
Holy cow...

a guest
Jul 17th, 2018
  1. TASK [debops.nginx : Generate nginx server configuration] *********************************************************************************************************
  2. failed: [rangers] (item={u'name': [u'marc.test.aiprx.com'], u'redirect_to_ssl': False, u'enabled': True, u'stapling': True, u'ssl': True, u'pki_key': u'default.key', u'root': u'/srv/www/sites/acme/public/', u'pki_crt': u'default.crt'}) => {"changed": false, "item": {"enabled": true, "name": ["marc.test.aiprx.com"], "pki_crt": "default.crt", "pki_key": "default.key", "redirect_to_ssl": false, "root": "/srv/www/sites/acme/public/", "ssl": true, "stapling": true}, "msg": "AnsibleError: Unexpected templating type error occurred on ({% import 'debops__tpl_macros.j2' as debops__tpl_macros with context %}\n{#\n #\n # ==== Default server template for debops.nginx role ====\n #\n # Refer to the documentation in /docs/defaults-detailed.rst\n #\n #}\n\n{#\n #\n # ---- HTTPS, ports to listen on, default server, HTTPS redirect ----\n #}\n{% set nginx_version = ansible_local.nginx.version if (ansible_local|d() and ansible_local.nginx|d() and ansible_local.nginx.version|d()) else \"0.0\" %}\n{% set nginx_tpl_robots_tag = [] if (item.robots_tag|d(nginx__http_robots_tag) is string and item.robots_tag|d(nginx__http_robots_tag) == omit)\n else (\n [ item.robots_tag|d(nginx__http_robots_tag) ]\n if (item.robots_tag|d(nginx__http_robots_tag) is string)\n else (item.robots_tag|d(nginx__http_robots_tag))) %}\n{% set nginx_tpl_acme = (item.acme | default(nginx_acme)) | bool %}\n{% set nginx_tpl_ssl = (item.ssl | default(nginx_pki)) | bool %}\n{% set nginx_tpl_listen = item.listen | default(nginx_listen_port if nginx_listen_port else nginx_listen_socket) %}\n{% if nginx_tpl_ssl | bool %}\n{% set nginx_tpl_listen_ssl = item.listen_ssl | default(nginx_listen_ssl_port if nginx_listen_ssl_port else nginx_listen_ssl_socket) %}\n{% endif %}\n{% set nginx_tpl_default_server = [] %}\n{% set nginx_tpl_ipv6only = [] %}\n{% if nginx_register_default_server|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server or\n not name 
and nginx_register_default_server == \"default\") %}\n{% set _ = nginx_tpl_default_server.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_server_ssl = [] %}\n{% set nginx_tpl_ipv6only_ssl = [] %}\n{% if nginx_register_default_server_ssl|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server_ssl or\n not name and nginx_register_default_server_ssl == \"default\") %}\n{% set _ = nginx_tpl_default_server_ssl.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only_ssl.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_redirect_code = '307' %}\n{% set nginx_tpl_default_redirect_code_ssl = '301' %}\n{% set nginx_tpl_http_redirect = item.redirect | default('https://$host$request_uri') %}\n{% set nginx_tpl_pki_custom_realm = '' %}\n{% set nginx_tpl_pki_custom_realm_list = [] %}\n{% if (nginx_pki | bool and item.name | d() and (ansible_local|d() and ansible_local.pki|d() and ansible_local.pki.known_realms|d())) %}\n{# TODO: Legacy code. 
Use debops__tpl_macros.j2 #}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if name in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name) %}\n{% elif (name.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name.split('.')[1:] | join('.')) %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% if nginx_tpl_pki_custom_realm_list %}\n{% set nginx_tpl_pki_custom_realm = nginx_tpl_pki_custom_realm_list[0] %}\n{% endif %}\n{#\n #\n # ---- SSL certificate ----\n #}\n{% set nginx_tpl_ssl_certificate = item.ssl_crt|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_crt|d(nginx_pki_crt))) %}\n{#\n #\n # ---- SSL certificate key ----\n #}\n{% set nginx_tpl_ssl_certificate_key = item.ssl_key|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_key|d(nginx_pki_key))) %}\n{#\n #\n # ---- SSL client CA certificate ----\n #}\n{% set nginx_tpl_ssl_client_certificate = item.ssl_ca|d(nginx_pki_path + \"/\" + item.pki_ca_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_ca_realm) + \"/\" + (item.pki_ca|d(nginx_pki_ca))) %}\n{#\n #\n # ---- SSL trusted CA certificate ----\n #}\n{% set nginx_tpl_ssl_trusted_certificate = item.ssl_trusted\n |d(nginx_pki_path + \"/\" + (item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + item.pki_trusted | d(nginx_pki_trusted))) %}\n{#\n #\n # ---- Diffie-Hellman Key Exchange parameters ----\n #}\n{% set nginx_tpl_ssl_dhparam = item.ssl_dhparam | default(nginx_ssl_dhparam) %}\n{#\n #\n # ---- root directory ----\n #}\n{% if item.owner|d() %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/' + item.owner + '/sites/' + (item.name if item.name is string 
else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% else %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% endif %}\n{% if item.root_suffix|d() %}\n{% set nginx_tpl_root = nginx_tpl_root + '/' + item.root_suffix %}\n{% endif %}\n{% macro print_root() %}\n{% block nginx_tpl_block_root %}\n{% if (not (item.root|d() | bool)) and nginx_tpl_root %}\n root {{ nginx_tpl_root }};\n{% endif %}\n{% endblock %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location' hash, flat ----\n #}\n{% macro print_location(location,location_allow=[],location_referers=[],location_deny=[]) %}\n{% if location is defined %}\n{% for path in location.keys() %}\n{% if location[path] %}\n location {{ path }} {\n{% if location_referers is defined %}\n{% if location_referers[path] is defined and location_referers[path] %}\n valid_referers none blocked {{ location_referers[path] | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% endif %}\n {{ item.location[path] | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% if location_allow is defined %}\n{% if location_allow[path] is defined and location_allow[path] %}\n{% for address in location_allow[path] | unique %}\n allow {{ address }};\n{% endfor %}\n{% if location_deny is defined %}\n{% if location_deny[path] is defined %}\n{% for address in location_deny[path] | unique %}\n deny {{ address }};\n{% endfor %}\n{% endif %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% endif %}\n }\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location_list' list, recursive\n #}\n{% macro print_location_list(location_list) %}\n{% if location_list is defined %}\n{% for entry in location_list %}\n{% if entry.pattern|d() 
and (entry.enabled|d(True) | bool) %}\n location {{ entry.pattern_prefix | default('') + entry.pattern }} {\n{% if entry.referers|d() %}\n valid_referers none blocked {{ entry.referers | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% if entry.options|d() %}\n {{ entry.options | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n{% if entry.allow|d() %}\n{% for address in entry.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% if entry.deny|d() %}\n{% for address in entry.deny | unique %}\n deny {{ address }};\n{% endfor %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% if entry.locations|d() %}\n{{ print_location_list(entry.locations) | indent(8, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n }\n{% endif %}\n{% if not loop.last %}\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints the nginx server block which is shared between HTTP and HTTPS\n #}\n{% macro print_shared_nginx_server_block() %}\n{% if (not nginx_tpl_ssl and ((item.redirect|d()) or (item.redirect_to_ssl|d() | bool))) %}\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n{% elif nginx_tpl_ssl and item.redirect_ssl|d() %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} {{ item.redirect_ssl }};\n{% else %}\n keepalive_timeout {{ item.keepalive | default(nginx_default_keepalive_timeout) | string }};\n\n{% block nginx_tpl_block_log %}\n{% if item.name|d() %}\n{% set nginx_tpl_access_log_format = '' %}\n{% if item.access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + item.access_log_format %}\n{% elif nginx_access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + nginx_access_log_format %}\n{% endif %}\n access_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.access_log | d(item.filename | d(item.name if item.name is string else item.name[0]) 
+ '_access') }}.log{{ nginx_tpl_access_log_format }};\n error_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.error_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_error') }}.log;\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_index %}\n{% if item.index|d(True) %}\n index {{ item.index | default('index.html index.htm') }};\n\n{% endif %}\n{% endblock %}\n{% if nginx_real_ip_from|d() and nginx_real_ip_from %}\n{% if nginx_real_ip_header|d() and nginx_real_ip_header %}\n real_ip_header {{ nginx_real_ip_header }};\n{% endif %}\n{% if nginx_real_ip_recursive | bool %}\n real_ip_recursive on;\n{% elif not nginx_real_ip_recursive | bool %}\n real_ip_recursive off;\n{% endif %}\n{% if nginx_real_ip_from is string %}\n set_real_ip_from {{ nginx_real_ip_from }};\n\n{% else %}\n{% for element in nginx_real_ip_from %}\n set_real_ip_from {{ element }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n{% if item.maintenance|d(True)|bool %}\n if (-f $document_root/{{ item.maintenance_file | d('maintenance.html') }}) {\n return 503;\n }\n error_page 503 @maintenance;\n location @maintenance {\n rewrite ^(.*)$ /{{ item.maintenance_file | d('maintenance.html') }} break;\n }\n\n{% endif %}\n{% if item.error_pages|d() %}\n{% for code, location in item.error_pages.items() %}\n error_page {{ code }} {{ location }};\n location {{ location }} {\n internal;\n }\n\n{% endfor %}\n{% endif %}\n{% if item.include_files_begin|d() %}\n{% for file in item.include_files_begin %}\n include {{ file }};\n{% endfor %}\n\n{% endif %}\n{% if item.error_pages_list|d() %}\n{% for element in item.error_pages_list %}\n{% if element.location|d() or element.location_options|d() %}\n\n{% endif %}\n error_page {{ element.code if (element.code is string) else (element.code | join(\" \")) }} {{ element.uri }};\n{% if element.location|d() or element.location_options|d() %}\n location {{ element.location | d(element.uri) }} {\n{{ element.location_options | indent(16, 
true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n }\n{% if not loop.last %}\n\n{% endif %}\n{% endif %}\n{% endfor %}\n\n{% endif %}\n{% if item.options|d() %}\n {{ item.options | indent(8) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_satisfy_map) %}\n satisfy {{ nginx_access_policy_satisfy_map[item.access_policy] }};\n\n{% elif item.allow|d() or\n (item.auth_basic|d() | bool) or\n (item.satisfy|d()) or\n (item.access_policy|d() and\n item.access_policy not in nginx_access_policy_satisfy_map) %}\n satisfy {{ item.satisfy | default(nginx_default_satisfy) }};\n\n{% endif %}\n{% if item.allow|d() or item.access_policy|d() %}\n{% if item.allow is defined %}\n{% if item.allow is string %}\n allow {{ item.allow }};\n{% else %}\n{% for address in item.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_allow_map) %}\n{% for address in nginx_access_policy_allow_map[item.access_policy] | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_auth_basic_map) %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ nginx_private_path + \"/\" + nginx_access_policy_auth_basic_map[item.access_policy] }};\n\n{% elif item.auth_basic|d() | bool %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ item.auth_basic_filename | default(nginx_private_path + \"/\" + item.auth_basic_name|d()) }};\n\n{% endif %}\n{% if item.userdir|d()|bool %}\n location ~ {{ item.userdir_regexp | d('^/~(.+?)(/.*)?$') }} {\n alias {{ item.userdir_alias | d(nginx_www + '/$1/userdir/public$2') }};\n index {{ item.userdir_index | d(item.index | default('index.html index.htm')) }};\n{% if 
