authorMitch Riedstra <mitch@riedstra.us>2019-02-23 22:38:41 -0500
committerMitch Riedstra <mitch@riedstra.us>2019-02-23 22:38:41 -0500
commit6d19a82a722f761293a578fbb5baa1741d6edaf0 (patch)
tree8c934ab0e0c5b8c24d3cb879a5cd0af576c9d0eb
downloadnginx-6d19a82a722f761293a578fbb5baa1741d6edaf0.tar.gz
nginx-6d19a82a722f761293a578fbb5baa1741d6edaf0.tar.xz
Import
-rw-r--r--defaults/main.yml9
-rw-r--r--handlers/main.yml4
-rw-r--r--tasks/main.yml50
-rw-r--r--templates/nginx/acl9
-rw-r--r--templates/nginx/acme-challenge4
-rw-r--r--templates/nginx/nginx.conf41
6 files changed, 117 insertions, 0 deletions
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..44ba636
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,9 @@
+nginx_worker_processes: 1
+nginx_worker_connections: 1024
+
+# These need to be strings to be parsed properly
+nginx_conf_dir_mode: '0770'
+nginx_conf_file_mode: '0640'
+
+nginx_conf_owner: root
+nginx_conf_group: adm
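Review bot: `nginx_acl_block` is rendered into templates/nginx/acl but has no default here, so on any host that does not define it the template task fails with an undefined-variable error; add `nginx_acl_block: ''` next to the other defaults so the role runs with the RFC 1918 list alone. Separately, `nginx_conf_dir_mode: '0770'` together with `nginx_conf_group: adm` gives every adm member write access to /etc/nginx and /etc/nginx/conf.d; since the nginx master reads that configuration as root, and directory write permission lets a member replace nginx.conf even though the file itself is 0640, this is presumably an unintended root-escalation path for the adm group, and `'0750'` is sufficient for reading. The comment on L29 could say why the quoting matters: `# Quoted so YAML does not parse these as octal integers (0770 -> 504).`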
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..01a6c2e
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart Nginx
+ runit:
+ name: nginx
+ state: restarted
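Review bot: `state: restarted` on L44 drops in-flight connections on every configuration change, while nginx reloads its configuration gracefully on SIGHUP; if the `runit` module's `reloaded` state maps to `sv reload` (confirm against the module version in use), `state: reloaded` is the less disruptive default, with a full restart reserved for binary or `user` changes. Either way this handler re-reads whatever is on disk, so it only makes sense paired with validation of the rendered config in the template tasks.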
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..fb3047e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# - name: Install Nginx
+# xbps:
+# name: nginx
+# state: present
+- name: Enable Nginx
+ file:
+ src: /etc/sv/nginx
+ dest: /var/service/nginx
+ owner: root
+ group: root
+ state: link
+- name: Lock down and setup configuration directories
+ file:
+ path: '{{item}}'
+ state: directory
+ owner: "{{nginx_conf_owner}}"
+ group: "{{nginx_conf_group}}"
+ mode: "{{nginx_conf_dir_mode}}"
+ loop:
+ - /etc/nginx
+ - /etc/nginx/conf.d
+- name: Create Acme Challenge directory
+ file:
+ path: /var/lib/acme-challenge
+ state: directory
+ owner: "{{nginx_conf_owner}}"
+ group: "{{nginx_conf_group}}"
+ mode: "0755"
+- name: Install Main 'nginx.conf'
+ template:
+ src: nginx/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ owner: "{{nginx_conf_owner}}"
+ group: "{{nginx_conf_group}}"
+ mode: "{{nginx_conf_file_mode}}"
+ notify:
+ - Restart Nginx
+- name: Install Other Nginx templates
+ template:
+ src: "nginx/{{item}}"
+ dest: "/etc/nginx/{{item}}"
+ owner: "{{nginx_conf_owner}}"
+ group: "{{nginx_conf_group}}"
+ mode: "{{nginx_conf_file_mode}}"
+ loop:
+ - acme-challenge
+ - acl
+ notify:
+ - Restart Nginx
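Review bot: The template tasks on L80-L100 write the rendered files straight into /etc/nginx and then restart, so a rendering mistake (an empty or malformed `nginx_acl_block`, a typo in a snippet) is only discovered when the restart handler leaves nginx down; add `validate: 'nginx -t -c %s'` to the nginx.conf task so Ansible rejects a broken config before it replaces the live one (the relative `include conf.d/*.conf` resolves against nginx's compiled-in prefix, so confirm the check works on the target build). The Enable Nginx task on L56-L62 also links the service before any configuration exists, which on a fresh host briefly starts nginx with the package default config and the default open listener; moving it after the template tasks closes that window. The acl and acme-challenge snippets notify a restart even though nginx.conf never includes them, which is harmless but presumably relies on conf.d vhosts pulling them in.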
diff --git a/templates/nginx/acl b/templates/nginx/acl
new file mode 100644
index 0000000..ad33e0a
--- /dev/null
+++ b/templates/nginx/acl
@@ -0,0 +1,9 @@
+# RFC 1918 addresses
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+allow 10.0.0.0/8;
+
+{{nginx_acl_block}}
+
+deny all;
+
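Review bot: The RFC 1918 allow list on L108-L110 only protects anything if nginx sees the real client source address; behind a reverse proxy, load balancer or CDN every request arrives from the proxy's (often private) address and this snippet effectively becomes `allow all`, and the same happens if a conf.d vhost enables `real_ip_header` with an untrusted `set_real_ip_from`. Record that assumption above the list, e.g. `# Only meaningful when clients connect directly; behind a proxy use the realip module with trusted set_real_ip_from only.` Loopback (127.0.0.0/8, ::1) and IPv6 ULA (fc00::/7) are not allowed even though nginx.conf listens on [::]:80 — fine if intended, but a comment saying so keeps it from being "fixed" later. `{{nginx_acl_block}}` is inserted unquoted and must render to complete `allow`/`deny` directives or to nothing, so it needs a default of `''` in defaults/main.yml for the file to stay valid when unset.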
diff --git a/templates/nginx/acme-challenge b/templates/nginx/acme-challenge
new file mode 100644
index 0000000..934999f
--- /dev/null
+++ b/templates/nginx/acme-challenge
@@ -0,0 +1,4 @@
+ location /.well-known/acme-challenge {
+ # This works for acmetool. If using letsencrypt change 'alias' to 'root'
+ alias /var/lib/acme-challenge;
+ }
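Review bot: If a vhost includes the `acl` snippet at server scope, this location inherits its `deny all` and the CA's validation requests from public IPs get 403, so the challenge path needs its own `allow all;` before `alias` — presumably safe, since the directory should only hold short-lived challenge tokens. The location and alias are both written without a trailing slash, which avoids the classic nginx alias off-by-slash traversal (`location /x { alias /y/; }` lets `/x../` escape `/y/`); a comment such as `# keep location and alias without trailing slash (nginx alias traversal)` documents why the form matters. The comment on L123 could be more precise: with `root`, nginx appends the full URI, so the directory given must contain `.well-known/acme-challenge/`.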
diff --git a/templates/nginx/nginx.conf b/templates/nginx/nginx.conf
new file mode 100644
index 0000000..3bf546f
--- /dev/null
+++ b/templates/nginx/nginx.conf
@@ -0,0 +1,41 @@
+worker_processes {{nginx_worker_processes}};
+
+events {
+ worker_connections {{nginx_worker_connections}};
+}
+
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ gzip on;
+
+ server_tokens off;
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+
+ include conf.d/*.conf;
+
+}
+
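Review bot: The `server` block on L153-L167 is the default for port 80 only because it is defined first, and the later `include conf.d/*.conf` can silently take that role if any vhost there declares `default_server`; mark it explicitly with `listen 80 default_server;` and `listen [::]:80 default_server;` so requests with unmatched or bogus `Host` headers land here by design rather than by file order. There is no `user` directive, so workers run as whatever user the Void build compiled in — presumably the package default, but pinning it in the template makes the privilege boundary visible and reviewable. `gzip on;` applies globally; if conf.d vhosts add TLS, compressing responses that mix secrets with attacker-controlled input enables BREACH-style compression oracles, so consider restricting `gzip_types` to static assets or leaving compression to the vhosts that need it.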