fix: apparmor config typo

This commit is contained in:
Clément Désiles 2025-11-15 00:17:04 +01:00
parent 3ab48b93a6
commit 9c10116dcb
No known key found for this signature in database
2 changed files with 113 additions and 7 deletions

View File

@ -10,6 +10,8 @@ This Ansible role installs and configures Nginx as a reverse proxy for web appli
- SSL/TLS configuration - SSL/TLS configuration
- Modular vhost configuration via `/etc/nginx/conf.d/` - Modular vhost configuration via `/etc/nginx/conf.d/`
- Zero-downtime reloads - Zero-downtime reloads
- Configurable logging backend (journald or traditional files)
- Automatic logrotate configuration for file-based logging
## Requirements ## Requirements
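Review bot: The commit message reads "fix: apparmor config typo", but this hunk (and the two README hunks after it) documents a new logging-backend feature with nothing AppArmor-related in it; either split the README and logging changes into their own commit or retitle the message (e.g. "docs: document logging backends; fix unbound apparmor profile") so the history stays searchable.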
@ -24,6 +26,29 @@ See `defaults/main.yml` for all available variables and their default values.
The role provides sensible defaults for worker processes, connection limits, upload sizes, compression, and SSL/TLS settings. Override as needed in your inventory. The role provides sensible defaults for worker processes, connection limits, upload sizes, compression, and SSL/TLS settings. Override as needed in your inventory.
### Logging Configuration
```yaml
# Logging backend: 'journald' (systemd journal) or 'file' (traditional logs)
nginx_log_backend: journald # Default: journald
# Logrotate settings (only used when nginx_log_backend: file)
nginx_logrotate_rotate: 14 # Keep 14 days of logs
nginx_logrotate_frequency: daily # daily|weekly|monthly
nginx_logrotate_compress: true # Compress rotated logs
```
**journald backend (default):**
- Logs sent to systemd journal via syslog
- Centralized with other system logs
- Managed by systemd-journald (size limits, retention, compression)
- View with: `journalctl -u nginx`
**file backend:**
- Traditional `/var/log/nginx/*.log` files
- Automatic logrotate configuration deployed
- Useful for external log aggregation tools
## Dependencies ## Dependencies
None. None.
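Review bot: The only documented values for `nginx_log_backend` are `journald` and `file`, and nothing here says what the role does with any other value; add an `ansible.builtin.assert` that `nginx_log_backend` is one of those two (or document the failure mode) so an inventory typo fails the play instead of silently producing a server with no access log. The bullet "Logs sent to systemd journal via syslog" would also be more useful if it named the nginx log directives and syslog target the role renders, since that is the first thing an operator checks when `journalctl -u nginx` comes back empty.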
@ -133,20 +158,76 @@ This pattern allows for independent service deployments:
## Log Management ## Log Management
Nginx logs are written to: ### Journald Backend (Default)
When `nginx_log_backend: journald`, logs are sent to systemd journal:
```bash
# View all nginx logs
journalctl -u nginx -f
# Last 100 lines
journalctl -u nginx -n 100
# Filter by priority (error, warning, info)
journalctl -u nginx -p err
# Time range
journalctl -u nginx --since "1 hour ago"
# Export to file
journalctl -u nginx > nginx-logs.txt
```
**Benefits:**
- Centralized with all system logs
- Automatic rotation/compression via systemd-journald
- Structured metadata (timestamps, priorities)
- No separate logrotate configuration needed
### File Backend
When `nginx_log_backend: file`, logs are written to:
- `/var/log/nginx/access.log` - Access logs - `/var/log/nginx/access.log` - Access logs
- `/var/log/nginx/error.log` - Error logs - `/var/log/nginx/error.log` - Error logs
These are also captured by systemd journal:
```bash ```bash
# View nginx logs
journalctl -u nginx -f
# View traditional log files # View traditional log files
tail -f /var/log/nginx/access.log tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log tail -f /var/log/nginx/error.log
``` ```
Logrotate is automatically configured to:
- Rotate daily (configurable)
- Keep 14 days (configurable)
- Compress old logs
- Reload nginx gracefully after rotation
### Switching Backends
To switch from journald to file logging:
```yaml
- hosts: servers
roles:
- role: nginx
vars:
nginx_log_backend: file
nginx_logrotate_rotate: 30 # Keep 30 days
```
To switch back to journald:
```yaml
- hosts: servers
roles:
- role: nginx
vars:
nginx_log_backend: journald
```
The role automatically removes logrotate config when using journald.
## Configuration Validation ## Configuration Validation
The role automatically validates nginx configuration before applying changes using `nginx -t`. The role automatically validates nginx configuration before applying changes using `nginx -t`.
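Review bot: "Reload nginx gracefully after rotation" should state which signal the logrotate postrotate script sends: rotation only needs nginx to reopen its log files (USR1, `nginx -s reopen`); a full configuration reload (HUP) is heavier than needed and, if the config fails validation at that moment, the old workers keep writing to the already-rotated file. Separately, as rendered the File Backend section still carries "These are also captured by systemd journal:" followed by `journalctl -u nginx -f`, which reads as if the access/error log files land in the journal; with `nginx_log_backend: file` only the daemon's own startup and stderr messages go there, so either drop that sentence or spell out the distinction.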

View File

@ -25,8 +25,33 @@
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/apparmor.d/usr.sbin.unbound dest: /etc/apparmor.d/usr.sbin.unbound
content: | content: |
/etc/unbound/** r, #include <tunables/global>
/var/lib/unbound/** rwk,
/usr/sbin/unbound {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
/etc/unbound/** r,
/var/lib/unbound/** rwk,
/run/unbound.pid rw,
/usr/sbin/unbound mr,
# Allow reading system certificates
/etc/ssl/certs/** r,
/usr/share/ca-certificates/** r,
# Allow network access
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
}
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
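Review bot: The previous content was two bare path rules with no profile header, so this hunk adds a whole enforced AppArmor profile for unbound rather than fixing a typo, and the commit message undersells it. Points to check before merging: the copy task needs to notify a handler that runs `apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound` (or reloads apparmor), because writing the file alone does not load the profile; if the distribution's unbound package already ships a profile at this path, this task overwrites it, and a site-local addition under `/etc/apparmor.d/local/` is the conventional way to extend it; `capability sys_chroot` implies unbound may run chrooted, in which case the `/etc/unbound/**` and `/var/lib/unbound/**` rules must match the chroot layout, and after deploy the journal should be checked for `apparmor="DENIED"` events against `usr.sbin.unbound` before the profile is relied on. Minor style: `#include` still parses, but current AppArmor syntax is `include <...>`.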