item.userdir_options|d() %}\n{{ item.userdir_options | indent(16, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% else %}\n autoindex on;\n autoindex_exact_size off;\n{% endif %}\n }\n\n{% endif %}\n{% if item.deny_hidden|d(True) | bool %}\n # Disallow access to hidden files and directories\n location ~ /\\. {\n return 404;\n }\n\n{% endif %}\n{% if item.favicon|d(True) | bool %}\n location = /favicon.ico {\n try_files /favicon.ico =204;\n access_log off;\n log_not_found off;\n }\n\n{% endif %}\n{% if item.status|d(True) and (nginx_status or nginx_status_localhost) %}\n location = {{ item.status_name | default(nginx_status_name) }} {\n stub_status on;\n access_log off;\n{% if nginx_status_localhost %}\n{% for address in nginx_status_localhost | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if nginx_status %}\n{% for address in nginx_status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if item.status|d() %}\n{% for address in item.status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n }\n\n{% endif %}\n{% block nginx_tpl_block_custom_status_locations %}\n{% endblock %}\n{% if nginx_tpl_default_server or nginx_tpl_default_server_ssl %}\n include /etc/nginx/sites-default.d/*.conf;\n\n{% endif %}\n{% block nginx_tpl_block_location %}\n{% if item.location|d() or item.location_list|d() %}\n{% if item.location_list|d() %}\n{{ print_location_list(item.location_list) }}\n{% endif %}\n{% if item.location|d() %}\n{{ print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}\n{% endif %}\n{% else %}\n location / {\n{% block nginx_tpl_block_location_root %}\n try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files|d() else nginx_default_try_files) | join(' ') }} =404;\n{% endblock %}\n }\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_custom_locations %}\n{% endblock %}\n{% if item.include_files_end|d() %}\n\n{% for file 
in item.include_files_end %}\n include {{ file }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- nginx server template begins here ----\n #}\n# {{ ansible_managed }}\n\n{% if item.name|d() %}\n# nginx server configuration for:\n{% for address in ([ item.name ] if item.name is string else item.name) %}\n{% if nginx_tpl_ssl and not (item.redirect_to_ssl|d(True) | bool) %}\n# - http://{{ address }}/\n{% endif %}\n# - {{ \"https\" if nginx_tpl_ssl else \"http\" }}://{{ address }}/\n{% endfor %}\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% else %}\n# nginx server default configuration\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% endif %}\n{% if item.redirect_from|d() and item.name|d() %}\n{% if item.name is string or item.name | length == 1 %}\n# Cannot redirect from only one name: {{ item.name if item.name is string else item.name | join(', ') }}\n\n{% else %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port|string }};\n{% endfor %}\n{% if nginx_tpl_ssl | bool %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port|string }} ssl;\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n{% endif %}\n\n{% if item.redirect_from is iterable %}\n{% for name in item.redirect_from %}\n server_name {{ name }};\n{% endfor %}\n{% else %}{# item.redirect_from is True #}\n{% for name in item.name[1:] %}\n server_name {{ name }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;\n\n}\n\n{% endif %}\n{% elif item.redirect_to|d() and item.name|d() %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }};\n{% endfor %}\n\n{% for address in ([ item.name 
] if item.name is string else item.name) %}\n{% if address != item.redirect_to %}\n server_name {{ address }};\n{% endif %}\n{% endfor %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.redirect_to }}$request_uri;\n\n}\n\n{% endif %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }}{% if nginx_tpl_default_server %} {{ nginx_tpl_default_server | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only) %} {{ nginx_tpl_ipv6only | join(\" \") }}{% endif %};\n{% endfor %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl %}\n{% if item.listen|d(True) %}\n{% if not (item.redirect_to_ssl|d(True) | bool) %}\n{{ print_shared_nginx_server_block() }}\n{% else %}\n location / {\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n }\n{% endif %}\n\n}\n\nserver {\n\n{% endif %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port }} ssl{% if nginx_version is version_compare('1.9.5','>=') %} http2{% elif nginx_version is version_compare('1.4','>=') %} spdy{% endif %}{% if nginx_tpl_default_server_ssl %} {{ nginx_tpl_default_server_ssl | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only_ssl) %} {{ nginx_tpl_ipv6only_ssl | join(\" \") }}{% endif %};\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n ssl_protocols {{ (item.tls_protocols | 
d(nginx_default_tls_protocols)) | join(\" \") }};\n ssl_prefer_server_ciphers on;\n{% if (nginx_ssl_ciphers[item.ssl_ciphers | d(nginx_default_ssl_ciphers)]) %}\n ssl_ciphers \"{{ nginx_ssl_ciphers[item.ssl_ciphers | default(nginx_default_ssl_ciphers)] }}\"; # TLS cipher suites set: {{ item.ssl_ciphers | default(nginx_default_ssl_ciphers) }}\n{% else %}\n #ssl_ciphers \"default set of ciphers used by this nginx install\";\n{% endif %}\n{% if nginx_tpl_ssl_dhparam %}\n ssl_dhparam {{ nginx_tpl_ssl_dhparam }};\n{% endif %}\n{% if item.ssl_curve | default(nginx_default_ssl_curve) %}\n ssl_ecdh_curve {{ item.ssl_curve | default(nginx_default_ssl_curve) }};\n{% endif %}\n{% if nginx_version is version_compare('1.4','>=') and (item.ocsp | d(nginx_ocsp)) | bool %}\n ssl_stapling on;\n{% if (item.ocsp_verify | d(nginx_ocsp_verify)) | bool %}\n ssl_stapling_verify on;\n ssl_trusted_certificate {{ nginx_tpl_ssl_trusted_certificate }};\n{% endif %}\n resolver {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ipwrap | join(\" \") }} valid=300s;\n resolver_timeout 5s;\n{% endif %}\n{% if (item.ssl_verify_client | d(nginx_default_ssl_verify_client)) | bool %}\n{% if item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) %}\n ssl_verify_client on;\n ssl_client_certificate {{ item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) }};\n{% endif %}\n{% if item.ssl_crl | d(nginx_default_ssl_crl) %}\n ssl_crl {{ item.ssl_crl | d(nginx_default_ssl_crl) }};\n{% endif %}\n{% endif %}\n{% if item.hsts_enabled|d(True) | bool %}\n add_header Strict-Transport-Security \"max-age={{ nginx_hsts_age }}{{ \"; includeSubDomains\" if nginx_hsts_subdomains|bool else \"\" }}{{ \"; preload\" if ((item.hsts_preload | d(nginx_hsts_preload)) | bool) else \"\" }}\";\n{% endif %}\n{% if item.csp_enabled|d(False) | bool %}\n add_header Content-Security-Policy \"{{ item.csp|d(\"default-src https: ;\") + (\" \" + item.csp_append|d(nginx__http_csp_append) if 
(item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.csp_report_enabled|d(False) | bool %}\n add_header Content-Security-Policy-Report-Only \"{{ item.csp_report|d(item.csp|d(\"default-src https: ;\")) + (\" \" + item.csp_append|d(nginx__http_csp_append) if (item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.content_type_options|d(True) != omit %}\n add_header X-Content-Type-Options \"{{ item.content_type_options | d('nosniff') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.frame_options|d() != omit %}\n add_header X-Frame-Options \"{{ item.frame_options | d('SAMEORIGIN') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.xss_protection | d(nginx__http_xss_protection) != omit %}\n add_header X-XSS-Protection \"{{ item.xss_protection | d(nginx__http_xss_protection) }}\";\n{% endif %}\n{% if item.http_referrer_policy | d(nginx__http_referrer_policy) != omit %}\n add_header Referrer-Policy \"{{ item.http_referrer_policy | d(nginx__http_referrer_policy) }}\";\n{% endif %}\n{% for robots_tag in nginx_tpl_robots_tag %}\n add_header X-Robots-Tag \"{{ robots_tag }}\";\n{% endfor %}\n{% if item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) != omit %}\n add_header X-Permitted-Cross-Domain-Policies \"{{ item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) }}\";\n{% endif %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl | bool %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include 
snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{# ---- end of nginx_tpl_ssl ---- #}\n{{ print_shared_nginx_server_block() }}\n}\n): coercing to Unicode: need string or buffer, list found"}
  3. failed: [rangers] (item={u'welcome_domain': u'aimediagroup.com', u'name': [u'welcome'], u'csp_enabled': True, u'welcome': True, u'enabled': True, u'csp': u"default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';"}) => {"changed": false, "item": {"csp": "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';", "csp_enabled": true, "enabled": true, "name": ["welcome"], "welcome": true, "welcome_domain": "aimediagroup.com"}, "msg": "AnsibleError: Unexpected templating type error occurred on ({% import 'debops__tpl_macros.j2' as debops__tpl_macros with context %}\n{#\n #\n # ==== Default server template for debops.nginx role ====\n #\n # Refer to the documentation in /docs/defaults-detailed.rst\n #\n #}\n\n{#\n #\n # ---- HTTPS, ports to listen on, default server, HTTPS redirect ----\n #}\n{% set nginx_version = ansible_local.nginx.version if (ansible_local|d() and ansible_local.nginx|d() and ansible_local.nginx.version|d()) else \"0.0\" %}\n{% set nginx_tpl_robots_tag = [] if (item.robots_tag|d(nginx__http_robots_tag) is string and item.robots_tag|d(nginx__http_robots_tag) == omit)\n else (\n [ item.robots_tag|d(nginx__http_robots_tag) ]\n if (item.robots_tag|d(nginx__http_robots_tag) is string)\n else (item.robots_tag|d(nginx__http_robots_tag))) %}\n{% set nginx_tpl_acme = (item.acme | default(nginx_acme)) | bool %}\n{% set nginx_tpl_ssl = (item.ssl | default(nginx_pki)) | bool %}\n{% set nginx_tpl_listen = item.listen | default(nginx_listen_port if nginx_listen_port else nginx_listen_socket) %}\n{% if nginx_tpl_ssl | bool %}\n{% set nginx_tpl_listen_ssl = item.listen_ssl | default(nginx_listen_ssl_port if nginx_listen_ssl_port else nginx_listen_ssl_socket) %}\n{% endif %}\n{% set nginx_tpl_default_server = [] %}\n{% set nginx_tpl_ipv6only = [] %}\n{% if nginx_register_default_server|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server or\n not name and 
nginx_register_default_server == \"default\") %}\n{% set _ = nginx_tpl_default_server.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_server_ssl = [] %}\n{% set nginx_tpl_ipv6only_ssl = [] %}\n{% if nginx_register_default_server_ssl|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server_ssl or\n not name and nginx_register_default_server_ssl == \"default\") %}\n{% set _ = nginx_tpl_default_server_ssl.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only_ssl.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_redirect_code = '307' %}\n{% set nginx_tpl_default_redirect_code_ssl = '301' %}\n{% set nginx_tpl_http_redirect = item.redirect | default('https://$host$request_uri') %}\n{% set nginx_tpl_pki_custom_realm = '' %}\n{% set nginx_tpl_pki_custom_realm_list = [] %}\n{% if (nginx_pki | bool and item.name | d() and (ansible_local|d() and ansible_local.pki|d() and ansible_local.pki.known_realms|d())) %}\n{# TODO: Legacy code. 
