Merge pull request #4 from crushlovely/dev

adding passenger log file to conform with new passenger update

circle.yml

@@ -31,4 +31,4 @@ test:
         timeout: 900
 
     # Idempotence Test
-    - "ansible-playbook -i tests/inventory tests/test.yml | grep -q 'changed=3.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
+    - "ansible-playbook -i tests/inventory tests/test.yml | grep -q 'changed=6.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"

defaults/main.yml

@@ -1,21 +1,19 @@
 ---
 app_name: test
 app_path: /srv/test/public
+app_user: ubuntu
+app_group: ubuntu
+server_env: production
 ssl: 'false'
 passenger: 'true'
 updates: 'true'
 custom: 'true'
-nginx:
-  version: 1.6.2
-  upstream_port: 5000
-  ssl_cert:
-    crt: ""
-    key: ""
-  passenger:
-    version: 5.0.6
-    prestart: http://test.com
-app:
-  user: ubuntu
-  group: ubuntu
+nginx_version: 1.6.2
+nginx_upstream_port: 5000
+nginx_ssl_cert:
+nginx_crt: ""
+nginx_key: ""
+nginx_passenger_version: 5.0.6
+nginx_passenger_prestart: http://test.com
+nginx_passenger_log_file: "{{ app_path }}/log.log"
 domains: test.com
-server_env: production

meta/main.yml

@@ -15,4 +15,4 @@ galaxy_info:
     - web
     - system
 dependencies: []
-version: 1.0.0
+version: 2.0.0

tasks/custom.yml

@@ -1,23 +1,23 @@
 ---
-- name: Create Sites Enabled Directory
+- name: Custom | Create Sites Enabled Directory
   file: path=/etc/nginx/sites-enabled state=directory owner=root group=root
   sudo: yes
 
-- name: Apply defaultserver conf file
+- name: Custom | Apply defaultserver conf file
   template: src=defaultserver.j2 dest=/etc/nginx/sites-enabled/zzzzzdefaultserver owner=root group=root
   sudo: yes
 
-- name: Apply site conf file
+- name: Custom | Apply site conf file
   template: src=site.com.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
   sudo: yes
   when: passenger == "false"
 
-- name: Apply Passenger site conf file
+- name: Custom | Apply Passenger site conf file
   template: src=passenger.site.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
   sudo: yes
   when: passenger == "true"
 
-- name:  Custom Config template placement
+- name: Custom |  Custom Config template placement
   template: src=passenger.conf.j2 dest=/etc/nginx/conf.d/passenger.conf  owner=root group=root
   sudo: yes
   when: passenger == "true"

tasks/main.yml

@@ -1,15 +1,15 @@
 ---
 - name: Check if installed
-  shell: /usr/bin/test `nginx -v 2>&1 | grep "nginx" | awk '{gsub("nginx/","",$3); print $3}'` = {{ nginx.version }} && echo True
+  shell: /usr/bin/test `nginx -v 2>&1 | grep "nginx" | awk '{gsub("nginx/","",$3); print $3}'` = {{ nginx_version }} && echo True
   register: result
   ignore_errors: yes
 
 - name: Take Ownership of /opt
-  file: path=/opt/ owner={{ app.user }} group={{ app.group }} recurse=yes state=directory
+  file: path=/opt/ owner={{ app_user }} group={{ app_group }} recurse=yes state=directory
   sudo: yes
   when: result|failed
 
-- name: Install dependancies
+- name: Install Dependancies
   action: apt pkg={{ item }} state=present
   sudo: yes
   when: result|failed
@@ -25,61 +25,65 @@
     - zlib1g-dev
 
 - name: Download Source
-  get_url: url=http://nginx.org/download/nginx-{{ nginx.version }}.tar.gz dest=/opt/
+  get_url: url=http://nginx.org/download/nginx-{{ nginx_version }}.tar.gz dest=/opt/
   when: result|failed
 
 - name: Unzip Nginx Tar
-  unarchive: src=/opt/nginx-{{ nginx.version }}.tar.gz dest=/opt copy=no group={{ app.group }} owner={{ app.user }}
+  unarchive: src=/opt/nginx-{{ nginx_version }}.tar.gz dest=/opt copy=no group={{ app_group }} owner={{ app_user }}
   when: result|failed
 
