An Ansible role for installing Nginx on Debian servers.

By default this role installs `nginx-extras`, templates `nginx.conf` (which enables TLSv1.2 and TLSv1.3), generates a Diffie-Hellman parameters file, removes the `/etc/nginx/sites-enabled/default` symlink and creates and symlinks a `default.conf` and a `localhost.conf`.
The configuration of `sites-enabled` can be done using the `nginx_sites_enabled` and `nginx_sites_disabled` lists. After sites are enabled, `service nginx configtest` is run; if the configtest fails, the site is disabled and this role stops.
To only install packages you can run this role using the `nginx_install` tag. Once Nginx is installed you can use the `nginx_conf` tag with `--check`.

See the `defaults/main.yml` file for the default variables and `meta/argument_specs.yml` for the variable specification.

If `nginx` is `true` then the tasks in this role will be run; it defaults to `false`.
A list of TLSv1.2 cipher suites; this defaults to the Mozilla intermediate compatibility list:

```
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
```
A list of TLSv1.3 cipher suites; this defaults to the Mozilla modern compatibility list:

```
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
```
A URL to redirect port 80 HTTP requests to in the `default.conf` configuration file; `nginx_default_https_redirect` defaults to `https://$host$request_uri`.
An optional URL to redirect port 443 HTTPS requests to in the `default.conf` configuration file, for the `nginx_default_server_name`. This variable is not set by default.
The default `root` for HTML files in the `default.conf` configuration file; this defaults to `/var/www/html`.

If `nginx_default_server` is `true` then the `default.conf` server configuration file will include `default_server` in the `listen` directive; it defaults to `true`.

A list of file names to be used for the `index` directive in the `default.conf` configuration file; it defaults to:

- `index.html`
- `index.nginx-debian.html`

The `server_name` to use in the `default.conf` server configuration file; it defaults to `{{ inventory_hostname }}`.

The port to use in the `default.conf` server configuration file; it defaults to `80`.

An optional path to a TLS certificate for the `default.conf` server configuration file; set it to an empty string to disable TLS in `default.conf`.

An optional path to a TLS key for the `default.conf` server configuration file; set it to an empty string to disable TLS in `default.conf`.

An optional path to a CA certificate for the `default.conf` server configuration file; set it to an empty string to disable TLS in `default.conf`.

The path to the Diffie-Hellman parameters file; this defaults to `/etc/nginx/ssl_dhparam.pem`.

The size of the Diffie-Hellman parameters TLS key; this defaults to `4096` (smaller ones are quicker to generate).

A list of Debian packages to be installed by this role; this defaults to:

- `nginx-extras`

A list of symlinks in `/etc/nginx/sites-enabled` to delete; this defaults to:

- `default`

A list of files that are present in `/etc/nginx/sites-available` that should be symlinked from `/etc/nginx/sites-enabled`; this defaults to:

- `default.conf`
- `localhost.conf`

A boolean to enable TLS; `nginx_ssl` defaults to `true`.

A list of TLS protocols for `ssl_protocols`; this defaults to:

- `TLSv1.2`
- `TLSv1.3`

This role no longer supports `TLSv1.1` or `TLSv1.0`.
A boolean to validate all variables starting with `nginx_` against the argument spec; `nginx_validate` defaults to `true`.
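The following playbook is an added usage example and is not part of the role itself; it uses only the variables and tags documented above, and the host group `webservers` and the Galaxy role name `webarch.nginx` are assumptions for illustration.

```yaml
# Added example playbook, not from the role. "webservers" and the role
# name "webarch.nginx" are assumed; adjust to your inventory and install path.
- name: Install Nginx on Debian with TLSv1.2/TLSv1.3 only
  hosts: webservers
  become: true
  vars:
    nginx: true                  # role tasks only run when this is true
    nginx_validate: true         # check nginx_* variables against the argument spec
    nginx_ssl: true              # TLS enabled in the templated config
    nginx_default_server: true   # add default_server to the listen directive
    nginx_default_server_name: "{{ inventory_hostname }}"
    # Port 80 requests are redirected to HTTPS on the same host and path
    nginx_default_https_redirect: "https://$host$request_uri"
    # Remove the Debian stock symlink, then enable the role's two sites
    nginx_sites_disabled:
      - default
    nginx_sites_enabled:
      - default.conf
      - localhost.conf
  roles:
    - role: webarch.nginx

# Suggested invocation (shell comments, not YAML):
#   ansible-playbook nginx.yml --tags nginx_install          # packages only
#   ansible-playbook nginx.yml --tags nginx_conf --check     # dry-run the config
#   ansible-playbook nginx.yml                               # full run
```

Running the `nginx_conf` tag with `--check` after the package install shows which templated files would change before the `configtest` gate is reached.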
This role requires Ansible `2.13` or newer, plus JC and JMESPath installed using `pip3` on the Ansible controller.

The primary URL of this repo is https://git.coop/webarch/nginx; however, it is also mirrored to GitHub and available via Ansible Galaxy.

If you use this role please use a tagged release; see the release notes.

This role is released under the same terms as Ansible itself, the GNU GPLv3.