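---
# Configure an Nginx TLS-terminating load balancer on the `proxy` group
# (ALT Linux). Nginx listens on the VIP, redirects HTTP to HTTPS and proxies
# to every host in the `server` group over HTTPS. A separate plain-HTTP
# listener exposes stub_status to internal networks only.
#
# NOTE(review): assumes the distro nginx.conf includes conf.d/*.conf and
# sites-enabled/* — confirm on ALT Linux before relying on it.
# NOTE(review): binding to a specific VIP requires the address to be present
# on the host (or net.ipv4.ip_nonlocal_bind=1); on a standby node without the
# VIP nginx will fail to start.
- name: Configure Nginx Load Balancer (ALT Linux)
  hosts: proxy
  become: true
  vars:
    vip_address: "172.16.1.253"
    backend_servers: "{{ groups['server'] }}"
    backend_port: 443
    stats_port: 9000
    server_name: "www.au.team"
    # Certificate and key as installed for Nginx. Kept as two files so the
    # private key can carry a stricter mode than the public certificate.
    ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt"
    ssl_key_path: "/etc/nginx/ssl/www.au.team.key"
    # Where the Angie deployment left the certificate and key.
    # NOTE(review): these paths are read on the proxy host itself, so the
    # files must already be present there (shared mount or earlier play).
    angie_ssl_cert_path: "/etc/angie/ssl/www.au.team.crt"
    angie_ssl_key_path: "/etc/angie/ssl/www.au.team.key"
    # Verify the backend's TLS certificate on the proxy -> backend hop.
    # Defaults to false to keep the previous behaviour, but without
    # verification that hop is open to man-in-the-middle; production
    # deployments should set this to true and point backend_ca_path at the
    # CA that issued the backend certificates.
    backend_ssl_verify: false
    backend_ca_path: "/etc/nginx/ssl/backend-ca.crt"
    # Networks allowed to reach the stats listener (applies to every
    # location on that server, not just stub_status).
    stats_allowed_networks:
      - "127.0.0.1"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"

  tasks:
    - name: Update package cache (ALT Linux)
      # ALT's APT (apt-rpm) is driven through the `apt-get` front end; there
      # is no `apt-rpm` executable to call.
      ansible.builtin.command:
        cmd: apt-get update
      changed_when: false
      tags:
        - nginx

    - name: Install Nginx package (ALT Linux)
      ansible.builtin.package:
        name: nginx
        state: present
      tags:
        - nginx

    - name: Create SSL directory for Nginx
      ansible.builtin.file:
        path: /etc/nginx/ssl
        state: directory
        mode: "0755"
        owner: root
        group: root
      tags:
        - ssl

    # The copy module writes to a temp file and renames it with the final
    # mode already applied, so the key is never briefly world-readable (the
    # former `cat > file; chmod 600` sequence had that window). No `creates`
    # guard: a rotated certificate is picked up on the next run.
    - name: Install TLS certificate for Nginx
      ansible.builtin.copy:
        src: "{{ angie_ssl_cert_path }}"
        dest: "{{ ssl_cert_path }}"
        remote_src: true
        owner: root
        group: root
        mode: "0644"
      notify: Reload nginx
      tags:
        - ssl

    - name: Install TLS private key for Nginx
      ansible.builtin.copy:
        src: "{{ angie_ssl_key_path }}"
        dest: "{{ ssl_key_path }}"
        remote_src: true
        owner: root
        group: root
        mode: "0600"
      # keep key material out of --diff / verbose output
      no_log: true
      notify: Reload nginx
      tags:
        - ssl

    - name: Create directories for Nginx config
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0755"
        owner: root
        group: root
      loop:
        - /etc/nginx/conf.d
        - /etc/nginx/sites-available
        - /etc/nginx/sites-enabled
      tags:
        - nginx

    - name: Configure Nginx upstream for backend servers
      # Round-robin is Nginx's default; the former `balance roundrobin`
      # line is HAProxy syntax and makes `nginx -t` fail.
      ansible.builtin.copy:
        content: |
          upstream backend_servers {
          {% for server in backend_servers %}
              server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s;
          {% endfor %}
          }
        dest: /etc/nginx/conf.d/upstream.conf
        mode: "0644"
        backup: true
      notify: Reload nginx
      tags:
        - nginx

    - name: Configure Nginx vhost with SSL and load balancing
      ansible.builtin.copy:
        content: |
          # HTTP: redirect everything to HTTPS
          server {
              listen {{ vip_address }}:80;
              listen [::]:80;
              server_name {{ server_name }};
              return 301 https://$host$request_uri;
          }

          # HTTPS: terminate TLS and balance across the backends
          server {
              listen {{ vip_address }}:443 ssl;
              listen [::]:443 ssl;
              server_name {{ server_name }};

              ssl_certificate {{ ssl_cert_path }};
              ssl_certificate_key {{ ssl_key_path }};
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_ciphers HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers on;

              # HSTS; `always` also attaches it to error responses
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

              location / {
                  proxy_pass https://backend_servers;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;

                  # Backend TLS: send SNI so the backend can pick the right
                  # certificate, and verify it when backend_ssl_verify is set.
                  proxy_ssl_protocols TLSv1.2 TLSv1.3;
                  proxy_ssl_server_name on;
                  proxy_ssl_name {{ server_name }};
          {% if backend_ssl_verify %}
                  proxy_ssl_verify on;
                  proxy_ssl_verify_depth 2;
                  proxy_ssl_trusted_certificate {{ backend_ca_path }};
          {% else %}
                  # WARNING: backend certificate is NOT verified (set backend_ssl_verify: true)
                  proxy_ssl_verify off;
          {% endif %}

                  proxy_connect_timeout 10s;
                  proxy_send_timeout 30s;
                  proxy_read_timeout 30s;
              }
          }

          # Stats listener (plain HTTP). The allow/deny list is set at server
          # level so it covers every location, including /haproxy_stats,
          # which previously had no access control at all.
          server {
              listen {{ vip_address }}:{{ stats_port }};
              server_name {{ server_name }};

          {% for net in stats_allowed_networks %}
              allow {{ net }};
          {% endfor %}
              deny all;

              location / {
                  stub_status on;
              }

              location /haproxy_stats {
                  # default_type sets the response type for `return`;
                  # add_header would emit a second Content-Type header.
                  default_type text/plain;
                  return 200 "Nginx Stats\nActive connections: $connections_active\n";
              }
          }
        dest: /etc/nginx/sites-available/www.au.team.conf
        mode: "0644"
        backup: true
      notify: Reload nginx
      tags:
        - nginx

    - name: Enable site configuration
      ansible.builtin.file:
        src: /etc/nginx/sites-available/www.au.team.conf
        dest: /etc/nginx/sites-enabled/www.au.team.conf
        state: link
      notify: Reload nginx
      tags:
        - nginx

    - name: Remove default Nginx site
      # `state: absent` already succeeds when the file does not exist, so
      # no ignore_errors is needed.
      ansible.builtin.file:
        path: /etc/nginx/sites-enabled/default
        state: absent
      notify: Reload nginx
      tags:
        - nginx

    - name: Validate Nginx configuration before (re)starting
      # Fail the play on a broken config instead of leaving nginx down or
      # letting the reload handler run against it.
      ansible.builtin.command:
        cmd: nginx -t
      changed_when: false
      tags:
        - nginx

    - name: Enable and start Nginx service
      ansible.builtin.systemd:
        name: nginx
        enabled: true
        state: started
      tags:
        - nginx

  handlers:
    - name: Reload nginx
      ansible.builtin.systemd:
        name: nginx
        state: reloaded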