INF-113 - nginx ansible role
Initial commit
disabled the default site, and added default_site as an option
Use nginx repo for newer version
Change-Id: I994a1f2f2f18cc2d1c42a2d9bb7321835a5dd1a1
diff --git a/.cookiecutter_params.json b/.cookiecutter_params.json
new file mode 100644
index 0000000..9ea4f5e
--- /dev/null
+++ b/.cookiecutter_params.json
@@ -0,0 +1,24 @@
+{
+ "_template": "cookiecutters/role/",
+ "author": "Open Networking Foundation",
+ "company": "Open Networking Foundation",
+ "description": "NGINX Web Server",
+ "email": "support@opennetworking.org",
+ "issue_tracker_url": "https://jira.opennetworking.org/",
+ "license": "Apache-2.0",
+ "min_ansible_version": "2.9.5",
+ "molecule_privileged": "true",
+ "platform": "deleteme",
+ "platforms": {
+ "Ubuntu": [
+ "16.04",
+ "18.04"
+ ]
+ },
+ "role_defaults": {
+ "example_default1": "example_value1",
+ "example_default2": "example_value2"
+ },
+ "role_name": "nginx",
+ "year": "2020"
+}
diff --git a/.gitreview b/.gitreview
new file mode 100644
index 0000000..f3a5f3d
--- /dev/null
+++ b/.gitreview
@@ -0,0 +1,5 @@
+[gerrit]
+host=gerrit.opencord.org
+port=29418
+project=ansible/role/nginx.git
+defaultremote=origin
diff --git a/.reuse/dep5 b/.reuse/dep5
new file mode 100644
index 0000000..4de5ce8
--- /dev/null
+++ b/.reuse/dep5
@@ -0,0 +1,14 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+# from: https://github.com/mozilla/ssl-config-generator/blob/master/src/static/ffdhe2048.txt
+Files: files/ffdhe2048.txt
+Copyright: 2019 Mozilla
+License: MPL-2.0
+
+Files: files/nginx_signing.key
+Copyright: 2020 Nginx, Inc.
+License: BSD-2-Clause
+
+Files: .cookiecutter_params.json VERSION .gitreview
+Copyright: 2020 Open Networking Foundation
+License: Apache-2.0
diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSES/Apache-2.0.txt
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/LICENSES/BSD-2-Clause.txt b/LICENSES/BSD-2-Clause.txt
new file mode 100644
index 0000000..2d2bab1
--- /dev/null
+++ b/LICENSES/BSD-2-Clause.txt
@@ -0,0 +1,22 @@
+Copyright (c) <year> <owner>. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/MPL-2.0.txt b/LICENSES/MPL-2.0.txt
new file mode 100644
index 0000000..09f2798
--- /dev/null
+++ b/LICENSES/MPL-2.0.txt
@@ -0,0 +1,312 @@
+Mozilla Public License Version 2.0
+
+ 1. Definitions
+
+1.1. "Contributor" means each individual or legal entity that creates, contributes
+to the creation of, or owns Covered Software.
+
+1.2. "Contributor Version" means the combination of the Contributions of others
+(if any) used by a Contributor and that particular Contributor's Contribution.
+
+ 1.3. "Contribution" means Covered Software of a particular Contributor.
+
+1.4. "Covered Software" means Source Code Form to which the initial Contributor
+has attached the notice in Exhibit A, the Executable Form of such Source Code
+Form, and Modifications of such Source Code Form, in each case including portions
+thereof.
+
+ 1.5. "Incompatible With Secondary Licenses" means
+
+(a) that the initial Contributor has attached the notice described in Exhibit
+B to the Covered Software; or
+
+(b) that the Covered Software was made available under the terms of version
+1.1 or earlier of the License, but not also under the terms of a Secondary
+License.
+
+1.6. "Executable Form" means any form of the work other than Source Code Form.
+
+1.7. "Larger Work" means a work that combines Covered Software with other
+material, in a separate file or files, that is not Covered Software.
+
+ 1.8. "License" means this document.
+
+1.9. "Licensable" means having the right to grant, to the maximum extent possible,
+whether at the time of the initial grant or subsequently, any and all of the
+rights conveyed by this License.
+
+ 1.10. "Modifications" means any of the following:
+
+(a) any file in Source Code Form that results from an addition to, deletion
+from, or modification of the contents of Covered Software; or
+
+(b) any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor means any patent claim(s), including
+without limitation, method, process, and apparatus claims, in any patent Licensable
+by such Contributor that would be infringed, but for the grant of the License,
+by the making, using, selling, offering for sale, having made, import, or
+transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License" means either the GNU General Public License, Version
+2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General
+Public License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form" means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your") means an individual or a legal entity exercising rights
+under this License. For legal entities, "You" includes any entity that controls,
+is controlled by, or is under common control with You. For purposes of this
+definition, "control" means (a) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or otherwise,
+or (b) ownership of more than fifty percent (50%) of the outstanding shares
+or beneficial ownership of such entity.
+
+ 2. License Grants and Conditions
+
+ 2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
+license:
+
+(a) under intellectual property rights (other than patent or trademark) Licensable
+by such Contributor to use, reproduce, make available, modify, display, perform,
+distribute, and otherwise exploit its Contributions, either on an unmodified
+basis, with Modifications, or as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer for
+sale, have made, import, and otherwise transfer either its Contributions or
+its Contributor Version.
