pulibrary · acozine · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023 · Sep 7, 2023
diff --git a/group_vars/nginxplus/main.yml b/group_vars/nginxplus/main.yml
@@ -1,11 +1,19 @@
 ---
+# variables for building nginxplus on our load balancers
 deploy_user_uid: 1003
 slack_alerts_channel:
   - '#infrastructure'
   - '#ansible-alerts'
 nginx_type: plus
+nginx_delete_license: false
+# enable rest API
 nginx_rest_api_enable: true
 nginx_rest_api_write: true
+nginx_rest_api_src: api.conf.j2
+nginx_rest_api_location: /etc/nginx/conf.d/api.conf
+nginx_rest_api_port: 8080
+nginx_rest_api_dashboard: true
+# modules to install
 nginx_modules:
   waf: true
   geoip: true
@@ -14,30 +22,31 @@ nginx_modules:
   image_filter: true
   rtmp: true
   xslt: true
-nginx_status_enable: false
-nginx_status_port: 8080
-nginx_rest_api_src: api.conf.j2
-nginx_rest_api_location: /etc/nginx/conf.d/api.conf
-nginx_rest_api_port: 8080
-nginx_rest_api_dashboard: true
-nginx_delete_license: false
+# the hash table stores server names for fast lookup
+# see PR 3578 on princeton_ansible
+# increase the size first
+# when that stops working, increase the hash buckets
+nginx_server_names_hash_bucket_size: 64
+nginx_server_names_hash_max_size: 1024
+# Upload HTTP NGINX static configuration files.
 nginx_http_upload_enable: true
-nginx_http_upload_src: conf/http/*.conf
-nginx_http_upload_dest: /etc/nginx/conf.d/
-nginx_stream_upload_enable: true
-nginx_stream_upload_src: conf/stream/*.conf
-nginx_stream_upload_dest: /etc/nginx/conf.d/stream/
+nginx_http_upload_src: conf/http/static/*.conf
+nginx_http_upload_dest: /etc/nginx/conf.d
+# Remove previously existing NGINX configuration files.
+# Use a list of paths you wish to remove.
 nginx_cleanup_config: true
-nginx_cleanup_config_path:
-  - /etc/nginx/conf.d
+nginx_cleanup_config_path: "{{nginx_http_upload_dest}}/static/"
+# Upload SSL certificates and keys.
 nginx_ssl_upload_enable: true
 nginx_ssl_crt_upload_src: ssl/*.pem
 nginx_ssl_crt_upload_dest: /etc/nginx/conf.d/ssl/certs/
 nginx_ssl_key_upload_src: ssl/*.key
 nginx_ssl_key_upload_dest: /etc/nginx/conf.d/ssl/private/
+# add template files for library production and staging
 nginx_template_upload_enable: true
 nginx_template_upload_src: conf/http/templates/*.conf
 nginx_template_upload_dest: /etc/nginx/conf.d/templates/
+# configure datadog log collection
 datadog_api_key: "{{vault_datadog_key}}"
 datadog_config:
   tags: "{{nginxplus_tags}}"
@@ -64,146 +73,3 @@ datadog_checks:
         service: adc
         source: adc
         sourcecategory: http_web_access
-nginx_stream_template_enable: false
-nginx_stream_template:
-  default:
-    template_file: stream/default.conf.j2
-    conf_file_name: default.conf
-    conf_file_location: /etc/nginx/conf.d/stream/
-    network_streams:
-      default:
-        listen_address: localhost
-        listen_port: 80
-        udp_enable: false
-        proxy_pass: backend
-        proxy_timeout: 3s
-        proxy_connect_timeout: 1s
-        proxy_protocol: false
-        proxy_ssl:
-          cert: /etc/ssl/certs/proxy_default.crt
-          key: /etc/ssl/private/proxy_default.key
-          trusted_cert: /etc/ssl/certs/proxy_ca.crt
-          server_name: false
-          name: server_name
-          protocols: TLSv1 TLSv1.1 TLSv1.2
-          ciphers: HIGH:!aNULL:!MD5
-          verify: false
-          verify_depth: 1
-          session_reuse: true
-        health_check_plus: false
-    upstreams:
-      upstream1:
-        name: backend
-        lb_method: least_conn
-        zone_name: backend
-        zone_size: 64k
-        sticky_cookie: false
-        servers:
-          server1:
-            address: localhost
-            port: 8080
-            weight: 1
-            health_check: max_fails=1 fail_timeout=10s
-nginx_http_template_enable: false
-nginx_http_template:
-  default:
-    template_file: http/default.conf.j2
-    conf_file_name: default.conf
-    conf_file_location: /etc/nginx/conf.d/
-    port: 8081
-    server_name: localhost
