aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--roles/nginx/defaults/main.yml7
-rw-r--r--roles/nginx/handlers/main.yml7
-rw-r--r--roles/nginx/tasks/main.yml64
-rw-r--r--roles/nginx/templates/nginx.conf.j273
-rw-r--r--roles/sky/files/wait-online.conf3
5 files changed, 154 insertions, 0 deletions
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..914dde8
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+nginx_worker_connections: 768
+
+nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
+nginx_ssl_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..f335839
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: reload nginx
+ systemd:
+ name: nginx.service
+ state: reloaded
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..f73e5e1
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: Configure /etc/nginx/nginx.conf
+ template:
+ dest: '/etc/nginx/nginx.conf'
+ src: nginx.conf.j2
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload nginx
+ tags:
+ - nginx
+
+- name: Disable default site
+ file:
+ path: '/etc/nginx/sites-enabled/default'
+ state: absent
+ notify:
+ - reload nginx
+ tags:
+ - nginx
+
+- name: Download dhparam
+ get_url:
+ dest: '/etc/nginx/dhparam'
+ url: 'https://ssl-config.mozilla.org/ffdhe2048.txt'
+ owner: root
+ group: root
+ mode: 0440
+ notify:
+ - reload nginx
+ tags:
+ - nginx
+
+- name: Create service drop-in directory
+ file:
+ dest: '/etc/systemd/system/nginx.service.d'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ tags:
+ - nginx
+
+- name: Start nginx after networks are configured
+ copy:
+ dest: '/etc/systemd/system/nginx.service.d/wait-online.conf'
+ src: wait-online.conf
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - nginx
+
+- name: Enable nginx service
+ systemd:
+ name: nginx.service
+ enabled: yes
+ masked: no
+ state: started
+ tags:
+ - nginx
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..1188e53
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -0,0 +1,73 @@
+user www-data;
+worker_processes auto;
+{% if nginx_worker_rlimit_nofile is defined %}
+worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
+{% endif %}
+pid /run/nginx.pid;
+error_log /dev/null debug;
+error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx notice;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections {{ nginx_worker_connections }};
+ # multi_accept on;
+}
+
+http {
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Resolver
+ ##
+
+ resolver 127.0.0.53 valid=30s; # systemd-resolved listens here
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols {{ nginx_ssl_protocols }};
+ ssl_ciphers {{ nginx_ssl_ciphers }};
+ ssl_prefer_server_ciphers off;
+ ssl_dhparam /etc/nginx/dhparam;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log off;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/roles/sky/files/wait-online.conf b/roles/sky/files/wait-online.conf
new file mode 100644
index 0000000..0a38143
--- /dev/null
+++ b/roles/sky/files/wait-online.conf
@@ -0,0 +1,3 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
generated by cgit v1.2.1 (git 2.18.0) at 2025-06-08 04:18:55 +0000