Someone
Date: Fri, 4 Oct 2024 13:42:36 +0200
Subject: [PATCH] [roles/server/nginx/server] install nginx server
---
roles/server/nginx/meta/main.yml | 9 +
.../server/files/default/000-default.vhost | 92 ++++++++
.../files/default/awstats-logrotate-script | 15 ++
.../server/files/default/awstats.conf.local | 20 ++
.../server/files/default/maintenance.html | 13 ++
.../server/files/default/nginx-awstats.pam | 15 ++
.../nginx/server/files/default/nginx.conf | 53 +++++
.../files/default/nginx.empty.logrotate | 9 +
.../server/files/default/nginx.logrotate | 29 +++
.../nginx/server/files/default/robots.txt | 2 +
roles/server/nginx/server/handlers/main.yml | 13 ++
roles/server/nginx/server/meta/main.yml | 9 +
roles/server/nginx/server/tasks/main.yml | 215 ++++++++++++++++++
13 files changed, 494 insertions(+)
create mode 100644 roles/server/nginx/meta/main.yml
create mode 100644 roles/server/nginx/server/files/default/000-default.vhost
create mode 100644 roles/server/nginx/server/files/default/awstats-logrotate-script
create mode 100644 roles/server/nginx/server/files/default/awstats.conf.local
create mode 100644 roles/server/nginx/server/files/default/maintenance.html
create mode 100644 roles/server/nginx/server/files/default/nginx-awstats.pam
create mode 100644 roles/server/nginx/server/files/default/nginx.conf
create mode 100644 roles/server/nginx/server/files/default/nginx.empty.logrotate
create mode 100644 roles/server/nginx/server/files/default/nginx.logrotate
create mode 100644 roles/server/nginx/server/files/default/robots.txt
create mode 100644 roles/server/nginx/server/handlers/main.yml
create mode 100644 roles/server/nginx/server/meta/main.yml
create mode 100644 roles/server/nginx/server/tasks/main.yml
diff --git a/roles/server/nginx/meta/main.yml b/roles/server/nginx/meta/main.yml
new file mode 100644
index 0000000..71e7616
--- /dev/null
+++ b/roles/server/nginx/meta/main.yml
@@ -0,0 +1,9 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+dependencies:
+ - { role: server/nginx/server }
diff --git a/roles/server/nginx/server/files/default/000-default.vhost b/roles/server/nginx/server/files/default/000-default.vhost
new file mode 100644
index 0000000..49edeb2
--- /dev/null
+++ b/roles/server/nginx/server/files/default/000-default.vhost
@@ -0,0 +1,92 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+
+server {
+ listen 443 ssl default_server http2;
+ listen [::]:443 ssl default_server http2;
+ server_name _;
+
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384;
+ ssl_prefer_server_ciphers on;
+# ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_session_cache shared:SSL:10m;
+
+ ###
+ location ^~ /.well-known/acme-challenge {
+ alias /var/www/html/dehydrated;
+ }
+ ###
+ ###
+ location /nginx_status {
+ stub_status;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ }
+ ###
+ ###
+ location ~ /\.(?!well-known\/).* {
+ return 404;
+ }
+ ###
+ ###
+ location = /robots.txt {
+ root /var/www/;
+ try_files /html/$uri =404;
+ }
+ ###
+ ###
+ location ^~ /awstats-icon {
+ alias /usr/share/awstats/icon/;
+ auth_pam "awstats";
+ auth_pam_service_name "nginx-awstats";
+ access_log off;
+ }
+ location = /awstats.pl {
+ root /usr/lib/cgi-bin/;
+ auth_pam "awstats";
+ auth_pam_service_name "nginx-awstats";
+ access_log off;
+
+ gzip off;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
+ }
+ ###
+}
+
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ ###
+ location ^~ /.well-known/acme-challenge {
+ alias /var/www/html/dehydrated;
+ }
+ ###
+ ###
+ location /nginx_status {
+ stub_status;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ }
+ ###
+
+ # redirect everything to https except for /.well-known/acme-challenge and /nginx_status
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
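Review bot: The `ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384` line in the 443 server still admits static-RSA key exchange (HIGH contains kRSA AEAD suites such as AES256-GCM-SHA384), so TLS 1.2 sessions can be negotiated without forward secrecy. Since `ssl_dhparam` is commented out, nginx will not offer DHE suites either, which leaves ECDHE and kRSA as the only TLS 1.2 key exchanges; excluding kRSA makes ECDHE the sole option, `ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384:!kRSA;`. TLS 1.3 suites are not governed by `ssl_ciphers` and are unaffected by this change. It would also help readers to say in a comment that the `!SHA*` exclusions are there to drop the CBC/HMAC suites and keep AEAD only, which is presumably the intent.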
diff --git a/roles/server/nginx/server/files/default/awstats-logrotate-script b/roles/server/nginx/server/files/default/awstats-logrotate-script
new file mode 100644
index 0000000..e40d9e4
--- /dev/null
+++ b/roles/server/nginx/server/files/default/awstats-logrotate-script
@@ -0,0 +1,15 @@
+#!/bin/sh
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh
+if [ -x $UPDATE_SCRIPT ]
+then
+# not permitted :/
+# su -l -c $UPDATE_SCRIPT www-data
+ sudo -u www-data -g adm $UPDATE_SCRIPT
+fi
diff --git a/roles/server/nginx/server/files/default/awstats.conf.local b/roles/server/nginx/server/files/default/awstats.conf.local
new file mode 100644
index 0000000..b94c0c9
--- /dev/null
+++ b/roles/server/nginx/server/files/default/awstats.conf.local
@@ -0,0 +1,20 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# You can overrides config directives here.
+# This is particularly useful for users with several configs for
+# different virtual servers, who want to reuse common parameters.
+# Also, this file is not updated with each new upstream release.
+
+LoadPlugin="ipv6"
+AllowFullYearView=3
+
+LogFile="/var/log/nginx/access.log"
+LogFormat=1
+SiteDomain="localhost"
+HostAliases="REGEX[^.*$]"
diff --git a/roles/server/nginx/server/files/default/maintenance.html b/roles/server/nginx/server/files/default/maintenance.html
new file mode 100644
index 0000000..028203b
--- /dev/null
+++ b/roles/server/nginx/server/files/default/maintenance.html
@@ -0,0 +1,13 @@
+ + + Down For Maintenance + + + +

Down For Maintenance

+

Sorry for the inconvenience.
We’ll be back ASAP!

+

In the meantime go and watch the best pictures on the web: kitty paws.

+
diff --git a/roles/server/nginx/server/files/default/nginx-awstats.pam b/roles/server/nginx/server/files/default/nginx-awstats.pam
new file mode 100644
index 0000000..8dabaad
--- /dev/null
+++ b/roles/server/nginx/server/files/default/nginx-awstats.pam
@@ -0,0 +1,15 @@
+#%PAM-1.0
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+auth optional pam_faildelay.so delay=3000000
+auth [success=1 default=ignore] pam_unix.so
+auth requisite pam_deny.so
+auth required pam_permit.so
+
+account required pam_permit.so
diff --git a/roles/server/nginx/server/files/default/nginx.conf b/roles/server/nginx/server/files/default/nginx.conf
new file mode 100644
index 0000000..2fbf8ea
--- /dev/null
+++ b/roles/server/nginx/server/files/default/nginx.conf
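Review bot: The account stack of the nginx-awstats service is `account required pam_permit.so`, so account-level restrictions kept by pam_unix (expiry dates, disabled accounts that still have a valid hash) are never evaluated; only the password check in the auth stack gates access. Using the same module in both phases keeps the web login consistent with a system login, `account required pam_unix.so`. Because the auth stack authenticates against pam_unix with no user restriction, every local account with a password becomes a valid credential for /awstats.pl and /awstats-icon; a comment stating that this is intended, or a `pam_listfile.so` restriction to the accounts that should see the statistics, would make the exposure explicit. Note also that pam_unix invoked from the nginx worker (running as www-data per nginx.conf) presumably relies on the setuid unix_chkpwd helper to read the shadow file; worth confirming on the target distribution.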
@@ -0,0 +1,53 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ charset utf-8;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ # get rid of php timeouts.
+ fastcgi_read_timeout 900;
+
+ # use http 429 to indicate rate limiting.
+ limit_req_status 429;
+
+ # disable any default-webroot.
+ root /dev/null;
+
+ # $connection_upgrade map
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.vhost;
+}
diff --git a/roles/server/nginx/server/files/default/nginx.empty.logrotate b/roles/server/nginx/server/files/default/nginx.empty.logrotate
new file mode 100644
index 0000000..371a99d
--- /dev/null
+++ b/roles/server/nginx/server/files/default/nginx.empty.logrotate
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+# renamed to zzz_nginx to make sure awstats (takes a while) is run after all other logs were rotated.
diff --git a/roles/server/nginx/server/files/default/nginx.logrotate b/roles/server/nginx/server/files/default/nginx.logrotate
new file mode 100644
index 0000000..29bab2e
--- /dev/null
+++ b/roles/server/nginx/server/files/default/nginx.logrotate
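Review bot: The http block of nginx.conf leaves `server_tokens` at its default, so the nginx version is advertised in the Server header and on built-in error pages of every vhost that does not override it. Adding `server_tokens off;` next to `charset utf-8;` removes the version from both places without affecting any functionality; vhosts can still re-enable it. The `root /dev/null;` trick to disable a default webroot deserves a one-line comment explaining that it makes any location without an explicit root serve nothing, since the intent is easy to misread.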
@@ -0,0 +1,29 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+/var/log/nginx/*.log {
+ daily
+ missingok
+ rotate 31
+ dateext
+ compress
+ copytruncate
+ delaycompress
+ notifempty
+ create 0640 www-data adm
+ sharedscripts
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi \
+ endscript
+ postrotate
+ systemctl reload nginx.service >/dev/null 2>&1
+# invoke-rc.d nginx rotate >/dev/null 2>&1
+ endscript
+}
diff --git a/roles/server/nginx/server/files/default/robots.txt b/roles/server/nginx/server/files/default/robots.txt
new file mode 100644
index 0000000..1f53798
--- /dev/null
+++ b/roles/server/nginx/server/files/default/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/roles/server/nginx/server/handlers/main.yml b/roles/server/nginx/server/handlers/main.yml
new file mode 100644
index 0000000..7c73618
--- /dev/null
+++ b/roles/server/nginx/server/handlers/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: restart nginx.service
+ systemd:
+ name: nginx.service
+ daemon_reload: yes
+ state: restarted
+ ignore_errors: yes
diff --git a/roles/server/nginx/server/meta/main.yml b/roles/server/nginx/server/meta/main.yml
new file mode 100644
index 0000000..81d8e62
--- /dev/null
+++ b/roles/server/nginx/server/meta/main.yml
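Review bot: `copytruncate` in the zzz_nginx rule conflicts with the `create 0640 www-data adm` line and the `systemctl reload nginx.service` postrotate: with copytruncate the original file is kept and truncated in place, so `create` has no effect, and log lines written between the copy and the truncation are lost, which is an audit gap for access logs. Since the reload makes nginx reopen its log files, dropping `copytruncate` and keeping `create` plus the postrotate reload rotates without that window. If copytruncate is kept deliberately (for example because the reload is considered too disruptive), a comment on that line saying so would stop the next maintainer from "fixing" it.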
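Review bot: `ignore_errors: yes` on the `restart nginx.service` handler means a restart that fails because of a broken nginx.conf or vhost leaves the server down while the play still reports success. The inline restart task in tasks/main.yml that fires when the default vhost changes does not ignore errors, so the two paths behave differently for the same failure. Dropping the `ignore_errors: yes` line, or at least leaving a comment explaining which expected failure it is meant to tolerate, would make a failed restart visible.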
@@ -0,0 +1,9 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+dependencies:
+ - { role: server/letsencrypt-bot, tags: ['letsencrypt-bot'] }
diff --git a/roles/server/nginx/server/tasks/main.yml b/roles/server/nginx/server/tasks/main.yml
new file mode 100644
index 0000000..5145039
--- /dev/null
+++ b/roles/server/nginx/server/tasks/main.yml
@@ -0,0 +1,215 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+- name: install web-server
+ apt:
+ pkg:
+ - nginx-full
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: copy nginx.conf
+ copy:
+ src: "{{item}}"
+ dest: "/etc/nginx/nginx.conf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nginx.conf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nginx.conf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nginx.conf"
+ - "default/nginx.conf"
+ notify: restart nginx.service
+
+
+- name: copy default vhost
+ copy:
+ src: "{{item}}"
+ dest: "/etc/nginx/sites-enabled/000-default.vhost"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/000-default.vhost"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/000-default.vhost"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/000-default.vhost"
+ - "default/000-default.vhost"
+ register: temp_result
+
+
+- name: enable and restart nginx.service when default vhost changes
+ systemd:
+ name: nginx.service
+ daemon_reload: yes
+ enabled: yes
+ state: restarted
+ when: temp_result.changed
+
+
+- name: copy default robots.txt
+ copy:
+ src: "{{item}}"
+ dest: "/var/www/html/robots.txt"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/robots.txt"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/robots.txt"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/robots.txt"
+ - "default/robots.txt"
+ notify: restart nginx.service
+
+
+- name: copy default maintenance.html
+ copy:
+ src: "{{item}}"
+ dest: "/var/www/maintenance.html.dis"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/maintenance.html"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/maintenance.html"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/maintenance.html"
+ - "default/maintenance.html"
+ notify: restart nginx.service
+
+
+- name: fix permissions of /var/www/
+ file:
+ path: "/var/www/"
+ state: directory
+ mode: 0755
+ owner: "root"
+ group: "root"
+
+
+- name: fix permissions of /var/www/html/
+ file:
+ path: "/var/www/html"
+ state: directory
+ mode: 0755
+ owner: "root"
+ group: "root"
+
+
+- name: enable and start nginx.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: nginx.service
+
+
+###########
+# AWSTATS #
+###########
+- name: install awstats
+ apt:
+ pkg:
+ - fcgiwrap
+ - awstats
+ - libnet-ip-perl
+ - libnet-dns-perl
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: remove broken awstats directory
+ file:
+ path: "/etc/logrotate.d/httpd-prerotate/awstats"
+ state: absent
+
+
+- name: disable periodic update by cron
+ copy:
+ content: "# disabled by someone's ansible provisioner"
+ dest: "/etc/cron.d/awstats"
+ mode: 0640
+ owner: "root"
+ group: "root"
+
+
+- name: copy awstats "default" vhost config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/awstats/awstats.conf.local"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/awstats.conf.local"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/awstats.conf.local"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/awstats.conf.local"
+ - "default/awstats.conf.local"
+
+
+- name: copy awstats logrotate script
+ copy:
+ src: "{{item}}"
+ dest: "/etc/logrotate.d/httpd-prerotate/awstats-logrotate-script"
+ mode: 0750
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/awstats-logrotate-script"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/awstats-logrotate-script"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/awstats-logrotate-script"
+ - "default/awstats-logrotate-script"
+
+
+- name: nginx logrotate zzz config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/logrotate.d/zzz_nginx"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nginx.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nginx.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nginx.logrotate"
+ - "default/nginx.logrotate"
+
+
+- name: nginx logrotate empty config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/logrotate.d/nginx"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nginx.empty.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nginx.empty.logrotate"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nginx.empty.logrotate"
+ - "default/nginx.empty.logrotate"
+
+
+- name: nginx-awstats pam.d config
+ copy:
+ src: "{{item}}"
+ dest: "/etc/pam.d/nginx-awstats"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/nginx-awstats.pam"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/nginx-awstats.pam"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/nginx-awstats.pam"
+ - "default/nginx-awstats.pam"
+
+
+- name: enable and start fcgiwrap.socket
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: fcgiwrap.socket
--
2.43.0