Does this work with Ansible 2? https://github.com/ansible/ansible/blob/devel/CHANGELOG.md

Please add a simple way to set HPKP-headers for group, host or site. This is just another header-field to be added in the template, much like HSTS.

I think csp_policy is a bad name. csp already means Content Security Policy. So expanded this means "Content Security Policy policy". I plan to implement this differently in debops.apache: debops/ansible-apache#19
This is also designed with a global report-uri in mind.

This can be changed when making the 0.2.0 release.
Related to: #111
Related to: #118
Ping: @carlalexander

I spent some time to analyse why my nginx would not be working as intented. In the end I found the default configuration, which enables ipv6only support in nginx to be the reason.

To me it would make sense to deliver more sensible defaults as ipv6only is not the regular default mode of operation.

I have spotted #86 which helped me to solve my problems

Disabled the default sites but did not add any new this caused the error below. Setting server_welcome to enabled=true and the error is not generated.
vars

nginx_webroot_create: False
nginx_server_welcome:
  enabled: False
nginx_server_localhost:
  enabled: False

ERROR

fatal: [web]: FAILED! => {"failed": true, 
"msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: 'dict object' has no attribute 'name'. The error appears to have been in
'/home/andreas/.local/share/debops/debops-playbooks/roles/debops.nginx/tasks/nginx_servers.yml':
line 114, column 3, but maybe elsewhere in the file depending on the exact syntax problem. The offending line appears to be:
- name: Generate nginx server configuration\n  ^ here\n"} 

I am using debops and bootstrapped a single node from my local controll machine.
I have added some host_vars for a specific host in order to add another nginx config, see code below.
The created file for nginx still does redirect to the ssl site. Is there any way to disable this or maybe even another way to add a custom template file? Or, do you suggest to create a separate role? Would that simplify anything?

---
# List of nginx server definitions
nginx_servers: [ '{{ nginx_server_default }}', '{{ nginx_server_super }}']

# additional super nginx server
nginx_server_super:
  enabled: True
  type: 'php5'
  name: ['super.example.com']
  redirect_to_ssl: False

Would be cool to have a config for auth_basic & auth_basic_user_file in nginx.

Putting this two variables in the nginx template is easy, but where store the user_file with login and passwd?

The default try_files list ends with /index.html /index.htm. With these set, requests that should 404 instead show the site’s index.html if there’s one set. This seems undesirable to me; perhaps these two should be removed from the default list, or a note added to the error_page documentation that the error pages won’t be activated if the default list is set and an index.htm[l] file is in the site’s root.

Hi!

I'm wondering why default value of Referrer-Policy is set to no-referrer. Are there any particular reasons for that? Wouldn't it better to use same-origin policy?

Why I'm asking - Django uses Referrer header in it's CSRF protection middleware (https://docs.djangoproject.com/en/1.9/ref/csrf/#how-it-works). I know that I can change the policy in configuration but maybe default value is too strict?

I try to deploy DokuWiki by the tutorial and get the following error in the nginx playbook:

TASK [debops.nginx : Create default welcome page if enabled] ***************************************************************************************************************************************************************************************************************
failed: [10.11.11.11] (item={u'welcome_domain': u'', u'name': [u'welcome'], u'csp_enabled': True, u'welcome': True, u'enabled': True, u'csp': u"default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'"}) => {"failed": true, "item": {"csp": "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'", "csp_enabled": true, "enabled": true, "name": ["welcome"], "welcome": true, "welcome_domain": ""}, "msg": "KeyError: 'undefined variable: 0'"}
ok: [10.11.11.11] => (item={u'name': [u'localhost', u'127.0.0.1', u'[::1]'], u'acme': False, u'welcome': True, u'enabled': True, u'ssl': False, u'welcome_css': False})

Creation of default welcome page seems unnecessary in this case, because I'm deploying a website. Maybe the error happens when calculating the condition – I'm not sure how to determine that.

Please tell if I'm doing something wrong or how I could debug this error.

Details

This happens on Debian 8 and Ubuntu 16.04, fresh deploys with just debops bootstrap and debops with no extra playbooks run on them.
My controller machine is OS X with ansible 2.3.0.0, bash 4.4.12(1).

