mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
This will be used for installing the geoip2 module, so we can make it more difficult for Chinese bots to crawl the wiki. The name of the shared object file can be overridden in case it is not named ngx_http_{{ module.name }}_module.so, e.g. srcache where the shared object is named ngx_http_srcache_filter_module.so.
# Install nginx and the Brotli module package through pacman.
- name: Install nginx
  pacman:
    name:
      - nginx
      - nginx-mod-brotli
    state: present
# Build the package list from nginx_extra_modules: take each entry's `name`
# and prefix it with nginx-mod-. The variable is defined outside this file.
# NOTE(review): behaviour with an empty nginx_extra_modules list is not
# visible here - confirm the role default.
- name: Install extra nginx modules
  pacman:
    state: present
    name: "{{ nginx_extra_modules | map(attribute='name') | map('regex_replace', '^', 'nginx-mod-') }}"
# Copy the role's nginx.service.d source into /etc/systemd/system, owned by
# root and writable only by root.
# NOTE(review): no handler is notified by this task; confirm that a systemd
# daemon-reload is triggered elsewhere when the drop-in changes.
- name: Install nginx.service snippet
  copy:
    src: nginx.service.d
    dest: /etc/systemd/system
    owner: root
    group: root
    mode: "0644"
# Render the main nginx configuration from nginx.conf.j2. The file is owned by
# root and writable only by root; a change triggers the "Reload nginx" handler.
- name: Configure nginx
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx
# Create /etc/nginx/toplevel-snippets and /etc/nginx/snippets as root-owned
# directories that only root can modify.
- name: Snippets directories
  file:
    path: "/etc/nginx/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - toplevel-snippets
    - snippets
# Render the Let's Encrypt and TLS settings snippets as templates into
# /etc/nginx/snippets; nginx is reloaded when either one changes.
- name: Copy snippets
  template:
    src: "{{ item }}"
    dest: /etc/nginx/snippets
    owner: root
    group: root
    mode: "0644"
  with_items:
    - letsencrypt.conf
    - sslsettings.conf
  notify:
    - Reload nginx
# Install the nginx hook under /etc/letsencrypt/hook.d as an executable file
# (0755) that only root can modify. The task is skipped unless the certbot
# role is part of the current play.
# NOTE(review): presumably run by the certificate renewal process - confirm
# which user executes files in hook.d.
- name: Install cert renewal hook
  template:
    src: letsencrypt.hook.d.j2
    dest: /etc/letsencrypt/hook.d/nginx
    owner: root
    group: root
    mode: "0755"
  when: "'certbot' in ansible_play_role_names"
# Root-owned directory /etc/nginx/nginx.d; the hostname vhost installed later
# in this file is written into it.
- name: Create nginx.d directory
  file:
    path: /etc/nginx/nginx.d
    state: directory
    owner: root
    group: root
    mode: "0755"
# Root-owned directory /etc/nginx/auth.
# NOTE(review): mode 0755 lets every local user list and enter this directory.
# If credential files (e.g. htpasswd) are stored here, their own modes must
# restrict who can read them - confirm where those files are created.
- name: Create auth directory
  file:
    path: /etc/nginx/auth
    state: directory
    owner: root
    group: root
    mode: "0755"
# Root-owned directory /etc/nginx/maps, writable only by root.
- name: Create maps directory
  file:
    path: /etc/nginx/maps
    state: directory
    owner: root
    group: root
    mode: "0755"
# Root-owned log directory /var/log/nginx/default. Mode 0755 makes the
# directory listable by all local users; the modes of the log files themselves
# are not set in this file.
- name: Create default nginx log directory
  file:
    path: /var/log/nginx/default
    state: directory
    owner: root
    group: root
    mode: "0755"
# Generate host-specific 2048-bit Diffie-Hellman parameters once. `creates`
# skips the command whenever /etc/ssl/dhparams.pem already exists, so an
# existing file is never regenerated or resized by this task.
# No owner or mode is set here; the file keeps whatever openssl writes.
- name: Create unique DH group
  command:
    cmd: openssl dhparam -out /etc/ssl/dhparams.pem 2048
    creates: /etc/ssl/dhparams.pem
# Directory for Let's Encrypt validation files, at the path given by
# letsencrypt_validation_dir. root owns it and is the only writer; members of
# the http group may read and traverse it (0750); other users have no access.
- name: Create directory to store validation stuff in
  file:
    path: "{{ letsencrypt_validation_dir }}"
    state: directory
    owner: root
    group: http
    mode: "0750"
# Install the role's logrotate configuration as
# /etc/logrotate.d/nginx-ansible, root-owned and writable only by root.
- name: Install logrotate config
  copy:
    src: logrotate.conf
    dest: /etc/logrotate.d/nginx-ansible
    owner: root
    group: root
    mode: "0644"
# Render the vhost for the host's own inventory name into /etc/nginx/nginx.d
# and reload nginx when it changes. Tagged `nginx` so it can be run on its own.
- name: Install inventory_hostname vhost
  template:
    src: nginx-hostname-vhost.conf.j2
    dest: /etc/nginx/nginx.d/nginx-hostname-vhost.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload nginx
  tags:
    - nginx
# Enable the nginx unit at boot. No `state` is given, so this task does not
# start or restart the service itself.
- name: Enable nginx
  service:
    name: nginx
    enabled: true
# Allow the http and https firewalld services in the zone named by
# nginx_firewall_zone. The rule is applied to the running firewall and to the
# permanent configuration. The task runs only when configure_firewall is truthy.
- name: Open firewall holes
  ansible.posix.firewalld:
    service: "{{ item }}"
    zone: "{{ nginx_firewall_zone }}"
    state: enabled
    permanent: true
    immediate: true
  with_items:
    - http
    - https
  when: configure_firewall
  tags:
    - firewall