checkin

roles/3-base-server/tasks/main.yml

@@ -6,9 +6,15 @@
 - name: HTTPD (APACHE)
   include_role:
     name: httpd
-  # has no "when: XXXXX_install" flag
+  when: apache_install
   tags: base, httpd
 
+- name: NGINX
+  include_role:
+    name: nginx
+  when: nginx_install
+  tags: base, nginx
+
 - name: MYSQL
   include_role:
     name: mysql

roles/awstats/tasks/install.yml

@@ -18,7 +18,6 @@
   tags:
     - download
 
-# SEE ALSO THE apache2_module SECTION IN roles/httpd/tasks/main.yml
 - name: Enable cgi execution (debuntu)
   command: a2enmod cgi
   when: is_debuntu | bool
@@ -35,25 +34,21 @@
   with_items:
     - "{{ awstats_data_dir }}"
     - "{{ apache_log_dir }}"
+    - /usr/lib/cgi-bin/awstats   # create backward compatible path for awstats
 
-- name: Install Apache's awstats.conf from template (debuntu)
+- name: Install nginx's awstats.conf from template (debuntu)
   template:
-    src: apache.conf
-    dest: "/etc/{{ apache_config_dir }}/awstats.conf"
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: 0644
+  with_items:
+     - { src: "awstats-nginx.conf", dest: "/etc/nginx/conf.d/" }
+     - { src: "cgi-bin.php", dest: "/etc/nginx/" }
+#     - { src: "apache-awstats.conf", dest: "/etc/{{ apache_config_dir }}/awstats.conf" }
   when: awstats_enabled and is_debuntu
 
-- name: Install Apache's awstats.conf from template (OS's other than debuntu)
-  template:
-    src: apache-awstats.conf
-    dest: "/etc/{{ apache_config_dir }}/awstats.conf"
-    owner: root
-    group: root
-    mode: 0644
-  when: awstats_enabled and not is_debuntu
-
 - name: Ensure logrotate doesn't make logs unreadable (debuntu)
   template:
     src: logrotate.d.apache2
@@ -69,24 +64,11 @@
   command: mv /etc/awstats/awstats.conf /etc/awstats/awstats.conf.dist
   when: awstats.stat.islnk is defined and not awstats.stat.islnk
 
-- name: Create symlink awstats.conf from sites-enabled to sites-available (debuntu)
+- name: Create symlink for awstats.pl from cgi-bin/awstats/awstats.pl to ../ so that the old apache links to awstats will work after change to nginx
   file:
-    src: /etc/apache2/sites-available/awstats.conf
-    path: /etc/apache2/sites-enabled/awstats.conf
+    src: /usr/lib/cgi-bin/awstats.pl
+    path: /usr/lib/cgi-bin/awstats/awstats.pl
     state: link
-  when: awstats_enabled and is_debuntu
-
-- name: Remove symlink from sites-enabled, to disable AWStats (debuntu)
-  file:
-    path: /etc/apache2/sites-enabled/awstats.conf
-    state: absent
-  when: not awstats_enabled and is_debuntu
-  
-- name: Restart Apache service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"
-    state: restarted
-
 
 - name: Install /etc/awstats/awstats.schoolserver.conf
   template:

roles/awstats/templates/awstats-nginx.conf

@@ -0,0 +1,24 @@
+location ~ ^/awstats {
+  rewrite ^ http://box.lan/cgi-bin/awstats.pl?config=schoolserver;
+}
+location ^~ /awstatsicons {
+   alias /usr/share/awstats/icon/;
+   access_log off;
+}
+location ^~ /awstatsclasses {
+   alias /usr/share/java/awstats/;
+   access_log off;
+}
+
+location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
+    gzip off;
+    include         fastcgi_params;
+    fastcgi_pass    php;
+    fastcgi_index   cgi-bin.php;
+    fastcgi_param   SCRIPT_FILENAME    /etc/nginx/cgi-bin.php;
+    fastcgi_param   SCRIPT_NAME        cgi-bin.php;
+    fastcgi_param   X_SCRIPT_FILENAME  /usr/lib$fastcgi_script_name;
+    fastcgi_param   X_SCRIPT_NAME      $fastcgi_script_name;
+    fastcgi_param   REMOTE_USER        $remote_user;
+}
+

roles/awstats/templates/awstats.schoolserver.conf.j2

@@ -49,7 +49,7 @@
 #
 
 {% if is_debuntu %}
-LogFile="/usr/share/awstats/tools/logresolvemerge.pl /var/log/{{ apache_service }}/access.log* |"
+LogFile="/usr/share/awstats/tools/logresolvemerge.pl {{ apache_log_dir }}/access.log* |"
 {% else %}
 LogFile="/usr/share/awstats/tools/logresolvemerge.pl /var/log/httpd/access_log* |"
 {% endif %}

