From ae969d9ce372d064ddbdadd4f282438b4df30e97 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 17 May 2019 11:00:19 +0300
Subject: [PATCH] initial version of nginx role
---
 roles/nginx/server/handlers/main.yml | 6 ++++
 roles/nginx/server/tasks/main.yml | 32 +++++++++++++++++
 roles/nginx/server/templates/nginx.conf.j2 | 41 ++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 roles/nginx/server/handlers/main.yml
 create mode 100644 roles/nginx/server/tasks/main.yml
 create mode 100644 roles/nginx/server/templates/nginx.conf.j2
diff --git a/roles/nginx/server/handlers/main.yml b/roles/nginx/server/handlers/main.yml
new file mode 100644
index 0000000..f7639fd
--- /dev/null
+++ b/roles/nginx/server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml
new file mode 100644
index 0000000..a265754
--- /dev/null
+++ b/roles/nginx/server/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+
+- name: install nginx packages
+ package:
+ name: nginx
+ state: installed
+
+- name: create nginx data directories
+ file:
+ state: directory
+ path: "{{ item }}"
+ mode: 0755
+ owner: root
+ group: root
+ with_items:
+ - /srv/web
+ - "/srv/web/{{ inventory_hostname }}"
+
+- name: create nginx base config
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ mode: 0644
+ owner: root
+ group: root
+ notify: restart nginx
+
+- name: enable nginx service
+ service:
+ name: nginx
+ state: started
+ enabled: yes
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
new file mode 100644
index 0000000..b968c49
--- /dev/null
+++ b/roles/nginx/server/templates/nginx.conf.j2
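Review bot: `state: restarted` drops every in-flight connection whenever the template changes, and if the new nginx.conf fails to parse the service stays down; `state: reloaded` (also accepted by the `service` module) makes nginx re-read its configuration gracefully, and on a parse failure the master process keeps serving with the previous configuration. This handler is only notified by the `create nginx base config` task in tasks/main.yml, so a reload covers that use; keep a `restarted` handler only for changes that genuinely need a full process restart.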
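Review bot: the `create nginx base config` task installs an nginx.conf that points at `/etc/pki/tls/certs/{{ inventory_hostname }}.crt` and `/etc/pki/tls/private/{{ inventory_hostname }}.key`, which no task in this role deploys, so on a host without those files the `enable nginx service` task (`state: started`) and the `restart nginx` handler presumably fail and leave nginx down. Adding `validate: 'nginx -t -c %s'` to the template task rejects a broken rendering before it replaces the live config, and an explicit `stat` on the key with a matching `assert` would make the missing-certificate case a clear error instead of a service-start failure. The `/etc/nginx/conf.d/{{ inventory_hostname }}` directory the template includes from is never created either; adding it to the `with_items` list of `create nginx data directories` keeps per-host drop-ins from being silently ignored. `state: installed` is a yum-era alias; `state: present` is the documented value for the generic `package` module.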
@@ -0,0 +1,41 @@
+
+include /usr/share/nginx/modules/mod-http-xslt-filter.conf;
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" $host';
+ access_log /var/log/nginx/access.log main;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+ ssl_prefer_server_ciphers on;
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name {{ inventory_hostname }};
+
+ ssl_certificate /etc/pki/tls/certs/{{ inventory_hostname }}.crt;
+ ssl_trusted_certificate /etc/pki/tls/certs/ca.crt;
+ ssl_certificate_key /etc/pki/tls/private/{{ inventory_hostname }}.key;
+
+ root /srv/web/{{ inventory_hostname }};
+
+ include /etc/nginx/conf.d/{{ inventory_hostname }}/*.conf;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+
+}
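Review bot: `ssl on;` at http level is deprecated and redundant, since `listen 443 ssl` already enables TLS for the server block, and `ssl_trusted_certificate` is inert here because neither `ssl_stapling on` nor `ssl_verify_client` is configured, so the CA chain is loaded but never used. The TLS stanza also sets no `ssl_session_timeout`, leaves session tickets enabled (which weakens forward secrecy across restarts unless the ticket key is rotated), uses a `builtin` session cache the nginx docs advise against in favour of `shared:` alone, and keeps the CBC suites (`*-AES256-SHA384`, `*-AES128-SHA256`) alongside the AEAD ones. The server block sends no `add_header Strict-Transport-Security "max-age=63072000" always;`, `server_tokens` stays at its default, and the top-level `include /usr/share/nginx/modules/mod-http-xslt-filter.conf` loads a module nothing in this config uses. A tightened version of the http-level TLS settings is below; the stapling lines are what give `ssl_trusted_certificate` a purpose.

```nginx
http {
    # … unchanged: log_format / access_log …

    server_tokens off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # … unchanged: server { … } block and conf.d include …
```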