roles/nginx: Add role for nginx

This role installs nginx and provides a base/skeleton configuration
suitable for most deployments.

roles/nginx/defaults/main.yml

@@ -0,0 +1,7 @@
+nginx_ssl_certificate: /etc/pki/nginx/server.crt
+nginx_ssl_certificate_key: /etc/pki/nginx/private/server.key
+nginx_ssl_session_cache: shared:SSL:1m
+nginx_ssl_session_timeout: 10m
+nginx_ssl_ciphers: '{{ nginx_default_ssl_ciphers }}'
+nginx_log_syslog: true
+nginx_redirect_http_https: false

roles/nginx/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: reload nginx
+  service:
+    name=nginx
+    state=reloaded
+- name: save firewalld configuration
+  command:
+    firewall-cmd --runtime-to-permanent

roles/nginx/tasks/main.yml

@@ -0,0 +1,81 @@
+- name: load distribution-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+  tags:
+  - always
+
+- name: ensure nginx is installed
+  package:
+    name: '{{ nginx_packages|join(",") }}'
+    state: present
+  tags:
+  - install
+
+- name: ensure nginx pki directories exist
+  file:
+    path: '{{ item.path }}'
+    mode: '{{ item.mode }}'
+    state: directory
+  with_items:
+  - path: /etc/pki/nginx
+    mode: '0755'
+  - path: /etc/pki/nginx/private
+    mode: '0700'
+- name: ensure tls private key exists
+  copy:
+    src: '{{ item }}'
+    dest: '{{ nginx_ssl_certificate_key }}'
+    mode: '0400'
+    setype: cert_t
+  diff: false
+  with_fileglob:
+  - 'certs/nginx/{{ inventory_hostname }}/server.key'
+  notify: reload nginx
+- name: ensure tls certificate exists
+  copy:
+   src: '{{ item }}'
+   dest: '{{ nginx_ssl_certificate }}'
+   mode: '0644'
+   setype: cert_t
+  with_fileglob:
+  - 'certs/nginx/{{ inventory_hostname }}/server.cer'
+  notify: reload nginx
+- name: ensure tls ca certificate exists
+  copy:
+    src: '{{ item }}'
+    dest: '{{ nginx_ssl_ca_certificate }}'
+    mode: '0644'
+    setype: cert_t
+  when: nginx_ssl_ca_certificate is defined
+  with_fileglob:
+  - 'certs/nginx/{{ inventory_hostname }}/ca.crt'
+  notify: reload nginx
+
+- name: ensure nginx is configured
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: '0644'
+  notify: reload nginx
+  tags:
+  - nginx-config
+
+- name: ensure nginx is allowed in the firewall
+  firewalld:
+    service: '{{ item }}'
+    state: enabled
+    permanent: no
+    immediate: yes
+  with_items:
+  - http
+  - https
+  notify: save firewalld configuration
+
+- name: ensure nginx starts at boot
+  service:
+    name: nginx
+    enabled: yes

roles/nginx/templates/nginx.conf.j2

@@ -0,0 +1,98 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+{% if nginx_log_syslog|bool %}
+error_log syslog:server=unix:/dev/log,facility=daemon,nohostname;
+{% endif %}
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+{% if nginx_log_syslog|bool %}
+    access_log  syslog:server=unix:/dev/log,facility=daemon,nohostname main;
+{% endif %}
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+{% if nginx_redirect_http_https %}
+        return 301 https://$host$request_uri;
+{% else %}
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+{% endif %}
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+{% if not nginx_disable_tls|d %}
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        ssl_certificate "{{ nginx_ssl_certificate }}";
+        ssl_certificate_key "{{ nginx_ssl_certificate_key }}";
+{% if nginx_ssl_ca_certificate is defined %}
+        ssl_client_certificate "{{ nginx_ssl_ca_certificate }}";
+{% endif %}
+        ssl_session_cache {{ nginx_ssl_session_cache }};
+        ssl_session_timeout  {{ nginx_ssl_session_timeout }};
+        ssl_ciphers {{ nginx_ssl_ciphers|join(':') }};
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+{% endif %}
+
+}

roles/nginx/vars/CentOS-8.yml

@@ -0,0 +1,2 @@
+nginx_default_ssl_ciphers:
+- PROFILE=SYSTEM

roles/nginx/vars/Fedora.yml

@@ -0,0 +1,2 @@
+nginx_default_ssl_ciphers:
+- PROFILE=SYSTEM

roles/nginx/vars/defaults.yml

@@ -0,0 +1,4 @@
+nginx_default_ssl_ciphers:
+- HIGH
+- '!aNULL'
+- '!MD5'

roles/nginx/vars/main.yml

@@ -0,0 +1,2 @@
+nginx_packages:
+- nginx