Use debops__tpl_macros.j2 #}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if name in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name) %}\n{% elif (name.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name.split('.')[1:] | join('.')) %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% if nginx_tpl_pki_custom_realm_list %}\n{% set nginx_tpl_pki_custom_realm = nginx_tpl_pki_custom_realm_list[0] %}\n{% endif %}\n{#\n #\n # ---- SSL certificate ----\n #}\n{% set nginx_tpl_ssl_certificate = item.ssl_crt|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_crt|d(nginx_pki_crt))) %}\n{#\n #\n # ---- SSL certificate key ----\n #}\n{% set nginx_tpl_ssl_certificate_key = item.ssl_key|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_key|d(nginx_pki_key))) %}\n{#\n #\n # ---- SSL client CA certificate ----\n #}\n{% set nginx_tpl_ssl_client_certificate = item.ssl_ca|d(nginx_pki_path + \"/\" + item.pki_ca_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_ca_realm) + \"/\" + (item.pki_ca|d(nginx_pki_ca))) %}\n{#\n #\n # ---- SSL trusted CA certificate ----\n #}\n{% set nginx_tpl_ssl_trusted_certificate = item.ssl_trusted\n |d(nginx_pki_path + \"/\" + (item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + item.pki_trusted | d(nginx_pki_trusted))) %}\n{#\n #\n # ---- Diffie-Hellman Key Exchange parameters ----\n #}\n{% set nginx_tpl_ssl_dhparam = item.ssl_dhparam | default(nginx_ssl_dhparam) %}\n{#\n #\n # ---- root directory ----\n #}\n{% if item.owner|d() %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/' + item.owner + '/sites/' + (item.name if item.name is string 
else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% else %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% endif %}\n{% if item.root_suffix|d() %}\n{% set nginx_tpl_root = nginx_tpl_root + '/' + item.root_suffix %}\n{% endif %}\n{% macro print_root() %}\n{% block nginx_tpl_block_root %}\n{% if (not (item.root|d() | bool)) and nginx_tpl_root %}\n root {{ nginx_tpl_root }};\n{% endif %}\n{% endblock %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location' hash, flat ----\n #}\n{% macro print_location(location,location_allow=[],location_referers=[],location_deny=[]) %}\n{% if location is defined %}\n{% for path in location.keys() %}\n{% if location[path] %}\n location {{ path }} {\n{% if location_referers is defined %}\n{% if location_referers[path] is defined and location_referers[path] %}\n valid_referers none blocked {{ location_referers[path] | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% endif %}\n {{ item.location[path] | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% if location_allow is defined %}\n{% if location_allow[path] is defined and location_allow[path] %}\n{% for address in location_allow[path] | unique %}\n allow {{ address }};\n{% endfor %}\n{% if location_deny is defined %}\n{% if location_deny[path] is defined %}\n{% for address in location_deny[path] | unique %}\n deny {{ address }};\n{% endfor %}\n{% endif %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% endif %}\n }\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location_list' list, recursive\n #}\n{% macro print_location_list(location_list) %}\n{% if location_list is defined %}\n{% for entry in location_list %}\n{% if entry.pattern|d() 
and (entry.enabled|d(True) | bool) %}\n location {{ entry.pattern_prefix | default('') + entry.pattern }} {\n{% if entry.referers|d() %}\n valid_referers none blocked {{ entry.referers | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% if entry.options|d() %}\n {{ entry.options | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n{% if entry.allow|d() %}\n{% for address in entry.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% if entry.deny|d() %}\n{% for address in entry.deny | unique %}\n deny {{ address }};\n{% endfor %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% if entry.locations|d() %}\n{{ print_location_list(entry.locations) | indent(8, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n }\n{% endif %}\n{% if not loop.last %}\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints the nginx server block which is shared between HTTP and HTTPS\n #}\n{% macro print_shared_nginx_server_block() %}\n{% if (not nginx_tpl_ssl and ((item.redirect|d()) or (item.redirect_to_ssl|d() | bool))) %}\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n{% elif nginx_tpl_ssl and item.redirect_ssl|d() %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} {{ item.redirect_ssl }};\n{% else %}\n keepalive_timeout {{ item.keepalive | default(nginx_default_keepalive_timeout) | string }};\n\n{% block nginx_tpl_block_log %}\n{% if item.name|d() %}\n{% set nginx_tpl_access_log_format = '' %}\n{% if item.access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + item.access_log_format %}\n{% elif nginx_access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + nginx_access_log_format %}\n{% endif %}\n access_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.access_log | d(item.filename | d(item.name if item.name is string else item.name[0]) 
+ '_access') }}.log{{ nginx_tpl_access_log_format }};\n error_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.error_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_error') }}.log;\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_index %}\n{% if item.index|d(True) %}\n index {{ item.index | default('index.html index.htm') }};\n\n{% endif %}\n{% endblock %}\n{% if nginx_real_ip_from|d() and nginx_real_ip_from %}\n{% if nginx_real_ip_header|d() and nginx_real_ip_header %}\n real_ip_header {{ nginx_real_ip_header }};\n{% endif %}\n{% if nginx_real_ip_recursive | bool %}\n real_ip_recursive on;\n{% elif not nginx_real_ip_recursive | bool %}\n real_ip_recursive off;\n{% endif %}\n{% if nginx_real_ip_from is string %}\n set_real_ip_from {{ nginx_real_ip_from }};\n\n{% else %}\n{% for element in nginx_real_ip_from %}\n set_real_ip_from {{ element }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n{% if item.maintenance|d(True)|bool %}\n if (-f $document_root/{{ item.maintenance_file | d('maintenance.html') }}) {\n return 503;\n }\n error_page 503 @maintenance;\n location @maintenance {\n rewrite ^(.*)$ /{{ item.maintenance_file | d('maintenance.html') }} break;\n }\n\n{% endif %}\n{% if item.error_pages|d() %}\n{% for code, location in item.error_pages.items() %}\n error_page {{ code }} {{ location }};\n location {{ location }} {\n internal;\n }\n\n{% endfor %}\n{% endif %}\n{% if item.include_files_begin|d() %}\n{% for file in item.include_files_begin %}\n include {{ file }};\n{% endfor %}\n\n{% endif %}\n{% if item.error_pages_list|d() %}\n{% for element in item.error_pages_list %}\n{% if element.location|d() or element.location_options|d() %}\n\n{% endif %}\n error_page {{ element.code if (element.code is string) else (element.code | join(\" \")) }} {{ element.uri }};\n{% if element.location|d() or element.location_options|d() %}\n location {{ element.location | d(element.uri) }} {\n{{ element.location_options | indent(16, 
true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n }\n{% if not loop.last %}\n\n{% endif %}\n{% endif %}\n{% endfor %}\n\n{% endif %}\n{% if item.options|d() %}\n {{ item.options | indent(8) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_satisfy_map) %}\n satisfy {{ nginx_access_policy_satisfy_map[item.access_policy] }};\n\n{% elif item.allow|d() or\n (item.auth_basic|d() | bool) or\n (item.satisfy|d()) or\n (item.access_policy|d() and\n item.access_policy not in nginx_access_policy_satisfy_map) %}\n satisfy {{ item.satisfy | default(nginx_default_satisfy) }};\n\n{% endif %}\n{% if item.allow|d() or item.access_policy|d() %}\n{% if item.allow is defined %}\n{% if item.allow is string %}\n allow {{ item.allow }};\n{% else %}\n{% for address in item.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_allow_map) %}\n{% for address in nginx_access_policy_allow_map[item.access_policy] | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_auth_basic_map) %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ nginx_private_path + \"/\" + nginx_access_policy_auth_basic_map[item.access_policy] }};\n\n{% elif item.auth_basic|d() | bool %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ item.auth_basic_filename | default(nginx_private_path + \"/\" + item.auth_basic_name|d()) }};\n\n{% endif %}\n{% if item.userdir|d()|bool %}\n location ~ {{ item.userdir_regexp | d('^/~(.+?)(/.*)?$') }} {\n alias {{ item.userdir_alias | d(nginx_www + '/$1/userdir/public$2') }};\n index {{ item.userdir_index | d(item.index | default('index.html index.htm')) }};\n{% if 
item.userdir_options|d() %}\n{{ item.userdir_options | indent(16, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% else %}\n autoindex on;\n autoindex_exact_size off;\n{% endif %}\n }\n\n{% endif %}\n{% if item.deny_hidden|d(True) | bool %}\n # Disallow access to hidden files and directories\n location ~ /\\. {\n return 404;\n }\n\n{% endif %}\n{% if item.favicon|d(True) | bool %}\n location = /favicon.ico {\n try_files /favicon.ico =204;\n access_log off;\n log_not_found off;\n }\n\n{% endif %}\n{% if item.status|d(True) and (nginx_status or nginx_status_localhost) %}\n location = {{ item.status_name | default(nginx_status_name) }} {\n stub_status on;\n access_log off;\n{% if nginx_status_localhost %}\n{% for address in nginx_status_localhost | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if nginx_status %}\n{% for address in nginx_status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if item.status|d() %}\n{% for address in item.status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n }\n\n{% endif %}\n{% block nginx_tpl_block_custom_status_locations %}\n{% endblock %}\n{% if nginx_tpl_default_server or nginx_tpl_default_server_ssl %}\n include /etc/nginx/sites-default.d/*.conf;\n\n{% endif %}\n{% block nginx_tpl_block_location %}\n{% if item.location|d() or item.location_list|d() %}\n{% if item.location_list|d() %}\n{{ print_location_list(item.location_list) }}\n{% endif %}\n{% if item.location|d() %}\n{{ print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}\n{% endif %}\n{% else %}\n location / {\n{% block nginx_tpl_block_location_root %}\n try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files|d() else nginx_default_try_files) | join(' ') }} =404;\n{% endblock %}\n }\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_custom_locations %}\n{% endblock %}\n{% if item.include_files_end|d() %}\n\n{% for file 
