cleanup

This commit is contained in:
Robert Kaussow 2019-07-18 08:59:41 +02:00
parent bd9efe2939
commit 30e3b7859e
8 changed files with 19 additions and 14 deletions


@ -50,14 +50,14 @@ nginx_open_ports:
nginx_tls_enabled: False
nginx_tls_versions:
- TLSv1.2
# Source has to be a file
nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem
# Set the destination filename
## Source has to be a file
# nginx_tls_cert_source: # defaults to not set
# nginx_tls_key_source: # defaults to not set
## Set the destination filename
nginx_tls_cert_file: mycert.pem
nginx_tls_key_file: mykey.pem
# nginx_tls_dhparam_file: # defaults to not set
# nginx_tls_dhparam_size: # defaults to 2048
nginx_tls_dhparam_size: 2048
nginx_tls_ciphers:
- ECDHE-RSA-AES256-GCM-SHA512
@ -65,6 +65,7 @@ nginx_tls_ciphers:
- ECDHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
# nginx_tls_ecdh_curve: # defaults to not set
nginx_tls_ocsp_enabled: False
# nginx_tls_ocsp_trusted_certificate: # defaults to not set
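Review bot: `nginx_tls_enabled: False` and `nginx_tls_ocsp_enabled: False` use capitalised YAML 1.1 booleans; the Ansible style (and yamllint's `truthy` rule) is lowercase, and since the role already coerces these with `| bool` the canonical `nginx_tls_enabled: false` / `nginx_tls_ocsp_enabled: false` behaves identically and lints clean. While the defaults are being tidied, the cipher list in the second hunk still opens with `ECDHE-RSA-AES256-GCM-SHA512`, which is not an OpenSSL cipher-suite name (AES-256-GCM suites are paired with SHA384); nginx passes the string through and OpenSSL silently drops unknown names, so it is harmless but misleading and could simply be removed. Both are context lines that predate this commit.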


@ -73,7 +73,7 @@
owner: root
group: root
mode: 0640
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
validate: bash -c '/sbin/nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
notify: __nginx_reload
- name: Open ports in iptables
@ -122,6 +122,7 @@
owner: root
group: root
mode: 0640
validate: /sbin/nginx -t -c %s
loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
loop_control:
label: "{{ item.file }}"
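Review bot: The `validate: /sbin/nginx -t -c %s` added in the second hunk hands nginx a vhost file that consists only of a `server { … }` block, and `nginx -t` rejects that because `server` is only permitted inside `http`, so every vhost deploy would fail validation. The first hunk already solves the same problem for the other config file by wrapping the include, and the vhost task should use the same form: `validate: bash -c '/sbin/nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'`. Separately, `mode: 0640` on both tasks is an unquoted leading-zero literal; PyYAML reads it as octal today, but Ansible recommends the string form `mode: '0640'` so a YAML 1.2 parser cannot reinterpret it as decimal 640. Both tasks start before their hunks.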


@ -1,6 +1,5 @@
---
- import_tasks: install.yml
- import_tasks: tls.yml
when: nginx_tls_enabled | bool
tags: tls_renewal
- import_tasks: post_tasks.yml


@ -10,13 +10,15 @@
- { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
when:
- nginx_tls_cert_source is defined
- nginx_tls_key_source is defined
notify: __nginx_reload
when: nginx_tls_source_use_files | bool
- name: Create Diffie-Hellman Parameter
openssl_dhparam:
path: "{{ nginx_tls_dhparam_file }}"
size: "{{ nginx_tls_dhparam_size | default('2048') }}"
size: "{{ nginx_tls_dhparam_size }}"
when: nginx_tls_dhparam_file is defined
- name: Update tls.conf
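Review bot: The certificate loop item at the top of the hunk installs the PEM into `/etc/pki/tls/certs/` with `mode: '0750'`; a certificate file never needs the execute bit, so `mode: '0640'` is the conventional value and avoids a lint warning about executable config files. The task that owns this loop, including the private-key item, starts before the hunk, so the key's destination and mode cannot be checked here; the vhost template touched in this same commit expects keys under `/etc/pki/tls/private/`, which is worth confirming against that item. The new `when:` list using `is defined` is consistent with the defaults file now commenting out `nginx_tls_cert_source` and `nginx_tls_key_source`.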


@ -1,5 +1,5 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
{{ ansible_managed | comment }}
# protect against protocol downgrading and cookie hijacking
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts


@ -1,5 +1,6 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
{{ ansible_managed | comment }}
ssl_ciphers {{ nginx_tls_ciphers | join(":") }};
ssl_prefer_server_ciphers on;
{% if nginx_tls_ecdh_curve is defined %}


@ -1,5 +1,6 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
{{ ansible_managed | comment }}
user {{ nginx_user }} {{ nginx_group }};
worker_processes {{ nginx_worker_processes }};


@ -15,8 +15,8 @@ server {
server_name {{ server.server_name }};
{% if server.tls is defined and server.tls %}
ssl_certificate {{ server.tls.cert }};
ssl_certificate_key {{ server.tls.key }};
ssl_certificate /etc/pki/tls/certs/{{ server.tls.cert }};
ssl_certificate_key /etc/pki/tls/private/{{ server.tls.key }};
{% if server.tls.dhparam is defined %}
ssl_dhparam {{ item.value.ssl.dhparam }};
{% endif %}
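Review bot: Inside the `{% if server.tls.dhparam is defined %}` guard the emitted directive reads `ssl_dhparam {{ item.value.ssl.dhparam }};`, while the guard itself and every other directive in this block read from `server.tls.*`; with Ansible's default strict-undefined templating this fails to render as soon as a vhost actually sets `dhparam`, and with a permissive setting it would emit an empty `ssl_dhparam ;`. It should read `ssl_dhparam {{ server.tls.dhparam }};` unless `item.value.ssl` is deliberately populated elsewhere, which the page does not show. The newly hard-coded `/etc/pki/tls/certs/` and `/etc/pki/tls/private/` prefixes also mean `server.tls.cert` and `server.tls.key` must now be bare filenames rather than paths, which deserves a one-line comment in the defaults or README. The enclosing `server {` block begins before the hunk, and the hunk may continue past the end of the page.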