Refactor status templating (#288)

Author: alessfg

CHANGELOG.md

@@ -6,6 +6,7 @@ BREAKING CHANGES:
 
 *   The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
 *   If you use `custom_options` you will now need to manually end each directive with a semicolon.
+*   The `status` directive is no longer supported in NGINX Plus, and the `stub_status` directive has been reworked into a template.
 *   The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need.
 
     Old configuration example

defaults/main/template.yml

@@ -317,20 +317,27 @@ nginx_http_template:
 # Note - 'status' has been deprecated since NGINX Plus R13.
 # Default is false.
 nginx_status_enable: false
-nginx_status_location: /etc/nginx/conf.d/stub_status.conf
-nginx_status_port: 80
+nginx_status_template_file: http/status.conf.j2
+nginx_status_file_location: /etc/nginx/conf.d/status.conf
 nginx_status_log: false
+nginx_status_port: 80
+nginx_status_allow: 127.0.0.1
+nginx_status_deny: all
 
 # Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard.
 # Requires NGINX Plus.
 # Default is false.
 nginx_rest_api_enable: false
 nginx_rest_api_template_file: http/api.conf.j2
 nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf
-nginx_rest_api_port: 80
 nginx_rest_api_log: false
+nginx_rest_api_port: 80
 nginx_rest_api_write: false
 nginx_rest_api_dashboard: false
+nginx_status_rest_api_allow: 127.0.0.1
+nginx_status_rest_api_deny: all
+nginx_status_rest_api_dashboard_allow: 127.0.0.1
+nginx_status_rest_api_dashboard_deny: all
 
 # Enable creating dynamic templated NGINX stream configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase

molecule/common/playbooks/template_converge.yml

@@ -58,7 +58,6 @@
       stream_enable: true
 
     nginx_status_enable: true
-    nginx_status_location: /etc/nginx/conf.d/stub_status.conf
     nginx_status_port: 8080
     nginx_status_log: true
 

tasks/conf/setup-status.yml

@@ -55,6 +55,14 @@
   when: nginx_http_template_enable | bool
   notify: "(Handler: All OSs) Reload NGINX"
 
+- name: "(Setup: All NGINX) Dynamically Generate NGINX Stub Status Configuration File"
+  template:
+    src: "{{ nginx_status_template_file | default('http/status.conf.j2') }}"
+    dest: "{{ nginx_status_file_location | default('/etc/nginx/conf.d/status.conf') }}"
+    backup: yes
+  notify: "(Handler: All OSs) Reload NGINX"
+  when: nginx_status_enable | bool
+
 - name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File"
   template:
     src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}"

tasks/conf/template-config.yml

@@ -1,9 +1,9 @@
 ---
-- name: "(Setup: Prerequisites)"
+- name: "(Setup: All OSs) Setup Prerequisites"
   include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml"
   tags: nginx_prerequisites
 
-- name: "(Setup: Keys)"
+- name: "(Setup: All OSs) Setup Keys"
   import_tasks: keys/setup-keys.yml
   when:
     - ansible_os_family == "Alpine"
@@ -15,73 +15,82 @@
       or nginx_unit_enable
   tags: nginx_key
 
-- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX"
+- name: "(Install/Config: All OSs) Install and Configure NGINX"
   block:
 
-    - block:
-        - include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml"
+    - name: "(Install: All OSs) Install NGINX"
+      block:
+        - name: "(Install: All OSs) Install NGINX Open Source"
+          include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml"
           when: nginx_type == "opensource"
           tags: nginx_install_oss
 
-        - include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml"
+        - name: "(Install: All OSs) Install NGINX Plus"
+          include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml"
           when: nginx_type == "plus"
           tags: nginx_install_plus
 
-        - include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml"
+        - name: "(Install: All OSs) Install NGINX Modules"
+          include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml"
           when: true in nginx_modules.values()
           tags: nginx_install_modules
 