roles/awstats/templates/cgi-bin.php

@@ -0,0 +1,32 @@
+<?php
+// This is interface between nginx fastcgi and older cgi perl script: awstats.pl
+// Taken from https://wiki.archlinux.org/index.php/AWStats#Nginx
+$descriptorspec = array(
+   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
+   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
+   2 => array("pipe", "w")   // stderr is a file to write to
+);
+$newenv = $_SERVER;
+$newenv["SCRIPT_FILENAME"] = $_SERVER["X_SCRIPT_FILENAME"];
+$newenv["SCRIPT_NAME"] = $_SERVER["X_SCRIPT_NAME"];
+if (is_executable($_SERVER["X_SCRIPT_FILENAME"])) {
+   $process = proc_open($_SERVER["X_SCRIPT_FILENAME"], $descriptorspec, $pipes, NULL, $newenv);
+   if (is_resource($process)) {
+       fclose($pipes[0]);
+       $head = fgets($pipes[1]);
+       while (strcmp($head, "\n")) {
+           header($head);
+           $head = fgets($pipes[1]);
+       }
+       fpassthru($pipes[1]);
+       fclose($pipes[1]);
+       fclose($pipes[2]);
+       $return_value = proc_close($process);
+   } else {
+       header("Status: 500 Internal Server Error");
+       echo("Internal Server Error");
+   }
+} else {
+   header("Status: 404 Page Not Found");
+   echo("Page Not Found");
+}

roles/calibre-web/tasks/main.yml

@@ -71,7 +71,7 @@
     mode: 0644
   with_items:
     - { src: 'calibre-web.service.j2', dest: '/etc/systemd/system/calibre-web.service' }
-    - { src: 'calibre-web.conf.j2', dest: '/etc/apache2/sites-available/calibre-web.conf' }
+    - { src: 'calibre-web-nginx.conf.j2', dest: '/etc/nginx/conf.d/calibre-web.conf' }
 
 - name: Does /library/calibre-web/metadata.db exist?
   stat:
@@ -127,7 +127,7 @@
     daemon_reload: yes
     enabled: no
     state: stopped
-  when: not calibreweb_enabled
+  when: not calibreweb_enabled | bool
 
 - name: Disable http://box{{ calibreweb_url1 }}, http://box{{ calibreweb_url2 }}, http://box{{ calibreweb_url3 }} with Apache
   command: a2dissite calibre-web.conf

roles/calibre-web/templates/calibre-web-nginx.conf.j2

@@ -0,0 +1,8 @@
+location /books {
+   proxy_bind              $server_addr;
+   proxy_set_header        Host            $http_host;
+   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+   proxy_set_header        X-Scheme        $scheme;
+   proxy_set_header        X-Script-Name   /books;
+   proxy_pass http://127.0.0.1:8083;
+}

roles/elgg/tasks/main.yml

@@ -124,6 +124,12 @@
     src: elgg.conf
     dest: "/etc/{{ apache_config_dir }}/elgg.conf"
 
+- name: Install /etc/nginx/conf.d/elgg-nginx.conf from template, for http://box/elgg
+  template:
+    src: elgg-nginx.conf
+    dest: "/etc/nginx/conf.d/elgg-nginx.conf"
+  when: elgg_enabled and is_debuntu
+
 - name: Create symlink elgg.conf from sites-enabled to sites-available (debuntu, not nec for redhat)
   file:
     src: /etc/apache2/sites-available/elgg.conf

roles/elgg/templates/elgg-nginx.conf

@@ -0,0 +1,3 @@
+location /elgg {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/elgg;
+}

roles/httpd/tasks/main.yml

@@ -66,11 +66,12 @@
   with_items:
     - { src: '010-iiab.conf.j2', dest: '/etc/{{ apache_config_dir }}/010-iiab.conf' }
     - { src: 'proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf' }
+    - { src: 'ports.conf' , dest: '/etc/{{ apache_service }}/' , mode: '0644' }
     #- { src: 'php.ini.j2', dest: '/etc/php.ini', mode: '0644' }    # @jvonau suggests removing this in https://github.com/iiab/iiab/issues/1147
 
 # For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
+- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress and/or Moodle intensively
   lineinfile:
     path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
     regexp: "{{ item.regexp }}"
@@ -79,7 +80,7 @@
   with_items:
     - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
     - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
-    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
+    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M' }
     - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
     - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
 
@@ -123,6 +124,7 @@
     - headers
     - proxy
     - proxy_html
+    - headers
     - proxy_http
     - rewrite
   when: is_debuntu | bool

roles/httpd/templates/ports.conf

@@ -0,0 +1,15 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen {{ apache_port }}
+
+#<IfModule ssl_module>
+#	Listen 443
+#</IfModule>
+
+#<IfModule mod_gnutls.c>
+#	Listen 443
+#</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

roles/kolibri/tasks/main.yml

@@ -159,7 +159,7 @@
       value: "{{ kolibri_url }}"
     - option: kolibri_exec_path
       value: "{{ kolibri_exec_path }}"
-    - option: kolibri_http_port
+    - option: kolibri_port
       value: "{{ kolibri_http_port }}"
     - option: kolibri_enabled
       value: "{{ kolibri_enabled }}"

roles/lokole/tasks/install.yml

@@ -110,6 +110,11 @@
     src: lokole.conf.j2
     dest: "/etc/{{ apache_config_dir }}/lokole.conf"
 