+
+ 2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution become
+effective for each Contribution on the date the Contributor first distributes
+such Contribution.
+
+ 2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under this
+License. No additional rights or licenses will be implied from the distribution
+or licensing of Covered Software under this License. Notwithstanding Section
+2.1(b) above, no patent license is granted by a Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software; or
+
+(b) for infringements caused by: (i) Your and any other third party's modifications
+of Covered Software, or (ii) the combination of its Contributions with other
+software (except as part of its Contributor Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of its
+Contributions.
+
+This License does not grant any rights in the trademarks, service marks, or
+logos of any Contributor (except as may be necessary to comply with the notice
+requirements in Section 3.4).
+
+ 2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to distribute
+the Covered Software under a subsequent version of this License (see Section
+10.2) or under the terms of a Secondary License (if permitted under the terms
+of Section 3.3).
+
+ 2.5. Representation
+
+Each Contributor represents that the Contributor believes its Contributions
+are its original creation(s) or it has sufficient rights to grant the rights
+to its Contributions conveyed by this License.
+
+ 2.6. Fair Use
+
+This License is not intended to limit any rights You have under applicable
+copyright doctrines of fair use, fair dealing, or other equivalents.
+
+ 2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+Section 2.1.
+
+ 3. Responsibilities
+
+ 3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any Modifications
+that You create or to which You contribute, must be under the terms of this
+License. You must inform recipients that the Source Code Form of the Covered
+Software is governed by the terms of this License, and how they can obtain
+a copy of this License. You may not attempt to alter or restrict the recipients'
+rights in the Source Code Form.
+
+ 3.2. Distribution of Executable Form
+
+ If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code Form,
+as described in Section 3.1, and You must inform recipients of the Executable
+Form how they can obtain a copy of such Source Code Form by reasonable means
+in a timely manner, at a charge no more than the cost of distribution to the
+recipient; and
+
+(b) You may distribute such Executable Form under the terms of this License,
+or sublicense it under different terms, provided that the license for the
+Executable Form does not attempt to limit or alter the recipients' rights
+in the Source Code Form under this License.
+
+ 3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice, provided
+that You also comply with the requirements of this License for the Covered
+Software. If the Larger Work is a combination of Covered Software with a work
+governed by one or more Secondary Licenses, and the Covered Software is not
+Incompatible With Secondary Licenses, this License permits You to additionally
+distribute such Covered Software under the terms of such Secondary License(s),
+so that the recipient of the Larger Work may, at their option, further distribute
+the Covered Software under the terms of either this License or such Secondary
+License(s).
+
+ 3.4. Notices
+
+You may not remove or alter the substance of any license notices (including
+copyright notices, patent notices, disclaimers of warranty, or limitations
+of liability) contained within the Source Code Form of the Covered Software,
+except that You may alter any license notices to the extent required to remedy
+known factual inaccuracies.
+
+ 3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support, indemnity
+or liability obligations to one or more recipients of Covered Software. However,
+You may do so only on Your own behalf, and not on behalf of any Contributor.
+You must make it absolutely clear that any such warranty, support, indemnity,
+or liability obligation is offered by You alone, and You hereby agree to indemnify
+every Contributor for any liability incurred by such Contributor as a result
+of warranty, support, indemnity or liability terms You offer. You may include
+additional disclaimers of warranty and limitations of liability specific to
+any jurisdiction.
+
+ 4. Inability to Comply Due to Statute or Regulation
+
+If it is impossible for You to comply with any of the terms of this License
+with respect to some or all of the Covered Software due to statute, judicial
+order, or regulation then You must: (a) comply with the terms of this License
+to the maximum extent possible; and (b) describe the limitations and the code
+they affect. Such description must be placed in a text file included with
+all distributions of the Covered Software under this License. Except to the
+extent prohibited by statute or regulation, such description must be sufficiently
+detailed for a recipient of ordinary skill to be able to understand it.
+
+ 5. Termination
+
+5.1. The rights granted under this License will terminate automatically if
+You fail to comply with any of its terms. However, if You become compliant,
+then the rights granted under this License from a particular Contributor are
+reinstated (a) provisionally, unless and until such Contributor explicitly
+and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor
+fails to notify You of the non-compliance by some reasonable means prior to
+60 days after You have come back into compliance. Moreover, Your grants from
+a particular Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the first
+time You have received notice of non-compliance with this License from such
+Contributor, and You become compliant prior to 30 days after Your receipt
+of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent infringement
+claim (excluding declaratory judgment actions, counter-claims, and cross-claims)
+alleging that a Contributor Version directly or indirectly infringes any patent,
+then the rights granted to You by any and all Contributors for the Covered
+Software under Section 2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end
+user license agreements (excluding distributors and resellers) which have
+been validly granted by You or Your distributors under this License prior
+to termination shall survive termination.