in item.include_files_end %}\n include {{ file }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- nginx server template begins here ----\n #}\n# {{ ansible_managed }}\n\n{% if item.name|d() %}\n# nginx server configuration for:\n{% for address in ([ item.name ] if item.name is string else item.name) %}\n{% if nginx_tpl_ssl and not (item.redirect_to_ssl|d(True) | bool) %}\n# - http://{{ address }}/\n{% endif %}\n# - {{ \"https\" if nginx_tpl_ssl else \"http\" }}://{{ address }}/\n{% endfor %}\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% else %}\n# nginx server default configuration\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% endif %}\n{% if item.redirect_from|d() and item.name|d() %}\n{% if item.name is string or item.name | length == 1 %}\n# Cannot redirect from only one name: {{ item.name if item.name is string else item.name | join(', ') }}\n\n{% else %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port|string }};\n{% endfor %}\n{% if nginx_tpl_ssl | bool %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port|string }} ssl;\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n{% endif %}\n\n{% if item.redirect_from is iterable %}\n{% for name in item.redirect_from %}\n server_name {{ name }};\n{% endfor %}\n{% else %}{# item.redirect_from is True #}\n{% for name in item.name[1:] %}\n server_name {{ name }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;\n\n}\n\n{% endif %}\n{% elif item.redirect_to|d() and item.name|d() %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }};\n{% endfor %}\n\n{% for address in ([ item.name 
] if item.name is string else item.name) %}\n{% if address != item.redirect_to %}\n server_name {{ address }};\n{% endif %}\n{% endfor %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.redirect_to }}$request_uri;\n\n}\n\n{% endif %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }}{% if nginx_tpl_default_server %} {{ nginx_tpl_default_server | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only) %} {{ nginx_tpl_ipv6only | join(\" \") }}{% endif %};\n{% endfor %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl %}\n{% if item.listen|d(True) %}\n{% if not (item.redirect_to_ssl|d(True) | bool) %}\n{{ print_shared_nginx_server_block() }}\n{% else %}\n location / {\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n }\n{% endif %}\n\n}\n\nserver {\n\n{% endif %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port }} ssl{% if nginx_version is version_compare('1.9.5','>=') %} http2{% elif nginx_version is version_compare('1.4','>=') %} spdy{% endif %}{% if nginx_tpl_default_server_ssl %} {{ nginx_tpl_default_server_ssl | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only_ssl) %} {{ nginx_tpl_ipv6only_ssl | join(\" \") }}{% endif %};\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n ssl_protocols {{ (item.tls_protocols | 
d(nginx_default_tls_protocols)) | join(\" \") }};\n ssl_prefer_server_ciphers on;\n{% if (nginx_ssl_ciphers[item.ssl_ciphers | d(nginx_default_ssl_ciphers)]) %}\n ssl_ciphers \"{{ nginx_ssl_ciphers[item.ssl_ciphers | default(nginx_default_ssl_ciphers)] }}\"; # TLS cipher suites set: {{ item.ssl_ciphers | default(nginx_default_ssl_ciphers) }}\n{% else %}\n #ssl_ciphers \"default set of ciphers used by this nginx install\";\n{% endif %}\n{% if nginx_tpl_ssl_dhparam %}\n ssl_dhparam {{ nginx_tpl_ssl_dhparam }};\n{% endif %}\n{% if item.ssl_curve | default(nginx_default_ssl_curve) %}\n ssl_ecdh_curve {{ item.ssl_curve | default(nginx_default_ssl_curve) }};\n{% endif %}\n{% if nginx_version is version_compare('1.4','>=') and (item.ocsp | d(nginx_ocsp)) | bool %}\n ssl_stapling on;\n{% if (item.ocsp_verify | d(nginx_ocsp_verify)) | bool %}\n ssl_stapling_verify on;\n ssl_trusted_certificate {{ nginx_tpl_ssl_trusted_certificate }};\n{% endif %}\n resolver {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ipwrap | join(\" \") }} valid=300s;\n resolver_timeout 5s;\n{% endif %}\n{% if (item.ssl_verify_client | d(nginx_default_ssl_verify_client)) | bool %}\n{% if item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) %}\n ssl_verify_client on;\n ssl_client_certificate {{ item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) }};\n{% endif %}\n{% if item.ssl_crl | d(nginx_default_ssl_crl) %}\n ssl_crl {{ item.ssl_crl | d(nginx_default_ssl_crl) }};\n{% endif %}\n{% endif %}\n{% if item.hsts_enabled|d(True) | bool %}\n add_header Strict-Transport-Security \"max-age={{ nginx_hsts_age }}{{ \"; includeSubDomains\" if nginx_hsts_subdomains|bool else \"\" }}{{ \"; preload\" if ((item.hsts_preload | d(nginx_hsts_preload)) | bool) else \"\" }}\";\n{% endif %}\n{% if item.csp_enabled|d(False) | bool %}\n add_header Content-Security-Policy \"{{ item.csp|d(\"default-src https: ;\") + (\" \" + item.csp_append|d(nginx__http_csp_append) if 
(item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.csp_report_enabled|d(False) | bool %}\n add_header Content-Security-Policy-Report-Only \"{{ item.csp_report|d(item.csp|d(\"default-src https: ;\")) + (\" \" + item.csp_append|d(nginx__http_csp_append) if (item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.content_type_options|d(True) != omit %}\n add_header X-Content-Type-Options \"{{ item.content_type_options | d('nosniff') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.frame_options|d() != omit %}\n add_header X-Frame-Options \"{{ item.frame_options | d('SAMEORIGIN') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.xss_protection | d(nginx__http_xss_protection) != omit %}\n add_header X-XSS-Protection \"{{ item.xss_protection | d(nginx__http_xss_protection) }}\";\n{% endif %}\n{% if item.http_referrer_policy | d(nginx__http_referrer_policy) != omit %}\n add_header Referrer-Policy \"{{ item.http_referrer_policy | d(nginx__http_referrer_policy) }}\";\n{% endif %}\n{% for robots_tag in nginx_tpl_robots_tag %}\n add_header X-Robots-Tag \"{{ robots_tag }}\";\n{% endfor %}\n{% if item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) != omit %}\n add_header X-Permitted-Cross-Domain-Policies \"{{ item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) }}\";\n{% endif %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl | bool %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include 
snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{# ---- end of nginx_tpl_ssl ---- #}\n{{ print_shared_nginx_server_block() }}\n}\n): coercing to Unicode: need string or buffer, list found"}
  4. failed: [rangers] (item={u'name': [u'localhost', u'127.0.0.1', u'[::1]'], u'acme': False, u'welcome': True, u'enabled': True, u'ssl': False, u'welcome_css': False}) => {"changed": false, "item": {"acme": false, "enabled": true, "name": ["localhost", "127.0.0.1", "[::1]"], "ssl": false, "welcome": true, "welcome_css": false}, "msg": "AnsibleError: Unexpected templating type error occurred on ({% import 'debops__tpl_macros.j2' as debops__tpl_macros with context %}\n{#\n #\n # ==== Default server template for debops.nginx role ====\n #\n # Refer to the documentation in /docs/defaults-detailed.rst\n #\n #}\n\n{#\n #\n # ---- HTTPS, ports to listen on, default server, HTTPS redirect ----\n #}\n{% set nginx_version = ansible_local.nginx.version if (ansible_local|d() and ansible_local.nginx|d() and ansible_local.nginx.version|d()) else \"0.0\" %}\n{% set nginx_tpl_robots_tag = [] if (item.robots_tag|d(nginx__http_robots_tag) is string and item.robots_tag|d(nginx__http_robots_tag) == omit)\n else (\n [ item.robots_tag|d(nginx__http_robots_tag) ]\n if (item.robots_tag|d(nginx__http_robots_tag) is string)\n else (item.robots_tag|d(nginx__http_robots_tag))) %}\n{% set nginx_tpl_acme = (item.acme | default(nginx_acme)) | bool %}\n{% set nginx_tpl_ssl = (item.ssl | default(nginx_pki)) | bool %}\n{% set nginx_tpl_listen = item.listen | default(nginx_listen_port if nginx_listen_port else nginx_listen_socket) %}\n{% if nginx_tpl_ssl | bool %}\n{% set nginx_tpl_listen_ssl = item.listen_ssl | default(nginx_listen_ssl_port if nginx_listen_ssl_port else nginx_listen_ssl_socket) %}\n{% endif %}\n{% set nginx_tpl_default_server = [] %}\n{% set nginx_tpl_ipv6only = [] %}\n{% if nginx_register_default_server|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server or\n not name and nginx_register_default_server == \"default\") %}\n{% set _ = nginx_tpl_default_server.append('default_server') %}\n{% if 
(nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_server_ssl = [] %}\n{% set nginx_tpl_ipv6only_ssl = [] %}\n{% if nginx_register_default_server_ssl|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server_ssl or\n not name and nginx_register_default_server_ssl == \"default\") %}\n{% set _ = nginx_tpl_default_server_ssl.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only_ssl.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_redirect_code = '307' %}\n{% set nginx_tpl_default_redirect_code_ssl = '301' %}\n{% set nginx_tpl_http_redirect = item.redirect | default('https://$host$request_uri') %}\n{% set nginx_tpl_pki_custom_realm = '' %}\n{% set nginx_tpl_pki_custom_realm_list = [] %}\n{% if (nginx_pki | bool and item.name | d() and (ansible_local|d() and ansible_local.pki|d() and ansible_local.pki.known_realms|d())) %}\n{# TODO: Legacy code. 