-    error_page: /usr/share/nginx/html
-    root: /usr/share/nginx/html
-    https_redirect: false
-    autoindex: false
-    ssl:
-      cert: /etc/ssl/certs/default.crt
-      key: /etc/ssl/private/default.key
-      protocols: TLSv1 TLSv1.1 TLSv1.2
-      ciphers: HIGH:!aNULL:!MD5
-      session_cache: none
-      session_timeout: 5m
-    web_server:
-      locations:
-        default:
-          location: /home
-          html_file_location: /usr/share/nginx/html
-          html_file_name: index.html
-          autoindex: false
-          auth_basic: null
-          auth_basic_file: null
-      http_demo_conf: false
-    reverse_proxy:
-      proxy_cache_path:
-        - path: /var/cache/nginx/proxy/backend
-          keys_zone:
-            name: backend_proxy_cache
-            size: 10m
-          levels: "1:2"
-          max_size: 10g
-          inactive: 60m
-          use_temp_path: true
-      proxy_temp_path:
-        path: /var/cache/nginx/proxy/temp
-      proxy_cache_lock: true
-      proxy_cache_min_uses: 5
-      proxy_cache_revalidate: true
-      proxy_cache_use_stale:
-        - error
-        - timeout
-      proxy_ignore_headers:
-        - Expires
-      locations:
-        backend:
-          location: /
-          proxy_connect_timeout: null
-          proxy_pass: http://backend
-          proxy_read_timeout: null
-          proxy_ssl:
-            cert: /etc/ssl/certs/proxy_default.crt
-            key: /etc/ssl/private/proxy_default.key
-            trusted_cert: /etc/ssl/certs/proxy_ca.crt
-            server_name: false
-            name: server_name
-            protocols: TLSv1 TLSv1.1 TLSv1.2
-            ciphers: HIGH:!aNULL:!MD5
-            verify: false
-            verify_depth: 1
-            session_reuse: true
-          proxy_temp_path:
-            path: /var/cache/nginx/proxy/backend/temp
-          proxy_cache_lock: false
-          proxy_cache_min_uses: 3
-          proxy_cache_revalidate: false
-          proxy_cache_use_stale:
-            - http_403
-            - http_404
-          proxy_ignore_headers:
-            - Vary
-            - Cache-Control
-          proxy_redirect: false
-          websocket: false
-          auth_basic: null
-          auth_basic_file: null
-      health_check_plus: false
-    proxy_cache:
-      proxy_cache_path:
-        path: /var/cache/nginx
-        keys_zone:
-          name: one
-          size: 10m
-      proxy_temp_path:
-        path: /var/cache/nginx/proxy
-    upstreams:
-      upstream1:
-        name: backend
-        lb_method: least_conn
-        zone_name: backend_mem_zone
-        zone_size: 64k
-        sticky_cookie: false
-        servers:
-          server1:
-            address: localhost
-            port: 8081
-            weight: 1
-            health_check: max_fails=1 fail_timeout=10s
diff --git a/playbooks/nginxplus.yml b/playbooks/nginxplus.yml
@@ -19,36 +19,7 @@
     when: ansible_limit is not defined
     run_once: true
 
-  - name: tell infrastructure and ansible-alerts the playbook is starting
-    community.general.slack:
-      token: "{{ vault_tower_slack_token }}"
-      msg: "Ansible is now running `{{ ansible_play_name }}` with the `{{ ansible_run_tags }}` tag on {{ inventory_hostname }}"
-      channel: {{ item }}
-    loop: "{{ slack_alerts_channel }}"
-    tags: always
-
   # updates existing load balancer
   roles:
     - role: ../roles/nginxplus
 
-- name: restart nginx with updated loadbalancer configuration
-  hosts: nginxplus_production
-  remote_user: pulsys
-  strategy: linear
-  become: true
-
-  tasks:
-    - name: nginxplus | restart nginx for realsies
-      service:
-        name: nginx
-        state: restarted
-      tags: always
-
-  post_tasks:
-    - name: tell everyone on slack you ran an ansible playbook
-      community.general.slack:
-        token: "{{ vault_pul_slack_token }}"
-        msg: "Ansible ran `{{ ansible_play_name }}` on {{ inventory_hostname }}"
-        channel: {{ item }}
-      loop: "{{ slack_alerts_channel }}"