The only non-default variables are the following:

pki_internal: False
pki_authorities: []

Here is the 'unfolded' error message:

{
    u'welcome_domain': u'',
    u'name': [u'welcome'],
    u'csp_enabled': True,
    u'welcome': True,
    u'enabled': True,
    u'csp': u"default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'"
}

{
  "failed": true,
  "item": {
    "csp": "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'",
    "csp_enabled": true,
    "enabled": true,
    "name": [
      "welcome"
    ],
    "welcome": true,
    "welcome_domain": ""
  },
  "msg": "KeyError: 'undefined variable: 0'"
}

Using debops.nginx with Varnish, I created a simple custom template to act as a proxy server.

wordpress_varnish_server:
  by_role: 'wordpress'
  enabled: True
  default: False
  type: 'custom'
  name: [ 'varnish.{{ wordpress_url }}' ]
  custom: |
    server {
      listen 80;
      server_name {{ wordpress_url }};
      access_log /var/log/nginx/varnish.{{ wordpress_url }}_access.log;
      error_log /var/log/nginx/varnish.{{ wordpress_url }}_error.log;
      client_max_body_size  {{ wordpress_php5_upload_size }};
      location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http
        proxy_set_header X-Forwarded-Port 80
        proxy_set_header Host $host;
        proxy_pass http://varnish;
      }
    }

The issue is that it gets more complicated once we want to use SSL. You need two servers to handle HTTP requests. You'd need to support debops.pki although I disabled it.

It'd be great if there was a way to use the default template with fewer defaults. There's a lot of stuff in the default template that isn't necessary when you create a proxy server.

Not sure what your thoughts are to handle that.

Nginx fails to start because the following block is duplicated in generated sites-available files:

root /srv/www/sites/<domain>/public;

include snippets/acme-challenge.conf;

It appears at the very top of the server {} block and also after the server_name directives. It may relate to the recent refactoring of the print_root() macro, but I didn't look too closely.

This is true on the latest released version and I don't believe it's been fixed on master - a misplaced {% endif %} fixed this on the released version, however, I wanted to confirm that the behavior I was expecting was the intended behavior.

From 1f6484134cfc86d8bc1af33603c4175da7facb7c Mon Sep 17 00:00:00 2001
Date: Tue, 11 Apr 2017 13:01:46 -0400
Subject: [PATCH] nginx: Fix wrong location of endifs for security headers.

---
 .../templates/etc/nginx/sites-available/default.conf.j2   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/etc/nginx/sites-available/default.conf.j2 b/templates/etc/nginx/sites-available/default.conf.j2
index 83a8620..371867c 100644
--- a/templates/etc/nginx/sites-available/default.conf.j2
+++ b/templates/etc/nginx/sites-available/default.conf.j2
@@ -1029,6 +1029,7 @@ server {
         resolver                  {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ipwrap | join(" ") }} valid=300s;
         resolver_timeout          5s;
 {% endif %}
+{% endif %}
 {% if item.hsts_enabled is undefined or (item.hsts_enabled is defined and item.hsts_enabled) %}
         add_header                Strict-Transport-Security "max-age={{ nginx_hsts_age | default('15768000') }}{% if nginx_hsts_subdomains|bool %}; includeSubDomains{% endif %}{% if (item.hsts_preload | d(nginx_hsts_preload)) | bool %}; preload{% endif %}";
 {% endif %}
@@ -1069,7 +1070,6 @@ server {
 
 {% endif %}
 {% endif %}
-{% endif %}
 {% if nginx_tpl_ssl | bool %}
 {{ print_root() }}
 {% if nginx_tpl_acme | bool %}

This patch would move the endif to applying to the if nginx_tpl_ssl up so that all the headers from hsts_enabled to permitted_cross_domain_policies are no longer dependent on nginx using ssl. What do you think?

It's not possible to switch off logging.

While it's possible to completely customize global access_log/error_log with nginx_http_access_log/nginx_http_error_log:

There is not way to do it for vhost (as at least .log is always appended):

This might be useful for passing logs to syslog for example.

Though it works the solution to use only one line in listen it is not the best solution.

It would be nice if the listen was set by default as follows:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
}

Reference: https://chrisjean.com/fix-nginx-emerg-bind-to-80-failed-98-address-already-in-use/

A problem with using only one line is that the clients IPs are always converted to IPv6 (::ffff:192.168.0.2) and the systems that control access by IPv4 end up malfunctioning.

