NGINX

Advanced Load Balancer, Web Server, Reverse Proxy, and Streaming. Started as a web server designed for maximum performance and stability.

Ansible Role: nginx

Role handles all steps that are provided in this documentation. You must provide your own NGINX configuration files.

BLOCKING OS Distribution upgrades REQUIRE: Requires upstream source repo update.

Role Details: Updated: 2022-10-10 service docs Reference PRIVATE

Ports

---
###############################################################################
# Ports Configuration
###############################################################################
# Ports should be managed externally via an OS role.
#
# Reference:
# * https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html

ports:
  - {proto: 'tcp', from_ip: 'any', to_port: 80,  direction: 'in', comment: 'nginx http'}
  - {proto: 'tcp', from_ip: 'any', to_port: 443, direction: 'in', comment: 'nginx https'}

Defaults

---
###############################################################################
# NGINX Role Configuration
###############################################################################
# See stream.yml for stream (port forwarding) configuration.
#
# NGINX configuration in _source are copied as templates; meaning FULL ansible
# vars can be used in these files for configuration based on inventory.

# User that paperlessng will run under. Assumes externally managed.
nginx_user:  'nginx'
nginx_group: 'nginx'

# Create 'nginx' user if not detected? See: vars/main.yml.
nginx_create_user: false

# Root NGINX configuration directory. Required.
nginx_root: '/etc/nginx'

###############################################################################
# NGINX Basic Authentication Configuration
###############################################################################
# Basic authentication is automatically managed, automatically encrypting user
# logins in an htpasswd file. nginx_auth is required even if basic auth is
# disabled / no basic auth users.

# Authentication location (htpasswd files, etc). Required.
nginx_auth: '{{ nginx_root }}/auth'

# Basic auth users will be created automatically as an htpasswd file and placed
# in nginx_root/auth/users. List of dicts [{user: '', pass: ''},].
# Default: [] (disabled).
nginx_basic_auth_users: []

###############################################################################
# NGINX CA Configuration
###############################################################################
# Server CA location. nginx_ca is required to be defined even if static is
# disabled.

# Custom certificate storage location. Required.
nginx_ca: '{{ nginx_confd }}/ca'

# Source certificates from nginx_ca_source to nginx_ca with appropriate
# permissions; otherwise assume certificates are mounted/available on the local
# system. Default: false.
nginx_ca_static: false

# Source files for ca-chain. These are copied to nginx_ca with appropriate
# permissions. Source from host or group files. Only copied if nginx_ca_static
# is set. Ensure trailing slash.
nginx_ca_source: 'group_vars/nginx/ca/'

###############################################################################
# NGINX conf.d Configuration
###############################################################################
# Server configuration directory.

# User configuration location. Required.
nginx_confd: '{{ nginx_root }}/conf.d'

# Source files for nginx_confd. These are copied as templates with appropriate
# permissions; meaning FULL ansible vars can be used in them. Source from host
# or group files. Ensure trailing slash.
nginx_confd_source: 'group_vars/nginx/conf.d/'

# Optional source file for default.conf site configuration if not included in
# nginx_confd_source (e.g. using a per server default.conf with standard conf.d
# in group_vars). This is copied as template with appropriate permissions;
# meaning FULL ansible vars can be used in it. Source from host or group files.
# Empty disables.
nginx_confd_default: ''

###############################################################################
# NGINX stream.d Configuration
###############################################################################
# Streaming module configurttion. Disabling will remove 'stream' declaration
# from nginx.conf.

# User stream configuration location. Optional, empty disables.
nginx_streamd: '{{ nginx_root }}/stream.d'

# Source files for nginx_streamd. These are copied as templates with
# appropriate permissions; meaning FULL ansible vars can be used in them.
# Source from host or group files. Ensure trailing slash.
nginx_streamd_source: 'host_vars/host/files/stream.d/'

# Optional source file for default.conf stream configuration if not included in
# nginx_streamd_source (e.g. using a per server default.conf with standard conf.d
# in group_vars). This is copied as template with appropriate permissions;
# meaning FULL ansible vars can be used in it. Source from host or group files.
# Empty disables.
nginx_streamd_default: ''

###############################################################################
# NGINX Serve Location Configuration
###############################################################################
# Manages files in webserver serving location. Only files defined in source are
# kept and the rest are deleted. Disabling will stop enforcemnt.

# Webserver serving location. Optional, empty disables.
nginx_srv: '/usr/share/nginx'

# Source files for nginx_srv. These are copied as templates with appropriate
# permissions; meaning FULL ansible vars can be used in them. Source from host
# or group files. Ensure trailing slash.
nginx_srv_source: 'host_vars/host/files/srv/'

###############################################################################
# NGINX Additional Modules
###############################################################################

# Use debian (OS) or NGINX (source) release. Use NGINX source release for
# latest patches unless specific modules are required. Default: false.
nginx_os_release: false

# NGINX modules to install (overrides default modules). Names depend on
# nginx_os_release. Default: []. See: vars/main.yml
nginx_module_packages: []

# Explicitly load static modules in nginx.conf. Only required when using
# specific modules with nginx_os_release. Use path only. Default: [].
# See: vars/main.yml
nginx_load_modules: []

###############################################################################
# NGINX nginx.conf Core Configuration
###############################################################################
# This sets up core NGINX configuration and loads additional configuration
# from source directories. Your primary configuration should be done in source
# directories (see above).
#
# stream directive will automatically load all .conf files from nginx_streamd.
# http directive will automatically load all .conf files from nginx_confd.
#
# http/https connections should be setup in user-defined configuration with
# forced redirects.

# Number of worker processes. 'auto' to autodetect. Default: 'auto'.
nginx_worker_processes: 'auto'

# Maximum number of simultaneous connections that can be opened by a worker
# process. Default: 1024.
nginx_worker_connections: 1024

# Enable the use of sendfile. Default: true (enabled).
nginx_sendfile: true

# Use TCP_CORK socket option on Linux. Default: false (disabled).
nginx_tcp_nopush: false

# How long a client connection will stay open on the server side in seconds.
# Default: 65.
nginx_keepalive_timeout: 65

# Enable gzipping of responses. Default: false (disabled).
nginx_gzip: false

Stream

---
###############################################################################
# NGINX Stream (port forwarding) Configuration
###############################################################################
# Streaming enables specific connections to be forwarded through the proxy,
# bypassing proxy configuration (generally, this removes a layer of security).
#
# Only services EXPECTING incoming connections that cannot be proxied via https
# should use this (deluge, plex, mail). These are applied on the proxy and not
# on the host machine (hence a different UFW config).
#
# Setup appropriate stream config in files/stream.d
#
# UFW can handle IP and CIDR notation. Use 'any' for no restriction on specific
# direction. Default is to allow SSH connections.
#
# Set ip to force connections through a proxy.
#
# All rules use: {proto: '{PROTO}', ip: 'any|{IP}', port: {PORT}, comment: ''}
# see reference for all supported UFW values.
#
# nginx_stream_in:
#   - {proto: 'tcp', ip: 'any', port: 49160, comment: 'deluge torrent service'}
#
# nginx_stream_out:
#   - {proto: 'tcp', ip: '10.5.5.230', port: 49160, comment: 'deluge torrent service'}
#
# Reference:
# * https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/
# * http://nginx.org/en/docs/stream/ngx_stream_core_module.html
# * https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html

nginx_stream_in: []
nginx_stream_out: []