+
+ 6. Disclaimer of Warranty
+
+Covered Software is provided under this License on an "as is" basis, without
+warranty of any kind, either expressed, implied, or statutory, including,
+without limitation, warranties that the Covered Software is free of defects,
+merchantable, fit for a particular purpose or non-infringing. The entire risk
+as to the quality and performance of the Covered Software is with You. Should
+any Covered Software prove defective in any respect, You (not any Contributor)
+assume the cost of any necessary servicing, repair, or correction. This disclaimer
+of warranty constitutes an essential part of this License. No use of any Covered
+Software is authorized under this License except under this disclaimer.
+
+ 7. Limitation of Liability
+
+Under no circumstances and under no legal theory, whether tort (including
+negligence), contract, or otherwise, shall any Contributor, or anyone who
+distributes Covered Software as permitted above, be liable to You for any
+direct, indirect, special, incidental, or consequential damages of any character
+including, without limitation, damages for lost profits, loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all other commercial
+damages or losses, even if such party shall have been informed of the possibility
+of such damages. This limitation of liability shall not apply to liability
+for death or personal injury resulting from such party's negligence to the
+extent applicable law prohibits such limitation. Some jurisdictions do not
+allow the exclusion or limitation of incidental or consequential damages,
+so this exclusion and limitation may not apply to You.
+
+ 8. Litigation
+
+Any litigation relating to this License may be brought only in the courts
+of a jurisdiction where the defendant maintains its principal place of business
+and such litigation shall be governed by laws of that jurisdiction, without
+reference to its conflict-of-law provisions. Nothing in this Section shall
+prevent a party's ability to bring cross-claims or counter-claims.
+
+ 9. Miscellaneous
+
+This License represents the complete agreement concerning the subject matter
+hereof. If any provision of this License is held to be unenforceable, such
+provision shall be reformed only to the extent necessary to make it enforceable.
+Any law or regulation which provides that the language of a contract shall
+be construed against the drafter shall not be used to construe this License
+against a Contributor.
+
+ 10. Versions of the License
+
+ 10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section 10.3,
+no one other than the license steward has the right to modify or publish new
+versions of this License. Each version will be given a distinguishing version
+number.
+
+ 10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version of
+the License under which You originally received the Covered Software, or under
+the terms of any subsequent version published by the license steward.
+
+ 10.3. Modified Versions
+
+If you create software not governed by this License, and you want to create
+a new license for such software, you may create and use a modified version
+of this License if you rename the license and remove any references to the
+name of the license steward (except to note that such modified license differs
+from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With Secondary
+Licenses under the terms of this version of the License, the notice described
+in Exhibit B of this License must be attached. Exhibit A - Source Code Form
+License Notice
+
+This Source Code Form is subject to the terms of the Mozilla Public License,
+v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
+one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+This Source Code Form is "Incompatible With Secondary Licenses", as defined
+by the Mozilla Public License, v. 2.0.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9074558
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,39 @@
+# nginx Makefile
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+SHELL = bash -eu -o pipefail
+
+.DEFAULT_GOAL := help
+.PHONY: test lint yamllint ansiblelint license help
+
+test: ## run tests on the playbook with molecule
+ molecule --version
+ molecule test
+
+lint: yamllint ansiblelint ## run all lint checks
+
+# all YAML files
+YAML_FILES ?= $(shell find . -type f \( -name '*.yaml' -o -name '*.yml' \) -print )
+
+yamllint: ## lint check with yamllint
+ yamllint --version
+ yamllint \
+ -d "{extends: default, rules: {line-length: {max: 99}}}" \
+ -s $(YAML_FILES)
+
+ansiblelint: ## lint check with ansible-lint
+ ansible-lint --version
+ ansible-lint -v .
+ ansible-lint -v molecule/*/*
+
+license: ## Check license with the reuse tool
+ reuse --version
+ reuse --root . lint
+
+help: ## Print help for each target
+ @echo nginx test targets
+ @echo
+ @grep '^[[:alnum:]_-]*:.* ##' $(MAKEFILE_LIST) \
+ | sort | awk 'BEGIN {FS=":.* ## "}; {printf "%-25s %s\n", $$1, $$2};'
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..707378c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,221 @@
+<!--
+SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+SPDX-License-Identifier: Apache-2.0
+--!>
+# nginx
+
+NGINX Web Server
+
+## Requirements
+
+Minimum tested Ansible version: 2.9.5
+
+## What this role does
+
+This runs an nginx web server, which can be configured to to:
+
+1. Serve static files
+2. Redirect traffic to another location
+3. Reverse proxy for another service
+
+It also can provide TLS termination (and a 301 redirect from http:// to
+https:// URLs if TLS is enabled), as well as providing HTTP Basic
+Authentication support.
+
+The TLS configuration settings are designed to qualify for a minimum of an *A*
+rating (as of 2020-07-04) on the [Qualsys SSL Labs server
+test](https://www.ssllabs.com/), using the recommendations from the [Mozilla
+SSL configuration generator](https://ssl-config.mozilla.org/).
+
+HTTP Basic authentication covers the entire root (`/`) of the site, and can
+also apply to proxied connections.
+
+To allow LetsEncrypt and other ACME based certificate issuing programs to
+function, the `http://<anything>/.well-known/acme-challenge` uri on all hosts
+is served from a directory specified by the `acme_challenge_dir` variable. This
+also works for redirects, basic authentication required, and reverse proxied
+sites.
