From 5f1fc18917fd9ccebd0dd3306150c5968873c99e Mon Sep 17 00:00:00 2001 
From: Alessandro Fael Garcia Date: Tue, 7 Dec 2021 02:47:13 +0100 Subject: [PATCH] Improve uninstalling NGINX capabilities (#472) --- .github/workflows/molecule.yml | 3 + .gitignore | 4 + CHANGELOG.md | 14 +++- defaults/main/main.yml | 28 +++---- defaults/main/selinux.yml | 3 + handlers/main.yml | 3 + molecule/default/converge.yml | 1 - molecule/default/verify.yml | 8 ++ molecule/uninstall/converge.yml | 9 +++ molecule/uninstall/molecule.yml | 91 +++++++++++++++++++++ molecule/uninstall/prepare.yml | 7 ++ molecule/uninstall/verify.yml | 11 +++ molecule/uninstall_plus/converge.yml | 11 +++ molecule/uninstall_plus/molecule.yml | 91 +++++++++++++++++++++ molecule/uninstall_plus/prepare.yml | 30 +++++++ molecule/uninstall_plus/verify.yml | 11 +++ molecule/upgrade/converge.yml | 9 +++ molecule/upgrade/molecule.yml | 62 +++++++++++++++ molecule/upgrade/prepare.yml | 29 +++++++ molecule/upgrade/verify.yml | 33 ++++++++ tasks/main.yml | 114 +++++++++++++++------------ tasks/modules/install-modules.yml | 2 +- tasks/opensource/install-alpine.yml | 7 +- tasks/opensource/install-bsd.yml | 28 +++---- tasks/opensource/install-debian.yml | 8 +- tasks/opensource/install-oss.yml | 10 +-- tasks/opensource/install-redhat.yml | 5 +- tasks/opensource/install-suse.yml | 5 +- tasks/plus/install-alpine.yml | 4 +- tasks/plus/install-debian.yml | 6 +- tasks/plus/install-freebsd.yml | 2 +- tasks/plus/install-redhat.yml | 6 +- tasks/plus/install-suse.yml | 11 +-- tasks/plus/setup-license.yml | 7 ++ vars/main.yml | 13 +++ 35 files changed, 565 insertions(+), 121 deletions(-) create mode 100644 molecule/uninstall/converge.yml create mode 100644 molecule/uninstall/molecule.yml create mode 100644 molecule/uninstall/prepare.yml create mode 100644 molecule/uninstall/verify.yml create mode 100644 molecule/uninstall_plus/converge.yml create mode 100644 molecule/uninstall_plus/molecule.yml create mode 100644 molecule/uninstall_plus/prepare.yml create mode 100644 molecule/uninstall_plus/verify.yml 
create mode 100644 molecule/upgrade/converge.yml create mode 100644 molecule/upgrade/molecule.yml create mode 100644 molecule/upgrade/prepare.yml create mode 100644 molecule/upgrade/verify.yml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 37fb4e2..267b068 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -23,6 +23,9 @@ jobs: - module - plus - source + - uninstall + - uninstall_plus + - upgrade steps: - name: Check out the codebase if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)" diff --git a/.gitignore b/.gitignore index 4bb7c3f..b671d1b 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,7 @@ Thumbs.db # Python specific # ################### __pycache__ + +# Logs # +######## +*.log diff --git a/CHANGELOG.md b/CHANGELOG.md index 00fd403..c99d9f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Changelog -## 0.21.4 (Unreleased) +## 0.22.0 (Unreleased) + +BREAKING CHANGES: + +* The `nginx_state` variable has been replaced with `nginx_setup` and instead of using `present`, `absent`, `latest` you should now use `install`, `uninstall` and `upgrade`. +* `nginx_install` variable is no more. Use `nginx_enable` instead. FEATURES: @@ -12,7 +17,8 @@ Add Alpine Linux 3.15 to list of tested and supported platforms. BUG FIXES: -When building NGINX from source, the original source FTP repository `ftp.pcre.org` is not available anymore, according to . The FTP repository has been updated to use `ftp.exim.org` instead. +* When building NGINX from source, the original source FTP repository `ftp.pcre.org` is not available anymore, according to . The FTP repository has been updated to use `ftp.exim.org` instead. +* Uninstalling NGINX should now work correctly under most scenarios. ## 0.21.3 (October 25, 2021) 
@@ -217,7 +223,7 @@ FEATURES: * A new variable has been introduced: * `nginx_setup_license` -- Determine whether you want to use this role to upload your NGINX license to your target host. * The role will now fail automatically if you try to deploy NGINX from an official repository in an unsupported distribution. You can find a list of supported distributions for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml) -* Three new tags have been introduced -- `nginx_setup_license`, `nginx_install` and `nginx_check_support`. +* Three new tags have been introduced -- `nginx_setup_license`, `nginx_enable` and `nginx_check_support`. * Add Alpine 3.12 to the list of supported platforms. * Remove Alpine 3.8 from the list of supported platforms. * Add NGINX Plus tests to TravisCI @@ -301,7 +307,7 @@ FEATURES: * Add support to configure logrotate. * Add support for Ubuntu Focal. * Add support to configure SELinux. -* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both. +* Two new variables have been introduced -- `nginx_enable` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both. ENHANCEMENTS: diff --git a/defaults/main/main.yml b/defaults/main/main.yml index e358388..1a127a3 100644 --- a/defaults/main/main.yml +++ b/defaults/main/main.yml @@ -1,16 +1,8 @@ --- -# Enable NGINX options -- `nginx_install` and `nginx_configure`. -# Default is true. -nginx_enable: true - -# Install NGINX and NGINX modules. +# Enable NGINX and NGINX modules. # Variables for these options can be found below. # Default is true. -nginx_install: true - -# Start NGINX service. -# Default is true. -nginx_start: true +nginx_enable: true # Print NGINX configuration file to terminal after executing playbook. nginx_debug_output: false 
@@ -26,13 +18,17 @@ nginx_type: opensource # For NGINX Plus and modules you'll need a wilcard like below (which installs plus-20 and modules) # nginx_version: "-20*" +# Start NGINX service. +# Default is true. +nginx_start: true + # Specify whether you want to maintain your version of NGINX, upgrade to the latest version, or remove NGINX. -# Can be used with `nginx_version` to fine tune control on which version of NGINX is installed/used on each playbook execution. -# Using 'present' will install the latest version (or 'nginx_version') of NGINX on a fresh install. -# Using 'latest' will upgrade NGINX to the latest version (that matches your 'nginx_version') of NGINX on every playbook execution. -# Using 'absent' will remove NGINX from your system. -# Default is present. -nginx_state: present +# Can be used with `nginx_version` to fine tune control which version of NGINX is installed/used on each playbook execution. +# Using 'install' will install the latest version (or 'nginx_version') of NGINX on a fresh install. +# Using 'upgrade' will upgrade NGINX to the latest version (that matches your 'nginx_version') of NGINX on every playbook execution. Does not work on Alpine Linux. +# Using 'uninstall' will remove NGINX from your system. +# Default is install. +nginx_setup: install # Specify whether or not you want to manage the NGINX repositories. # Using 'true' will manage NGINX repositories. diff --git a/defaults/main/selinux.yml b/defaults/main/selinux.yml index 5c6afb5..eec9968 100644 --- a/defaults/main/selinux.yml +++ b/defaults/main/selinux.yml 
@@ -1,12 +1,15 @@ --- # Set SELinux enforcing for NGINX (CentOS/Red Hat only) - you may need to open ports on your own nginx_selinux: false + # Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true) + nginx_selinux_enforcing: true # List of TCP ports to add to http_port_t type (80 and 443 have this type already) # nginx_selinux_tcp_ports: # - 80 # - 443 + # List of UDP ports to add to http_port_t type # nginx_selinux_udp_ports: # - 80 diff --git a/handlers/main.yml b/handlers/main.yml index bb8db49..8d28475 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,6 +10,7 @@ enabled: true when: - nginx_start | bool + - nginx_state != "absent" - not ansible_check_mode | bool listen: (Handler) Run NGINX @@ -21,6 +22,7 @@ ignore_errors: true check_mode: false changed_when: false + when: nginx_state != "absent" listen: (Handler) Run NGINX - name: (Handler) Print NGINX error if syntax check fails @@ -30,6 +32,7 @@ when: - config_check.stderr_lines is defined - config_check.rc != 0 + - nginx_state != "absent" listen: (Handler) Run NGINX - name: (Handler) Start NGINX Amplify agent diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index e4e2911..17427dd 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -32,7 +32,6 @@ - 80 - 443 nginx_version: "{{ version }}" - nginx_configure: false nginx_logrotate_conf_enable: true nginx_logrotate_conf: paths: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 68c7890..d93a4e9 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml 
@@ -23,3 +23,11 @@ uri: url: http://localhost status_code: 200 + + - name: Verify correct version of NGINX has been installed + command: nginx -v + args: + chdir: "{{ ((ansible_facts['system'] | lower is not search('bsd')) | ternary('/etc/nginx', '/usr/local/sbin')) }}" + changed_when: false + register: version + failed_when: version is not search('1.21.4') diff --git a/molecule/uninstall/converge.yml b/molecule/uninstall/converge.yml new file mode 100644 index 0000000..44e90cb --- /dev/null +++ b/molecule/uninstall/converge.yml @@ -0,0 +1,9 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Uninstall NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_setup: uninstall diff --git a/molecule/uninstall/molecule.yml b/molecule/uninstall/molecule.yml new file mode 100644 index 0000000..46d6c10 --- /dev/null +++ b/molecule/uninstall/molecule.yml 
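Review bot: The added `failed_when: version is not search('1.21.4')` tests the whole registered result rather than the command output, and the unescaped dots match any character, so the check can pass on text that is not the version string. `nginx -v` normally writes to stderr, so the intent is probably `failed_when: version.stderr is not search('1\.21\.4')`; confirm the stream on the tested images. The same line is added in `molecule/upgrade/verify.yml`, and with the release hard-coded both checks will start failing once a newer package is published. Taking the expected version from a scenario variable would avoid that.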
@@ -0,0 +1,91 @@ +--- +driver: + name: docker +lint: | + set -e + yamllint . + ansible-lint --force-color +platforms: + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.13 + image: alpine:3.13 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.14 + image: alpine:3.14 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.15 + image: alpine:3.15 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: amazonlinux-2 + image: amazonlinux:2 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-7 + image: centos:7 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-8 + image: centos:8 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: debian-buster + image: debian:buster-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: debian-bullseye + image: debian:bullseye-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-bionic + image: ubuntu:bionic + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + 
volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" +provisioner: + name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml new file mode 100644 index 0000000..5c8d5bd --- /dev/null +++ b/molecule/uninstall/prepare.yml @@ -0,0 +1,7 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx diff --git a/molecule/uninstall/verify.yml b/molecule/uninstall/verify.yml new file mode 100644 index 0000000..d5729f0 --- /dev/null +++ b/molecule/uninstall/verify.yml @@ -0,0 +1,11 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx + state: absent + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) diff --git a/molecule/uninstall_plus/converge.yml b/molecule/uninstall_plus/converge.yml new file mode 100644 index 0000000..154b570 --- /dev/null +++ b/molecule/uninstall_plus/converge.yml @@ -0,0 +1,11 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Uninstall NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_setup: uninstall + nginx_type: plus + nginx_setup_license: false diff --git a/molecule/uninstall_plus/molecule.yml b/molecule/uninstall_plus/molecule.yml new file mode 100644 index 0000000..15dbff0 --- /dev/null +++ b/molecule/uninstall_plus/molecule.yml 
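Review bot: Every platform in this new scenario runs with `privileged: true` and the host's `/sys/fs/cgroup` mounted read-write, which gives the test containers broad access to the machine running Molecule. The same block is repeated in `molecule/uninstall_plus/molecule.yml`, where the run also handles the NGINX Plus license key, and in `molecule/upgrade/molecule.yml`. If the images only need this to boot an init system, a narrower grant is worth trying, for example `capabilities: [SYS_ADMIN]` with `tmpfs: [/run, /tmp]` and the cgroup volume mounted `:ro`. If privileged mode has to stay, a comment above `platforms:` such as `# privileged is needed to run an init system in the container; use on disposable CI runners only` would record why.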
@@ -0,0 +1,91 @@ +--- +driver: + name: docker +lint: | + set -e + yamllint . + ansible-lint --force-color +platforms: + - name: alpine-3.11 + image: alpine:3.11 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.13 + image: alpine:3.13 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.14 + image: alpine:3.14 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: amazonlinux-2 + image: amazonlinux:2 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-7 + image: centos:7 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-8 + image: centos:8 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: debian-buster + image: debian:buster-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: debian-bullseye + image: debian:bullseye-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-bionic + image: ubuntu:bionic + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + 
volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" +provisioner: + name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/uninstall_plus/prepare.yml b/molecule/uninstall_plus/prepare.yml new file mode 100644 index 0000000..cd3b0b5 --- /dev/null +++ b/molecule/uninstall_plus/prepare.yml @@ -0,0 +1,30 @@ +--- +- name: Prepare license + hosts: localhost + gather_facts: false + tasks: + - name: Create ephemeral license certificate file from b64 decoded env var + copy: + content: "{{ lookup('env','NGINX_CRT') | b64decode }}" + dest: ../../files/license/nginx-repo.crt + force: false + mode: 0444 + + - name: Create ephemeral license key file from b64 decoded env var + copy: + content: "{{ lookup('env','NGINX_KEY') | b64decode }}" + dest: ../../files/license/nginx-repo.key + force: false + mode: 0444 + +- name: Prepare NGINX + hosts: all + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_type: plus + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key diff --git a/molecule/uninstall_plus/verify.yml b/molecule/uninstall_plus/verify.yml new file mode 100644 index 0000000..203bf03 --- /dev/null +++ b/molecule/uninstall_plus/verify.yml @@ -0,0 +1,11 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx-plus + state: absent + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) diff --git a/molecule/upgrade/converge.yml b/molecule/upgrade/converge.yml new file mode 100644 index 0000000..96c97f4 --- /dev/null +++ b/molecule/upgrade/converge.yml @@ -0,0 +1,9 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_setup: upgrade diff --git a/molecule/upgrade/molecule.yml b/molecule/upgrade/molecule.yml new file mode 100644 index 0000000..d0a3c1e 
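Review bot: The second copy task in `molecule/uninstall_plus/prepare.yml` writes the decoded NGINX Plus private key to `../../files/license/nginx-repo.key` with `mode: 0444`, so every local user on the machine running Molecule can read it, and neither copy task sets `no_log`, so the decoded content can surface in verbose or diff output. For the key I would use `mode: "0400"` and add `no_log: true` to both tasks; quoting the mode also removes the octal-versus-integer ambiguity of a bare `0444`. With `force: false`, an unset `NGINX_CRT` or `NGINX_KEY` on a first run leaves an empty file that later runs will not replace, so an `assert` that both lookups are non-empty before the copy would make that failure explicit. The `.gitignore` hunk in this commit adds `*.log` only; whether `files/license/` is already ignored is not visible here and is worth confirming.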
--- /dev/null +++ b/molecule/upgrade/molecule.yml @@ -0,0 +1,62 @@ +--- +driver: + name: docker +lint: | + set -e + yamllint . + ansible-lint --force-color +platforms: + - name: amazonlinux-2 + image: amazonlinux:2 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-7 + image: centos:7 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: centos-8 + image: centos:8 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: debian-buster + image: debian:buster-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: debian-bullseye + image: debian:bullseye-slim + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-bionic + image: ubuntu:bionic + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" +provisioner: + name: ansible + playbooks: + converge: converge.yml + verify: verify.yml diff --git a/molecule/upgrade/prepare.yml b/molecule/upgrade/prepare.yml new file mode 100644 index 0000000..8d06299 --- /dev/null +++ b/molecule/upgrade/prepare.yml 
@@ -0,0 +1,29 @@ +--- +- name: Prepare + hosts: all + pre_tasks: + - name: Set repo if Alpine + set_fact: + version: "=1.21.3-r1" + when: ansible_facts['os_family'] == "Alpine" + - name: Set repo if Debian + set_fact: + version: "=1.21.3-1~{{ ansible_facts['distribution_release'] }}" + when: ansible_facts['os_family'] == "Debian" + - name: Set repo if Red Hat + set_fact: + version: "-1.21.3-1.{{ (ansible_facts['distribution']=='Amazon') | ternary('amzn2', ('el' + ansible_facts['distribution_major_version'] | string)) }}.ngx" + when: ansible_facts['os_family'] == "RedHat" + - name: Enable NGINX @CentOS-AppStream dnf modules + shell: + args: + cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx # noqa command-instead-of-module + register: dnf_module_enable + changed_when: dnf_module_enable.stdout != 'ENABLED' + when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==') + tasks: + - name: Install NGINX + include_role: + name: ansible-role-nginx + vars: + nginx_version: "{{ version }}" diff --git a/molecule/upgrade/verify.yml b/molecule/upgrade/verify.yml new file mode 100644 index 0000000..4664d05 --- /dev/null +++ b/molecule/upgrade/verify.yml 
@@ -0,0 +1,33 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + package: + name: nginx + state: present + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: true + check_mode: true + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + uri: + url: http://localhost + status_code: 200 + + - name: Verify NGINX has been upgraded + command: nginx -v + args: + chdir: "{{ ((ansible_facts['system'] | lower is not search('bsd')) | ternary('/etc/nginx', '/usr/local/sbin')) }}" + changed_when: false + register: version + failed_when: version is not search('1.21.4') diff --git a/tasks/main.yml b/tasks/main.yml index 573d43a..a99ea63 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -6,78 +6,88 @@ success_msg: "Your OS, {{ ansible_facts['distribution'] }} is supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" fail_msg: "Your OS, {{ ansible_facts['distribution'] }} is not supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" when: - - nginx_install | bool + - nginx_enable | bool - (nginx_install_from == "nginx_repository" or nginx_type == "plus") ignore_errors: true # noqa ignore-errors tags: nginx_check_support +- name: Check that NGINX setup is an allowed value + assert: + that: nginx_setup in nginx_setup_vars + fail_msg: The value {{ nginx_setup }} you used for `nginx_setup` is not allowed. Try one of {{ nginx_setup_vars | join(', ') }}. + when: nginx_enable | bool + ignore_errors: true # noqa ignore-errors + tags: nginx_check_support + - name: Set up prerequisites include_tasks: "{{ role_path }}/tasks/prerequisites/prerequisites.yml" + when: nginx_state != "absent" tags: nginx_prerequisites - name: Set up signing keys include_tasks: "{{ role_path }}/tasks/keys/setup-keys.yml" - when: (nginx_install | bool and nginx_install_from == "nginx_repository") + when: (nginx_enable | bool and nginx_install_from == "nginx_repository") or nginx_amplify_enable | bool tags: nginx_key -- name: Install and Configure NGINX +- name: "{{ nginx_setup | capitalize }} NGINX" block: - - name: Install NGINX - block: - - name: Install NGINX Open Source - include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" - when: nginx_type == "opensource" - tags: nginx_install_oss + - name: "{{ nginx_setup | capitalize }} NGINX Open Source" + include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" + when: nginx_type == "opensource" + tags: nginx_install_oss - - name: Set up NGINX Plus license - include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml" - when: - - nginx_type == "plus" - - nginx_setup_license | bool - tags: nginx_setup_license + - name: Set up NGINX Plus license + include_tasks: "{{ 
role_path }}/tasks/plus/setup-license.yml" + when: + - nginx_type == "plus" + - nginx_setup_license | bool + tags: nginx_setup_license - - name: Install NGINX Plus - include_tasks: "{{ role_path }}/tasks/plus/install-{{ ansible_facts['os_family'] | lower }}.yml" - when: nginx_type == "plus" - tags: nginx_install_plus + - name: "{{ nginx_setup | capitalize }} NGINX Plus" + include_tasks: "{{ role_path }}/tasks/plus/install-{{ ansible_facts['os_family'] | lower }}.yml" + when: nginx_type == "plus" + tags: nginx_install_plus - - name: Install NGINX dynamic modules - include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" - when: - - nginx_modules is defined - - nginx_modules | length > 0 - tags: nginx_install_modules + - name: "{{ nginx_setup | capitalize }} NGINX dynamic modules" + include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" + when: + - nginx_modules is defined + - nginx_modules | length > 0 + tags: nginx_install_modules - - name: Remove NGINX Plus license - include_tasks: "{{ role_path }}/tasks/plus/remove-license.yml" - when: - - nginx_type == "plus" - - nginx_remove_license | bool - tags: nginx_remove_license + - name: Remove NGINX Plus license + include_tasks: "{{ role_path }}/tasks/plus/remove-license.yml" + when: + - nginx_type == "plus" + - nginx_remove_license | bool + tags: nginx_remove_license - - name: Modify systemd parameters - include_tasks: "{{ role_path }}/tasks/config/modify-systemd.yml" - when: - - ansible_facts['service_mgr'] == "systemd" - - nginx_service_modify | bool - tags: nginx_modify_systemd - when: nginx_install | bool - tags: nginx_install - - - name: Ensure NGINX is running - meta: flush_handlers - - - name: Debug NGINX output - include_tasks: "{{ role_path }}/tasks/config/debug-output.yml" - when: nginx_debug_output | bool - tags: nginx_debug_output - - - name: Configure logrotate for NGINX - include_tasks: "{{ role_path }}/tasks/config/setup-logrotate.yml" - when: nginx_logrotate_conf_enable | bool - 
tags: nginx_logrotate_config + - name: Modify systemd parameters + include_tasks: "{{ role_path }}/tasks/config/modify-systemd.yml" + when: + - ansible_facts['service_mgr'] == "systemd" + - nginx_service_modify | bool + tags: nginx_modify_systemd when: nginx_enable | bool + tags: nginx_enable + +- name: Trigger handlers if necessary + meta: flush_handlers + +- name: Debug NGINX output + include_tasks: "{{ role_path }}/tasks/config/debug-output.yml" + when: + - nginx_debug_output | bool + - nginx_state != "absent" + tags: nginx_debug_output + +- name: Configure logrotate for NGINX + include_tasks: "{{ role_path }}/tasks/config/setup-logrotate.yml" + when: + - nginx_logrotate_conf_enable | bool + - nginx_state != "absent" + tags: nginx_logrotate_config - name: Install NGINX Amplify include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" diff --git a/tasks/modules/install-modules.yml b/tasks/modules/install-modules.yml index 25eec76..dbe302d 100644 --- a/tasks/modules/install-modules.yml +++ b/tasks/modules/install-modules.yml @@ -7,7 +7,7 @@ - '"geoip" in nginx_modules' - nginx_install_epel_release | bool -- name: Install NGINX modules +- name: Setup NGINX modules package: name: "nginx-{{ (nginx_type == 'plus') | ternary('plus-', '') }}module-{{ item.name | default(item) }}\ {{ item.version | default(nginx_version) | default('') }}{{ (nginx_repository is not defined and ansible_facts['os_family'] == 'Alpine' and nginx_type != 'plus') | ternary('@nginx', '') }}" diff --git a/tasks/opensource/install-alpine.yml b/tasks/opensource/install-alpine.yml index 7d40910..e0fd382 100644 --- a/tasks/opensource/install-alpine.yml +++ b/tasks/opensource/install-alpine.yml 
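Review bot: The new `Check that NGINX setup is an allowed value` assert carries `ignore_errors: true`, so a mistyped `nginx_setup` is reported and the play then carries on into the install/uninstall block with whatever `nginx_state` resolves to for that value (its definition is outside this hunk). For a variable that decides between installing and removing a package, validation should stop the run: drop `ignore_errors: true  # noqa ignore-errors` from that task, and consider dropping its `when: nginx_enable | bool` so the value is checked on every run. Separately, `Set up prerequisites` gained `when: nginx_state != "absent"` but `Set up signing keys` has no such guard, so an uninstall run appears to still set up the repository signing key. If that is intended, a comment on the task saying so would help.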
@@ -1,14 +1,15 @@ --- -- name: (Alpine Linux) Configure NGINX repository +- name: (Alpine Linux) {{ (nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }} NGINX repository lineinfile: path: /etc/apk/repositories insertafter: EOF line: "{{ nginx_repository | default(nginx_default_repository_alpine) }}" + state: "{{ (nginx_state == 'uninstall') | ternary('absent', 'present') }}" when: nginx_manage_repo | bool -- name: (Alpine Linux) Install NGINX +- name: (Alpine Linux) {{ nginx_setup | capitalize }} NGINX apk: - name: "nginx{{ nginx_repository is not defined | ternary('@nginx', '') }}{{ nginx_version | default('') }}" + name: "nginx{{ (nginx_repository is not defined and nginx_setup != 'uninstall') | ternary('@nginx', '') }}{{ nginx_version | default('') }}" state: "{{ nginx_state }}" update_cache: true ignore_errors: "{{ ansible_check_mode }}" diff --git a/tasks/opensource/install-bsd.yml b/tasks/opensource/install-bsd.yml index bd8d24c..153f699 100644 --- a/tasks/opensource/install-bsd.yml +++ b/tasks/opensource/install-bsd.yml @@ -14,16 +14,16 @@ - ansible_facts['system'] == "FreeBSD" - nginx_bsd_update_ports | bool -- name: (FreeBSD) Install NGINX +- name: (FreeBSD) {{ nginx_setup | capitalize }} NGINX block: - - name: (FreeBSD) Install NGINX package + - name: (FreeBSD) {{ nginx_setup | capitalize }} NGINX package pkgng: name: "www/nginx{{ nginx_version | default('') }}" state: "{{ nginx_state }}" when: nginx_bsd_install_packages | bool notify: (Handler) Run NGINX - - name: (FreeBSD) Install NGINX port + - name: (FreeBSD) {{ nginx_setup | capitalize }} NGINX port portinstall: name: "www/nginx{{ nginx_version | default('') }}" use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" 
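Review bot: The added `state:` line on the Alpine repository task compares `nginx_state == 'uninstall'`, but the rest of this commit treats `nginx_state` as a package state (`nginx_state != "absent"` in `handlers/main.yml` and `tasks/main.yml`) and uses `nginx_setup` for `install`/`uninstall`/`upgrade`, as the task name one line above does. If `nginx_state` never equals `uninstall` (its mapping is not in this hunk), the ternary always yields `present` and an uninstall leaves the NGINX repository configured on the host. The line should read `state: "{{ (nginx_setup == 'uninstall') | ternary('absent', 'present') }}"`, matching the default used in `tasks/plus/install-alpine.yml`. The same comparison is repeated in `tasks/opensource/install-debian.yml` (repository and apt pin tasks), `install-redhat.yml` and `install-suse.yml`.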
@@ -32,9 +32,9 @@ notify: (Handler) Run NGINX when: ansible_facts['system'] == "FreeBSD" -- name: (OpenBSD) Install NGINX +- name: (OpenBSD) {{ nginx_setup | capitalize }} NGINX block: - - name: (OpenBSD) Install NGINX package + - name: (OpenBSD) {{ nginx_setup | capitalize }} NGINX package openbsd_pkg: name: "nginx{{ nginx_version | default('') }}" build: false @@ -42,7 +42,7 @@ when: nginx_bsd_install_packages | bool notify: (Handler) Run NGINX - - name: (OpenBSD) Install NGINX port + - name: (OpenBSD) {{ nginx_setup | capitalize }} NGINX port openbsd_pkg: name: "nginx{{ nginx_version | default('') }}" build: true 
@@ -51,28 +51,28 @@ notify: (Handler) Run NGINX when: ansible_facts['system'] == "OpenBSD" -- name: (NetBSD) Install NGINX +- name: (NetBSD) {{ nginx_setup | capitalize }} NGINX block: - - name: (NetBSD) Install NGINX package + - name: (NetBSD) {{ nginx_setup | capitalize }} NGINX package command: "pkg_add www/nginx{{ nginx_version | default('') }}" when: nginx_bsd_install_packages | bool notify: (Handler) Run NGINX - - name: (NetBSD) Install NGINX port + - name: (NetBSD) {{ nginx_setup | capitalize }} NGINX port fail: - msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." + msg: "{{ ansible_facts['system'] }} {{ nginx_setup | capitalize }} NGINX port not implemented." when: not nginx_bsd_install_packages | bool when: ansible_facts['system'] == "NetBSD" -- name: (DragonFlyBSD/HardenedBSD) Install NGINX +- name: (DragonFlyBSD/HardenedBSD) {{ nginx_setup | capitalize }} NGINX block: - - name: (DragonFlyBSD/HardenedBSD) Install NGINX package + - name: (DragonFlyBSD/HardenedBSD) {{ nginx_setup | capitalize }} NGINX package command: "pkg install www/nginx{{ nginx_version | default('') }}" when: nginx_bsd_install_packages | bool notify: (Handler) Run NGINX - - name: (DragonFlyBSD/HardenedBSD) Install NGINX port + - name: (DragonFlyBSD/HardenedBSD) {{ nginx_setup | capitalize }} NGINX port fail: - msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." + msg: "{{ ansible_facts['system'] }} {{ nginx_setup | capitalize }} NGINX port not implemented." when: not nginx_bsd_install_packages | bool when: ansible_facts['system'] in ['DragonFlyBSD', 'HardenedBSD'] diff --git a/tasks/opensource/install-debian.yml b/tasks/opensource/install-debian.yml index 87e57ec..486fb3b 100644 --- a/tasks/opensource/install-debian.yml +++ b/tasks/opensource/install-debian.yml 
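Review bot: The NetBSD and DragonFlyBSD/HardenedBSD package tasks are now titled from `nginx_setup`, but their commands are still the fixed `pkg_add www/nginx…` and `pkg install www/nginx…`, so with `nginx_setup: uninstall` a task reported as "Uninstall NGINX package" installs the package. Until removal is implemented for these systems, either keep the literal `Install` names and skip the blocks with `when: nginx_setup != 'uninstall'`, or fail explicitly the way the port tasks in the same blocks do. Both `command` tasks also have no `changed_when` or `creates`, so they report a change on every run; that predates this hunk.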
@@ -1,14 +1,15 @@ --- -- name: (Debian/Ubuntu) Configure NGINX repository +- name: (Debian/Ubuntu) {{ (nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }} NGINX repository apt_repository: filename: nginx repo: "{{ item }}" update_cache: true mode: 0644 + state: "{{ (nginx_state == 'uninstall') | ternary('absent', 'present') }}" loop: "{{ nginx_repository | default(nginx_default_repository_debian) }}" when: nginx_manage_repo | bool -- name: (Debian/Ubuntu) Pin NGINX repository +- name: (Debian/Ubuntu) {{ (nginx_setup == 'uninstall') | ternary('Unpin', 'Pin') }} NGINX repository blockinfile: path: /etc/apt/preferences.d/99nginx create: true @@ -18,9 +19,10 @@ Pin: release o=nginx Pin-Priority: 900 mode: 0644 + state: "{{ (nginx_state == 'uninstall') | ternary('absent', 'present') }}" when: nginx_repository is not defined -- name: (Debian/Ubuntu) Install NGINX +- name: (Debian/Ubuntu) {{ nginx_setup | capitalize }} NGINX apt: name: "nginx{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/opensource/install-oss.yml b/tasks/opensource/install-oss.yml index 1a573ad..6605561 100644 --- a/tasks/opensource/install-oss.yml +++ b/tasks/opensource/install-oss.yml @@ -1,15 +1,15 @@ --- -- name: Install NGINX in Linux systems +- name: "{{ nginx_setup | capitalize }} NGINX in Linux systems" block: - - name: Install NGINX from repository + - name: "{{ nginx_setup | capitalize }} NGINX from repository" include_tasks: "{{ role_path }}/tasks/opensource/install-{{ ansible_facts['os_family'] | lower }}.yml" when: nginx_install_from == "nginx_repository" - - name: Install NGINX from source + - name: "{{ nginx_setup | capitalize }} NGINX from source" include_tasks: "{{ role_path }}/tasks/opensource/install-source.yml" when: nginx_install_from == "source" - - name: Install NGINX from package + - name: "{{ nginx_setup | capitalize }} NGINX from package" package: name: "nginx{{ nginx_version | default('') }}" state: "{{ nginx_state }}" 
@@ -17,6 +17,6 @@ notify: (Handler) Run NGINX when: ansible_facts['system'] | lower is not search('bsd') -- name: Install NGINX in Unix systems +- name: "{{ nginx_setup | capitalize }} NGINX in Unix systems" include_tasks: "{{ role_path }}/tasks/opensource/install-bsd.yml" when: ansible_facts['system'] | lower is search('bsd') diff --git a/tasks/opensource/install-redhat.yml b/tasks/opensource/install-redhat.yml index 82451f4..8e6a7bc 100644 --- a/tasks/opensource/install-redhat.yml +++ b/tasks/opensource/install-redhat.yml @@ -1,5 +1,5 @@ --- -- name: (Amazon Linux/CentOS/RHEL) Configure NGINX repository +- name: (Amazon Linux/CentOS/RHEL) {{ (nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }} NGINX repository yum_repository: name: nginx baseurl: "{{ nginx_repository | @@ -9,9 +9,10 @@ gpgcheck: true mode: 0644 module_hotfixes: true + state: "{{ (nginx_state == 'uninstall') | ternary('absent', 'present') }}" when: nginx_manage_repo | bool -- name: (Amazon Linux/CentOS/RHEL) Install NGINX +- name: (Amazon Linux/CentOS/RHEL) {{ nginx_setup | capitalize }} NGINX yum: name: "nginx{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/opensource/install-suse.yml b/tasks/opensource/install-suse.yml index eff066f..b8f157d 100644 --- a/tasks/opensource/install-suse.yml +++ b/tasks/opensource/install-suse.yml @@ -1,11 +1,12 @@ --- -- name: (SLES) Configure NGINX repository +- name: (SLES) {{ (nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }} NGINX repository zypper_repository: name: "nginx-{{ nginx_branch }}" repo: "{{ nginx_repository | default(nginx_default_repository_suse) }}" + state: "{{ (nginx_state == 'uninstall') | ternary('absent', 'present') }}" when: nginx_manage_repo | bool -- name: (SLES) Install NGINX +- name: (SLES) {{ nginx_setup | capitalize }} NGINX zypper: name: "nginx{{ nginx_version | default('') }}" state: "{{ nginx_state }}" 
diff --git a/tasks/plus/install-alpine.yml b/tasks/plus/install-alpine.yml index 42aeb1e..bb5d7bb 100644 --- a/tasks/plus/install-alpine.yml +++ b/tasks/plus/install-alpine.yml @@ -4,10 +4,10 @@ path: /etc/apk/repositories insertafter: EOF line: "{{ nginx_repository | default(nginx_plus_default_repository_alpine) }}" - state: "{{ nginx_license_status | default ('present') }}" + state: "{{ nginx_license_status | default((nginx_setup == 'uninstall') | ternary('absent', 'present')) }}" when: nginx_manage_repo | bool -- name: (Alpine Linux) Install NGINX Plus +- name: (Alpine Linux) {{ nginx_setup | capitalize }} NGINX Plus apk: name: "nginx-plus{{ nginx_version | default('') }}" repository: "{{ nginx_repository | default(nginx_plus_default_repository_alpine) }}" diff --git a/tasks/plus/install-debian.yml b/tasks/plus/install-debian.yml index 5b4c685..0cd19f3 100644 --- a/tasks/plus/install-debian.yml +++ b/tasks/plus/install-debian.yml @@ -8,7 +8,7 @@ Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true"; Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert "/etc/ssl/nginx/nginx-repo.crt"; Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey "/etc/ssl/nginx/nginx-repo.key"; - state: "{{ nginx_license_status | default ('present') }}" + state: "{{ nginx_license_status | default((nginx_setup == 'uninstall') | ternary('absent', 'present')) }}" mode: 0444 - name: (Debian/Ubuntu) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository 
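Review bot: The repository task title on the last context line of the plus/install-debian.yml hunk still reads `{{ nginx_license_status is defined | ternary('Remove', 'Configure') }}`, while its `state:` (changed in the following hunk) now also resolves to `absent` when `nginx_setup == 'uninstall'`. During an uninstall with the license still managed, the log will say "Configure NGINX Plus repository" for a task that removes it. plus/install-redhat.yml received the combined condition in this commit; using `{{ (nginx_license_status is defined or nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }}` here and in plus/install-suse.yml would keep the three files consistent. The task body continues outside this hunk.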
@@ -16,11 +16,11 @@ filename: nginx-plus repo: "{{ nginx_repository | default(nginx_plus_default_repository_debian) }}" update_cache: false - state: "{{ nginx_license_status | default ('present') }}" + state: "{{ nginx_license_status | default((nginx_setup == 'uninstall') | ternary('absent', 'present')) }}" mode: 0644 when: nginx_manage_repo | bool -- name: (Debian/Ubuntu) Install NGINX Plus +- name: (Debian/Ubuntu) {{ nginx_setup | capitalize }} NGINX Plus apt: name: "nginx-plus{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/plus/install-freebsd.yml b/tasks/plus/install-freebsd.yml index 219f522..373ca52 100644 --- a/tasks/plus/install-freebsd.yml +++ b/tasks/plus/install-freebsd.yml @@ -22,7 +22,7 @@ mode: 0644 when: nginx_manage_repo | bool -- name: (FreeBSD) Install NGINX Plus +- name: (FreeBSD) {{ nginx_setup | capitalize }} NGINX Plus pkgng: name: "nginx-plus{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/plus/install-redhat.yml b/tasks/plus/install-redhat.yml index b87bf7f..abef8db 100644 --- a/tasks/plus/install-redhat.yml +++ b/tasks/plus/install-redhat.yml @@ -1,5 +1,5 @@ --- -- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ (nginx_license_status is defined or nginx_setup == 'uninstall') | ternary('Remove', 'Configure') }} NGINX Plus repository yum_repository: name: nginx-plus baseurl: "{{ nginx_repository | 
@@ -9,11 +9,11 @@ sslclientkey: /etc/ssl/nginx/nginx-repo.key enabled: true gpgcheck: true - state: "{{ nginx_license_status | default ('present') }}" + state: "{{ nginx_license_status | default((nginx_setup == 'uninstall') | ternary('absent', 'present')) }}" mode: 0644 when: nginx_manage_repo | bool -- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install NGINX Plus +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ nginx_setup | capitalize }} NGINX Plus yum: name: "nginx-plus{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/plus/install-suse.yml b/tasks/plus/install-suse.yml index 88be166..2237bd5 100644 --- a/tasks/plus/install-suse.yml +++ b/tasks/plus/install-suse.yml @@ -1,19 +1,12 @@ --- -- name: (SLES) Combine NGINX Plus certificate and license key - assemble: - src: /etc/ssl/nginx - dest: /etc/ssl/nginx/nginx-repo-bundle.crt - mode: 0444 - when: nginx_license_status is not defined - - name: (SLES) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository zypper_repository: name: nginx-plus repo: "{{ nginx_repository | default(nginx_plus_default_repository_suse) }}" - state: "{{ nginx_license_status | default ('present') }}" + state: "{{ nginx_license_status | default((nginx_setup == 'uninstall') | ternary('absent', 'present')) }}" when: nginx_manage_repo | bool -- name: (SLES) Install NGINX Plus +- name: (SLES) {{ nginx_setup | capitalize }} NGINX Plus zypper: name: "nginx-plus{{ nginx_version | default('') }}" state: "{{ nginx_state }}" diff --git a/tasks/plus/setup-license.yml b/tasks/plus/setup-license.yml index ec9bdd3..7fa6ed2 100644 --- a/tasks/plus/setup-license.yml +++ b/tasks/plus/setup-license.yml 
@@ -40,3 +40,10 @@ decrypt: true mode: 0444 when: ansible_facts['os_family'] == "Alpine" + +- name: (SLES) Combine NGINX Plus certificate and license key + assemble: + src: /etc/ssl/nginx + dest: /etc/ssl/nginx/nginx-repo-bundle.crt + mode: 0444 + when: ansible_facts['os_family'] == "Suse" diff --git a/vars/main.yml b/vars/main.yml index 168e7d4..9919e9b 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,17 @@ --- +nginx_setup_vars: [ + 'install', 'uninstall', 'upgrade', +] + +nginx_default_setup: install + +nginx_state_vals: + install: present + uninstall: absent + upgrade: latest + +nginx_state: "{{ nginx_state_vals[nginx_setup] | default(nginx_state_vals[nginx_default_setup]) }}" + # Supported NGINX Open Source distributions # https://nginx.org/en/docs/install.html nginx_distributions: [
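Review bot: The relocated SLES `assemble` task writes /etc/ssl/nginx/nginx-repo-bundle.crt with `mode: 0444`, and since it concatenates the contents of /etc/ssl/nginx, the bundle presumably includes the repository private key and is then readable by every local user. Assuming zypper only reads the bundle as root, `mode: "0400"` (quoted, so the octal is not re-typed by the YAML parser) would be the safer setting. Because `dest` lives inside `src`, a later run may also fold the existing bundle into itself; restricting the fragments with `regexp: 'nginx-repo\.(crt|key)$'` would avoid that. The move also drops the old `when: nginx_license_status is not defined` guard, so it is worth confirming that whatever includes setup-license.yml does not run this task when the license is being removed.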
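Review bot: In vars/main.yml, `nginx_state` falls back to `nginx_state_vals[nginx_default_setup]` whenever `nginx_setup` is not a key of `nginx_state_vals`, so a misspelled value such as `unistall` silently resolves to `present` and installs NGINX instead of failing. If tasks/main.yml does not already validate the input (not visible in this hunk), an early `assert` with `that: nginx_setup in nginx_setup_vars` would make the misconfiguration visible before any package task runs. A short comment above `nginx_setup_vars` stating that it is the list of accepted `nginx_setup` values would help, since its name differs from `nginx_state_vals` only by "vars" versus "vals".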