vault-cluster
71 строка · 2.1 Кб
1---2- name: Установка и настройка nginx3hosts: nginx-balancer4become: yes5gather_facts: no6tasks:8- name: Установка nginx10apt:11name: nginx12state: latest13update_cache: yes14autoclean: yes15autoremove: yes16- name: Ensure nginx config file exists18copy:19content: |20upstream vault_servers {21{% for host in upstreams %}22server {{ host }}:8200 max_fails=3 fail_timeout=2s;23{% endfor %}24}25server {27listen 9000 ssl http2 default_server;28listen [::]:9000 ssl http2 default_server;29ssl_certificate /etc/ssl/vault/vault.crt;31ssl_certificate_key /etc/ssl/vault/vault.key;32ssl_protocols TLSv1.3;34ssl_prefer_server_ciphers on;35ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";36ssl_ecdh_curve secp384r1;37ssl_session_cache shared:SSL:10m;38ssl_session_tickets off;39ssl_stapling on;40ssl_stapling_verify on;41resolver 8.8.8.8 8.8.4.4 valid=300s;42resolver_timeout 5s;43add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";44add_header X-Frame-Options "SAMEORIGIN";45add_header X-Content-Type-Options nosniff;46location / {48proxy_set_header Host $http_host;49proxy_set_header X-Real-IP $remote_addr;50proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;51proxy_set_header X-Forwarded-Proto $scheme;52proxy_pass {{ schema }}://vault_servers;53}54}56dest: "/etc/nginx/sites-available/default"58owner: root59group: root60mode: '0644'61- name: Проверка синтаксиса конфигурации Nginx63command: nginx -t64register: nginx_check65failed_when: "nginx_check.rc != 0"66- name: Перезагружаем Nginx68service:69name: nginx70state: restarted71when: "nginx_check.rc == 0"72