Triple S!!! Speed, Systemd and Selinux (#272)

2020-06-30 12:59:53 -04:00 · 2020-06-30 12:59:53 -04:00 · 7e6a7f0397
commit 7e6a7f0397
parent f3c8bd2b70
29 changed files with 370 additions and 111 deletions
--- a/README.md
+++ b/README.md
@ -223,4 +223,6 @@ Author Information

 [Grzegorz Dzien](https://github.com/gdzien)

+[Tom Gamull](https://github.com/magicalyak)
+
 &copy; [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020
--- a/defaults/main/main.yml
+++ b/defaults/main/main.yml
@ -94,3 +94,18 @@ nginx_cleanup_config_path:
  - directory:
      - /etc/nginx/conf.d
    recurse: false
+
+# Set selinux enforcing for nginx (Centos/Redhat only) - you may need to open ports on your own
+nginx_selinux: false
+# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
+nginx_selinux_enforcing: true
+# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
+# nginx_selinux_tcp_ports:
+#   - 80
+#   - 443
+# List of UDP ports to add to http_port_t type
+# nginx_selinux_udp_ports:
+#   - 80
+#   - 443
+# Temporary directory to hold selinux modules
+nginx_tempdir: /tmp
--- a/defaults/main/systemd.yml
+++ b/defaults/main/systemd.yml
@ -0,0 +1,43 @@
+---
+# Enable systemd modifications
+# ** ALL of the following variables are ignored unless this is set to true **
+nginx_service_modify: false
+
+# Remove the override file completely
+nginx_service_clean: false
+
+# Override the systemd directory
+# Default is /etc/systemd/system/nginx.service.d
+nginx_service_overridepath: /etc/systemd/system/nginx.service.d
+
+# Override the systemd filename
+# Default is override.conf
+nginx_service_overridefilename: override.conf
+
+# Set service timeout for systemd systems in seconds (default: 90)
+# [Service]
+# TimeoutStopSec=90
+# Default is to comment this out
+# nginx_service_timeoutstopsec: 90
+
+# Set the restart policy for systemd systems
+# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
+# [Service]
+# Restart=on-failure
+# Default is to comment this out
+# nginx_service_restart: on-failure
+
+# Set the restart timer in seconds
+# [Service]
+# RestartSec=5s
+# Default is to comment this out
+# nginx_service_restartsec: 5s
+
+# Enable a custom systemd override file
+# ** This could break the service **
+# Setting this to true disables custom values above
+nginx_service_custom: false
+
+# Filename and path for systemd override file
+# Setting this will overwrite existing override file
+nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"
--- a/files/services/nginx.override.conf
+++ b/files/services/nginx.override.conf
@ -0,0 +1,2 @@
+[Service]
+TimeoutStopSec=90
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,4 +1,14 @@
 ---
+# handlers file for ansible-role-nginx
+- name: "(Handler: All OSs) Check NGINX"
+  command: "nginx -t"
+  changed_when: false
+
+- name: "(Handler: All OSs) systemd daemon-reload"
+  systemd:
+    daemon_reload: yes
+  notify: "(Handler: All OSs) Start NGINX"
+
 - name: "(Handler: All OSs) Run NGINX"
  block:

@ -33,7 +43,3 @@
    name: unitd
    state: started
    enabled: yes
-
- name: "(Handler: All OSs) Check NGINX"
-  command: "nginx -t"
-  changed_when: false
--- a/molecule/common/playbook_default.yml
+++ b/molecule/common/playbook_default.yml
@ -25,7 +25,10 @@
    - role: ansible-role-nginx
  vars:
    nginx_debug_output: true
-
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
    nginx_version: "{{ version }}"
    nginx_logrotate_conf_enable: true
    nginx_logrotate_conf:
--- a/molecule/common/playbook_module.yml
+++ b/molecule/common/playbook_module.yml
@ -6,6 +6,13 @@
  vars:
    nginx_debug_output: true

