Update to 2021-12-01 19:13

roles/nginx/tasks/conf.yml

@@ -0,0 +1,67 @@
+---
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest=/etc/nginx/{{ item }}
+  with_items:
+    - nginx.conf
+    - mime.types
+    - ansible_modules.d/10-common.conf
+    - ansible_location.d/10-status.conf
+    - ansible_conf.d/09-cacheable.conf
+    - ansible_conf.d/maintenance.inc
+    - ansible_conf.d/perf.inc
+    - ansible_conf.d/force_ssl.inc
+    - ansible_conf.d/acme.inc
+    - ansible_conf.d/custom.inc
+    - ansible_conf.d/cache.inc
+    - ansible_conf.d/10-cache.conf
+    - ansible_conf.d/10-perf.conf
+    - ansible_conf.d/10-limits.conf
+    - ansible_conf.d/10-ws.conf
+    - ansible_conf.d/10-ssl.conf
+    - ansible_conf.d/30-vhosts.conf
+  notify: reload nginx
+  tags: [web,conf]
+
+- name: Remove naxsi configuration
+  file: path=/etc/nginx/{{ item }} state=absent
+  loop:
+    - ansible_conf.d/naxsi.inc
+    - ansible_conf.d/10-naxsi_rules.conf
+  notify: reload nginx
+  tags: web,conf
+
+- name: Remove obsolete configuration
+  file: path=/etc/nginx/{{ item }} state=absent
+  with_items:
+    - ansible_conf.d/filter.inc
+    - ansible_conf.d/10-filter.conf
+    - ansible_conf.d/headers.inc
+  notify: reload nginx
+  tags: [web,conf]
+
+  # TODO make it configurable
+- name: Create dummy white and blacklist files for nginx
+  copy:
+    content: "# TODO"
+    dest: /etc/nginx/bots.d/{{ item }}
+  with_items:
+    - bad-referrer-words.conf
+    - blacklist-domains.conf
+    - blacklist-ips.conf
+    - blacklist-user-agents.conf
+    - custom-bad-referrers.conf
+    - whitelist-domains.conf
+    - whitelist-ips.conf
+  tags: web
+
+- name: Configure log rotation
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx
+  tags: web
+
+- name: Ensure log files has correct permission
+  file: path=/var/log/nginx/{{ item }} owner=nginx group=nginx state=touch
+  loop:
+    - error.log
+    - access.log
+  changed_when: False
+  tags: web

roles/nginx/tasks/dir.yml

@@ -0,0 +1,17 @@
+---
+- name: Create default root dir
+  file: path=/var/www/html state=directory
+  tags: web
+
+- name: Create ansible conf directory
+  file: path=/etc/nginx/{{ item }} state=directory
+  with_items:
+    - ansible_conf.d
+    - ansible_modules.d
+    - ansible_location.d
+    - bots.d
+  tags: web
+
+- name: Create cache directory
+  file: path=/var/cache/nginx state=directory mode=700 owner=nginx group=nginx
+  tags: web

roles/nginx/tasks/facts.yml

@@ -0,0 +1,32 @@
+---
+- name: List http ports
+  set_fact: nginx_ports={{ nginx_ports + (nginx_vhosts | selectattr('port','defined') | map(attribute='port') | list) | flatten | unique }}
+  tags: [firewall,web]
+
+- name: List https ports
+  set_fact: nginx_ssl_ports={{ nginx_ssl_ports + (nginx_vhosts | selectattr('ssl','defined') | selectattr('ssl.port','defined') | map(attribute='ssl.port') | list) | flatten | unique }}
+  tags: [firewall,web]
+
+- set_fact: nginx_cert_path={{ '/var/lib/dehydrated/certificates/certs/' + nginx_letsencrypt_cert + '/fullchain.pem' }}
+  when: nginx_letsencrypt_cert is defined
+  tags: [web,conf]
+- set_fact: nginx_key_path={{ '/var/lib/dehydrated/certificates/certs/' + nginx_letsencrypt_cert + '/privkey.pem' }}
+  when: nginx_letsencrypt_cert is defined
+  tags: [web,conf]
+
+- name: Merge vhosts settings with defaults
+  set_fact: nginx_vhosts_conf={{ nginx_vhosts_conf | default([]) + [ nginx_default_vhost | combine(item, recursive=True) ] }}
+  with_items: "{{ nginx_vhosts }}"
+  tags: [web,conf]
+- set_fact: nginx_vhosts={{ nginx_vhosts_conf | default([]) }}
+  tags: [web,conf]
+
+- name: Check if Lemonldap::NG is installed
+  stat: path=/etc/lemonldap-ng/lemonldap-ng.ini
+  register: nginx_llng
+  tags: web
+
+- name: Check if llng_header.inc conf is installed
+  stat: path=/etc/nginx/ansible_conf.d/llng_headers.inc
+  register: nginx_llng_headers
+  tags: web

