Configuring nginx using debops ansible scripts

I started using ansible some months ago to configure my servers. As a beginner I wrote simply structured recipes, using templates with only a few variables.

Recently I've been made aware of DebOps, a collection of ansible scripts for configuring nearly everything on a server.

With the move to letsencrypt certificates, I decided to script my nginx setup and domains configuration. The main motivation was to have identical configurations, settings and options defined for all domains without having to manually edit every single config file. I also wanted to have some kind of templates, for instance to define the settings for the ACME protocol challenge.

While first thinking about doing it all by myself, I decided to get inspired by the ansible-nginx module.

It took me several (!) hours to migrate my configuration to the nginx module of DebOps. Not that my configurations are that complex. In fact it's rather the module that is very complex as it can handle lots of constellations. As an example, the template for generating the server { } statement for one domain is approx 35kB in size! This makes it pretty hard to get the configuration right the first time.

But finally I did it! The configuration needed for this website is:

  - name: [ 'tech.joel-hatsch.net' ]
    enabled: true
    delete: false
    acme: true
    ssl: true
    ssl_crt: /etc/ssl/joel-hatsch.net.csr_signed
    ssl_key: /etc/ssl/joel-hatsch.net.key
    hsts_enabled: true
    redirect_to_ssl: true
    root: '{{ nginx_www + "/tech.joel-hatsch.net/httpdocs" }}'
    favicon: true

The nice thing is that I only had to add one single statement to be able to run the letsencrypt challenge to verify the domain.

Adding some statements (ssl=true etc), I had the website available with HTTPS, using correct ciphers and security settings.

I also only had to activate one single line (forward_to_ssl=true) to have the website force the use of HTTPS!

This is the real advantage of these templates.
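
As an added illustration (hand-written here, not output of the DebOps template and not taken from this server), this is roughly the kind of nginx configuration that the acme, ssl, hsts_enabled and redirect_to_ssl options stand for. The ACME webroot, the document root prefix, the TLS protocol list and the HSTS max-age are assumptions; only the host name and the certificate paths come from the configuration above.

```nginx
# Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name tech.joel-hatsch.net;

    # acme: true -> the challenge path has to stay reachable over HTTP,
    # so it is matched before the catch-all redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root /path/to/acme-webroot;        # placeholder, assumed location
        default_type text/plain;
        try_files $uri =404;
    }

    # redirect_to_ssl: true -> permanent redirect to the HTTPS site.
    # A fixed host name is used instead of $host so the redirect target
    # cannot be influenced by the request's Host header.
    location / {
        return 301 https://tech.joel-hatsch.net$request_uri;
    }
}

# HTTPS: the actual site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tech.joel-hatsch.net;

    # ssl: true, ssl_crt, ssl_key
    ssl_certificate     /etc/ssl/joel-hatsch.net.csr_signed;
    ssl_certificate_key /etc/ssl/joel-hatsch.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # assumed protocol list

    # hsts_enabled: true -> sent only on HTTPS responses; "always" also
    # covers error pages. The max-age value is a constructed example.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # root: nginx_www + "/tech.joel-hatsch.net/httpdocs"
    # (the value of nginx_www is not given, so the prefix is a placeholder)
    root  /path/to/nginx_www/tech.joel-hatsch.net/httpdocs;
    index index.html;
}
```

After a change like this, `nginx -t` checks the syntax before a reload, and the redirect and the Strict-Transport-Security header can be confirmed from the response headers of a request to each port.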

One downside, however, is that - unless one wants to do heavy editing of the templates and recipes - there are also some hardcoded things in the templates, like the structure of the domains within the $nginx_www directory, the name of the tags defined in the cookbooks ... some of them didn't match my already existing settings :-(