INF-113 - nginx ansible role
Initial commit
Disabled the default site and added default_site as an option
Use nginx repo for newer version
Change-Id: I994a1f2f2f18cc2d1c42a2d9bb7321835a5dd1a1
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..01ff7d1
--- /dev/null
+++ b/templates/nginx.conf.j2
@@ -0,0 +1,62 @@
+# nginx templates/nginx.conf.j2 - {{ ansible_managed }}
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+user {{ nginx_username }};
+
+pid {{ nginx_pid_file }};
+
+worker_processes {{ nginx_conf_worker_processes }};
+
+include {{ nginx_conf_dir }}/modules-enabled/*.conf;
+
+events {
+ worker_connections {{ nginx_conf_worker_connections }};
+ multi_accept {{ nginx_conf_multi_accept }};
+}
+
+http {
+ # Basic Settings
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ client_max_body_size {{ nginx_conf_client_max_body_size }};
+
+ # MIME Types
+ include {{ nginx_conf_dir }}/mime.types;
+ # YAML has official MIME type defined: http://www.iana.org/assignments/media-types/media-types.xhtml
+ # but many other websites (GitHub, etc.) use this type which displays YAML directly in the browser.
+ types {
+ text/yaml yaml yml;
+ }
+ default_type application/octet-stream;
+
+ # SSL Settings
+ # from https://ssl-config.mozilla.org/
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ ssl_dhparam {{ nginx_conf_dir }}/dhparam;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # Logging Settings
+ access_log {{ nginx_log_dir }}/access.log;
+ error_log {{ nginx_log_dir }}/error.log;
+
+ # gzip Settings
+ gzip on;
+ gzip_proxied any;
+ gzip_types text/plain text/css text/javascript text/xml application/json application/javascript application/xml application/xml+rss;
+
+ # include Configuration and Enabled Sites
+ include {{ nginx_conf_dir }}/conf.d/*.conf;
+ include {{ nginx_conf_dir }}/sites-enabled/*;
+}
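Review bot: `server_tokens` is left at its default in the Basic Settings block (next to `sendfile`/`tcp_nopush`), so every response header and error page advertises the exact nginx version; add `server_tokens off;` there. The SSL block cites the Mozilla generator but omits two directives that generator emits alongside `ssl_session_tickets off` — `ssl_stapling on; ssl_stapling_verify on;` and the `Strict-Transport-Security` header — so if the omission is deliberate a comment saying so would help future readers, and if not they belong here or in the TLS server of vhost.conf.j2. The `ssl_dhparam {{ nginx_conf_dir }}/dhparam` line makes nginx refuse to start when that file is missing; nothing in this diff shows the role generating it, so confirm a task creates it with an adequate size before the handler restarts nginx.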
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
new file mode 100644
index 0000000..94ea8da
--- /dev/null
+++ b/templates/vhost.conf.j2
@@ -0,0 +1,120 @@
+# nginx templates/vhost.conf.j2 - {{ ansible_managed }}
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+{% if item.aliases is defined %}
+# Redirection of aliases to canonical URL
+server {
+ server_name {{ item.aliases | join(" ") }};
+
+ listen {{ item.insecure_port | default("80") }};
+ listen [::]:{{ item.insecure_port | default("80") }};
+{% if item.tls is defined and item.tls %}
+ listen {{ item.secure_port | default("443") }} ssl http2;
+ listen [::]:{{ item.secure_port | default("443") }} ssl http2;
+
+ ssl_certificate {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/fullchain.pem;
+ ssl_certificate_key {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/privkey.pem;
+{% endif %}
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+
+{% if item.strip_request_uri is defined and item.strip_request_uri %}
+{% set uri = "" %}
+{% else %}
+{% set uri = "$request_uri" %}
+{% endif %}
+ location / {
+ return 301 {{ item.redirect_url | default("https://" ~ item.name) }}{{ uri }};
+ }
+}
+
+{% endif %}
+{% if item.redirect_url is not defined %}
+{% if item.tls is defined and item.tls %}
+# HTTP -> HTTPS redirect
+server {
+ server_name {{ item.name }};
+
+ listen {{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+
+ location / {
+ return 301 https://{{ item.name }}$request_uri;
+ }
+}
+
+{% endif %}
+# Server with content
+server {
+ server_name {{ item.name }};
+
+ # Listening ports
+{% if item.tls is defined and item.tls %}
+ listen {{ item.secure_port | default("443") }} ssl http2 {% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.secure_port | default("443") }} ssl http2 {% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ ssl_certificate {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/fullchain.pem;
+ ssl_certificate_key {{ certificate_dir }}/{{ item.cert_name | default(item.name) }}/privkey.pem;
+{% else %}
+ listen {{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+ listen [::]:{{ item.insecure_port | default("80") }}{% if item.default_server is defined and item.default_server %} default_server{% endif %};
+
+ # serve ACME Challenges
+ location /.well-known/acme-challenge {
+ root {{ acme_challenge_dir }};
+ }
+{% endif %}
+
+ # logfile locations
+ access_log {{ nginx_log_dir }}/{{ item.name }}_access.log;
+ error_log {{ nginx_log_dir }}/{{ item.name }}_error.log;
+
+{% if item.extra_config is defined and item.extra_config %}
+ # extra config
+ {{ item.extra_config | indent(2) }}
+
+{% endif %}
+ location / {
+{% if item.auth_scope is defined and item.auth_scope %}
+ auth_basic "{{ item.auth_scope }}";
+ auth_basic_user_file "{{ nginx_auth_basic_dir }}/{{ item.auth_scope }}.htpasswd";
+{% endif %}
+{% if item.proxy_pass is not defined or not item.proxy_pass %}
+ # Static site configuration
+{% if item.custom_root is defined and item.custom_root %}
+ root {{ item.custom_root }};
+{% else %}
+ root {{ nginx_static_dir }}/{{ item.name }};
+{% endif %}
+ index index.html index.htm;
+{% if item.autoindex is defined and item.autoindex %}
+ autoindex on;
+ autoindex_exact_size on;
+{% endif %}
+{% else %}
+ # Proxy configuration
+ proxy_pass {{ item.proxy_pass }};
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_read_timeout 60;
+ proxy_connect_timeout 90;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Accept-Encoding "";
+{% endif %}
+ }
+}
+{% endif %}
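Review bot: A vhost that sets `redirect_url` but no `aliases` renders to an empty file: `redirect_url` is only consumed inside the `{% if item.aliases is defined %}` block (the `return 301` line), yet the `{% if item.redirect_url is not defined %}` guard suppresses both the HTTP→HTTPS and the content `server` blocks whenever it is set, so `item.name` ends up bound to no `server` at all. Either widen the first guard to `{% if item.aliases is defined or item.redirect_url is defined %}` and put `item.name` in that `server_name` when there are no aliases, or document in the role that `redirect_url` requires `aliases`. Separately, `item.auth_scope` is pasted into both a quoted `auth_basic` string and the `auth_basic_user_file` path, and `item.custom_root` and `item.extra_config` are inserted raw, so a value containing `"`, `;`, `..` or a newline rewrites the configuration; these come from the inventory, so a validation step in the role (for example restricting `auth_scope` to `[A-Za-z0-9_-]`) would fail early instead of at `nginx -t`.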