+    nginx_service_modify: true
+    nginx_service_timeout: 95
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
+
    nginx_cleanup_config: true
    nginx_cleanup_config_path:
      - directory:
--- a/molecule/common/playbook_template.yml
+++ b/molecule/common/playbook_template.yml
@ -6,6 +6,13 @@
  vars:
    nginx_debug_output: true

+    nginx_service_modify: true
+    nginx_service_timeout: 95
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
+
    nginx_main_template_enable: true
    nginx_main_template:
      template_file: nginx.conf.j2
--- a/tasks/amplify/install-amplify.yml
+++ b/tasks/amplify/install-amplify.yml
@ -1,9 +1,8 @@
 ---
- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
+- include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Debian"
+      or ansible_os_family == "Redhat"

 - name: "(Install: All OSs) Install NGINX Amplify Agent"
  package:
--- a/tasks/keys/setup-keys.yml
+++ b/tasks/keys/setup-keys.yml
@ -0,0 +1,16 @@
+---
+- name: "(Setup: Keys) Alpine"
+  include_tasks: "{{ role_path }}/tasks/keys/apk-key.yml"
+  when: ansible_os_family == "Alpine"
+  tags: nginx_apkkey
+
+- name: "(Setup: Keys) Debian"
+  include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml"
+  when: ansible_os_family == "Debian"
+  tags: nginx_aptkey
+
+- name: "(Setup: Keys) RedHat/Suse"
+  include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml"
+  when: ansible_os_family == "RedHat"
+        or ansible_os_family == "Suse"
+  tags: nginx_rpmkey
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,44 +1,36 @@
 ---
- import_tasks: prerequisites/install-prerequisites.yml
+- name: "(Setup: Prerequisites)"
+  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml"
  tags: nginx_prerequisites

- import_tasks: keys/apt-key.yml
+- name: "(Setup: Keys)"
+  import_tasks: keys/setup-keys.yml
  when:
-    - ansible_os_family == "Debian"
-    - nginx_install_from == "nginx_repository"
-      or nginx_amplify_enable
-      or nginx_unit_enable
-  tags: nginx_aptkey
-
- import_tasks: keys/rpm-key.yml
-  when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family == "Alpine"
+      or ansible_os_family == "Debian"
+      or ansible_os_family == "RedHat"
      or ansible_os_family == "Suse"
    - nginx_install_from == "nginx_repository"
      or nginx_amplify_enable
      or nginx_unit_enable
-  tags: nginx_rpmkey
-
- import_tasks: keys/apk-key.yml
-  when: ansible_os_family == "Alpine"
-  tags: nginx_apkkey
+  tags: nginx_key

 - name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX"
  block:

-    - import_tasks: opensource/install-oss.yml
+    - include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml"
      when: nginx_type == "opensource"
      tags: nginx_install_oss

-    - import_tasks: plus/install-plus.yml
+    - include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml"
      when: nginx_type == "plus"
      tags: nginx_install_plus

-    - import_tasks: conf/cleanup-config.yml
+    - include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml"
      when: nginx_cleanup_config | bool
      tags: nginx_cleanup_config

-    - import_tasks: conf/upload-config.yml
+    - include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml"
      when: nginx_main_upload_enable
            or nginx_http_upload_enable
            or nginx_stream_upload_enable
@ -46,26 +38,26 @@
            or nginx_ssl_upload_enable
      tags: nginx_upload_config

-    - import_tasks: conf/template-config.yml
+    - include_tasks: "{{ role_path }}/tasks/conf/template-config.yml"
      when: nginx_main_template_enable
            or nginx_http_template_enable
            or nginx_stream_template_enable
            or nginx_rest_api_enable
      tags: nginx_template_config

-    - import_tasks: conf/setup-status.yml
+    - include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml"
      when: nginx_status_enable | bool
      tags: nginx_setup_status

-    - import_tasks: modules/install-modules.yml
+    - include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml"
      when: true in nginx_modules.values()
      tags: nginx_install_modules