I'm struggling to find a way to realize server configurations that are defined in the group vars of multiple groups but where the inventory maps these groups to the same host.

Details

I have 2 groups (frontend-servers, backend-servers) to which the debops.nginx role is applied via the following playbook:

---
- hosts: frontend-servers
  roles:
  - debops.nginx

- hosts: backend-servers
  roles:
  - debops.nginx

Furthermore, I define group variables for both groups:

---
# group_vars/frontend-servers.yaml
nginx_servers:
- '{{ frontend_server }}'
frontend_server:
  enabled: True
  #...

---
# group_vars/backend-servers.yaml
nginx_servers:
- '{{ backend_server }}'
backend_server:
  enabled: True
  #...

However, I have an inventory that maps both groups to the same host

[frontend-servers]
webserver
[backend-servers]
webserver

It seems like only one of the nginx_servers lists from the group_vars is respected. Is there another way to realize servers from multiple groups on the same host?

I need to change logrotate to rotate the nginx logs daily. I know I can do that with debops.logrotate. That said, does it make sense to have the role manage its own logrotate configuration?

I can do a PR for this, but not sure how you want to handle it. There are some extra security headers we can set to harden nginx. They're described here.

Would we want this by default for https configurations?

Currently the only way to override nginx_passenger_ruby is with inventory variables or extra variables on the command line. It would be nice to be able to manually set this variable.

How should other roles check for the available Nginx version? I would propose Ansible facts. The other possibility would be to copy the version detection to the other role.

We started talking about this on IRC. The problem seems to stem from the fact that debops picks an http or https site and stores it in facts. In subsequent runs, using tags, or using roles with debops.nginx as a dependency has issues because the fact is no longer accurate. Nginx can only set ipv6only=off once per listen, so debops has attempted to use the fact to detect the default site for http and https and set this value. I am creating this issue as a placeholder to discuss further.

I created a test environment https://github.com/patrickheeney/ansible-nginx-test which uses my bug fix in #70 because debops.nginx currently does not detect the right site without it. In this version you can run different tags and see what debops.nginx picks as the default, as well as what is stored in the facts. The facts are also cleared on each run. (You can uncomment debops.nginx in the requirements.yml file and comment out my version to test with stock debops and the bug in #70).

Some workarounds:

1. Don't use debops.nginx in the main playbook and include all of your sites in a role with debops.nginx as a dependency. This way debops.nginx only executes once and with the fix in #70 will determine the right defaults. The facts will need to be cleared if any sites change.
2. Include a default site. The default site should support http and https and act as the conf that sets up nginx. I set it up to return 404, but I'd like to improve this by denying the connection.

# group_vars/all

nginx_servers:
  - enabled: True
    name: ['default']
    default_index: ''
    location:
      '/': 'return 404;'
  - enabled: True
    name: ['default_ssl']
    default_index: ''
    listen: False
    ssl: True
    location:
      '/': 'return 404;'

Ideas:

This seems like a difficult issue to solve. The role is not aware of the global state and has no idea the master list of all sites. We can't assume the server will have a default site, any https sites, or any sites in general.

One idea is to set the facts on first run like normal, but then validate those facts on subsequent runs. For example, if a second run of debops.nginx adds an https site, it will need to save that fact. If a third run adds another https site, the fact is no longer default so it will not be set. However, what happens when sites are removed or de-activated in all of these scenarios, how will it know which to pick next and re-configure. So it seems like this will not work with all scenarios.

A second idea is to run a shell or python script at the end of debops.nginx that is responsible for setting the default sites and saving the facts. The script would essentially check if there is an http site, set the first one it finds as default. It would do the same for https perhaps using find and a regex. It would then have to do a shell equivalent of lineinfile to add ipv6only=off which is far from ideal. It would then save the sites in the facts, on subsequent runs if the sites still exists, it would exit immediately.