Use debops__tpl_macros.j2 #}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if name in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name) %}\n{% elif (name.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name.split('.')[1:] | join('.')) %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% if nginx_tpl_pki_custom_realm_list %}\n{% set nginx_tpl_pki_custom_realm = nginx_tpl_pki_custom_realm_list[0] %}\n{% endif %}\n{#\n #\n # ---- SSL certificate ----\n #}\n{% set nginx_tpl_ssl_certificate = item.ssl_crt|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_crt|d(nginx_pki_crt))) %}\n{#\n #\n # ---- SSL certificate key ----\n #}\n{% set nginx_tpl_ssl_certificate_key = item.ssl_key|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_key|d(nginx_pki_key))) %}\n{#\n #\n # ---- SSL client CA certificate ----\n #}\n{% set nginx_tpl_ssl_client_certificate = item.ssl_ca|d(nginx_pki_path + \"/\" + item.pki_ca_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_ca_realm) + \"/\" + (item.pki_ca|d(nginx_pki_ca))) %}\n{#\n #\n # ---- SSL trusted CA certificate ----\n #}\n{% set nginx_tpl_ssl_trusted_certificate = item.ssl_trusted\n |d(nginx_pki_path + \"/\" + (item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + item.pki_trusted | d(nginx_pki_trusted))) %}\n{#\n #\n # ---- Diffie-Hellman Key Exchange parameters ----\n #}\n{% set nginx_tpl_ssl_dhparam = item.ssl_dhparam | default(nginx_ssl_dhparam) %}\n{#\n #\n # ---- root directory ----\n #}\n{% if item.owner|d() %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/' + item.owner + '/sites/' + (item.name if item.name is string 
else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% else %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% endif %}\n{% if item.root_suffix|d() %}\n{% set nginx_tpl_root = nginx_tpl_root + '/' + item.root_suffix %}\n{% endif %}\n{% macro print_root() %}\n{% block nginx_tpl_block_root %}\n{% if (not (item.root|d() | bool)) and nginx_tpl_root %}\n root {{ nginx_tpl_root }};\n{% endif %}\n{% endblock %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location' hash, flat ----\n #}\n{% macro print_location(location,location_allow=[],location_referers=[],location_deny=[]) %}\n{% if location is defined %}\n{% for path in location.keys() %}\n{% if location[path] %}\n location {{ path }} {\n{% if location_referers is defined %}\n{% if location_referers[path] is defined and location_referers[path] %}\n valid_referers none blocked {{ location_referers[path] | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% endif %}\n {{ item.location[path] | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% if location_allow is defined %}\n{% if location_allow[path] is defined and location_allow[path] %}\n{% for address in location_allow[path] | unique %}\n allow {{ address }};\n{% endfor %}\n{% if location_deny is defined %}\n{% if location_deny[path] is defined %}\n{% for address in location_deny[path] | unique %}\n deny {{ address }};\n{% endfor %}\n{% endif %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% endif %}\n }\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location_list' list, recursive\n #}\n{% macro print_location_list(location_list) %}\n{% if location_list is defined %}\n{% for entry in location_list %}\n{% if entry.pattern|d() 
and (entry.enabled|d(True) | bool) %}\n location {{ entry.pattern_prefix | default('') + entry.pattern }} {\n{% if entry.referers|d() %}\n valid_referers none blocked {{ entry.referers | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% if entry.options|d() %}\n {{ entry.options | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n{% if entry.allow|d() %}\n{% for address in entry.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% if entry.deny|d() %}\n{% for address in entry.deny | unique %}\n deny {{ address }};\n{% endfor %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% if entry.locations|d() %}\n{{ print_location_list(entry.locations) | indent(8, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n }\n{% endif %}\n{% if not loop.last %}\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints the nginx server block which is shared between HTTP and HTTPS\n #}\n{% macro print_shared_nginx_server_block() %}\n{% if (not nginx_tpl_ssl and ((item.redirect|d()) or (item.redirect_to_ssl|d() | bool))) %}\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n{% elif nginx_tpl_ssl and item.redirect_ssl|d() %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} {{ item.redirect_ssl }};\n{% else %}\n keepalive_timeout {{ item.keepalive | default(nginx_default_keepalive_timeout) | string }};\n\n{% block nginx_tpl_block_log %}\n{% if item.name|d() %}\n{% set nginx_tpl_access_log_format = '' %}\n{% if item.access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + item.access_log_format %}\n{% elif nginx_access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + nginx_access_log_format %}\n{% endif %}\n access_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.access_log | d(item.filename | d(item.name if item.name is string else item.name[0]) 
+ '_access') }}.log{{ nginx_tpl_access_log_format }};\n error_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.error_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_error') }}.log;\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_index %}\n{% if item.index|d(True) %}\n index {{ item.index | default('index.html index.htm') }};\n\n{% endif %}\n{% endblock %}\n{% if nginx_real_ip_from|d() and nginx_real_ip_from %}\n{% if nginx_real_ip_header|d() and nginx_real_ip_header %}\n real_ip_header {{ nginx_real_ip_header }};\n{% endif %}\n{% if nginx_real_ip_recursive | bool %}\n real_ip_recursive on;\n{% elif not nginx_real_ip_recursive | bool %}\n real_ip_recursive off;\n{% endif %}\n{% if nginx_real_ip_from is string %}\n set_real_ip_from {{ nginx_real_ip_from }};\n\n{% else %}\n{% for element in nginx_real_ip_from %}\n set_real_ip_from {{ element }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n{% if item.maintenance|d(True)|bool %}\n if (-f $document_root/{{ item.maintenance_file | d('maintenance.html') }}) {\n return 503;\n }\n error_page 503 @maintenance;\n location @maintenance {\n rewrite ^(.*)$ /{{ item.maintenance_file | d('maintenance.html') }} break;\n }\n\n{% endif %}\n{% if item.error_pages|d() %}\n{% for code, location in item.error_pages.items() %}\n error_page {{ code }} {{ location }};\n location {{ location }} {\n internal;\n }\n\n{% endfor %}\n{% endif %}\n{% if item.include_files_begin|d() %}\n{% for file in item.include_files_begin %}\n include {{ file }};\n{% endfor %}\n\n{% endif %}\n{% if item.error_pages_list|d() %}\n{% for element in item.error_pages_list %}\n{% if element.location|d() or element.location_options|d() %}\n\n{% endif %}\n error_page {{ element.code if (element.code is string) else (element.code | join(\" \")) }} {{ element.uri }};\n{% if element.location|d() or element.location_options|d() %}\n location {{ element.location | d(element.uri) }} {\n{{ element.location_options | indent(16, 
true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n }\n{% if not loop.last %}\n\n{% endif %}\n{% endif %}\n{% endfor %}\n\n{% endif %}\n{% if item.options|d() %}\n {{ item.options | indent(8) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_satisfy_map) %}\n satisfy {{ nginx_access_policy_satisfy_map[item.access_policy] }};\n\n{% elif item.allow|d() or\n (item.auth_basic|d() | bool) or\n (item.satisfy|d()) or\n (item.access_policy|d() and\n item.access_policy not in nginx_access_policy_satisfy_map) %}\n satisfy {{ item.satisfy | default(nginx_default_satisfy) }};\n\n{% endif %}\n{% if item.allow|d() or item.access_policy|d() %}\n{% if item.allow is defined %}\n{% if item.allow is string %}\n allow {{ item.allow }};\n{% else %}\n{% for address in item.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_allow_map) %}\n{% for address in nginx_access_policy_allow_map[item.access_policy] | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_auth_basic_map) %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ nginx_private_path + \"/\" + nginx_access_policy_auth_basic_map[item.access_policy] }};\n\n{% elif item.auth_basic|d() | bool %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ item.auth_basic_filename | default(nginx_private_path + \"/\" + item.auth_basic_name|d()) }};\n\n{% endif %}\n{% if item.userdir|d()|bool %}\n location ~ {{ item.userdir_regexp | d('^/~(.+?)(/.*)?$') }} {\n alias {{ item.userdir_alias | d(nginx_www + '/$1/userdir/public$2') }};\n index {{ item.userdir_index | d(item.index | default('index.html index.htm')) }};\n{% if 
item.userdir_options|d() %}\n{{ item.userdir_options | indent(16, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% else %}\n autoindex on;\n autoindex_exact_size off;\n{% endif %}\n }\n\n{% endif %}\n{% if item.deny_hidden|d(True) | bool %}\n # Disallow access to hidden files and directories\n location ~ /\\. {\n return 404;\n }\n\n{% endif %}\n{% if item.favicon|d(True) | bool %}\n location = /favicon.ico {\n try_files /favicon.ico =204;\n access_log off;\n log_not_found off;\n }\n\n{% endif %}\n{% if item.status|d(True) and (nginx_status or nginx_status_localhost) %}\n location = {{ item.status_name | default(nginx_status_name) }} {\n stub_status on;\n access_log off;\n{% if nginx_status_localhost %}\n{% for address in nginx_status_localhost | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if nginx_status %}\n{% for address in nginx_status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if item.status|d() %}\n{% for address in item.status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n }\n\n{% endif %}\n{% block nginx_tpl_block_custom_status_locations %}\n{% endblock %}\n{% if nginx_tpl_default_server or nginx_tpl_default_server_ssl %}\n include /etc/nginx/sites-default.d/*.conf;\n\n{% endif %}\n{% block nginx_tpl_block_location %}\n{% if item.location|d() or item.location_list|d() %}\n{% if item.location_list|d() %}\n{{ print_location_list(item.location_list) }}\n{% endif %}\n{% if item.location|d() %}\n{{ print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}\n{% endif %}\n{% else %}\n location / {\n{% block nginx_tpl_block_location_root %}\n try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files|d() else nginx_default_try_files) | join(' ') }} =404;\n{% endblock %}\n }\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_custom_locations %}\n{% endblock %}\n{% if item.include_files_end|d() %}\n\n{% for file 
