-rw-r--r--ansible/roles/nginx-custom-configs/handlers/main.yml5
-rw-r--r--ansible/roles/nginx-custom-configs/tasks/main.yml12
-rw-r--r--ansible/roles/nginx/tasks/main.yml63
-rw-r--r--ansible/roles/nginx/templates/tls_certs_list.j23
-rw-r--r--ansible/site.yml1
5 files changed, 71 insertions, 13 deletions
diff --git a/ansible/roles/nginx-custom-configs/handlers/main.yml b/ansible/roles/nginx-custom-configs/handlers/main.yml
new file mode 100644
index 0000000..94874ad
--- /dev/null
+++ b/ansible/roles/nginx-custom-configs/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart-nginx
+ service:
+ name: nginx
+ state: restarted
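Review bot: The handler uses `state: restarted`, which drops in-flight connections on every custom-config change; `state: reloaded` has nginx re-read conf.d while continuing to serve and still fails visibly on an invalid configuration. If the intent is to mirror the nginx role's own `restart-nginx` handler (not visible in this diff), the name can stay, but `reloaded` is the usual choice for config-only changes.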
diff --git a/ansible/roles/nginx-custom-configs/tasks/main.yml b/ansible/roles/nginx-custom-configs/tasks/main.yml
new file mode 100644
index 0000000..6abd05f
--- /dev/null
+++ b/ansible/roles/nginx-custom-configs/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: Write nginx custom configs
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/conf.d/{{ item | basename }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_fileglob:
+ - "files/{{ inventory_hostname }}/nginx/*"
+#TODO - allow files to be stored on a by-group basis, rather than a per-host basis
+# - "files/{{ ansible_role_names }}/nginx/*"
+ notify: restart-nginx \ No newline at end of file
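Review bot: The copy loop writes each fragment straight into conf.d and only notifies `restart-nginx`, so a syntactically broken fragment is installed and then restarts nginx into a failed state; because `validate:` cannot check a conf.d fragment in isolation, add a task after the loop such as `- name: Validate nginx configuration` / `command: nginx -t` / `changed_when: false`, which fails the play before handlers are flushed. `mode: 0644` is an unquoted octal literal; Ansible interprets it correctly, but ansible-lint's risky-octal rule flags it, so prefer `mode: "0644"`. The file also lacks the `---` document start that the sibling handlers file has and ends without a trailing newline.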
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index ca90f73..b163ae7 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -18,6 +18,56 @@
- letsencrypt.conf
- ssl.conf
+# We need to determine whether or not the tls_certs variable changed since the last time ansible was run.
+# we use a file /etc/nginx/ansible_automation_tls_certs_list to achieve this
+# first we touch the file (create an empty file if no file with that name existed)
+# then we make a copy of the file named /etc/nginx/ansible_automation_tls_certs_list_last
+# Finally, we write the tls_certs variable to the file via a jinja2 template
+# and we compare the two, the copy of the original and the one we just wrote.
+- name: ensure /etc/nginx/ansible_automation_tls_certs_list exists
+ file:
+ path: /etc/nginx/ansible_automation_tls_certs_list
+ state: touch
+
+- name: make a copy of the previous ansible_automation_tls_certs_list
+ copy:
+ remote_src: true
+ src: /etc/nginx/ansible_automation_tls_certs_list
+ dest: /etc/nginx/ansible_automation_tls_certs_list_last
+
+- name: write the new tls_certs variable to ansible_automation_tls_certs_list file
+ template:
+ src: tls_certs_list.j2
+ dest: /etc/nginx/ansible_automation_tls_certs_list
+ owner: root
+ group: root
+ mode: 0644
+
+- name: checksum the ansible_automation_tls_certs_list
+ stat:
+ path: /etc/nginx/ansible_automation_tls_certs_list
+ register: tls_certs_file
+
+- name: checksum the ansible_automation_tls_certs_list_last
+ stat:
+ path: /etc/nginx/ansible_automation_tls_certs_list_last
+ register: old_tls_certs_file
+
+# this way invalid configs cant prevent nginx from starting, thus preventing uacme from running
+- name: delete nginx custom configs if the tls_certs variable has changed
+ file:
+ path: /etc/nginx/conf.d
+ state: absent
+ when: tls_certs_file.stat.checksum != old_tls_certs_file.stat.checksum
+
+- name: ensure /etc/nginx/conf.d exists
+ file:
+ path: /etc/nginx/conf.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
- name: Configure base nginx
template:
src: default.conf.j2
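Review bot: The touch/copy/stat/compare chain (the five tasks from "ensure /etc/nginx/ansible_automation_tls_certs_list exists" through "checksum the ansible_automation_tls_certs_list_last") re-implements change detection that the `template` task already provides: registering its result and gating on `when: tls_certs_list.changed` gives the same decision with four fewer tasks and removes the `state: touch` task, which reports changed on every run because it updates the mtime. The only behavioural difference I can see is the very first run with an empty `tls_certs` list, where the template creates the file and reports changed, while the checksum comparison of two empty files would not. Separately, `mode: 0644` and `mode: 0755` are unquoted octals; Ansible accepts them, but ansible-lint flags them, so `mode: "0644"` / `mode: "0755"` is safer. `state: absent` on `/etc/nginx/conf.d` removes every file in that directory, not only the ones the nginx-custom-configs role manages, which is worth saying in the comment above that task. The "Configure base nginx" task continues outside the hunk.
```yaml
# … unchanged: letsencrypt.conf / ssl.conf list items above …
# Re-rendering the list file is itself the change signal: the template module
# reports `changed` whenever the rendered content differs from what is on disk.
- name: write the new tls_certs variable to ansible_automation_tls_certs_list file
  template:
    src: tls_certs_list.j2
    dest: /etc/nginx/ansible_automation_tls_certs_list
    owner: root
    group: root
    mode: "0644"
  register: tls_certs_list

# Removes everything under conf.d (not only role-managed files) so that a stale
# config referencing a removed cert cannot keep nginx from starting and block uacme.
- name: delete nginx custom configs if the tls_certs variable has changed
  file:
    path: /etc/nginx/conf.d
    state: absent
  when: tls_certs_list.changed

# … unchanged: ensure /etc/nginx/conf.d exists (quote its mode as "0755") …
```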
@@ -32,19 +82,6 @@
state: started
enabled: yes
-- name: Write nginx custom configs
- copy:
- src: "{{ item }}"
- dest: "/etc/nginx/conf.d/{{ item | basename }}"
- owner: root
- group: root
- mode: 0644
- with_fileglob:
- - "files/{{ inventory_hostname }}/nginx/*"
-#TODO - allow files to be stored on a by-group basis, rather than a per-host basis
-# - "files/{{ ansible_role_names }}/nginx/*"
- notify: restart-nginx
-
- name: Allow HTTP + HTTPS
iptables:
chain: INPUT
diff --git a/ansible/roles/nginx/templates/tls_certs_list.j2 b/ansible/roles/nginx/templates/tls_certs_list.j2
new file mode 100644
index 0000000..42f47ae
--- /dev/null
+++ b/ansible/roles/nginx/templates/tls_certs_list.j2
@@ -0,0 +1,3 @@
+{% for tls_cert in tls_certs %}
+{{ tls_cert }}
+{% endfor %} \ No newline at end of file
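Review bot: The rendered list is order-sensitive, so merely reordering `tls_certs` in the inventory changes the file's checksum and triggers the conf.d wipe in the nginx role even though the set of certificates is unchanged; `{% for tls_cert in tls_certs | sort %}` makes the signal depend on content only. Presumably `tls_certs` is always defined for hosts running this role (its definition is not in this diff); if it can be undefined the template will fail the play rather than render an empty list.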
diff --git a/ansible/site.yml b/ansible/site.yml
index f47b6e1..ec8ff7a 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -8,6 +8,7 @@
- common
- nginx
- uacme
+ - nginx-custom-configs
- name: setup DBServer
hosts: dbservers