Triple S!!! Speed, Systemd and Selinux (#272)
This commit is contained in:
parent
f3c8bd2b70
commit
7e6a7f0397
@ -223,4 +223,6 @@ Author Information
|
||||
|
||||
[Grzegorz Dzien](https://github.com/gdzien)
|
||||
|
||||
[Tom Gamull](https://github.com/magicalyak)
|
||||
|
||||
© [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020
|
||||
|
@ -94,3 +94,18 @@ nginx_cleanup_config_path:
|
||||
- directory:
|
||||
- /etc/nginx/conf.d
|
||||
recurse: false
|
||||
|
||||
# Set selinux enforcing for nginx (Centos/Redhat only) - you may need to open ports on your own
|
||||
nginx_selinux: false
|
||||
# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
|
||||
nginx_selinux_enforcing: true
|
||||
# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
|
||||
# nginx_selinux_tcp_ports:
|
||||
# - 80
|
||||
# - 443
|
||||
# List of UDP ports to add to http_port_t type
|
||||
# nginx_selinux_udp_ports:
|
||||
# - 80
|
||||
# - 443
|
||||
# Temporary directory to hold selinux modules
|
||||
nginx_tempdir: /tmp
|
||||
|
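Review bot: `nginx_tempdir: /tmp` makes the role stage its SELinux policy module (`nginx-plus-module.te/.mod/.pp`) under fixed names in a directory every local user can write to, and the build steps in the new tasks/prerequisites/setup-selinux.yml are guarded with `creates:`, so whatever file already sits at that path is what `semodule -i` loads as root without being regenerated. Defaulting to a root-owned location (a directory the role creates with `mode: '0700'`, or one obtained from the `tempfile` module) removes that exposure; at minimum the comment should state that the directory must not be writable by other users. The comment on `nginx_selinux_enforcing` would also read better split into two sentences, e.g. `# Put SELinux into enforcing mode when true; permissive (audit only) when false.` / `# Only evaluated when nginx_selinux is true.`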
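--- a/defaults/main/systemd.yml
+++ b/defaults/main/systemd.yml
@@ -0,0 +1,43 @@
+---
+# Enable systemd modifications
+# ** ALL of the following variables are ignored unless this is set to true **
+nginx_service_modify: false
+
+# Remove the override file completely
+nginx_service_clean: false
+
+# Override the systemd directory
+# Default is /etc/systemd/system/nginx.service.d
+nginx_service_overridepath: /etc/systemd/system/nginx.service.d
+
+# Override the systemd filename
+# Default is override.conf
+nginx_service_overridefilename: override.conf
+
+# Set service timeout for systemd systems in seconds (default: 90)
+# [Service]
+# TimeoutStopSec=90
+# Default is to comment this out
+# nginx_service_timeoutstopsec: 90
+
+# Set the restart policy for systemd systems
+# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
+# [Service]
+# Restart=on-failure
+# Default is to comment this out
+# nginx_service_restart: on-failure
+
+# Set the restart timer in seconds
+# [Service]
+# RestartSec=5s
+# Default is to comment this out
+# nginx_service_restartsec: 5s
+
+# Enable a custom systemd override file
+# ** This could break the service **
+# Setting this to true disables custom values above
+nginx_service_custom: false
+
+# Filename and path for systemd override file
+# Setting this will overwrite existing override file
+nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"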
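Review bot: The TimeoutStopSec stanza contradicts itself: the first comment line says `(default: 90)` while three lines later `# Default is to comment this out` says the setting is omitted unless the variable is set, and the latter is what the tasks do. Drop the parenthetical, e.g. `# Set service stop timeout for systemd systems, in seconds (omitted unless set)`. The `nginx_service_clean` comment, `# Remove the override file completely`, should also say what is actually removed once the cleanup task is settled, since the task in setup-systemd.yml currently removes the whole drop-in directory.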
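--- a/files/services/nginx.override.conf
+++ b/files/services/nginx.override.conf
@@ -0,0 +1,2 @@
+[Service]
+TimeoutStopSec=90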
@ -1,4 +1,14 @@
|
||||
---
|
||||
# handlers file for ansible-role-nginx
|
||||
- name: "(Handler: All OSs) Check NGINX"
|
||||
command: "nginx -t"
|
||||
changed_when: false
|
||||
|
||||
- name: "(Handler: All OSs) systemd daemon-reload"
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
notify: "(Handler: All OSs) Start NGINX"
|
||||
|
||||
- name: "(Handler: All OSs) Run NGINX"
|
||||
block:
|
||||
|
||||
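Review bot: `daemon_reload: yes` in the new daemon-reload handler uses a YAML 1.1 truthy form, whereas the new files in this commit write `true`/`false` (`changed_when: false` two lines above, `nginx_service_modify: false` in the defaults); `daemon_reload: true` keeps yamllint's truthy rule and the role consistent. The pre-existing `enabled: yes` shown as context in the following hunk has the same shape and could be normalised in the same pass.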
@ -33,7 +43,3 @@
|
||||
name: unitd
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: "(Handler: All OSs) Check NGINX"
|
||||
command: "nginx -t"
|
||||
changed_when: false
|
||||
|
@ -25,7 +25,10 @@
|
||||
- role: ansible-role-nginx
|
||||
vars:
|
||||
nginx_debug_output: true
|
||||
|
||||
nginx_selinux: true
|
||||
nginx_selinux_tcp_ports:
|
||||
- 80
|
||||
- 443
|
||||
nginx_version: "{{ version }}"
|
||||
nginx_logrotate_conf_enable: true
|
||||
nginx_logrotate_conf:
|
||||
|
@ -6,6 +6,13 @@
|
||||
vars:
|
||||
nginx_debug_output: true
|
||||
|
||||
nginx_service_modify: true
|
||||
nginx_service_timeout: 95
|
||||
nginx_selinux: true
|
||||
nginx_selinux_tcp_ports:
|
||||
- 80
|
||||
- 443
|
||||
|
||||
nginx_cleanup_config: true
|
||||
nginx_cleanup_config_path:
|
||||
- directory:
|
||||
|
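Review bot: `nginx_service_timeout: 95` does not name any variable the role reads: defaults/main/systemd.yml defines `nginx_service_timeoutstopsec`, and the override template keys on that name, so this scenario exercises `nginx_service_modify: true` with no timeout set at all. Rename it to `nginx_service_timeoutstopsec: 95` here and in the identical hunk that follows so the rendered drop-in actually contains `TimeoutStopSec=95`. The enclosing play's `vars:` block continues outside the hunk.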
@ -6,6 +6,13 @@
|
||||
vars:
|
||||
nginx_debug_output: true
|
||||
|
||||
nginx_service_modify: true
|
||||
nginx_service_timeout: 95
|
||||
nginx_selinux: true
|
||||
nginx_selinux_tcp_ports:
|
||||
- 80
|
||||
- 443
|
||||
|
||||
nginx_main_template_enable: true
|
||||
nginx_main_template:
|
||||
template_file: nginx.conf.j2
|
||||
|
@ -1,9 +1,8 @@
|
||||
---
|
||||
- import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- import_tasks: setup-redhat.yml
|
||||
when: ansible_os_family == "RedHat"
|
||||
- include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_os_family | lower }}.yml"
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
or ansible_os_family == "Redhat"
|
||||
|
||||
- name: "(Install: All OSs) Install NGINX Amplify Agent"
|
||||
package:
|
||||
|
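Review bot: `or ansible_os_family == "Redhat"` will never match: Ansible reports the family as `RedHat`, which is the spelling the removed line and every other comparison in this commit use, so the amplify setup include is skipped on CentOS/RHEL hosts. Change it to `or ansible_os_family == "RedHat"`. The include path itself is built from `ansible_os_family | lower`, so only the guard is affected.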
16
tasks/keys/setup-keys.yml
Normal file
16
tasks/keys/setup-keys.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
- name: "(Setup: Keys) Alpine"
|
||||
include_tasks: "{{ role_path }}/tasks/keys/apk-key.yml"
|
||||
when: ansible_os_family == "Alpine"
|
||||
tags: nginx_apkkey
|
||||
|
||||
- name: "(Setup: Keys) Debian"
|
||||
include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml"
|
||||
when: ansible_os_family == "Debian"
|
||||
tags: nginx_aptkey
|
||||
|
||||
- name: "(Setup: Keys) RedHat/Suse"
|
||||
include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml"
|
||||
when: ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "Suse"
|
||||
tags: nginx_rpmkey
|
@ -1,44 +1,36 @@
|
||||
---
|
||||
- import_tasks: prerequisites/install-prerequisites.yml
|
||||
- name: "(Setup: Prerequisites)"
|
||||
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml"
|
||||
tags: nginx_prerequisites
|
||||
|
||||
- import_tasks: keys/apt-key.yml
|
||||
- name: "(Setup: Keys)"
|
||||
import_tasks: keys/setup-keys.yml
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
- nginx_install_from == "nginx_repository"
|
||||
or nginx_amplify_enable
|
||||
or nginx_unit_enable
|
||||
tags: nginx_aptkey
|
||||
|
||||
- import_tasks: keys/rpm-key.yml
|
||||
when:
|
||||
- ansible_os_family == "RedHat"
|
||||
- ansible_os_family == "Alpine"
|
||||
or ansible_os_family == "Debian"
|
||||
or ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "Suse"
|
||||
- nginx_install_from == "nginx_repository"
|
||||
or nginx_amplify_enable
|
||||
or nginx_unit_enable
|
||||
tags: nginx_rpmkey
|
||||
|
||||
- import_tasks: keys/apk-key.yml
|
||||
when: ansible_os_family == "Alpine"
|
||||
tags: nginx_apkkey
|
||||
tags: nginx_key
|
||||
|
||||
- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX"
|
||||
block:
|
||||
|
||||
- import_tasks: opensource/install-oss.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml"
|
||||
when: nginx_type == "opensource"
|
||||
tags: nginx_install_oss
|
||||
|
||||
- import_tasks: plus/install-plus.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml"
|
||||
when: nginx_type == "plus"
|
||||
tags: nginx_install_plus
|
||||
|
||||
- import_tasks: conf/cleanup-config.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml"
|
||||
when: nginx_cleanup_config | bool
|
||||
tags: nginx_cleanup_config
|
||||
|
||||
- import_tasks: conf/upload-config.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml"
|
||||
when: nginx_main_upload_enable
|
||||
or nginx_http_upload_enable
|
||||
or nginx_stream_upload_enable
|
||||
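Review bot: Replacing `import_tasks` with `include_tasks` changes what the `tags:` on these entries mean: by default tags on a dynamic include apply to the include statement only, so `ansible-playbook --tags nginx_install_oss` (or any other tag in this hunk and the two hunks that follow) runs the include but skips the tasks inside the included file unless they carry the tag themselves. Either keep `import_tasks` where per-tag runs matter, or propagate the tag with `apply`, e.g. `include_tasks:` / `  file: "{{ role_path }}/tasks/opensource/install-oss.yml"` / `  apply: { tags: nginx_install_oss }` while leaving the entry's own `tags:` in place. The `(Setup: Prerequisites)` include near the top now has no OS guard, so a host whose `ansible_os_family` has no matching `setup-<family>.yml` fails at include time instead of being skipped as the replaced per-OS imports were; a `when: ansible_os_family in ...` guard listing the families that have a file would restore that.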
@ -46,26 +38,26 @@
|
||||
or nginx_ssl_upload_enable
|
||||
tags: nginx_upload_config
|
||||
|
||||
- import_tasks: conf/template-config.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/template-config.yml"
|
||||
when: nginx_main_template_enable
|
||||
or nginx_http_template_enable
|
||||
or nginx_stream_template_enable
|
||||
or nginx_rest_api_enable
|
||||
tags: nginx_template_config
|
||||
|
||||
- import_tasks: conf/setup-status.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml"
|
||||
when: nginx_status_enable | bool
|
||||
tags: nginx_setup_status
|
||||
|
||||
- import_tasks: modules/install-modules.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml"
|
||||
when: true in nginx_modules.values()
|
||||
tags: nginx_install_modules
|
||||
|
||||
- import_tasks: conf/debug-output.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml"
|
||||
when: nginx_debug_output | bool
|
||||
tags: nginx_debug_output
|
||||
|
||||
- import_tasks: plus/delete-license.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml"
|
||||
when:
|
||||
- nginx_type == "plus"
|
||||
- nginx_delete_license
|
||||
@ -73,17 +65,17 @@
|
||||
|
||||
when: nginx_enable | bool
|
||||
|
||||
- import_tasks: amplify/install-amplify.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml"
|
||||
when:
|
||||
- nginx_amplify_enable | bool
|
||||
- nginx_amplify_api_key is defined
|
||||
- nginx_amplify_api_key | length > 0
|
||||
tags: nginx_install_amplify
|
||||
|
||||
- import_tasks: unit/install-unit.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
|
||||
when: nginx_unit_enable | bool
|
||||
tags: nginx_install_unit
|
||||
|
||||
- import_tasks: conf/logrotate.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml"
|
||||
when: nginx_logrotate_conf_enable | bool
|
||||
tags: nginx_logrotate_config
|
||||
|
@ -1,28 +1,28 @@
|
||||
---
|
||||
- import_tasks: install-njs.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-njs.yml"
|
||||
when: nginx_modules.njs | default(false)
|
||||
|
||||
- import_tasks: install-perl.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-perl.yml"
|
||||
when: nginx_modules.perl | default(false)
|
||||
|
||||
- import_tasks: install-geoip.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-geoip.yml"
|
||||
when:
|
||||
- nginx_modules.geoip | default(false)
|
||||
- ansible_os_family != "RedHat"
|
||||
- ansible_distribution_major_version != "8"
|
||||
|
||||
- import_tasks: install-image-filter.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-image-filter.yml"
|
||||
when: nginx_modules.image_filter | default(false)
|
||||
|
||||
- import_tasks: install-rtmp.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-rtmp.yml"
|
||||
when:
|
||||
- nginx_modules.rtmp | default(false)
|
||||
- nginx_type == "plus"
|
||||
|
||||
- import_tasks: install-xslt.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-xslt.yml"
|
||||
when: nginx_modules.xslt | default(false)
|
||||
|
||||
- import_tasks: install-waf.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/modules/install-waf.yml"
|
||||
when:
|
||||
- nginx_modules.waf | default(false)
|
||||
- nginx_type == "plus"
|
||||
|
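Review bot: The geoip guard requires both `- ansible_os_family != "RedHat"` and `- ansible_distribution_major_version != "8"` to hold, so the module is never installed on any RedHat-family host and is also skipped on non-RedHat releases whose major version happens to be 8. These are context lines rather than part of this change, but if the intent is "not on RHEL/CentOS 8" the condition should be `- not (ansible_os_family == "RedHat" and ansible_distribution_major_version == "8")`. Worth confirming against the package availability the role assumes before changing it.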
@ -1,23 +1,21 @@
|
||||
---
|
||||
- name: "(Install: Linux) Configure NGINX repo"
|
||||
block:
|
||||
include_tasks: "{{ role_path }}/tasks/opensource/setup-{{ ansible_os_family | lower }}.yml"
|
||||
when:
|
||||
- ansible_os_family == "Alpine"
|
||||
or ansible_os_family == "Debian"
|
||||
or ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "Suse"
|
||||
- nginx_install_from == "nginx_repository"
|
||||
|
||||
- import_tasks: setup-alpine.yml
|
||||
when: ansible_os_family == "Alpine"
|
||||
|
||||
- import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- import_tasks: setup-redhat.yml
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- import_tasks: setup-suse.yml
|
||||
when: ansible_os_family == "Suse"
|
||||
|
||||
when: nginx_install_from == "nginx_repository"
|
||||
- name: "(Install: Linux) Modify Service for Systemd"
|
||||
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
|
||||
when:
|
||||
- ansible_service_mgr == "systemd"
|
||||
- nginx_service_modify
|
||||
|
||||
- name: "(Install: Linux) Install NGINX from source"
|
||||
import_tasks: setup-source.yml
|
||||
include_tasks: "{{ role_path }}/tasks/opensource/setup-source.yml"
|
||||
when: nginx_install_from == "source"
|
||||
|
||||
- name: "(Install: Linux) Install NGINX package"
|
||||
|
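Review bot: The new `(Install: Linux) Modify Service for Systemd` task tests `- nginx_service_modify` bare, whereas the guards elsewhere in this commit use `| bool` (`nginx_cleanup_config | bool`, `nginx_status_enable | bool`); a value supplied as the string `"false"` from extra-vars or an inventory is truthy and would still create the override. Write `- nginx_service_modify | bool`, and likewise for the verbatim copy of this task in the plus install hunk and for `- nginx_selinux` in the new setup-redhat.yml and setup-suse.yml. Since the task is duplicated between the OSS and Plus install files, moving it into the prerequisites include would avoid keeping two copies in sync. The enclosing task list continues outside the hunk.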
@ -1,8 +1,8 @@
|
||||
---
|
||||
- name: "(Install: OSS Linux)"
|
||||
import_tasks: install-oss-linux.yml
|
||||
include_tasks: "{{ role_path }}/tasks/opensource/install-oss-linux.yml"
|
||||
when: ansible_os_family in nginx_linux_families
|
||||
|
||||
- name: "(Install: OSS BSD)"
|
||||
import_tasks: install-oss-bsd.yml
|
||||
include_tasks: "{{ role_path }}/tasks/opensource/install-oss-bsd.yml"
|
||||
when: ansible_system in nginx_bsd_systems
|
||||
|
@ -18,17 +18,10 @@
|
||||
- /etc/apk/cert.pem
|
||||
when: ansible_distribution == "Alpine"
|
||||
|
||||
- import_tasks: setup-alpine.yml
|
||||
when: ansible_os_family == "Alpine"
|
||||
|
||||
- import_tasks: setup-bsd.yml
|
||||
when: ansible_os_family == "FreeBSD"
|
||||
|
||||
- import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- import_tasks: setup-redhat.yml
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- import_tasks: setup-suse.yml
|
||||
when: ansible_os_family == "Suse"
|
||||
- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
|
||||
when:
|
||||
- ansible_os_family == "Alpine"
|
||||
or ansible_os_family == "FreeBSD"
|
||||
or ansible_os_family == "Debian"
|
||||
or ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "Suse"
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
- import_tasks: setup-bsd.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml"
|
||||
when: ansible_os_family == "FreeBSD"
|
||||
|
||||
- name: "(Install: FreeBSD) Install NGINX Plus"
|
||||
|
@ -1,15 +1,16 @@
|
||||
---
|
||||
- import_tasks: setup-alpine.yml
|
||||
when: ansible_os_family == "Alpine"
|
||||
- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
|
||||
when:
|
||||
- ansible_os_family == "Alpine"
|
||||
or ansible_os_family == "Debian"
|
||||
or ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "Suse"
|
||||
|
||||
- import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- import_tasks: setup-redhat.yml
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- import_tasks: setup-suse.yml
|
||||
when: ansible_os_family == "Suse"
|
||||
- name: "(Install: Linux) Modify Service for Systemd"
|
||||
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
|
||||
when:
|
||||
- ansible_service_mgr == "systemd"
|
||||
- nginx_service_modify
|
||||
|
||||
- name: "(Install: Linux) Install NGINX Plus"
|
||||
package:
|
||||
|
@ -1,11 +1,11 @@
|
||||
---
|
||||
- name: "(Install: All OSs) Setup license"
|
||||
import_tasks: setup-license.yml
|
||||
include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml"
|
||||
|
||||
- name: "(Install: Linux) Install NGINX Plus"
|
||||
import_tasks: install-plus-linux.yml
|
||||
include_tasks: "{{ role_path }}/tasks/plus/install-plus-linux.yml"
|
||||
when: ansible_os_family in nginx_plus_linux_families
|
||||
|
||||
- name: "(Install: FreeBSD) Install NGINX Plus"
|
||||
import_tasks: install-plus-bsd.yml
|
||||
include_tasks: "{{ role_path }}/tasks/plus/install-plus-bsd.yml"
|
||||
when: ansible_system in nginx_plus_bsd_systems
|
||||
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
- name: "(Setup: Debian/Ubuntu) Install Prerequisites"
|
||||
import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: "(Setup: FreeBSD) Install Prerequisites"
|
||||
import_tasks: setup-freebsd.yml
|
||||
when: ansible_system == "FreeBSD"
|
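--- a/tasks/prerequisites/setup-alpine.yml
+++ b/tasks/prerequisites/setup-alpine.yml
@@ -0,0 +1 @@
+---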
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: "(Install: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
|
||||
- name: "(Setup: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
|
@ -1,14 +1,14 @@
|
||||
---
|
||||
- name: "(Install: FreeBSD) Install Required Dependencies"
|
||||
- name: "(Setup: FreeBSD) Install Required Dependencies"
|
||||
block:
|
||||
|
||||
- name: "(Install: FreeBSD) Install Extra Package(s)"
|
||||
- name: "(Setup: FreeBSD) Install Extra Package(s)"
|
||||
pkgng:
|
||||
name: "{{ nginx_freebsd_extra_packages }}"
|
||||
state: present
|
||||
when: nginx_bsd_install_packages|bool
|
||||
|
||||
- name: "(Install: FreeBSD) Install Extra Port(s)"
|
||||
- name: "(Setup: FreeBSD) Install Extra Port(s)"
|
||||
portinstall:
|
||||
name: "{{ item }}"
|
||||
use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}"
|
||||
|
6
tasks/prerequisites/setup-redhat.yml
Normal file
6
tasks/prerequisites/setup-redhat.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: "(Setup: RedHat/CentOS) Setup SELinux"
|
||||
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
|
||||
when:
|
||||
- nginx_selinux
|
||||
- ansible_selinux.mode is defined
|
105
tasks/prerequisites/setup-selinux.yml
Normal file
105
tasks/prerequisites/setup-selinux.yml
Normal file
@ -0,0 +1,105 @@
|
||||
---
|
||||
- name: "(Setup: SELinux) Install Required CentOS Dependencies"
|
||||
package:
|
||||
name: policycoreutils-python, setools
|
||||
state: present
|
||||
when:
|
||||
- not ansible_os_family == "RedHat"
|
||||
- not ansible_distribution_major_version == "8"
|
||||
|
||||
- name: "(Setup: SELinux) Install Required RHEL8 Dependencies"
|
||||
package:
|
||||
name:
|
||||
- selinux-policy-targeted
|
||||
- libselinux-utils
|
||||
- policycoreutils
|
||||
state: present
|
||||
when:
|
||||
- ansible_os_family == "RedHat"
|
||||
- ansible_distribution_major_version == "8"
|
||||
|
||||
- name: "(Setup: SELinux) Check for SELinux enabled"
|
||||
debug:
|
||||
msg: "You need to enable selinux, if it was disabled you need to reboot"
|
||||
when: ansible_selinux is undefined
|
||||
|
||||
- name: "(Setup: SELinux) Permissive SELinux"
|
||||
selinux:
|
||||
state: permissive
|
||||
policy: targeted
|
||||
changed_when: false
|
||||
when: ansible_selinux.mode == "enforcing"
|
||||
|
||||
- name: "(Setup: SELinux: Booleans) Allow HTTP network connection"
|
||||
seboolean:
|
||||
name: httpd_can_network_connect
|
||||
state: yes
|
||||
persistent: yes
|
||||
|
||||
- name: "(Setup: SELinux: Booleans) Allow HTTP relay connection"
|
||||
seboolean:
|
||||
name: httpd_can_network_relay
|
||||
state: yes
|
||||
persistent: yes
|
||||
|
||||
- name: "(Setup: SELinux: Ports) Allow status ports"
|
||||
seport:
|
||||
ports: "{{ nginx_status_port }}"
|
||||
proto: tcp
|
||||
setype: http_port_t
|
||||
state: present
|
||||
when: nginx_status_port is defined
|
||||
|
||||
- name: "(Setup: SELinux: Ports) Allow Rest API ports"
|
||||
seport:
|
||||
ports: "{{ nginx_rest_api_port }}"
|
||||
proto: tcp
|
||||
setype: http_port_t
|
||||
state: present
|
||||
when: nginx_rest_api_port is defined"
|
||||
|
||||
- name: "(Setup: SELinux: Ports) Allow Specific TCP Ports"
|
||||
seport:
|
||||
ports: "{{ nginx_selinux_tcp_ports }}"
|
||||
proto: tcp
|
||||
setype: http_port_t
|
||||
state: present
|
||||
when: nginx_selinux_tcp_ports is defined
|
||||
|
||||
- name: "(Setup: SELinux: Ports) Allow Specific UDP Ports"
|
||||
seport:
|
||||
ports: "{{ nginx_selinux_udp_ports }}"
|
||||
proto: udp
|
||||
setype: http_port_t
|
||||
state: present
|
||||
when: nginx_selinux_udp_ports is defined
|
||||
|
||||
- name: "(Setup: SELinux: Module) Create NGINX Plus Module"
|
||||
template:
|
||||
src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
|
||||
dest: "{{ nginx_tempdir }}/nginx-plus-module.te"
|
||||
register: nginx_selinux_module
|
||||
|
||||
- name: "(Setup: SELinux: Module) Check NGINX Plus Module"
|
||||
command: "checkmodule -M -m -o {{ nginx_tempdir }}/nginx-plus-module.mod {{ nginx_tempdir }}/nginx-plus-module.te"
|
||||
args:
|
||||
creates: "{{ nginx_tempdir }}/nginx-plus-module.mod"
|
||||
changed_when: false
|
||||
|
||||
- name: "(Setup: SELinux: Module) Compile NGINX Plus Module"
|
||||
command: "semodule_package -o {{ nginx_tempdir }}/nginx-plus-module.pp -m {{ nginx_tempdir }}/nginx-plus-module.mod"
|
||||
args:
|
||||
creates: "{{ nginx_tempdir }}/nginx-plus-module.pp"
|
||||
changed_when: false
|
||||
|
||||
- name: "(Setup: SELinux: Module) Import NGINX Plus Module" # noqa 503
|
||||
command: "semodule -i {{ nginx_tempdir }}/nginx-plus-module.pp"
|
||||
changed_when: false
|
||||
when: nginx_selinux_module.changed
|
||||
|
||||
- name: "(Setup: SELinux) Enforce SELinux"
|
||||
selinux:
|
||||
state: enforcing
|
||||
policy: targeted
|
||||
changed_when: false
|
||||
when: nginx_selinux_enforcing and ansible_selinux.mode == "permissive"
|
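Review bot: `Permissive SELinux` switches an enforcing host to permissive (and the `selinux` module writes that state to the SELinux config file as well as the running kernel), but the closing `Enforce SELinux` task only runs when `ansible_selinux.mode == "permissive"`, and that fact still holds the value gathered at play start, so a host that began enforcing is left permissive at the end of the run; `changed_when: false` on both tasks additionally hides the downgrade from the play recap. Re-enforce on `when: nginx_selinux_enforcing | bool` alone (or register the permissive task and key on its result), and drop `changed_when: false` so the change is visible. Two further defects in the same file: `when: nginx_rest_api_port is defined"` has a stray trailing quote that turns the conditional into a template error, and the `Install Required CentOS Dependencies` guard `- not ansible_os_family == "RedHat"` / `- not ansible_distribution_major_version == "8"` is inverted, installing `policycoreutils-python` on non-RedHat hosts and never on RHEL/CentOS 7, where presumably `- ansible_os_family == "RedHat"` / `- ansible_distribution_major_version != "8"` was meant. Lastly, `creates:` on the checkmodule and semodule_package steps means a changed template is never recompiled and `semodule -i` reloads the stale `.pp`; remove those `creates:` guards or key the steps on `nginx_selinux_module.changed` like the import step already does.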
6
tasks/prerequisites/setup-suse.yml
Normal file
6
tasks/prerequisites/setup-suse.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: "(Setup: Suse) Setup SELinux"
|
||||
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
|
||||
when:
|
||||
- nginx_selinux
|
||||
- ansible_selinux.mode is defined
|
38
tasks/prerequisites/setup-systemd.yml
Normal file
38
tasks/prerequisites/setup-systemd.yml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
- name: "(Setup: Linux) Create override directory for NGINX systemd Service"
|
||||
file:
|
||||
path: "{{ nginx_service_overridepath }}"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
|
||||
- name: "(Setup: Linux) Create override for NGINX systemd Service"
|
||||
template:
|
||||
src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2"
|
||||
dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: "(Handler: All OSs) systemd daemon-reload"
|
||||
when:
|
||||
- not nginx_service_custom
|
||||
- not nginx_service_clean
|
||||
|
||||
- name: "(Setup: Linux) Customize override for NGINX systemd Service"
|
||||
copy:
|
||||
src: "{{ nginx_service_custom_file }}"
|
||||
dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: "(Handler: All OSs) systemd daemon-reload"
|
||||
when:
|
||||
- nginx_service_custom
|
||||
- not nginx_service_clean
|
||||
|
||||
- name: "(Setup: Linux) Remove override for NGINX systemd Service"
|
||||
file:
|
||||
path: "{{ nginx_service_overridepath }}"
|
||||
state: absent
|
||||
notify: "(Handler: All OSs) systemd daemon-reload"
|
||||
when:
|
||||
- nginx_service_clean
|
@ -1,12 +1,9 @@
|
||||
---
|
||||
- import_tasks: setup-debian.yml
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- import_tasks: setup-redhat.yml
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- import_tasks: setup-freebsd.yml
|
||||
when: ansible_os_family == "FreeBSD"
|
||||
- include_tasks: "{{ role_path }}/tasks/unit/setup-{{ ansible_os_family | lower }}.yml"
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
or ansible_os_family == "RedHat"
|
||||
or ansible_os_family == "FreeBSD"
|
||||
|
||||
- name: "(Install: Debian/Ubuntu/CentOS/RedHat) Install NGINX Unit"
|
||||
package:
|
||||
@ -22,5 +19,5 @@
|
||||
when: ansible_os_family == "FreeBSD"
|
||||
notify: "(Handler: FreeBSD) Start NGINX Unit"
|
||||
|
||||
- import_tasks: install-modules.yml
|
||||
- include_tasks: "{{ role_path }}/tasks/unit/install-modules.yml"
|
||||
when: nginx_unit_modules is defined and nginx_unit_modules
|
||||
|
20
templates/selinux/nginx-plus-module.te.j2
Normal file
20
templates/selinux/nginx-plus-module.te.j2
Normal file
@ -0,0 +1,20 @@
|
||||
module nginx-plus-module 1.0;
|
||||
|
||||
require {
|
||||
type httpd_t;
|
||||
type usr_t;
|
||||
type initrc_t;
|
||||
type http_cache_port_t;
|
||||
class sock_file write;
|
||||
class unix_stream_socket connectto;
|
||||
class file { create write };
|
||||
class tcp_socket name_connect;
|
||||
}
|
||||
|
||||
#============= httpd_t ==============
|
||||
allow httpd_t http_cache_port_t:tcp_socket name_connect;
|
||||
|
||||
allow httpd_t initrc_t:unix_stream_socket connectto;
|
||||
|
||||
allow httpd_t usr_t:file { create write };
|
||||
allow httpd_t usr_t:sock_file write;
|
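Review bot: `allow httpd_t usr_t:file { create write }` together with `allow httpd_t usr_t:sock_file write` grants nginx create/write access to every file labelled `usr_t`, which is far wider than the single socket or cache path a module like this usually exists for, and the tasks in setup-selinux.yml load it on every `nginx_selinux: true` run with no `nginx_type` guard even though the module is named and described as Plus-only. A header comment naming the path(s) NGINX Plus actually writes would let a reviewer judge whether the grant can be narrowed to a dedicated type or a file context, e.g. `# Needed for: <path(s) NGINX Plus writes under /usr — TODO fill in>`, and the loading tasks should carry `when: nginx_type == "plus"`. The file contains no Jinja, so the `.j2` suffix and `template:` are unnecessary; `copy:` would do.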
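--- a/templates/services/nginx.service.override.conf.j2
+++ b/templates/services/nginx.service.override.conf.j2
@@ -0,0 +1,10 @@
+[Service]
+{% if nginx_service_timeoutstopsec is defined %}
+TimeoutStopSec={{ nginx_service_timeoutstopsec | default(90) }}
+{% endif %}
+{% if nginx_service_restartonfailure is defined %}
+Restart=on-failure
+{% endif %}
+{% if nginx_service_restartsec is defined %}
+RestartSec={{ nginx_service_restartsec }}
+{% endif %}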
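Review bot: The `Restart=` block keys on `nginx_service_restartonfailure`, a variable nothing in this commit defines, while defaults/main/systemd.yml documents `nginx_service_restart` with the full list of systemd values (`no`, `on-failure`, `on-abnormal`, ...); as written the documented variable is ignored and the only output possible is a hard-coded `on-failure`. Change the two lines to `{% if nginx_service_restart is defined %}` / `Restart={{ nginx_service_restart }}`. The `| default(90)` on `TimeoutStopSec` is dead inside an `is defined` guard and can be dropped, which also removes the apparent conflict with the defaults file's "(default: 90)" comment.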