in item.include_files_end %}\n include {{ file }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- nginx server template begins here ----\n #}\n# {{ ansible_managed }}\n\n{% if item.name|d() %}\n# nginx server configuration for:\n{% for address in ([ item.name ] if item.name is string else item.name) %}\n{% if nginx_tpl_ssl and not (item.redirect_to_ssl|d(True) | bool) %}\n# - http://{{ address }}/\n{% endif %}\n# - {{ \"https\" if nginx_tpl_ssl else \"http\" }}://{{ address }}/\n{% endfor %}\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% else %}\n# nginx server default configuration\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% endif %}\n{% if item.redirect_from|d() and item.name|d() %}\n{% if item.name is string or item.name | length == 1 %}\n# Cannot redirect from only one name: {{ item.name if item.name is string else item.name | join(', ') }}\n\n{% else %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port|string }};\n{% endfor %}\n{% if nginx_tpl_ssl | bool %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port|string }} ssl;\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n{% endif %}\n\n{% if item.redirect_from is iterable %}\n{% for name in item.redirect_from %}\n server_name {{ name }};\n{% endfor %}\n{% else %}{# item.redirect_from is True #}\n{% for name in item.name[1:] %}\n server_name {{ name }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;\n\n}\n\n{% endif %}\n{% elif item.redirect_to|d() and item.name|d() %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }};\n{% endfor %}\n\n{% for address in ([ item.name 
] if item.name is string else item.name) %}\n{% if address != item.redirect_to %}\n server_name {{ address }};\n{% endif %}\n{% endfor %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.redirect_to }}$request_uri;\n\n}\n\n{% endif %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }}{% if nginx_tpl_default_server %} {{ nginx_tpl_default_server | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only) %} {{ nginx_tpl_ipv6only | join(\" \") }}{% endif %};\n{% endfor %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl %}\n{% if item.listen|d(True) %}\n{% if not (item.redirect_to_ssl|d(True) | bool) %}\n{{ print_shared_nginx_server_block() }}\n{% else %}\n location / {\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n }\n{% endif %}\n\n}\n\nserver {\n\n{% endif %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port }} ssl{% if nginx_version is version_compare('1.9.5','>=') %} http2{% elif nginx_version is version_compare('1.4','>=') %} spdy{% endif %}{% if nginx_tpl_default_server_ssl %} {{ nginx_tpl_default_server_ssl | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only_ssl) %} {{ nginx_tpl_ipv6only_ssl | join(\" \") }}{% endif %};\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n ssl_protocols {{ (item.tls_protocols | 
d(nginx_default_tls_protocols)) | join(\" \") }};\n ssl_prefer_server_ciphers on;\n{% if (nginx_ssl_ciphers[item.ssl_ciphers | d(nginx_default_ssl_ciphers)]) %}\n ssl_ciphers \"{{ nginx_ssl_ciphers[item.ssl_ciphers | default(nginx_default_ssl_ciphers)] }}\"; # TLS cipher suites set: {{ item.ssl_ciphers | default(nginx_default_ssl_ciphers) }}\n{% else %}\n #ssl_ciphers \"default set of ciphers used by this nginx install\";\n{% endif %}\n{% if nginx_tpl_ssl_dhparam %}\n ssl_dhparam {{ nginx_tpl_ssl_dhparam }};\n{% endif %}\n{% if item.ssl_curve | default(nginx_default_ssl_curve) %}\n ssl_ecdh_curve {{ item.ssl_curve | default(nginx_default_ssl_curve) }};\n{% endif %}\n{% if nginx_version is version_compare('1.4','>=') and (item.ocsp | d(nginx_ocsp)) | bool %}\n ssl_stapling on;\n{% if (item.ocsp_verify | d(nginx_ocsp_verify)) | bool %}\n ssl_stapling_verify on;\n ssl_trusted_certificate {{ nginx_tpl_ssl_trusted_certificate }};\n{% endif %}\n resolver {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ipwrap | join(\" \") }} valid=300s;\n resolver_timeout 5s;\n{% endif %}\n{% if (item.ssl_verify_client | d(nginx_default_ssl_verify_client)) | bool %}\n{% if item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) %}\n ssl_verify_client on;\n ssl_client_certificate {{ item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) }};\n{% endif %}\n{% if item.ssl_crl | d(nginx_default_ssl_crl) %}\n ssl_crl {{ item.ssl_crl | d(nginx_default_ssl_crl) }};\n{% endif %}\n{% endif %}\n{% if item.hsts_enabled|d(True) | bool %}\n add_header Strict-Transport-Security \"max-age={{ nginx_hsts_age }}{{ \"; includeSubDomains\" if nginx_hsts_subdomains|bool else \"\" }}{{ \"; preload\" if ((item.hsts_preload | d(nginx_hsts_preload)) | bool) else \"\" }}\";\n{% endif %}\n{% if item.csp_enabled|d(False) | bool %}\n add_header Content-Security-Policy \"{{ item.csp|d(\"default-src https: ;\") + (\" \" + item.csp_append|d(nginx__http_csp_append) if 
(item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.csp_report_enabled|d(False) | bool %}\n add_header Content-Security-Policy-Report-Only \"{{ item.csp_report|d(item.csp|d(\"default-src https: ;\")) + (\" \" + item.csp_append|d(nginx__http_csp_append) if (item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.content_type_options|d(True) != omit %}\n add_header X-Content-Type-Options \"{{ item.content_type_options | d('nosniff') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.frame_options|d() != omit %}\n add_header X-Frame-Options \"{{ item.frame_options | d('SAMEORIGIN') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.xss_protection | d(nginx__http_xss_protection) != omit %}\n add_header X-XSS-Protection \"{{ item.xss_protection | d(nginx__http_xss_protection) }}\";\n{% endif %}\n{% if item.http_referrer_policy | d(nginx__http_referrer_policy) != omit %}\n add_header Referrer-Policy \"{{ item.http_referrer_policy | d(nginx__http_referrer_policy) }}\";\n{% endif %}\n{% for robots_tag in nginx_tpl_robots_tag %}\n add_header X-Robots-Tag \"{{ robots_tag }}\";\n{% endfor %}\n{% if item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) != omit %}\n add_header X-Permitted-Cross-Domain-Policies \"{{ item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) }}\";\n{% endif %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl | bool %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include 
snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{# ---- end of nginx_tpl_ssl ---- #}\n{{ print_shared_nginx_server_block() }}\n}\n): coercing to Unicode: need string or buffer, list found"}
  5. failed: [rangers] (item={u'name': [u'marc.test.aiprx.com'], u'redirect_to_ssl': False, u'enabled': True, u'stapling': True, u'ssl': True, u'pki_key': u'default.key', u'root': u'/srv/www/sites/acme/public/', u'pki_crt': u'default.crt'}) => {"changed": false, "item": {"enabled": true, "name": ["marc.test.aiprx.com"], "pki_crt": "default.crt", "pki_key": "default.key", "redirect_to_ssl": false, "root": "/srv/www/sites/acme/public/", "ssl": true, "stapling": true}, "msg": "AnsibleError: Unexpected templating type error occurred on ({% import 'debops__tpl_macros.j2' as debops__tpl_macros with context %}\n{#\n #\n # ==== Default server template for debops.nginx role ====\n #\n # Refer to the documentation in /docs/defaults-detailed.rst\n #\n #}\n\n{#\n #\n # ---- HTTPS, ports to listen on, default server, HTTPS redirect ----\n #}\n{% set nginx_version = ansible_local.nginx.version if (ansible_local|d() and ansible_local.nginx|d() and ansible_local.nginx.version|d()) else \"0.0\" %}\n{% set nginx_tpl_robots_tag = [] if (item.robots_tag|d(nginx__http_robots_tag) is string and item.robots_tag|d(nginx__http_robots_tag) == omit)\n else (\n [ item.robots_tag|d(nginx__http_robots_tag) ]\n if (item.robots_tag|d(nginx__http_robots_tag) is string)\n else (item.robots_tag|d(nginx__http_robots_tag))) %}\n{% set nginx_tpl_acme = (item.acme | default(nginx_acme)) | bool %}\n{% set nginx_tpl_ssl = (item.ssl | default(nginx_pki)) | bool %}\n{% set nginx_tpl_listen = item.listen | default(nginx_listen_port if nginx_listen_port else nginx_listen_socket) %}\n{% if nginx_tpl_ssl | bool %}\n{% set nginx_tpl_listen_ssl = item.listen_ssl | default(nginx_listen_ssl_port if nginx_listen_ssl_port else nginx_listen_ssl_socket) %}\n{% endif %}\n{% set nginx_tpl_default_server = [] %}\n{% set nginx_tpl_ipv6only = [] %}\n{% if nginx_register_default_server|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server or\n not name 
and nginx_register_default_server == \"default\") %}\n{% set _ = nginx_tpl_default_server.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_server_ssl = [] %}\n{% set nginx_tpl_ipv6only_ssl = [] %}\n{% if nginx_register_default_server_ssl|d() %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if (name == nginx_register_default_server_ssl or\n not name and nginx_register_default_server_ssl == \"default\") %}\n{% set _ = nginx_tpl_default_server_ssl.append('default_server') %}\n{% if (nginx_manage_ipv6only | bool) %}\n{% set _ = nginx_tpl_ipv6only_ssl.append('ipv6only=off') %}\n{% endif %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% set nginx_tpl_default_redirect_code = '307' %}\n{% set nginx_tpl_default_redirect_code_ssl = '301' %}\n{% set nginx_tpl_http_redirect = item.redirect | default('https://$host$request_uri') %}\n{% set nginx_tpl_pki_custom_realm = '' %}\n{% set nginx_tpl_pki_custom_realm_list = [] %}\n{% if (nginx_pki | bool and item.name | d() and (ansible_local|d() and ansible_local.pki|d() and ansible_local.pki.known_realms|d())) %}\n{# TODO: Legacy code. 
