From f78bb90017af11f86ee0dd2da8e5e4d26ec1e20c Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Thu, 24 Sep 2020 00:05:10 +0200 Subject: [PATCH] Add example playbooks --- CHANGELOG.md | 4 + README.md | 26 +++- galaxy.yml | 2 +- playbooks/.gitkeep | 0 playbooks/deploy-nginx-app-protect.yml | 19 +++ ...ginx-plus-app-protect-web-server-proxy.yml | 137 ++++++++++++++++++ playbooks/deploy-nginx-plus-app-protect.yml | 24 +++ playbooks/deploy-nginx-plus.yml | 11 ++ playbooks/deploy-nginx-web-server-proxy.yml | 110 ++++++++++++++ playbooks/deploy-nginx-web-server.yml | 50 +++++++ playbooks/deploy-nginx.yml | 6 + 11 files changed, 380 insertions(+), 9 deletions(-) delete mode 100644 playbooks/.gitkeep create mode 100644 playbooks/deploy-nginx-app-protect.yml create mode 100644 playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml create mode 100644 playbooks/deploy-nginx-plus-app-protect.yml create mode 100644 playbooks/deploy-nginx-plus.yml create mode 100644 playbooks/deploy-nginx-web-server-proxy.yml create mode 100644 playbooks/deploy-nginx-web-server.yml create mode 100644 playbooks/deploy-nginx.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 5394305..48cc06f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## 0.2.0 (September 23, 2020) + +Add example playbooks covering a wide range of use cases. + ## 0.1.0 (September 23, 2020) Initial release of the Ansible NGINX collection. diff --git a/README.md b/README.md index 68dbdf8..d2dafc5 100644 --- a/README.md +++ b/README.md 
@@ -12,9 +12,9 @@ The Ansible NGINX collection includes the following roles: |Name|Description|Version| |----|-----------|-------| -[nginxinc.nginx](https://github.com/nginxinc/ansible-role-nginx)|Install NGINX|0.17.1 -[nginxinc.nginx_config](https://github.com/nginxinc/ansible-role-nginx-config)|Configure NGINX|0.2.0 -[nginxinc.nginx_app_protect](https://github.com/nginxinc/ansible-role-nginx-app-protect)|Install and configure NGINX App Protect|0.3.1 +|[nginxinc.nginx](https://github.com/nginxinc/ansible-role-nginx)|Install NGINX|0.17.1| +|[nginxinc.nginx_config](https://github.com/nginxinc/ansible-role-nginx-config)|Configure NGINX|0.2.0| +|[nginxinc.nginx_app_protect](https://github.com/nginxinc/ansible-role-nginx-app-protect)|Install and configure NGINX App Protect|0.3.1| Requirements ------------ 
@@ -36,22 +36,32 @@ You can also include the collection in a `requirements.yml` file and install it --- collections: - name: nginxinc.nginx_core - version: 0.1.0 + version: 0.1.1 ``` **Git** Use `git clone https://github.com/nginxinc/ansible-collection-nginx.git` to pull the latest edge commit of the collection from GitHub. -Usage **(WIP)** ---------------- +Usage +----- -Sample playbooks for each use case covered by this collection will be found in the `playbooks/` folder. +Sample playbooks for each use case covered by this collection can be found in the `playbooks/` folder: + +|Name|Description| +|----|-----------| +|[`deploy-nginx.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx.yml)|Install NGINX| +|[`deploy-nginx-plus.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-plus.yml)|Install NGINX Plus| +|[`deploy-nginx-app-protect.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-app-protect.yml)|Install NGINX App Protect| +|[`deploy-nginx-plus-app-protect.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-plus-app-protect.yml)|Install NGINX Plus and NGINX App Protect| +|[`deploy-nginx-web-server.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-web-server.yml)|Install NGINX and configure a simple web server| +|[`deploy-nginx-web-server-proxy.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-web-server-proxy.yml)|Install NGINX and configure a simple reverse proxy in front of two web servers| +|[`deploy-nginx-plus-app-protect-web-server-proxy.yml`](https://github.com/nginxinc/ansible-collection-nginx/blob/main/playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml)|Install NGINX Plus and NGINX App Protect and configure a simple reverse proxy in front of two web servers protected by NGINX App Protect| Development 
----------- -Currently, all the NGINX roles (inside `roles/`) are Git submodules, and work on the roles themselves should take place in the upstream Role repository. At some point, the roles might move into this repository for their canonical home. +Currently, all the NGINX roles (inside `roles/`) are Git submodules, and work on the roles themselves should take place in the upstream role repository. To update the roles included in this collection to their latest version, run: diff --git a/galaxy.yml b/galaxy.yml index 08b4c42..16155f5 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -2,7 +2,7 @@ namespace: nginxinc name: nginx_core description: Install and configure NGINX and NGINX App Protect using Ansible -version: 0.1.0 +version: 0.1.1 readme: README.md license_file: LICENSE authors: diff --git a/playbooks/.gitkeep b/playbooks/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/playbooks/deploy-nginx-app-protect.yml b/playbooks/deploy-nginx-app-protect.yml new file mode 100644 index 0000000..ccdf3a7 --- /dev/null +++ b/playbooks/deploy-nginx-app-protect.yml @@ -0,0 +1,19 @@ +--- +- hosts: all + collections: + - nginxinc.nginx_core + roles: + - role: nginx_app_protect + vars: + nginx_app_protect_license: + certificate: + key: + nginx_app_protect_remove_license: false + nginx_app_protect_install_signatures: true + nginx_app_protect_install_threat_campaigns: true + nginx_app_protect_configure: true + nginx_app_protect_security_policy_template_enable: true + nginx_app_protect_security_policy_enforcement_mode: blocking + nginx_app_protect_log_policy_template_enable: true + nginx_app_protect_log_policy_filter_request_type: all + nginx_app_protect_conf_template_enable: false diff --git a/playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml b/playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml new file mode 100644 index 0000000..905b0cb --- /dev/null +++ b/playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml 
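Review bot: In playbooks/deploy-nginx-app-protect.yml the `certificate:` and `key:` entries under `nginx_app_protect_license` are left empty, so they parse as YAML null, and nothing tells the reader what to supply or that the key is a secret. I would add a comment above the block, for example `# Supply your license certificate and key here; keep both out of version control (e.g. ansible-vault)`, worded to match whatever form the role actually expects, which this patch does not show. The same empty `nginx_license` block appears in deploy-nginx-plus.yml, deploy-nginx-plus-app-protect.yml and deploy-nginx-plus-app-protect-web-server-proxy.yml. With `nginx_app_protect_remove_license: false` the credentials presumably stay on the managed host after installation, which deserves a one-line comment as well.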
@@ -0,0 +1,137 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
+ vars:
+ nginx_type: plus
+ nginx_license:
+ certificate:
+ key:
+ nginx_remove_license: false
+ - role: nginx_app_protect
+ vars:
+ nginx_app_protect_setup_license: false
+ nginx_app_protect_remove_license: false
+ nginx_app_protect_install_signatures: true
+ nginx_app_protect_install_threat_campaigns: true
+ nginx_app_protect_configure: true
+ nginx_app_protect_security_policy_template_enable: true
+ nginx_app_protect_security_policy_enforcement_mode: blocking
+ nginx_app_protect_log_policy_template_enable: true
+ nginx_app_protect_log_policy_filter_request_type: all
+ nginx_app_protect_conf_template_enable: false
+ - role: nginx_config
+ vars:
+ nginx_config_modules:
+ - modules/ngx_http_app_protect_module.so
+ nginx_config_http_template_enable: true
+ nginx_config_http_template:
+ app:
+ template_file: http/default.conf.j2
+ conf_file_name: default.conf
+ conf_file_location: /etc/nginx/conf.d/
+ servers:
+ main:
+ app_protect:
+ enable: true
+ policy_file: /etc/nginx/app-protect-security-policy.json
+ security_log_enable: true
+ security_log:
+ path: /etc/nginx/app-protect-log-policy.json
+ dest: /var/log/app_protect/security.log
+ listen:
+ listen_localhost:
+ port: 80
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ reverse_proxy:
+ locations:
+ main:
+ location: /
+ proxy_pass: http://upstr/
+ proxy_set_header:
+ header_host:
+ name: Host
+ value: $host
+ server_one:
+ listen:
+ listen_server_one:
+ port: 8081
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ web_server:
+ locations:
+ server_one:
+ location: /
+ html_file_location: /usr/share/nginx/html
+ html_file_name: server_one.html
+ sub_filter:
+ once: false
+ sub_filters:
+ - "'server_hostname' '$hostname'"
+ - "'server_address' '$server_addr:$server_port'"
+ - "'server_url' '$request_uri'"
+ - "'remote_addr' '$remote_addr:$remote_port'"
+ - "'server_date' '$time_local'"
+ - "'client_browser' '$http_user_agent'"
+ - "'request_id' '$request_id'"
+ - "'nginx_version' '$nginx_version'"
+ - "'document_root' '$document_root'"
+ - "'proxied_for_ip' '$http_x_forwarded_for'"
+ server_two:
+ listen:
+ listen_server_two:
+ port: 8082
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ web_server:
+ locations:
+ server_two:
+ location: /
+ html_file_location: /usr/share/nginx/html
+ html_file_name: server_two.html
+ sub_filter:
+ once: false
+ sub_filters:
+ - "'server_hostname' '$hostname'"
+ - "'server_address' '$server_addr:$server_port'"
+ - "'server_url' '$request_uri'"
+ - "'remote_addr' '$remote_addr:$remote_port'"
+ - "'server_date' '$time_local'"
+ - "'client_browser' '$http_user_agent'"
+ - "'request_id' '$request_id'"
+ - "'nginx_version' '$nginx_version'"
+ - "'document_root' '$document_root'"
+ - "'proxied_for_ip' '$http_x_forwarded_for'"
+ upstreams:
+ main:
+ name: upstr
+ lb_method: least_conn
+ servers:
+ server_one:
+ address: 0.0.0.0
+ port: 8081
+ server_two:
+ address: 0.0.0.0
+ port: 8082
+
+ nginx_config_html_demo_template_enable: true
+ nginx_config_html_demo_template:
+ server_one:
+ template_file: www/index.html.j2
+ html_file_name: server_one.html
+ html_file_location: /usr/share/nginx/html
+ web_server_name: Ansible NGINX collection - Server one
+ server_two:
+ template_file: www/index.html.j2
+ html_file_name: server_two.html
+ html_file_location: /usr/share/nginx/html
+ web_server_name: Ansible NGINX collection - Server two
diff --git a/playbooks/deploy-nginx-plus-app-protect.yml b/playbooks/deploy-nginx-plus-app-protect.yml
new file mode 100644
index 0000000..3875280
--- /dev/null
+++ b/playbooks/deploy-nginx-plus-app-protect.yml
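Review bot: App Protect is enabled only on the `main` server (port 80) in playbooks/deploy-nginx-plus-app-protect-web-server-proxy.yml, while `server_one` and `server_two` listen on 8081 and 8082 with no bind address and no `app_protect` block. Unless the role defaults those listeners to loopback, a client that can reach the two ports directly receives the backend content without passing through the security policy. I would pin the backends to loopback with `ip: 127.0.0.1` under `listen_server_one` and `listen_server_two` (confirm the key name against the nginx_config role) and use `address: 127.0.0.1` instead of `0.0.0.0` for the `upstr` servers, since 0.0.0.0 is a wildcard bind address rather than a destination. The same listener and upstream layout is in deploy-nginx-web-server-proxy.yml.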
@@ -0,0 +1,24 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
+ vars:
+ nginx_type: plus
+ nginx_license:
+ certificate:
+ key:
+ nginx_remove_license: false
+ - role: nginx_app_protect
+ vars:
+ nginx_app_protect_setup_license: false
+ nginx_app_protect_remove_license: true
+ nginx_app_protect_install_signatures: true
+ nginx_app_protect_install_threat_campaigns: true
+ nginx_app_protect_configure: true
+ nginx_app_protect_security_policy_template_enable: true
+ nginx_app_protect_security_policy_enforcement_mode: blocking
+ nginx_app_protect_log_policy_template_enable: true
+ nginx_app_protect_log_policy_filter_request_type: all
+ nginx_app_protect_conf_template_enable: false
diff --git a/playbooks/deploy-nginx-plus.yml b/playbooks/deploy-nginx-plus.yml
new file mode 100644
index 0000000..6a8d456
--- /dev/null
+++ b/playbooks/deploy-nginx-plus.yml
@@ -0,0 +1,11 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
+ vars:
+ nginx_type: plus
+ nginx_license:
+ certificate:
+ key:
diff --git a/playbooks/deploy-nginx-web-server-proxy.yml b/playbooks/deploy-nginx-web-server-proxy.yml
new file mode 100644
index 0000000..e311261
--- /dev/null
+++ b/playbooks/deploy-nginx-web-server-proxy.yml
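Review bot: `nginx_app_protect_remove_license: true` in playbooks/deploy-nginx-plus-app-protect.yml disagrees with `nginx_remove_license: false` a few lines above it, and with the `false` given to the same variable in deploy-nginx-plus-app-protect-web-server-proxy.yml. If both roles manage the same certificate and key (not visible in this patch), the example leaves it unclear whether the license credentials remain on the host after the run. I would make the two flags agree, or add a comment such as `# remove the license certificate and key from the host once both roles have run`. Removing them shortens the time a credential sits on a web-facing host, presumably at the cost of supplying it again for later upgrades.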
@@ -0,0 +1,110 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
+ - role: nginx_config
+ vars:
+ nginx_config_http_template_enable: true
+ nginx_config_http_template:
+ app:
+ template_file: http/default.conf.j2
+ conf_file_name: default.conf
+ conf_file_location: /etc/nginx/conf.d/
+ servers:
+ main:
+ listen:
+ listen_localhost:
+ port: 80
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ reverse_proxy:
+ locations:
+ main:
+ location: /
+ proxy_pass: http://upstr/
+ proxy_set_header:
+ header_host:
+ name: Host
+ value: $host
+ server_one:
+ listen:
+ listen_server_one:
+ port: 8081
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ web_server:
+ locations:
+ server_one:
+ location: /
+ html_file_location: /usr/share/nginx/html
+ html_file_name: server_one.html
+ sub_filter:
+ once: false
+ sub_filters:
+ - "'server_hostname' '$hostname'"
+ - "'server_address' '$server_addr:$server_port'"
+ - "'server_url' '$request_uri'"
+ - "'remote_addr' '$remote_addr:$remote_port'"
+ - "'server_date' '$time_local'"
+ - "'client_browser' '$http_user_agent'"
+ - "'request_id' '$request_id'"
+ - "'nginx_version' '$nginx_version'"
+ - "'document_root' '$document_root'"
+ - "'proxied_for_ip' '$http_x_forwarded_for'"
+ server_two:
+ listen:
+ listen_server_two:
+ port: 8082
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ web_server:
+ locations:
+ server_two:
+ location: /
+ html_file_location: /usr/share/nginx/html
+ html_file_name: server_two.html
+ sub_filter:
+ once: false
+ sub_filters:
+ - "'server_hostname' '$hostname'"
+ - "'server_address' '$server_addr:$server_port'"
+ - "'server_url' '$request_uri'"
+ - "'remote_addr' '$remote_addr:$remote_port'"
+ - "'server_date' '$time_local'"
+ - "'client_browser' '$http_user_agent'"
+ - "'request_id' '$request_id'"
+ - "'nginx_version' '$nginx_version'"
+ - "'document_root' '$document_root'"
+ - "'proxied_for_ip' '$http_x_forwarded_for'"
+ upstreams:
+ main:
+ name: upstr
+ lb_method: least_conn
+ servers:
+ server_one:
+ address: 0.0.0.0
+ port: 8081
+ server_two:
+ address: 0.0.0.0
+ port: 8082
+
+ nginx_config_html_demo_template_enable: true
+ nginx_config_html_demo_template:
+ server_one:
+ template_file: www/index.html.j2
+ html_file_name: server_one.html
+ html_file_location: /usr/share/nginx/html
+ web_server_name: Ansible NGINX collection - Server one
+ server_two:
+ template_file: www/index.html.j2
+ html_file_name: server_two.html
+ html_file_location: /usr/share/nginx/html
+ web_server_name: Ansible NGINX collection - Server two
diff --git a/playbooks/deploy-nginx-web-server.yml b/playbooks/deploy-nginx-web-server.yml
new file mode 100644
index 0000000..464c5d9
--- /dev/null
+++ b/playbooks/deploy-nginx-web-server.yml
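Review bot: The `sub_filters` lists in playbooks/deploy-nginx-web-server-proxy.yml write `$http_user_agent`, `$http_x_forwarded_for` and `$request_uri` into the HTML body, and sub_filter does not HTML-escape the replacement value, so client-supplied text is reflected into the page as-is. The same lists also publish `$nginx_version` and `$document_root` to every visitor. That is acceptable for a lab demo, but the playbook gives no hint that it should not be copied to an exposed host; I would add a comment above each `sub_filter:` such as `# demo only: reflects request headers and server details into the page`. The identical lists appear in deploy-nginx-web-server.yml and deploy-nginx-plus-app-protect-web-server-proxy.yml.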
@@ -0,0 +1,50 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
+ - role: nginx_config
+ vars:
+ nginx_config_http_template_enable: true
+ nginx_config_http_template:
+ app:
+ template_file: http/default.conf.j2
+ conf_file_name: default.conf
+ conf_file_location: /etc/nginx/conf.d/
+ servers:
+ server1:
+ listen:
+ listen_localhost:
+ port: 80
+ server_name: localhost
+ access_log:
+ - name: main
+ location: /var/log/nginx/access.log
+ sub_filter:
+ once: false
+ sub_filters:
+ - "'server_hostname' '$hostname'"
+ - "'server_address' '$server_addr:$server_port'"
+ - "'server_url' '$request_uri'"
+ - "'remote_addr' '$remote_addr:$remote_port'"
+ - "'server_date' '$time_local'"
+ - "'client_browser' '$http_user_agent'"
+ - "'request_id' '$request_id'"
+ - "'nginx_version' '$nginx_version'"
+ - "'document_root' '$document_root'"
+ - "'proxied_for_ip' '$http_x_forwarded_for'"
+ web_server:
+ locations:
+ main_site:
+ location: /
+ html_file_location: /usr/share/nginx/html
+ html_file_name: index.html
+
+ nginx_config_html_demo_template_enable: true
+ nginx_config_html_demo_template:
+ main:
+ template_file: www/index.html.j2
+ html_file_name: index.html
+ html_file_location: /usr/share/nginx/html
+ web_server_name: Ansible NGINX collection
diff --git a/playbooks/deploy-nginx.yml b/playbooks/deploy-nginx.yml
new file mode 100644
index 0000000..ad1895c
--- /dev/null
+++ b/playbooks/deploy-nginx.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ collections:
+ - nginxinc.nginx_core
+ roles:
+ - role: nginx
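Review bot: In playbooks/deploy-nginx-web-server.yml the `sub_filter` block sits directly under `server1`, whereas the two proxy playbooks nest it under `web_server.locations.<name>`. If the `http/default.conf.j2` template reads only one of those positions (the template is not part of this patch), one of the examples renders a page with its placeholders left unsubstituted. I would move the block under `main_site` to match the other playbooks, or add a comment stating that both positions are supported.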