๐Ÿ“— Ansible playbooks and roles for building an idempotent, interconnected and scalable infrastructure
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
ansible-playbooks/roles/nginx/templates/nginx.j2

211 lines
6.6 KiB

{% macro nginx_option(option) -%}
{% if option.value is boolean -%}
{{ option.key | lower }} {{ 'on' if option.value else 'off' }};
{% elif option.value is string -%}
{{ option.key | lower }} {{ option.value }};
{% elif option.value | type_debug == "list" -%}
{% if option.key in nginx_multi_list -%}
{% for suboption in option.value -%}
{{ option.key | lower }} {{ suboption }};
{% endfor -%}
{% else -%}
{{ option.key | lower }} {{ option.value | join(nginx_list_join[option.key] | d(' ')) }};
{% endif -%}
{% endif -%}
{% endmacro -%}
{% macro nginx_option_block(block) -%}
{% if block | type_debug == 'dict' -%}
{% for option in (block | d({}) | dict2items) -%}
{{ nginx_option(option) -}}
{% endfor -%}
{% endif -%}
{% endmacro -%}
{%- macro nginx_include(conf, dir) -%}
include {{ (nginx_cfg.conf_dir ~ '/' ~ (dir | d('custom')) ~ '/' ~ conf ~ '.conf') | quote -}};
{%- endmacro -%}
{% macro nginx_security_headers(source) -%}
{% set nginx_sel_source = (source | d(nginx_cfg)) -%}
{% for header in (nginx_sel_source.security.headers | d({}) | dict2items) -%}
{% if header.value is string -%}
add_header {{ header.key ~ ' "' ~ header.value ~ '"' }} always;
{% endif -%}
{% endfor -%}
{% if (nginx_sel_source.security.csp is mapping) and (nginx_sel_source.security.csp | d({}) | dict2items | length) > 0 -%}
{% set all_csp = [] -%}
{% for csp in (nginx_sel_source.security.csp | d({}) | dict2items) -%}
{% set all_csp = all_csp.append(csp.key ~ ' ' ~ csp.value) -%}
{% endfor -%}
{% if nginx_sel_source.security.csp_in_report_mode | d(false) == true -%}
add_header {{ 'Content-Security-Policy-Report-Only "' ~ (all_csp | join('; ')) ~ '"' }} always;
{% else -%}
add_header {{ 'Content-Security-Policy "' ~ (all_csp | join('; ')) ~ '"' }} always;
{% endif -%}
{% endif -%}
{% if (nginx_sel_source.security.pp is mapping) and (nginx_sel_source.security.pp | d({}) | dict2items | length) > 0 -%}
{% set all_fp = [] -%}
{% set all_pp = [] -%}
{% for pp in (nginx_sel_source.security.pp | d({}) | dict2items) -%}
{% set all_fp = all_fp.append(pp.key ~ ' ' ~ ("'none'" if (pp.value | length == 0) else pp.value)) -%}
{% set all_pp = all_pp.append(pp.key ~ '=(' ~ pp.value ~ ')') -%}
{% endfor -%}
add_header {{ 'Feature-Policy "' ~ (all_fp | join('; ')) ~ '"' }} always;
add_header {{ 'Permissions-Policy "' ~ (all_pp | join(', ')) ~ '"' }} always;
{% endif -%}
{% endmacro -%}
{% macro nginx_allow(combined) -%}
{% if (combined.external_tld | d(false) == true) or (combined.tld is defined and combined.tld == tld) or (combined.int_net | d(true) == false) -%}
allow all;
{% for bogon in (bogons | d([])) -%}
deny {{ bogon }};
{% endfor -%}
{% else -%}
allow {{ int_net }};
{% endif -%}
{% endmacro -%}
{% macro nginx_server_name(combined, srv) -%}
{% if combined.is_root | d(false) == false -%}
{% set nginx_sn_prefix = (srv.name | d(combined.override_server_name | d(inventory_hostname))) ~ '.' -%}
{% else -%}
{% set nginx_sn_prefix = '' -%}
{% endif -%}
