Initial

roles/nginxinc.nginx_unit/tasks/keys/setup-keys.yml

@@ -0,0 +1,17 @@
+---
+- name: (Debian/Red Hat OSs) Set up NGINX signing key URL
+  set_fact:
+    keysite: "{{ nginx_unit_signing_key | default(nginx_unit_default_signing_key) }}"
+
+- name: (Debian/Ubuntu) Add NGINX signing key
+  apt_key:
+    id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+    url: "{{ keysite }}"
+  when: ansible_facts['os_family'] == "Debian"
+
+- name: (Amazon Linux/CentOS/RHEL) Add NGINX signing key
+  rpm_key:
+    fingerprint: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+    key: "{{ keysite }}"
+    validate_certs: "{{ (ansible_facts['distribution_major_version'] is version('6', '==')) | ternary('no', 'yes') }}"
+  when: ansible_facts['os_family'] in ['RedHat', 'Suse']

roles/nginxinc.nginx_unit/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Setup prerequisites
+  include_tasks: "{{ role_path }}/tasks/prerequisites/prerequisites.yml"
+  tags: nginx_unit_prerequisites
+
+- name: Setup keys
+  include_tasks: keys/setup-keys.yml
+  when:
+    - ansible_facts['os_family'] in ['Debian', 'RedHat']
+    - nginx_unit_enable | bool
+  tags: nginx_unit_key
+
+- name: Install NGINX Unit
+  include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
+  when: nginx_unit_enable | bool
+  tags: nginx_unit_install

roles/nginxinc.nginx_unit/tasks/prerequisites/install-dependencies.yml

@@ -0,0 +1,26 @@
+---
+- name: (Debian/Ubuntu) Install dependencies
+  apt:
+    name: "{{ nginx_unit_debian_dependencies }}"
+    update_cache: yes
+  when: ansible_facts['os_family'] == "Debian"
+
+- name: (Amazon Linux/CentOS/RHEL) Install dependencies
+  yum:
+    name: "{{ nginx_unit_redhat_dependencies }}"
+  when: ansible_facts['os_family'] == "RedHat"
+
+- name: (FreeBSD) Install dependencies
+  block:
+    - name: (FreeBSD) Install dependencies using package(s)
+      pkgng:
+        name: "{{ nginx_unit_freebsd_dependencies }}"
+      when: nginx_bsd_install_packages | bool
+
+    - name: (FreeBSD) Install dependencies using port(s)
+      portinstall:
+        name: "{{ item }}"
+        use_packages: "{{ nginx_unit_bsd_portinstall_use_packages | default(omit) }}"
+      loop: "{{ nginx_unit_freebsd_dependencies }}"
+      when: not nginx_bsd_install_packages | bool
+  when: ansible_facts['distribution'] == "FreeBSD"

roles/nginxinc.nginx_unit/tasks/prerequisites/prerequisites.yml

@@ -0,0 +1,19 @@
+---
+- name: Install dependencies
+  include_tasks: "{{ role_path }}/tasks/prerequisites/install-dependencies.yml"
+
+- name: Set up SELinux
+  block:
+    - name: Check if SELinux is enabled
+      debug:
+        msg: You need to enable SELinux, if it was disabled you need to reboot
+      when: ansible_facts['selinux'] is undefined
+
+    - name: Configure SELinux
+      include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
+      when: ansible_facts['selinux']['mode'] is defined
+  when:
+    - nginx_unit_selinux | bool
+    - "'selinux' in ansible_facts"
+    - ansible_facts['os_family'] in ['RedHat']
+    - ansible_facts['distribution'] not in ['Amazon']

roles/nginxinc.nginx_unit/tasks/prerequisites/setup-selinux.yml

@@ -0,0 +1,57 @@
+---
+- name: (CentOS/RHEL) Install dependencies
+  block:
+    - name: (CentOS/RHEL 6/7) Install dependencies
+      yum:
+        name:
+          - policycoreutils-python
+          - setools
+      when: ansible_facts['distribution_major_version'] is version('8', '!=')
+
+    - name: (CentOS/RHEL 8) Install dependencies
+      yum:
+        name:
+          - libselinux-utils
+          - policycoreutils
+          - selinux-policy-targeted
+      when: ansible_facts['distribution_major_version'] is version('8', '==')
+  when: ansible_facts['os_family'] == "RedHat"
+
+- name: Set SELinux mode to permissive
+  selinux:
+    state: permissive
+    policy: targeted
+
+- name: Allow SELinux HTTP network connections
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+
+- name: Allow SELinux HTTP network connections
+  seboolean:
+    name: httpd_can_network_relay
+    state: yes
+    persistent: yes
+
+- name: Allow SELinux TCP connections on specific ports
+  seport:
+    ports: "{{ nginx_unit_selinux_tcp_ports }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when: nginx_unit_selinux_tcp_ports is defined
+
+- name: Allow SELinux UDP connections on specific ports
+  seport:
+    ports: "{{ nginx_unit_selinux_udp_ports }}"
+    proto: udp
+    setype: http_port_t
+    state: present
+  when: nginx_unit_selinux_udp_ports is defined
+
+- name: Set SELinux mode to enforcing
+  selinux:
+    state: enforcing
+    policy: targeted
+  when: nginx_unit_selinux_enforcing | bool