-        - include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml"
+        - name: "(Install: All OSs) Delete NGINX Plus License"
+          include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml"
           when:
             - nginx_type == "plus"
             - nginx_delete_license
           tags: nginx_delete_license
       when: nginx_install | bool
 
-    - block:
-        - include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml"
+    - name: "(Config: All OSs) Configure NGINX"
+      block:
+        - name: "(Config: All OSs) Cleanup NGINX Config"
+          include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml"
           when: nginx_cleanup_config | bool
           tags: nginx_cleanup_config
 
-        - include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml"
+        - name: "(Config: All OSs) Upload NGINX Config"
+          include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml"
           when: nginx_main_upload_enable
                 or nginx_http_upload_enable
                 or nginx_stream_upload_enable
                 or nginx_html_upload_enable
                 or nginx_ssl_upload_enable
           tags: nginx_upload_config
 
-        - include_tasks: "{{ role_path }}/tasks/conf/template-config.yml"
+        - name: "(Config: All OSs) Create NGINX Config"
+          include_tasks: "{{ role_path }}/tasks/conf/template-config.yml"
           when: nginx_main_template_enable
                 or nginx_http_template_enable
                 or nginx_stream_template_enable
                 or nginx_rest_api_enable
           tags: nginx_template_config
-
-        - include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml"
-          when: nginx_status_enable | bool
-          tags: nginx_setup_status
       when: nginx_configure | bool
 
     - name: "(Config: All OSs) Ensure NGINX is Running"
       meta: flush_handlers
 
-    - include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml"
+    - name: "(Config: All OSs) Debug Output"
+      include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml"
       when: nginx_debug_output | bool
       tags: nginx_debug_output
 
-    - include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml"
+    - name: "(Config: All OSs): Configure Logrotate"
+      include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml"
       when: nginx_logrotate_conf_enable | bool
       tags: nginx_logrotate_config
   when: nginx_enable | bool
 
-- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml"
+- name: "(Install: All OSs) Install NGINX Amplify"
+  include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml"
   when:
     - nginx_amplify_enable | bool
     - nginx_amplify_api_key is defined
     - nginx_amplify_api_key | length > 0
   tags: nginx_install_amplify
 
-- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
+- name: "(Install: All OSs) Install NGINX Unit"
+  include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
   when: nginx_unit_enable | bool
   tags: nginx_install_unit

tasks/main.yml

@@ -2,17 +2,29 @@
 
 server {
     listen {{ nginx_rest_api_port | default('80') }};
-    access_log {{ nginx_rest_api_log | ternary("on", "off") }};
+    access_log {{ nginx_rest_api_log | ternary('on', 'off') }};
     location /api {
 {% if nginx_rest_api_write %}
         api write=on;
 {% else %}
         api;
+{% endif %}
+{% if nginx_status_rest_api_allow is defined %}
+        allow {{ nginx_status_rest_api_allow }};
+{% endif %}
+{% if nginx_status_rest_api_deny is defined %}
+        deny {{ nginx_status_rest_api_deny }};
 {% endif %}
     }
 {% if nginx_rest_api_dashboard %}
     location = /dashboard.html {
         root /usr/share/nginx/html;
+{% if nginx_status_rest_api_dashboard_allow is defined %}
+        allow {{ nginx_status_rest_api_dashboard_allow }};
+{% endif %}
+{% if nginx_status_rest_api_dashboard_deny is defined %}
+        deny {{ nginx_status_rest_api_dashboard_deny }};
+{% endif %}
     }
 {% endif %}
 }

templates/http/api.conf.j2

@@ -0,0 +1,15 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ nginx_status_port | default('80') }};
+    access_log {{ nginx_status_log | ternary('on', 'off') }};
+    location /nginx_status {
+        stub_status on;
+{% if nginx_status_allow is defined %}
+        allow {{ nginx_status_allow }};
+{% endif %}
+{% if nginx_status_deny is defined %}
+        deny {{ nginx_status_deny }};
+{% endif %}
+    }
+}