Add molecule configuration for nginx role #58
Merged
Changes from 42 commits
be5d84e
Add molecule setup for nginx
p-j-smith 0089d13
Fix path to verify playbooks
p-j-smith 19df1e5
Use flat naming rather than nested for nginx role
p-j-smith 1a1f1bb
Use flat naming rather than nested for nginx role
p-j-smith 10f502d
use flat variable names in nginx config template
p-j-smith 36b0f4b
Use flat variable names in xnat playbook molecule config
p-j-smith 9e0a55e
publish port 80 in xnat molecule config
p-j-smith d75ae33
add molecule config for nginx role
p-j-smith d58fa8b
run gunicorn on localhost
p-j-smith f4fe7ea
Update nginx role variables
p-j-smith a5e9ce7
Make ansible lint happy
p-j-smith 76b5442
Set permission mode for flask app and gunicorn config
p-j-smith ed7337c
Publish nginx port in xnat playbook molecule configuration
p-j-smith 51c0c4d
use flat variable names for nginx template
p-j-smith a18bfac
remove stream from reverse proxy config
p-j-smith a8d2f8b
use tomcat as default server for nginx reverse proxy in xnat playbook…
p-j-smith 600c0a4
set defaults for nginx role to be consistent with current values
p-j-smith f354329
set nginx variables for xnat playbook molecule setup
p-j-smith e0f9576
Add verify playbook for nginx role
p-j-smith 91e87d1
Fix typo in task description
p-j-smith d370b5e
Add verify file for xnat molecule config
p-j-smith dee847f
Fix vars for nginx role in xnat playbook
p-j-smith 2aef7a1
Move gunicorn nginx template to testing inventory
p-j-smith 9c86fe5
Don't use ssl for nginx in testing the role
p-j-smith 94539a6
Add molecule setup for testing nginx role on rocky 9
p-j-smith 863b812
Add workflow for testing nginx role with molecule
p-j-smith 01672b1
Move gunicorn service file to templates
p-j-smith fc39135
Run xnat tests when molecule config changes
p-j-smith 0861270
remove jinja templating from verify assertion
p-j-smith a9865ff
remove exposed and published ports from base molecule configs
p-j-smith e2d2989
Add nginx role readme
p-j-smith 0c62327
rename ipv6_enabled to nginx_ipv6_enabled
p-j-smith 9a56f97
fix typo in nginx readme for https port default
p-j-smith 5dc91c3
Make nginx xnat configs more general
p-j-smith 108d39f
make nginx_root optional in the config
p-j-smith 88351f5
update install_xnat nginx vars
p-j-smith 2ad6fb6
use general nginx config for tests
p-j-smith c077dda
more logical ordering of nginx variables
p-j-smith c7d855d
Update description of variables
p-j-smith c69df49
remove tomcat port from firewall
p-j-smith ac8ca63
fix name of nginx config template to use for testing xnat playbook
p-j-smith 8b0b21e
Merge branch 'main' into tests/nginx
p-j-smith 08ef842
remove unnecessary " from string variables
p-j-smith b8f4dd1
fix typo in name of proxy server in nginx config template
p-j-smith 02ec02c
Add nginx_add_default_server variable
p-j-smith
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ on: | |
- "roles/xnat_container_service/**" | ||
- "playbooks/install_xnat.yml" | ||
- "playbooks/install_container_service.yml" | ||
- "playbooks/molecule/**/xnat/**" | ||
ensure the tests run whenever the molecule configuration or inventory changes |
||
- ".github/workflows/molecule-install-xnat.yml" | ||
release: | ||
types: [published] | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
name: Test nginx | ||
on: | ||
pull_request: | ||
paths: | ||
- "roles/nginx/**" | ||
- ".github/workflows/molecule.yml" | ||
- ".github/workflows/molecule-nginx.yml" | ||
|
||
jobs: | ||
molecule-nginx: | ||
uses: ./.github/workflows/molecule.yml | ||
with: | ||
tests-path: ansible_collections/mirsg/infrastructure/roles/nginx |
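Review bot: The `paths` filter under `pull_request` only covers `roles/nginx/**` and the two workflow files, so a change to the shared base config the scenario is run with (the centos7 scenario header in this PR points at `../../molecule_configs/centos7_base_config.yml`) will not trigger the nginx tests. Consider adding that base-config directory to `paths`, and a `release` trigger like the one in the XNAT workflow if the role tests are meant to run on published releases too.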
10 changes: 0 additions & 10 deletions
playbooks/molecule/resources/xnat/inventory/group_vars/all/all.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
--- | ||
- name: Verify XNAT instance is running | ||
hosts: localhost | ||
tasks: | ||
- name: Get server status | ||
ansible.builtin.uri: | ||
url: http://localhost:8000 | ||
method: GET | ||
validate_certs: false | ||
return_content: true | ||
register: response | ||
|
||
- name: Check server status and response | ||
ansible.builtin.assert: | ||
that: | ||
- response.status == 200 | ||
- response.server == "nginx" | ||
- "{{ response.content is search('MIRSG XNAT') }}" | ||
p-j-smith marked this conversation as resolved.
|
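Review bot: The last entry under `that` wraps its condition in `{{ }}`; `assert` conditions are already evaluated as Jinja expressions, so write it as `- response.content is search('MIRSG XNAT')` to avoid the templating-delimiter warning and a second round of evaluation. In the `uri` task, `validate_certs: false` does nothing for an `http://` URL and would silently disable certificate verification if the URL is later switched to HTTPS, so drop it here.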
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# mirsg.infrastructure.nginx | ||
|
||
This role is for configuring [nginx](https://www.nginx.com/) as a | ||
[reverse proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) | ||
on CentOS 7 or RockyLinux 9. | ||
|
||
## Role Variables | ||
|
||
| Name | Description | | ||
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| `nginx_owner` | The OS user that will have ownership of the nginx service file and directory. Defaults to `root` | | ||
| `nginx_group` | The OS group that will have ownership of the nginx service file and directory. Defaults to `root` | | ||
| `nginx_log_folder` | The path to the nginx logs. Defaults to `/var/log/nginx` | | ||
| `nginx_access_log` | File in which to write access logs for the default server. Defaults to `/var/log/access.log` | | ||
| `nginx_error_log` | File in which to write error logs for the default server. Defaults to `/var/log/error.log` | | ||
| `nginx_app_access_log` | File in which to write access logs for the application server. Defaults to `/var/log/app.access.log` | | ||
| `nginx_app_error_log` | File in which to write error logs for the application server. Defaults to `/var/log/app.error.log` | | ||
| `nginx_http_port` | The port to listen on for HTTP connections. Defaults to `80` | | ||
| `nginx_https_port` | The port to listen on for HTTPS connections. Defaults to `443` | | ||
| `nginx_proxy_port` | The port to forward requests to. Required variable; no default | | ||
| `nginx_root` | The path to search for static files. Optional variable; no default | | ||
| `nginx_conf_template` | The template to use for generating the NGINX config. See currently available [templates](templates/). Defaults to `nginx_xnat.j2`, which is used to configure NGINX as a reverse proxy for XNAT | | ||
p-j-smith marked this conversation as resolved.
|
||
| `nginx_conf_file` | The path to write the NGINX config to. Defaults to `/etc/nginx/nginx.conf` | | ||
| `nginx_ipv6_enabled` | Whether to enable support for IPv6. Defaults to `false` | | ||
|
||
If you would like to use SSL with NGINX, you will need to have the | ||
certificate and key on your Ansible Controller, and may also need to set | ||
the following variables: | ||
|
||
| Name | Description | | ||
| ------------------------------- | ----------------------------------------------------------------------------------------- | | ||
| `nginx_use_ssl` | Whether to use SSL. Defaults to `true` | | ||
| `nginx_certs_dir` | Where to store the certificates. Defaults to `/etc/nginx/ssl` | | ||
| `nginx_server_cert_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default | | ||
| `nginx_server_key_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default | | ||
| `nginx_ssl_cert_file` | Path to copy the SSL certificate to. Defaults to `/etc/nginx/ssl/server.cert` | | ||
| `nginx_ssl_key_file` | Path to copy the SSL key to. Defaults to `/etc/nginx/ssl/server.key` | | ||
| `nginx_diffie_helman_size_bits` | Bit size for OpenSSL Diffie-Hellman Parameters. Defaults to `4096` | | ||
| `nginx_dh_params_file` | Path to write the Diffie-Hellman Parameters to. Defaults to `"/etc/nginx/ssl/dhparam.pem` | | ||
|
||
## Dependencies | ||
|
||
You will need to install the following collections before using `mirsg.infrastructure.nginx`: | ||
|
||
- `ansible.posix` | ||
- `community.crypto` | ||
- `community.general` | ||
|
||
## Example Playbook | ||
|
||
```yaml | ||
- name: Configure nginx | ||
hosts: all | ||
roles: | ||
- mirsg.infrastructure.nginx | ||
``` |
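Review bot: Several defaults documented in the Role Variables tables do not match the role defaults changed in this PR: the four log-file rows give paths directly under `/var/log/` while the defaults build them from `nginx_log_folder` (`/var/log/nginx`), and `nginx_conf_template` is documented as `nginx_xnat.j2` while the default is `nginx_reverse_proxy.j2`. In the SSL table, `nginx_server_key_cache` is described as the path to the certificate rather than the key, and the `nginx_dh_params_file` default has a stray opening quote. `nginx_server_name`, which the molecule inventory sets, is not listed at all.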
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,19 +1,30 @@ | ||
--- | ||
nginx: # noqa: var-naming[no-role-prefix] | ||
owner: root | ||
group: root | ||
log_folder: "/var/log/nginx" | ||
http_port: 80 | ||
https_port: 443 | ||
certs_dir: "/etc/nginx/ssl" | ||
dh_params_file: "/etc/nginx/ssl/dhparam.pem" | ||
conf_file: "/etc/nginx/nginx.conf" | ||
ssl_cert_file: "/etc/nginx/ssl/server.cert" | ||
ssl_key_file: "/etc/nginx/ssl/server.key" | ||
nginx_owner: root | ||
nginx_group: root | ||
|
||
nginx_log_folder: "/var/log/nginx" | ||
p-j-smith marked this conversation as resolved.
|
||
nginx_access_log: "{{ nginx_log_folder }}/access.log" | ||
nginx_error_log: "{{ nginx_log_folder }}/error.log" | ||
nginx_app_access_log: "{{ nginx_log_folder }}/app.access.log" | ||
nginx_app_error_log: "{{ nginx_log_folder }}/app.error.log" | ||
|
||
nginx_http_port: 80 | ||
nginx_https_port: 443 | ||
|
||
nginx_conf_template: "nginx_reverse_proxy.j2" # check the template file for the variables it requires | ||
p-j-smith marked this conversation as resolved.
|
||
nginx_conf_file: "/etc/nginx/nginx.conf" | ||
p-j-smith marked this conversation as resolved.
|
||
|
||
nginx_ipv6_enabled: false | ||
|
||
nginx_use_ssl: true | ||
nginx_certs_dir: "/etc/nginx/ssl" | ||
p-j-smith marked this conversation as resolved.
|
||
nginx_ssl_cert_file: "/etc/nginx/ssl/server.cert" | ||
p-j-smith marked this conversation as resolved.
|
||
nginx_ssl_key_file: "/etc/nginx/ssl/server.key" | ||
p-j-smith marked this conversation as resolved.
|
||
|
||
# Bit size for OpenSSL Diffie-Hellman Parameters. Higher bit sizes are more | ||
# secure, but require exponentially larger times for the one-off parameter | ||
# generation. Use 4096 for production. These may take 10mins+ to generate but | ||
# are only generated once per server. | ||
# For local testing (non-production), use 2048 to speed up deployment. | ||
nginx_diffie_helman_size_bits: 4096 | ||
nginx_dh_params_file: "/etc/nginx/ssl/dhparam.pem" | ||
p-j-smith marked this conversation as resolved.
|
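Review bot: `nginx_ssl_cert_file`, `nginx_ssl_key_file` and `nginx_dh_params_file` hard-code `/etc/nginx/ssl` instead of deriving from `nginx_certs_dir`, so overriding `nginx_certs_dir` alone leaves the key and DH parameters in the old location; build them from `{{ nginx_certs_dir }}` the same way the log files are built from `nginx_log_folder`. With `nginx_use_ssl: true` as the default and no defaults for `nginx_server_cert_cache` and `nginx_server_key_cache`, an early `assert` that both are defined would give a clear failure when they are missing. `nginx_diffie_helman_size_bits` also misspells Hellman; renaming it is cheapest now, while the flat names are being introduced.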
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
--- | ||
# test this scenario from the roles/provision directory with the command | ||
# molecule --base-config ../../molecule_configs/centos7_base_config.yml test --scenario centos7 | ||
platforms: | ||
- name: instance | ||
hostname: molecule.instance.local | ||
image: ${MOLECULE_DOCKER_IMAGE:-geerlingguy/docker-centos7-ansible:latest} | ||
required: true | ||
command: "" | ||
cgroupns_mode: host | ||
privileged: true | ||
pre_build_image: ${MOLECULE_PRE_BUILD_IMAGE:-true} | ||
volumes: | ||
- ./molecule-data:/storage/molecule | ||
keep_volumes: false | ||
groups: | ||
- all | ||
- molecule | ||
- centos7 | ||
docker_networks: | ||
- name: molecule | ||
ipam_config: | ||
- subnet: 192.168.56.0/24 | ||
gateway: 192.168.56.1 | ||
networks: | ||
- name: molecule | ||
ipv4_address: 192.168.56.2 | ||
exposed_ports: | ||
- 80 | ||
- 443 | ||
- 8000 | ||
published_ports: | ||
- 127.0.0.1:8080:80 | ||
etc_hosts: | ||
molecule.instance.local: 192.168.56.2 |
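Review bot: `image` falls back to `geerlingguy/docker-centos7-ansible:latest` while the instance runs with `privileged: true` and `cgroupns_mode: host`, so whatever that mutable tag resolves to at test time runs with near-host privileges on the runner; pin the default to a fixed tag or digest. The header comment still says to run the scenario from `roles/provision`, which looks copied from another role, and `exposed_ports` lists `8000` although only port 80 is published and the backend is meant to be reached through nginx.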
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
- name: Configure nginx as a reverse proxy | ||
hosts: all | ||
become: true | ||
gather_facts: true | ||
roles: | ||
- role: mirsg.infrastructure.nginx |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
from flask import Flask | ||
|
||
app = Flask(__name__) | ||
|
||
@app.route("/") | ||
def index(): | ||
return "<h1>Hello World!</h1>" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
nginx_conf_template: "nginx_reverse_proxy_as_default.j2" | ||
p-j-smith marked this conversation as resolved.
|
||
nginx_server_name: molecule.instance.local | ||
nginx_proxy_port: 8000 | ||
nginx_diffie_helman_size_bits: 2048 | ||
nginx_root: "/home/" | ||
nginx_use_ssl: false |
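Review bot: With `nginx_use_ssl: false` in this inventory, the role's default (`nginx_use_ssl: true`) is not exercised by these tests, so the certificate, key and DH parameter handling goes unverified and `nginx_diffie_helman_size_bits: 2048` has no effect. Consider a second scenario, or a prepare step that creates a throwaway self-signed certificate and key on the controller and sets `nginx_server_cert_cache` and `nginx_server_key_cache`, so the TLS configuration is tested as well. `nginx_root: "/home/"` is also a broad static root even for a test; a dedicated empty directory would do.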
17 changes: 17 additions & 0 deletions
roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
--- | ||
# mirsg.infrastructure.install_python | ||
install_python: | ||
version: "2" | ||
pip_version: "20.3.4" | ||
pip_executable: "pip" | ||
p-j-smith marked this conversation as resolved.
|
||
system_packages: | ||
- python | ||
- python-pip | ||
- python-setuptools | ||
- libselinux-python | ||
- policycoreutils-python | ||
pip_packages: | ||
- gunicorn | ||
- Flask | ||
|
||
gunicorn_executable: /usr/bin/gunicorn |
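Review bot: `pip_packages` installs `gunicorn` and `Flask` unpinned on Python 2 with pip 20.3.4, so the versions under test are whatever pip resolves as the newest releases still installable on Python 2; pin both explicitly so the scenario is reproducible and the end-of-life versions in use are visible. The package is spelled `Flask` here and `flask` in the rocky9 vars; pick one spelling for both files.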
17 changes: 17 additions & 0 deletions
roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
--- | ||
# mirsg.infrastructure.install_python | ||
install_python: | ||
version: "3" | ||
pip_version: "21.3.1" | ||
pip_executable: "/usr/local/bin/pip3" | ||
p-j-smith marked this conversation as resolved.
|
||
system_packages: | ||
- python3 | ||
- python3-pip | ||
- python3-setuptools | ||
- python3-libselinux | ||
- policycoreutils-python-utils | ||
pip_packages: | ||
- gunicorn | ||
- flask | ||
|
||
gunicorn_executable: /usr/local/bin/gunicorn |
Do we need the above to catch changes to the molecule configuration?
I think the molecule config changes should be included with the line below (`- "playbooks/molecule/**/xnat/**"`)