-    - import_tasks: conf/debug-output.yml
+    - include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml"
      when: nginx_debug_output | bool
      tags: nginx_debug_output

-    - import_tasks: plus/delete-license.yml
+    - include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml"
      when:
        - nginx_type == "plus"
        - nginx_delete_license
@ -73,17 +65,17 @@

  when: nginx_enable | bool

- import_tasks: amplify/install-amplify.yml
+- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml"
  when:
    - nginx_amplify_enable | bool
    - nginx_amplify_api_key is defined
    - nginx_amplify_api_key | length > 0
  tags: nginx_install_amplify

- import_tasks: unit/install-unit.yml
+- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
  when: nginx_unit_enable | bool
  tags: nginx_install_unit

- import_tasks: conf/logrotate.yml
+- include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml"
  when: nginx_logrotate_conf_enable | bool
  tags: nginx_logrotate_config
--- a/tasks/modules/install-modules.yml
+++ b/tasks/modules/install-modules.yml
@ -1,28 +1,28 @@
 ---
- import_tasks: install-njs.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-njs.yml"
  when: nginx_modules.njs | default(false)

- import_tasks: install-perl.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-perl.yml"
  when: nginx_modules.perl | default(false)

- import_tasks: install-geoip.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-geoip.yml"
  when:
    - nginx_modules.geoip | default(false)
    - ansible_os_family != "RedHat"
    - ansible_distribution_major_version != "8"

- import_tasks: install-image-filter.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-image-filter.yml"
  when: nginx_modules.image_filter | default(false)

- import_tasks: install-rtmp.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-rtmp.yml"
  when:
    - nginx_modules.rtmp | default(false)
    - nginx_type == "plus"

- import_tasks: install-xslt.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-xslt.yml"
  when: nginx_modules.xslt | default(false)

- import_tasks: install-waf.yml
+- include_tasks: "{{ role_path }}/tasks/modules/install-waf.yml"
  when:
    - nginx_modules.waf | default(false)
    - nginx_type == "plus"
--- a/tasks/opensource/install-oss-linux.yml
+++ b/tasks/opensource/install-oss-linux.yml
@ -1,23 +1,21 @@
 ---
 - name: "(Install: Linux) Configure NGINX repo"
-  block:
+  include_tasks: "{{ role_path }}/tasks/opensource/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Alpine"
+      or ansible_os_family == "Debian"
+      or ansible_os_family == "RedHat"
+      or ansible_os_family == "Suse"
+    - nginx_install_from == "nginx_repository"

-    - import_tasks: setup-alpine.yml
-      when: ansible_os_family == "Alpine"
-
-    - import_tasks: setup-debian.yml
-      when: ansible_os_family == "Debian"
-
-    - import_tasks: setup-redhat.yml
-      when: ansible_os_family == "RedHat"
-
-    - import_tasks: setup-suse.yml
-      when: ansible_os_family == "Suse"
-
-  when: nginx_install_from == "nginx_repository"
+- name: "(Install: Linux) Modify Service for Systemd"
+  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
+  when:
+    - ansible_service_mgr == "systemd"
+    - nginx_service_modify

 - name: "(Install: Linux) Install NGINX from source"
-  import_tasks: setup-source.yml
+  include_tasks: "{{ role_path }}/tasks/opensource/setup-source.yml"
  when: nginx_install_from == "source"

 - name: "(Install: Linux) Install NGINX package"
--- a/tasks/opensource/install-oss.yml
+++ b/tasks/opensource/install-oss.yml
@ -1,8 +1,8 @@
 ---
 - name: "(Install: OSS Linux)"
-  import_tasks: install-oss-linux.yml
+  include_tasks: "{{ role_path }}/tasks/opensource/install-oss-linux.yml"
  when: ansible_os_family in nginx_linux_families

 - name: "(Install: OSS BSD)"
-  import_tasks: install-oss-bsd.yml
+  include_tasks: "{{ role_path }}/tasks/opensource/install-oss-bsd.yml"
  when: ansible_system in nginx_bsd_systems
--- a/tasks/plus/delete-license.yml
+++ b/tasks/plus/delete-license.yml
@ -18,17 +18,10 @@
    - /etc/apk/cert.pem
  when: ansible_distribution == "Alpine"

