From b7e25961d645b7a1e1610c749e83f1d612a86a6f Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Wed, 22 Jul 2020 16:19:43 +0200 Subject: [PATCH] Refactor status templating (#288) --- CHANGELOG.md | 1 + defaults/main/template.yml | 13 +++-- .../common/playbooks/template_converge.yml | 1 - tasks/conf/setup-status.yml | 34 ------------- tasks/conf/template-config.yml | 8 +++ tasks/main.yml | 49 +++++++++++-------- templates/http/api.conf.j2 | 14 +++++- templates/http/status.conf.j2 | 15 ++++++ 8 files changed, 76 insertions(+), 59 deletions(-) delete mode 100644 tasks/conf/setup-status.yml create mode 100644 templates/http/status.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index e2415f5..0544850 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ BREAKING CHANGES: * The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. * If you use `custom_options` you will now need to manually end each directive with a semicolon. +* The `status` directive is no longer supported in NGINX Plus, and the `stub_status` directive has been reworked into a template. * The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need. Old configuration example diff --git a/defaults/main/template.yml b/defaults/main/template.yml index f2cc378..b622272 100644 --- a/defaults/main/template.yml +++ b/defaults/main/template.yml 
@@ -317,9 +317,12 @@ nginx_http_template: # Note - 'status' has been deprecated since NGINX Plus R13. # Default is false. nginx_status_enable: false -nginx_status_location: /etc/nginx/conf.d/stub_status.conf -nginx_status_port: 80 +nginx_status_template_file: http/status.conf.j2 +nginx_status_file_location: /etc/nginx/conf.d/status.conf nginx_status_log: false +nginx_status_port: 80 +nginx_status_allow: 127.0.0.1 +nginx_status_deny: all # Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard. # Requires NGINX Plus. @@ -327,10 +330,14 @@ nginx_status_log: false nginx_rest_api_enable: false nginx_rest_api_template_file: http/api.conf.j2 nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf -nginx_rest_api_port: 80 nginx_rest_api_log: false +nginx_rest_api_port: 80 nginx_rest_api_write: false nginx_rest_api_dashboard: false +nginx_status_rest_api_allow: 127.0.0.1 +nginx_status_rest_api_deny: all +nginx_status_rest_api_dashboard_allow: 127.0.0.1 +nginx_status_rest_api_dashboard_deny: all # Enable creating dynamic templated NGINX stream configuration files. # Defaults will not produce a valid configuration. Instead they are meant to showcase diff --git a/molecule/common/playbooks/template_converge.yml b/molecule/common/playbooks/template_converge.yml index 1e8a8a1..2194445 100644 --- a/molecule/common/playbooks/template_converge.yml +++ b/molecule/common/playbooks/template_converge.yml @@ -58,7 +58,6 @@ stream_enable: true nginx_status_enable: true - nginx_status_location: /etc/nginx/conf.d/stub_status.conf nginx_status_port: 8080 nginx_status_log: true diff --git a/tasks/conf/setup-status.yml b/tasks/conf/setup-status.yml deleted file mode 100644 index 74b43b4..0000000 --- a/tasks/conf/setup-status.yml +++ /dev/null 
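Review bot: Renaming `nginx_status_location` to `nginx_status_file_location` and moving the default path from `/etc/nginx/conf.d/stub_status.conf` to `/etc/nginx/conf.d/status.conf` is silent for existing users. An inventory that still sets the old variable is ignored without error. Nothing visible in this patch removes a previously generated `stub_status.conf`, so it presumably stays on the target next to the new file. The context comment `# Note - 'status' has been deprecated since NGINX Plus R13.` is also stale now that the template only emits `stub_status`. I would replace it with something like `# nginx_status_file_location replaces nginx_status_location; delete an old stub_status.conf by hand.` and add a line saying that `nginx_status_allow` and `nginx_status_deny` each take a single address, CIDR or `all`.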
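Review bot: The four new access variables are named `nginx_status_rest_api_*`, while every other REST API setting in this block uses the `nginx_rest_api_` prefix. A user who sets `nginx_rest_api_allow` by analogy gets no error and no effect. The `/api` location in `templates/http/api.conf.j2` would then keep the `127.0.0.1` default, which fails safe but is confusing to debug. I would rename them to `nginx_rest_api_allow`, `nginx_rest_api_deny`, `nginx_rest_api_dashboard_allow` and `nginx_rest_api_dashboard_deny` before this ships. A comment such as `# Source address allowed to reach /api and the dashboard; all other clients are denied by default.` would also help, since these values are the only access restriction visible for `api write=on`.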
@@ -1,34 +0,0 @@ ---- -- name: "(Setup: NGINX Open Source) Enable NGINX Open Source Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /nginx_status { - stub_status on; - access_log {{ nginx_status_log | ternary("on", "off") }}; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "opensource" - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: NGINX Plus) Enable NGINX Plus Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /status { - status; - access_log {{ nginx_status_log | ternary("on", "off") }}; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "plus" - notify: "(Handler: All OSs) Reload NGINX" diff --git a/tasks/conf/template-config.yml b/tasks/conf/template-config.yml index da25187..17b1f83 100644 --- a/tasks/conf/template-config.yml +++ b/tasks/conf/template-config.yml @@ -55,6 +55,14 @@ when: nginx_http_template_enable | bool notify: "(Handler: All OSs) Reload NGINX" +- name: "(Setup: All NGINX) Dynamically Generate NGINX Stub Status Configuration File" + template: + src: "{{ nginx_status_template_file | default('http/status.conf.j2') }}" + dest: "{{ nginx_status_file_location | default('/etc/nginx/conf.d/status.conf') }}" + backup: yes + notify: "(Handler: All OSs) Reload NGINX" + when: nginx_status_enable | bool + - name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File" template: src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}" diff --git a/tasks/main.yml b/tasks/main.yml index d2e5af7..70fb865 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,9 +1,9 @@ --- -- name: "(Setup: Prerequisites)" +- name: "(Setup: All OSs) Setup Prerequisites" include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml" tags: nginx_prerequisites -- name: "(Setup: Keys)" +- name: "(Setup: All OSs) Setup Keys" import_tasks: keys/setup-keys.yml when: - ansible_os_family == "Alpine" 
@@ -15,35 +15,43 @@ or nginx_unit_enable tags: nginx_key -- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX" +- name: "(Install/Config: All OSs) Install and Configure NGINX" block: - - block: - - include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" + - name: "(Install: All OSs) Install NGINX" + block: + - name: "(Install: All OSs) Install NGINX Open Source" + include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" when: nginx_type == "opensource" tags: nginx_install_oss - - include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml" + - name: "(Install: All OSs) Install NGINX Plus" + include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml" when: nginx_type == "plus" tags: nginx_install_plus - - include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" + - name: "(Install: All OSs) Install NGINX Modules" + include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" when: true in nginx_modules.values() tags: nginx_install_modules - - include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml" + - name: "(Install: All OSs) Delete NGINX Plus License" + include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml" when: - nginx_type == "plus" - nginx_delete_license tags: nginx_delete_license when: nginx_install | bool - - block: - - include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml" + - name: "(Config: All OSs) Configure NGINX" + block: + - name: "(Config: All OSs) Cleanup NGINX Config" + include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml" when: nginx_cleanup_config | bool tags: nginx_cleanup_config - - include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml" + - name: "(Config: All OSs) Upload NGINX Config" + include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml" when: nginx_main_upload_enable or nginx_http_upload_enable or nginx_stream_upload_enable 
@@ -51,37 +59,38 @@ or nginx_ssl_upload_enable tags: nginx_upload_config - - include_tasks: "{{ role_path }}/tasks/conf/template-config.yml" + - name: "(Config: All OSs) Create NGINX Config" + include_tasks: "{{ role_path }}/tasks/conf/template-config.yml" when: nginx_main_template_enable or nginx_http_template_enable or nginx_stream_template_enable or nginx_rest_api_enable tags: nginx_template_config - - - include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml" - when: nginx_status_enable | bool - tags: nginx_setup_status when: nginx_configure | bool - name: "(Config: All OSs) Ensure NGINX is Running" meta: flush_handlers - - include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml" + - name: "(Config: All OSs) Debug Output" + include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml" when: nginx_debug_output | bool tags: nginx_debug_output - - include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml" + - name: "(Config: All OSs): Configure Logrotate" + include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml" when: nginx_logrotate_conf_enable | bool tags: nginx_logrotate_config when: nginx_enable | bool -- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" +- name: "(Install: All OSs) Install NGINX Amplify" + include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" when: - nginx_amplify_enable | bool - nginx_amplify_api_key is defined - nginx_amplify_api_key | length > 0 tags: nginx_install_amplify -- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml" +- name: "(Install: All OSs) Install NGINX Unit" + include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml" when: nginx_unit_enable | bool tags: nginx_install_unit diff --git a/templates/http/api.conf.j2 b/templates/http/api.conf.j2 index 9d3465c..3d62348 100644 --- a/templates/http/api.conf.j2 +++ b/templates/http/api.conf.j2 
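Review bot: `nginx_status_enable` is missing from the `when:` of the "Create NGINX Config" include. The condition in this hunk's context lines lists only `nginx_main_template_enable`, `nginx_http_template_enable`, `nginx_stream_template_enable` and `nginx_rest_api_enable`. The stub status task now lives in `template-config.yml`, so a play that sets only `nginx_status_enable: true` skips the include and writes no status configuration, whereas the removed `setup-status.yml` include ran on `nginx_status_enable | bool` alone. Adding `or nginx_status_enable` as a further line of that condition restores the old behaviour. The `nginx_setup_status` tag is removed as well, so runs limited to that tag now do nothing, which deserves a CHANGELOG entry. The enclosing block starts outside this hunk.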
@@ -2,17 +2,29 @@ server { listen {{ nginx_rest_api_port | default('80') }}; - access_log {{ nginx_rest_api_log | ternary("on", "off") }}; + access_log {{ nginx_rest_api_log | ternary('on', 'off') }}; location /api { {% if nginx_rest_api_write %} api write=on; {% else %} api; +{% endif %} +{% if nginx_status_rest_api_allow is defined %} + allow {{ nginx_status_rest_api_allow }}; +{% endif %} +{% if nginx_status_rest_api_deny is defined %} + deny {{ nginx_status_rest_api_deny }}; {% endif %} } {% if nginx_rest_api_dashboard %} location = /dashboard.html { root /usr/share/nginx/html; +{% if nginx_status_rest_api_dashboard_allow is defined %} + allow {{ nginx_status_rest_api_dashboard_allow }}; +{% endif %} +{% if nginx_status_rest_api_dashboard_deny is defined %} + deny {{ nginx_status_rest_api_dashboard_deny }}; +{% endif %} } {% endif %} } diff --git a/templates/http/status.conf.j2 b/templates/http/status.conf.j2 new file mode 100644 index 0000000..408e921 --- /dev/null +++ b/templates/http/status.conf.j2 @@ -0,0 +1,15 @@ +{{ ansible_managed | comment }} + +server { + listen {{ nginx_status_port | default('80') }}; + access_log {{ nginx_status_log | ternary('on', 'off') }}; + location /nginx_status { + stub_status on; +{% if nginx_status_allow is defined %} + allow {{ nginx_status_allow }}; +{% endif %} +{% if nginx_status_deny is defined %} + deny {{ nginx_status_deny }}; +{% endif %} + } +}
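Review bot: `access_log {{ nginx_rest_api_log | ternary('on', 'off') }};` renders `access_log on;` when logging is enabled, but nginx's `access_log` takes a log path or the special value `off`, so `on` is read as a file name rather than a switch. Requests to `/api`, including writes when `nginx_rest_api_write` is set, would then be recorded in a file called `on` instead of the regular access log, where monitoring is unlikely to look. Emit the directive only for the disabled case, `{% if not nginx_rest_api_log %}access_log off;{% endif %}`, so the enabled case inherits the `http`-level log. The same expression is used in the new `templates/http/status.conf.j2`.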
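Review bot: The new `listen {{ nginx_status_port | default('80') }};` drops the `127.0.0.1:` address that the removed `setup-status.yml` blocks used, so the status server now binds every interface. The `allow`/`deny` pair is then the only thing keeping `/nginx_status` local. Both rules are wrapped in `is defined`, so a missing variable omits the rule instead of refusing access. With the role defaults in this patch they are always defined, which leaves the guard as nothing more than a fail-open path. I would keep the loopback bind as the default, for example `listen {{ nginx_status_listen | default('127.0.0.1') }}:{{ nginx_status_port | default('80') }};`, where `nginx_status_listen` is a new variable introduced by this suggestion. I would also emit `deny {{ nginx_status_deny | default('all') }};` unconditionally.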