From 7e6a7f0397b87b585d18acd8c41d37b9286730ba Mon Sep 17 00:00:00 2001 
From: Tom Gamull Date: Tue, 30 Jun 2020 12:59:53 -0400 Subject: [PATCH] Triple S!!! Speed, Systemd and Selinux (#272) --- README.md | 2 + defaults/main/main.yml | 15 +++ defaults/main/systemd.yml | 43 +++++++ files/services/nginx.override.conf | 2 + handlers/main.yml | 14 ++- molecule/common/playbook_default.yml | 5 +- molecule/common/playbook_module.yml | 7 ++ molecule/common/playbook_template.yml | 7 ++ tasks/amplify/install-amplify.yml | 9 +- tasks/keys/setup-keys.yml | 16 +++ tasks/main.yml | 48 ++++---- tasks/modules/install-modules.yml | 14 +-- tasks/opensource/install-oss-linux.yml | 28 +++-- tasks/opensource/install-oss.yml | 4 +- tasks/plus/delete-license.yml | 21 ++-- tasks/plus/install-plus-bsd.yml | 2 +- tasks/plus/install-plus-linux.yml | 21 ++-- tasks/plus/install-plus.yml | 6 +- tasks/prerequisites/install-prerequisites.yml | 8 -- tasks/prerequisites/setup-alpine.yml | 1 + tasks/prerequisites/setup-debian.yml | 2 +- tasks/prerequisites/setup-freebsd.yml | 6 +- tasks/prerequisites/setup-redhat.yml | 6 + tasks/prerequisites/setup-selinux.yml | 105 ++++++++++++++++++ tasks/prerequisites/setup-suse.yml | 6 + tasks/prerequisites/setup-systemd.yml | 38 +++++++ tasks/unit/install-unit.yml | 15 +-- templates/selinux/nginx-plus-module.te.j2 | 20 ++++ .../services/nginx.service.override.conf.j2 | 10 ++ 29 files changed, 370 insertions(+), 111 deletions(-) create mode 100644 defaults/main/systemd.yml create mode 100644 files/services/nginx.override.conf create mode 100644 tasks/keys/setup-keys.yml delete mode 100644 tasks/prerequisites/install-prerequisites.yml create mode 100644 tasks/prerequisites/setup-alpine.yml create mode 100644 tasks/prerequisites/setup-redhat.yml create mode 100644 tasks/prerequisites/setup-selinux.yml create mode 100644 tasks/prerequisites/setup-suse.yml create mode 100644 tasks/prerequisites/setup-systemd.yml create mode 100644 templates/selinux/nginx-plus-module.te.j2 create mode 100644 
templates/services/nginx.service.override.conf.j2 diff --git a/README.md b/README.md index 0215c88..9e9aa01 100644 --- a/README.md +++ b/README.md @@ -223,4 +223,6 @@ Author Information [Grzegorz Dzien](https://github.com/gdzien) +[Tom Gamull](https://github.com/magicalyak) + © [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020 diff --git a/defaults/main/main.yml b/defaults/main/main.yml index 3c5a404..7ac9780 100644 --- a/defaults/main/main.yml +++ b/defaults/main/main.yml @@ -94,3 +94,18 @@ nginx_cleanup_config_path: - directory: - /etc/nginx/conf.d recurse: false + +# Set selinux enforcing for nginx (Centos/Redhat only) - you may need to open ports on your own +nginx_selinux: false +# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true) +nginx_selinux_enforcing: true +# List of TCP ports to add to http_port_t type (80 and 443 have this type already) +# nginx_selinux_tcp_ports: +# - 80 +# - 443 +# List of UDP ports to add to http_port_t type +# nginx_selinux_udp_ports: +# - 80 +# - 443 +# Temporary directory to hold selinux modules +nginx_tempdir: /tmp diff --git a/defaults/main/systemd.yml b/defaults/main/systemd.yml new file mode 100644 index 0000000..7d9c006 --- /dev/null +++ b/defaults/main/systemd.yml 
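Review bot: `nginx_tempdir: /tmp` places the policy source, the `.mod` and the `.pp` that `semodule -i` later loads as root at a fixed, predictable path in a world-writable directory, and the `creates:` guards on the checkmodule/semodule_package tasks in setup-selinux.yml mean a file already present at that path is reused rather than rebuilt. A root-owned directory created by the role (for example under /var/lib, or one made with the `tempfile` module and removed at the end) avoids both the shared-tmp exposure and the stale-module problem. The comment `(Centos/Redhat only)` is also no longer accurate, since tasks/prerequisites/setup-suse.yml in this same patch includes the SELinux tasks as well.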
@@ -0,0 +1,43 @@ +--- +# Enable systemd modifications +# ** ALL of the following variables are ignored unless this is set to true ** +nginx_service_modify: false + +# Remove the override file completely +nginx_service_clean: false + +# Override the systemd directory +# Default is /etc/systemd/system/nginx.service.d +nginx_service_overridepath: /etc/systemd/system/nginx.service.d + +# Override the systemd filename +# Default is override.conf +nginx_service_overridefilename: override.conf + +# Set service timeout for systemd systems in seconds (default: 90) +# [Service] +# TimeoutStopSec=90 +# Default is to comment this out +# nginx_service_timeoutstopsec: 90 + +# Set the restart policy for systemd systems +# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always +# [Service] +# Restart=on-failure +# Default is to comment this out +# nginx_service_restart: on-failure + +# Set the restart timer in seconds +# [Service] +# RestartSec=5s +# Default is to comment this out +# nginx_service_restartsec: 5s + +# Enable a custom systemd override file +# ** This could break the service ** +# Setting this to true disables custom values above +nginx_service_custom: false + +# Filename and path for systemd override file +# Setting this will overwrite existing override file +nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf" diff --git a/files/services/nginx.override.conf b/files/services/nginx.override.conf new file mode 100644 index 0000000..2c99453 --- /dev/null +++ b/files/services/nginx.override.conf @@ -0,0 +1,2 @@ +[Service] +TimeoutStopSec=90 diff --git a/handlers/main.yml b/handlers/main.yml index 5d58b86..19f4de3 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
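Review bot: The restart setting documented here as `nginx_service_restart: on-failure` (with a list of accepted values) is not what the template reads: templates/services/nginx.service.override.conf.j2 in this patch tests `nginx_service_restartonfailure is defined` and hard-codes `Restart=on-failure`, so none of the documented values can be selected and the documented variable has no effect. Either rename the variable in the comments to match, or change the template to `{% if nginx_service_restart is defined %}` / `Restart={{ nginx_service_restart }}` / `{% endif %}` so the defaults file stays the source of truth. The molecule playbooks in this patch set a third name, `nginx_service_timeout`, which neither file reads.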
@@ -1,4 +1,14 @@ --- +# handlers file for ansible-role-nginx +- name: "(Handler: All OSs) Check NGINX" + command: "nginx -t" + changed_when: false + +- name: "(Handler: All OSs) systemd daemon-reload" + systemd: + daemon_reload: yes + notify: "(Handler: All OSs) Start NGINX" + - name: "(Handler: All OSs) Run NGINX" block: @@ -33,7 +43,3 @@ name: unitd state: started enabled: yes - -- name: "(Handler: All OSs) Check NGINX" - command: "nginx -t" - changed_when: false diff --git a/molecule/common/playbook_default.yml b/molecule/common/playbook_default.yml index 5361578..759211c 100644 --- a/molecule/common/playbook_default.yml +++ b/molecule/common/playbook_default.yml @@ -25,7 +25,10 @@ - role: ansible-role-nginx vars: nginx_debug_output: true - + nginx_selinux: true + nginx_selinux_tcp_ports: + - 80 + - 443 nginx_version: "{{ version }}" nginx_logrotate_conf_enable: true nginx_logrotate_conf: diff --git a/molecule/common/playbook_module.yml b/molecule/common/playbook_module.yml index b7b1f3b..2995413 100644 --- a/molecule/common/playbook_module.yml +++ b/molecule/common/playbook_module.yml @@ -6,6 +6,13 @@ vars: nginx_debug_output: true + nginx_service_modify: true + nginx_service_timeout: 95 + nginx_selinux: true + nginx_selinux_tcp_ports: + - 80 + - 443 + nginx_cleanup_config: true nginx_cleanup_config_path: - directory: diff --git a/molecule/common/playbook_template.yml b/molecule/common/playbook_template.yml index 2dc667c..ba33cbf 100644 --- a/molecule/common/playbook_template.yml +++ b/molecule/common/playbook_template.yml @@ -6,6 +6,13 @@ vars: nginx_debug_output: true + nginx_service_modify: true + nginx_service_timeout: 95 + nginx_selinux: true + nginx_selinux_tcp_ports: + - 80 + - 443 + nginx_main_template_enable: true nginx_main_template: template_file: nginx.conf.j2 diff --git a/tasks/amplify/install-amplify.yml b/tasks/amplify/install-amplify.yml index 9204abf..71ab897 100644 --- a/tasks/amplify/install-amplify.yml +++ b/tasks/amplify/install-amplify.yml 
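Review bot: `nginx_service_timeout: 95` in molecule/common/playbook_module.yml (and the identical line in playbook_template.yml) is not a variable the role reads anywhere on this page; the defaults and the override template use `nginx_service_timeoutstopsec`, so the test scenario enables `nginx_service_modify` but never exercises the TimeoutStopSec path it appears to be testing. Change the line to `nginx_service_timeoutstopsec: 95` so the rendered drop-in actually contains the value, or the scenario only verifies that an empty `[Service]` section is written.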
@@ -1,9 +1,8 @@ --- -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" +- include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_os_family | lower }}.yml" + when: + - ansible_os_family == "Debian" + or ansible_os_family == "Redhat" - name: "(Install: All OSs) Install NGINX Amplify Agent" package: diff --git a/tasks/keys/setup-keys.yml b/tasks/keys/setup-keys.yml new file mode 100644 index 0000000..07abc97 --- /dev/null +++ b/tasks/keys/setup-keys.yml @@ -0,0 +1,16 @@ +--- +- name: "(Setup: Keys) Alpine" + include_tasks: "{{ role_path }}/tasks/keys/apk-key.yml" + when: ansible_os_family == "Alpine" + tags: nginx_apkkey + +- name: "(Setup: Keys) Debian" + include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml" + when: ansible_os_family == "Debian" + tags: nginx_aptkey + +- name: "(Setup: Keys) RedHat/Suse" + include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml" + when: ansible_os_family == "RedHat" + or ansible_os_family == "Suse" + tags: nginx_rpmkey diff --git a/tasks/main.yml b/tasks/main.yml index 6153517..0f855c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
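Review bot: `or ansible_os_family == "Redhat"` in tasks/amplify/install-amplify.yml can never match, because the fact value is `RedHat` (compare the `"RedHat"` comparison in tasks/keys/setup-keys.yml added on this same line), so the Amplify repository setup is silently skipped on RedHat-family hosts and the following package install will fail or pull from the wrong repository. The line should read `or ansible_os_family == "RedHat"`.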
@@ -1,44 +1,36 @@ --- -- import_tasks: prerequisites/install-prerequisites.yml +- name: "(Setup: Prerequisites)" + include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml" tags: nginx_prerequisites -- import_tasks: keys/apt-key.yml +- name: "(Setup: Keys)" + import_tasks: keys/setup-keys.yml when: - - ansible_os_family == "Debian" - - nginx_install_from == "nginx_repository" - or nginx_amplify_enable - or nginx_unit_enable - tags: nginx_aptkey - -- import_tasks: keys/rpm-key.yml - when: - - ansible_os_family == "RedHat" + - ansible_os_family == "Alpine" + or ansible_os_family == "Debian" + or ansible_os_family == "RedHat" or ansible_os_family == "Suse" - nginx_install_from == "nginx_repository" or nginx_amplify_enable or nginx_unit_enable - tags: nginx_rpmkey - -- import_tasks: keys/apk-key.yml - when: ansible_os_family == "Alpine" - tags: nginx_apkkey + tags: nginx_key - name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX" block: - - import_tasks: opensource/install-oss.yml + - include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" when: nginx_type == "opensource" tags: nginx_install_oss - - import_tasks: plus/install-plus.yml + - include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml" when: nginx_type == "plus" tags: nginx_install_plus - - import_tasks: conf/cleanup-config.yml + - include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml" when: nginx_cleanup_config | bool tags: nginx_cleanup_config - - import_tasks: conf/upload-config.yml + - include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml" when: nginx_main_upload_enable or nginx_http_upload_enable or nginx_stream_upload_enable 
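Review bot: Replacing `import_tasks` with `include_tasks` changes what the `tags:` on these tasks do: on a dynamic include the tag applies only to the include statement itself, not to the tasks in the included file, so a run limited with `--tags nginx_install_oss` (or any of the per-feature tags here, in the second hunk of this file, in tasks/modules/install-modules.yml and in tasks/unit/install-unit.yml) will no longer execute the included work unless each include gains `apply: { tags: [<same tag>] }` or the imports are kept. The new unconditional `include_tasks: .../setup-{{ ansible_os_family | lower }}.yml` for prerequisites also aborts the role with a missing-file error on any os_family without a setup file (the deleted install-prerequisites.yml only acted on Debian and FreeBSD), so it should be guarded with the same supported-family list used for the keys task below, or the supported families documented. The task list begun in this hunk continues into the second hunk of the file.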
@@ -46,26 +38,26 @@ or nginx_ssl_upload_enable tags: nginx_upload_config - - import_tasks: conf/template-config.yml + - include_tasks: "{{ role_path }}/tasks/conf/template-config.yml" when: nginx_main_template_enable or nginx_http_template_enable or nginx_stream_template_enable or nginx_rest_api_enable tags: nginx_template_config - - import_tasks: conf/setup-status.yml + - include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml" when: nginx_status_enable | bool tags: nginx_setup_status - - import_tasks: modules/install-modules.yml + - include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" when: true in nginx_modules.values() tags: nginx_install_modules - - import_tasks: conf/debug-output.yml + - include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml" when: nginx_debug_output | bool tags: nginx_debug_output - - import_tasks: plus/delete-license.yml + - include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml" when: - nginx_type == "plus" - nginx_delete_license @@ -73,17 +65,17 @@ when: nginx_enable | bool -- import_tasks: amplify/install-amplify.yml +- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" when: - nginx_amplify_enable | bool - nginx_amplify_api_key is defined - nginx_amplify_api_key | length > 0 tags: nginx_install_amplify -- import_tasks: unit/install-unit.yml +- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml" when: nginx_unit_enable | bool tags: nginx_install_unit -- import_tasks: conf/logrotate.yml +- include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml" when: nginx_logrotate_conf_enable | bool tags: nginx_logrotate_config diff --git a/tasks/modules/install-modules.yml b/tasks/modules/install-modules.yml index d055fe4..1441efd 100644 --- a/tasks/modules/install-modules.yml +++ b/tasks/modules/install-modules.yml 
@@ -1,28 +1,28 @@ --- -- import_tasks: install-njs.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-njs.yml" when: nginx_modules.njs | default(false) -- import_tasks: install-perl.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-perl.yml" when: nginx_modules.perl | default(false) -- import_tasks: install-geoip.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-geoip.yml" when: - nginx_modules.geoip | default(false) - ansible_os_family != "RedHat" - ansible_distribution_major_version != "8" -- import_tasks: install-image-filter.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-image-filter.yml" when: nginx_modules.image_filter | default(false) -- import_tasks: install-rtmp.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-rtmp.yml" when: - nginx_modules.rtmp | default(false) - nginx_type == "plus" -- import_tasks: install-xslt.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-xslt.yml" when: nginx_modules.xslt | default(false) -- import_tasks: install-waf.yml +- include_tasks: "{{ role_path }}/tasks/modules/install-waf.yml" when: - nginx_modules.waf | default(false) - nginx_type == "plus" diff --git a/tasks/opensource/install-oss-linux.yml b/tasks/opensource/install-oss-linux.yml index 3525e63..23c8c4e 100644 --- a/tasks/opensource/install-oss-linux.yml +++ b/tasks/opensource/install-oss-linux.yml 
@@ -1,23 +1,21 @@ --- - name: "(Install: Linux) Configure NGINX repo" - block: + include_tasks: "{{ role_path }}/tasks/opensource/setup-{{ ansible_os_family | lower }}.yml" + when: + - ansible_os_family == "Alpine" + or ansible_os_family == "Debian" + or ansible_os_family == "RedHat" + or ansible_os_family == "Suse" + - nginx_install_from == "nginx_repository" - - import_tasks: setup-alpine.yml - when: ansible_os_family == "Alpine" - - - import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - - - import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - - - import_tasks: setup-suse.yml - when: ansible_os_family == "Suse" - - when: nginx_install_from == "nginx_repository" +- name: "(Install: Linux) Modify Service for Systemd" + include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml" + when: + - ansible_service_mgr == "systemd" + - nginx_service_modify - name: "(Install: Linux) Install NGINX from source" - import_tasks: setup-source.yml + include_tasks: "{{ role_path }}/tasks/opensource/setup-source.yml" when: nginx_install_from == "source" - name: "(Install: Linux) Install NGINX package" diff --git a/tasks/opensource/install-oss.yml b/tasks/opensource/install-oss.yml index a2b8584..8139d55 100644 --- a/tasks/opensource/install-oss.yml +++ b/tasks/opensource/install-oss.yml @@ -1,8 +1,8 @@ --- - name: "(Install: OSS Linux)" - import_tasks: install-oss-linux.yml + include_tasks: "{{ role_path }}/tasks/opensource/install-oss-linux.yml" when: ansible_os_family in nginx_linux_families - name: "(Install: OSS BSD)" - import_tasks: install-oss-bsd.yml + include_tasks: "{{ role_path }}/tasks/opensource/install-oss-bsd.yml" when: ansible_system in nginx_bsd_systems diff --git a/tasks/plus/delete-license.yml b/tasks/plus/delete-license.yml index 8fc1946..613dc83 100644 --- a/tasks/plus/delete-license.yml +++ b/tasks/plus/delete-license.yml 
@@ -18,17 +18,10 @@ - /etc/apk/cert.pem when: ansible_distribution == "Alpine" -- import_tasks: setup-alpine.yml - when: ansible_os_family == "Alpine" - -- import_tasks: setup-bsd.yml - when: ansible_os_family == "FreeBSD" - -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - -- import_tasks: setup-suse.yml - when: ansible_os_family == "Suse" +- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml" + when: + - ansible_os_family == "Alpine" + or ansible_os_family == "FreeBSD" + or ansible_os_family == "Debian" + or ansible_os_family == "RedHat" + or ansible_os_family == "Suse" diff --git a/tasks/plus/install-plus-bsd.yml b/tasks/plus/install-plus-bsd.yml index a85eb66..753bf94 100644 --- a/tasks/plus/install-plus-bsd.yml +++ b/tasks/plus/install-plus-bsd.yml @@ -1,5 +1,5 @@ --- -- import_tasks: setup-bsd.yml +- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml" when: ansible_os_family == "FreeBSD" - name: "(Install: FreeBSD) Install NGINX Plus" diff --git a/tasks/plus/install-plus-linux.yml b/tasks/plus/install-plus-linux.yml index f2cb686..d6f1464 100644 --- a/tasks/plus/install-plus-linux.yml +++ b/tasks/plus/install-plus-linux.yml 
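Review bot: In tasks/plus/delete-license.yml the templated include resolves to `tasks/plus/setup-freebsd.yml` when `ansible_os_family == "FreeBSD"`, but the line it replaces imported `setup-bsd.yml`, and tasks/plus/install-plus-bsd.yml on this same line still includes `tasks/plus/setup-bsd.yml`; no setup-freebsd.yml appears in the diffstat, so license cleanup on FreeBSD will fail on a missing file when `nginx_delete_license` is set. Keep FreeBSD out of the templated include and add a separate task, `- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml"` with `when: ansible_os_family == "FreeBSD"`, or rename the file consistently in both places.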
@@ -1,15 +1,16 @@ --- -- import_tasks: setup-alpine.yml - when: ansible_os_family == "Alpine" +- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml" + when: + - ansible_os_family == "Alpine" + or ansible_os_family == "Debian" + or ansible_os_family == "RedHat" + or ansible_os_family == "Suse" -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - -- import_tasks: setup-suse.yml - when: ansible_os_family == "Suse" +- name: "(Install: Linux) Modify Service for Systemd" + include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml" + when: + - ansible_service_mgr == "systemd" + - nginx_service_modify - name: "(Install: Linux) Install NGINX Plus" package: diff --git a/tasks/plus/install-plus.yml b/tasks/plus/install-plus.yml index 94152bd..28dd4f3 100644 --- a/tasks/plus/install-plus.yml +++ b/tasks/plus/install-plus.yml @@ -1,11 +1,11 @@ --- - name: "(Install: All OSs) Setup license" - import_tasks: setup-license.yml + include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml" - name: "(Install: Linux) Install NGINX Plus" - import_tasks: install-plus-linux.yml + include_tasks: "{{ role_path }}/tasks/plus/install-plus-linux.yml" when: ansible_os_family in nginx_plus_linux_families - name: "(Install: FreeBSD) Install NGINX Plus" - import_tasks: install-plus-bsd.yml + include_tasks: "{{ role_path }}/tasks/plus/install-plus-bsd.yml" when: ansible_system in nginx_plus_bsd_systems diff --git a/tasks/prerequisites/install-prerequisites.yml b/tasks/prerequisites/install-prerequisites.yml deleted file mode 100644 index 90041c8..0000000 --- a/tasks/prerequisites/install-prerequisites.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -- name: "(Setup: Debian/Ubuntu) Install Prerequisites" - import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - -- name: "(Setup: FreeBSD) Install Prerequisites" - import_tasks: setup-freebsd.yml - when: ansible_system == "FreeBSD" diff --git a/tasks/prerequisites/setup-alpine.yml b/tasks/prerequisites/setup-alpine.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/tasks/prerequisites/setup-alpine.yml @@ -0,0 +1 @@ +--- diff --git a/tasks/prerequisites/setup-debian.yml b/tasks/prerequisites/setup-debian.yml index cef35e6..c668586 100644 --- a/tasks/prerequisites/setup-debian.yml +++ b/tasks/prerequisites/setup-debian.yml @@ -1,5 +1,5 @@ --- -- name: "(Install: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies" +- name: "(Setup: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies" apt: name: - apt-transport-https diff --git a/tasks/prerequisites/setup-freebsd.yml b/tasks/prerequisites/setup-freebsd.yml index 75918bc..e5ab238 100644 --- a/tasks/prerequisites/setup-freebsd.yml +++ b/tasks/prerequisites/setup-freebsd.yml @@ -1,14 +1,14 @@ --- -- name: "(Install: FreeBSD) Install Required Dependencies" +- name: "(Setup: FreeBSD) Install Required Dependencies" block: - - name: "(Install: FreeBSD) Install Extra Package(s)" + - name: "(Setup: FreeBSD) Install Extra Package(s)" pkgng: name: "{{ nginx_freebsd_extra_packages }}" state: present when: nginx_bsd_install_packages|bool - - name: "(Install: FreeBSD) Install Extra Port(s)" + - name: "(Setup: FreeBSD) Install Extra Port(s)" portinstall: name: "{{ item }}" use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" diff --git a/tasks/prerequisites/setup-redhat.yml b/tasks/prerequisites/setup-redhat.yml new file mode 100644 index 0000000..a285db6 --- /dev/null +++ b/tasks/prerequisites/setup-redhat.yml 
@@ -0,0 +1,6 @@ +--- +- name: "(Setup: RedHat/CentOS) Setup SELinux" + include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml" + when: + - nginx_selinux + - ansible_selinux.mode is defined diff --git a/tasks/prerequisites/setup-selinux.yml b/tasks/prerequisites/setup-selinux.yml new file mode 100644 index 0000000..20cbda2 --- /dev/null +++ b/tasks/prerequisites/setup-selinux.yml 
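Review bot: Gating the include on `ansible_selinux.mode is defined` silently skips the whole SELinux setup when SELinux is disabled on the host even though the operator set `nginx_selinux: true`, and it makes the "Check for SELinux enabled" debug task inside setup-selinux.yml (conditioned on `ansible_selinux is undefined`) unreachable. A `debug` at this level — or a `fail` when `nginx_selinux_enforcing` is also true — with the existing "You need to enable selinux" message, conditioned on `nginx_selinux` being true and `ansible_selinux.mode` not being defined, would make the skipped hardening visible in the play output. tasks/prerequisites/setup-suse.yml in this patch has the same shape.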
@@ -0,0 +1,105 @@ +--- +- name: "(Setup: SELinux) Install Required CentOS Dependencies" + package: + name: policycoreutils-python, setools + state: present + when: + - not ansible_os_family == "RedHat" + - not ansible_distribution_major_version == "8" + +- name: "(Setup: SELinux) Install Required RHEL8 Dependencies" + package: + name: + - selinux-policy-targeted + - libselinux-utils + - policycoreutils + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == "8" + +- name: "(Setup: SELinux) Check for SELinux enabled" + debug: + msg: "You need to enable selinux, if it was disabled you need to reboot" + when: ansible_selinux is undefined + +- name: "(Setup: SELinux) Permissive SELinux" + selinux: + state: permissive + policy: targeted + changed_when: false + when: ansible_selinux.mode == "enforcing" + +- name: "(Setup: SELinux: Booleans) Allow HTTP network connection" + seboolean: + name: httpd_can_network_connect + state: yes + persistent: yes + +- name: "(Setup: SELinux: Booleans) Allow HTTP relay connection" + seboolean: + name: httpd_can_network_relay + state: yes + persistent: yes + +- name: "(Setup: SELinux: Ports) Allow status ports" + seport: + ports: "{{ nginx_status_port }}" + proto: tcp + setype: http_port_t + state: present + when: nginx_status_port is defined + +- name: "(Setup: SELinux: Ports) Allow Rest API ports" + seport: + ports: "{{ nginx_rest_api_port }}" + proto: tcp + setype: http_port_t + state: present + when: nginx_rest_api_port is defined" + +- name: "(Setup: SELinux: Ports) Allow Specific TCP Ports" + seport: + ports: "{{ nginx_selinux_tcp_ports }}" + proto: tcp + setype: http_port_t + state: present + when: nginx_selinux_tcp_ports is defined + +- name: "(Setup: SELinux: Ports) Allow Specific UDP Ports" + seport: + ports: "{{ nginx_selinux_udp_ports }}" + proto: udp + setype: http_port_t + state: present + when: nginx_selinux_udp_ports is defined + +- name: "(Setup: SELinux: Module) Create NGINX 
Plus Module" + template: + src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2" + dest: "{{ nginx_tempdir }}/nginx-plus-module.te" + register: nginx_selinux_module + +- name: "(Setup: SELinux: Module) Check NGINX Plus Module" + command: "checkmodule -M -m -o {{ nginx_tempdir }}/nginx-plus-module.mod {{ nginx_tempdir }}/nginx-plus-module.te" + args: + creates: "{{ nginx_tempdir }}/nginx-plus-module.mod" + changed_when: false + +- name: "(Setup: SELinux: Module) Compile NGINX Plus Module" + command: "semodule_package -o {{ nginx_tempdir }}/nginx-plus-module.pp -m {{ nginx_tempdir }}/nginx-plus-module.mod" + args: + creates: "{{ nginx_tempdir }}/nginx-plus-module.pp" + changed_when: false + +- name: "(Setup: SELinux: Module) Import NGINX Plus Module" # noqa 503 + command: "semodule -i {{ nginx_tempdir }}/nginx-plus-module.pp" + changed_when: false + when: nginx_selinux_module.changed + +- name: "(Setup: SELinux) Enforce SELinux" + selinux: + state: enforcing + policy: targeted + changed_when: false + when: nginx_selinux_enforcing and ansible_selinux.mode == "permissive" diff --git a/tasks/prerequisites/setup-suse.yml b/tasks/prerequisites/setup-suse.yml new file mode 100644 index 0000000..079e3c9 --- /dev/null +++ b/tasks/prerequisites/setup-suse.yml @@ -0,0 +1,6 @@ +--- +- name: "(Setup: Suse) Setup SELinux" + include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml" + when: + - nginx_selinux + - ansible_selinux.mode is defined diff --git a/tasks/prerequisites/setup-systemd.yml b/tasks/prerequisites/setup-systemd.yml new file mode 100644 index 0000000..d94e839 --- /dev/null +++ b/tasks/prerequisites/setup-systemd.yml 
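Review bot: The closing "Enforce SELinux" task only runs when `ansible_selinux.mode == "permissive"`, but that fact was gathered before the "Permissive SELinux" task switched an enforcing host to permissive, so a host that started in enforcing mode is left permissive (persistently, since the `selinux` module also rewrites /etc/selinux/config) while a host that started permissive is flipped to enforcing; the final condition should be `when: nginx_selinux_enforcing | bool` on its own, or the mode re-read after the switch, and `changed_when: false` on both mode changes hides a real state change from the play summary. `when: nginx_rest_api_port is defined"` carries a stray trailing quote, which will make that conditional fail to template whenever this file runs. The first package task's `not ansible_os_family == "RedHat"` is inverted relative to its name, so policycoreutils-python/setools are never installed on CentOS 7 and are attempted on Suse instead; `- ansible_os_family == "RedHat"` with `- ansible_distribution_major_version != "8"` matches the intent. Setting `httpd_can_network_connect` unconditionally lets nginx initiate connections to any port, which is broader than what `httpd_can_network_relay` covers for proxying; consider exposing it as a documented variable defaulting to false.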
@@ -0,0 +1,38 @@ +--- +- name: "(Setup: Linux) Create override directory for NGINX systemd Service" + file: + path: "{{ nginx_service_overridepath }}" + state: directory + mode: '0755' + +- name: "(Setup: Linux) Create override for NGINX systemd Service" + template: + src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: '0644' + notify: "(Handler: All OSs) systemd daemon-reload" + when: + - not nginx_service_custom + - not nginx_service_clean + +- name: "(Setup: Linux) Customize override for NGINX systemd Service" + copy: + src: "{{ nginx_service_custom_file }}" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: '0644' + notify: "(Handler: All OSs) systemd daemon-reload" + when: + - nginx_service_custom + - not nginx_service_clean + +- name: "(Setup: Linux) Remove override for NGINX systemd Service" + file: + path: "{{ nginx_service_overridepath }}" + state: absent + notify: "(Handler: All OSs) systemd daemon-reload" + when: + - nginx_service_clean diff --git a/tasks/unit/install-unit.yml b/tasks/unit/install-unit.yml index 4093fe8..85bb0a0 100644 --- a/tasks/unit/install-unit.yml +++ b/tasks/unit/install-unit.yml @@ -1,12 +1,9 @@ --- -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - -- import_tasks: setup-freebsd.yml - when: ansible_os_family == "FreeBSD" +- include_tasks: "{{ role_path }}/tasks/unit/setup-{{ ansible_os_family | lower }}.yml" + when: + - ansible_os_family == "Debian" + or ansible_os_family == "RedHat" + or ansible_os_family == "FreeBSD" - name: "(Install: Debian/Ubuntu/CentOS/RedHat) Install NGINX Unit" package: 
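Review bot: The "Remove override" task sets `state: absent` on the whole `{{ nginx_service_overridepath }}` directory, so `nginx_service_clean: true` deletes every drop-in an administrator placed in nginx.service.d, not just the file this role wrote; point it at `path: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"` instead. The first task also creates that directory unconditionally, so a clean run creates it and then removes it in the same play; add `when: not nginx_service_clean` there. A header comment noting that `nginx_service_custom_file` is copied verbatim into a systemd drop-in (so its contents are trusted configuration, not validated) would help readers of the custom path.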
@@ -22,5 +19,5 @@ when: ansible_os_family == "FreeBSD" notify: "(Handler: FreeBSD) Start NGINX Unit" -- import_tasks: install-modules.yml +- include_tasks: "{{ role_path }}/tasks/unit/install-modules.yml" when: nginx_unit_modules is defined and nginx_unit_modules diff --git a/templates/selinux/nginx-plus-module.te.j2 b/templates/selinux/nginx-plus-module.te.j2 new file mode 100644 index 0000000..c46d5eb --- /dev/null +++ b/templates/selinux/nginx-plus-module.te.j2 @@ -0,0 +1,20 @@ +module nginx-plus-module 1.0; + +require { + type httpd_t; + type usr_t; + type initrc_t; + type http_cache_port_t; + class sock_file write; + class unix_stream_socket connectto; + class file { create write }; + class tcp_socket name_connect; +} + +#============= httpd_t ============== +allow httpd_t http_cache_port_t:tcp_socket name_connect; + +allow httpd_t initrc_t:unix_stream_socket connectto; + +allow httpd_t usr_t:file { create write }; +allow httpd_t usr_t:sock_file write; diff --git a/templates/services/nginx.service.override.conf.j2 b/templates/services/nginx.service.override.conf.j2 new file mode 100644 index 0000000..deea6d9 --- /dev/null +++ b/templates/services/nginx.service.override.conf.j2 @@ -0,0 +1,10 @@ +[Service] +{% if nginx_service_timeoutstopsec is defined %} +TimeoutStopSec={{ nginx_service_timeoutstopsec | default(90) }} +{% endif %} +{% if nginx_service_restartonfailure is defined %} +Restart=on-failure +{% endif %} +{% if nginx_service_restartsec is defined %} +RestartSec={{ nginx_service_restartsec }} +{% endif %}
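Review bot: The module in templates/selinux/nginx-plus-module.te.j2 is built and loaded whenever `nginx_selinux` is set, not only for `nginx_type == "plus"`, yet it is named nginx-plus-module and nothing on the page records which feature each rule serves; `allow httpd_t usr_t:file { create write }` in particular grants nginx create/write on every usr_t-labelled file, far more than a single cache or socket directory needs. Add a comment above each `allow` line naming the feature it exists for (the http_cache_port_t connect, the initrc_t socket connect, the usr_t file and sock_file writes) and gate the Create/Check/Compile/Import tasks in setup-selinux.yml on `nginx_type == "plus"` or a dedicated variable, so OSS installs do not load rules they do not need.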
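Review bot: `TimeoutStopSec={{ nginx_service_timeoutstopsec | default(90) }}` sits inside `{% if nginx_service_timeoutstopsec is defined %}`, so the `default(90)` can never apply; drop the filter (defaults/main/systemd.yml says the line is omitted unless the variable is set, so that matches the documentation) or drop the guard if a default of 90 is intended. When all three variables are undefined the template renders a bare `[Service]` section, which is harmless but worth a one-line comment at the top of the template so the empty drop-in is not mistaken for a rendering error.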