Use debops__tpl_macros.j2 #}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n{% if name in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name) %}\n{% elif (name.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}\n{% set _ = nginx_tpl_pki_custom_realm_list.append(name.split('.')[1:] | join('.')) %}\n{% endif %}\n{% endfor %}\n{% endif %}\n{% if nginx_tpl_pki_custom_realm_list %}\n{% set nginx_tpl_pki_custom_realm = nginx_tpl_pki_custom_realm_list[0] %}\n{% endif %}\n{#\n #\n # ---- SSL certificate ----\n #}\n{% set nginx_tpl_ssl_certificate = item.ssl_crt|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_crt|d(nginx_pki_crt))) %}\n{#\n #\n # ---- SSL certificate key ----\n #}\n{% set nginx_tpl_ssl_certificate_key = item.ssl_key|d(nginx_pki_path + \"/\" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + (item.pki_key|d(nginx_pki_key))) %}\n{#\n #\n # ---- SSL client CA certificate ----\n #}\n{% set nginx_tpl_ssl_client_certificate = item.ssl_ca|d(nginx_pki_path + \"/\" + item.pki_ca_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_ca_realm) + \"/\" + (item.pki_ca|d(nginx_pki_ca))) %}\n{#\n #\n # ---- SSL trusted CA certificate ----\n #}\n{% set nginx_tpl_ssl_trusted_certificate = item.ssl_trusted\n |d(nginx_pki_path + \"/\" + (item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + \"/\" + item.pki_trusted | d(nginx_pki_trusted))) %}\n{#\n #\n # ---- Diffie-Hellman Key Exchange parameters ----\n #}\n{% set nginx_tpl_ssl_dhparam = item.ssl_dhparam | default(nginx_ssl_dhparam) %}\n{#\n #\n # ---- root directory ----\n #}\n{% if item.owner|d() %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/' + item.owner + '/sites/' + (item.name if item.name is string 
else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% else %}\n{% set nginx_tpl_root = item.root | default(nginx_www + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}\n{% endif %}\n{% if item.root_suffix|d() %}\n{% set nginx_tpl_root = nginx_tpl_root + '/' + item.root_suffix %}\n{% endif %}\n{% macro print_root() %}\n{% block nginx_tpl_block_root %}\n{% if (not (item.root|d() | bool)) and nginx_tpl_root %}\n root {{ nginx_tpl_root }};\n{% endif %}\n{% endblock %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location' hash, flat ----\n #}\n{% macro print_location(location,location_allow=[],location_referers=[],location_deny=[]) %}\n{% if location is defined %}\n{% for path in location.keys() %}\n{% if location[path] %}\n location {{ path }} {\n{% if location_referers is defined %}\n{% if location_referers[path] is defined and location_referers[path] %}\n valid_referers none blocked {{ location_referers[path] | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% endif %}\n {{ item.location[path] | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% if location_allow is defined %}\n{% if location_allow[path] is defined and location_allow[path] %}\n{% for address in location_allow[path] | unique %}\n allow {{ address }};\n{% endfor %}\n{% if location_deny is defined %}\n{% if location_deny[path] is defined %}\n{% for address in location_deny[path] | unique %}\n deny {{ address }};\n{% endfor %}\n{% endif %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% endif %}\n }\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints location entries from 'location_list' list, recursive\n #}\n{% macro print_location_list(location_list) %}\n{% if location_list is defined %}\n{% for entry in location_list %}\n{% if entry.pattern|d() 
and (entry.enabled|d(True) | bool) %}\n location {{ entry.pattern_prefix | default('') + entry.pattern }} {\n{% if entry.referers|d() %}\n valid_referers none blocked {{ entry.referers | unique | join(' ') }};\n if ($invalid_referer) {\n return 403;\n }\n{% endif %}\n{% if entry.options|d() %}\n {{ entry.options | indent(16) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n{% if entry.allow|d() %}\n{% for address in entry.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% if entry.deny|d() %}\n{% for address in entry.deny | unique %}\n deny {{ address }};\n{% endfor %}\n{% else %}\n deny all;\n{% endif %}\n{% endif %}\n{% if entry.locations|d() %}\n{{ print_location_list(entry.locations) | indent(8, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% endif %}\n }\n{% endif %}\n{% if not loop.last %}\n\n{% endif %}\n{% endfor %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- macro which prints the nginx server block which is shared between HTTP and HTTPS\n #}\n{% macro print_shared_nginx_server_block() %}\n{% if (not nginx_tpl_ssl and ((item.redirect|d()) or (item.redirect_to_ssl|d() | bool))) %}\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n{% elif nginx_tpl_ssl and item.redirect_ssl|d() %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} {{ item.redirect_ssl }};\n{% else %}\n keepalive_timeout {{ item.keepalive | default(nginx_default_keepalive_timeout) | string }};\n\n{% block nginx_tpl_block_log %}\n{% if item.name|d() %}\n{% set nginx_tpl_access_log_format = '' %}\n{% if item.access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + item.access_log_format %}\n{% elif nginx_access_log_format is defined %}\n{% set nginx_tpl_access_log_format = ' ' + nginx_access_log_format %}\n{% endif %}\n access_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.access_log | d(item.filename | d(item.name if item.name is string else item.name[0]) 
+ '_access') }}.log{{ nginx_tpl_access_log_format }};\n error_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.error_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_error') }}.log;\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_index %}\n{% if item.index|d(True) %}\n index {{ item.index | default('index.html index.htm') }};\n\n{% endif %}\n{% endblock %}\n{% if nginx_real_ip_from|d() and nginx_real_ip_from %}\n{% if nginx_real_ip_header|d() and nginx_real_ip_header %}\n real_ip_header {{ nginx_real_ip_header }};\n{% endif %}\n{% if nginx_real_ip_recursive | bool %}\n real_ip_recursive on;\n{% elif not nginx_real_ip_recursive | bool %}\n real_ip_recursive off;\n{% endif %}\n{% if nginx_real_ip_from is string %}\n set_real_ip_from {{ nginx_real_ip_from }};\n\n{% else %}\n{% for element in nginx_real_ip_from %}\n set_real_ip_from {{ element }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n{% if item.maintenance|d(True)|bool %}\n if (-f $document_root/{{ item.maintenance_file | d('maintenance.html') }}) {\n return 503;\n }\n error_page 503 @maintenance;\n location @maintenance {\n rewrite ^(.*)$ /{{ item.maintenance_file | d('maintenance.html') }} break;\n }\n\n{% endif %}\n{% if item.error_pages|d() %}\n{% for code, location in item.error_pages.items() %}\n error_page {{ code }} {{ location }};\n location {{ location }} {\n internal;\n }\n\n{% endfor %}\n{% endif %}\n{% if item.include_files_begin|d() %}\n{% for file in item.include_files_begin %}\n include {{ file }};\n{% endfor %}\n\n{% endif %}\n{% if item.error_pages_list|d() %}\n{% for element in item.error_pages_list %}\n{% if element.location|d() or element.location_options|d() %}\n\n{% endif %}\n error_page {{ element.code if (element.code is string) else (element.code | join(\" \")) }} {{ element.uri }};\n{% if element.location|d() or element.location_options|d() %}\n location {{ element.location | d(element.uri) }} {\n{{ element.location_options | indent(16, 
true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n }\n{% if not loop.last %}\n\n{% endif %}\n{% endif %}\n{% endfor %}\n\n{% endif %}\n{% if item.options|d() %}\n {{ item.options | indent(8) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_satisfy_map) %}\n satisfy {{ nginx_access_policy_satisfy_map[item.access_policy] }};\n\n{% elif item.allow|d() or\n (item.auth_basic|d() | bool) or\n (item.satisfy|d()) or\n (item.access_policy|d() and\n item.access_policy not in nginx_access_policy_satisfy_map) %}\n satisfy {{ item.satisfy | default(nginx_default_satisfy) }};\n\n{% endif %}\n{% if item.allow|d() or item.access_policy|d() %}\n{% if item.allow is defined %}\n{% if item.allow is string %}\n allow {{ item.allow }};\n{% else %}\n{% for address in item.allow | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_allow_map) %}\n{% for address in nginx_access_policy_allow_map[item.access_policy] | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n\n{% endif %}\n{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_auth_basic_map) %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ nginx_private_path + \"/\" + nginx_access_policy_auth_basic_map[item.access_policy] }};\n\n{% elif item.auth_basic|d() | bool %}\n auth_basic \"{{ item.auth_basic_realm|d(nginx_default_auth_basic_realm) }}\";\n auth_basic_user_file {{ item.auth_basic_filename | default(nginx_private_path + \"/\" + item.auth_basic_name|d()) }};\n\n{% endif %}\n{% if item.userdir|d()|bool %}\n location ~ {{ item.userdir_regexp | d('^/~(.+?)(/.*)?$') }} {\n alias {{ item.userdir_alias | d(nginx_www + '/$1/userdir/public$2') }};\n index {{ item.userdir_index | d(item.index | default('index.html index.htm')) }};\n{% if 