{% if combined.tld is string -%}
{% set nginx_sn_tld = combined.tld -%}
{% else -%}
{% set nginx_sn_tld = host_tld -%}
{% endif -%}
{% if srv.no_tld | d(false) == true -%}
server_name {{ srv.name }};
{% else -%}
server_name {{ nginx_sn_prefix ~ nginx_sn_tld }};
{% endif -%}
{% endmacro -%}
{% macro nginx_stapling() -%}
{% if nginx_cfg.enable_stapling | d(false) == true -%}
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1;
{% else -%}
ssl_stapling off;
{% endif -%}
{% endmacro -%}
user {{ nginx_cfg.user }} {{ nginx_cfg.group }};
error_log syslog:server=unix:/dev/log,facility=local2 {{ nginx_cfg.log_level | d('notice') }};
{{ nginx_option_block(nginx_cfg.conf.root) }}
{{ nginx_include('*', 'modules') }}
{{ nginx_include('main*') }}
events {
{{ nginx_option_block(nginx_cfg.conf.events) }}
}
http {
{{ nginx_option_block(nginx_cfg.conf.http) }}
include {{ (nginx_cfg.conf_dir ~ '/mime.types') | quote }};
{# ssl_dhparam {{ (nginx_cfg.conf_dir ~ '/tls/' ~ nginx_cfg.dhparam_file) | quote }}; #}
{% if nginx_cfg.security_headers | d(false) == true -%}
{{ nginx_security_headers(nginx_cfg) }}
{% endif %}
{{ nginx_include('http*') }}
{% set nginx_http = (nginx_cfg.servers | d([]) | selectattr('http', 'defined') | selectattr('http', 'equalto', true) | list) -%}
{% set nginx_https = (nginx_cfg.servers | d([]) | rejectattr('http', 'defined') | list) -%}
{# custom HTTP servers -#}
{% for srv in nginx_http -%}
{% set combined = (nginx_cfg | combine(srv, recursive=true)) -%}
server {
listen 80;
{% if srv.ipv6 | d(true) == true %}listen [::]:80;{% endif %}
{{ nginx_allow(combined) }}
{{ nginx_server_name(combined, srv) }}
{% if (srv.security_headers | d(false) == true) and (nginx_cfg.security_headers | d(false) == false) %}
{{ nginx_security_headers(srv) }}
{% endif %}
{{ nginx_include(srv.conf) }}
}
{% endfor %}
{# default HTTP server -#}
{% if nginx_cfg.add_default_http_server | d(true) == true -%}
server {
listen 80 default_server;
listen [::]:80 default_server;
{{ nginx_allow(combined) }}
{{ nginx_server_name(combined, {}) }}
{% if nginx_cfg.default_http_config is not defined -%}
location / {
return 301 https://$host$request_uri;
}
{% else -%}
{{ nginx_include(nginx_cfg.default_http_config) }}
{% endif -%}
}
{% endif -%}
{# custom HTTPS servers #}
{% for srv in nginx_https -%}
{% set combined = (nginx_cfg | combine(srv, recursive=true)) -%}
server {
listen 443 ssl http2;
{% if srv.ipv6 | d(true) == true %}listen [::]:443 ssl http2;{% endif %}
{% if combined.certs | d(true) == true -%}
ssl_certificate {{ (nginx_cfg.conf_dir ~ '/tls/' ~ nginx_cfg.cert_rsa_name ~ '.crt') | quote }};
ssl_certificate_key {{ (nginx_cfg.conf_dir ~ '/tls/' ~ nginx_cfg.cert_rsa_name ~ '.key') | quote }};
ssl_certificate {{ (nginx_cfg.conf_dir ~ '/tls/' ~ nginx_cfg.cert_ecc_name ~ '.crt') | quote }};
ssl_certificate_key {{ (nginx_cfg.conf_dir ~ '/tls/' ~ nginx_cfg.cert_ecc_name ~ '.key') | quote }};
{%- endif %}
{{ nginx_allow(combined) }}
{{ nginx_server_name(combined, srv) }}
{{ nginx_stapling() }}
{% if (srv.security_headers | d(false) == true) and (nginx_cfg.security_headers | d(false) == false) %}
{{ nginx_security_headers(srv) }}
{% endif %}
{{ nginx_include(srv.conf) }}
}
{% endfor %}
}