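---
# Builds nginx from source on an Alpine (apk) host with the brotli,
# headers-more and quiche (HTTP/3, BoringSSL) modules, then installs
# certbot and enables the nginx service.
- name: Install Nginx and Certbot
  hosts: nginx
  vars:
    user: nginx
    home: "/etc/{{ user }}"
    # Signing key used to verify the downloaded tarball. It is fetched from
    # the same origin as the tarball, so the check defends against a
    # corrupted or tampered download, not against a compromise of that
    # origin; recording the key fingerprint out-of-band and comparing it
    # after import would strengthen this (fingerprint not pinned here).
    nginx_key: "https://nginx.org/keys/nginx_signing.key"
    nginx_version: "1.16.1"
    # Pinned commits for the out-of-tree modules (exact revisions, not branches).
    nginx_headers_version: "552e216a0da95c685d9db4f43e209c3f2a803e49"
    brotli_version: "e505dce68acc190cc5a1e780a3b0275e39f160ca"
    quiche_version: "3c75701c6fa5b29a9076d9f82251f5aeee2c7f79"
    # Working directory holding sources, patches and the marker files that
    # make the shell tasks idempotent (via `creates`).
    build_dir: /opt/nginx

  tasks:
    - name: Ensuring group exists
      group:
        name: "{{ user }}"
        state: present

    - name: Creating user and making home directory
      user:
        system: true
        state: present
        name: "{{ user }}"
        groups: "{{ user }}"
        home: "{{ home }}"

    - name: Installing packages
      apk:
        state: present
        update_cache: true
        name:
          - logrotate
          - certbot
          - certbot-nginx

    - name: Installing the required nginx dependencies
      apk:
        state: present
        update_cache: true
        name:
          - gcc
          - libc-dev
          - make
          - openssl-dev
          - pcre-dev
          - zlib-dev
          - linux-headers
          - curl
          - gnupg
          - libxslt-dev
          - gd-dev
          - geoip-dev
          - perl-dev
          - tar
          - openssl

    - name: Installing the required brotli dependencies
      apk:
        state: present
        update_cache: true
        name:
          - autoconf
          - libtool
          - automake
          - git
          - g++
          - cmake
          - go
          - perl
          - rust
          - cargo

    # Created explicitly so the download tasks do not depend on the git
    # clones having created the parent directory first.
    - name: Creating the build directory
      file:
        path: "{{ build_dir }}"
        state: directory
        mode: "0755"

    - name: Cloning repositories
      git:
        repo: "{{ item.repo }}"
        dest: "{{ item.dest }}"
        version: "{{ item.version }}"
      loop:
        - repo: "https://github.com/google/ngx_brotli.git"
          dest: "{{ build_dir }}/brotli"
          version: "{{ brotli_version }}"
        - repo: "https://github.com/openresty/headers-more-nginx-module.git"
          dest: "{{ build_dir }}/nginx-headers"
          version: "{{ nginx_headers_version }}"
        - repo: "https://github.com/cloudflare/quiche"
          dest: "{{ build_dir }}/quiche"
          version: "{{ quiche_version }}"

    - name: Downloading nginx
      get_url:
        url: "{{ item }}"
        dest: "{{ build_dir }}"
      loop:
        - "https://nginx.org/download/nginx-{{ nginx_version }}.tar.gz"
        - "https://nginx.org/download/nginx-{{ nginx_version }}.tar.gz.asc"

    # `set -e` makes a failed download or import fail the task instead of
    # letting the trailing `touch` create the marker anyway.
    - name: Importing keys
      shell: |
        set -e
        curl -sSL -o nginx_signing.key "{{ nginx_key }}"
        gpg --batch --import nginx_signing.key
        touch .nginx-key-imported
      args:
        chdir: "{{ build_dir }}"
        creates: .nginx-key-imported

    # gpg --verify takes the detached signature first, then the signed file;
    # `set -e` ensures a failed verification leaves no marker file behind.
    - name: Verifying application
      shell: |
        set -e
        gpg --batch --verify nginx-{{ nginx_version }}.tar.gz.asc nginx-{{ nginx_version }}.tar.gz
        touch .nginx-{{ nginx_version }}-verified
      args:
        chdir: "{{ build_dir }}"
        creates: .nginx-{{ nginx_version }}-verified

    - name: Copying patches
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      loop:
        - src: enable_boringssl_ocsp.patch
          dest: "{{ build_dir }}"

    # Runs after the signature check, so only a verified tarball is unpacked.
    - name: Extracting application source
      unarchive:
        src: "{{ build_dir }}/nginx-{{ nginx_version }}.tar.gz"
        dest: "{{ build_dir }}"
        remote_src: true

    # The quiche patch is named for nginx 1.16; bumping nginx_version to
    # another minor series presumably needs a matching patch — confirm.
    # `--with-ipv6` is reported as deprecated by newer configure scripts and
    # can likely be dropped; check the build log.
    - name: Building application
      shell: >
        export CONFIG="
        --prefix=/etc/nginx
        --sbin-path=/usr/sbin/nginx
        --modules-path=/usr/lib/nginx/modules
        --conf-path=/etc/nginx/nginx.conf
        --error-log-path=/var/log/nginx/error.log
        --http-log-path=/var/log/nginx/access.log
        --pid-path=/var/run/nginx.pid
        --lock-path=/var/run/nginx.lock
        --http-client-body-temp-path=/var/cache/nginx/client_temp
        --http-proxy-temp-path=/var/cache/nginx/proxy_temp
        --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
        --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
        --http-scgi-temp-path=/var/cache/nginx/scgi_temp
        --user={{ user }}
        --group={{ user }}
        --with-http_ssl_module
        --with-http_realip_module
        --with-http_addition_module
        --with-http_sub_module
        --with-http_dav_module
        --with-http_flv_module
        --with-http_mp4_module
        --with-http_gunzip_module
        --with-http_gzip_static_module
        --with-http_random_index_module
        --with-http_secure_link_module
        --with-http_stub_status_module
        --with-http_auth_request_module
        --with-http_xslt_module=dynamic
        --with-http_image_filter_module=dynamic
        --with-http_geoip_module=dynamic
        --with-http_perl_module=dynamic
        --with-threads
        --with-stream
        --with-stream_ssl_module
        --with-stream_ssl_preread_module
        --with-stream_realip_module
        --with-stream_geoip_module=dynamic
        --with-http_slice_module
        --with-mail
        --with-mail_ssl_module
        --with-compat
        --with-file-aio
        --with-http_v2_module
        --with-http_v3_module
        --with-openssl={{ build_dir }}/quiche/deps/boringssl
        --with-quiche={{ build_dir }}/quiche
        --with-ipv6
        --add-module={{ build_dir }}/brotli
        --add-module={{ build_dir }}/nginx-headers
        --with-cc-opt=-Wno-error
        --with-debug"
        && patch -p1 < ../quiche/extras/nginx/nginx-1.16.patch
        && patch -p1 < ../enable_boringssl_ocsp.patch
        && ./configure $CONFIG
        && make -j$(getconf _NPROCESSORS_ONLN)
      args:
        chdir: "{{ build_dir }}/nginx-{{ nginx_version }}"
        creates: objs/nginx
      register: build_output

    - name: Showing build output
      debug:
        var: build_output

    - name: Installing Application
      shell: >
        make install
        && mkdir -p /etc/nginx/default.d
        && mkdir -p /etc/nginx/conf.d
        && mkdir -p /etc/nginx/sites-available
        && mkdir -p /etc/nginx/sites-enabled
        && mkdir -p /var/cache/nginx
        && rm -rf /etc/nginx/*.default
        && rm -rf /etc/nginx/html
        && rm -rf /usr/sbin/nginx.old
        && strip /usr/sbin/nginx*
        && strip /usr/lib/nginx/modules/*.so
      args:
        chdir: "{{ build_dir }}/nginx-{{ nginx_version }}"
      register: install_output

    - name: Showing install output
      debug:
        var: install_output

    # Placeholder certificate so nginx can start before certbot issues a real one.
    - name: Generating self signed certificate
      shell: >
        openssl req -x509 -newkey rsa:4096 -nodes
        -keyout nginx.key -out nginx.crt -days 1095
        -sha256 -subj '/CN=localhost'
      args:
        chdir: /etc/nginx
        creates: nginx.crt

    - name: Generating Diffie Hellman group
      shell: openssl dhparam -out dhparam.pem 2048
      args:
        chdir: /etc/nginx
        creates: dhparam.pem

    - name: Copying configuration files
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
      loop:
        - src: default.conf
          dest: /etc/nginx/default.d/default.conf
          owner: "{{ user }}"
          group: "{{ user }}"
          mode: "0644"
        - src: nginx.init.d
          dest: /etc/init.d/nginx
          owner: root
          group: root
          mode: "0755"
        - src: nginx.logrotate
          dest: /etc/logrotate.d/nginx
          owner: root
          group: root
          mode: "0644"
        - src: nginx.conf
          dest: /etc/nginx/nginx.conf
          owner: "{{ user }}"
          group: "{{ user }}"
          mode: "0644"
        - src: mime.types
          dest: /etc/nginx/mime.types
          owner: "{{ user }}"
          group: "{{ user }}"
          mode: "0644"
        - src: certbot
          dest: /etc/periodic/daily/certbot
          owner: root
          group: root
          mode: "0755"

    - name: Enabling services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - nginx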