Make basic_auth a global nginx parameter

Instead of enabling basic auth per role this makes it
an nginx parameter which makes more sense for sandboxes
and probably other servers where we want basic auth turned on

playbooks/edx-east/deploy_nginx_all_roles.yml

+- name: Configure instance(s)
+  hosts: all
+  sudo: True
+  gather_facts: False
+  vars_files:
+    - roles/edxapp/defaults/main.yml
+    - roles/ora/defaults/main.yml
+    - roles/xqueue/defaults/main.yml
+    - roles/xserver/defaults/main.yml
+  roles:
+    - common
+    - role: nginx
+      nginx_sites:
+      - cms
+      - lms
+      - ora
+      - xqueue
+      - xserver

playbooks/roles/discern/defaults/main.yml

 DISCERN_NGINX_PORT: 18070
-DISCERN_BASIC_AUTH: False
 DISCERN_MEMCACHE: [ 'localhost:11211' ]
 DISCERN_AWS_ACCESS_KEY_ID: ""
 DISCERN_AWS_SECRET_ACCESS_KEY: ""

playbooks/roles/edxapp/defaults/main.yml

@@ -89,9 +89,6 @@ EDXAPP_LMS_NGINX_PORT: 18000
 EDXAPP_LMS_PREVIEW_NGINX_PORT: 18020
 EDXAPP_CMS_NGINX_PORT: 18010
 
-EDXAPP_LMS_BASIC_AUTH: False
-EDXAPP_CMS_BASIC_AUTH: False
-EDXAPP_LMS_PREVIEW_BASIC_AUTH: False
 EDXAPP_LANG: 'en_US.UTF-8'
 EDXAPP_TIME_ZONE: 'America/New_York'
 

playbooks/roles/nginx/defaults/main.yml

 # Variables for nginx role
 ---
+# Set global htaccess for nginx
+NGINX_HTPASSWD_USER: !!null
+NGINX_HTPASSWD_PASS: !!null
 
 nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
 nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
@@ -8,10 +11,11 @@ nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
 nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
 nginx_sites_enabled_dir: "{{ nginx_app_dir }}/sites-enabled"
 nginx_user: root
+nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"
 
-pkgs:
-  nginx:
-    state: installed
+nginx_debian_pkgs:
+  - nginx
+  - python-passlib
 
 nginx_xserver_gunicorn_hosts:
   - 127.0.0.1
@@ -36,7 +40,3 @@ nginx_cfg:
   # nginx configuration
   version_html: "{{ nginx_app_dir }}/versions.html"
   version_json: "{{ nginx_app_dir }}/versions.json"
-  # default htpasswd contents set to edx/edx
-  # this value can be overiden in vars/secure/<group>.yml
-  htpasswd: |
-    edx:$apr1$2gWcIvlc$Nu7b/KTwd5HoIDEkSPNUk/

playbooks/roles/nginx/tasks/main.yml

@@ -25,8 +25,8 @@
     - "{{ nginx_log_dir }}"
   notify: nginx | restart nginx
 
-- name: nginx | Install nginx
-  apt: pkg=nginx state={{ pkgs.nginx.state }}
+- name: nginx | Install nginx packages
+  apt: pkg={{','.join(nginx_debian_pkgs)}} state=present
   notify: nginx | restart nginx
 
 - name: nginx | Server configuration file
@@ -63,10 +63,12 @@
   notify: nginx | reload nginx
   with_items: nginx_sites
 
-- name: nginx | Write out default htpasswd file
-  copy: >
-    content={{ nginx_cfg.htpasswd }} dest={{ nginx_app_dir }}/nginx.htpasswd
-    owner=www-data group=www-data mode=0600
+- name: nginx | Write out htpasswd file
+  htpasswd: >
+    name={{ NGINX_HTPASSWD_USER }}
+    password={{ NGINX_HTPASSWD_PASS }}
+    path={{ nginx_htpasswd_file }}
+  when: NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS
 
 - name: nginx | Create nginx log file location (just in case)
   file: >

playbooks/roles/nginx/templates/basic-auth.j2

+{% if  NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS %}
      auth_basic            "Restricted";
-     auth_basic_user_file  {{ nginx_app_dir }}/nginx.htpasswd;
+     auth_basic_user_file  {{ nginx_htpasswd_file }};
      index index.html
      proxy_set_header X-Forwarded-Proto https;
+{% endif %}

playbooks/roles/nginx/templates/cms.j2

@@ -32,9 +32,7 @@ server {
   }
 
   location / {
-    {% if  EDXAPP_CMS_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_cms_app;
   }
 

playbooks/roles/nginx/templates/discern.j2

@@ -20,9 +20,7 @@ server {
     }
 
     location / {
-        {% if  DISCERN_BASIC_AUTH %}
         {% include "basic-auth.j2" %}
-        {% endif %}
         proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
         proxy_set_header X-Forwarded-For $http_x_forwarded_for;

playbooks/roles/nginx/templates/lms-preview.j2

@@ -30,9 +30,7 @@ server {
 
   location / {
 
-    {% if  EDXAPP_LMS_PREVIEW_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_lms-preview_app;
   }
 

playbooks/roles/nginx/templates/lms.j2

@@ -31,10 +31,7 @@ server {
   }
 
   location / {
-
-    {% if  EDXAPP_LMS_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_lms_app;
   }
 

playbooks/roles/nginx/templates/ora.j2

@@ -9,9 +9,7 @@ server {
 
   location / {
 
-    {% if  ORA_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/xqueue.j2

@@ -8,9 +8,7 @@ server {
   listen {{ XQUEUE_NGINX_PORT }} default_server;
 
   location / {
-    {% if  XQUEUE_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/xserver.j2

@@ -18,9 +18,7 @@ server {
   listen {{ XSERVER_NGINX_PORT }} default_server;
 
   location / {
-    {% if  XSERVER_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/ora/defaults/main.yml

 # vars for the ORA role
 ---
 ORA_NGINX_PORT: 18060
-ORA_BASIC_AUTH: False
 
 ora_app_dir: "{{ COMMON_APP_DIR }}/ora"
 ora_code_dir: "{{ ora_app_dir }}/ora"

playbooks/roles/xqueue/defaults/main.yml

@@ -2,7 +2,6 @@
 # when the role is included
 ---
 XQUEUE_NGINX_PORT: 18040
-XQUEUE_BASIC_AUTH: False
 
 xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
 xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"

playbooks/roles/xserver/defaults/main.yml

@@ -2,7 +2,6 @@
 ---
 
 XSERVER_NGINX_PORT: 18050
-XSERVER_BASIC_AUTH: False
 
 XSERVER_RUN_URL: ''
 XSERVER_LOGGING_ENV: 'sandbox'