# Variables for nginx role
---
# These are parameters to the role and should be overridden by the
# deployment. Every one of them defaults to an empty list or mapping.
# NOTE(review): the values supplied here presumably end up in rendered
# nginx configuration, so overrides deserve the same review as the
# templates themselves - confirm against the role's tasks and templates.
nginx_sites: []
nginx_redirects: {}
nginx_extra_sites: []
nginx_extra_configs: []
NGINX_EDXAPP_EXTRA_SITES: []
NGINX_EDXAPP_EXTRA_CONFIGS: []
NGINX_EDXAPP_CUSTOM_REDIRECTS: {}

# Override these vars to add users to nginx.htpasswd.
# Each entry has a name, a password and a state. The default entry takes
# both credentials from COMMON_HTPASSWD_USER and COMMON_HTPASSWD_PASS,
# which are defined outside this file.
# NOTE(review): supply real passwords from an encrypted source (for
# example Ansible Vault) rather than a plain-text vars file, and if
# COMMON_HTPASSWD_PASS ships with a default, confirm it is overridden on
# every host that enables basic auth.
NGINX_USERS:
  - name: "{{ COMMON_HTPASSWD_USER }}"
    password: "{{ COMMON_HTPASSWD_PASS }}"
    state: present

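# TLS and the HTTP-to-HTTPS redirect are both off by default.
# While NGINX_ENABLE_SSL is false, everything nginx serves or receives
# (basic-auth credentials included) is unencrypted unless something in
# front of nginx terminates TLS.
NGINX_ENABLE_SSL: false
NGINX_REDIRECT_TO_HTTPS: false
# Set NGINX_SSL_CERTIFICATE and NGINX_SSL_KEY (below) to real paths on
# your filesystem, otherwise nginx will use a self-signed snake-oil cert.
# A self-signed certificate gives clients nothing to verify the server
# against, so treat the default as suitable for test environments only.
#
# To use a certificate chain add the contents
# to your certificate:
#
# cat www.example.com.crt bundle.crt > www.example.com.chained.crt

# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
# It should be set to one of !!null, "scheme" or "forward_for_proto"
# NOTE(review): "forward_for_proto" presumably keys the redirect on the
# X-Forwarded-Proto request header; that is only sound behind a proxy
# that sets the header itself - confirm against the site templates.
NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"

# Default certificate and key: the snake-oil pair mentioned above.
# Keep the real private key readable only by the account that needs it.
NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'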

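# Name of the nginx log format to use.
NGINX_LOG_FORMAT_NAME: 'p_combined'
# When set to false, nginx will pass X-Forwarded-For, X-Forwarded-Port,
# and X-Forwarded-Proto headers through to the backend unmodified.
# This is desired when nginx is deployed behind another load balancer
# which takes care of properly setting the X-Forwarded-* headers.
# When there is no other load balancer in front of nginx, set this
# variable to true to force nginx to set the values of the X-Forwarded-*
# headers to reflect the properties of the incoming request.
#
# Security note: with the default (false) and no trusted load balancer
# in front, the X-Forwarded-* values reaching the backend are whatever
# the client sent. Anything downstream that relies on them (client IP
# in logs, rate limiting, scheme detection) then trusts client input.
NGINX_SET_X_FORWARDED_HEADERS: false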

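# Image referenced by the static error pages below.
# NOTE(review): the default points at a third-party host. If the pages
# embed it directly, every error-page view makes the visitor's browser
# contact that host and the page depends on its availability; consider
# overriding this with an asset served from your own domain.
NGINX_SERVER_ERROR_IMG: 'https://upload.wikimedia.org/wikipedia/commons/thumb/1/11/Pendleton_Sinking_Ship.jpg/640px-Pendleton_Sinking_Ship.jpg'
# Static error pages: one entry per generated file, with its title,
# message, image and heading. The support address in each message comes
# from EDXAPP_TECH_SUPPORT_EMAIL and falls back to technical@example.com
# when that variable is undefined.
NGINX_SERVER_HTML_FILES:
  - file: rate-limit.html
    title: 'Rate limit exceeded'
    # Wording fixed: the message previously read "If think you have ...".
    msg: 'If you think you have encountered this message in error please let us know at <a href="mailto:{{ EDXAPP_TECH_SUPPORT_EMAIL|default("technical@example.com") }}">{{ EDXAPP_TECH_SUPPORT_EMAIL|default("technical@example.com") }}</a>'
    img: "{{ NGINX_SERVER_ERROR_IMG }}"
    heading: 'Uh oh, we are having some server issues..'
  - file: server-error.html
    title: 'Server error'
    msg: 'We have been notified of the error, if it persists please let us know at <a href="mailto:{{ EDXAPP_TECH_SUPPORT_EMAIL|default("technical@example.com") }}">{{ EDXAPP_TECH_SUPPORT_EMAIL|default("technical@example.com") }}</a>'
    img: "{{ NGINX_SERVER_ERROR_IMG }}"
    heading: 'Uh oh, we are having some server issues..'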

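# APT source line for the upstream nginx packages; the release name is
# filled in from the ansible_distribution_release fact. Quoted so the
# templated value is always read as a plain string.
# NOTE(review): the repository is fetched over plain http, so package
# integrity rests entirely on APT verifying the repository signature.
# Confirm that the role installs the repository signing key and does
# not permit unauthenticated packages.
NGINX_APT_REPO: "deb http://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx"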


# Filesystem layout for the role, built on the COMMON_*_DIR values that
# are defined outside this file.
nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
nginx_server_static_dir: "{{ nginx_data_dir }}/server-static"
nginx_conf_dir: "{{ nginx_app_dir }}/conf.d"
nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
nginx_sites_enabled_dir: "/etc/nginx/sites-enabled"
# NOTE(review): root is the default here. Confirm whether this is only
# the owner of the configuration files and directories, or the account
# the nginx worker processes run as; workers should be unprivileged.
nginx_user: root
# Password file for basic auth, kept under nginx_app_dir.
# NOTE(review): it holds password hashes; confirm the tasks that write
# it restrict its mode to what nginx needs.
nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"
nginx_default_sites: []
# Debian packages installed by the role.
# python-passlib is presumably needed for managing the htpasswd file -
# confirm against the tasks.
nginx_debian_pkgs:
  - python-passlib

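# S3-backed maintenance mode for edxapp; off by default.
NGINX_EDXAPP_ENABLE_S3_MAINTENANCE: false
# Page served for the error statuses listed below.
nginx_default_error_page: "/server/server-error.html"
# Maps an HTTP status code to the error page to serve for it. The codes
# are quoted so that they stay strings rather than integers.
NGINX_EDXAPP_ERROR_PAGES:
  "500": "{{ nginx_default_error_page }}"
  "502": "{{ nginx_default_error_page }}"
  "504": "{{ nginx_default_error_page }}"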

# Host name patterns for the individual services. The leading "~" is
# nginx's marker for a regular-expression server name; presumably these
# values are used as server_name entries - confirm in the site templates.
# NOTE(review): each pattern is anchored at the start only and ends in
# ".*", so it matches any host name that begins with the optional
# "stage-"/"prod-" prefix followed by the service word, whatever domain
# follows. If the applications behind nginx trust the Host header,
# override these with the exact host names of the deployment.
CMS_HOSTNAME: '~^((stage|prod)-)?studio.*'
ECOMMERCE_HOSTNAME: '~^((stage|prod)-)?ecommerce.*'
PROGRAMS_HOSTNAME: '~^((stage|prod)-)?programs.*'
CREDENTIALS_HOSTNAME: '~^((stage|prod)-)?credentials.*'

# Relative path (no leading slash), unlike the nginx_*_dir values above.
# Presumably resolved against the role's templates directory - confirm.
nginx_template_dir: "edx/app/nginx/sites-available"

# Backend (gunicorn) hosts per service. Every list defaults to the
# loopback address only, i.e. the backend runs on the same machine.
# NOTE(review): if any list is overridden with non-loopback addresses,
# check how the connection from nginx to that backend is protected;
# that is decided in the templates, which are not part of this file.
nginx_xserver_gunicorn_hosts:
  - 127.0.0.1
nginx_xqueue_gunicorn_hosts:
  - 127.0.0.1
nginx_ora_gunicorn_hosts:
  - 127.0.0.1
nginx_lms_gunicorn_hosts:
  - 127.0.0.1
nginx_lms_preview_gunicorn_hosts:
  - 127.0.0.1
nginx_cms_gunicorn_hosts:
  - 127.0.0.1
nginx_analytics_api_gunicorn_hosts:
  - 127.0.0.1
nginx_insights_gunicorn_hosts:
  - 127.0.0.1
nginx_gitreload_gunicorn_hosts:
  - 127.0.0.1
nginx_edx_notes_api_gunicorn_hosts:
  - 127.0.0.1
nginx_ecommerce_gunicorn_hosts:
  - 127.0.0.1
nginx_programs_gunicorn_hosts:
  - 127.0.0.1
# NOTE(review): "credentails" looks like a misspelling of "credentials".
# The name is left as is because anything that reads this variable must
# use the same spelling; rename it only together with its consumers.
nginx_credentails_gunicorn_hosts:
  - 127.0.0.1

# Settings for the basic nginx configuration.
nginx_cfg:
  # State of each entry under sites_enabled:
  #   - link - turn on
  #   - absent - turn off
  sites_enabled:
    basic_auth: link
    edx_release: link
  # path to version files for the basic
  # nginx configuration
  # NOTE(review): if these files are reachable without authentication
  # they disclose what is deployed - confirm how the site serving them
  # is restricted.
  version_html: "{{ nginx_app_dir }}/versions.html"
  version_json: "{{ nginx_app_dir }}/versions.json"

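# Robot rules; none by default. The empty list is written as [] to match
# the other empty defaults in this file.
NGINX_ROBOT_RULES: []
# CIDR ranges for the edxapp embargo; none by default.
# NOTE(review): presumably requests from these ranges are refused - the
# enforcement lives in the templates, confirm there.
NGINX_EDXAPP_EMBARGO_CIDRS: []
# Text of the P3P message; the value itself states that no P3P policy
# exists.
NGINX_P3P_MESSAGE: 'CP="Open edX does not have a P3P policy."'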

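# Common switch for HTTP basic auth; off by default.
# Security note: basic auth sends the credentials with every request in
# an easily decoded form, so enable it together with NGINX_ENABLE_SSL or
# behind a proxy that terminates TLS.
COMMON_ENABLE_BASIC_AUTH: false

# Per-service switches. Each one takes the value of
# COMMON_ENABLE_BASIC_AUTH unless it is overridden individually.
CERTS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
ECOMMERCE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_CMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_LMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
KIBANA_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
PROGRAMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
XQUEUE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
XSERVER_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"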

# Jinja expression that is true when at least one of the per-service
# *_ENABLE_BASIC_AUTH flags is enabled. Each flag goes through the bool
# filter first because the flags are templated values, not literals.
# Presumably this gates creation of the htpasswd file - confirm in the
# role's tasks.
# NOTE(review): a service that gets its own *_ENABLE_BASIC_AUTH flag
# must also be added to this list, otherwise enabling only that flag
# leaves this expression false.
NGINX_CREATE_HTPASSWD_FILE: >
  {{
    CERTS_ENABLE_BASIC_AUTH|bool or
    ECOMMERCE_ENABLE_BASIC_AUTH|bool or
    EDXAPP_CMS_ENABLE_BASIC_AUTH|bool or
    EDXAPP_LMS_ENABLE_BASIC_AUTH|bool or
    EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH|bool or
    KIBANA_ENABLE_BASIC_AUTH|bool or
    PROGRAMS_ENABLE_BASIC_AUTH|bool or
    XQUEUE_ENABLE_BASIC_AUTH|bool or
    XSERVER_ENABLE_BASIC_AUTH|bool
  }}