A third idea is to just be explicit. Add some documentation that explains that the default ssl site has to be specified in the config default_site_ssl: 'test.com'. Perhaps even on the nginx configuration like item.default_https: True. It would be up to the user to specify this only once, or maybe the first one it comes across gets saved as a fact. This is almost how it works now, but perhaps we can write some troubleshooting information for detecting the issue that comes up when this is not set (connection refused).

trying to work out how to configure debops-nginx with an Elixir / Phoenix app as upstream?

http://www.phoenixframework.org/docs/serving-your-application-behind-a-proxy

Phoenix generally runs on port 4000 but I actually want to have a number of apps and domains running with the same nginx as proxy

apologies if I am missing something super obvious

Not sure if I'm doing it right. I was trying to disable the status page block by setting status: False in the server configuration. That didn't seem to work. I looked at the code and the whole if condition doesn't make sense to me:

{% if item.status is defined and item.status or nginx_status or nginx_status_localhost %}

This is always going to be true. nginx_status and nginx_status_localhost are both global variables which shouldn't be false. On top of that, they're both arrays so I'm not even sure when they'd be false.

I feel like if status: False is there. The if statement shouldn't run at all. Maybe you meant something like:

{% if item.status|d(True) and (nginx_status or nginx_status_localhost) %}

The default sites-available template makes the assumption that custom error pages are internal locations. This may not be the case, I may want to forward the request to an upstream server or script.

For example:

item
  error_pages:
    '403 404': '= /index.php'

This would not work because the internal location block created by the template would prevent the request from being handled by the php location block. It would also cause any other requests that I might be trying to route though index.php to not work correctly.

I can work around this by using item.options to define the custom error pages, but it would be nice if item.error_pages also worked. I'd submit a patch but I'm not sure what would make the most sense.

Hey! I was wondering if it would be a good idea to compile the Nginx Pagespeed version by default: https://github.com/pagespeed/ngx_pagespeed

Is there any drawbacks or would it be a good idea to get more optimized server results for most setups?

Ref: debops/ansible-apache@15a1227
This should probably be done when making the 0.2.0 release.

Maybe this is more an issue for the pki-role?

Please add support for automatically generating keys and getting signed certificates using the EFF's Let’s Encrypt client. https://letsencrypt.org/

Let’s Encrypt allows getting officially signed certificates for free and within minutes.

If then this would automatically be combined it with HPKP (see #83), it'd be awesome :-)

whenever I run the nginx role, it seems to avoid the nginx_servers variable I've set. It looks like this:

nginx_servers:
  -
    enabled: True
    name: [ 'hmsvr' ]
    type: 'custom'
    filename: 'usenet'
    options: |
      location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
      }

Using debops ansible-debug I've confirmed that this variable is set correctly when I run the nginx role. But when the role gets to the "Generate nginx server configuration" task, the output is something like this:

ok: [hmsvr] => (item={'index': 'index.html index.htm index.php doku.php', 'name': [u'wiki.home.leviwheatcroft.com'], 'root': u'/srv/www/dokuwiki/sites/wikihmsvr/public', 'enabled': True, 'by_role': 'debops.dokuwiki', 'options': u'autoindex off;\nclient_max_body_size 30M;\nclient_body_buffer_size 128k;', 'php5_options': 'fastcgi_intercept_errors        on;\nfastcgi_ignore_client_abort     off;\nfastcgi_connect_timeout         60;\nfastcgi_send_timeout            180;\nfastcgi_read_timeout            180;\nfastcgi_buffer_size             128k;\nfastcgi_buffers               4 256k;\nfastcgi_busy_buffers_size       256k;\nfastcgi_temp_file_write_size    256k;\n', 'php5': 'php5_dokuwiki', 'type': 'php5', 'auth_basic_realm': u'Wiki access is restricted', 'access_policy': u'', 'location': {'~ /(data|conf|bin|inc|install.php)/': 'deny all;\n', '~ ^/lib.*\\.(gif|png|ico|jpg)$': 'expires 31536000s;\nadd_header Pragma "public";\nadd_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";\nlog_not_found off;\n', '@dokuwiki': 'rewrite ^/_media/(.*)           /lib/exe/fetch.php?media=$1   last;\nrewrite ^/_detail/(.*)          /lib/exe/detail.php?media=$1  last;\nrewrite ^/_export/([^/]+)/(.*)  /doku.php?do=export_$1&id=$2  last;\nrewrite ^/(.*)                  /doku.php?id=$1               last;\n', '/': 'try_files $uri $uri/ @dokuwiki;\n'}})

This host is a member of the dokuwiki group, and has dokuwiki installed. In trying to figure this out I was thinking that maybe dokuwiki config is overriding my custom nginx config, but I'm having trouble even figuring out how dokuwiki role defines it's nginx config.