+
+If the role or configuration has changed and the templated files are changed
+when the role is re-run, backups of the configuration files will be generated
+on the target host.
+
+Before restarting the `nginx` daemon on the host system, the entire
+configuration will be checked by running `nginx -t` by the `test-nginx-config`
+handler. If this handler fails, it will give the running admin a chance to fix
+any configuration problems prior to restarting the daemon, but will leave the
+configuration in a broken state.
+
+## What this role doesn't do
+
+This is an opinionated role and only handles the most common use cases. It does
+not handle:
+
+- Every configuration option available in nginx. The [official nginx
+ role](https://github.com/nginxinc/ansible-role-nginx) has many more
+ configuration options exposed, at a cost of being much more complicated to
+ configure.
+
+- Complicated redirect rules. The grammar for these was too complicated to make
+ into a general case, so if they're required use the `extra_config` which is
+ loaded into the `server {}` configuration scope, and specify rules using the
+ [rewrite module](http://nginx.org/en/docs/http/ngx_http_rewrite_module.html)
+
+- Wildcard matching of domains. These were generally done to host many sites
+ behind one TLS certificate, which is less needed now that we have
+ LetsEncrypt. Define site aliases instead, setting `cert_name` and use SAN to
+ generate a multi-domain certificate.
+
+## How do I obtain certificates for many domains?
+
+This is a bit of a chicken/egg problem. Here's one solution:
+
+1. Run the `acme` role with no config to create the challenge dir and user
+ accounts that will own that dir.
+
+2. Run this role without TLS configured in the variable files, to create
+ virtualhosts that can obtain http-01 challenges.
+
+3. Run the `acme` role to obtain and install LetsEncrypt certificate for just
+ the `cert_name` domain.
+
+4. Configure TLS for all domains then rerun this role
+
+5. Rerun the `acme` role to obtain and install certificates for all the
+ domains. It will restart `nginx`.
+
+Or, use DNS based challenges with `acme`, which don't depend on nginx serving
+the challenges.
+
+## Defaults
+
+There are several global config options, which apply to all sites being hosted.
+
+``` yaml
+# http://nginx.org/en/docs/ngx_core_module.html#worker_processes
+nginx_conf_worker_processes: "auto"
+
+# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
+nginx_conf_worker_connections: 512
+
+# http://nginx.org/en/docs/ngx_core_module.html#multi_accept
+nginx_conf_multi_accept: "off"
+
+# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+nginx_conf_client_max_body_size: "1m"
+
+# location of TLS certificates
+certificate_dir: "/etc/acme/certs"
+
+# location of ACME Challenges (LetsEncrypt)
+acme_challenge_dir: "/srv/acme"
+
+# ACME software user name for setting permissions on challenge dir
+# NOTE: this will cause failures if you haven't previously run the the acme
+# role, so override it when that role isn't being used.
+acme_username: "acme"
+```
+
+The `vhosts` is used to define virtualhosts on the nginx server. This is a list
+of all available options:
+
+``` yaml
+vhosts:
+ - name: site.example.com # name of the server being used.
+ tls: true # whether or not to enable TLS. Requires that certificates be created.
+ cert_name: static.example.com # used to specify the filepath to the TLS certificate, if a multi-domain SAN cert is used. Default is to use the `name` value
+ owner: root # username of owner of static files for this virtualhost, used to delegate the ability to update a static site.
+ insecure_port: 80 # default http:// port
+ secure_port: 443 # default https:// port
+ auth_scope: "mysite" # which item in auth_scopes to use for passwords. Setting this enables HTTP Basic Auth.
+ proxy_pass: "http://localhost:8080" # set this to the URL to reverse proxy traffic to another service
+ custom_root: "/path/to/site/root" # set this to serve files from a nonstandard (not /srv/sites/<url>) location
+ autoindex: false # whether or not to automatically generate an index in directories that lack an index.html file
+ aliases: # list of domain aliases to redirect
+ - static.example.com
+ - www.example.com
+ redirect_url: https://google.com # destination for 301 redirection of the aliases
+ strip_request_uri: true # Set to true to strip off the path at the end of the URI when redirecting
+ extra_config: | # Extra arbitrary configuration to put inside the server {} block
+ <arbitrary configuration>
+```
+
+To provide HTTP basic auth, you can create an item in `auth_scopes`, which
+gives a scope and lists of usernames and password.
+
+This configuration is separate from the vhosts block so scopes can be reused on
+multiple sites, and so that passwords can be can be stored in a separate
+configuration file. The passwords are encrypted using [salted
+SHA1](http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html#auth_basic_user_file).
+
+``` yaml
+auth_scopes:
+ - scope: mysite
+ users:
+ - name: ghopper
+ password: verysecurepassword
+ - name: dknuth
+ password: anotherpassword
+ - scope: othersite
+ users:
+ - name: aturing
+ password: yetanotherpw
+```
+
+### Example: Static site without TLS enabled
+
+``` yaml
+vhosts:
+ - name: site.example.com
+```
+
+### Example: Static site with TLS enabled
+
+> NOTE: Must create TLS certificates outside of this role. The recommended role
+> to do this is the `acme` role.
