This is a demonstration on how to deploy and configure NGINX Plus as a load balancer, a webserver and to terminate tls on CentOS7 using Ansible. It's based on kmjones1979's work. I have updated it if necessary and added the tls termination part.

Tested using...

[cleygraf@tls01 ~]$ cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[cleygraf@tls01 ~]$

git clone [email protected]:cleygraf/ansible-demo.git

Setup ssh login with keys for all servers. You might use ssh-add to add your private key to the ssh agent.

I prefer to include as much as possible in the git repository. So I have added an inventory.yml file to hold all the details about the servers:

...
nginxplus-tls:
  hosts:
    tls01:
      new_hostname: tls01.home.local
      ansible_ssh_host: 192.168.1.112
    tls02:
      new_hostname: tls02.home.local
      ansible_ssh_host: 192.168.1.113
  vars:
    ansible_become: yes
    ansible_become_user: root
    ansible_become_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31323961353662633632306166663033643436313135366430666434313862656666393536323265
          6635316339353537313736643163613439666134623733350a383461393638643762626630383232
          62626435656239336135666562373961346664326239653166653866663639303461636238346662
          6165366364663034650a323966373830316237646330386263613165663034656364653737363466
          3632
    nginxplus_cert_key_path: ~/nginx/certs/
    server_cert_key_path: ~/nginx/ssl/
...

Ansible will use the ip in ansible_ssh_host to connect to the target server. The hostname will be changed to "new_hostname". sudo will be used to become roor. If sudo needs a password, please encrypt and stored in ansible_become_password.

In order to install NGINX Plus using this playbook from the Ansible server you need to copy both your nginx-repo cert and key to your /etc/ssl/nginx directory.

The /etc/ssl/nginx directory on your Ansible server should contain both files like so...

[kjones@zion-development ~]# ls -l /etc/ssl/nginx/
total 12
-rwx------ 1 root root 1334 Sep  2 21:59 nginx-repo.crt
-rwx------ 1 root root 1704 Sep  2 21:59 nginx-repo.key

From your ansible server generate an ssh-key for your root account...

su -c 'ssh-keygen'
sudo cat /root/.ssh/id_rsa.pub

...and copy the ssh key to your destination servers 'authorized_keys' file that you defined in the ansible hosts file.

sudo vim /root/.ssh/authorized_keys

Note: You might need to create the ssh directory by running 'ssh-keygen' as root on the destination servers.

Deploy NGINX Plus Load Balancer

ansible-playbook ansible-nginxplus-lb/deploy.yml

Deploy NGINX Plus Web Servers

ansible-playbook ansible-nginxplus-lb/deploy.yml

• Additional firewall configuration might be required on your servers.

To disable and stop your firewall on CentOS 7.1:

sudo systemctl disable firewalld
sudo systemctl stop firewalld

• Running the nginxplus-ws playbook twice will result in duplicate upstreams.

Upstreams can be managed via the NGINX Plus API on the fly: Visit http://nginx.org/en/docs/http/ngx_http_upstream_conf_module.html for more information.

List upsteam servers for backend by id# :

curl 'http://127.0.0.1/upstream_conf?upstream=backend'

Remove a specific upstream by id# :

curl '127.0.0.1/upstream_conf?remove=&upstream=backend&id=0'