roles/nginxinc.nginx_unit/tasks/unit/install-modules.yml

@@ -0,0 +1,16 @@
+---
+- name: (Amazon Linux/CentOS/Debian/RedHat/Ubuntu) Install NGINX Unit modules
+  package:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ nginx_unit_modules }}"
+  when: ansible_facts['os_family'] != "FreeBSD"
+  notify: (Handler - Amazon Linux/CentOS/Debian/RedHat/Ubuntu) Start NGINX Unit
+
+- name: (FreeBSD) Install NGINX Unit modules
+  portinstall:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ nginx_unit_modules }}"
+  when: ansible_facts['os_family'] == "FreeBSD"
+  notify: (Handler - FreeBSD) Start NGINX Unit

roles/nginxinc.nginx_unit/tasks/unit/install-unit.yml

@@ -0,0 +1,22 @@
+---
+- name: Configure NGINX Unit repository
+  include_tasks: "{{ role_path }}/tasks/unit/setup-{{ ansible_facts['os_family'] | lower }}.yml"
+  when: ansible_facts['os_family'] in ['Debian', 'FreeBSD', 'RedHat']
+
+- name: (Amazon Linux/CentOS/Debian/RedHat/Ubuntu) Install NGINX Unit
+  package:
+    name: unit
+    state: present
+  when: ansible_facts['os_family'] != "FreeBSD"
+  notify: (Handler - Amazon Linux/CentOS/Debian/RedHat/Ubuntu) Start NGINX Unit
+
+- name: (FreeBSD) Install NGINX Unit
+  portinstall:
+    name: unit
+    state: present
+  when: ansible_facts['os_family'] == "FreeBSD"
+  notify: (Handler - FreeBSD) Start NGINX Unit
+
+- name: Install NGINX Unit modules
+  include_tasks: "{{ role_path }}/tasks/unit/install-modules.yml"
+  when: nginx_unit_modules is defined

roles/nginxinc.nginx_unit/tasks/unit/setup-debian.yml

@@ -0,0 +1,10 @@
+---
+- name: "(Debian/Ubuntu) Add NGINX Unit repository"
+  apt_repository:
+    filename: nginx-unit
+    repo: "{{ item }}"
+    update_cache: yes
+    mode: 0644
+  loop:
+    - deb [arch=amd64] https://packages.nginx.org/unit/{{ ansible_facts['distribution'] | lower }}/ {{ ansible_facts['distribution_release'] }} unit
+    - deb-src https://packages.nginx.org/unit/{{ ansible_facts['distribution'] | lower }}/ {{ ansible_facts['distribution_release'] }} unit

roles/nginxinc.nginx_unit/tasks/unit/setup-freebsd.yml

@@ -0,0 +1,10 @@
+---
+- name: (FreeBSD) fetch ports
+  command: portsnap fetch --interactive
+  args:
+    creates: /var/db/portsnap/INDEX
+
+- name: (FreeBSD) Extract ports
+  command: portsnap extract
+  args:
+    creates: /usr/ports

roles/nginxinc.nginx_unit/tasks/unit/setup-redhat.yml

@@ -0,0 +1,21 @@
+---
+- name: (CentOS/RHEL) Add NGINX Unit repository
+  yum_repository:
+    name: nginx-unit
+    baseurl: "https://packages.nginx.org/unit/{{ (ansible_facts['distribution'] == 'RedHat') | ternary('rhel/', 'centos/') }}$releasever/$basearch/"
+    description: NGINX Unit Repository
+    enabled: yes
+    gpgcheck: yes
+    mode: 0644
+  when: ansible_facts['distribution'] != "Amazon"
+
+- name: (Amazon Linux) Add NGINX Unit repository
+  yum_repository:
+    name: nginx-unit
+    baseurl: "https://packages.nginx.org/unit/amzn\
+              {{ (ansible_facts['distribution_major_version'] is version('2', '==')) | ternary('2', '') }}/$releasever/$basearch/"
+    description: NGINX Unit Repository
+    enabled: yes
+    gpgcheck: yes
+    mode: 0644
+  when: ansible_facts['distribution'] == "Amazon"