2024-07-12 15:00:55 +02:00
|
|
|
|
---
|
|
|
|
|
- name: Packages
|
|
|
|
|
ansible.builtin.include_tasks: install.yml
|
|
|
|
|
tags: install
|
|
|
|
|
|
|
|
|
|
- name: Install the proxy snippet
|
|
|
|
|
ansible.builtin.copy:
|
|
|
|
|
src: files/proxy.conf
|
|
|
|
|
dest: /etc/nginx/proxy.conf
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
|
|
|
|
|
- name: Install the SSL snippet
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: templates/ssl.conf
|
|
|
|
|
dest: /etc/nginx/ssl.conf
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
|
|
|
|
|
- name: Install the default config
|
|
|
|
|
ansible.builtin.copy:
|
|
|
|
|
src: files/nginx.conf
|
|
|
|
|
dest: /etc/nginx/nginx.conf
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
|
|
|
|
|
- name: Install the HTTP config
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: templates/http.conf
|
|
|
|
|
dest: /etc/nginx/http.conf
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
|
|
|
|
|
- name: Enable $HOME shortcut
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: templates/me.conf
|
|
|
|
|
dest: /etc/nginx/conf.d/me.conf
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
|
|
|
|
|
- name: Allow httpd in homedirs in SELinux
|
|
|
|
|
ansible.posix.seboolean:
|
|
|
|
|
name: httpd_enable_homedirs
|
|
|
|
|
state: true
|
|
|
|
|
persistent: true
|
|
|
|
|
when: ansible_facts.selinux.status == 'enabled'
|
|
|
|
|
|
|
|
|
|
- name: Enable reverse proxy
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: templates/reverse_proxy.conf
|
|
|
|
|
dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
|
|
|
|
|
mode: 0644
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
vars:
|
|
|
|
|
proxy_domain: "{{ item.domain }}"
|
|
|
|
|
proxy_upstream: "{{ item.upstream }}"
|
|
|
|
|
proxy_protocol: "{{ item.protocol }}"
|
2024-07-12 21:06:00 +02:00
|
|
|
|
loop: "{{ nginx_reverse_proxy }}"
|
2024-07-12 15:00:55 +02:00
|
|
|
|
|
|
|
|
|
# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
|
|
|
|
|
- name: Allow reverse proxy in SELinux
|
|
|
|
|
ansible.posix.seboolean:
|
|
|
|
|
name: httpd_can_network_connect
|
|
|
|
|
state: true
|
|
|
|
|
persistent: true
|
2024-07-12 21:06:00 +02:00
|
|
|
|
when: "ansible_facts.selinux.status == 'enabled' and nginx_reverse_proxy"
|
2024-07-12 15:00:55 +02:00
|
|
|
|
|
|
|
|
|
- name: Enable nginx on firewall
|
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
|
service: "{{ item }}"
|
|
|
|
|
immediate: true
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
|
|
|
|
loop:
|
|
|
|
|
- http
|
|
|
|
|
- https
|
2024-07-22 10:39:21 +02:00
|
|
|
|
when: ansible_facts.services['firewalld'] is defined
|
2024-07-12 15:00:55 +02:00
|
|
|
|
tags: firewall
|
|
|
|
|
|
|
|
|
|
- name: Enable nginx
|
|
|
|
|
ansible.builtin.service:
|
|
|
|
|
name: nginx
|
|
|
|
|
enabled: true
|
|
|
|
|
state: restarted
|