+- name: Install /etc/nginx/lokole-nginx.conf from template, for http://box/lokole
+  template:
+    src: lokole-nginx.conf.j2
+    dest: "/etc/nginx/conf.d/lokole-nginx.conf"
+
 - name: Symlink /etc/apache2/sites-enabled/lokole.conf to /etc/{{ apache_config_dir }}/lokole.conf, if lokole_enabled (debuntu)
   file:
     src: "/etc/{{ apache_config_dir }}/lokole.conf"

roles/lokole/templates/lokole-nginx.conf.j2

@@ -0,0 +1,3 @@
+location /lokole {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/lokole;
+}

roles/mediawiki/tasks/install.yml

@@ -72,6 +72,12 @@
     state: link
   when: mediawiki_enabled and is_debuntu
 
+- name: Install nginx config file, if mediawiki_enabled (debuntu)
+  template:
+    src: mediawiki-nginx.conf.j2
+    dest: /etc/nginx/conf.d/mediawiki-nginx.conf
+  when: mediawiki_enabled and is_debuntu
+
 - name: Remove mediawiki.conf if not mediawiki_enabled (debuntu)
   file:
     path: /etc/apache2/sites-enabled/mediawiki.conf

roles/mediawiki/templates/mediawiki-nginx.conf.j2

@@ -0,0 +1,11 @@
+location /mediawiki {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/mediawiki;
+}
+ location ~ /mediawiki/.*\.php$ {
+
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+
+}

roles/moodle/tasks/main.yml

@@ -81,6 +81,15 @@
     mode: 0644
   when: moodle_enabled | bool
 
+- name: Install nginx's config file from template, if moodle_enabled
+  template:
+    src: moodle-nginx.conf.j2
+    dest: "/etc/nginx/conf.d/moodle-nginx.conf"
+    owner: root
+    group: root
+    mode: 0644
+  when: moodle_enabled | bool
+
 - name: Create symlink 022-moodle.conf from sites-enabled to sites-available, if moodle_enabled (debuntu)
   file:
     src: /etc/apache2/sites-available/022-moodle.conf

roles/moodle/templates/moodle-nginx.conf.j2

@@ -0,0 +1,13 @@
+location /moodle {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+}
+location ~ ^/moodle.*\.php$ {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+}
+   

roles/moodle/templates/moodle-nginx.conf.j2.native

@@ -0,0 +1,16 @@
+location ^/moodle {
+   alias /opt/iiab/moodle;
+   try_files $uri $uri/ index.php =404;
+}
+location ~ /moodle/(.*)\.php {
+    root /opt/iiab/;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    include fastcgi_params;
+    fastcgi_index index.php;
+    fastcgi_pass php;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
+}

roles/munin/tasks/main.yml

@@ -30,7 +30,7 @@
     mode: 0644
   with_items:
     - { src: 'munin.conf.j2', dest: '/etc/munin/munin.conf' }
-    - { src: 'munin24.conf.j2', dest: '/etc/{{ apache_config_dir }}/munin24.conf' }
+    - { src: 'munin24-nginx.conf.j2', dest: '/etc/nginx/conf.d/munin24-nginx.conf' }
 
 - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
   htpasswd:

roles/munin/templates/munin24-nginx.conf.j2

@@ -0,0 +1,4 @@
+location  /munin {
+  alias /var/cache/munin/www/ ;
+  try_files $uri $uri/ /index.html;
+}

roles/nextcloud/defaults/main.yml

@@ -3,6 +3,7 @@
 
 # nextcloud_install: False
 # nextcloud_enabled: False
+nextcloud_force_install: False
 
 # nextcloud_allow_public_ips: False
 

roles/nextcloud/tasks/enable_or_disable.yml

@@ -33,6 +33,17 @@
     state: absent
   when: not nextcloud_enabled and is_redhat
 
+- name: Enable the nginx proxying to apache
+  template: src=nextcloud-nginx.conf dest=/etc/nginx/conf.d/nextcloud-nginx.conf
+  when: nextcloud_enabled | bool
+
+- name: Restart apache, so it picks up the new aliases
+  service: name={{ apache_service }} state=restarted
+
+- name: Restart nnginx
+  service: name=nginx state=restarted
+  when: nginx_enabled | bool
+
 - name: Restart Apache, enabling/disabling http://box/nextcloud
   service:
     name: "{{ apache_service }}"

roles/nextcloud/tasks/main.yml

@@ -7,7 +7,7 @@
   #set_fact:
   #  nextcloud_force_install: True
   include_tasks: install.yml
-  when: nextcloud_install and not nextcloud_page.stat.exists
+  when: (nextcloud_install and not nextcloud_page.stat.exists) or nextcloud_force_install
 
 # - debug:
 #     var: nextcloud_force_install

roles/nextcloud/templates/nextcloud-nginx.conf

@@ -0,0 +1,11 @@
+location /nextcloud {
+  proxy_pass http://127.0.0.1:{{ apache_port }}/nextcloud;
+}
+
+location ~ /nextcloud/.*\.php$ {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+}
+