+
+``` yaml
+vhosts:
+ - name: site.example.com
+ tls: true
+```
+
+### Example: Proxy site with TLS enabled
+
+``` yaml
+vhosts:
+ - name: site.example.com
+ tls: true
+ proxy_pass: "http://localhost:8080"
+```
+
+## Example Playbook
+
+```yaml
+- hosts: all
+ vars:
+ - vhosts:
+ - name: site.example.com
+ roles:
+ - nginx
+```
+
+## Testing
+
+There are many tests in the `molecule/` directory, covering static, autoindexed
+authenticated, redirect, and proxy examples.
+
+If you want to add functionality to this role, please write tests to cover that
+functionality.
+
+## License and Author
+
+© 2020 Open Networking Foundation <info@opennetworking.org>
+
+License: Apache-2.0
+
+`files/ffdhe2048.txt` was obtained from the [Mozilla SSL configuration
+generator website](https://ssl-config.mozilla.org/) and appears to be under
+MPL-2.0, as it came from the
+[mozilla/ssl-config-generator](https://github.com/mozilla/ssl-config-generator/)
+repo.
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..c0ab82c
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.0.1-dev
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..70e2731
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+# nginx defaults/main.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+# nginx_conf_* items go into the global nginx.conf file
+# Values set here are the same as default settings in nginx docs
+#
+# Upstream docs:
+# http://nginx.org/en/docs/ngx_core_module.html
+# http://nginx.org/en/docs/http/ngx_http_core_module.html
+
+# http://nginx.org/en/docs/ngx_core_module.html#worker_processes
+nginx_conf_worker_processes: "auto"
+
+# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
+nginx_conf_worker_connections: 512
+
+# http://nginx.org/en/docs/ngx_core_module.html#multi_accept
+nginx_conf_multi_accept: "off"
+
+# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+nginx_conf_client_max_body_size: "1m"
+
+# location of TLS certificates
+certificate_dir: "/etc/acme/certs"
+
+# webroot directory for acme challenges (aiso in acme/letsencrypt roles)
+acme_challenge_dir: "/etc/acme/challenges"
+
+# ACME software user name for setting permissions on challenge dir
+# NOTE: this will cause failures if you haven't previously run the the acme
+# role, so override it when that role isn't being used.
+acme_username: "acme"
+
+# vhosts is a list of virtualhosts to configure - see README.md
+vhosts: []
+
+# authentication scope dict to create htpasswd files - see README.md
+auth_scopes: {}
diff --git a/files/ffdhe2048.txt b/files/ffdhe2048.txt
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/files/ffdhe2048.txt
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/files/nginx_signing.key b/files/nginx_signing.key
new file mode 100644
index 0000000..d2258b8
--- /dev/null
+++ b/files/nginx_signing.key
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
+W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
+QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
+fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
+97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
+XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
+a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV
+CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol
+kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr
+KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG
+F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN
+1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD
+oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi
+MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
+YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
+JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
+Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
+RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
+SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
+Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
+cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
+YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
+Va3l3WuB+rgKjsQ=
+=EWWI
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ee748ab
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,28 @@
+---
+# nginx handlers/main.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: test-nginx-config
+ # test that the entire set of config files are correct
+ #
+ # NOTE: handlers are run in the order they are listed in this file, so it's
+ # listed first before starting/reloading/restarting the daemon
+ command:
+ cmd: "nginx -t -c {{ nginx_conf_dir }}/nginx.conf"
+
+- name: start-nginx
+ service:
+ name: "{{ nginx_service }}"
+ state: started
+
+- name: reload-nginx
+ service:
+ name: "{{ nginx_service }}"
+ state: reloaded
+
+- name: restart-nginx
+ service:
+ name: "{{ nginx_service }}"
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..5807e9b
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,26 @@
+---
+# nginx meta/main.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+galaxy_info:
+ author: Open Networking Foundation
+ description: NGINX Web Server
+ company: Open Networking Foundation
+
+ issue_tracker_url: https://jira.opennetworking.org/
+
+ license: Apache-2.0
+
+ min_ansible_version: 2.9.5
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - "18.04"
+
+ galaxy_tags:
+ - nginx
+
+dependencies: []
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..791dac6
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,43 @@
+---
+# nginx molecule/default/verify.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Converge
+ hosts: all
+ vars:
+ acme_username: "www-data" # make independent of the acme role
+ vhosts:
+ - name: "static.example.com"
