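---
# Play: install nginx on the balancer host(s) and render a single TLS
# front-end that reverse-proxies to the Vault cluster listed in `upstreams`.
# Expected inventory/group variables (not defined here — confirm against the
# caller): `upstreams` (list of Vault host addresses) and `schema`
# (scheme used towards the backends, e.g. http or https).
- name: Установка и настройка nginx
  hosts: nginx-balancer
  # Canonical booleans (true/false) instead of yes/no: YAML 1.1 vs 1.2
  # loaders disagree on the bare words, and ansible-lint/yamllint flag them.
  become: true
  gather_facts: false

  tasks:

    - name: Установка nginx
      apt:
        name: nginx
        # `latest` upgrades the package on every run, not only on first
        # install — pin a version if the balancer must stay reproducible.
        state: latest
        update_cache: true
        autoclean: true
        autoremove: true

    - name: Ensure nginx config file exists
      # `content:` is a module argument, so Ansible renders the Jinja2
      # `{% for %}` / `{{ }}` expressions below before writing the file.
      copy:
        content: |
          upstream vault_servers {
          {% for host in upstreams %}
            server {{ host }}:8200 max_fails=3 fail_timeout=2s;
          {% endfor %}
          }

          server {
            # NOTE(review): on nginx >= 1.25.1 the `http2` listen parameter is
            # deprecated in favour of a separate `http2 on;` directive — confirm
            # the nginx version shipped by the target distribution.
            listen 9000 ssl http2 default_server;
            listen [::]:9000 ssl http2 default_server;

            ssl_certificate /etc/ssl/vault/vault.crt;
            ssl_certificate_key /etc/ssl/vault/vault.key;

            # TLS 1.3 only; the cipher list below applies to TLS 1.2 suites and
            # is therefore inert unless TLSv1.2 is added to ssl_protocols.
            ssl_protocols TLSv1.3;
            ssl_prefer_server_ciphers on;
            ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
            ssl_ecdh_curve secp384r1;
            ssl_session_cache shared:SSL:10m;
            # Session tickets off: avoids a long-lived ticket key weakening
            # forward secrecy across restarts.
            ssl_session_tickets off;
            # NOTE(review): stapling verification needs the issuing chain; if
            # vault.crt is self-signed or lacks the chain, expect
            # "ssl_stapling ignored" in the error log — confirm with
            # `ssl_trusted_certificate` or by bundling the chain.
            ssl_stapling on;
            ssl_stapling_verify on;
            # Hard-coded public resolvers used only for OCSP lookups; this is an
            # outbound plaintext-DNS dependency — consider templating it to the
            # site's own resolver.
            resolver 8.8.8.8 8.8.4.4 valid=300s;
            resolver_timeout 5s;
            # HSTS with `preload`: committing to the preload list is hard to
            # undo, so keep it only if the hostname is meant to be submitted.
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-Content-Type-Options nosniff;

            location / {
              proxy_set_header Host $http_host;
              proxy_set_header X-Real-IP $remote_addr;
              # NOTE(review): Vault only trusts X-Forwarded-For when the
              # listener's x_forwarded_for_authorized_addrs includes this
              # balancer — confirm on the Vault side, otherwise audit logs
              # record the balancer's address as the client.
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              # `schema` selects the backend scheme; if it is http the
              # balancer-to-Vault leg is unencrypted — TODO confirm intended.
              proxy_pass {{ schema }}://vault_servers;
            }

          }

        dest: "/etc/nginx/sites-available/default"
        owner: root
        group: root
        # Quoted so the octal mode is not reinterpreted as a decimal integer.
        mode: '0644'

    - name: Проверка синтаксиса конфигурации Nginx
      command: nginx -t
      register: nginx_check
      # `command` already fails on a non-zero rc; kept explicit for clarity.
      failed_when: "nginx_check.rc != 0"

    - name: Перезагружаем Nginx
      # `restarted` drops in-flight connections; `reloaded` would apply the
      # config without downtime, but is a behaviour change left to the owner.
      service:
        name: nginx
        state: restarted
      when: "nginx_check.rc == 0"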