From 43b50663523b9185007c68ec9baee2fd20bdd459 Mon Sep 17 00:00:00 2001 
From: Fedor Batonogov
Date: Tue, 23 Jul 2024 10:40:07 +0300
Subject: [PATCH] Add MinIO cluster
---
ansible/install_minio.yml | 24 ++++++
ansible/install_nginx.yml | 27 +++++++
ansible/inventory.yml | 24 ++++++
.../roles/create_filesystem/tasks/main.yml | 7 ++
ansible/roles/docker_cleaner/meta/main.yml | 20 +++++
ansible/roles/docker_cleaner/tasks/docker.yml | 10 +++
ansible/roles/docker_cleaner/tasks/main.yml | 4 +
.../roles/docker_install/files/daemon.json | 14 ++--
ansible/roles/minio_start/handlers/main.yml | 13 ++++
ansible/roles/minio_start/tasks/add_dirs.yml | 8 ++
ansible/roles/minio_start/tasks/add_user.yml | 8 ++
ansible/roles/minio_start/tasks/main.yml | 10 +++
.../roles/minio_start/tasks/start_minio.yml | 34 +++++++++
.../minio_start/templates/minio.config.j2 | 21 ++++++
.../minio_start/templates/minio.service.j2 | 29 ++++++++
ansible/roles/minio_start/vars/main.yml | 5 ++
ansible/roles/mount/tasks/main.yml | 8 ++
.../nginx_install/files/conf.d/minio.conf | 73 +++++++++++++++++++
ansible/roles/nginx_install/handlers/main.yml | 8 ++
ansible/roles/nginx_install/tasks/cert.yml | 34 +++++++++
ansible/roles/nginx_install/tasks/config.yml | 19 +++++
ansible/roles/nginx_install/tasks/main.yml | 16 ++++
ansible/roles/nginx_install/tasks/nginx.yml | 23 ++++++
ansible/roles/nginx_install/tasks/user.yml | 7 ++
.../templates/docker-compose.yml.j2 | 28 +++++++
ansible/roles/nginx_install/vars/main.yml | 5 ++
26 files changed, 474 insertions(+), 5 deletions(-)
create mode 100644 ansible/install_minio.yml
create mode 100644 ansible/install_nginx.yml
create mode 100644 ansible/roles/create_filesystem/tasks/main.yml
create mode 100644 ansible/roles/docker_cleaner/meta/main.yml
create mode 100644 ansible/roles/docker_cleaner/tasks/docker.yml
create mode 100644 ansible/roles/docker_cleaner/tasks/main.yml
create mode 100644 ansible/roles/minio_start/handlers/main.yml
create mode 100644 ansible/roles/minio_start/tasks/add_dirs.yml
create mode 100644 ansible/roles/minio_start/tasks/add_user.yml
create mode 100644 ansible/roles/minio_start/tasks/main.yml
create mode 100644 ansible/roles/minio_start/tasks/start_minio.yml
create mode 100644 ansible/roles/minio_start/templates/minio.config.j2
create mode 100644 ansible/roles/minio_start/templates/minio.service.j2
create mode 100644 ansible/roles/minio_start/vars/main.yml
create mode 100644 ansible/roles/mount/tasks/main.yml
create mode 100644 ansible/roles/nginx_install/files/conf.d/minio.conf
create mode 100644 ansible/roles/nginx_install/handlers/main.yml
create mode 100644 ansible/roles/nginx_install/tasks/cert.yml
create mode 100644 ansible/roles/nginx_install/tasks/config.yml
create mode 100644 ansible/roles/nginx_install/tasks/main.yml
create mode 100644 ansible/roles/nginx_install/tasks/nginx.yml
create mode 100644 ansible/roles/nginx_install/tasks/user.yml
create mode 100644 ansible/roles/nginx_install/templates/docker-compose.yml.j2
create mode 100644 ansible/roles/nginx_install/vars/main.yml
diff --git a/ansible/install_minio.yml b/ansible/install_minio.yml
new file mode 100644
index 0000000..03b2952
--- /dev/null
+++ b/ansible/install_minio.yml
@@ -0,0 +1,24 @@
+---
+- name: Подготовка узлов
+ become: true
+ hosts:
+ - minio_hosts
+ roles:
+ - docker_install
+
+- name: Развертывание MinIO Multi-Node Multi-Drive
+ become: true
+ hosts:
+ - minio_hosts
+ vars:
+ filesystem: xfs
+ device_name:
+ - /dev/vdb
+ device:
+ - { src: /dev/vdb, path: /mnt/disk1 }
+ minio_username: minio
+ roles:
+ - create_filesystem
+ - mount
+ - minio_start
+ - docker_cleaner
diff --git a/ansible/install_nginx.yml b/ansible/install_nginx.yml
new file mode 100644
index 0000000..1ded7ab
--- /dev/null
+++ b/ansible/install_nginx.yml
@@ -0,0 +1,27 @@
+- name: Подготавливаю узлы
+ become: true
+ hosts:
+ - nginx_hosts
+ roles:
+ - docker_install
+ - nginx_install
+
+- name: Настраиваю keepalived
+ become: true
+ hosts:
+ - nginx-01
+ roles:
+ - role: keepalived
+ unit_file: "keepalived.master.conf.j2"
+ virtual_ip: "10.0.75.90/24"
+ virtual_router_id: 10
+
+- name: Настраиваю keepalived
+ become: true
+ hosts:
+ - nginx-02
+ roles:
+ - role: keepalived
+ unit_file: "keepalived.backup.conf.j2"
+ virtual_ip: "10.0.75.90/24"
+ virtual_router_id: 10
diff --git a/ansible/inventory.yml b/ansible/inventory.yml
index b2db812..dfa6176 100644
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -47,3 +47,27 @@ patroni_postgresql_cluster:
 vars:
 ansible_user: infra
 ansible_port: 22
+
+minio_hosts:
+ hosts:
+ minio1:
+ ansible_host: 10.0.75.55
+ minio2:
+ ansible_host: 10.0.75.56
+ minio3:
+ ansible_host: 10.0.75.57
+ minio4:
+ ansible_host: 10.0.75.58
+ vars:
+ ansible_user: infra
+ ansible_port: 22
+
+nginx_hosts:
+ hosts:
+ nginx-01:
+ ansible_host: 10.0.75.91
+ nginx-02:
+ ansible_host: 10.0.75.92
+ vars:
+ ansible_user: infra
+ ansible_port: 22
diff --git a/ansible/roles/create_filesystem/tasks/main.yml b/ansible/roles/create_filesystem/tasks/main.yml
new file mode 100644
index 0000000..a87afce
--- /dev/null
+++ b/ansible/roles/create_filesystem/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for create_filesystem
+- name: Create a filesystem
+ community.general.filesystem:
+ fstype: "{{ filesystem }}"
+ dev: '{{ item["src"] }}'
+ loop: "{{ device }}"
diff --git a/ansible/roles/docker_cleaner/meta/main.yml b/ansible/roles/docker_cleaner/meta/main.yml
new file mode 100644
index 0000000..55e4aea
--- /dev/null
+++ b/ansible/roles/docker_cleaner/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: Fedor Batonogov
+ description: Ansible роль для очистки мусора за докером
+ company: Verum LLC
+
+ license: MIT
+
+ min_ansible_version: '2.1'
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - jammy
+
+ galaxy_tags:
+ - docker
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/ansible/roles/docker_cleaner/tasks/docker.yml b/ansible/roles/docker_cleaner/tasks/docker.yml
new file mode 100644
index 0000000..962eef5
--- /dev/null
+++ b/ansible/roles/docker_cleaner/tasks/docker.yml
@@ -0,0 +1,10 @@
+---
+- name: Навожу порядок
+ community.docker.docker_prune:
+ containers: false
+ images: true
+ images_filters:
+ dangling: false
+ networks: false
+ volumes: false
+ builder_cache: false
diff --git a/ansible/roles/docker_cleaner/tasks/main.yml b/ansible/roles/docker_cleaner/tasks/main.yml
new file mode 100644
index 0000000..c0eeeb3
--- /dev/null
+++ b/ansible/roles/docker_cleaner/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+# tasks file for docker_cleaner
+- name: Чищу докер
+ ansible.builtin.import_tasks: docker.yml
diff --git a/ansible/roles/docker_install/files/daemon.json b/ansible/roles/docker_install/files/daemon.json
index aa6d6cb..161caae 100644
--- a/ansible/roles/docker_install/files/daemon.json
+++ b/ansible/roles/docker_install/files/daemon.json
@@ -1,7 +1,11 @@
 {
- "registry-mirrors": [
- "https://dockerhub.timeweb.cloud",
- "https://mirror.gcr.io",
- "https://public.ecr.aws"
- ]
+ "registry-mirrors": [
+ "https://dockerhub.timeweb.cloud",
+ "https://mirror.gcr.io",
+ "https://public.ecr.aws"
+ ],
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "1g"
+ }
 }
diff --git a/ansible/roles/minio_start/handlers/main.yml b/ansible/roles/minio_start/handlers/main.yml
new file mode 100644
index 0000000..123408d
--- /dev/null
+++ b/ansible/roles/minio_start/handlers/main.yml
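Review bot: In `daemon.json`, `log-opts` sets only `max-size`, so each container keeps its log on the node in a single json-file (Docker's `max-file` defaults to 1) and older entries are discarded once 1g is reached. That is thin for incident response on a storage cluster, and `minio.service.j2` in this patch starts the container with `--rm`, so its json-file log is removed together with the container on every stop or restart. Consider adding `"max-file": "3"` next to `max-size` and shipping logs off-host (or using the `journald` driver) so they outlive the container.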
@@ -0,0 +1,13 @@
+---
+- name: Загружаю образ
+ community.docker.docker_image:
+ name: "quay.io/minio/minio"
+ tag: "{{ minio_version }}"
+ source: pull
+
+- name: Перезапускаю minio.service
+ ansible.builtin.systemd:
+ name: minio.service
+ state: restarted
+ enabled: true
+ daemon_reload: true
diff --git a/ansible/roles/minio_start/tasks/add_dirs.yml b/ansible/roles/minio_start/tasks/add_dirs.yml
new file mode 100644
index 0000000..65fa617
--- /dev/null
+++ b/ansible/roles/minio_start/tasks/add_dirs.yml
@@ -0,0 +1,8 @@
+---
+- name: Create a directory if it does not exist
+ ansible.builtin.file:
+ path: /var/lib/minio
+ state: directory
+ owner: "{{ minio_username }}"
+ group: "{{ minio_username }}"
+ mode: "755"
diff --git a/ansible/roles/minio_start/tasks/add_user.yml b/ansible/roles/minio_start/tasks/add_user.yml
new file mode 100644
index 0000000..38d1fe7
--- /dev/null
+++ b/ansible/roles/minio_start/tasks/add_user.yml
@@ -0,0 +1,8 @@
+---
+- name: Создаю пользователя
+ ansible.builtin.user:
+ name: "{{ minio_username }}"
+ shell: /sbin/nologin
+ create_home: true
+ groups: docker
+ uid: "{{ minio_uid }}"
diff --git a/ansible/roles/minio_start/tasks/main.yml b/ansible/roles/minio_start/tasks/main.yml
new file mode 100644
index 0000000..d5ab987
--- /dev/null
+++ b/ansible/roles/minio_start/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# tasks file for minio_start
+- name: Создаю пользователя
+ ansible.builtin.import_tasks: add_user.yml
+
+- name: Создаю директории
+ ansible.builtin.import_tasks: add_dirs.yml
+
+- name: Запускаю minio
+ ansible.builtin.import_tasks: start_minio.yml
diff --git a/ansible/roles/minio_start/tasks/start_minio.yml b/ansible/roles/minio_start/tasks/start_minio.yml
new file mode 100644
index 0000000..d067fb5
--- /dev/null
+++ b/ansible/roles/minio_start/tasks/start_minio.yml
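Review bot: The `Загружаю образ` handler in `minio_start/handlers/main.yml` pulls `quay.io/minio/minio` by tag only, so each node runs whatever the registry serves for `{{ minio_version }}` at pull time. Referencing the image by digest keeps the four nodes provably identical and turns a re-pushed tag into a visible change, for example `quay.io/minio/minio@sha256:<digest>` in the unit file (placeholder; take the digest from the release you verified). The same applies to the image line in `minio.service.j2` and to `nginx:{{ nginx_version }}` and `certbot/certbot:{{ certbot_version }}` in `docker-compose.yml.j2`.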
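Review bot: `/var/lib/minio` in `add_dirs.yml` is created with `mode: "755"`, which lets every local account list and traverse the MinIO directory; the per-disk `{{ item["path"] }}/minio` directory in `start_minio.yml` uses the same mode. Only `{{ minio_username }}`, the uid the container runs as, needs access, so `mode: "0750"` (or `"0700"`) on both tasks is the tighter default. Both tasks are also named `Create a directory if it does not exist`; naming the path in each would make run logs easier to audit.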
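Review bot: `groups: docker` in `add_user.yml` gives the MinIO service account access to the Docker socket, which is equivalent to root on the host, so the dedicated account does not actually lower privilege. The membership is needed only because `minio.service.j2` sets `User={{ minio_username }}` for the `docker run` call; dropping `User=`/`Group=` from the unit (the container already runs as `--user {{ minio_uid }}:{{ minio_uid }}`) would let this line go. `nginx_install/tasks/user.yml` has the same `groups: docker`, there combined with `shell: /bin/bash`; if that account only owns files, `shell: /usr/sbin/nologin` and no `docker` group would be enough. Without `append: true`, `groups` also replaces any supplementary groups the account already has.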
@@ -0,0 +1,34 @@
+---
+- name: Наливаю переменные
+ ansible.builtin.template:
+ src: minio.config.j2
+ dest: /etc/default/minio
+ owner: "{{ minio_username }}"
+ group: "{{ minio_username }}"
+ mode: "644"
+ notify:
+ - Перезапускаю minio.service
+
+- name: Наливаю юнит файл
+ ansible.builtin.template:
+ src: minio.service.j2
+ dest: /etc/systemd/system/minio.service
+ mode: "644"
+ notify:
+ - Загружаю образ
+ - Перезапускаю minio.service
+
+- name: Create a directory if it does not exist
+ ansible.builtin.file:
+ path: '{{ item["path"] }}/minio'
+ state: directory
+ owner: "{{ minio_username }}"
+ group: "{{ minio_username }}"
+ mode: "755"
+ loop: "{{ device }}"
+
+- name: Настраиваю minio.service
+ ansible.builtin.systemd:
+ name: minio.service
+ state: started
+ enabled: true
diff --git a/ansible/roles/minio_start/templates/minio.config.j2 b/ansible/roles/minio_start/templates/minio.config.j2
new file mode 100644
index 0000000..59435d9
--- /dev/null
+++ b/ansible/roles/minio_start/templates/minio.config.j2
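Review bot: The `Наливаю переменные` task writes `/etc/default/minio` with `mode: "644"`, but that file is rendered from `minio.config.j2` and contains `MINIO_ROOT_PASSWORD`, so any local user on the node can read the root credentials. The file is already owned by `{{ minio_username }}`, the uid the container runs as, so `mode: "0600"` should be sufficient for the read-only bind mount. Adding `diff: false` (or `no_log: true`) to the task also keeps the rendered password out of `--diff` output and run logs.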
@@ -0,0 +1,21 @@
+# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
+# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
+# Omit to use the default values 'minioadmin:minioadmin'.
+# MinIO recommends setting non-default values as a best practice, regardless of environment.
+
+MINIO_ROOT_USER=admin
+MINIO_ROOT_PASSWORD={{ lookup('password', 'secrets/minio/admin_secret length=64') }}
+
+# MINIO_VOLUMES sets the storage volumes or paths to use for the MinIO server.
+# The specified path uses MinIO expansion notation to denote a sequential series of drives between 1 and 4, inclusive.
+# All drives or paths included in the expanded drive list must exist *and* be empty or freshly formatted for MinIO to start successfully.
+
+MINIO_VOLUMES="http://minio-node{1...4}:9000/mnt/disk1/minio"
+
+# MINIO_SERVER_URL sets the hostname of the local machine for use with the MinIO Server.
+# MinIO assumes your network control plane can correctly resolve this hostname to the local machine.
+
+# Uncomment the following line and replace the value with the correct hostname for the local machine.
+
+MINIO_SERVER_URL="http://10.0.75.90"
+MINIO_BROWSER_REDIRECT_URL="https://s3.example.local/minio/ui"
diff --git a/ansible/roles/minio_start/templates/minio.service.j2 b/ansible/roles/minio_start/templates/minio.service.j2
new file mode 100644
index 0000000..635e0c4
--- /dev/null
+++ b/ansible/roles/minio_start/templates/minio.service.j2
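Review bot: `MINIO_SERVER_URL="http://10.0.75.90"` and `MINIO_VOLUMES="http://minio-node{1...4}:9000/..."` keep both the API endpoint and the inter-node traffic on plain HTTP, although `minio.conf` in this patch terminates TLS on 443 and the browser redirect already uses `https://`. If TLS is the intent, `MINIO_SERVER_URL` should be an `https://` URL with a name the certificate covers. Separately, `lookup('password', 'secrets/minio/admin_secret length=64')` stores the generated root password in clear text on the control node; no ignore rule or vault for `secrets/` is visible in this patch, so confirm that path cannot end up in the repository. The comment `Uncomment the following line` above `MINIO_SERVER_URL` is stale, since the line is already active.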
@@ -0,0 +1,29 @@
+[Unit]
+Description=minio
+Requires=docker.service
+After=docker.service
+
+[Service]
+User={{ minio_username }}
+Group={{ minio_username }}
+Restart=always
+ExecStartPre=-/usr/bin/docker rm -f minio
+ExecStart=/usr/bin/docker run \
+ --rm \
+ --network host \
+ --user {{ minio_uid }}:{{ minio_uid }} \
+ --name minio \
+ --env "MINIO_CONFIG_ENV_FILE=/etc/config.env" \
+ --add-host "minio-node1:10.0.75.55" \
+ --add-host "minio-node2:10.0.75.56" \
+ --add-host "minio-node3:10.0.75.57" \
+ --add-host "minio-node4:10.0.75.58" \
+ --volume /etc/default/minio:/etc/config.env:ro \
+ --volume /var/lib/minio:/var/lib/minio \
+ --volume /mnt/disk1/minio:/mnt/disk1/minio \
+ quay.io/minio/minio:{{ minio_version }} \
+ server /var/lib/minio --console-address ":9001"
+ExecStop=/usr/bin/docker stop -t 10 minio
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/minio_start/vars/main.yml b/ansible/roles/minio_start/vars/main.yml
new file mode 100644
index 0000000..0df73da
--- /dev/null
+++ b/ansible/roles/minio_start/vars/main.yml
@@ -0,0 +1,5 @@
+---
+# vars file for minio_start
+# Мы качаем docker image отсюда: https://quay.io/minio/minio/
+minio_version: RELEASE.2024-07-16T23-46-41Z
+minio_uid: 1111
diff --git a/ansible/roles/mount/tasks/main.yml b/ansible/roles/mount/tasks/main.yml
new file mode 100644
index 0000000..d17ada8
--- /dev/null
+++ b/ansible/roles/mount/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Mount up device
+ ansible.posix.mount:
+ path: '{{ item["path"] }}'
+ src: '{{ item["src"] }}'
+ fstype: "{{ filesystem }}"
+ state: mounted
+ loop: "{{ device }}"
diff --git a/ansible/roles/nginx_install/files/conf.d/minio.conf b/ansible/roles/nginx_install/files/conf.d/minio.conf
new file mode 100644
index 0000000..ccd6688
--- /dev/null
+++ b/ansible/roles/nginx_install/files/conf.d/minio.conf
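Review bot: In `minio.service.j2`, `--network host` together with `--console-address ":9001"` binds the S3 API (9000) and the admin console (9001) on every interface of each node, unencrypted and reachable without passing the nginx TLS front end. No firewall task is visible in this patch, so access to those ports has to be limited elsewhere to the nginx hosts and the cluster peers. I would at least record that above `ExecStart`, e.g. `# 9000/9001 listen on all interfaces; restrict to nginx hosts and cluster peers with a host firewall`. The positional `/var/lib/minio` after `server` also looks redundant with `MINIO_VOLUMES` from the env file; confirm which of the two MinIO actually uses.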
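Review bot: The `Mount up device` task in `mount/tasks/main.yml` sets no `opts`, so the data disk is mounted with the defaults, which allow setuid binaries, device nodes and execution on a volume that only stores objects. Adding `opts: "defaults,nodev,nosuid,noexec"` is a cheap hardening step. `src` is the raw `/dev/vdb` path from the play vars, which relies on stable device naming; a `UUID=` source would be more robust if the disk order can change.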
@@ -0,0 +1,73 @@
+upstream minio_s3 {
+ least_conn;
+ server 10.0.75.55:9000;
+ server 10.0.75.56:9000;
+ server 10.0.75.57:9000;
+ server 10.0.75.58:9000;
+}
+
+upstream minio_console {
+ least_conn;
+ server 10.0.75.55:9001;
+ server 10.0.75.56:9001;
+ server 10.0.75.57:9001;
+ server 10.0.75.58:9001;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ listen *:443 ssl;
+ server_name s3.example.local www.s3.example.local;
+ ssl_certificate /etc/ssl/private/minio.crt;
+ ssl_certificate_key /etc/ssl/private/private.key;
+
+ server_tokens off;
+
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio_s3; # This uses the upstream directive definition to load balance
+ }
+
+ location /minio/ui/ {
+ rewrite ^/minio/ui/(.*) /$1 break;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-NginX-Proxy true;
+
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
+
+ proxy_connect_timeout 300;
+
+ # To support websockets in MinIO versions released after January 2023
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio_console; # This uses the upstream directive definition to load balance
+ }
+}
diff --git a/ansible/roles/nginx_install/handlers/main.yml b/ansible/roles/nginx_install/handlers/main.yml
new file mode 100644
index 0000000..a8fae67
--- /dev/null
+++ b/ansible/roles/nginx_install/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Перезапускаю сервер nginx
+ community.docker.docker_container_exec:
+ container: nginx
+ command: "{{ item }}"
+ loop:
+ - nginx -t
+ - nginx -s reload
diff --git a/ansible/roles/nginx_install/tasks/cert.yml b/ansible/roles/nginx_install/tasks/cert.yml
new file mode 100644
index 0000000..4e31ff3
--- /dev/null
+++ b/ansible/roles/nginx_install/tasks/cert.yml
@@ -0,0 +1,34 @@
+---
+- name: Создаю директорию для ключей
+ ansible.builtin.file:
+ path: /etc/ssl/private
+ state: directory
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+ mode: "755"
+
+- name: Генерирую приватный ключ
+ community.crypto.openssl_privatekey:
+ path: "/etc/ssl/private/private.key"
+ mode: "0600"
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+
+- name: Создаю запроса на подписание сертификата (CSR) для самоподписанного сертификата
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "/etc/ssl/private/private.key"
+ common_name: "minio"
+ organization_name: Verum, Inc.
+ subject_alt_name:
+ - "DNS:s3.verum.local"
+ register: csr
+
+- name: Создаю самоподписанный сертификат из CSR
+ community.crypto.x509_certificate:
+ path: "/etc/ssl/private/minio.crt"
+ csr_content: "{{ csr.csr }}"
+ privatekey_path: "/etc/ssl/private/private.key"
+ provider: selfsigned
+ mode: "0640"
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
diff --git a/ansible/roles/nginx_install/tasks/config.yml b/ansible/roles/nginx_install/tasks/config.yml
new file mode 100644
index 0000000..cd95e39
--- /dev/null
+++ b/ansible/roles/nginx_install/tasks/config.yml
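Review bot: The single `server` block in `minio.conf` listens on 80 as well as 443 and has no redirect, so the S3 API and the console under `/minio/ui/` (including the root login) are also served in clear text; over IPv6 only port 80 is offered, because `listen *:443 ssl;` has no `[::]` counterpart. Splitting port 80 into its own block that only redirects, as sketched below, closes that path. `MINIO_SERVER_URL` in `minio.config.j2` currently points at `http://10.0.75.90`, so it has to move to `https://` first or the redirect will break it. No `ssl_protocols` is set either, so the TLS versions on offer are whatever the image defaults to.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name s3.example.local www.s3.example.local;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name s3.example.local www.s3.example.local;
    # … unchanged: ssl_certificate lines, proxy settings and both location blocks …
}
```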
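Review bot: The first task in `cert.yml` re-owns `/etc/ssl/private` to `{{ nginx_user }}` with `mode: "755"`; on Ubuntu that directory is a shared system location that is normally restricted to root and the `ssl-cert` group, so this loosens protection for any other key stored there. A dedicated directory (for example `/etc/nginx/ssl` with `mode: "0750"`) avoids touching the system path; the compose volume and the `ssl_certificate*` paths would follow. The CSR also requests `DNS:s3.verum.local` while `minio.conf` serves `s3.example.local`, so as written the certificate does not match the name clients use, which pushes users towards disabling verification.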
@@ -0,0 +1,19 @@
+---
+- name: Создаю директорию для nginx conf
+ ansible.builtin.file:
+ path: /etc/nginx/conf.d
+ state: directory
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+ mode: "755"
+
+- name: Синхронизирую конфигурационные файлы
+ ansible.posix.synchronize:
+ src: "conf.d/"
+ dest: "/etc/nginx/conf.d/"
+ delete: true
+ rsync_opts:
+ - "--chown={{ nginx_user }}:{{ nginx_user }}"
+ - "--chmod=F640"
+ notify:
+ - Перезапускаю сервер nginx
diff --git a/ansible/roles/nginx_install/tasks/main.yml b/ansible/roles/nginx_install/tasks/main.yml
new file mode 100644
index 0000000..87bbea2
--- /dev/null
+++ b/ansible/roles/nginx_install/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Создаю пользователя nginx
+ ansible.builtin.import_tasks: user.yml
+ when: ansible_distribution == 'Ubuntu'
+
+- name: Копирую конфигурацию
+ ansible.builtin.import_tasks: config.yml
+ when: ansible_distribution == 'Ubuntu'
+
+- name: Генерирую самоподписанный сертификат
+ ansible.builtin.import_tasks: cert.yml
+ when: ansible_distribution == 'Ubuntu'
+
+- name: Устанавливаю nginx
+ ansible.builtin.import_tasks: nginx.yml
+ when: ansible_distribution == 'Ubuntu'
diff --git a/ansible/roles/nginx_install/tasks/nginx.yml b/ansible/roles/nginx_install/tasks/nginx.yml
new file mode 100644
index 0000000..197d8ae
--- /dev/null
+++ b/ansible/roles/nginx_install/tasks/nginx.yml
@@ -0,0 +1,23 @@
+---
+- name: Наливаю docker-compose файл nginx
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: "/home/{{ nginx_user }}/docker-compose.yml"
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+ mode: "640"
+
+- name: Налаживаю права для директории /etc/letsencrypt/
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+ recurse: true
+ with_items:
+ - "/etc/letsencrypt/"
+
+- name: Поднимаю nginx
+ community.docker.docker_compose_v2:
+ project_src: "/home/{{ nginx_user }}/"
+ remove_orphans: true
+ wait: true
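Review bot: The `/etc/letsencrypt/` task in `nginx.yml` recursively hands the ACME account and certificate private keys to `{{ nginx_user }}` without setting a mode, and per `user.yml` that account has a login shell and `docker` group membership. The certbot service in `docker-compose.yml.j2` sets no `user:`, so it will presumably keep creating root-owned files there and every play run will flip ownership again. If nginx only needs read access through its `:ro` mount, leaving the tree owned by root is simpler; otherwise add `state: directory` and `mode: "u=rwX,go="` so permissions are explicit and the task does not depend on the path already existing.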
diff --git a/ansible/roles/nginx_install/tasks/user.yml b/ansible/roles/nginx_install/tasks/user.yml
new file mode 100644
index 0000000..6c89a06
--- /dev/null
+++ b/ansible/roles/nginx_install/tasks/user.yml
@@ -0,0 +1,7 @@
+---
+- name: Создаю пользователя {{ nginx_user }}
+ ansible.builtin.user:
+ name: "{{ nginx_user }}"
+ state: present
+ groups: docker
+ shell: /bin/bash
diff --git a/ansible/roles/nginx_install/templates/docker-compose.yml.j2 b/ansible/roles/nginx_install/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..cb277f7
--- /dev/null
+++ b/ansible/roles/nginx_install/templates/docker-compose.yml.j2
@@ -0,0 +1,28 @@
+services:
+ nginx:
+ image: nginx:{{ nginx_version }}
+ container_name: nginx
+ restart: always
+ ports:
+ - "80:80"
+ - "443:443"
+ environment:
+ - TZ=Europe/Moscow
+ volumes:
+ - /etc/nginx/conf.d/:/etc/nginx/conf.d/:ro
+ - /etc/nginx/include.d/:/etc/nginx/include.d/:ro
+ - /etc/ssl/private/:/etc/ssl/private/:ro
+ - /var/lib/letsencrypt/:/var/lib/letsencrypt/:ro
+ - /etc/letsencrypt:/etc/letsencrypt:ro
+ depends_on:
+ - certbot
+
+ certbot:
+ image: certbot/certbot:{{ certbot_version }}
+ container_name: certbot
+ restart: always
+ environment:
+ - TZ=Europe/Moscow
+ volumes:
+ - /etc/letsencrypt:/etc/letsencrypt
+ entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /etc/letsencrypt/ -n; sleep 12h & wait $${!}; done;'"
diff --git a/ansible/roles/nginx_install/vars/main.yml b/ansible/roles/nginx_install/vars/main.yml
new file mode 100644
index 0000000..9427c91
--- /dev/null
+++ b/ansible/roles/nginx_install/vars/main.yml
@@ -0,0 +1,5 @@
+---
+# vars file for nginx-install
+nginx_version: 1.27.0-alpine
+nginx_user: nginx
+certbot_version: v2.11.0
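Review bot: The certbot `entrypoint` in `docker-compose.yml.j2` passes `--webroot -w /etc/letsencrypt/`, so the directory that holds the account and certificate private keys doubles as the HTTP-01 web root. Nothing in `minio.conf` serves that path today, so renewals cannot complete through this proxy, and if a `/.well-known/` location is later pointed at it the key material becomes a sibling of publicly served files. Use a dedicated challenge directory instead: add `- /var/lib/letsencrypt:/var/lib/letsencrypt` to the certbot volumes (nginx already mounts that path read-only) and pass `-w /var/lib/letsencrypt/`.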