+ default_server: true
+ extra_config: |
+ location /teapot {
+ return 418;
+ }
+ - name: "autoindex.example.com"
+ autoindex: true
+ - name: "authenticated.example.com"
+ auth_scope: "mysite"
+ - name: "proxy.example.com"
+ proxy_pass: "http://localhost:8000"
+ - name: "redirects"
+ aliases:
+ - "redirect.example.com"
+ redirect_url: "https://destination.example.com"
+ strip_request_uri: true
+ auth_scopes:
+ - scope: mysite
+ users:
+ - name: ghopper
+ password: verysecurepassword
+ - name: dknuth
+ password: anotherpassword
+ - scope: othersite
+ users:
+ - name: aturing
+ password: yetanotherpw
+ tasks:
+ - name: "Include nginx"
+ include_role:
+ name: "nginx"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..5c40573
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+# nginx molecule/default/molecule.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: "ubuntu-18.04-priv"
+ image: "quay.io/paulfantom/molecule-systemd:ubuntu-18.04"
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..829bbf1
--- /dev/null
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,15 @@
+---
+# nginx molecule/default/prepare.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Prepare
+ hosts: all
+
+ tasks:
+ - name: Install GPG to support adding apt repo keys
+ apt:
+ name: "gpg"
+ state: "present"
+ update_cache: true
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..5e2e15c
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,203 @@
+---
+# nginx molecule/default/verify.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Verify
+ hosts: all
+ vars:
+ nginx_static_dir: "/srv/sites"
+ tasks:
+
+ # Static site tests
+ - name: Create a test file to be served for the static site
+ lineinfile:
+ path: "{{ nginx_static_dir }}/static.example.com/index.html"
+ line: "This file is served from static.example.com"
+ mode: 0644
+ create: true
+
+ - name: Test that static site is being served with index.yaml
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "static.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'This file is served from static.example.com' not in webpage.content"
+
+ - name: Test that the static site is the default site
+ uri:
+ url: http://127.0.0.1/
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'This file is served from static.example.com' not in webpage.content"
+
+ - name: Delete static site test file
+ file:
+ path: "{{ nginx_static_dir }}/static.example.com/index.html"
+ mode: 0644
+ state: absent
+
+ - name: Verify that 403 is returned when no index.html file exists and autoindex is off
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "static.example.com"
+ status_code: 403
+
+ - name: See if extra_config (teapot with code 418 at /teapot) is working
+ uri:
+ url: http://127.0.0.1/teapot
+ headers:
+ Host: "static.example.com"
+ status_code: 418
+
+ - name: Create a yaml file to check that MIME config is working
+ copy:
+ dest: "{{ nginx_static_dir }}/static.example.com/example.yaml"
+ mode: 0644
+ content: |
+ ---
+ # example YAML file
+
+ - name: Retrieve YAML file
+ uri:
+ url: http://127.0.0.1/example.yaml
+ headers:
+ Host: "static.example.com"
+ status_code: 200
+ return_content: true
+ register: webpagey
+
+ - name: Assert that yaml file uses text/yaml MIME type
+ assert:
+ that:
+ - webpagey['content_type'] == 'text/yaml'
+
+ - name: Delete yaml test file
+ file:
+ path: "{{ nginx_static_dir }}/static.example.com/example.yaml"
+ state: absent
+
+ # Test nginx autoindex
+ - name: Create a test dir to be served for the autoindex site
+ file:
+ path: "{{ nginx_static_dir }}/autoindex.example.com/autoindex_example_dir"
+ mode: 0755
+ state: directory
+
+ - name: Test that autoindex is created and lists directory
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "autoindex.example.com"
+ status_code: 200
+ return_content: true
+ register: webpageai
+ failed_when: "'autoindex_example_dir' not in webpageai.content"
+
+ - name: Delete test dir for autoindex site
+ file:
+ path: "{{ nginx_static_dir }}/autoindex.example.com/autoindex_example_dir"
+ state: absent
+
+ # HTTP Basic Authentication tests
+ - name: Create a test file to be served for the authenticated site
+ lineinfile:
+ path: "{{ nginx_static_dir }}/authenticated.example.com/index.html"
+ line: "This file is served from authenticated.example.com"
+ mode: 0644
+ create: true
+
+ - name: Test that the authenticated file can't be accessed without authentication
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 401
+
+ - name: Test that the authenticated file can be accessed by authorized user
+ uri:
+ url: http://127.0.0.1/
+ url_username: "ghopper"
+ url_password: "verysecurepassword"
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'authenticated.example.com' not in webpage.content"
+
+ - name: Test that the authenticated file can't be accessed by unauthorized user
+ uri:
+ url: http://127.0.0.1/
+ url_username: "aturing"
+ url_password: "yetanotherpw"
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 401
+
+ - name: Delete authenticated site test file
+ file:
+ path: "{{ nginx_static_dir }}/authenticated.example.com/index.html"
+ state: absent
+
+ # Proxy tests
+ - name: Verify that when proxy isn't running, NGINX returns a 502 "Bad Gateway" error
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "proxy.example.com"
+ status_code: 502
+
+ - name: Create a test file to be served by the proxy
+ lineinfile:
+ path: "/tmp/index.html"
+ line: "This file is served from proxy.example.com"
+ mode: 0644
+ create: true
+
+ - name: Run a python http.server as proxy target for 20 seconds in the background
+ shell: >-
+ (cd /tmp;
+ python3 -m http.server & PY_PID=$!;
+ echo "server running: $PY_PID";
