first commit

.githooks/pre-commit

@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# Pre-commit script which checks the playbook for syntax errors
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+	against=HEAD
+else
+	# Initial commit: diff against an empty tree object
+	against=$(git hash-object -t tree /dev/null)
+fi
+
+# If you want to allow non-ASCII filenames set this variable to true.
+allownonascii=$(git config --type=bool hooks.allownonascii)
+
+# Redirect output to stderr.
+exec 1>&2
+
+# Cross platform projects tend to avoid non-ASCII filenames; prevent
+# them from being added to the repository. We exploit the fact that the
+# printable range starts at the space character and ends with tilde.
+if [ "$allownonascii" != "true" ] &&
+	# Note that the use of brackets around a tr range is ok here, (it's
+	# even required, for portability to Solaris 10's /usr/bin/tr), since
+	# the square bracket bytes happen to fall in the designated range.
+	test $(git diff --cached --name-only --diff-filter=A -z $against |
+	  LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+then
+	cat <<\EOF
+Error: Attempt to add a non-ASCII file name.
+
+This can cause problems if you want to work with people on other platforms.
+
+To be portable it is advisable to rename the file.
+
+If you know what you are doing you can disable this check using:
+
+  git config hooks.allownonascii true
+EOF
+	exit 1
+fi
+
+set -e
+
+# If there are whitespace errors, print the offending file names and fail.
+git diff-index --check --cached $against --
+
+# Run yamllint on yaml files
+yamllint defaults/*.yml handlers/*.yml meta/*.yml tasks/*.yml vars/*.yml

.gitignore

@@ -0,0 +1,2 @@
+# Python cache
+__pycache__

README.md

@@ -0,0 +1,61 @@
+# geekoops-nginx
+
+Configurable ansible role for setting up a nginx webserver on a Linux server. Works with
+
+- openSUSE Leap 15.2
+- Debian Buster
+
+## Role Variables
+--------------
+
+You can set the following variables to configure the role. Here listed are the variables and their default settings.
+
+Firewall configuration (disable by default)
+
+	config_firewall: false               # Enable firewall configuration
+	firewall_zone: "public"              # Firewall zone to configure
+    open_http: true                      # Enable http on the firewall_zone
+    open_https: true                     # Enable https on the firewall_zone
+
+Custom `nginx` settings
+
+	nginx_user: "nginx"                  # Default nginx user (for permission ecc.)
+	nginx_group: "nginx"                 # Default nginx group (for permission ecc.)
+
+
+## Example Playbook
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: geekoops-nginx, config_firewall: true }
+
+A bit more advanced example for the imaginary `jellyfish` test server
+
+    - hosts: jellyfish
+      roles:
+         - role: geekoops-nginx
+           vars:
+             setup_default_page: true
+             default_page_hostname: "{{ansible_host}}"
+             config_firewall: true
+             firewall_zone: "public"
+
+## License
+
+MIT
+
+## Author Information
+
+phoenix
+
+Have a lot of fun!
+
+# Development
+
+## Add githooks
+
+This repository ships pre-commit git hooks that will check the yaml syntax. To configure them do
+
+    git config --local core.hooksPath .githooks/

defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# defaults file for geekoops-nginx
+
+# Don't install default page by default
+setup_default_page: false
+default_page_hostname: "localhost"
+
+# firewall configuration
+config_firewall: false
+firewall_zone: "public"
+open_http: true
+open_https: true
+
+# nginx settings
+nginx_user: "nginx"
+nginx_group: "nginx"

handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# handlers file for geekoops-nginx
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted

meta/main.yml

@@ -0,0 +1,30 @@
+---
+galaxy_info:
+  author: Felix Niederwanger
+  description: Configurable nginx setup role
+  company: SUSE
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: license MIT
+
+  min_ansible_version: 2.9
+
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: opensuse
+      versions:
+        - 15.2
+    - name: debian
+      versions:
+        - buster
+
+  galaxy_tags:
+    - nginx
+    - lemp
+
+dependencies: []

molecule/default/converge.yml

@@ -0,0 +1,42 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include geekoops-nginx"
+      include_role:
+        name: "geekoops-nginx"
+    ## Setup test enviroment
+    # Deploy a test site and serve it
+    - name: Deploy test page
+      copy:
+        content: |
+          <html>Success! The test page is displayed correctly</html>
+        dest: "{{www_dir}}/index.html"
+        group: "{{nginxuser}}"
+        owner: "{{nginxgroup}}"
+        mode: 0754
+    - name: Deploy nginx configuration
+      copy:
+        content: |
+              server {
+                  listen 80 default_server;
+                  listen [::]:80 default_server;
+                  root {{ www_dir }};
+                  index index.html index.htm;
+                  location / {
+                      try_files $uri $uri/ =404;
+                  }
+              }
+        dest: "{{vhosts_dir}}/default.conf"
+        owner: root
+        group: root
+        mode: 0644
+      when: deploy_nginx_config == true
+    - name: Rung nginx check
+      shell: nginx -t
+
+    # Restart of nginx is required for the new configuration
+    - name: Restart nginx
+      systemd:
+        name: nginx
+        state: restarted

molecule/default/molecule.yml

@@ -0,0 +1,48 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: leap15_2
+    image: grisu48/leap-ansible
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    capabilities:
+      - SYS_ADMIN
+    tmpfs:
+      - /run
+      - /tmp
+  - name: buster
+    image: grisu48/buster-ansible
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    capabilities:
+      - SYS_ADMIN
+    privileged: true
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+  inventory:
+    host_vars:
+      leap15_2:
+        vhosts_dir: "/etc/nginx/vhosts.d"
+        nginxuser: nginx
+        nginxgroup: nginx
+        deploy_nginx_config: true
+      buster:
+        vhosts_dir: "/etc/nginx/sites-enabled"
+        nginxuser: www-data
+        nginxgroup: www-data
+        deploy_nginx_config: false
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
+lint: |
+  set -e
+  yamllint .

