From e95bd87ab577970f4dc1735bd617c871499a1eb9 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 27 May 2019 22:36:35 +0300
Subject: [PATCH] fix nginx/server role for openbsd
---
 roles/nginx/server/defaults/main.yml | 3 +++
 roles/nginx/server/tasks/main.yml | 7 +++++--
 roles/nginx/server/templates/nginx.conf.j2 | 17 +++++++++--------
 roles/nginx/server/vars/OpenBSD.yml | 3 +++
 4 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 roles/nginx/server/defaults/main.yml
 create mode 100644 roles/nginx/server/vars/OpenBSD.yml
diff --git a/roles/nginx/server/defaults/main.yml b/roles/nginx/server/defaults/main.yml
new file mode 100644
index 0000000..a0888ab
--- /dev/null
+++ b/roles/nginx/server/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+nginx_user: nginx
+nginx_logdir: /var/log/nginx
diff --git a/roles/nginx/server/tasks/main.yml b/roles/nginx/server/tasks/main.yml
index 6d06537..91e18f2 100644
--- a/roles/nginx/server/tasks/main.yml
+++ b/roles/nginx/server/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- name: include os-specific variables
+ include_vars: "{{ ansible_os_family }}.yml"
 - name: install nginx packages
 package:
@@ -11,7 +13,7 @@
 path: "{{ item }}"
 mode: 0755
 owner: root
- group: root
+ group: "{{ ansible_wheel }}"
 with_items:
 - /srv/web
 - "/srv/web/{{ inventory_hostname }}"
@@ -21,6 +23,7 @@
 sefcontext:
 path: /srv/web(/.*)?
 setype: httpd_sys_content_t
+ when: ansible_selinux_python_present == true
 - name: create nginx base config
 template:
@@ -28,7 +31,7 @@
 dest: /etc/nginx/nginx.conf
 mode: 0644
 owner: root
- group: root
+ group: "{{ ansible_wheel }}"
 notify: restart nginx
 - name: enable nginx service
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index 7dbdb3e..f594ede 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
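Review bot: The new defaults file declares only `nginx_user` and `nginx_logdir`, yet the same commit starts referencing `ansible_wheel` (both `group:` lines in tasks/main.yml) and `tls_certs`/`tls_private` (the `ssl_certificate*` lines in nginx.conf.j2) with no default in this role, so a host whose inventory does not supply them fails the `file` and `template` tasks with an undefined-variable error. Presumably these come from group_vars or another role; if so, a one-line comment here naming that source would save the next reader a search. If not, the paths the removed template lines hard-coded are the natural defaults, `tls_certs: /etc/pki/tls/certs` and `tls_private: /etc/pki/tls/private`, with the OpenBSD equivalents added to vars/OpenBSD.yml, and `ansible_wheel` would get the same treatment (`root` here, `wheel` in the OpenBSD vars).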
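Review bot: `include_vars: "{{ ansible_os_family }}.yml"` runs unconditionally, but the diffstat shows only vars/OpenBSD.yml being added, so on every other OS family (the template still special-cases RedHat) this task fails with a missing-file error unless a matching vars file already exists outside this commit. Since defaults/main.yml now carries the non-OpenBSD values, the include can be made optional with a first_found lookup that simply skips when no file matches, which keeps the RedHat path working without adding an empty RedHat.yml.
```yaml
- name: include os-specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - files:
        - "{{ ansible_os_family }}.yml"
      skip: true
```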
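Review bot: `when: ansible_selinux_python_present == true` compares a boolean fact against a literal, which ansible-lint flags (literal-compare); the idiomatic form is `when: ansible_selinux_python_present | bool`. If that fact is not collected on the OpenBSD hosts this commit targets, the condition itself raises an undefined-variable error before the `sefcontext` task is skipped, so `when: ansible_selinux_python_present | default(false) | bool` is the safer spelling; I cannot confirm from the hunk whether gather_facts sets it there. The `sefcontext` task this guards starts before the hunk.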
@@ -1,10 +1,11 @@
+{% if ansible_os_family == "RedHat" %}
 include /usr/share/nginx/modules/mod-http-xslt-filter.conf;
+{% endif %}
-user nginx;
+user {{ nginx_user }};
 worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
+error_log {{ nginx_logdir }}/error.log;
 events {
 worker_connections 1024;
@@ -14,7 +15,7 @@ http {
 log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $host';
- access_log /var/log/nginx/access.log main;
+ access_log {{ nginx_logdir }}/access.log main;
 ssl on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
@@ -27,11 +28,11 @@ http {
 listen [::]:443 ssl;
 server_name {{ inventory_hostname }};
- ssl_certificate /etc/pki/tls/certs/{{ inventory_hostname }}.crt;
- ssl_trusted_certificate /etc/pki/tls/certs/ca.crt;
- ssl_certificate_key /etc/pki/tls/private/{{ inventory_hostname }}.key;
+ ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
+ ssl_trusted_certificate {{ tls_certs }}/ca.crt;
+ ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
- ssl_client_certificate /etc/pki/tls/certs/ca.crt;
+ ssl_client_certificate {{ tls_certs }}/ca.crt;
 ssl_verify_client on;
 root /srv/web/{{ inventory_hostname }};
diff --git a/roles/nginx/server/vars/OpenBSD.yml b/roles/nginx/server/vars/OpenBSD.yml
new file mode 100644
index 0000000..930735f
--- /dev/null
+++ b/roles/nginx/server/vars/OpenBSD.yml
@@ -0,0 +1,3 @@
+---
+nginx_user: www
+nginx_logdir: /var/www/logs
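Review bot: `pid /run/nginx.pid;` is dropped outright rather than templated the way `user` and `error_log` are, so each platform now runs on whatever pid path its package compiled in; that is presumably what the respective service scripts expect, but nothing in the template says the omission is deliberate, and a later reader may "fix" it by re-adding the Linux path and break the OpenBSD service. A Jinja comment in its place would settle that: `{# pid directive intentionally omitted: each package's built-in default is what its service manager looks for #}`. If a fixed path is preferred, a `nginx_pidfile` variable alongside `nginx_logdir` in defaults/main.yml and vars/OpenBSD.yml would keep the directive explicit on both platforms.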