+ sleep 20;
+ kill $PY_PID) &
+ tags:
+ - skip_ansible_lint
+
+ - name: Wait 10 seconds for Python http.server to get started
+ pause:
+ seconds: 10
+
+ - name: Test that the proxy site is being served
+ uri:
+ url: http://127.0.0.1
+ headers:
+ Host: "proxy.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'proxy.example.com' not in webpage.content"
+
+ - name: Delete proxy site test file
+ file:
+ path: "/tmp/index.html"
+ state: absent
+
+ # Redirect tests
+ - name: Check that 301 redirect is being served
+ uri:
+ url: http://127.0.0.1
+ headers:
+ Host: "redirect.example.com"
+ follow_redirects: "none"
+ status_code: 301
+ return_content: true
+ register: webpage
+ failed_when: "webpage.location != 'https://destination.example.com'"
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
new file mode 100644
index 0000000..eebc077
--- /dev/null
+++ b/tasks/Debian.yml
@@ -0,0 +1,32 @@
+---
+# nginx tasks/Debian.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+# Docs: http://nginx.org/en/linux_packages.html
+- name: Add NGINX apt repo key
+ apt_key:
+ data: "{{ lookup('file','nginx_signing.key') }}"
+ state: "present"
+
+- name: Add NGINX apt repo
+ apt_repository:
+ repo: >-
+ deb http://nginx.org/packages/{{ ansible_lsb['id'] | lower }}
+ {{ ansible_lsb['codename'] }} nginx
+ update_cache: true
+
+- name: Install NGINX packages (Debian)
+ apt:
+ name: "{{ nginx_packages }}"
+ state: "present"
+ update_cache: true
+ cache_valid_time: 3600
+ notify:
+ - start-nginx
+
+- name: Enable NGINX Service
+ service:
+ name: "{{ nginx_service }}"
+ enabled: true
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..f88f50e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,121 @@
+---
+# nginx tasks/main.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: include OS-specific vars
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: include OS-specific tasks
+ include_tasks: "{{ ansible_os_family }}.yml"
+
+- name: Create Static Virtualhost root directories
+ when: >
+ (item.proxy_pass is not defined or not item.proxy_pass) and
+ (item.redirect_url is not defined)
+ file:
+ state: directory
+ path: "{{ nginx_static_dir }}/{{ item.name }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ nginx_groupname }}"
+ mode: 0755
+ with_items: "{{ vhosts }}"
+
+- name: Create directory for ACME challenges files
+ file:
+ state: directory
+ path: "{{ acme_challenge_dir }}"
+ owner: "{{ acme_username }}"
+ group: "{{ nginx_groupname }}"
+ mode: 0755
+
+- name: Create directory for auth_basic htpasswd files
+ file:
+ state: directory
+ path: "{{ nginx_auth_basic_dir }}"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0750
+
+- name: Create auth_basic htpasswd files
+ htpasswd:
+ name: "{{ item.1.name }}"
+ password: "{{ item.1.password }}"
+ path: "{{ nginx_auth_basic_dir }}/{{ item.0.scope }}.htpasswd"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0640
+ crypt_scheme: ldap_salted_sha1
+ with_subelements:
+ - "{{ auth_scopes }}"
+ - users
+ no_log: true
+
+# file obtained on 2020-07-05 from https://ssl-config.mozilla.org/ffdhe2048.txt
+- name: Copy over Mozilla-supplied dhparam config file
+ copy:
+ src: "ffdhe2048.txt"
+ dest: "{{ nginx_conf_dir }}/dhparam"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0644
+
+- name: Global NGINX configuration from template
+ template:
+ src: "nginx.conf.j2"
+ dest: "{{ nginx_conf_dir }}/nginx.conf"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0644
+ backup: true
+ validate: "nginx -t -c %s"
+ notify:
+ - test-nginx-config
+ - reload-nginx
+
+# this is needed when using the NGINX apt repo, already exists in the
+# ubuntu/debian distro version
+- name: Create sites-available and sites-enabled directories
+ file:
+ state: directory
+ path: "{{ nginx_conf_dir }}/{{ item }}"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0755
+ with_items:
+ - "sites-available"
+ - "sites-enabled"
+
+- name: Create VirtualHost configurations from template
+ template:
+ src: "vhost.conf.j2"
+ dest: "{{ nginx_conf_dir }}/sites-available/{{ item.name }}.conf"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ mode: 0644
+ backup: true
+ with_items: "{{ vhosts }}"
+ notify:
+ - test-nginx-config
+ - reload-nginx
+
+- name: Disable default host
+ file:
+ state: absent
+ path: "{{ nginx_conf_dir }}/sites-enabled/default"
+
+- name: Enable VirtualHosts via symlink
+ file:
+ state: link
+ src: "{{ nginx_conf_dir }}/sites-available/{{ item.name }}.conf"
+ dest: "{{ nginx_conf_dir }}/sites-enabled/{{ item.name }}.conf"
+ owner: root
+ group: "{{ nginx_groupname }}"
+ with_items: "{{ vhosts }}"
+ notify:
+ - test-nginx-config
+ - reload-nginx
+
+- name: Flush handlers to reconfigure before dependent roles run (acme, etc.)
+ meta: flush_handlers
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..01ff7d1
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,62 @@
+# nginx templates/nginx.conf.j2 - {{ ansible_managed }}
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+user {{ nginx_username }};
+
+pid {{ nginx_pid_file }};
+
+worker_processes {{ nginx_conf_worker_processes }};
+
+include {{ nginx_conf_dir }}/modules-enabled/*.conf;
+
+events {
+ worker_connections {{ nginx_conf_worker_connections }};
+ multi_accept {{ nginx_conf_multi_accept }};
+}
+
+http {
+ # Basic Settings
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ client_max_body_size {{ nginx_conf_client_max_body_size }};
+
+ # MIME Types
+ include {{ nginx_conf_dir }}/mime.types;
+ # YAML has official MIME type defined: http://www.iana.org/assignments/media-types/media-types.xhtml
+ # but many other websites (GitHub, etc.) use this type which displays YAML directly in the browser.
