diff --git a/ansible/roles/nginx_vhost/tasks/defaulthost.yml b/ansible/roles/nginx_vhost/tasks/defaulthost.yml index 731fc7211..9cb36c0a6 100644 --- a/ansible/roles/nginx_vhost/tasks/defaulthost.yml +++ b/ansible/roles/nginx_vhost/tasks/defaulthost.yml @@ -22,25 +22,6 @@ tags: - nginx_vhost -- name: remove previous fragments dir for aws_elb_default - file: - path: "{{nginx_conf_dir}}/vhost_fragments/aws_elb_default" - state: absent - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: ensure fragments dir for default vhost for ala is present - file: - path: "{{nginx_conf_dir}}/vhost_fragments/ala_default" - state: directory - mode: 0755 - owner: root - group: root - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - - name: add upstream fragment template: src: "fragment_02_upstream.j2" 
@@ -65,69 +46,13 @@ tags: - nginx_vhost -- name: add start of default vhost for ala - template: - src: "ala_default_start.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/ala_default/10_ala_default_start" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: add start location fragment for default vhost for Amazon load balancer health checks - template: - src: "fragment_70_location_start.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/ala_default/70_location_{{ item.sort_label | default(item.path | basename) }}_70_start" - with_items: - - "{{ nginx_paths }}" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: add default contents location fragment for default vhost for Amazon load balancer health checks +- name: Create Nginx default config from template template: - src: "fragment_71_location_default.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/ala_default/70_location_{{ item.sort_label | default(item.path | basename) }}_71_default" - with_items: - - "{{ nginx_paths }}" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: add usual contents location fragment for default vhost for Amazon load balancer health checks - template: - src: "fragment_73_location.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/ala_default/70_location_{{ item.sort_label | default(item.path | basename) }}_73_content" - with_items: - - "{{ nginx_paths }}" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: add end location fragment for default vhost for Amazon load balancer health checks - template: - src: "fragment_75_location_end.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/ala_default/70_location_{{ item.sort_label | default(item.path | basename) }}_75_end" - with_items: - - "{{ nginx_paths }}" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: add end of default vhost for ala - template: - src: "ala_default_end.j2" - dest: 
"{{nginx_conf_dir}}/vhost_fragments/ala_default/90_ala_default_end" - when: ala_default_vhost and vhost_required - tags: - - nginx_vhost - -- name: assemble fragments into default vhost for Amazon load balancer health checks - assemble: - src: "{{nginx_conf_dir}}/vhost_fragments/ala_default" - dest: "{{nginx_conf_dir}}/sites-available/ala_default.conf" - when: ala_default_vhost and vhost_required + src: "nginx_vhost_default.j2" + dest: "{{ nginx_conf_dir }}/sites-available/ala_default.conf" + when: vhost_required | bool == True notify: - - reload nginx + - reload nginx tags: - nginx_vhost @@ -147,4 +72,3 @@ ala_default_vhost: False tags: - nginx_vhost - diff --git a/ansible/roles/nginx_vhost/tasks/main.yml b/ansible/roles/nginx_vhost/tasks/main.yml index d85fbd983..f91427165 100644 --- a/ansible/roles/nginx_vhost/tasks/main.yml +++ b/ansible/roles/nginx_vhost/tasks/main.yml @@ -204,18 +204,6 @@ tags: - nginx_vhost -# check dir exists for servername fragments -- name: ensure vhost fragments dir is present - file: - path: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}" - state: directory - mode: 0755 - owner: root - group: root - when: vhost_required | bool == True - tags: - - nginx_vhost - - name: ensure nginx cache dir is present if configured file: path: "{{nginx_cache_path}}" 
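Review bot: The new `Create Nginx default config from template` task drops the `ala_default_vhost` guard that the assembled version carried, so with `ala_default_vhost` false the task still writes `sites-available/ala_default.conf` (empty, because the template gates its whole body on that variable) and triggers an nginx reload the first time it appears. Keep the gate on the task, `when: ala_default_vhost | bool and vhost_required | bool`, so the file is only produced when the default vhost is wanted and the previous behaviour is preserved. The template task also sets no ownership or mode, unlike the removed directory tasks; add `owner: root`, `group: root` and `mode: "0644"` so the vhost config does not depend on the controller's umask. If a stale `ala_default.conf` from an earlier run should disappear when the default vhost is disabled, that needs a separate `state: absent` task, which this hunk does not add.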
@@ -251,281 +239,19 @@ tags: - nginx_vhost -- name: add upstream fragment - template: - src: "fragment_02_upstream.j2" - dest: "{{nginx_conf_dir}}/conf.d/http_02_upstream_{{ hostname }}_127.0.0.1_{{ tomcat_server_port | default('8080', True) }}.conf" - when: vhost_required | bool == True and nginx_load_balancing | bool == true and item.is_proxy and item.proxy_pass is defined - with_items: - - "{{ nginx_paths}} " - notify: - - reload nginx - tags: - - nginx_vhost - -- name: remove upstream fragment if not needed - file: - path: "{{nginx_conf_dir}}/conf.d/http_02_upstream_{{ hostname }}_127.0.0.1_{{ tomcat_server_port | default('8080', True) }}.conf" - state: absent - when: vhost_required | bool == True and nginx_load_balancing | bool != true - with_items: - - "{{ nginx_paths}} " - notify: - - reload nginx - tags: - - nginx_vhost - -- name: add blocking if configured - template: - src: "fragment_03_blocking.j2" - dest: "{{nginx_conf_dir}}/conf.d/http_03_blocking.conf" - when: vhost_required | bool == True - notify: - - reload nginx - tags: - - nginx_vhost - -- name: add nginx rate limiter if configured - template: - src: "fragment_04_ratelimit.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_04_ratelimit" - when: vhost_required | bool == True and nginx_rate_limit_enabled | bool == True - tags: - - nginx_vhost - -- name: add cache fragment if configured - template: - src: "fragment_05_cache.j2" - dest: "{{nginx_conf_dir}}/conf.d/http_05_cache_{{ nginx_cache_zone }}.conf" - when: vhost_required | bool == True and nginx_cache | bool == True - notify: - - reload nginx - tags: - - nginx_vhost - -# If any of the nginx_paths has is_websocket, we need to add this template -- name: add connection upgrade fragment - template: - src: "fragment_06_connection.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_06_connection" - when: vhost_required | bool == True and nginx_load_balancing | bool == false and item.is_websocket is defined and 
item.is_websocket | bool == true - with_items: - - "{{ nginx_paths}} " - -# copy 10, 20, 90 as http (e.g. dest file might be /etc/nginx/vhost_fragments/bie-test.ala.org.au/http_10_start) -- name: add start http fragment - template: - src: "fragment_10_start_http.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_10_start" - when: vhost_required | bool == True - tags: - - nginx_vhost - -- name: add basic http fragments - template: - src: "fragment_{{ item }}.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_{{ item }}" - with_items: - - "20_servername" - - "90_end" - when: vhost_required | bool == True - tags: - - nginx_vhost - -- name: Find https fragments if not using https - find: - paths: "{{ nginx_conf_dir }}/vhost_fragments/{{ hostname }}/" - patterns: "https_*" - register: https_fragments_to_delete - when: ssl | bool == False and vhost_required | bool == True - tags: - - nginx_vhost - -- name: Delete https fragments if not using https - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ https_fragments_to_delete.files }}" - when: ssl | bool == False and vhost_required | bool == True - tags: - - nginx_vhost - - name: create root directory file: path="{{ nginx_root }}" state=directory mode=0755 force=yes follow=yes when: vhost_required | bool == True tags: - nginx_vhost -# if not ssl or (ssl and not force_https): copy 50 http -- name: if not using force_https, add root http fragment +- name: Create Nginx config from template template: - src: "fragment_{{ item }}.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_{{ item }}" - with_items: - - "50_root" - - "55_include" - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -# if not ssl or (ssl and not force_https): copy 60 robots -- name: if not using force_https, add robots http fragment - template: - src: "fragment_{{ item }}.j2" - dest: 
"{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_{{ item }}" - with_items: - - "60_robots" - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -# if not ssl or (ssl and not force_https): copy (70 per path) http -# basename filter returns last part of path e.g. for /ws returns ws, for / returns empty -- name: if not using force_https, add location http fragments - template: - src: "fragment_70_location_start.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_70_start" - with_items: - - "{{ nginx_paths}} " - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -# if not ssl or (ssl and not force_https): copy (73 per path) http -# basename filter returns last part of path e.g. for /ws returns ws, for / returns empty -- name: if not using force_https, add location http fragments - template: - src: "fragment_73_location.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_73_content" - with_items: - - "{{ nginx_paths}} " - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -- name: add cors fragment if required - template: - src: "fragment_74_location_cors.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors" - with_items: - - "{{ nginx_paths}} " - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True and nginx_cors_origin_regexp is defined - tags: - - nginx_vhost - -# if not ssl or (ssl and not force_https): copy (75 per path) http -# basename filter returns last part of path e.g. 
for /ws returns ws, for / returns empty -- name: if not using force_https, add location http fragments - template: - src: "fragment_75_location_end.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_75_end" - with_items: - - "{{ nginx_paths}} " - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -# if not ssl or (ssl and not force_https), delete 30 http -- name: if not using force_https, delete force_https fragment - file: - path: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_30_force_https" - state: absent - when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True - tags: - - nginx_vhost - -# if ssl and force_https, copy 30 as http -- name: if using force_https, add force_https fragment - template: - src: "fragment_{{ item }}.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_{{ item }}" - with_items: - - "30_force_https" - when: ssl | bool == True and force_https | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -# if ssl, copy 10, 20, 40, 50, 90 as https -- name: add start https fragment - template: - src: "fragment_10_start_https.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_10_start" - when: ssl | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -- name: add basic https fragments - template: - src: "fragment_{{ item }}.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_{{ item }}" - with_items: - - "20_servername" - - "40_ssl" - - "50_root" - - "55_include" - - "60_robots" - - "90_end" - when: ssl | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -# if ssl, copy (70 per path) https -# example https location for /ws path: /etc/nginx/vhost_fragments/bie-test.ala.org.au/https_70_location_start_ws -# 
basename filter returns last part of path e.g. for /ws returns ws, for / returns empty -- name: add location https fragments - template: - src: "fragment_70_location_start.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_70_start" - with_items: - - "{{ nginx_paths }}" - when: ssl | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -# if ssl, copy (73 per path) https -# example https location for /ws path: /etc/nginx/vhost_fragments/bie-test.ala.org.au/https_73_location_ws -# basename filter returns last part of path e.g. for /ws returns ws, for / returns empty -- name: add location https fragments - template: - src: "fragment_73_location.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_73_content" - with_items: - - "{{ nginx_paths }}" - when: ssl | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -- name: add cors fragment if required - template: - src: "fragment_74_location_cors.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors" - with_items: - - "{{ nginx_paths}} " - when: ssl | bool == True and vhost_required | bool == True and nginx_cors_origin_regexp is defined - tags: - - nginx_vhost - -# if ssl, copy (75 per path) https -# example https location for /ws path: /etc/nginx/vhost_fragments/bie-test.ala.org.au/https_75_location_end_ws -# basename filter returns last part of path e.g. 
for /ws returns ws, for / returns empty -- name: add location https fragments - template: - src: "fragment_75_location_end.j2" - dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_75_end" - with_items: - - "{{ nginx_paths }}" - when: ssl | bool == True and vhost_required | bool == True - tags: - - nginx_vhost - -# assemble servername fragments dir, put in sites-available as servername.conf -- name: assemble fragments into nginx vhost config - assemble: - src: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}" - dest: "{{nginx_conf_dir}}/sites-available/{{hostname}}{{vfragments_suffix}}.conf" + src: "nginx_vhost.j2" + dest: "{{ nginx_conf_dir }}/sites-available/{{ hostname }}{{ vfragments_suffix }}.conf" when: vhost_required | bool == True notify: - - reload nginx + - reload nginx tags: - nginx_vhost diff --git a/ansible/roles/nginx_vhost/templates/nginx_vhost.j2 b/ansible/roles/nginx_vhost/templates/nginx_vhost.j2 new file mode 100644 index 000000000..cf4151756 --- /dev/null +++ b/ansible/roles/nginx_vhost/templates/nginx_vhost.j2 
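Review bot: The hunk removes the tasks that wrote `conf.d/http_03_blocking.conf` and `conf.d/http_05_cache_*.conf` (and the per-host `http_02_upstream_*.conf` together with its `remove upstream fragment if not needed` cleanup), but the new `Create Nginx config from template` task only renders `nginx_vhost.j2`, which never calls the `fragment_03_blocking`, `fragment_05_cache` or `fragment_02_upstream` macros the commit defines. Unless those files are now written somewhere this diff does not show, a freshly provisioned host comes up without the blocking rules and cache zone, while hosts provisioned earlier keep stale, unmanaged copies in `conf.d` that nginx still loads — and if `fragment_03_blocking.j2` is the deny list its name suggests, that is a silently dropped security control (defaulthost.yml still keeps its own `add upstream fragment` task, so the upstream may be covered for the default host only). Restore the two conf.d tasks as below, or render those fragments from the template, and set `owner: root`, `group: root`, `mode: "0644"` on the new vhost task so the file's permissions do not depend on the controller's umask. The task list continues outside the hunk.
```yaml
# … unchanged: create root directory …
- name: add blocking if configured
  template:
    src: "fragment_03_blocking.j2"
    dest: "{{ nginx_conf_dir }}/conf.d/http_03_blocking.conf"
    owner: root
    group: root
    mode: "0644"
  when: vhost_required | bool
  notify:
    - reload nginx
  tags:
    - nginx_vhost

- name: add cache fragment if configured
  template:
    src: "fragment_05_cache.j2"
    dest: "{{ nginx_conf_dir }}/conf.d/http_05_cache_{{ nginx_cache_zone }}.conf"
    owner: root
    group: root
    mode: "0644"
  when: vhost_required | bool and nginx_cache | bool
  notify:
    - reload nginx
  tags:
    - nginx_vhost

- name: Create Nginx config from template
  template:
    src: "nginx_vhost.j2"
    dest: "{{ nginx_conf_dir }}/sites-available/{{ hostname }}{{ vfragments_suffix }}.conf"
    owner: root
    group: root
    mode: "0644"
  # … unchanged: when / notify / tags …
```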
@@ -0,0 +1,48 @@ +{% import 'nginx_vhost_macros.j2' as m with context %} +{% if (vhost_required | bool == True and nginx_rate_limit_enabled | bool == True) -%} +{{ m.fragment_04_ratelimit() }} +{%- endif %} +{% if (vhost_required | bool == True and nginx_load_balancing | bool == false and item.is_websocket is defined and item.is_websocket | bool == true) -%} +{{ m.fragment_06_connection() }} +{%- endif %} +{# Fragment-specific for HTTP #} +{% if (vhost_required | bool == True) %} +{{ m.fragment_10_start_http() }} +{{ m.fragment_20_servername() -}} +{% if (ssl | bool == True and force_https | bool == True and vhost_required | bool == True) -%} +{{ m.fragment_30_force_https() -}} +{% else %} +{% if ((ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True) -%} +{{ m.fragment_50_root() }} +{{ m.fragment_55_include() -}} +{{ m.fragment_60_robots() }} +{% for item in nginx_paths | sort(attribute='sort_label') %} +{{ m.fragment_70_location_start(item) -}} +{{ m.fragment_73_location(item) -}} +{% if (nginx_cors_origin_regexp is defined) -%} +{{ m.fragment_74_location_cors() }} +{%- endif %} +{{ m.fragment_75_location_end() }} +{% endfor %} +{%- endif %} +{%- endif %} +{# Close the HTTP server block #} +{{ m.fragment_90_end() }} +{% endif %} +{# Fragment-specific for HTTPS #} +{% if (ssl | bool == True and vhost_required | bool == True) -%} +{{ m.fragment_10_start_https() }} +{{ m.fragment_20_servername() -}} +{{ m.fragment_40_ssl() -}} +{{ m.fragment_50_root() }} +{{ m.fragment_55_include() -}} +{{ m.fragment_60_robots() }} +{% for item in nginx_paths | sort(attribute='sort_label') %} +{{ m.fragment_70_location_start(item) -}} +{{ m.fragment_73_location(item) -}} +{{ m.fragment_74_location_cors() }} +{{ m.fragment_75_location_end() }} +{% endfor %} +{# Close the HTTPS server block #} +{{ m.fragment_90_end() }} +{%- endif %} 
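Review bot: The connection-upgrade guard near the top of the template tests `item.is_websocket`, but `item` is not defined at that point — the removed task got it from `with_items: nginx_paths`, and here `item` only exists inside the two `for` loops further down. With Ansible's undefined handling `item.is_websocket is defined` evaluates false instead of erroring, so `fragment_06_connection` is never emitted and any websocket path that depends on it (presumably a `$connection_upgrade` map) will either fail `nginx -t` or lose upgrade handling silently; replace the test with a scan of the paths, `{% if nginx_paths | selectattr('is_websocket', 'defined') | map(attribute='is_websocket') | map('bool') | select | list %}`. The HTTPS branch also calls `fragment_74_location_cors()` unconditionally while the HTTP branch and the removed tasks gate it on `nginx_cors_origin_regexp is defined`, so hosts with no CORS origin configured either fail to render or receive CORS headers they never asked for; wrap the HTTPS call in the same `{% if nginx_cors_origin_regexp is defined %}` guard. Finally, `sort(attribute='sort_label')` requires every `nginx_paths` entry to carry `sort_label`, whereas the old fragment names fell back to `path | basename`; either make `sort_label` mandatory in the role defaults or drop the sort, since the order of `location` blocks matters for regex locations.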
diff --git a/ansible/roles/nginx_vhost/templates/nginx_vhost_default.j2 b/ansible/roles/nginx_vhost/templates/nginx_vhost_default.j2 new file mode 100644 index 000000000..dcd623550 --- /dev/null +++ b/ansible/roles/nginx_vhost/templates/nginx_vhost_default.j2 @@ -0,0 +1,12 @@ +{% import 'nginx_vhost_macros.j2' as m with context %} +{% if (ala_default_vhost and vhost_required) -%} +{{ m.ala_default_start() }} +{% for item in nginx_paths | sort(attribute='sort_label') %} +{{ m.fragment_70_location_start(item) -}} +{{ m.fragment_71_location_default(item) }} +{{ m.fragment_73_location(item) }} +{{ m.fragment_75_location_end() }} +{% endfor %} +{# Close the HTTPS server block #} +{{ m.ala_default_end() }} +{%- endif %} diff --git a/ansible/roles/nginx_vhost/templates/nginx_vhost_macros.j2 b/ansible/roles/nginx_vhost/templates/nginx_vhost_macros.j2 new file mode 100644 index 000000000..96d8a847c --- /dev/null +++ b/ansible/roles/nginx_vhost/templates/nginx_vhost_macros.j2 
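Review bot: The body of this template is wrapped in `{% if (ala_default_vhost and vhost_required) -%}` while the task that renders it in this commit only checks `vhost_required`, so when the default vhost is disabled the file is still written, just zero bytes long. The condition belongs in one place; keeping it on the task's `when:` avoids leaving an empty `ala_default.conf` in `sites-available` and an unnecessary reload. The closing comment `{# Close the HTTPS server block #}` is copied from the vhost template — this is the default (health-check) server, so `{# Close the default server block #}` would not mislead the next reader. `fragment_71_location_default` is rendered before `fragment_73_location` for every path, matching the old 71/73 fragment order, but the reason both are needed for the load-balancer health check is not visible here; a one-line comment above the loop stating it would help.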
@@ -0,0 +1,84 @@ +{% macro ala_default_start() -%} +{% include 'ala_default_start.j2' %} +{%- endmacro %} + +{% macro ala_default_end() -%} +{% include 'ala_default_end.j2' %} +{%- endmacro %} + +{% macro fragment_02_upstream(item) -%} +{% include 'fragment_02_upstream.j2' %} +{%- endmacro %} + +{% macro fragment_03_blocking() -%} +{% include 'fragment_03_blocking.j2' %} +{%- endmacro %} + +{% macro fragment_04_ratelimit() -%} +{% include 'fragment_04_ratelimit.j2' %} +{%- endmacro %} + +{% macro fragment_05_cache() -%} +{% include 'fragment_05_cache.j2' %} +{%- endmacro %} + +{% macro fragment_06_connection() -%} +{% include 'fragment_06_connection.j2' %} +{%- endmacro %} + +{% macro fragment_10_start_http() -%} +{% include 'fragment_10_start_http.j2' %} +{%- endmacro %} + +{% macro fragment_10_start_https() -%} +{% include 'fragment_10_start_https.j2' %} +{%- endmacro %} + +{% macro fragment_20_servername() -%} +{% include 'fragment_20_servername.j2' %} +{%- endmacro %} + +{% macro fragment_30_force_https() -%} +{% include 'fragment_30_force_https.j2' %} +{%- endmacro %} + +{% macro fragment_40_ssl() -%} +{% include 'fragment_40_ssl.j2' %} +{%- endmacro %} + +{% macro fragment_50_root() -%} +{% include 'fragment_50_root.j2' %} +{%- endmacro %} + +{% macro fragment_55_include() -%} +{% include 'fragment_55_include.j2' %} +{%- endmacro %} + +{% macro fragment_60_robots() -%} +{% include 'fragment_60_robots.j2' %} +{%- endmacro %} + +{% macro fragment_70_location_start(item) -%} +{% include 'fragment_70_location_start.j2' %} +{%- endmacro %} + +{% macro fragment_71_location_default(item) -%} +{% include 'fragment_71_location_default.j2' %} +{%- endmacro %} + +{% macro fragment_73_location(item) -%} +{% include 'fragment_73_location.j2' %} +{%- endmacro %} + +{% macro fragment_74_location_cors() -%} +{% include 'fragment_74_location_cors.j2' -%} +{%- endmacro %} + +{% macro fragment_75_location_end() -%} +{% include 'fragment_75_location_end.j2' %} +{%- endmacro %} + 
+{% macro fragment_90_end() -%} +{% include 'fragment_90_end.j2' %} +{%- endmacro %} +
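Review bot: `fragment_02_upstream`, `fragment_03_blocking` and `fragment_05_cache` are defined here but no template in this commit calls them, and the tasks that previously wrote those fragments into `conf.d` are removed in main.yml, so these three macros are dead code that masks a functional gap rather than closing it. Either call them from a template or delete them so the macro file reflects what is actually rendered. The macros rely on Jinja passing the macro's local variables (`item`) into `{% include %}`, which works but is non-obvious; a header comment such as `{# Each macro wraps one fragment include; macro arguments (item) reach the included fragment as locals #}` would document that contract. The `-%}` on the `fragment_74_location_cors` include is the only one with trailing whitespace control, which looks accidental; make it consistent with the other includes.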