- import_tasks: setup-alpine.yml
-  when: ansible_os_family == "Alpine"
-
- import_tasks: setup-bsd.yml
-  when: ansible_os_family == "FreeBSD"
-
- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
-
- import_tasks: setup-suse.yml
-  when: ansible_os_family == "Suse"
+- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Alpine"
+      or ansible_os_family == "FreeBSD"
+      or ansible_os_family == "Debian"
+      or ansible_os_family == "RedHat"
+      or ansible_os_family == "Suse"
--- a/tasks/plus/install-plus-bsd.yml
+++ b/tasks/plus/install-plus-bsd.yml
@ -1,5 +1,5 @@
 ---
- import_tasks: setup-bsd.yml
+- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml"
  when: ansible_os_family == "FreeBSD"

 - name: "(Install: FreeBSD) Install NGINX Plus"
--- a/tasks/plus/install-plus-linux.yml
+++ b/tasks/plus/install-plus-linux.yml
@ -1,15 +1,16 @@
 ---
- import_tasks: setup-alpine.yml
-  when: ansible_os_family == "Alpine"
+- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Alpine"
+      or ansible_os_family == "Debian"
+      or ansible_os_family == "RedHat"
+      or ansible_os_family == "Suse"

- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
-
- import_tasks: setup-suse.yml
-  when: ansible_os_family == "Suse"
+- name: "(Install: Linux) Modify Service for Systemd"
+  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
+  when:
+    - ansible_service_mgr == "systemd"
+    - nginx_service_modify

 - name: "(Install: Linux) Install NGINX Plus"
  package:
--- a/tasks/plus/install-plus.yml
+++ b/tasks/plus/install-plus.yml
@ -1,11 +1,11 @@
 ---
 - name: "(Install: All OSs) Setup license"
-  import_tasks: setup-license.yml
+  include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml"

 - name: "(Install: Linux) Install NGINX Plus"
-  import_tasks: install-plus-linux.yml
+  include_tasks: "{{ role_path }}/tasks/plus/install-plus-linux.yml"
  when: ansible_os_family in nginx_plus_linux_families

 - name: "(Install: FreeBSD) Install NGINX Plus"
-  import_tasks: install-plus-bsd.yml
+  include_tasks: "{{ role_path }}/tasks/plus/install-plus-bsd.yml"
  when: ansible_system in nginx_plus_bsd_systems
--- a/tasks/prerequisites/install-prerequisites.yml
+++ b/tasks/prerequisites/install-prerequisites.yml
@ -1,8 +0,0 @@
---
- name: "(Setup: Debian/Ubuntu) Install Prerequisites"
-  import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
- name: "(Setup: FreeBSD) Install Prerequisites"
-  import_tasks: setup-freebsd.yml
-  when: ansible_system == "FreeBSD"
--- a/tasks/prerequisites/setup-alpine.yml
+++ b/tasks/prerequisites/setup-alpine.yml
@ -0,0 +1 @@
+---
--- a/tasks/prerequisites/setup-debian.yml
+++ b/tasks/prerequisites/setup-debian.yml
@ -1,5 +1,5 @@
 ---
- name: "(Install: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
+- name: "(Setup: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
  apt:
    name:
      - apt-transport-https
--- a/tasks/prerequisites/setup-freebsd.yml
+++ b/tasks/prerequisites/setup-freebsd.yml
@ -1,14 +1,14 @@
 ---
- name: "(Install: FreeBSD) Install Required Dependencies"
+- name: "(Setup: FreeBSD) Install Required Dependencies"
  block:

-    - name: "(Install: FreeBSD) Install Extra Package(s)"
+    - name: "(Setup: FreeBSD) Install Extra Package(s)"
      pkgng:
        name: "{{ nginx_freebsd_extra_packages }}"
        state: present
      when: nginx_bsd_install_packages|bool