molecule/default/tests/test_default.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+
+
+import testinfra.utils.ansible_runner
+import os
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+def test_phpinfo(host):
+	cmd = host.run("curl -v http://127.0.0.1/index.html")
+	print(cmd.stdout)
+	assert 'HTTP/1.1 200 OK' in cmd.stderr
+	assert "Success" in cmd.stdout
+	assert "The test page is displayed correctly" in cmd.stdout

molecule/default/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true

tasks/default-page.yml

@@ -0,0 +1,30 @@
+---
+# setup a default page
+
+- name: Ensure default page directory exists
+  file:
+    path: /srv/www/default
+    owner: "{{nginx_user}}"
+    group: "{{nginx_group}}"
+    mode: 0755
+    state: directory
+  tags: ['nginx']
+- name: Ensure default page exists
+  template:
+    src: index.html.j2
+    dest: "{{www_dir}}/default/index.html"
+    owner: "{{nginx_user}}"
+    group: "{{nginx_group}}"
+    mode: 0755
+    force: false
+  tags: ['nginx']
+- name: Ensure default page nginx template exists
+  template:
+    src: default-www.j2
+    dest: "{{vhosts_dir}}/default-www.conf"
+    owner: root
+    group: root
+    mode: 0644
+    force: false
+  notify: restart nginx
+  tags: ['nginx']

tasks/firewall.yml

@@ -0,0 +1,22 @@
+---
+# Configure firewall
+
+- name: Ensure http port is open
+  firewalld:
+    zone: "{{firewall_zone}}"
+    service: http
+    permanent: true
+    state: enabled
+  notify: reload firewalld
+  tags: ['nginx', 'firewall']
+  when: open_http == true
+
+- name: Ensure https port is open
+  firewalld:
+    zone: "{{firewall_zone}}"
+    service: https
+    permanent: true
+    state: enabled
+  notify: reload firewalld
+  tags: ['nginx', 'firewall']
+  when: open_https == true

tasks/main.yml

@@ -0,0 +1,13 @@
+---
+# tasks file for geekoops-nginx
+
+# Distribution specific vars are ALWAYS needed, so don't forget the tags here
+- name: include distribution specific vars
+  include_vars: "{{ansible_distribution}}_{{ansible_distribution_version}}.yml"
+  tags: ['nginx', 'firewall', 'systemd']
+
+- include: software.yml
+- include: firewall.yml
+  when: config_firewall == true
+- include: default-page.yml
+  when: setup_default_page == true

tasks/software.yml

@@ -0,0 +1,14 @@
+---
+# Install and configure nginx
+
+- name: Ensure nginx is installed
+  package:
+    name: "{{ packages }}"
+    state: present
+  tags: ['nginx']
+- name: Ensure nginx service is enabled
+  systemd:
+    name: "{{ nginx_service }}"
+    state: started
+    enabled: true
+  tags: ['nginx', 'systemd']

templates/default-www.j2

@@ -0,0 +1,22 @@
+## Default page handling for nginx
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    root /srv/www/default;
+    index index.php index.html index.htm;
+
+    server_name {{default_page_hostname}};
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location ~ \.php$ {
+        fastcgi_pass   unix:{{php_socket}};
+        fastcgi_index  index.php;
+        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include        fastcgi_params;
+    }
+}

templates/index.html.j2

@@ -0,0 +1,13 @@
+<!doctype html>
+<html>
+<head>
+<title>Lempo</title>
+</head>
+<body>
+<h1>Default page for lempo</h1>
+<p>Congratulations! Your LEMPO role has been successfully installed on this server</p>
+<ul>
+<li>Visit <a href="phpinfo.php">phpinfo.php</a>
+</ul>
+</body>
+</html>

tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - lempo

vars/Debian_10.yml

@@ -0,0 +1,12 @@
+---
+# Debian Buster specific variables
+
+## Software packages
+
+packages: ['nginx', 'nginx-full']
+nginx_service: "nginx"
+
+## OS-Specific directories
+
+www_dir: "/var/www/html"
+vhosts_dir: "/etc/nginx/sites-enabled"

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for lemp

vars/openSUSE Leap_15.2.yml

@@ -0,0 +1,12 @@
+---
+# openSUSE Leap 15.2 specific variables
+
+## Software packages
+
+packages: ['nginx', 'nginx-module-brotli']
+nginx_service: "nginx"
+
+## OS-Specific directories
+
+www_dir: "/srv/www/htdocs"
+vhosts_dir: "/etc/nginx/vhosts.d"