
Role to setup and configure Nginx server with Phusion Passenger along with HTML 5 Boilerplate's recommended configs

bbatsche/Ansible-Nginx-Passenger-Role

Ansible Nginx Passenger Role


This role will install Nginx server along with Phusion Passenger bindings for serving Node, Python, or Ruby. It can also setup and configure a site for a given domain.

Requirements

This role takes advantage of Linux filesystem ACLs and a group called "web-admin" for granting access to configuration directories. You can either configure those steps manually or install the bbatsche.Base role.

Role Variables

  • env_name — Whether this server is in a "development", "production", or other type of environment. Default is "dev"
  • http_root — Where site directories should be created. Default is "/srv/http"
  • public_directory — Publicly visible directory for site, eg "public" or "htdocs". Default is "public"
  • max_upload_size — Maximum upload size in MB. Default is "10"
  • domain — Domain name for site to create. Undefined by default.
  • content_security_policy — Content security policy to add to domain, formatted as a dict of lists or booleans. Appropriate values will automatically have single quotes (') applied. Default: see defaults/main.yml
  • nginx_configs — Additional config files to add to the end of the domain's server block. These files should be copied to /etc/nginx/conf.d. Add configs for your particular application server type here. Default is an empty array
  • passenger_app — Is the current domain a Passenger app (ie, Node, Ruby, Python)? Useful if the app needs to be restarted after updating configs. Default is no
  • copy_index — Copy an index.html stub to the site. Default is no.
  • use_ssl — Whether to serve content via SSL (really TLS). Default is no.
  • use_letsencrypt — Whether to use Let's Encrypt to generate a certificate for a site. Otherwise a server-wide self-signed certificate will be used. Default is no.
  • privatekey_bits — Number of bits to use when generating the private key for the self-signed certificate. Default is 4096.
  • dhparam_bits — Number of bits to use when generating the static Diffie-Hellman parameters (these are not a certificate). Default is 2048. Going much higher can be very time consuming.
  • cert_valid_days — Number of days the self-signed certificate will be valid for. Default is 3650 (~10 years).
  • email_address — Email address to use for the self-signed certificate and Let's Encrypt. Undefined by default.
  • country_name — Two letter country abbreviation to use when generating the self-signed certificate. Undefined by default.
  • state_name — State or province name to use when generating the self-signed certificate. Undefined by default.
  • locality_name — City or locality name to use when generating the self-signed certificate. Undefined by default.
  • org_name — Organization name to use when generating the self-signed certificate. Undefined by default.
  • h5bp_commit — Git hash or version number to use for pulling files from HTML5 Boilerplate Server Configs. Default is "3.1.0".
  • setuptools_version — Version of setuptools to install via Pip. Default is 40.6.2.
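The content_security_policy variable above is described as a dict of lists or booleans whose keyword values get single quotes applied automatically. The following is an added example, not code from the bbatsche.Nginx role, showing how such a dict renders into a Content-Security-Policy header value and why the automatic quoting matters (an unquoted self is read by browsers as a host named "self", not as the keyword). The keyword set, the sample policy and the helper names (render_csp, unquoted_keywords, nginx_add_header) are assumptions for illustration; the role's own Jinja2 template is not reproduced here.

```python
"""Render a CSP dict (lists or booleans per directive) into a header value.

Added example, not code from the bbatsche.Nginx role. It mirrors the README's
description of content_security_policy: a dict keyed by directive whose values
are either a list of sources or a boolean, with keyword sources single-quoted
automatically. The quoting rules and the sample policy are assumptions.
"""

# CSP source expressions that must be single-quoted in the header value.
CSP_KEYWORDS = {
    "self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
    "unsafe-hashes", "report-sample", "wasm-unsafe-eval",
}
# Prefixes of quoted source expressions (nonces and hashes).
CSP_QUOTED_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Constructed sample policy in the shape the role variable takes (assumption).
SAMPLE_POLICY = {
    "default-src": ["self"],
    "script-src": ["self", "https://cdn.example.com", "sha256-abc123="],
    "img-src": ["self", "data:"],
    "object-src": ["none"],
    "frame-ancestors": ["none"],
    "upgrade-insecure-requests": True,   # flag directive: emitted bare
    "block-all-mixed-content": False,    # disabled: omitted entirely
}


def quote_source(value):
    """Single-quote keyword, nonce and hash sources; leave hosts/schemes alone."""
    value = value.strip("'")  # be forgiving if a caller already quoted it
    if value in CSP_KEYWORDS or value.startswith(CSP_QUOTED_PREFIXES):
        return f"'{value}'"
    return value


def render_csp(policy):
    """Turn a dict of lists/booleans into a Content-Security-Policy value."""
    parts = []
    for directive, sources in policy.items():
        if sources is True:
            parts.append(directive)            # boolean True: bare directive
        elif sources is False or sources is None or sources == []:
            continue                            # boolean False/empty: omitted
        else:
            quoted = " ".join(quote_source(s) for s in sources)
            parts.append(f"{directive} {quoted}")
    return "; ".join(parts)


def unquoted_keywords(header_value):
    """Return keyword sources that appear without quotes in a rendered header.

    Browsers treat an unquoted `self` as a host named "self", so this is the
    check worth running on any policy that was written by hand.
    """
    found = []
    for directive in header_value.split(";"):
        tokens = directive.split()
        for tok in tokens[1:]:
            if tok in CSP_KEYWORDS:
                found.append(tok)
    return found


def nginx_add_header(policy):
    """The add_header line as it would appear inside an nginx server block."""
    return f'add_header Content-Security-Policy "{render_csp(policy)}" always;'


if __name__ == "__main__":
    print(nginx_add_header(SAMPLE_POLICY))
    print("unquoted keywords:", unquoted_keywords(render_csp(SAMPLE_POLICY)))
```

Running the block prints the add_header line for the constructed policy; unquoted_keywords returns an empty list for it, and returns ["self"] for a hand-written value such as "default-src self", which is the mistake the automatic quoting is there to prevent.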

SSL & Let's Encrypt

Let's Encrypt requires that your web server be externally accessible, therefore you should not use it when generating development sites in Vagrant or Docker. Furthermore, you must make sure your DNS is properly configured before creating your certificate. Once this is done, a fully supported and signed certificate will be issued for your domain, along with a cron job to make sure it continues to be renewed in the future. The server and certificate have been configured for the best possible security, gaining an "A+" rating from SSL Labs as of October 2017.


Example Playbook

- hosts: servers
  roles:
     - { role: bbatsche.Nginx, domain: my-test-domain.test }

License

MIT

Testing

Included with this role is a set of specs for testing each task individually or as a whole. To run these tests you will first need to have Vagrant and VirtualBox installed. The spec files are written using Serverspec so you will need Ruby and Bundler.

To run the full suite of specs:

$ gem install bundler
$ bundle install
$ rake

The spec suite will target Ubuntu Trusty Tahr (14.04), Xenial Xerus (16.04), and Bionic Beaver (18.04).

To see the available rake tasks (and specs):

$ rake -T

These specs are not meant to test for idempotence. They are meant to check that the specified tasks perform their expected steps. Idempotency is tested independently via integration testing.
