add ssl setup

defaults/main.yml

@@ -2,3 +2,6 @@
 nginx_open_ports:
   - 80
   - 443
+ssl_priv_key: ""
+ssl_intermediate_cert: ""
+ssl_chained_cert: ""

tasks/config.yml

@@ -80,6 +80,30 @@
   notify:
     - nginx_restart
 
+- name: Copy ssl chained certs
+  copy:
+    content: '{{ ssl_chained_cert }}'
+    dest: /etc/pki/tls/certs/my-chained.crt
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy ssl intermediate cert
+  copy:
+    content: '{{ ssl_intermediate_cert }}'
+    dest: /etc/pki/tls/certs/my-intermediate.crt
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy ssl private key
+  copy:
+    content: '{{ ssl_priv_key }}'
+    dest: /etc/pki/tls/private/my-private.key
+    owner: root
+    group: root
+    mode: 0600
+
 - name: Open ports in iptables
   iptables_raw:
     name: allow_nginx_ports

templates/etc/nginx/conf.d/header.conf.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+# default header settings
 add_header Strict-Transport-Security max-age=63072000;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;

templates/etc/nginx/conf.d/tls.conf.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# certificate settings
+ssl_certificate_key /etc/pki/tls/private/my-private.key;
+ssl_certificate /etc/pki/tls/certs/my-chained.crt;
+
+ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
+
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/cert/dhparam.pem;