bbatsche.nginx

Ansible Nginx Passenger Role


This role will set up the Nginx server with Phusion Passenger support to run Node, Python, or Ruby applications. It can also create and configure a website for a specified domain.

Requirements

This role uses Linux filesystem ACLs and a group called "web-admin" for managing access to configuration directories. You can set this up manually or install the bbatsche.Base role.

Role Variables

  • env_name: Indicates if the server is in a "development", "production", or other environment. Default is "dev".
  • http_root: Directory where site folders should be created. Default is "/srv/http".
  • public_directory: Publicly visible folder for the site, like "public" or "htdocs". Default is "public".
  • max_upload_size: Maximum file upload size in MB. Default is "10".
  • domain: Domain name for the site to create. Not set by default.
  • content_security_policy: Security policy to apply to the domain, formatted as a dict of lists or booleans. Defaults can be found in defaults/main.yml.
  • nginx_configs: Additional config files to add to the domain's server block. These should go in /etc/nginx/conf.d. Default is empty.
  • passenger_app: Specifies whether the domain is a Passenger application (Node, Ruby, Python). Useful if the app needs to restart after config updates. Default is no.
  • copy_index: If an index.html file should be copied to the site. Default is no.
  • use_ssl: Specifies if content should be served via SSL (technically TLS). Default is no.
  • use_letsencrypt: If Let's Encrypt should be used to create a certificate for the site. If not, a self-signed certificate is used. Default is no.
  • privatekey_bits: Number of bits for a self-signed private key. Default is 4096.
  • dhparam_bits: Number of bits for the static DH parameters. Default is 2048; higher numbers can be slow to generate.
  • cert_valid_days: How long the self-signed certificate is valid, in days. Default is 3650 (~10 years).
  • email_address: Email for self-signed certificate and Let's Encrypt. Not set by default.
  • country_name: Two-letter country code for self-signed certificate. Not set by default.
  • state_name: State or province name for self-signed certificate. Not set by default.
  • locality_name: City name for self-signed certificate. Not set by default.
  • org_name: Organization name for self-signed certificate. Not set by default.
  • h5bp_commit: Git hash or version for pulling files from HTML5 Boilerplate Server Configs. Default is "3.1.0".
  • setuptools_version: Version of setuptools to install via Pip. Default is 40.6.2.
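
How a `content_security_policy` dict of lists and booleans can map onto a header value, as an added example: this is not the role's own template, and the directive-style key names, the `render_csp` helper and the sample policy are assumptions (the role's real defaults are in defaults/main.yml).

```python
import re

# Added example: hypothetical renderer, not code from the bbatsche.nginx role.
# Assumption: keys are CSP directive names; lists hold sources, booleans toggle.
VALUELESS = {"upgrade-insecure-requests", "block-all-mixed-content"}
# Keyword sources must be single-quoted in the header.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Characters that would end a directive or break out of the header line.
FORBIDDEN = re.compile(r"[;,\s]")
DIRECTIVE_NAME = re.compile(r"[a-z][a-z0-9-]*")

# Constructed sample policy (not the role's defaults).
SAMPLE_POLICY = {
    "default-src": ["self"],
    "img-src": ["self", "data:", "https://cdn.example.test"],
    "object-src": [],
    "upgrade-insecure-requests": True,
    "block-all-mixed-content": False,
}


def render_csp(policy):
    """Turn {"directive": [sources] | bool} into a CSP header value."""
    parts = []
    for name, value in policy.items():
        if not DIRECTIVE_NAME.fullmatch(name):
            raise ValueError(f"bad directive name: {name!r}")
        if isinstance(value, bool):
            if name not in VALUELESS:
                raise ValueError(f"{name} needs a source list, not a boolean")
            if value:
                parts.append(name)
            continue
        if not isinstance(value, list):
            raise ValueError(f"{name} must be a list or a boolean")
        sources = []
        for src in value:
            if not isinstance(src, str) or not src or FORBIDDEN.search(src):
                raise ValueError(f"bad source in {name}: {src!r}")
            bare = src.strip("'")
            sources.append(f"'{bare}'" if bare in KEYWORDS else src)
        if not sources:  # an empty list is rendered as an explicit 'none'
            sources = ["'none'"]
        parts.append(name + " " + " ".join(sources))
    return "; ".join(parts)


if __name__ == "__main__":
    print("Content-Security-Policy: " + render_csp(SAMPLE_POLICY))
```

Rejecting `;`, `,` and whitespace inside a source keeps a single variable value from appending extra directives or splitting the header when the policy is templated into the server block.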

SSL & Let's Encrypt

Let's Encrypt needs your web server to be accessible from the internet, so it's not suitable for development sites in Vagrant or Docker. Ensure your DNS is correctly set up before creating your certificate. Once done, a valid certificate will be issued for your domain, along with a cron job for automatic renewals. The server and certificate are optimized for high security, earning an "A+" rating from SSL Labs as of October 2017.


Example Playbook

- hosts: servers
  roles:
     - { role: bbatsche.Nginx, domain: my-test-domain.test }

License

MIT

Testing

This role includes tests for each task, which you can run if you have Vagrant and VirtualBox installed. The tests are written with Serverspec, so you'll need Ruby and Bundler.

To run all tests:

$ gem install bundler
$ bundle install
$ rake

The tests target Ubuntu Trusty Tahr (14.04), Xenial Xerus (16.04), and Bionic Beaver (18.04).

To list available rake tasks (and tests):

$ rake -T

These tests do not check for idempotence; they check if tasks perform as expected. Idempotence is tested separately through integration tests.

Project information

Install and configure Nginx and Phusion Passenger along with any number of server blocks (aka vhosts).

Install
ansible-galaxy install bbatsche.nginx