Sorry to bother you with something so silly, but I'm stuck.. sorry!

Hello @drybjed

When you have the time, take a look at this project: https://github.com/h5bp/server-configs-nginx

What do you think the role debops.nginx be based (usign your snippets) in this excellent project?

Cheers!

We should download nginx via https instead of http

https://github.com/debops/ansible-nginx/blob/master/defaults/main.yml#L55

PR coming

Maybe I'm implementing this incorrectly. I'm using the ansible-nginx playbook through a secondary playbook for Kibana. In the Kibana playbook I'm adding debops.nginx as a dependency role and I specify the nginx_server and options there. I noticed when doing so if I change the name Ansible does not clean up the prior config. I'm not sure if this is easily achievable.

Hi,
if I have a certificate for domain.tld and www.domain.tld and want to redirect
https://domain.tld to https://www.domain.tld
How could I do this without using a full custom template?

I would like to have a new possibility to redirect these ssl stuff, too.
For that to work we have to listen to SSL port and include the certificates and return the new redirect location.

Do you have an idea to support that or is there a trick, that it could work with the current templates?

W: GPG error: http://nginx.org jessie Release: The following signatures were invalid: KEYEXPIRED 1471427554

If i delete the key, i get:

W: GPG error: http://nginx.org jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62

As of nginx 1.9.5 the spdy protocol has been replaced with http2.

Using the current templates Nginx gives a warning about:

invalid parameter "spdy": ngx_http_spdy_module was superseded by ngx_http_v2_module

I think an additional check on line 798 of templates/etc/nginx/sites-available/default.conf.j2 would fix it but I have not tested that yet.

I believe nginx_flavor should be light by default, not full.

nginx-light:

This package provides a very light version of nginx with only the
minimal set of features and modules.

STANDARD HTTP MODULES: Core, Access, Auth Basic, Auto Index, Empty GIF,
FastCGI, Map, Proxy, Rewrite, SCGI, uWSGI.

OPTIONAL HTTP MODULES: Auth Request, Charset, Gzip, Gzip Precompression,
Headers, HTTP/2, Index, Log, Real IP, Slice, SSI, SSL, Stub Status, Thread
Pool, WebDAV, Upstream.

THIRD PARTY MODULES: Echo.

nginx-full:

This metapackage provides a version of nginx with the complete set of
standard modules included (but omitting some of those included in
nginx-extras).

STANDARD HTTP MODULES: Core, Access, Auth Basic, Auto Index, Browser, Empty
GIF, FastCGI, Geo, Limit Connections, Limit Requests, Map, Memcached, Proxy,
Referer, Rewrite, SCGI, Split Clients, UWSGI.

OPTIONAL HTTP MODULES: Addition, Auth Request, Charset, WebDAV, GeoIP, Gunzip,
Gzip, Gzip Precompression, Headers, HTTP/2, Image Filter, Index, Log, Real IP,
Slice, SSI, SSL, Stream, SSL Preread, Stub Status, Substitution, Thread Pool,
Upstream, User ID, XSLT.

OPTIONAL MAIL MODULES: Mail Core, Auth HTTP, Proxy, SSL, IMAP, POP3, SMTP.

OPTIONAL STREAM MODULES: Stream Core, GeoIP, GeoIP2

THIRD PARTY MODULES: Auth PAM, DAV Ext, Echo, GeoIP2, HTTP Substitutions
Upstream Fair Queue.

When running der nginx Role I receive an Error in section "Remove all configuration symlinks during config reset"

with Error Message:

fatal: [.....]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "_raw_params": "rm -f /etc/nginx/sites-enabled/*",
            "_uses_shell": true,
            "argv": null,
            "chdir": null,
            "creates": "/etc/ansible/facts.d/nginx.fact",
            "executable": "sh",
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": false
        }
    },
    "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: creates, executable, chdir, strip_empty_ends, _uses_shell, argv, stdin, _raw_params, stdin_add_newline, removes."
}

I use the versions:

ansible --version
ansible [core 2.14.1]
  config file = None
  configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = ~/.local/lib/python3.9/site-packages/ansible
  ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
  executable location = ~/.local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

debops --version
debops 3.0.3

File causing the error:
debops/roles01/roles/nginx/tasks/main.yml
line 202..

