cleanup

defaults/main.yml

@@ -50,14 +50,14 @@ nginx_open_ports:
 nginx_tls_enabled: False
 nginx_tls_versions:
   - TLSv1.2
-# Source has to be a file
-nginx_tls_cert_source: mycert.pem
-nginx_tls_key_source: mykey.pem
-# Set the destination filename
+## Source has to be a file
+# nginx_tls_cert_source: # defaults to not set
+# nginx_tls_key_source: # defaults to not set
+## Set the destination filename
 nginx_tls_cert_file: mycert.pem
 nginx_tls_key_file: mykey.pem
 # nginx_tls_dhparam_file: # defaults to not set
-# nginx_tls_dhparam_size: # defaults to 2048
+nginx_tls_dhparam_size: 2048
 
 nginx_tls_ciphers:
   - ECDHE-RSA-AES256-GCM-SHA512
@@ -65,6 +65,7 @@ nginx_tls_ciphers:
   - ECDHE-RSA-AES256-GCM-SHA384
   - DHE-RSA-AES256-GCM-SHA384
   - ECDHE-RSA-AES256-SHA384
+# nginx_tls_ecdh_curve: # defaults to not set
 
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set

tasks/install.yml

@@ -73,7 +73,7 @@
         owner: root
         group: root
         mode: 0640
-        validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
+        validate: bash -c '/sbin/nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
       notify: __nginx_reload
 
     - name: Open ports in iptables
@@ -122,6 +122,7 @@
         owner: root
         group: root
         mode: 0640
+        validate: /sbin/nginx -t -c %s
       loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
       loop_control:
         label: "{{ item.file }}"

tasks/main.yml

@@ -1,6 +1,5 @@
 ---
 - import_tasks: install.yml
 - import_tasks: tls.yml
-  when: nginx_tls_enabled | bool
   tags: tls_renewal
 - import_tasks: post_tasks.yml

tasks/tls.yml

@@ -10,13 +10,15 @@
         - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
       loop_control:
         label: "{{ item.dest }}"
+      when:
+        - nginx_tls_cert_source is defined
+        - nginx_tls_key_source is defined
       notify: __nginx_reload
-      when: nginx_tls_source_use_files | bool
 
     - name: Create Diffie-Hellman Parameter
       openssl_dhparam:
         path: "{{ nginx_tls_dhparam_file }}"
-        size: "{{ nginx_tls_dhparam_size | default('2048') }}"
+        size: "{{ nginx_tls_dhparam_size }}"
       when: nginx_tls_dhparam_file is defined
 
     - name: Update tls.conf

templates/etc/nginx/conf.d/header.conf.j2

@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 # protect against protocol downgrading and cookie hijacking
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts

templates/etc/nginx/conf.d/tls.conf.j2

@@ -1,5 +1,6 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
+
 ssl_ciphers {{ nginx_tls_ciphers | join(":") }};
 ssl_prefer_server_ciphers on;
 {% if nginx_tls_ecdh_curve is defined %}

templates/etc/nginx/nginx.conf.j2

@@ -1,5 +1,6 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
+
 user {{ nginx_user }} {{ nginx_group }};
 worker_processes {{ nginx_worker_processes }};
 

templates/etc/nginx/sites-available/vhost.j2

@@ -15,8 +15,8 @@ server {
     server_name  {{ server.server_name }};
 
     {% if server.tls is defined and server.tls %}
-    ssl_certificate {{ server.tls.cert }};
-    ssl_certificate_key {{ server.tls.key }};
+    ssl_certificate /etc/pki/tls/certs/{{ server.tls.cert }};
+    ssl_certificate_key /etc/pki/tls/private/{{ server.tls.key }};
     {% if server.tls.dhparam is defined %}
     ssl_dhparam {{ item.value.ssl.dhparam }};
     {% endif %}