simplify nginx role templating

- remove the handling of which template to use - do not access parent role - update riot-web nginx configuration - update icinga role to use new nginx templating - update synapse nginx configuration - update matrix role to use new nginx templates - update dokuwiki to use new nginx template - extend nginx template in dokuwiki - update login role to new nginx templates - add protocol for default option - add extra block to nginx template - update riote-web version - fix template extension for riot web nginx definition - update login template for nginx endpoint
7 years ago · 5d2fd43425
--- a/roles/dokuwiki/meta/main.yaml
+++ b/roles/dokuwiki/meta/main.yaml
@ -1,6 +1,4 @@
 ---
 dependencies:
  - role: nginx
    php: true
    config_name: "dokuwiki"
    parent_role_path: "dokuwiki"
    server_fqdn: "wiki.lilik.it"
--- a/roles/dokuwiki/tasks/main.yaml
+++ b/roles/dokuwiki/tasks/main.yaml
@ -1,15 +1,23 @@
 ---
 - name: install dokuwiki and associated packages
  apt:
      name: "{{ item }}"
      state: present
      update_cache: yes
      cache_valid_time: 3600
    name: "{{ item }}"
    state: present
    update_cache: yes
    cache_valid_time: 3600
  with_items:
      - dokuwiki
    - dokuwiki
 - name: add nginx configurations
  template:
    src: dokuwiki.conf
    dest: "/etc/nginx/locations/{{ server_fqdn }}/dokuwiki.conf"
  notify:
    - restart nginx
 - name: Write dokuwiki configuration to local.php
  copy:
    src: dokuwiki.php
    dest: /etc/dokuwiki/local.php
  notify:
      - restart nginx
    - restart nginx
--- a/roles/dokuwiki/templates/dokuwiki.conf
+++ b/roles/dokuwiki/templates/dokuwiki.conf
@ -0,0 +1,24 @@
 {% extends "proxy.conf.nginx.j2" %}
    {% block proxy_conf %}
        root /usr/share/dokuwiki;
        index doku.php;
        location ~ /(data/|conf/|bin/|inc/|install.php) { deny all; }
        location / { try_files $uri $uri/ @dokuwiki; }
        location @dokuwiki {
            rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
            rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
            rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
            rewrite ^/(.*) /doku.php?id=$1&$args last;
        }
        location ~ \.php$ {
            try_files $uri $uri/ /doku.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param REDIRECT_STATUS 200;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }
    {% endblock %}
--- a/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2
+++ b/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2
@ -1,20 +0,0 @@
    root /usr/share/dokuwiki;
    index doku.php;
    location ~ /(data/|conf/|bin/|inc/|install.php) { deny all; }
    location / { try_files $uri $uri/ @dokuwiki; }
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1&$args last;
    }
    location ~ \.php$ {
        try_files $uri $uri/ /doku.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
--- a/roles/icinga2/meta/main.yaml
+++ b/roles/icinga2/meta/main.yaml
@ -1,7 +1,5 @@
 ---
 dependencies:
  - role: nginx
    php: true
    parent_role_path: "icinga2"
    config_name: "icinga2"
    server_fqdn: "status.lilik.it"
  - role: postgresql
--- a/roles/icinga2/tasks/main.yaml
+++ b/roles/icinga2/tasks/main.yaml
@ -1,3 +1,4 @@
 ---
 - name: configure icinga2-ido-pgsql (host)
  debconf:
      name: 'icinga2-ido-pgsql'
@ -100,3 +101,10 @@
    mode: 0770
  with_items:
    - /etc/icinga2/conf.d/hosts/
 - name: add nginx configurations
  template:
    src: icinga.conf
    dest: "/etc/nginx/locations/{{ server_fqdn }}/service.conf"
  notify:
    - restart nginx
--- a/roles/icinga2/templates/icinga2.conf.nginx.j2
+++ b/roles/icinga2/templates/icinga2.conf.nginx.j2
--- a/roles/login/defaults/main.yaml
+++ b/roles/login/defaults/main.yaml
@ -1 +1,5 @@
 ---
 ldap_server: ldap.dmz.lilik
 proxy_location_path: api
 remote_host: "http://localhost:5000"
 server_fqdn: "login.lilik.it"
--- a/roles/login/meta/main.yaml
+++ b/roles/login/meta/main.yaml
@ -1,8 +1,4 @@
 ---
 dependencies:
  - role: nginx