-    - name: "(Install: FreeBSD) Install Extra Port(s)"
+    - name: "(Setup: FreeBSD) Install Extra Port(s)"
      portinstall:
        name: "{{ item }}"
        use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}"
--- a/tasks/prerequisites/setup-redhat.yml
+++ b/tasks/prerequisites/setup-redhat.yml
@ -0,0 +1,6 @@
+---
+- name: "(Setup: RedHat/CentOS) Setup SELinux"
+  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
+  when:
+    - nginx_selinux
+    - ansible_selinux.mode is defined
--- a/tasks/prerequisites/setup-selinux.yml
+++ b/tasks/prerequisites/setup-selinux.yml
@ -0,0 +1,105 @@
+---
+- name: "(Setup: SELinux) Install Required CentOS Dependencies"
+  package:
+    name: policycoreutils-python, setools
+    state: present
+  when:
+    - not ansible_os_family == "RedHat"
+    - not ansible_distribution_major_version == "8"
+
+- name: "(Setup: SELinux) Install Required RHEL8 Dependencies"
+  package:
+    name:
+      - selinux-policy-targeted
+      - libselinux-utils
+      - policycoreutils
+    state: present
+  when:
+    - ansible_os_family == "RedHat"
+    - ansible_distribution_major_version == "8"
+
+- name: "(Setup: SELinux) Check for SELinux enabled"
+  debug:
+    msg: "You need to enable selinux, if it was disabled you need to reboot"
+  when: ansible_selinux is undefined
+
+- name: "(Setup: SELinux) Permissive SELinux"
+  selinux:
+    state: permissive
+    policy: targeted
+  changed_when: false
+  when: ansible_selinux.mode == "enforcing"
+
+- name: "(Setup: SELinux: Booleans) Allow HTTP network connection"
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+
+- name: "(Setup: SELinux: Booleans) Allow HTTP relay connection"
+  seboolean:
+    name: httpd_can_network_relay
+    state: yes
+    persistent: yes
+
+- name: "(Setup: SELinux: Ports) Allow status ports"
+  seport:
+    ports: "{{ nginx_status_port }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when: nginx_status_port is defined
+
+- name: "(Setup: SELinux: Ports) Allow Rest API ports"
+  seport:
+    ports: "{{ nginx_rest_api_port }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when: nginx_rest_api_port is defined"
+
+- name: "(Setup: SELinux: Ports) Allow Specific TCP Ports"
+  seport:
+    ports: "{{ nginx_selinux_tcp_ports }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when: nginx_selinux_tcp_ports is defined
+
+- name: "(Setup: SELinux: Ports) Allow Specific UDP Ports"
+  seport:
+    ports: "{{ nginx_selinux_udp_ports }}"
+    proto: udp
+    setype: http_port_t
+    state: present
+  when: nginx_selinux_udp_ports is defined
+
+- name: "(Setup: SELinux: Module) Create NGINX Plus Module"
+  template:
+    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
+    dest: "{{ nginx_tempdir }}/nginx-plus-module.te"
+  register: nginx_selinux_module
+
+- name: "(Setup: SELinux: Module) Check NGINX Plus Module"
+  command: "checkmodule -M -m -o {{ nginx_tempdir }}/nginx-plus-module.mod {{ nginx_tempdir }}/nginx-plus-module.te"
+  args:
+    creates: "{{ nginx_tempdir }}/nginx-plus-module.mod"
+  changed_when: false
+
+- name: "(Setup: SELinux: Module) Compile NGINX Plus Module"
+  command: "semodule_package -o {{ nginx_tempdir }}/nginx-plus-module.pp -m {{ nginx_tempdir }}/nginx-plus-module.mod"
+  args:
+    creates: "{{ nginx_tempdir }}/nginx-plus-module.pp"
+  changed_when: false
+
+- name: "(Setup: SELinux: Module) Import NGINX Plus Module"  # noqa 503
+  command: "semodule -i {{ nginx_tempdir }}/nginx-plus-module.pp"
+  changed_when: false
+  when: nginx_selinux_module.changed
+
+- name: "(Setup: SELinux) Enforce SELinux"
+  selinux:
+    state: enforcing
+    policy: targeted
+  changed_when: false
+  when: nginx_selinux_enforcing and ansible_selinux.mode == "permissive"
--- a/tasks/prerequisites/setup-suse.yml
+++ b/tasks/prerequisites/setup-suse.yml
@ -0,0 +1,6 @@
+---
+- name: "(Setup: Suse) Setup SELinux"
+  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
+  when:
+    - nginx_selinux
+    - ansible_selinux.mode is defined
--- a/tasks/prerequisites/setup-systemd.yml
+++ b/tasks/prerequisites/setup-systemd.yml
@ -0,0 +1,38 @@
+---
+- name: "(Setup: Linux) Create override directory for NGINX systemd Service"
+  file:
+    path: "{{ nginx_service_overridepath }}"
+    state: directory
+    mode: '0755'
+
+- name: "(Setup: Linux) Create override for NGINX systemd Service"
+  template:
+    src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2"
+    dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: "(Handler: All OSs) systemd daemon-reload"
+  when:
+    - not nginx_service_custom
+    - not nginx_service_clean
+
+- name: "(Setup: Linux) Customize override for NGINX systemd Service"
+  copy:
+    src: "{{ nginx_service_custom_file }}"
+    dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: "(Handler: All OSs) systemd daemon-reload"
+  when:
+    - nginx_service_custom
+    - not nginx_service_clean
+
+- name: "(Setup: Linux) Remove override for NGINX systemd Service"
+  file:
+    path: "{{ nginx_service_overridepath }}"
+    state: absent
+  notify: "(Handler: All OSs) systemd daemon-reload"
+  when:
+    - nginx_service_clean
--- a/tasks/unit/install-unit.yml
+++ b/tasks/unit/install-unit.yml
@ -1,12 +1,9 @@
 ---
- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
-
- import_tasks: setup-freebsd.yml
-  when: ansible_os_family == "FreeBSD"
+- include_tasks: "{{ role_path }}/tasks/unit/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Debian"
+      or ansible_os_family == "RedHat"
+      or ansible_os_family == "FreeBSD"

