diff --git a/defaults/main.yml b/defaults/main.yml
index 1869e8f..71e7cc3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -58,6 +58,11 @@ nginx_tls_source_use_files: True
 nginx_tls_cert_file: mycert.pem
 nginx_tls_key_file: mykey.pem
+nginx_tls_ciphers:
+ - ECDHE-ECDSA-CHACHA20-POLY1305
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES128-SHA
+
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set
diff --git a/handlers/main.yml b/handlers/main.yml
index d662cea..6d8b718 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,9 +1,8 @@
 ---
-- name: reload nginx
+- name: Reload nginx
 systemd:
 state: reloaded
 name: nginx
- listen:
- - __nginx_reload
+ listen: __nginx_reload
 become: True
 become_user: root
diff --git a/meta/main.yml b/meta/main.yml
index 57bdd1c..17c4486 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,3 +1,4 @@
+# Standards: 0.1
 ---
 galaxy_info:
 author: xoxys
@@ -5,9 +6,9 @@ galaxy_info:
 license: MIT
 min_ansible_version: 2.4
 platforms:
- - name: EL
- versions:
- - 7
+ - name: EL
+ versions:
+ - 7
 galaxy_tags:
 - nginx
 - webserver
diff --git a/tasks/install.yml b/tasks/install.yml
index cf39594..fa3944f 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
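Review bot: The new `nginx_tls_ciphers` default contains only ECDHE-ECDSA suites, so a deployment whose `nginx_tls_cert_file` holds an RSA certificate has no cipher in common with any client and every handshake fails once this list is rendered into `ssl_ciphers`. Either add the ECDHE-RSA counterparts (`ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`) to the default or state the requirement above the list, e.g. `# ECDSA suites only: the certificate in nginx_tls_cert_file must carry an EC key`. The trailing `ECDHE-ECDSA-AES128-SHA` is the only CBC/SHA-1 suite in the list; a short comment saying it is kept for older clients, or dropping it, would make the intent explicit to whoever overrides this variable. The `True`/`False` booleans around the new block would read more portably as lowercase `true`/`false`, though Ansible accepts both.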
@@ -1,128 +1,128 @@
 ---
 - block:
- - name: Add nginx repository
- yum_repository:
- name: nginx
- file: nginx
- description: NGINX High Performance Web Server
- baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
- gpgkey: https://nginx.org/keys/nginx_signing.key
- gpgcheck: yes
- when: nginx_official_repo_enabled
+ - name: Add nginx repository
+ yum_repository:
+ name: nginx
+ file: nginx
+ description: NGINX High Performance Web Server
+ baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
+ gpgkey: https://nginx.org/keys/nginx_signing.key
+ gpgcheck: yes
+ when: nginx_official_repo_enabled
- - name: Installing nginx
- yum:
- name: nginx
- state: installed
+ - name: Installing nginx
+ yum:
+ name: nginx
+ state: installed
- - name: Create group '{{ nginx_group }}'
- group:
- name: "{{ nginx_group }}"
- state: present
- when: nginx_group != "nginx"
+ - name: Create group '{{ nginx_group }}'
+ group:
+ name: "{{ nginx_group }}"
+ state: present
+ when: nginx_group != "nginx"
- - name: Create user '{{ nginx_user }}'
- user:
- name: "{{ nginx_user }}"
- group: "{{ nginx_group }}"
- createhome: no
- shell: /sbin/nologin
- when: nginx_user != "nginx"
+ - name: Create user '{{ nginx_user }}'
+ user:
+ name: "{{ nginx_user }}"
+ group: "{{ nginx_group }}"
+ createhome: no
+ shell: /sbin/nologin
+ when: nginx_user != "nginx"
- - name: Prepare vhost directories
- file:
- path: "{{ item }}"
- state: directory
- owner: "{{ nginx_user }}"
- group: "{{ nginx_group }}"
- mode: 0750
- with_items:
- - "{{ nginx_vhosts_dir }}"
- - "{{ nginx_vhosts_dir }}/default"
+ - name: Prepare vhost directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_group }}"
+ mode: 0750
+ with_items:
+ - "{{ nginx_vhosts_dir }}"
+ - "{{ nginx_vhosts_dir }}/default"
- - name: Prepare nginx directories
- file:
- path: "{{ item }}"
- state: directory
- owner: root
- group: root
- mode: 0640
- with_items:
- - /etc/nginx/sites-available
- - /etc/nginx/sites-enabled
+ - name: Prepare nginx directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0640
+ with_items:
+ - /etc/nginx/sites-available
+ - /etc/nginx/sites-enabled
- - name: Update nginx.conf
- template:
- src: etc/nginx/nginx.conf.j2
- dest: "/etc/nginx/nginx.conf"
- owner: root
- group: root
- mode: 0640
- validate: /sbin/nginx -t -c %s
- notify: __nginx_reload
+ - name: Update nginx.conf
+ template:
+ src: etc/nginx/nginx.conf.j2
+ dest: "/etc/nginx/nginx.conf"
+ owner: root
+ group: root
+ mode: 0640
+ validate: /sbin/nginx -t -c %s
+ notify: __nginx_reload
- - name: Remove default.conf from conf.d
- file:
- path: /etc/nginx/conf.d/default.conf
- state: absent
+ - name: Remove default.conf from conf.d
+ file:
+ path: /etc/nginx/conf.d/default.conf
+ state: absent
- - name: Update header.conf
- template:
- src: etc/nginx/conf.d/header.conf.j2
- dest: /etc/nginx/conf.d/header.conf
- owner: root
- group: root
- mode: 0640
- validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
- notify: __nginx_reload
+ - name: Update header.conf
+ template:
+ src: etc/nginx/conf.d/header.conf.j2
+ dest: /etc/nginx/conf.d/header.conf
+ owner: root
+ group: root
+ mode: 0640
+ validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
+ notify: __nginx_reload
- - name: Open ports in iptables
- iptables_raw:
- name: allow_nginx_ports
- state: present
- rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
- when: nginx_iptables_enabled
+ - name: Open ports in iptables
+ iptables_raw:
+ name: allow_nginx_ports
+ state: present
+ rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
+ when: nginx_iptables_enabled
- - name: Set selinux booleans
- seboolean:
- name: "{{ item.name }}"
- state: "{{ item.state }}"
- persistent: "{{ item.persistent }}"
- with_items: "{{ nginx_set_sebooleans }}"
- when: nginx_set_sebooleans is defined
+ - name: Set selinux booleans
+ seboolean:
+ name: "{{ item.name }}"
+ state: "{{ item.state }}"
+ persistent: "{{ item.persistent }}"
+ with_items: "{{ nginx_set_sebooleans }}"
+ when: nginx_set_sebooleans is defined
 become: True
 become_user: root
 - block:
- - name: Add default page
- template:
- src: var/www/vhosts/default/index.html.j2
- dest: /var/www/vhosts/default/index.html
- owner: "{{ nginx_user }}"
- group: "{{ nginx_group }}"
- mode: 0750
+ - name: Add default page
+ template:
+ src: var/www/vhosts/default/index.html.j2
+ dest: /var/www/vhosts/default/index.html
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_group }}"
+ mode: 0750
 when: nginx_default_page_enabled
 become: True
 become_user: "{{ nginx_user }}"
 - block:
- - name: Add default page configuration file
- template:
- src: etc/nginx/sites-available/default.j2
- dest: /etc/nginx/sites-available/default
- owner: root
- group: root
- mode: 0640
- notify: __nginx_reload
+ - name: Add default page configuration file
+ template:
+ src: etc/nginx/sites-available/default.j2
+ dest: /etc/nginx/sites-available/default
+ owner: root
+ group: root
+ mode: 0640
+ notify: __nginx_reload
- - name: Enable default page
- file:
- src: /etc/nginx/sites-available/default
- dest: /etc/nginx/sites-enabled/default
- owner: root
- group: root
- state: link
- notify: __nginx_reload
+ - name: Enable default page
+ file:
+ src: /etc/nginx/sites-available/default
+ dest: /etc/nginx/sites-enabled/default
+ owner: root
+ group: root
+ state: link
+ notify: __nginx_reload
 when: nginx_default_page_enabled
 become: True
 become_user: root
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 1cbc5f4..e54e069 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -1,28 +1,29 @@
+---
 - block:
- - name: Copy certs and private key (content)
- copy:
- content: "{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: "{{ item.mode }}"
- with_items:
- - { src: "{{ nginx_tls_key_source }}", dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}', mode: '0600' }
- - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
- loop_control:
- label: "{{ item.dest }}"
- notify: __nginx_reload
- when: nginx_tls_source_use_content
+ - name: Copy certs and private key (content)
+ copy:
+ content: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ nginx_tls_key_source }}", dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}', mode: '0600' }
+ - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ notify: __nginx_reload
+ when: nginx_tls_source_use_content
- - name: Copy certs and private key (files)
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- mode: "{{ item.mode }}"
- with_items:
- - { src: "{{ nginx_tls_key_source }}", dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}', mode: '0600' }
- - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
- loop_control:
- label: "{{ item.dest }}"
- notify: __nginx_reload
- when: nginx_tls_source_use_files
+ - name: Copy certs and private key (files)
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ nginx_tls_key_source }}", dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}', mode: '0600' }
+ - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ notify: __nginx_reload
+ when: nginx_tls_source_use_files
 become: True
 become_user: root
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 86b496c..9134ce7 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -1,13 +1,12 @@
 # {{ ansible_managed }}
-# certificate settings
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA';
+ssl_ciphers '{{ nginx_tls_ciphers | join(":") }}';
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1.2;
 ssl_session_cache shared:SSL:10m;
-{% if nginx_tls_enabled and nginx_tls_ocsp_enabled %}
+{% if nginx_tls_ocsp_enabled %}
 ssl_stapling on;
-ssl_trusted_certificate /pfad/bundle.ca.pem;
+ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_certificate }};
 ssl_stapling_verify on;
 {% endif %}
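Review bot: `ssl_trusted_certificate {{ nginx_tls_ocsp_trusted_certificate }};` is now rendered whenever `nginx_tls_ocsp_enabled` is true, but the defaults hunk leaves `nginx_tls_ocsp_trusted_certificate` commented out, so turning stapling on without also setting that variable either aborts the template on an undefined variable or, where undefined variables are tolerated, emits `ssl_trusted_certificate ;`, which nginx rejects. Guard the directive, e.g. `{% if nginx_tls_ocsp_enabled and nginx_tls_ocsp_trusted_certificate is defined %}`, or better add an `assert` task before the template is written so the misconfiguration is reported with a clear message rather than at `validate` time. Dropping `nginx_tls_enabled` from the condition is only safe if this template is never rendered when TLS is off; that is not visible from this hunk. Since `ssl_stapling_verify on` is kept, the file named here has to carry the issuer chain for the stapled response to verify, which is worth stating in a comment next to the commented-out default.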