Triple S!!! Speed, Systemd and Selinux (#272)

Author: magicalyak

README.md

@@ -223,4 +223,6 @@ Author Information
 
 [Grzegorz Dzien](https://github.com/gdzien)
 
+[Tom Gamull](https://github.com/magicalyak)
+
 © [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020

defaults/main/main.yml

@@ -94,3 +94,18 @@ nginx_cleanup_config_path:
   - directory:
       - /etc/nginx/conf.d
     recurse: false
+
+# Set selinux enforcing for nginx (Centos/Redhat only) - you may need to open ports on your own
+nginx_selinux: false
+# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
+nginx_selinux_enforcing: true
+# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
+# nginx_selinux_tcp_ports:
+#   - 80
+#   - 443
+# List of UDP ports to add to http_port_t type
+# nginx_selinux_udp_ports:
+#   - 80
+#   - 443
+# Temporary directory to hold selinux modules
+nginx_tempdir: /tmp

defaults/main/systemd.yml

@@ -0,0 +1,43 @@
+---
+# Enable systemd modifications
+# ** ALL of the following variables are ignored unless this is set to true **
+nginx_service_modify: false
+
+# Remove the override file completely
+nginx_service_clean: false
+
+# Override the systemd directory
+# Default is /etc/systemd/system/nginx.service.d
+nginx_service_overridepath: /etc/systemd/system/nginx.service.d
+
+# Override the systemd filename
+# Default is override.conf
+nginx_service_overridefilename: override.conf
+
+# Set service timeout for systemd systems in seconds (default: 90)
+# [Service]
+# TimeoutStopSec=90
+# Default is to comment this out
+# nginx_service_timeoutstopsec: 90
+
+# Set the restart policy for systemd systems
+# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
+# [Service]
+# Restart=on-failure
+# Default is to comment this out
+# nginx_service_restart: on-failure
+
+# Set the restart timer in seconds
+# [Service]
+# RestartSec=5s
+# Default is to comment this out
+# nginx_service_restartsec: 5s
+
+# Enable a custom systemd override file
+# ** This could break the service **
+# Setting this to true disables custom values above
+nginx_service_custom: false
+
+# Filename and path for systemd override file
+# Setting this will overwrite existing override file
+nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"

files/services/nginx.override.conf

@@ -0,0 +1,2 @@
+[Service]
+TimeoutStopSec=90

handlers/main.yml

@@ -1,4 +1,14 @@
 ---
+# handlers file for ansible-role-nginx
+- name: "(Handler: All OSs) Check NGINX"
+  command: "nginx -t"
+  changed_when: false
+
+- name: "(Handler: All OSs) systemd daemon-reload"
+  systemd:
+    daemon_reload: yes
+  notify: "(Handler: All OSs) Start NGINX"
+
 - name: "(Handler: All OSs) Run NGINX"
   block:
 
@@ -33,7 +43,3 @@
     name: unitd
     state: started
     enabled: yes
-
-- name: "(Handler: All OSs) Check NGINX"
-  command: "nginx -t"
-  changed_when: false

molecule/common/playbook_default.yml

@@ -25,7 +25,10 @@
     - role: ansible-role-nginx
   vars:
     nginx_debug_output: true
-
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
     nginx_version: "{{ version }}"
     nginx_logrotate_conf_enable: true
     nginx_logrotate_conf:

molecule/common/playbook_module.yml

@@ -6,6 +6,13 @@
   vars:
     nginx_debug_output: true
 
+    nginx_service_modify: true
+    nginx_service_timeout: 95
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
+
     nginx_cleanup_config: true
     nginx_cleanup_config_path:
       - directory:

molecule/common/playbook_template.yml

@@ -6,6 +6,13 @@
   vars:
     nginx_debug_output: true
 
+    nginx_service_modify: true
+    nginx_service_timeout: 95
+    nginx_selinux: true
+    nginx_selinux_tcp_ports:
+      - 80
+      - 443
+
     nginx_main_template_enable: true
     nginx_main_template:
       template_file: nginx.conf.j2

tasks/amplify/install-amplify.yml

@@ -1,9 +1,8 @@
 ---
-- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
-
-- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
+- include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_os_family | lower }}.yml"
+  when:
+    - ansible_os_family == "Debian"
+      or ansible_os_family == "Redhat"
 
 - name: "(Install: All OSs) Install NGINX Amplify Agent"
   package:

tasks/keys/setup-keys.yml

@@ -0,0 +1,16 @@
+---
+- name: "(Setup: Keys) Alpine"
+  include_tasks: "{{ role_path }}/tasks/keys/apk-key.yml"
+  when: ansible_os_family == "Alpine"
+  tags: nginx_apkkey
+
+- name: "(Setup: Keys) Debian"
+  include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml"
+  when: ansible_os_family == "Debian"
+  tags: nginx_aptkey
+
+- name: "(Setup: Keys) RedHat/Suse"
+  include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml"
+  when: ansible_os_family == "RedHat"
+        or ansible_os_family == "Suse"
+  tags: nginx_rpmkey