An Ansible role for installing Nginx on Debian servers.
By default this role installs nginx-extras, templates nginx.conf which enables TLSv1.2 and TLSv1.3, generates a Diffie-Hellman parameters file, removes the /etc/nginx/sites-enabled/default symlink and creates and symlinks a default.conf and a localhost.conf.
The configuration of sites-enabled can be done using the nginx_sites_enabled and nginx_sites_disabled lists, after sites are enabled service nginx configtest is run and if the configtest test fails the site is disabled and this role stops.
To only install packages you can run this role using the nginx_install tag.
Once Nginx is installed you can use the nginx_conf tag with --check.
See the defaults/main.yml file for the default variables and meta/argument_specs.yml for the variable specification.
If nginx is true then the tasks in this role will be run, it defaults to false.
A list of TLSv1.2 cipher suites, this defaults to the Mozilla intermediate compatibility list.
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
A list of TLSv1.2 cipher suites, this defaults to the Mozilla modern compatibility list.
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
A URL to redirect port 80 HTTP requests to in the default.conf configuration file, nginx_default_https_redirect defaults to https://$host$request_uri.
An optional URL to redirect port 443 HTTPS requests to in the default.conf configuration file, nginx_default_server_name to. This variable is not set by default.
The default root for HTML files in the default.conf configuration file, this defaults to /var/www/html.
If nginx_default_server is true then the default.conf server configuration file will include default_server in the listen directive, it defaults to true.
A list of file names to be used for the index directive, in the default.conf configuration file, it defaults to:
index.htmlindex.nginx-debian.html
The server_name to use in the default.conf server configuration file, it defaults to {{ inventory_hostname }}.
The port to use in the default.conf server configuration file, it defaults to 80.
An optional path to a TLS certificate for the default.conf server configuration file, set it to an empty string to disable TLS in default.conf.
An optional path to a TLS key for the default.conf server configuration file, set it to an empty string to disable TLS in default.conf.
An optional path to a CA certificate for the default.conf server configuration file, set it to an empty string to disable TLS in default.conf.
The path to the Diffie-Hellman parameters file, this defaults to /etc/nginx/ssl_dhparam.pem.
The size of the Diffie-Hellman parameters TLS key, this defaults to 4096 (smaller ones are quicker to generate).
A list of Debian package to be installed by this role, this defaults to:
nginx-extras
A list of symlinks in /etc/nginx/sites-enabled to delete, this defaults to:
default
A list of files that are present in /etc/nginx/sites-available that should be symlinked from /etc/nginx/sites-enabled, this defaults to:
default.conflocalhost.conf
A boolean, enable TLS, nginx_ssl defaults to true.
A list of TLS protocols for ssl_protocols, this defaults to:
TLSv1.2TLSv1.3
This role no longer supports TLSv1.1 or TLSv1.0.
A boolean, validate all variables strating with nginx_ against the argument spec, nginx_validate defaults to true.
This role requires Ansible 2.13 or newer plus JC and JMESPath to be installed using pip3 on the Ansible controller.
The primary URL of this repo is https://git.coop/webarch/nginx however it is also mirrored to GitHub and available via Ansible Galaxy.
If you use this role please use a tagged release, see the release notes.
This role is released under the same terms as Ansible itself, the GNU GPLv3.