mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
66 lines
2.0 KiB
YAML
66 lines
2.0 KiB
YAML
---
|
|
|
|
- name: install nginx
|
|
pacman: name=nginx,nginx-mod-brotli state=present
|
|
|
|
- name: install nginx.service snippet
|
|
copy: src=nginx.service.d dest=/etc/systemd/system owner=root group=root mode=0644
|
|
|
|
- name: configure nginx
|
|
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
|
|
notify:
|
|
- restart nginx
|
|
|
|
- name: snippets directories
|
|
file: state=directory path=/etc/nginx/{{ item }} owner=root group=root mode=0755
|
|
with_items:
|
|
- toplevel-snippets
|
|
- snippets
|
|
|
|
- name: copy snippets
|
|
template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=0644
|
|
with_items:
|
|
- letsencrypt.conf
|
|
- sslsettings.conf
|
|
notify:
|
|
- reload nginx
|
|
|
|
- name: install cert renewal hook
|
|
template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/nginx owner=root group=root mode=0755
|
|
|
|
- name: create nginx.d directory
|
|
file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=0755
|
|
|
|
- name: create auth directory
|
|
file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
|
|
|
|
- name: create default nginx log directory
|
|
file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
|
|
|
|
- name: create unique DH group
|
|
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
|
|
|
|
- name: create directory to store validation stuff in
|
|
file: owner=root group=http mode=0750 path={{ letsencrypt_validation_dir }} state=directory
|
|
|
|
- name: install logrotate config
|
|
copy: src=logrotate.conf dest=/etc/logrotate.d/nginx-ansible owner=root group=root mode=0644
|
|
|
|
- name: install inventory_hostname vhost
|
|
template: src=nginx-hostname-vhost.conf.j2 dest=/etc/nginx/nginx.d/nginx-hostname-vhost.conf owner=root group=root mode=0644
|
|
notify:
|
|
- reload nginx
|
|
tags: ['nginx']
|
|
|
|
- name: enable nginx
|
|
service: name=nginx enabled=yes
|
|
|
|
- name: open firewall holes
|
|
firewalld: service={{ item }} permanent=true state=enabled immediate=yes
|
|
with_items:
|
|
- http
|
|
- https
|
|
when: configure_firewall
|
|
tags:
|
|
- firewall
|