 - name: "(Install: Debian/Ubuntu/CentOS/RedHat) Install NGINX Unit"
  package:
@ -22,5 +19,5 @@
  when: ansible_os_family == "FreeBSD"
  notify: "(Handler: FreeBSD) Start NGINX Unit"

- import_tasks: install-modules.yml
+- include_tasks: "{{ role_path }}/tasks/unit/install-modules.yml"
  when: nginx_unit_modules is defined and nginx_unit_modules
--- a/templates/selinux/nginx-plus-module.te.j2
+++ b/templates/selinux/nginx-plus-module.te.j2
@ -0,0 +1,20 @@
+module nginx-plus-module 1.0;
+
+require {
+        type httpd_t;
+        type usr_t;
+        type initrc_t;
+        type http_cache_port_t;
+        class sock_file write;
+        class unix_stream_socket connectto;
+        class file { create write };
+        class tcp_socket name_connect;
+}
+
+#============= httpd_t ==============
+allow httpd_t http_cache_port_t:tcp_socket name_connect;
+
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+allow httpd_t usr_t:file { create write };
+allow httpd_t usr_t:sock_file write;
--- a/templates/services/nginx.service.override.conf.j2
+++ b/templates/services/nginx.service.override.conf.j2
@ -0,0 +1,10 @@
+[Service]
+{% if nginx_service_timeoutstopsec is defined %}
+TimeoutStopSec={{ nginx_service_timeoutstopsec | default(90) }}
+{% endif %}
+{% if nginx_service_restartonfailure is defined %}
+Restart=on-failure
+{% endif %}
+{% if nginx_service_restartsec is defined %}
+RestartSec={{ nginx_service_restartsec }}
+{% endif %}