 - name: Download Third Party modules
-  get_url: url=http://www.dropbox.com/s/e3n2lin6dvqlaos/modules.tar.gz?dl=1 dest=/opt/nginx-{{ nginx.version }}
+  get_url: url=http://www.dropbox.com/s/e3n2lin6dvqlaos/modules.tar.gz?dl=1 dest=/opt/nginx-{{ nginx_version }}
   when: result|failed
 
 - name: Unzip Modules
-  unarchive: src=/opt/nginx-{{ nginx.version }}/modules.tar.gz dest=/opt/nginx-{{ nginx.version }} copy=no group={{ app.group }} owner={{ app.user }}
+  unarchive: src=/opt/nginx-{{ nginx_version }}/modules.tar.gz dest=/opt/nginx-{{ nginx_version }} copy=no group={{ app_group }} owner={{ app_user }}
   when: result|failed
 
 - include: passenger.yml
   when: passenger == "true"
 
 - name: Change Directory & Configure
-  shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 chdir=/opt/nginx-{{ nginx.version }}
+  shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 chdir=/opt/nginx-{{ nginx_version }}
   when: result|failed
   when: passenger == "false"
 
 - name: Make
-  shell: /usr/bin/make chdir=/opt/nginx-{{ nginx.version }}/
+  shell: /usr/bin/make chdir=/opt/nginx-{{ nginx_version }}/
   sudo: yes
   when: result|failed
 
 - name: Make Install
-  shell: /usr/bin/make install chdir=/opt/nginx-{{ nginx.version }}/
+  shell: /usr/bin/make install chdir=/opt/nginx-{{ nginx_version }}/
   sudo: yes
   when: result|failed
 
-- name: copy init.d configuration file
+- name: Copy Upstart Configuration File
   copy: src=nginx_upstart.conf dest=/etc/init/nginx.conf
   sudo: yes
   when: result|failed
 
-- name: Create conf.d Directory
+- name: Create Conf.d Directory
   file: path=/etc/nginx/conf.d state=directory owner=root group=root
   sudo: yes
-  when: result|failed
 
-- name:  Custom Config template placement
+- include: ssl.yml
+  when: ssl == "true"
+
+- name:  Copy Nginx Configuration Template
   template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf  owner=root group=root
   sudo: yes
-  when: result|failed
 
-- name: Move config files to server
+- name: Copy Logrotate Configuration File
   copy: src=nginx dest=/etc/logrotate.d/nginx
   sudo: yes
-  when: result|failed
 
 - include: custom.yml
   when: custom == "true"
 
+- name: restart nginx
+  service: name=nginx state=restarted
+  sudo: yes
+
 - include: ssl.yml
-  when: ssl == "true"
+  when: ssl == "true"

tasks/passenger.yml

@@ -1,15 +1,18 @@
 ---
-- name: Download Passenger modules
-  get_url: url=https://codeload.github.com/phusion/passenger/tar.gz/release-{{ nginx.passenger.version }} dest=/opt/passenger.tar.gz
+- name: Passenger | Download Passenger modules
+  get_url: url=https://codeload.github.com/phusion/passenger/tar.gz/release-{{ nginx_passenger_version }} dest=/opt/passenger.tar.gz
 
-- name: Unzip Passenger Tar
+- name: Passenger | Unzip Passenger Tar
   unarchive: src=/opt/passenger.tar.gz dest=/opt/ copy=no
 
 - include: sudoers.yml
 
-- name: Change Directory & Configure Passenger
-  shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 --add-module=/opt/passenger/ext/nginx chdir=/opt/nginx-{{ nginx.version }}
+- name: Passenger | Change Directory & Configure Passenger
+  shell: ./configure --user=www-data --group=www-data --prefix=/opt/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --pid-path=/var/run/nginx.pid --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=modules/ngx_http_auth_pam_module-1.2 --add-module=modules/echo-nginx-module-0.51 --add-module=modules/nginx-upstream-fair --add-module=modules/nginx-dav-ext-module-0.0.3 --add-module=/opt/passenger/ext/nginx chdir=/opt/nginx-{{ nginx_version }}
 