    is_proxy: true
    config_name: "login"
    remote_host: "http://localhost:5000"
    server_fqdn: "login.lilik.it"
    parent_role_path: "login"
--- a/roles/login/tasks/main.yaml
+++ b/roles/login/tasks/main.yaml
@ -61,6 +61,13 @@
    mode: 0664
    state: file
 - name: add nginx configurations
  template:
    src: login.conf
    dest: "/etc/nginx/locations/{{ server_fqdn }}/login.conf"
  notify:
    - restart nginx
 - name: reload systemd
  systemd:
    daemon_reload: yes
--- a/roles/login/templates/login.conf
+++ b/roles/login/templates/login.conf
@ -0,0 +1,5 @@
 {% extends "roles/nginx/templates/service.conf" %}
 {% block extra %}
    root /srv/login/static;
 {% block extra %}
--- a/roles/login/templates/login.conf.nginx.j2
+++ b/roles/login/templates/login.conf.nginx.j2
@ -1 +0,0 @@
    rewrite ^/$ /static/index.html permanent;
--- a/roles/matrix-synapse/meta/main.yaml
+++ b/roles/matrix-synapse/meta/main.yaml
@ -1,8 +1,4 @@
 ---
 dependencies:
  - role: nginx
    is_proxy: true
    parent_role_path: "matrix-synapse"
    remote_host: "http://127.0.0.1:8008/_matrix"
    proxy_location_path: "_matrix"
    server_fqdn: "{{ ansible_hostname }}.lilik.it"
    server_fqdn: "matrix.lilik.it"
--- a/roles/matrix-synapse/tasks/main.yaml
+++ b/roles/matrix-synapse/tasks/main.yaml
@ -1,9 +1,10 @@
 ---
 - name: set synapse server name
  debconf:
      name: 'matrix-synapse'
      question: 'matrix-synapse/server-name'
      vtype: 'string'
      value: '{{ ansible_hostname }}'
    name: 'matrix-synapse'
    question: 'matrix-synapse/server-name'
    vtype: 'string'
    value: '{{ ansible_hostname }}'
 - name: install synapse
  include_role:
@ -25,7 +26,15 @@
    - /etc/matrix-synapse
    - /etc/matrix-synapse/conf.d
 - template:
 - name: upload synapse reverse proxy conf
  template:
    src: synapse.conf
    dest: "/etc/nginx/locations/{{ server_fqdn }}/synapse.conf"
  notify:
    - restart nginx
 - name: upload synapse conf
  template:
    src: homeserver.yaml.j2
    dest: /etc/matrix-synapse/homeserver.yaml
  notify: "restart matrix-synapse"
--- a/roles/matrix-synapse/templates/synapse.conf
+++ b/roles/matrix-synapse/templates/synapse.conf
@ -0,0 +1 @@
 {% extends "roles/nginx/templates/service.conf" %}
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,38 +1,2 @@
 ---
 is_proxy: false
 php: false
 config_name: null
 # max body size in Mb
 max_body_size: 8
 server_fqdn: "{{ ansible_hostname }}.lilik.it"
 proxy_location_path: ''
 # Same example usages:
 #
 #   Redirect trakt folder to a proxy on fqdn_domain,
 #   create a location file in /etc/nginx/locations/media.lilik.it/trakt.conf
 #     dependencies:
 #       - role: nginx
 #         is_proxy: true
 #         proxy_location_path: "trakt"
 #         remote_host: "http://localhost:5000"
 #         server_fqdn: "media.lilik.it"
 #         parent_role_path: "trakt"
 #
 #   Serve a location based on role template 'kodi-repository.conf.nginx.j2' on fqdn_domain,
 #   create a location file in /etc/nginx/locations/media.lilik.it/kodi-repository.conf
 #     dependencies:
 #       - role: nginx
 #         config_name: "kodi-repository"
 #         server_fqdn: "{{ fqdn_domain }}"
 #         parent_role_path: "kodi-repository"
 #
 #   Serve a location based on role template 'roundcube.conf.nginx.j2' on fqdn_domain,
 #   create a location file in /etc/nginx/locations/media.lilik.it/roundcube.conf,
 #   serve php file using php pfm
 #     dependencies:
 #       - role: nginx
 #         php: true
 #         config_name: "roundcube"
 #         server_fqdn: "webmail.lilik.it"
 #         parent_role_path: "roundcube"
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@ -1,11 +1,10 @@
 ---
 - include_role:
    name: service
  # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
  vars:
    service_name: nginx
    service_packages:
        - nginx
      - nginx
 - name: disable nginx default configuration
  file:
@ -13,27 +12,6 @@
    state: absent
  notify: restart nginx
 - name: install php-fpm