roles/nginx/tasks/filebeat.yml

@@ -0,0 +1,4 @@
+---
+- name: Deploy filebeat module
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_modules.d/nginx.yml
+  tags: web,log

roles/nginx/tasks/htpasswd.yml

@@ -0,0 +1,15 @@
+---
+- name: Create or update htpasswd files
+  htpasswd:
+    path: "{{ item[0].path }}"
+    name: "{{ item[1].login }}"
+    password: "{{ item[1].pass | default(omit) }}"
+    owner: root
+    group: nginx
+    mode: 0640
+    state: "{{ (item[1].state | default('present')) }}"
+  with_subelements:
+    - "{{ nginx_htpasswd }}"
+    - users
+  tags: web
+

roles/nginx/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+
+- include: install_openresty.yml
+  when: nginx_openresty
+
+- include: install_nginx.yml
+  when: not nginx_openresty
+

roles/nginx/tasks/install_nginx.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Remove openresty
+  yum:
+    name:
+      - openresty
+    state: absent
+  tags: web
+
+- name: Enable 1.16 module
+  shell: |
+    yum -y module reset nginx
+    yum -y module enable nginx:1.16
+  args:
+    warn: False
+  changed_when: False
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version is version('8', '>=')
+  tags: web
+
+- name: Install nginx
+  yum:
+    name:
+      - nginx
+      - nginx-all-modules
+  tags: web
+

roles/nginx/tasks/install_openresty.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Check if nginx is installed
+  stat: path=/lib/systemd/system/nginx.service
+  register: nginx_nginx_service
+  tags: web
+
+- name: Stop nginx
+  service: name=nginx state=stopped
+  when: nginx_nginx_service.stat.exists
+  tags: web
+
+- name: Create the nginx user account
+  user:
+    name: nginx
+    system: True
+    shell: /sbin/nologin
+    home: /var/lib/nginx
+  tags: web
+
+- name: Prepare directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /var/lib/nginx/tmp
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/cache/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/log/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /usr/share/nginx
+    - dir: /etc/nginx
+    - dir: /usr/local/openresty/nginx
+  tags: web
+
+  # Create links so openresty uses nginx compatible paths
+- name: Prepare links
+  file: src={{ item.src }} dest={{ item.dest }} state=link
+  loop:
+    - src: /etc/nginx
+      dest: /usr/local/openresty/nginx/conf
+    - src: /var/log/nginx
+      dest: /usr/local/openresty/nginx/logs
+    - src: /usr/share/nginx
+      dest: /usr/local/openresty/nginx/html
+  tags: web
+
+- name: Remove nginx
+  yum:
+    name:
+      - nginx
+    state: absent
+  tags: web
+
+- name: Install packages
+  yum:
+    name:
+      - openresty
+  tags: web
+
+- name: Add a link to nginx in /sbin
+  file: src=/usr/local/openresty/nginx/sbin/nginx dest=/sbin/nginx state=link
+  tags: web
+

roles/nginx/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+- name: Handle HTTP and HTTPS ports
+  iptables_raw:
+    name: nginx_ports
+    state: "{{ (nginx_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ (nginx_ports + nginx_ssl_ports) | join(',') }} -s {{ nginx_src_ip | join(',') }} -j ACCEPT\n"
+  when: iptables_manage | default(True)
+  tags: [firewall,web]