  # If nginx local facts are not present, assume that configuration
  # is being reset and move all symlinks out of the way to prevent
  # accidental failures because of old wrong configuration files
- name: Remove all configuration symlinks during config reset
  shell: rm -f /etc/nginx/sites-enabled/*
  args:
    executable: '/bin/sh'
    creates: '/etc/ansible/facts.d/nginx.fact'
    warn: False
  when: (nginx__deploy_state in [ 'present' ])

When I remove the "warn: False" it works.

Is it save to just remove it and create a pull request or would the changes go to a different direction? I'm rather new to ansible & debops.

Thanks!

Hello and thanks for the work on this! What are your thoughts on adding the installation of modsecurity-nignx to this package?

nginx configuration fails, when there's an IPv6-Address present in /etc/resolv.conf:

nameserver fe80::1%ens192
nameserver 192.168.0.1

leads to resolver 192.168.0.1 fe80::1%ens192 valid=300s;
and this in turn causes nginx startup to fail:

Jul 15 16:52:03 hostname systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 15 16:52:03 hostname nginx[4206]: nginx: [emerg] invalid port in resolver "fe80::1%ens192" in /etc/nginx/sites-enabled/welcome.conf:37
Jul 15 16:52:03 hostname nginx[4206]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 15 16:52:03 hostname systemd[1]: nginx.service: Control process exited, code=exited status=1
Jul 15 16:52:03 hostname systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Jul 15 16:52:03 hostname systemd[1]: nginx.service: Unit entered failed state.
Jul 15 16:52:03 hostname systemd[1]: nginx.service: Failed with result 'exit-code'

In my case this happens on Debian Stretch, but I assume it will be the same for any other version of Debian/Ubuntu.

A simple fix would be to exclude v6-Addresses from being imported, but this is likely to cause trouble for an IPv6-only host. The better solution should be encapsulating IPv6s in brackets (like resolver 192.168.0.1 [fe80::1%ens192] valid=300s;), this should work according to nginx documentation.
I'll do some research and testing before sending you a PR.

I'm getting the following in my public/index.html:

  <body>
    <div id="content">

      <h2><a href="{{ item.welcome_url_scheme|d("https") }}://myurl.com/">myurl.com</a></h2>

      <p id="http-status"><strong>418 I'm a teapot</strong></p>

    </div>
  </body>
</html>

Clearly the following section of .j2 code is not being parsed how it was intended, but not sure why:

{% if nginx_tpl_domain %}
{%   set nginx_tpl_welcome_title = '<a href="{{ item.welcome_url_scheme|d("https") }}://' + nginx_tpl_domain + '/">' + nginx_tpl_domain + '</a>' %}
{% elif not nginx_tpl_domain %}
{%   set nginx_tpl_welcome_title = '<a href="http://companyname.website/">CompanyName.website</a>' %}
{% endif %}

When you have multiple locations with regexp match the order is important. Right now locations are sorted alphabetically and it sometimes breaks configuration.

If you have:

location:
  '~ b': |
    try_files $uri;
  '~ a': |
    try_files $uri;

The result will be:

server {
    [...]
    location ~ a {
        try_files $uri;
    }

    location ~ b {
        try_files $uri;
    }
    [...]
}

The default template for the vhosts (/etc/nginx/sites-available/default.conf.j2) has the option to change the log file name of each vhost. It would be great to also be able to change the directory of the log files. This would help if someone only had sftp access to the machine and would like to see the logs.

Example Sceme:

/srv/sftpusers
├── sftp_user
│   ├── files
│   └── sites
│       └── foo.bar
│           ├── logs
│           └── public

Hi guys,

The latest commit isn't working for me getting this error:

TASK: [debops.nginx | Generate nginx server configuration] ******************** 
fatal: [web01] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'dict object' has no attribute 'pki'", 'failed': True}
fatal: [web01] => {'msg': 'One or more items failed.', 'failed': True, 'changed': False, 'results': [{'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'dict object' has no attribute 'pki'", 'failed': True}]}

FATAL: all hosts have already failed -- aborting

I tried some obvious things but for the life of me I couldn't figure out which object is missing the .pki variable. Rolling back to the commit before the PKI stuff all worked.

