- name: load distribution-specific values
  # Always runs so later tasks can rely on the variables even when
  # the play is limited to a tag subset.
  tags:
    - always
  include_vars: "{{ item }}"
  # first_found stops at the first file that exists, so the most
  # specific candidate (distro + major version) takes precedence and
  # defaults.yml is the fallback.
  with_first_found:
    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - defaults.yml

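- name: ensure nginx is installed
  # The package module accepts a list for name, so the variable is
  # passed through as-is. The previous join(",") form would split a
  # scalar nginx_packages value into single characters.
  package:
    name: '{{ nginx_packages }}'
    state: present
  tags:
    - install
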
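- name: ensure nginx pki directories exist
  # Ownership is pinned to root, matching the configuration-directory
  # task in this file; private/ is owner-only so key material placed
  # there is not readable by other local accounts.
  file:
    path: '{{ item.path }}'
    owner: root
    group: root
    mode: '{{ item.mode }}'
    state: directory
  # loop instead of with_items, for consistency with the other
  # directory task in this file.
  loop:
    - path: /etc/pki/nginx
      mode: '0755'
    - path: /etc/pki/nginx/private
      mode: '0700'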
- name: ensure tls private key exists
  # Runs only when a per-host server.key matches the glob; with no
  # match the loop is empty and the task is skipped.
  copy:
    dest: "{{ nginx_ssl_certificate_key }}"
    src: "{{ item }}"
    mode: "0400"
    setype: cert_t
  # Task-level keyword: keeps the key contents out of --diff output.
  diff: false
  with_fileglob:
    - "certs/nginx/{{ inventory_hostname }}/server.key"
  notify: reload nginx
- name: ensure tls certificate exists
  # Public certificate: world-readable is fine, unlike the key above.
  copy:
    dest: "{{ nginx_ssl_certificate }}"
    src: "{{ item }}"
    mode: "0644"
    setype: cert_t
  with_fileglob:
    - "certs/nginx/{{ inventory_hostname }}/server.cer"
  notify: reload nginx
- name: ensure tls ca certificate exists
  # Optional: only applies when a CA certificate destination is set.
  when: nginx_ssl_ca_certificate is defined
  copy:
    dest: "{{ nginx_ssl_ca_certificate }}"
    src: "{{ item }}"
    mode: "0644"
    setype: cert_t
  with_fileglob:
    - "certs/nginx/{{ inventory_hostname }}/ca.crt"
  notify: reload nginx

- name: ensure nginx configuration directories exist
  # Root-owned; group/other may traverse and read but only root can
  # add or change configuration files.
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "u=rwx,go=rx"
  loop:
    - /etc/nginx
    - /etc/nginx/conf.d
    - /etc/nginx/default.d
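- name: ensure nginx is configured
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'
    # Syntax-check the rendered file before it replaces the live
    # configuration, so a bad template cannot leave nginx unable to
    # reload. %s is substituted with the temporary rendered path.
    validate: /usr/sbin/nginx -t -c %s
  notify: reload nginx
  tags:
    - nginx-config
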
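- name: ensure nginx is allowed in the firewall
  # Canonical booleans instead of yes/no. The change is applied to the
  # running firewall only (permanent: false); the notified handler is
  # presumably what persists it -- confirm against the handler.
  firewalld:
    service: '{{ item }}'
    state: enabled
    permanent: false
    immediate: true
  when: host_uses_firewalld|d(true)
  # loop instead of with_items, for consistency with the rest of the file.
  loop:
    - http
    - https
  notify: save firewalld configuration
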
- name: ensure nginx starts at boot
service:
name: nginx
enabled: yes