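---
# Default variables for the nginx role. Every value can be overridden per
# inventory/host; `nginx_default_vhost_extra` is the intended hook for
# changing vhost defaults without copying the whole base mapping.

# Ports nginx listens on for plain HTTP and for TLS.
nginx_ports:
  - 80
nginx_ssl_ports:
  - 443
# Source networks allowed to reach those ports (presumably consumed by the
# role's firewall tasks — confirm). The default admits every address.
nginx_src_ip:
  - 0.0.0.0/0
# If true, will install openresty as an nginx replacement
nginx_openresty: false
nginx_modules:
  - stream
  - http_image_filter
  - http_perl
nginx_log_format: combined_virtual
# The root domain.
# Some special vhost names can be derived from it. Eg downtime.{{ nginx_primary_domain }}
nginx_primary_domain: "{{ ansible_domain }}"
# Certificate and key used when a vhost has no certificate of its own.
nginx_cert_path: /etc/nginx/ssl/cert.pem
nginx_key_path: /etc/nginx/ssl/key.pem
# OR
#
# nginx_letsencrypt_cert:
nginx_vhosts: []
# Base settings applied to every vhost. The nesting below was reconstructed
# from a flattened copy of this file; verify the levels against the role's
# vhost template if a setting does not take effect.
nginx_default_vhost_base:
  aliases: []
  port: 80  # can also be a list of ports
  ssl:
    enabled: true
    forced: true
    # Presumably selects the wider `nginx_ssl_ciphers_compat` list instead
    # of the modern one — confirm in the template.
    compat: false
    port: 443  # can also be a list of ports
  auth: none
  # htpasswd_file:
  maintenance: false
  acme_http: false
  redirect_aliases: true
  document_root: /var/www/html
  # Default Content-Security-Policy. 'unsafe-inline' and 'unsafe-eval' in
  # script-src largely neutralise CSP as a defence against injected scripts;
  # tighten this per vhost wherever the application allows it.
  csp: "default-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
  perf: true
  limits: true
  naxsi: true
  # NOTE(review): in naxsi's learning mode rule matches are logged but not
  # blocked, so this default is detection-only; set to false once the
  # whitelist has been tuned if enforcement is wanted.
  naxsi_learn: true
  naxsi_wl: "# No naxsi whitelist defined"
  max_body_size: 10m
  location: /
  proxy:
    backend: false
    websocket: true
    cache: false
    timeout: 60s
    # Headers passed to the upstream; values are nginx variables, quoted so
    # YAML keeps them literal.
    headers:
      X-Forwarded-For: '$proxy_add_x_forwarded_for'
      X-Real-IP: '$remote_addr'
      X-Forwarded-Proto: '$scheme'
      X-Forwarded-Host: '$host'
      X-Forwarded-Port: '$server_port'
      Host: '$host'
  # Level of this key (vhost vs. proxy) is reconstructed — confirm.
  allowed_methods:
    - GET
    - HEAD
    - POST
  # Response headers added to every vhost.
  headers:
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    # Legacy header; current browsers ignore it, kept for older clients.
    X-XSS-Protection: 1; mode=block
    # $hsts_header is expected to be defined by the role's template.
    Strict-Transport-Security: $hsts_header
  logs:
    gelf: true
  src_ip: []
  deny_ip: []
  custom_pre: '# No custom configuration defined'
  custom_begin: '# No custom configuration defined'
  custom_end: '# No custom configuration defined'
  custom_location_begin: '# No custom configuration defined'
  custom_location_end: '# No custom configuration defined'
# Overrides merged into the base above (recursive merge, extra wins).
nginx_default_vhost_extra: {}
nginx_default_vhost: "{{ nginx_default_vhost_base | combine(nginx_default_vhost_extra,recursive=True) }}"
# List of IP addresses which won't be affected by maintenance redirections
nginx_maintenance_ip: []
# ECDHE-only (forward-secret) suites.
nginx_ssl_ciphers_modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
# Wider list for legacy clients: includes 3DES (DES-CBC3-SHA) and
# non-forward-secret AES-SHA suites. Prefer the modern list unless such
# clients are actually required.
nginx_ssl_ciphers_compat: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
nginx_ssl_protocols:
  - TLSv1.2
  - TLSv1.3
# List of ip/cidr which won't have any DOS limit
nginx_dos_whitelisted_ip: []
# Max number of requests per second, per IP address for non-whitelisted IPs
nginx_req_per_sec: 25
# Max size of the cache on disk
nginx_cache_size: 2g
# If true, a letsencrypt cert will be created for every vhost, automatically
nginx_auto_letsencrypt_cert: false
# Can be used to deploy htpasswd files. Keep real passwords out of plain
# vars files (e.g. use ansible-vault); the example below is illustrative only.
nginx_htpasswd: []
# nginx_htpasswd:
#   - path: /etc/nginx/customers.htpasswd
#     users:
#       - login: client1
#         password: s3crEt.
#         state: present
#       - login: client2
#         state: absent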