+ types {
+ text/yaml yaml yml;
+ }
+ default_type application/octet-stream;
+
+ # SSL Settings
+ # from https://ssl-config.mozilla.org/
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ ssl_dhparam {{ nginx_conf_dir }}/dhparam;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # Logging Settings
+ access_log {{ nginx_log_dir }}/access.log;
+ error_log {{ nginx_log_dir }}/error.log;
+
+ # gzip Settings
+ gzip on;
+ gzip_proxied any;
+ gzip_types text/plain text/css text/javascript text/xml application/json application/javascript application/xml application/xml+rss;
+
+ # include Configuration and Enabled Sites
+ include {{ nginx_conf_dir }}/conf.d/*.conf;
+ include {{ nginx_conf_dir }}/sites-enabled/*;
+}
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
new file mode 100644
index 0000000..94ea8da
--- /dev/null
+++ b/templates/vhost.conf.j2
@@ -0,0 +1,120 @@
+# nginx templates/vhost.conf.j2 - {{ ansible_managed }}
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+{% if item.aliases is defined %}
+# Redirection of aliases to canonical URL
+server {
+ server_name {{ item.aliases | join(" ") }};
+
+ listen {{ item.insecure_port | default("80") }};
+ listen [::]:{{ item.insecure_port | default("80") }};
+{% if item.tls is defined and item.tls %}
+ listen {{ item.secure_port | default("443") }} ssl http2;
+ listen [::]:{{ item.secure_port | default("443") }} ssl http2;
+
+ ssl_certificate {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/fullchain.pem;
+ ssl_certificate_key {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/privkey.pem;
+{% endif %}
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+
+{% if item.strip_request_uri is defined and item.strip_request_uri %}
+{% set uri = "" %}
+{% else %}
+{% set uri = "$request_uri" %}
+{% endif %}
+ location / {
+ return 301 {{ item.redirect_url | default("https://" ~ item.name) }}{{ uri }};
+ }
+}
+
+{% endif %}
+{% if item.redirect_url is not defined %}
+{% if item.tls is defined and item.tls %}
+# HTTP -> HTTPS redirect
+server {
+ server_name {{ item.name }};
+
+ listen {{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+
+ location / {
+ return 301 https://{{ item.name }}$request_uri;
+ }
+}
+
+{% endif %}
+# Server with content
+server {
+ server_name {{ item.name }};
+
+ # Listening ports
+{% if item.tls is defined and item.tls %}
+ listen {{ item.secure_port | default("443") }} ssl http2 {% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.secure_port | default("443") }} ssl http2 {% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ ssl_certificate {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/fullchain.pem;
+ ssl_certificate_key {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/privkey.pem;
+{% else %}
+ listen {{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+{% endif %}
+
+ # logfile locations
+ access_log {{ nginx_log_dir }}/{{ item.name }}_access.log;
+ error_log {{ nginx_log_dir }}/{{ item.name }}_error.log;
+
+{% if item.extra_config is defined and item.extra_config %}
+ # extra config
+ {{ item.extra_config | indent(2) }}
+
+{% endif %}
+ location / {
+{% if item.auth_scope is defined and item.auth_scope %}
+ auth_basic "{{ item.auth_scope }}";
+ auth_basic_user_file "{{ nginx_auth_basic_dir }}/{{ item.auth_scope }}.htpasswd";
+{% endif %}
+{% if item.proxy_pass is not defined or not item.proxy_pass %}
+ # Static site configuration
+{% if item.custom_root is defined and item.custom_root %}
+ root {{ item.custom_root }};
+{% else %}
+ root {{ nginx_static_dir }}/{{ item.name }};
+{% endif %}
+ index index.html index.htm;
+{% if item.autoindex is defined and item.autoindex %}
+ autoindex on;
+ autoindex_exact_size on;
+{% endif %}
+{% else %}
+ # Proxy configuration
+ proxy_pass {{ item.proxy_pass }};
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_read_timeout 60;
+ proxy_connect_timeout 90;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Accept-Encoding "";
+{% endif %}
+ }
+}
+{% endif %}
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..ff3cd40
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,31 @@
+---
+# nginx vars/Debian.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+#
+# NOTE: Only put platform/OS-specific variables in this file.
+# Put all other variables in the 'defaults/main.yml' file.
+
+nginx_packages:
+ - "nginx"
+ - "python3-passlib"
+
+nginx_username: "www-data"
+nginx_groupname: "www-data"
+
+# name of the NGINX service
+nginx_service: "nginx"
+
+# Debian default settings
+nginx_conf_dir: "/etc/nginx"
+nginx_pid_file: "/run/nginx.pid"
+
+# logfile names must end in .log for logrotate (per /etc/logrotate.d/nginx)
+nginx_log_dir: "/var/log/nginx"
+
+# Not default. The /srv hierarchy is a good place for static sites.
+nginx_static_dir: "/srv/sites"
+
+# used for http basic auth .htpasswd files
+nginx_auth_basic_dir: "/srv/auth"