Ansible Nginx Passenger Role
This role will install Nginx server along with Phusion Passenger bindings for serving Node, Python, or Ruby. It can also setup and configure a site for a given domain.
Requirements
This role takes advantage of Linux filesystem ACLs and a group called "web-admin" for granting access to configuration directories. You can either configure those steps manually or install the bbatsche.Base role.
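The manual alternative mentioned above, as an added example that is not part of this role or of bbatsche.Base: a small playbook that creates the "web-admin" group and grants it access to an Nginx configuration directory with POSIX ACLs, so deployers can manage vhost configs without a root shell. The directory list (/etc/nginx/conf.d, which this README names as the drop location for nginx_configs), the "deploy" user and the default-ACL inheritance are assumptions for illustration.

```yaml
# Added example (not the role's own code): manual setup of the web-admin
# group and filesystem ACLs that this role relies on.
- hosts: servers
  become: yes
  vars:
    web_admin_group: web-admin
    # Assumption: only conf.d is delegated; extend the list as needed.
    nginx_config_dirs:
      - /etc/nginx/conf.d
  tasks:
    - name: Ensure ACL user-space tools are installed (Debian/Ubuntu)
      apt:
        name: acl
        state: present

    - name: Create the web-admin group
      group:
        name: "{{ web_admin_group }}"
        state: present

    - name: Add the deploy user to web-admin (user name is an assumption)
      user:
        name: deploy
        groups: "{{ web_admin_group }}"
        append: yes

    - name: Grant web-admin rwx on the Nginx config directories
      acl:
        path: "{{ item }}"
        entity: "{{ web_admin_group }}"
        etype: group
        permissions: rwx
        state: present
      loop: "{{ nginx_config_dirs }}"

    - name: Make files created in those directories inherit the group ACL
      acl:
        path: "{{ item }}"
        entity: "{{ web_admin_group }}"
        etype: group
        permissions: rwx
        default: yes
        state: present
      loop: "{{ nginx_config_dirs }}"
```

Limiting the ACL to the configuration directories (rather than adding deployers to a sudoers rule for nginx) keeps the grant scoped to what the role actually writes; the second acl task sets a default entry so that files the role drops into conf.d later stay editable by the group. Verify with `getfacl /etc/nginx/conf.d` after the play runs.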
Role Variables
env_name — Whether this server is in a "development", "production", or other type of environment. Default is "dev".
http_root — Where site directories should be created. Default is "/srv/http".
public_directory — Publicly visible directory for the site, e.g. "public" or "htdocs". Default is "public".
max_upload_size — Maximum upload size in MB. Default is "10".
domain — Domain name for the site to create. Undefined by default.
content_security_policy — Content security policy to add to the domain, formatted as a dict of lists or booleans. Appropriate values will automatically have single quotes (') applied. Default: see defaults/main.yml.
nginx_configs — Additional config files to add to the end of the domain's server block. These files should be copied to /etc/nginx/conf.d. Add configs for your particular application server type here. Default is an empty array.
passenger_app — Is the current domain a Passenger app (i.e., Node, Ruby, Python)? Useful if the app needs to be restarted after updating configs. Default is no.
copy_index — Copy an index.html stub to the site. Default is no.
use_ssl — Whether to serve content via SSL (really TLS). Default is no.
use_letsencrypt — Whether to use Let's Encrypt to generate a certificate for the site. Otherwise a server-wide self-signed certificate will be used. Default is no.
privatekey_bits — Number of bits to use when generating a self-signed private key. Default is 4096.
dhparam_bits — Number of bits to use when generating static DH parameters. Default is 2048. Going much higher can be very time consuming.
cert_valid_days — Number of days the self-signed certificate will be valid for. Default is 3650 (~1 year).
email_address — Email address to use for the self-signed certificate and Let's Encrypt. Undefined by default.
country_name — Two-letter country abbreviation to use when generating the self-signed certificate. Undefined by default.
state_name — State or province name to use when generating the self-signed certificate. Undefined by default.
locality_name — City or locality name to use when generating the self-signed certificate. Undefined by default.
org_name — Organization name to use when generating the self-signed certificate. Undefined by default.
h5bp_commit — Git hash or version number to use for pulling files from HTML5 Boilerplate Server Configs. Default is "3.1.0".
setuptools_version — Version of setuptools to install via Pip. Default is 40.6.2.
SSL & Let's Encrypt
Let's Encrypt requires that your web server be externally accessible, therefore you should not use it when generating development sites in Vagrant or Docker. Furthermore, you must make sure your DNS is properly configured before creating your certificate. Once this is done, a fully supported and signed certificate will be issued for your domain, along with a cron job to make sure it continues to be renewed in the future. The server and certificate have been optimized for the best possible security going forward, gaining an "A+" rating from SSL Labs as of October 2017.
Example Playbook
- hosts: servers
  roles:
    - { role: bbatsche.Nginx, domain: my-test-domain.test }
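A fuller playbook that exercises the variables documented under Role Variables and the SSL / Let's Encrypt section, added here as an example and not taken from the role's README. The domains, email address, CDN host, certificate subject fields and the passenger-node.conf file name are placeholders; whether nginx_configs entries are bare file names under /etc/nginx/conf.d is an assumption drawn from the description above, so check the role's templates before relying on it.

```yaml
# Added example (not the role's own playbook): one Internet-facing host with a
# Let's Encrypt certificate, and one Vagrant host that falls back to the
# server-wide self-signed certificate because it is not externally reachable.
- hosts: servers
  become: yes
  roles:
    - role: bbatsche.Nginx
      env_name: production
      domain: example.test                  # placeholder; DNS must already resolve
      public_directory: public
      max_upload_size: 20
      passenger_app: yes                    # restart the app after config changes
      copy_index: no
      use_ssl: yes
      use_letsencrypt: yes                  # needs an externally reachable host
      email_address: ops@example.test       # placeholder; used for Let's Encrypt
      dhparam_bits: 2048                    # going much higher is slow to generate
      # Dict of lists or booleans; the role adds the single quotes that CSP
      # keywords such as self and none require, so write them bare here.
      content_security_policy:
        default-src: [self]
        script-src: [self, "https://cdn.example.test"]   # placeholder CDN host
        img-src: [self, "data:"]
        object-src: [none]
        upgrade-insecure-requests: true     # boolean: directive with no value
      # Files assumed to live in /etc/nginx/conf.d; included at the end of the
      # domain's server block (file name is a placeholder).
      nginx_configs:
        - passenger-node.conf

- hosts: vagrant
  become: yes
  roles:
    - role: bbatsche.Nginx
      env_name: dev
      domain: example.local                 # placeholder
      use_ssl: yes
      use_letsencrypt: no                   # Vagrant is not reachable from the Internet
      # Subject fields for the self-signed certificate (placeholder values).
      email_address: dev@example.local
      country_name: US
      state_name: California
      locality_name: San Francisco
      org_name: Example Dev
      cert_valid_days: 365
      copy_index: yes                       # drop an index.html stub for smoke testing
```

The second play is the case the SSL section warns about: with use_letsencrypt left at no, the role still serves TLS but with the self-signed server-wide certificate, which is what you want inside Vagrant or Docker where the ACME challenge could never succeed. Keep object-src locked to none and script-src to explicit origins in the production play so that the Content-Security-Policy the role emits actually constrains inline script.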
License
MIT
Testing
Included with this role is a set of specs for testing each task individually or as a whole. To run these tests you will first need to have Vagrant and VirtualBox installed. The spec files are written using Serverspec so you will need Ruby and Bundler.
To run the full suite of specs:
$ gem install bundler
$ bundle install
$ rake
The spec suite will target Ubuntu Trusty Tahr (14.04), Xenial Xerus (16.04), and Bionic Beaver (18.04).
To see the available rake tasks (and specs):
$ rake -T
These specs are not meant to test for idempotence. They are meant to check that the specified tasks perform their expected steps. Idempotency is tested independently via integration testing.
Install and configure Nginx and Phusion Passenger along with any number of server blocks (aka vhosts).
$ ansible-galaxy install bbatsche/Ansible-Nginx-Passenger-Role