-- name: Create Sites Enabled Directory
+- name: Passenger | Create Sites Enabled Directory
   file: path=/etc/nginx/sites-enabled state=directory owner=root group=root
-  sudo: yes
+  sudo: yes
+
+- name: Passenger | Build Native Support
+  command: /opt/passenger/bin/passenger-config build-native-support

tasks/ssl.yml

@@ -1,17 +1,21 @@
 ---
-- name: Create SSL directory
+- name: SSL | Create SSL directory
   file: path=/etc/nginx/ssl/ state=directory owner=root group=root
   sudo: yes
 
-- name: Apply ssl site conf file
+- name: SSL | Apply SSL VHOST file
   template: src=passenger.ssl.site.j2 dest=/etc/nginx/sites-enabled/{{ app_name }} owner=root group=root
   sudo: yes
   when: passenger == "true"
 
-- name: Copy SSL Certs to server
-  copy: src={{ nginx.ssl_cert.crt }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+- name: SSL | Copy SSL Certs to server
+  copy: src={{ nginx_ssl_crt }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
   sudo: yes
 
-- name: Copy SSL Certs to server
-  copy: src={{ nginx.ssl_cert.key }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+- name: SSL | Copy SSL Certs to server
+  copy: src={{ nginx_ssl_key }} dest=/etc/nginx/ssl/ owner=root group=root force=yes
+  sudo: yes
+
+- name: SSL | Create DHPARAM cert
+  command: openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
   sudo: yes

tasks/sudoers.yml

@@ -1,11 +1,15 @@
 ---
 - name: Symlink Passenger directory
-  file: src=/opt/passenger-release-{{ nginx.passenger.version }} path=/opt/passenger state=link
+  file: src=/opt/passenger-release-{{ nginx_passenger_version }} path=/opt/passenger state=link
 
-- name: Copy passenger-path file
+- name: Sudoers | Copy passenger-path file
   copy: src=passenger-path.sh dest=/etc/profile.d/passenger-path.sh owner=root group=root
   sudo: yes
 
-- name: Copy Sudoers template
+- name: Sudoers | Copy Sudoers template
   copy: src=sudoers dest=/etc/sudoers owner=root group=root validate='visudo -cf %s'
-  sudo: yes
+  sudo: yes
+
+- name: Restart ssh
+  service: name=ssh state=restarted
+  sudo: yes

templates/nginx.conf.j2

@@ -56,14 +56,23 @@ http {
   # don’t use SSLv3 ref: POODLE
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
-  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
-  ssl_session_cache   shared:SSL:10m;
+  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
+  ssl_session_cache builtin:1000  shared:SSL:10m;
   ssl_session_timeout   10m;
+  ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
+  ssl_stapling on;
 
+  ##
+  # Additional Headers
+  ##
+
+  add_header "X-UA-Compatible" "IE=Edge";
+  add_header "X-SSL-Protocol" $ssl_protocol;
+  add_header Strict-Transport-Security "max-age=31536000;";
   ##
   # Virtual Host Configs & Extra NGINX features
   ##
 
   include /etc/nginx/conf.d/*.conf;
   include /etc/nginx/sites-enabled/*;
-}
+}

templates/passenger.conf.j2

@@ -7,10 +7,11 @@
   passenger_max_pool_size 15;
   passenger_min_instances 1;
   passenger_pool_idle_time 300;
-  passenger_log_level 2;
+  passenger_log_level 3;
+  passenger_log_file {{ nginx_passenger_log_file }};
   passenger_user deploy;
   passenger_group deploy;
-  passenger_user_switching off;
-  passenger_pre_start {{ nginx.passenger.prestart }};
+  passenger_user_switching on;
+  passenger_pre_start {{ nginx_passenger_prestart }};
   passenger_instance_registry_dir /tmp;
-  passenger_app_env {{ server_env }};
+  passenger_app_env {{ server_env }};