handlers.yml

#Web role handlers
- name: start nginx
  service: state=started name=nginx

- name: restart nginx
  service: state=restarted name=nginx

- name: check webapp
  wait_for_cmd: shell='curl -s -o /dev/null -k -w "%{http_code}" {{local_webapp_url}} | grep 401' delay=15 timeout=60 repeat_delay=3

main.yml

#Web role tasks

- name: Install Web packages and utilities
  apt: state=present pkg=libyaml-dev,mongodb-clients
  tags: deploy

- name: Install ssl-cert package
  apt: state=present pkg=ssl-cert
  tags: deploy
  when: self_signed_ssl

- name: Uninstall mongo server if not using localhost
  apt: state=absent pkg=mongodb-server
  tags: [deploy]
  when: mongo_hostname != 'localhost'

### Error pages
- name: error page dir
  file: state=directory path={{crunch_dir}}/errorpages owner=root group=root mode=0755
  tags: [update, deploy, epages]

- name: error pages
  template: dest={{crunch_dir}}/errorpages/{{item.filename}} src=error.html mode=0644 owner=root group=root
  tags: [update, deploy, epages]
  with_items:
    - filename: 404.html
      title: File Not Found
      headline: The page you have requested cannot be located
      estimate: Go back, or <a href="/">click here</a> to return to the main page.
      show_blog: Off
    - filename: 502.html
      title: Server Error
      headline: Crunch.io is currently down for maintenance. We're working to have it back up as soon as possible.
      estimate: Please return to the previous page and try again after waiting a few minutes.
      show_blog: On
    - filename: 503.html
      title: Server Error
      headline: Crunch.io is experiencing server issues
      estimate: We are working to resolve these issues as soon as possible
      show_blog: On
    - filename: 504.html
      title: Server Error
      headline: Crunch.io server timeout.
      estimate: This operation took too long to complete. Please try again in a few minutes.
      show_blog: On
    - filename: 500.html
      title: Unexpected Server Error
      headline: An unexpected error occured
      estimate: Please return to the previous page and try again.
      show_blog: Off
    - filename: planned_maint.html
      title: Planned Server Maintenance
      headline: The Crunch.io team is currently performing planned maintenance on our servers.
      estimate: We expect this to only last a few minutes, please check back later.
      show_blog: On
    - filename: unexpected_maint.html
      title: Unexpected Server Maintenance
      headline: The Crunch.io team is working on unexpected server issues
      estimate: We are working to resolve these issues as soon as possible
      show_blog: On


### Nginx configuration
- include: nginx.yml
  when: use_nginx

nginx.conf

proxy_headers_hash_bucket_size 128;
set_real_ip_from 10.0.0.0/8;
log_format access '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$gzip_ratio"';
access_log /var/log/nginx/access.log access buffer=32k;

upstream crunch_host {
{% for x in range(0, ((numprocs|int) if multiproc_crserver else 1)) %}
    server 127.0.0.1:{{8080 + (2*x)}};
{% endfor %}
}

server {
    listen [::]:80;
    return 301 https://{{public_hostname}}$request_uri;
}

server {
    listen [::]:{{listen_port}};
    root {{crunch_dir}}/whaam;
    server_name {{ public_hostname }};

    client_max_body_size 100m;

    gzip             on;
    gzip_min_length  1000;
    gzip_proxied     expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    {% if self_signed_ssl %}
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    
    ssl_session_timeout 5m;
    
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    {% endif %}

    location / {
        # Maintenance modes
        # Nested under / to prevent infinite redirects
        if (-f {{crunch_dir}}/planned) {
            return 307 {{public_url}}e/planned_maint.html;
        }
        if (-f {{crunch_dir}}/unexpected) {
            return 307 {{public_url}}e/unexpected_maint.html;
        }

        # CORS headers. We can't set this globally because /api sets its own.
        add_header 'Access-Control-Allow-Origin' 'http://local.crunch.io:8000';
        add_header 'Access-Control-Allow-Methods' 'OPTIONS, AUTH, POST, GET, HEAD, PUT, DELETE';
        add_header 'Access-Control-Max-Age' 1000;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Origin, Accept, Cookie, Cache-Control';
        add_header 'Access-Control-Expose-Headers' 'Expires, Allow, Location';

        #We nest these locations so we don't have to repeat the CORS headers
        location = /index.html {
            expires -1;
        }

        location ~* \.(css|js|gif|jpe?g|png)$ {
            expires max;
            add_header Cache-Control "public";
        }

        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html;
    }


    location /e {
        alias {{crunch_dir}}/errorpages;
    }

    error_page 404 /e/404.html;
    error_page 500 /e/500.html;
    error_page 502 /e/502.html;
    error_page 503 /e/503.html;
    error_page 504 /e/504.html;

    location /t {
        location  /t/404 { return 404; }
        location  /t/500 { return 500; }
        location  /t/502 { return 502; }
        location  /t/503 { return 503; }
        location  /t/504 { return 504; }
    }

    location /api {
        # Maintenance modes
        # Nested under /api to prevent infinite redirects
        if (-f {{crunch_dir}}/planned) {
            return 307 {{public_url}}e/planned_maint.html;
        }
        if (-f {{crunch_dir}}/unexpected) {
            return 307 {{public_url}}e/unexpected_maint.html;
        }

{% if listen_port != 443 %}
        proxy_set_header Host $host:$server_port;
{% else %}
        proxy_set_header Host $host;
        proxy_redirect http://{{public_hostname}}:443/ {{public_url}};
{% endif %}
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180s;
        proxy_pass http://crunch_host;
    }

    location /nginx_status {
        stub_status on;
        access_log off;
    }
}

nginx.yml

- name: Install Nginx
  apt: state=present pkg=nginx
  tags: [deploy,update,nginx]

- name: Nginx Config
  template: src=nginx.j2 dest=/etc/nginx/sites-available/crunch-app mode=664 owner=root group=root force=yes
  notify: restart nginx
  tags: [deploy,update,nginx,rename]

- name: Nginx worker processes
  lineinfile:
    state: present
    dest: /etc/nginx/nginx.conf
    regexp: 'worker_processes \d+;'
    line: "worker_processes {{ 30 * (numprocs|int) }};"
  notify: restart nginx
  tags: [deploy,update,nginx]

- name: Disable default site
  file: state=absent path=/etc/nginx/sites-enabled/default
  notify: restart nginx
  tags: [deploy,update,nginx]

- name: Link nginx config in sites-enabled
  file: state=link path=/etc/nginx/sites-enabled/crunch-app src=/etc/nginx/sites-available/crunch-app
  notify: restart nginx
  tags: [deploy,update,nginx]

- name: Make sure nginx is started
  service: name=nginx state=started enabled=True
  tags: [deploy,update,nginx]