An Ansible role for installing and managing nginx servers.
This role installs nginx from APT on Debian systems, EPEL on Enterprise Linux systems, or pkgin on SmartOS. Other systems and installation methods are not supported.
All variables are optional.
nginx_flavor
(default:full
): nginx package to install (for choices, see thenginx
metapackage providers for your Debian-based distribution). On RedHat-based distributions, this can either begalaxy
(for "Galaxy nginx", which includes the nginx upload and pam modules), or any other value for EPEL nginx. This value is not used on pkgin/SmartOS installations. Generally TUS can be used andfull
is a safe default for the future.nginx_servers
: A list ofserver {}
(virtualhost) templates (relative totemplates/nginx/
, file ending.j2
is automatically added to list entries when searching).nginx_ssl_servers
: Likenginx_servers
, but only installed if SSL is configured.nginx_conf_http
: Set arbitrary options in thehttp {}
section ofnginx.conf
. This is a hash (dictionary) where keys are nginx config options and values are the option's value.nginx_default_redirect_uri
: When using nginx from EPEL, a default virtualhost is enabled. This option controls what URI the default virtualhost should be redirected to. nginx variables are supported.nginx_enable_default_server
(default:true
): Enable/disable the default EPEL virtualhost.nginx_supervisor
: Run nginx under supervisor (requires setting certain supervisor variables).nginx_conf_dir
(default:/etc/nginx
): nginx configuration directory
The nginx_conf_ssl_certificate*
variables control the use of SSL. If unset, SSL will not be enabled. See Example
Playbook for usage.
nginx_conf_ssl_certificate
: File name of the SSL certificate on the remote host.nginx_conf_ssl_certificate_key
: File name of the SSL private key on the remote host.nginx_conf_ssl_ciphers
: Thessl_ciphers
option innginx.conf
, this is a list.nginx_conf_ssl_protocols
: Thessl_protocols
option innginx.conf
, this is a list.
nginx_ssl_role
(default: undefined): Role to run to set up SSL. This allows the use of (for example) usegalaxy_eu.certbot, which typically must run after nginx is set up and running on port 80, but before nginx attempts to use SSL (since until certbot runs, the certs that nginx expects do not exist yet). Setting this will cause the SSL role to be run at the appropriate point in this role. See alsonginx_ssl_servers
.nginx_conf_ssl_certificate
: File name of the SSL certificate.nginx_conf_ssl_certificate_key
: File name of the SSL private key.
In this mode, the nginx_conf_ssl_certificate*
variables should be absolute paths.
If nginx_ssl_role
is unset, you can use this role to copy your certificate and key from the playbook.
nginx_ssl_conf_dir
(default:<nginx_conf_dir>/ssl
): Where to copy SSL certificates and other SSL-related files to.nginx_ssl_src_dir
(default:files/ssl
): Where to copy SSL certificates from.sslkeys
: A hash (dictionary) containing private keys. Keys are the filenames (without leading path elements) matchingnginx_conf_ssl_certificate_key
.nginx_conf_ssl_trusted_certificate
: File name of trusted certificates for OCSP stapling (setting enables stapling).
In this mode, the nginx_conf_ssl_certificate*
variables should be relative paths. However, for legacy reasons, they
can be absolute paths to the files on the remote host. If this is the case, the certs are searched for in
nginx_ssl_src_dir
with the directory portion of the path stripped. If the path is not absolute, it is relative to
nginx_ssl_src_dir
for the source, and relative to nginx_ssl_conf_dir
for the destination.
If SELinux is in enforcing mode, several additional actions will be taken:
- If
certbot_well_known_root
is set, it will be updated to allow the typehttpd_sys_content_t
permissions on all subdirectories nginx_selinux_allow_local_connections
(default:false
): Allow nginx to connect to localhost
Although not a requirement, geerlingguy.repo-epel can be used to enable EPEL with Ansible.
Here are a few playbook examples depending on where you're getting your certificates
Install nginx with SSL certs stored in the playbook (cert at {{ playbook_dir }}/files/ssl/snakeoil_cert.pem
):
- name: Install and configure nginx
hosts: webservers
vars:
sslkeys:
snakeoil_privatekey.pem: |
-----BEGIN PRIVATE KEY-----
MIIE...
-----END PRIVATE KEY-----
nginx_conf_ssl_certificate: snakeoil_cert.pem
nginx_conf_ssl_certificate_key: snakeoil_privatekey.pem
nginx_servers:
- vhost1
- vhost2
nginx_conf_http:
client_max_body_size: 1g
roles:
- galaxyproject.nginx
Install nginx with SSL certs obtained from Let's Encrypt with Certbot using usegalaxy_eu.certbot:
- name: Install and configure nginx
hosts: webservers
vars:
nginx_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem
nginx_conf_ssl_certificate_key: /etc/ssl/private/private.pem
nginx_servers:
- vhost1
- vhost2
nginx_ssl_servers:
- vhost1_ssl
- vhost2_ssl
nginx_conf_http:
client_max_body_size: 1g
nginx_ssl_role: usegalaxy_eu.certbot
certbot_auth_method: --webroot
certbot_domains:
- vhost1.example.org
- vhost2.example.org
certbot_admin_email: webmaster@example.org
certbot_agree_tos: --agree-tos
certbot_well_known_root: /var/www/_well-known_root
certbot_post_renewal: |
systemctl restart nginx || true
roles:
- galaxyproject.nginx
In templates/nginx/vhost1.j2
and templates/nginx/vhost2.j2
, be sure to add something like:
server {
location /.well-known/ {
root {{ certbot_well_known_root }};
}
}
Install nginx and use a generated and self-signed SSL certificate (good option for testing secured services behind a firewall)
- name: Install and configure nginx
hosts: webservers
vars:
nginx_servers:
- vhost1
- vhost2
nginx_ssl_servers:
- vhost1_ssl
- vhost2_ssl
nginx_conf_http:
client_max_body_size: 1g
nginx_ssl_role: galaxyproject.self_signed_certs
openssl_domains: # Identical behaviour to certbot_domains
- vhost1.example.org
- vhost2.example.org
# These can be set to wherever you want your certificates and PK stored.
nginx_conf_ssl_certificate_key: /etc/ssl/private/{{ openssl_domains[0] }}.pem
nginx_conf_ssl_certificate: /etc/ssl/certs/{{ openssl_domains[0] }}.crt
roles:
- galaxyproject.nginx