roles/nginx/tasks/letsencrypt.yml

@@ -0,0 +1,95 @@
+---
+- name: Create dehydrated hook dir
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory
+  tags: web
+
+- name: Deploy dehydrated deploy hook
+  copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/11nginx.sh mode=755
+  tags: web
+
+- name: Check if Let's Encrypt cert for the default vhost exists
+  stat: path=/var/lib/dehydrated/certificates/certs/{{ nginx_letsencrypt_cert }}/fullchain.pem
+  register: nginx_letsencrypt_default_cert
+  when: nginx_letsencrypt_cert is defined
+  tags: web
+
+- name: Create directory for the default certificate
+  file: path=/var/lib/dehydrated/certificates/certs/{{ nginx_letsencrypt_cert }}/ state=directory
+  when: nginx_letsencrypt_cert is defined
+  tags: web
+
+- name: Link certificate to the self signed default one
+  file: src=/etc/nginx/ssl/{{ item.src }}.pem dest=/var/lib/dehydrated/certificates/certs/{{ nginx_letsencrypt_cert }}/{{ item.dest }}.pem state=link
+  with_items:
+    - src: cert
+      dest: fullchain
+    - src: key
+      dest: privkey
+  when:
+    - nginx_letsencrypt_cert is defined
+    - nginx_letsencrypt_default_cert.stat is defined
+    - not nginx_letsencrypt_default_cert.stat.exists
+  tags: web
+
+- name: Check if Let's Encrypt's cert exist
+  stat: path=/var/lib/dehydrated/certificates/certs/{{ item.ssl.letsencrypt_cert }}/fullchain.pem
+  register: nginx_letsencrypt_certs
+  with_items: "{{ nginx_vhosts }}"
+  when: item.ssl.letsencrypt_cert is defined
+  tags: web
+
+- name: Create directories for missing Let's Encrypt cert
+  file: path=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }} state=directory
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt cert to the default one
+  file: src={{ nginx_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/fullchain.pem state=link
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt key to the default one
+  file: src={{ nginx_key_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/privkey.pem state=link
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Check if Let's Encrypt's cert exist (auto certificates)
+  stat: path=/var/lib/dehydrated/certificates/certs/{{ item.name }}/fullchain.pem
+  register: nginx_letsencrypt_certs
+  with_items: "{{ nginx_vhosts }}"
+  when: item.ssl.cert is not defined and item.ssl.letsencrypt_cert is not defined and nginx_auto_letsencrypt_cert
+  tags: web
+
+- name: Create directories for missing Let's Encrypt cert (auto certificates)
+  file: path=/var/lib/dehydrated/certificates/certs/{{ item.item.name }} state=directory
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt cert to the default one (auto certificates)
+  file: src={{ nginx_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.name }}/fullchain.pem state=link
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt key to the default one (auto certificates)
+  file: src={{ nginx_key_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.name }}/privkey.pem state=link
+  with_items: "{{ nginx_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+

roles/nginx/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- include: install.yml
+- include: facts.yml
+- include: ssl.yml
+- include: dir.yml
+- include: conf.yml
+- include: letsencrypt.yml
+- include: selinux.yml
+- include: iptables.yml
+- include: htpasswd.yml
+- include: service.yml
+- include: filebeat.yml

roles/nginx/tasks/selinux.yml

@@ -0,0 +1,24 @@
+---
+- name: Allow network connections in SELinux
+  seboolean: name={{ item }} state=True persistent=True
+  with_items:
+    - httpd_can_network_connect
+  when: ansible_selinux.status == 'enabled'
+  tags: web
+
+- name: Allow nginx to bind on ports
+  seport: ports={{ (nginx_ports + nginx_ssl_ports ) | join(',') }} proto=tcp setype=http_port_t state=present
+  when: ansible_selinux.status == 'enabled'
+  tags: web
+
+- name: Ensure correct context on cache
+  sefcontext:
+    target: '/var/cache/nginx(/.*)?'
+    setype: httpd_cache_t
+  register: nginx_cache_context
+  tags: web
+
+- name: Restore context of cache files
+  command: restorecon -R /var/cache/nginx
+  changed_when: nginx_cache_context.changed
+  tags: web

roles/nginx/tasks/service.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Unit]
+      Description=The nginx HTTP and reverse proxy server
+      After=syslog.target network-online.target remote-fs.target nss-lookup.target
+      Wants=network-online.target
+      
+      [Service]
+      Type=forking
+      PIDFile=/run/nginx.pid
+      ExecStartPre={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }} -t
+      ExecStartPre=/bin/rm -f /run/nginx.pid
+      ExecStart={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }}
+      ExecReload=/bin/kill -s HUP $MAINPID
+      ExecStop=/bin/kill -s QUIT $MAINPID
+      PrivateTmp=true
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=5
+      
+      [Install]
+      WantedBy=multi-user.target
+    dest: /etc/systemd/system/nginx.service
+  register: nginx_unit
+  notify: restart nginx
+  tags: web
+
+- name: Remove obsolete unit conf
+  file: path=/etc/systemd/system/nginx.service.d/ansible.conf state=absent
+  tags: web
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: nginx_unit.changed
+  tags: web
+
+- name: Start and enable the service
+  service: name=nginx state=started enabled=True
+  tags: web

roles/nginx/tasks/ssl.yml

@@ -0,0 +1,14 @@
+---
+- import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/nginx/ssl/cert.pem
+    - cert_key_path: /etc/nginx/ssl/key.pem
+    - cert_user: nginx
+  tags: web
+
+- name: Create DH param
+  command: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+  args:
+    creates: /etc/nginx/ssl/dhparam.pem
+  tags: web
+