-      tags: always
diff --git a/roles/nginxplus/README.md b/roles/nginxplus/README.md
@@ -159,7 +159,7 @@ nginx_main_upload_dest: /etc/nginx/
 # Upload HTTP NGINX configuration files.
 nginx_http_upload_enable: false
 nginx_http_upload_src: conf/http/*.conf
-nginx_http_upload_dest: /etc/nginx/conf.d/
+nginx_http_upload_dest: /etc/nginx/conf.d
 # Upload Stream NGINX configuration files.
 nginx_stream_upload_enable: false
 nginx_stream_upload_src: conf/stream/*.conf

diff --git a/roles/nginxplus/defaults/main.yml b/roles/nginxplus/defaults/main.yml
@@ -95,44 +95,14 @@ nginx_controller_api_endpoint: null
 # Default is false.
 nginx_unit_enable: false
 nginx_unit_modules: null
-
-# Remove previously existing NGINX configuration files.
-# Use a list of paths you wish to remove.
-# Default is false.
-nginx_cleanup_config: false
-nginx_cleanup_config_path:
-  - /etc/nginx/conf.d
-
-# add template files for library production and staging
-nginx_template_upload_enable: false
-nginx_template_upload_src: conf/http/templates/*.conf
-nginx_template_upload_dest: /etc/nginx/conf.d/templates/
-# Enable uploading NGINX configuration files to your system.
-# Default for uploading files is false.
-# Default location of files is the files folder within the NGINX Ansible role.
 # Upload the main NGINX configuration file.
 nginx_main_upload_enable: false
 nginx_main_upload_src: conf/nginx.conf
 nginx_main_upload_dest: /etc/nginx/
-# Upload HTTP NGINX configuration files.
-nginx_http_upload_enable: false
-nginx_http_upload_src: conf/http/*.conf
-nginx_http_upload_dest: /etc/nginx/conf.d/
-# Upload Stream NGINX configuration files.
-nginx_stream_upload_enable: false
-nginx_stream_upload_src: conf/stream/*.conf
-nginx_stream_upload_dest: /etc/nginx/conf.d/
 # Upload HTML files.
 nginx_html_upload_enable: false
 nginx_html_upload_src: www/*
 nginx_html_upload_dest: /usr/share/nginx/html
-# Upload SSL certificates and keys.
-nginx_ssl_upload_enable: false
-nginx_ssl_crt_upload_src: ssl/*.crt
-nginx_ssl_crt_upload_dest: /etc/ssl/certs/
-nginx_ssl_key_upload_src: ssl/*.key
-nginx_ssl_key_upload_dest: /etc/ssl/private/
-
 # Enable creating dynamic templated NGINX HTML demo websites.
 nginx_html_demo_template_enable: false
 nginx_html_demo_template:
@@ -397,7 +367,13 @@ nginx_rest_api_dashboard: false
 # Enable creating dynamic templated NGINX stream configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
 # the options available for templating. Each key represents a new configuration file.
+# Upload Stream NGINX configuration files.
+# was set to 'true' in the group_vars for nginxplus
+# but we do not have any files in conf/stream/
+# nginx_stream_upload_enable: true
 nginx_stream_template_enable: false
+nginx_stream_upload_src: conf/stream/*.conf
+nginx_stream_upload_dest: /etc/nginx/conf.d/stream/
 nginx_stream_template:
   default:
     template_file: stream/default.conf.j2
@@ -417,6 +393,8 @@ nginx_stream_template:
           cert: /etc/ssl/certs/proxy_default.crt
           key: /etc/ssl/private/proxy_default.key
           trusted_cert: /etc/ssl/certs/proxy_ca.crt
+          server_name: false
+          name: server_name
           protocols: TLSv1 TLSv1.1 TLSv1.2
           ciphers: HIGH:!aNULL:!MD5
           verify: false
@@ -436,8 +414,3 @@ nginx_stream_template:
             port: 8080
             weight: 1
             health_check: max_fails=1 fail_timeout=10s
-
-# manage the hash table that stores server names for fast lookup
-# increase the size first, when that stops working, increase the number of hash buckets in the table
-nginx_server_names_hash_bucket_size: 64
-nginx_server_names_hash_max_size: 1024
diff --git a/roles/nginxplus/files/conf/http/abid-staging.conf b/roles/nginxplus/files/conf/http/abid-staging.conf