---
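- name: Install nginx
  package:
    name: nginx
    state: present

# Snippet files are rendered root-owned and world-readable, the same ownership
# and mode the later template tasks in this file use, so a run without
# privileges fails loudly here instead of leaving a mixed-ownership tree.
- name: Create snippets dir
  file:
    path: /etc/nginx/snippets
    state: directory
    owner: root
    group: root
    mode: '0755'

# letsencrypt.conf and ssl.conf come from templates of the same name with a
# .j2 suffix; the TLS parameters themselves live in ssl.conf.j2 (not shown
# here) and should be reviewed separately.
- name: Create snippets
  template:
    src: "{{ item }}.j2"
    dest: "/etc/nginx/snippets/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  with_items:
    - letsencrypt.conf
    - ssl.conf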

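# Detect whether the tls_certs variable changed since the last run.
# The rendered value is kept in /etc/nginx/ansible_automation_tls_certs_list.
# Before it is rewritten, the previous version is copied to
# /etc/nginx/ansible_automation_tls_certs_list_last; afterwards the checksums
# of the two files are compared.
#
# The list is world-readable (0644). That is fine if tls_certs only carries
# hostnames / certificate paths -- TODO confirm it never contains key material.
#
# An empty file is created only when none exists (force: false), so this task
# is idempotent; `file: state=touch` would bump the mtime and report "changed"
# on every run.
- name: ensure /etc/nginx/ansible_automation_tls_certs_list exists
  copy:
    content: ''
    dest: /etc/nginx/ansible_automation_tls_certs_list
    force: false
    owner: root
    group: root
    mode: '0644'

- name: make a copy of the previous ansible_automation_tls_certs_list
  copy:
    remote_src: true
    src: /etc/nginx/ansible_automation_tls_certs_list
    dest: /etc/nginx/ansible_automation_tls_certs_list_last
    owner: root
    group: root
    mode: '0644'

- name: write the new tls_certs variable to ansible_automation_tls_certs_list file
  template:
    src: tls_certs_list.j2
    dest: /etc/nginx/ansible_automation_tls_certs_list
    owner: root
    group: root
    mode: '0644'

- name: checksum the ansible_automation_tls_certs_list
  stat:
    path: /etc/nginx/ansible_automation_tls_certs_list
  register: tls_certs_file

- name: checksum the ansible_automation_tls_certs_list_last
  stat:
    path: /etc/nginx/ansible_automation_tls_certs_list_last
  register: old_tls_certs_file

# When the certificate list changed, wipe conf.d entirely so that a server
# block referencing a certificate that does not exist yet cannot stop nginx
# from starting (and, per the original author, uacme from running).
# NOTE: this removes anything placed in conf.d by hand or by other roles as
# well. On the very first run the list always differs (empty -> rendered), so
# conf.d is wiped then too.
- name: delete nginx custom configs if the tls_certs variable has changed
  file:
    path: /etc/nginx/conf.d
    state: absent
  when: tls_certs_file.stat.checksum != old_tls_certs_file.stat.checksum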

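# conf.d may have just been removed by the change-detection step above, so it
# is recreated unconditionally before the base config is rendered into it.
- name: ensure /etc/nginx/conf.d exists
  file:
    path: /etc/nginx/conf.d
    state: directory
    owner: root
    group: root
    mode: '0755'

# Modes are quoted strings: an unquoted 0644 is parsed by YAML as an octal
# integer, which Ansible tolerates here but the docs advise against.
- name: Configure base nginx
  template:
    src: default.conf.j2
    dest: /etc/nginx/conf.d/default.conf
    owner: root
    group: root
    mode: '0644'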

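# state=started only starts a stopped service: an nginx that is already
# running keeps its previous configuration. None of the template tasks in
# this file notify a reload handler, so a reload after a config change has to
# come from elsewhere (presumably whatever runs uacme) -- verify that before
# relying on a playbook run to roll out new vhosts or TLS settings.
- name: Start nginx
  service:
    name: nginx
    state: started
    enabled: true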

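# Rules added by the iptables module are live only: they are not saved and do
# not survive a reboot unless another task persists them. They are appended
# (the module default), so they only take effect if no earlier INPUT rule
# already rejects this traffic. Only IPv4 is opened here (no ip_version: ipv6).
- name: Allow HTTP + HTTPS
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ item }}"
    jump: ACCEPT
  with_items:
    - '80'
    - '443'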