Helped greatly appreciated :)

Cheers

Alan

On debian wheezy (nginx 1.2) nginx was listening by default on ipv4 as well as ipv6. This is in later nginx versions turned off (see http://trac.nginx.org/nginx/ticket/345).

An easy fix is to set the flag ipv6only to off. Otherwise the ipv4 address could be added explicitly as well.

Hello,

It would be good if we could set client_max_body_size at the playbook.

Could be good idea to pull from php_max_upload_size for php type servers.

Using the following variables in the mailman roles creates error in nginx configuraton file.

The culprit sees to be the string ".", which I suspect should have been ".example.org", however dumping the fact reveals that the ansible_domain is empty.

Logging in in the virtual machine and running "hostname -f" only gives the hostname "medusa2".

The mailmain/postfix component seems to work. Logging in and manually adding a member to a mailing list will produce a mail to the subscriber send with postfix.

Is there a standard way to assign the domain to the virtual machine?

Do you have a simple working Vagrant configuration and playbook, which demonstrates the debops.mailman role, and which could be part of the debops.mailman documentation?

I am currently not sure, if I need to configure variables in the roles mailman dependens on.

Vars included in playbook (which uses the deboos.mailman role)

mailman_domains: ['medusa2.example.org']
mailman_site_admin: '[email protected]'
mailman_lists: [{name: 'archcat', domain: 'example.org', owner: '[email protected]', state: 'present', language: 'en', purge: 'false'}]

Provisioning with ansible from Vagrant almost succeeds (1 task fails)

NOTIFIED: [debops.nginx | Test nginx and restart] ****************************
failed: [default] => {"changed": true, "cmd": ["nginx", "-t"], "delta": "0:00:00.010620", "end": "2015-11-12 13:18:40.032475", "rc": 1, "start": "2015-11-12 13:18:40.021855", "warnings": []}
stderr: nginx: [emerg] invalid hostname or wildcard "." in /etc/nginx/sites-enabled/medusa2.example.org.conf:49
nginx: configuration file /etc/nginx/nginx.conf test failed

The generated medusa2.example.org.conf looks like this (line 49 contains the string valid_"referers".

Ansible managed: /etc/ansible/roles/debops.nginx/templates/etc/nginx/sites-available/default.conf.j2 modified on 2015-09-24 20:23:32 by root on ares

nginx server configuration for:

- http://medusa2.example.org/

generated by Ansible role: debops.mailman

server {
listen [::]:80 default_server ipv6only=off;

   server_name medusa2.example.org; 

   keepalive_timeout 60; 

   root /usr/lib/cgi-bin/mailman; 

   access_log /var/log/nginx/medusa2.example.org_access.log; 
   error_log /var/log/nginx/medusa2.example.org_error.log; 

   index index.html index.htm; 

   # Disallow access to hidden files and directories 
   location ~ /\. { 
           return 404; 
   } 

   location = /favicon.ico { 
           try_files /favicon.ico =204; 
           access_log off; 
           log_not_found off; 
   } 

   location = /nginx_status { 
           stub_status on; 
           access_log off; 
           allow 127.0.0.1/32; 
           allow ::1/128; 
           allow 10.0.2.15; 
           allow 192.168.33.10; 
           deny all; 
   } 

   include /etc/nginx/site-default.d/*.conf; 

   location /images/mailman { 
           alias /var/lib/mailman/icons; 
   } 

   location ~ ^/mailman/. { 
           valid_referers none blocked medusa2.example.org medusa2 *.; 
           if ($invalid_referer) { 
                   return 403; 
           } 
           gzip off; 
           root /usr/lib/cgi-bin/mailman; 
           fastcgi_split_path_info       ^/mailman(/[^/]*)(.*)$; 
           include       fastcgi_params; 
           fastcgi_param PATH_INFO       $fastcgi_path_info; 
           fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; 
           fastcgi_pass  unix:/var/run/fcgiwrap-mailman.socket; 
   } 

   location /pipermail { 
           alias /var/lib/mailman/archives/public; 
           autoindex on; 
   } 

   location ~ ^/(mailman/?)?$ { 
           rewrite ^ /mailman/listinfo permanent; 
   } 

}