@briandant
Last active August 16, 2016 23:35
commit f231b69ab61f2a9d42d82ed425318f64cbe6d36c
Author: Brian Dant <briandant414@gmail.com>
Date:   Fri Aug 12 14:03:03 2016 -0700

    Remove the explicit declaration of Ubuntu codename.
    
    We're now relying on Ansible's `ansible_distribution_release`
    variable where we need to know the release we're using.

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 00d2b49..86b8c52 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Add nginx repo
-  apt_repository: repo="{{ nginx_repo }}" update_cache=yes
+  apt_repository: repo='ppa:nginx/stable' update_cache=yes
   tags: ['nginx', 'nginx:install']
 
 - name: Install nginx
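Review bot: the commit message says the release codename now comes from `ansible_distribution_release`, but the hunk contains no such variable; it replaces the `{{ nginx_repo }}` variable introduced in 7c85338 with the literal `repo='ppa:nginx/stable'`, so the repository is hard-coded again and can no longer be overridden from inventory. Either keep `nginx_repo` and default it to `ppa:nginx/stable`, or reword the message to say that the `ppa:` shorthand lets apt_repository resolve the codename on the target (and fetch the Launchpad signing key) itself.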

commit 7c85338bcb31600ebe967b6d67b5569f11ca7295
Author: Morgan Robertson <robertson.md7@gmail.com>
Date:   Tue Aug 9 16:11:24 2016 -0400

    Don't hardcode the nginx package repo.
    
    Because variables are good.

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 80ab1ff..00d2b49 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Add nginx repo
-  apt_repository: repo="deb http://ppa.launchpad.net/nginx/stable/ubuntu wily main" update_cache=yes
+  apt_repository: repo="{{ nginx_repo }}" update_cache=yes
   tags: ['nginx', 'nginx:install']
 
 - name: Install nginx
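Review bot: `{{ nginx_repo }}` is referenced here but the diff adds no definition, so the task fails with an undefined-variable error on any host whose inventory does not set it; add a default in the role's defaults, e.g. `nginx_repo: "deb http://ppa.launchpad.net/nginx/stable/ubuntu {{ ansible_distribution_release }} main"`, which also gets the `wily` codename out of the role.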

commit b7105bf73588178cc990b0285161c42b3188da79
Author: Morgan Robertson <robertson.md7@gmail.com>
Date:   Fri Jun 17 14:01:02 2016 -0400

    Robustify TLS nginx settings.
    
    The updated settings prevent weak Diffie-Hellman key exchanges and the
    use of export ciphers. This protects against the Logjam attack. See
    https://weakdh.org. Support was dropped for TLS 1.0/1.1, which are
    vulnerable to POODLE attacks.
    
    TLS can be tested for vulnerabilities using
    https://www.ssllabs.com/ssltest/.

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 5e2726d..80ab1ff 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -19,8 +19,25 @@
   when: not nginx_wharf_conf.stat.exists
   tags: ['nginx', 'nginx:configuration']
 
+- name: Update OpenSSL to latest version
+  apt: name=openssl state=latest
+  tags: ['nginx', 'nginx:configuration']
+
+- name: Create Diffie-Hellman parameters to prevent weak key exchange
+  command: >
+    openssl dhparam -out dhparams.pem 2048
+    chdir=/etc/ssl/private
+    creates=/etc/ssl/private/dhparams.pem
+  tags: ['nginx', 'nginx:configuration']
+
+- name: Restrict permissions of DH parameters file
+  file: path=/etc/ssl/private/dhparams.pem owner=root group=root mode=0600
+  tags: ['nginx', 'nginx:configuration']
+
 - name: Ensure main Nginx configuration file is up to date
   template: src=nginx.conf dest=/etc/nginx/nginx.conf
+  notify:
+    - restart nginx
   tags: ['nginx', 'nginx:configuration']
 
 - name: Remove default virtual hosts
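Review bot: the `Update OpenSSL to latest version` task has no `notify: restart nginx`, so an nginx master that is already running keeps the old libssl mapped until the config template happens to change; a library upgrade is exactly the case where a full restart (not a reload) is required. The `openssl dhparam -out dhparams.pem 2048` task is idempotent thanks to `creates=`, and 2048 bits is adequate against the Logjam precomputation (which targeted 512- to 1024-bit groups); the follow-up 0600 on the parameters file is harmless but not necessary, since DH parameters are public. The `ssl_protocols` and `ssl_ciphers` changes the message describes presumably live in the `nginx.conf` template, which is not part of this diff and so cannot be reviewed here. The stated rationale for dropping TLS 1.0/1.1 should also be accurate: POODLE is an SSL 3.0 CBC padding attack, and the removal is better justified by TLS 1.0/1.1's own CBC weaknesses (BEAST) and their deprecation.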

commit 0444f3383fe05d6d025ba6f02b46512361fbe207
Author: Deni Bertovic <deni@denibertovic.com>
Date:   Thu Jun 2 18:31:01 2016 +0200

    Use proper nginx version

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index bb341fb..5e2726d 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Add nginx repo
-  apt_repository: repo="deb http://ppa.launchpad.net/nginx/stable/ubuntu vivid main" update_cache=yes
+  apt_repository: repo="deb http://ppa.launchpad.net/nginx/stable/ubuntu wily main" update_cache=yes
   tags: ['nginx', 'nginx:install']
 
 - name: Install nginx
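Review bot: swapping `vivid` for `wily` keeps the Ubuntu codename hard-coded in the task, so the role breaks again at the next release (15.04 reached end of life in February 2016 and 15.10 in July 2016); use `{{ ansible_distribution_release }}` in the deb line, or the `ppa:nginx/stable` shorthand, which resolves the codename on the target host.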

commit efe0f2f1a3d30b3d68051c54a01fd28b86d9149d
Author: Morgan Robertson <robertson.md7@gmail.com>
Date:   Mon Apr 18 16:01:13 2016 -0400

    Upgrade to Ansible 2.0.1.

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 5f5d2b5..bb341fb 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -44,7 +44,7 @@
     content: "{{nginx_private_key}}"
     dest: /etc/ssl/wharf.key
     owner: root
-    mode: 600
+    mode: 0600
   notify:
     - restart nginx
   tags: ['nginx', 'nginx:configuration']
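Review bot: the fix is correct and the reason deserves a line in the message: an unquoted `mode: 600` in YAML dict syntax is the decimal integer 600, which Ansible applies as octal 01130 (sticky bit, owner `--x`, group `-wx`), not `rw-------`, so `/etc/ssl/wharf.key` has been deployed with wrong permissions since efc4f2f. `mode: 0600` works with PyYAML, but `mode: '0600'` is the robust form, since YAML 1.2 parsers do not treat a leading zero as octal.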
@@ -54,7 +54,7 @@
     content: "{{nginx_public_cert}}"
     dest: /etc/ssl/wharf.crt
     owner: root
-    mode: 600
+    mode: 0600
   notify:
     - restart nginx
   tags: ['nginx', 'nginx:configuration']
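Review bot: same integer-mode issue as for the key above; for `/etc/ssl/wharf.crt` the consequence was only odd permissions on a public certificate, and 0644 would be the conventional mode, but keeping both files at 0600 is harmless.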

commit 77e2760b50b321b05837c304b0e4df5cfd3bf2ca
Author: Morgan Robertson <robertson.md7@gmail.com>
Date:   Wed Jan 13 11:41:42 2016 -0500

    Update Ansible tags
    
    This PR implements a tagging system where every task is assigned a tag
    matching the name of the role and possibly additional subtags. The
    subtags correspond to high-level tasks such as installing or configuring
    a piece of software. The goal is that these tags will give us greater
    flexibility in running parts of the playbook when doing administrative
    tasks.
    
    Tags for common, newrelic, hipache, nginx,
    postgresql, pythondev, uwsgi.

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 4820a35..5f5d2b5 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -2,21 +2,26 @@
 
 - name: Add nginx repo
   apt_repository: repo="deb http://ppa.launchpad.net/nginx/stable/ubuntu vivid main" update_cache=yes
+  tags: ['nginx', 'nginx:install']
 
 - name: Install nginx
   apt: name=nginx state=latest
+  tags: ['nginx', 'nginx:install']
 
 - name: Check if Wharf config is already there
   stat: path=/etc/nginx/sites-available/{{app_name}}.conf
   register: nginx_wharf_conf
+  tags: ['nginx', 'nginx:configuration']
 
 # needed so nginx doesn't take the port 80 by default
 - name: Stop nginx if Wharf config is not installed
   service: name=nginx state=stopped
   when: not nginx_wharf_conf.stat.exists
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Ensure main Nginx configuration file is up to date
   template: src=nginx.conf dest=/etc/nginx/nginx.conf
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Remove default virtual hosts
   file: path=/etc/nginx/sites-enabled/{{item}} state=absent
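Review bot: tagging `Install nginx` with `nginx:install` makes `--tags nginx:install` a convenient way to run it alone, but that task is `apt: name=nginx state=latest`, so every install-tagged run performs an unpinned upgrade; `state=present` plus a deliberate upgrade task would make the tag's effect predictable.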
@@ -25,12 +30,14 @@
     - example_ssl
     - default.conf
     - example_ssl.conf
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Create virtual hosts folders
   file: path=/etc/nginx/{{item}} state=directory
   with_items:
     - sites-available
     - sites-enabled
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Copy the SSL certificate (1)
   copy:
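Review bot: `Remove default virtual hosts` deletes entries under `sites-enabled` without `notify: restart nginx`, so on a host where nginx is already running the default server keeps answering on port 80 until some other task triggers the handler; add the notify here. The ordering also reads inverted: the removal targets `/etc/nginx/sites-enabled/...` before `Create virtual hosts folders` ensures that directory exists (harmless, since `state=absent` on a missing path is a no-op, but confusing).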
@@ -40,6 +47,7 @@
     mode: 600
   notify:
     - restart nginx
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Copy the SSL certificate (2)
   copy:
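Review bot: the `mode: 600` visible in the context here is an unquoted integer and therefore not `rw-------`; this commit only adds tags, but it is the right moment to change it to `mode: '0600'` rather than leave a private key with wrong permissions (efe0f2f above eventually does this).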
@@ -49,16 +57,20 @@
     mode: 600
   notify:
     - restart nginx
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Copy the virtual host config file
   template: src=nginx_uwsgi.conf dest=/etc/nginx/sites-available/{{app_name}}.conf
   notify:
     - restart nginx
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Enable the virtual host
   file: path=/etc/nginx/sites-enabled/{{app_name}}.conf src=/etc/nginx/sites-available/{{app_name}}.conf state=link
   notify:
     - restart nginx
+  tags: ['nginx', 'nginx:configuration']
 
 - name: Increase the TCP buffer
   sysctl: name="net.ipv4.tcp_max_syn_backlog" value=2048 reload=yes
+  tags: ['nginx', 'nginx:configuration']
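Review bot: `Increase the TCP buffer` is tagged `nginx:configuration`, but `net.ipv4.tcp_max_syn_backlog` is a host-wide kernel setting persisted to `/etc/sysctl.conf`, not nginx configuration; a separate subtag (or moving it to the common role) keeps `--tags nginx:configuration` from touching kernel parameters. The task name is also misleading: this sysctl sizes the SYN backlog queue, not a TCP buffer.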

commit 8404a04681c94007e82db1a7ca0fab0a08da2f46
Author: Brian Dant <briandant414@gmail.com>
Date:   Thu Dec 17 10:26:19 2015 -0500

    Revert to using nginx ppa per Morgan's recommendation

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index c58885f..4820a35 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,5 +1,8 @@
 ---
 
+- name: Add nginx repo
+  apt_repository: repo="deb http://ppa.launchpad.net/nginx/stable/ubuntu vivid main" update_cache=yes
+
 - name: Install nginx
   apt: name=nginx state=latest
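Review bot: the added `deb http://ppa.launchpad.net/nginx/stable/ubuntu vivid main` line has no accompanying `apt_key` task, and apt_repository only fetches the Launchpad signing key automatically for the `ppa:nginx/stable` shorthand that fb59d62 removed, so apt will treat this repository as unauthenticated; either restore the `ppa:` form or add an `apt_key` task with `keyserver=keyserver.ubuntu.com` and the PPA's key id. The hard-coded `vivid` codename is a second reason to prefer the shorthand.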
 

commit fb59d622665582b026b359113fd0567091261605
Author: Brian Dant <briandant414@gmail.com>
Date:   Wed Dec 16 21:02:19 2015 -0500

    Don't rely on nginx ppa; use apt repo instead

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 0d3432b..c58885f 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,8 +1,5 @@
 ---
 
-- name: Add nginx repo
-  apt_repository: repo="ppa:nginx/stable" update_cache=yes
-
 - name: Install nginx
   apt: name=nginx state=latest
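Review bot: the message says "use apt repo instead", but the hunk only deletes the PPA task and adds nothing, so nginx now comes from the stock Ubuntu archive at whatever version that release ships; that is a defensible choice (distro-signed and security-maintained), but `state=latest` then tracks the distro package rather than upstream stable, and the message should say so. 8404a04 reverts this the next day.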
 

commit 62979d013c4f8b53aaf903c7262e2b1ad65a3c7f
Author: Brian Dant <briandant414@gmail.com>
Date:   Thu Nov 5 19:27:51 2015 -0800

    Finish rest of deploy directory

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index cb094b1..0d3432b 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -6,14 +6,14 @@
 - name: Install nginx
   apt: name=nginx state=latest
 
-- name: Check if Launcher config is already there
+- name: Check if Wharf config is already there
   stat: path=/etc/nginx/sites-available/{{app_name}}.conf
-  register: nginx_launcher_conf
+  register: nginx_wharf_conf
 
 # needed so nginx doesn't take the port 80 by default
-- name: Stop nginx if Launcher config is not installed
+- name: Stop nginx if Wharf config is not installed
   service: name=nginx state=stopped
-  when: not nginx_launcher_conf.stat.exists
+  when: not nginx_wharf_conf.stat.exists
 
 - name: Ensure main Nginx configuration file is up to date
   template: src=nginx.conf dest=/etc/nginx/nginx.conf
@@ -35,7 +35,7 @@
 - name: Copy the SSL certificate (1)
   copy:
     content: "{{nginx_private_key}}"
-    dest: /etc/ssl/launcher.key
+    dest: /etc/ssl/wharf.key
     owner: root
     mode: 600
   notify:
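Review bot: renaming the destination from `/etc/ssl/launcher.key` to `/etc/ssl/wharf.key` leaves the old private key file in place on every host provisioned before this change; add `file: path=/etc/ssl/launcher.key state=absent` (and the same for `launcher.crt`) so stale key material is not left behind, and confirm the vhost template references the new path.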
@@ -44,7 +44,7 @@
 - name: Copy the SSL certificate (2)
   copy:
     content: "{{nginx_public_cert}}"
-    dest: /etc/ssl/launcher.crt
+    dest: /etc/ssl/wharf.crt
     owner: root
     mode: 600
   notify:

commit a10240fccb3b7992da00ee7022ca8b24cf3ea65e
Author: Tomasz Zieliński <tomasz.zielinski@pyconsultant.eu>
Date:   Thu May 28 12:27:15 2015 +0200

    Playbook tweaks & fixes (2)

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index fa0324f..cb094b1 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -19,10 +19,12 @@
   template: src=nginx.conf dest=/etc/nginx/nginx.conf
 
 - name: Remove default virtual hosts
-  file: path=/etc/nginx/conf.d/{{item}}.conf state=absent
+  file: path=/etc/nginx/sites-enabled/{{item}} state=absent
   with_items:
     - default
     - example_ssl
+    - default.conf
+    - example_ssl.conf
 
 - name: Create virtual hosts folders
   file: path=/etc/nginx/{{item}} state=directory
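Review bot: the default-vhost cleanup now only looks in `sites-enabled` and drops the `conf.d/*.conf` paths; that matches the PPA/Ubuntu packaging introduced in e271d45, but the nginx.org packages the original role used put their default server in `/etc/nginx/conf.d/default.conf`, so if the repository choice changes again the default site silently survives. Keeping both path sets in the `with_items` list costs nothing.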

commit e271d45fa3ca24b143ceb946623e982c37886f46
Author: Filip Jukic <filip@jukic.me>
Date:   Wed May 20 13:43:13 2015 +0200

    update the playbook to 15.04 (WIP)

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index d7bc370..fa0324f 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,13 +1,7 @@
 ---
 
-#- name: Add nginx repo key
-#  apt_key: url=http://nginx.org/keys/nginx_signing.key
-#
-#- name: Add nginx repo
-#  apt_repository: repo="{{item}}"
-#  with_items:
-#    - deb http://nginx.org/packages/ubuntu/ precise nginx
-#    - deb-src http://nginx.org/packages/ubuntu/ precise nginx
+- name: Add nginx repo
+  apt_repository: repo="ppa:nginx/stable" update_cache=yes
 
 - name: Install nginx
   apt: name=nginx state=latest
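Review bot: replacing the commented-out block with `repo="ppa:nginx/stable"` is the right cleanup (config kept in comments drifts), but it also moves the trust anchor: the original tasks took nginx from nginx.org's own repository with its signing key added explicitly, whereas the `ppa:` shorthand has apt_repository fetch the Launchpad key of a third-party PPA. That is fine if intended, but the message should record it. `update_cache=yes` is correctly set so the following `apt` task sees the new source.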

commit d89cbe3c49005b8383374eb883ee38b4135c26f3
Author: Tomasz Zieliński <tomasz.zielinski@pyconsultant.eu>
Date:   Fri May 15 02:54:50 2015 +0200

    Last minute changes to make things roughly work on Ubuntu 15.04

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 97c9136..d7bc370 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -1,13 +1,13 @@
 ---
 
-- name: Add nginx repo key
-  apt_key: url=http://nginx.org/keys/nginx_signing.key
-
-- name: Add nginx repo
-  apt_repository: repo="{{item}}"
-  with_items:
-    - deb http://nginx.org/packages/ubuntu/ precise nginx
-    - deb-src http://nginx.org/packages/ubuntu/ precise nginx
+#- name: Add nginx repo key
+#  apt_key: url=http://nginx.org/keys/nginx_signing.key
+#
+#- name: Add nginx repo
+#  apt_repository: repo="{{item}}"
+#  with_items:
+#    - deb http://nginx.org/packages/ubuntu/ precise nginx
+#    - deb-src http://nginx.org/packages/ubuntu/ precise nginx
 
 - name: Install nginx
   apt: name=nginx state=latest
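Review bot: commenting the repo tasks out rather than deleting them leaves dead configuration in the file (git already keeps the history), and the actual cause of the 15.04 breakage is visible in the commented lines: the `precise` codename is hard-coded in both deb lines. Replacing it with `{{ ansible_distribution_release }}` would have kept the nginx.org repository working on vivid without falling back to the distro package.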

commit efc4f2fcb6e7abce8ffec61503b052a83b3892e0
Author: Tomasz Zieliński <tomasz.zielinski@pyconsultant.eu>
Date:   Sun Mar 15 21:34:59 2015 +0100

    Updated playbook to read the SSL cert from the vault

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 22a76cb..97c9136 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -36,11 +36,21 @@
     - sites-available
     - sites-enabled
 
-- name: Copy the SSL certificate
-  copy: src={{inventory_dir}}/{{item}} dest=/etc/ssl/ mode=0600
-  with_items:
-    - appsembler.key
-    - appsembler.crt
+- name: Copy the SSL certificate (1)
+  copy:
+    content: "{{nginx_private_key}}"
+    dest: /etc/ssl/launcher.key
+    owner: root
+    mode: 600
+  notify:
+    - restart nginx
+
+- name: Copy the SSL certificate (2)
+  copy:
+    content: "{{nginx_public_cert}}"
+    dest: /etc/ssl/launcher.crt
+    owner: root
+    mode: 600
   notify:
     - restart nginx
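Review bot: `content: "{{nginx_private_key}}"` puts the private key into the task arguments, so it is printed by `-v` output and `--diff` and can end up in logs or CI output; add `no_log: true` to the `Copy the SSL certificate (1)` task. Separately, `mode: 600` in dict syntax is an unquoted integer and does not yield `rw-------` (see efe0f2f above), and `group: root` should be set alongside `owner: root`.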
 

commit 603a6f76f8ea26cba3bf5f7763f5f7564cea3beb
Author: Tomasz Zieliński <tomasz.zielinski@pyconsultant.eu>
Date:   Fri Mar 6 02:03:14 2015 +0100

    Added missing env vars to secret_vars and fixed SSL chmod

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 8012daf..22a76cb 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -37,7 +37,7 @@
     - sites-enabled
 
 - name: Copy the SSL certificate
-  copy: src={{inventory_dir}}/{{item}} dest=/etc/ssl/ mode=go-rwx
+  copy: src={{inventory_dir}}/{{item}} dest=/etc/ssl/ mode=0600
   with_items:
     - appsembler.key
     - appsembler.crt
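Review bot: `mode=go-rwx` is a valid symbolic mode for the copy module, so the old form was not broken, but `mode=0600` is explicit and easier to audit. Note that in the `key=value` inline syntax `0600` is a string; the same value in YAML dict syntax must keep the leading zero or be quoted as `'0600'`, which is the pitfall efc4f2f later hits. Applying 0600 to `appsembler.crt` too is harmless, the certificate being public.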

commit e4ab79c3f448277de4a07828e458ee6cc24623b5
Author: Tomasz Zieliński <tomasz.zielinski@pyconsultant.eu>
Date:   Thu Mar 5 20:37:19 2015 +0100

    Added launcher SSL cert setup to the playbook

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 6293ac1..8012daf 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -36,6 +36,14 @@
     - sites-available
     - sites-enabled
 
+- name: Copy the SSL certificate
+  copy: src={{inventory_dir}}/{{item}} dest=/etc/ssl/ mode=go-rwx
+  with_items:
+    - appsembler.key
+    - appsembler.crt
+  notify:
+    - restart nginx
+
 - name: Copy the virtual host config file
   template: src=nginx_uwsgi.conf dest=/etc/nginx/sites-available/{{app_name}}.conf
   notify:
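Review bot: the private key is read from `{{inventory_dir}}/appsembler.key`, which places a plaintext private key in the inventory tree and, if the inventory is committed, in the repository; moving it into Ansible Vault (as efc4f2f later does) or a secrets store is the fix. The task also sets no `owner`, so the files belong to whichever user Ansible connects as unless `become` is in effect; add `owner=root group=root`.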

commit f9c3ca4c4a02089de11aae51a14530754948f400
Author: Filip Jukic <filip@jukic.me>
Date:   Fri Jan 2 13:00:58 2015 +0100

    restart nginx where needed

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 8513fea..6293ac1 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -39,10 +39,12 @@
 - name: Copy the virtual host config file
   template: src=nginx_uwsgi.conf dest=/etc/nginx/sites-available/{{app_name}}.conf
   notify:
-    - reload nginx
+    - restart nginx
 
 - name: Enable the virtual host
   file: path=/etc/nginx/sites-enabled/{{app_name}}.conf src=/etc/nginx/sites-available/{{app_name}}.conf state=link
+  notify:
+    - restart nginx
 
 - name: Increase the TCP buffer
   sysctl: name="net.ipv4.tcp_max_syn_backlog" value=2048 reload=yes
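Review bot: switching the vhost handler from `reload nginx` to `restart nginx` drops in-flight connections on every configuration change; a reload (SIGHUP) is graceful and sufficient for vhost and nginx.conf edits, so keep `reload` for config tasks and reserve `restart` for cases that need it. If the motivation is that a reload cannot start a stopped service (d26113f stops nginx on fresh hosts), an explicit `service: name=nginx state=started` after `Enable the virtual host` solves that without a restart on every run. Also check that the now-unused `reload nginx` handler does not linger in the role's handlers file.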

commit 8dff8633315327afe61ad76a5bf96ed653bd2169
Author: Filip Jukic <filip@jukic.me>
Date:   Fri Nov 14 17:56:31 2014 +0100

    updated playbook syntax

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 2f67661..8513fea 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -10,7 +10,7 @@
     - deb-src http://nginx.org/packages/ubuntu/ precise nginx
 
 - name: Install nginx
-  apt: pkg=nginx state=latest
+  apt: name=nginx state=latest
 
 - name: Check if Launcher config is already there
   stat: path=/etc/nginx/sites-available/{{app_name}}.conf

commit d26113f4fe093d1e34480f2377a7d70834e78c53
Author: Filip Jukic <filip@jukic.me>
Date:   Fri Nov 7 00:54:29 2014 +0100

    needed fixes for production deploy

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
index 61e297c..2f67661 100644
--- a/deploy/roles/nginx/tasks/main.yml
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -12,6 +12,15 @@
 - name: Install nginx
   apt: pkg=nginx state=latest
 
+- name: Check if Launcher config is already there
+  stat: path=/etc/nginx/sites-available/{{app_name}}.conf
+  register: nginx_launcher_conf
+
+# needed so nginx doesn't take the port 80 by default
+- name: Stop nginx if Launcher config is not installed
+  service: name=nginx state=stopped
+  when: not nginx_launcher_conf.stat.exists
+
 - name: Ensure main Nginx configuration file is up to date
   template: src=nginx.conf dest=/etc/nginx/nginx.conf
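Review bot: stopping nginx when the app vhost is absent is fine on a fresh host, but nothing in the role starts it again: the only handler notified later is `reload nginx`, and a SIGHUP to a stopped daemon does not start it, so the first deploy can end with nginx down. Add an explicit `service: name=nginx state=started` after `Enable the virtual host`, or change the handler to a restart (f9c3ca4 does the latter). The comment should also say which service port 80 is being freed for.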
 

commit f00419f8220e01cbf171dfdaee2404914f4db460
Author: Filip Jukic <filip@jukic.me>
Date:   Wed Feb 19 11:50:39 2014 +0100

    Initial commit for the new Launcher stripped of OpenShift stuff

diff --git a/deploy/roles/nginx/tasks/main.yml b/deploy/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..61e297c
--- /dev/null
+++ b/deploy/roles/nginx/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Add nginx repo key
+  apt_key: url=http://nginx.org/keys/nginx_signing.key
+
+- name: Add nginx repo
+  apt_repository: repo="{{item}}"
+  with_items:
+    - deb http://nginx.org/packages/ubuntu/ precise nginx
+    - deb-src http://nginx.org/packages/ubuntu/ precise nginx
+
+- name: Install nginx
+  apt: pkg=nginx state=latest
+
+- name: Ensure main Nginx configuration file is up to date
+  template: src=nginx.conf dest=/etc/nginx/nginx.conf
+
+- name: Remove default virtual hosts
+  file: path=/etc/nginx/conf.d/{{item}}.conf state=absent
+  with_items:
+    - default
+    - example_ssl
+
+- name: Create virtual hosts folders
+  file: path=/etc/nginx/{{item}} state=directory
+  with_items:
+    - sites-available
+    - sites-enabled
+
+- name: Copy the virtual host config file
+  template: src=nginx_uwsgi.conf dest=/etc/nginx/sites-available/{{app_name}}.conf
+  notify:
+    - reload nginx
+
+- name: Enable the virtual host
+  file: path=/etc/nginx/sites-enabled/{{app_name}}.conf src=/etc/nginx/sites-available/{{app_name}}.conf state=link
+
+- name: Increase the TCP buffer
+  sysctl: name="net.ipv4.tcp_max_syn_backlog" value=2048 reload=yes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment