nginx: add support for anonymization

roles/nginx/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False

roles/nginx/tasks/main.yml

@@ -8,7 +8,13 @@
   when: nginx_ssl
 
 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+      -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
   when: nginx_ssl
   notify: Restart nginx
 
@@ -24,7 +30,7 @@
   - /etc/nginx/dhparam.pem
 
 - name: Configure nginx
-  copy: src=nginx.conf dest=/etc/nginx/nginx.conf
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
   notify: Restart nginx
 
 - name: Configure default vhost

roles/nginx/templates/default.j2

@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;

roles/nginx/templates/nginx.conf.j2

@@ -47,7 +47,32 @@ http {
 	# Logging Settings
 	##
 
+{% if nginx_anonymize %}
+	map $remote_addr $ip_anonym1 {
+		default 0.0.0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+		"~(?P<ip>[^:]+:[^:]+):" $ip;
+	}
+
+	map $remote_addr $ip_anonym2 {
+		default .0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+		"~(?P<ip>[^:]+:[^:]+):" ::;
+	}
+
+	map $ip_anonym1$ip_anonym2 $ip_anonymized {
+		default 0.0.0.0;
+		"~(?P<ip>.*)" $ip;
+	}
+
+	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+		'"$request" $status $body_bytes_sent '
+		'"$http_referer" "$http_user_agent"';
+
+	access_log /var/log/nginx/access.log anonymized;
+{% else %}
 	access_log /var/log/nginx/access.log;
+{% endif %}
 	error_log /var/log/nginx/error.log;
 
 	##