item.userdir_options|d() %}\n{{ item.userdir_options | indent(16, true) | regex_replace(\"(?m)^\\s*$\", \"\") }}\n{% else %}\n autoindex on;\n autoindex_exact_size off;\n{% endif %}\n }\n\n{% endif %}\n{% if item.deny_hidden|d(True) | bool %}\n # Disallow access to hidden files and directories\n location ~ /\\. {\n return 404;\n }\n\n{% endif %}\n{% if item.favicon|d(True) | bool %}\n location = /favicon.ico {\n try_files /favicon.ico =204;\n access_log off;\n log_not_found off;\n }\n\n{% endif %}\n{% if item.status|d(True) and (nginx_status or nginx_status_localhost) %}\n location = {{ item.status_name | default(nginx_status_name) }} {\n stub_status on;\n access_log off;\n{% if nginx_status_localhost %}\n{% for address in nginx_status_localhost | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if nginx_status %}\n{% for address in nginx_status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n{% if item.status|d() %}\n{% for address in item.status | unique %}\n allow {{ address }};\n{% endfor %}\n{% endif %}\n deny all;\n }\n\n{% endif %}\n{% block nginx_tpl_block_custom_status_locations %}\n{% endblock %}\n{% if nginx_tpl_default_server or nginx_tpl_default_server_ssl %}\n include /etc/nginx/sites-default.d/*.conf;\n\n{% endif %}\n{% block nginx_tpl_block_location %}\n{% if item.location|d() or item.location_list|d() %}\n{% if item.location_list|d() %}\n{{ print_location_list(item.location_list) }}\n{% endif %}\n{% if item.location|d() %}\n{{ print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}\n{% endif %}\n{% else %}\n location / {\n{% block nginx_tpl_block_location_root %}\n try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files|d() else nginx_default_try_files) | join(' ') }} =404;\n{% endblock %}\n }\n{% endif %}\n{% endblock %}\n{% block nginx_tpl_block_custom_locations %}\n{% endblock %}\n{% if item.include_files_end|d() %}\n\n{% for file 
in item.include_files_end %}\n include {{ file }};\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endmacro %}\n{#\n #\n # ---- nginx server template begins here ----\n #}\n# {{ ansible_managed }}\n\n{% if item.name|d() %}\n# nginx server configuration for:\n{% for address in ([ item.name ] if item.name is string else item.name) %}\n{% if nginx_tpl_ssl and not (item.redirect_to_ssl|d(True) | bool) %}\n# - http://{{ address }}/\n{% endif %}\n# - {{ \"https\" if nginx_tpl_ssl else \"http\" }}://{{ address }}/\n{% endfor %}\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% else %}\n# nginx server default configuration\n{% if item.by_role|d() %}\n# generated by Ansible role: {{ item.by_role }}\n{% endif %}\n\n{% endif %}\n{% if item.redirect_from|d() and item.name|d() %}\n{% if item.name is string or item.name | length == 1 %}\n# Cannot redirect from only one name: {{ item.name if item.name is string else item.name | join(', ') }}\n\n{% else %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port|string }};\n{% endfor %}\n{% if nginx_tpl_ssl | bool %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port|string }} ssl;\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n{% endif %}\n\n{% if item.redirect_from is iterable %}\n{% for name in item.redirect_from %}\n server_name {{ name }};\n{% endfor %}\n{% else %}{# item.redirect_from is True #}\n{% for name in item.name[1:] %}\n server_name {{ name }};\n{% endfor %}\n{% endif %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;\n\n}\n\n{% endif %}\n{% elif item.redirect_to|d() and item.name|d() %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }};\n{% endfor %}\n\n{% for address in ([ item.name 
] if item.name is string else item.name) %}\n{% if address != item.redirect_to %}\n server_name {{ address }};\n{% endif %}\n{% endfor %}\n\n{% endif %}\n return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.redirect_to }}$request_uri;\n\n}\n\n{% endif %}\nserver {\n\n{% if item.listen|d(True) %}\n{% for port in nginx_tpl_listen %}\n listen {{ port }}{% if nginx_tpl_default_server %} {{ nginx_tpl_default_server | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only) %} {{ nginx_tpl_ipv6only | join(\" \") }}{% endif %};\n{% endfor %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl %}\n{% if item.listen|d(True) %}\n{% if not (item.redirect_to_ssl|d(True) | bool) %}\n{{ print_shared_nginx_server_block() }}\n{% else %}\n location / {\n return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};\n }\n{% endif %}\n\n}\n\nserver {\n\n{% endif %}\n{% for port in nginx_tpl_listen_ssl %}\n listen {{ port }} ssl{% if nginx_version is version_compare('1.9.5','>=') %} http2{% elif nginx_version is version_compare('1.4','>=') %} spdy{% endif %}{% if nginx_tpl_default_server_ssl %} {{ nginx_tpl_default_server_ssl | join(\" \") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only_ssl) %} {{ nginx_tpl_ipv6only_ssl | join(\" \") }}{% endif %};\n{% endfor %}\n\n ssl_certificate {{ nginx_tpl_ssl_certificate }};\n ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};\n ssl_protocols {{ (item.tls_protocols | 
d(nginx_default_tls_protocols)) | join(\" \") }};\n ssl_prefer_server_ciphers on;\n{% if (nginx_ssl_ciphers[item.ssl_ciphers | d(nginx_default_ssl_ciphers)]) %}\n ssl_ciphers \"{{ nginx_ssl_ciphers[item.ssl_ciphers | default(nginx_default_ssl_ciphers)] }}\"; # TLS cipher suites set: {{ item.ssl_ciphers | default(nginx_default_ssl_ciphers) }}\n{% else %}\n #ssl_ciphers \"default set of ciphers used by this nginx install\";\n{% endif %}\n{% if nginx_tpl_ssl_dhparam %}\n ssl_dhparam {{ nginx_tpl_ssl_dhparam }};\n{% endif %}\n{% if item.ssl_curve | default(nginx_default_ssl_curve) %}\n ssl_ecdh_curve {{ item.ssl_curve | default(nginx_default_ssl_curve) }};\n{% endif %}\n{% if nginx_version is version_compare('1.4','>=') and (item.ocsp | d(nginx_ocsp)) | bool %}\n ssl_stapling on;\n{% if (item.ocsp_verify | d(nginx_ocsp_verify)) | bool %}\n ssl_stapling_verify on;\n ssl_trusted_certificate {{ nginx_tpl_ssl_trusted_certificate }};\n{% endif %}\n resolver {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ipwrap | join(\" \") }} valid=300s;\n resolver_timeout 5s;\n{% endif %}\n{% if (item.ssl_verify_client | d(nginx_default_ssl_verify_client)) | bool %}\n{% if item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) %}\n ssl_verify_client on;\n ssl_client_certificate {{ item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) }};\n{% endif %}\n{% if item.ssl_crl | d(nginx_default_ssl_crl) %}\n ssl_crl {{ item.ssl_crl | d(nginx_default_ssl_crl) }};\n{% endif %}\n{% endif %}\n{% if item.hsts_enabled|d(True) | bool %}\n add_header Strict-Transport-Security \"max-age={{ nginx_hsts_age }}{{ \"; includeSubDomains\" if nginx_hsts_subdomains|bool else \"\" }}{{ \"; preload\" if ((item.hsts_preload | d(nginx_hsts_preload)) | bool) else \"\" }}\";\n{% endif %}\n{% if item.csp_enabled|d(False) | bool %}\n add_header Content-Security-Policy \"{{ item.csp|d(\"default-src https: ;\") + (\" \" + item.csp_append|d(nginx__http_csp_append) if 
(item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.csp_report_enabled|d(False) | bool %}\n add_header Content-Security-Policy-Report-Only \"{{ item.csp_report|d(item.csp|d(\"default-src https: ;\")) + (\" \" + item.csp_append|d(nginx__http_csp_append) if (item.csp_append|d(nginx__http_csp_append)) else \"\") }}\";\n{% endif %}\n{% if item.content_type_options|d(True) != omit %}\n add_header X-Content-Type-Options \"{{ item.content_type_options | d('nosniff') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.frame_options|d() != omit %}\n add_header X-Frame-Options \"{{ item.frame_options | d('SAMEORIGIN') }}\"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};\n{% endif %}\n{% if item.xss_protection | d(nginx__http_xss_protection) != omit %}\n add_header X-XSS-Protection \"{{ item.xss_protection | d(nginx__http_xss_protection) }}\";\n{% endif %}\n{% if item.http_referrer_policy | d(nginx__http_referrer_policy) != omit %}\n add_header Referrer-Policy \"{{ item.http_referrer_policy | d(nginx__http_referrer_policy) }}\";\n{% endif %}\n{% for robots_tag in nginx_tpl_robots_tag %}\n add_header X-Robots-Tag \"{{ robots_tag }}\";\n{% endfor %}\n{% if item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) != omit %}\n add_header X-Permitted-Cross-Domain-Policies \"{{ item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) }}\";\n{% endif %}\n\n{% if item.name|d() %}\n{% if item.redirect_from|d() %}\n server_name {{ item.name if item.name is string else item.name[0] }};\n\n{% elif item.redirect_to|d() %}\n server_name {{ item.redirect_to }};\n\n{% else %}\n{% for name in ([ item.name ] if item.name is string else item.name) %}\n server_name {{ name }};\n{% endfor %}\n\n{% endif %}\n{% endif %}\n{% endif %}\n{% if nginx_tpl_ssl | bool %}\n{{ print_root() }}\n{% if nginx_tpl_acme | bool %}\n include 
snippets/acme-challenge.conf;\n\n{% endif %}\n{% endif %}\n{# ---- end of nginx_tpl_ssl ---- #}\n{{ print_shared_nginx_server_block() }}\n}\n): coercing to Unicode: need string or buffer, list found"}