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes
    cache_valid_time: 3600
  with_items:
      - php-fpm
  when: php | bool
  notify:
      - restart nginx
 - name: add timezone to php.ini
  lineinfile:
    dest: /etc/php/7.0/fpm/php.ini
    regexp: '^;?date.timezone ='
    line: 'date.timezone = Europe/Berlin'
  when: php | bool
  notify:
      - restart nginx
 - name: create nginx location configuration directory
  file:
    path: '{{ item }}'
@ -47,23 +25,10 @@
 - name: upload nginx configuration
  template:
      src: base.j2
      dest: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
    src: base.j2
    dest: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
  notify:
      - restart nginx
 # - name: add nginx configurations
 #   template:
 #       src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
 #       dest: /etc/nginx/sites-available/{{ item }}.conf
 #   with_items: "{{ config_names }}"
 #   notify:
 #       - restart nginx
 # - name: add proxy to config_names
 #   set_fact:
 #     config_names: "{{ config_names | union( [config_name])}}"
 #   when: is_proxy | bool
    - restart nginx
 - name: create Diffie Hellman exchange parameters
  command: openssl dhparam -out /etc/nginx/dhparam.pem 2048
@ -73,24 +38,7 @@
 - name: enable nginx configurations
  file:
      src: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ server_fqdn }}.conf"
      state: link
  # with_items: "{{ config_names }}"
    src: "/etc/nginx/sites-available/{{ server_fqdn }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ server_fqdn }}.conf"
    state: link
  notify: restart nginx
 - name: upload nginx location configuration from parent role
  template:
      src: "roles/{{ parent_role_path }}/templates/{{ config_name }}.conf.nginx.j2"
      dest: "/etc/nginx/locations/{{ server_fqdn }}/{{ config_name }}.conf"
  notify:
      - restart nginx
  when: 'config_name is not none'
 - name: upload nginx location configuration for proxy
  template:
      src: proxy.conf.nginx.j2
      dest: "/etc/nginx/locations/{{ server_fqdn }}/{{ parent_role_path or 'proxy' }}.conf"
  notify:
      - restart nginx
  when: 'is_proxy'
--- a/roles/nginx/templates/proxy.conf.nginx.j2
+++ b/roles/nginx/templates/proxy.conf.nginx.j2
@ -1,11 +0,0 @@
    location /{{ proxy_location_path }} {
        client_max_body_size {{ max_body_size }}M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass {{ remote_host }};
    }
--- a/roles/nginx/templates/service.conf
+++ b/roles/nginx/templates/service.conf
@ -0,0 +1,20 @@
 {% block proxy_conf %}
    {#
        This is the default block that gets included if the
        child template does not declare a {% block proxy_conf %}
    #}
    location /{{ proxy_location_path | default("")}} {
        client_max_body_size {{ max_body_size | default(8) }}M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass {{ remote_host | default("http://127.0.0.1:8080") }};
    }
 {% endblock %}
 {% block extra %}
 {% endblock %}
--- a/roles/riot-web/defaults/main.yaml
+++ b/roles/riot-web/defaults/main.yaml
@ -1,2 +1,4 @@
 # Based on https://github.com/vector-im/riot-web/releases
 riot_web_version: "v0.12.2"
 ---
 riot_web_version: "v0.15.4"
 server_fqdn: "{{ ansible_hostname }}.lilik.it"
--- a/roles/riot-web/tasks/main.yaml
+++ b/roles/riot-web/tasks/main.yaml
@ -18,6 +18,13 @@
    owner: www-data
    group: www-data
 - template:
    src: riot.conf
    dest: "/etc/nginx/locations/{{ server_fqdn }}/riot.conf"
  notify:
    - restart nginx
 - template:
    src: config.json.j2
    dest: "/srv/riot-web/riot-{{ riot_web_version }}/config.json"
--- a/roles/riot-web/templates/riot.conf
+++ b/roles/riot-web/templates/riot.conf
@ -0,0 +1,7 @@
 {% extends "roles/nginx/templates/service.conf" %}
 {% block proxy_conf %}
 location / {
    root /srv/riot-web/riot-{{ riot_web_version }};
 }
 {% endblock %}
--- a/roles/riot-web/templates/riot.conf.nginx.j2
+++ b/roles/riot-web/templates/riot.conf.nginx.j2
@ -1,3 +0,0 @@
 location / {
    root /srv/riot-web/riot-{{ riot_web_version }};
 }