allow uploading a list of certificate files

2020-06-04 23:09:15 +02:00 · 2020-06-04 23:09:15 +02:00 · 7b9af21abf
parent 8236e8a98e
commit 7b9af21abf
3 changed files with 29 additions and 23 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -43,15 +43,17 @@ nginx_tls_enabled: False
 nginx_tls_versions:
  - TLSv1.2

-# @var nginx_tls_cert_source:description: Source has to be a file.
-# @var nginx_tls_cert_source: $ "_unset_"
-# @var nginx_tls_key_source:description: Source has to be a file.
-# @var nginx_tls_key_source: $ "_unset_"
+nginx_tls_certificates: []
+# @var nginx_tls_certificates:example: >
+# nginx_tls_certificates:
+#   - source: "{{ ansible_user_dir }}/files/mycert.pem"
+#     dest: /etc/pki/tls/certs/mycert.pem
+#     mode: 0644
+#   - source: "{{ ansible_user_dir }}/files/mykey.pem"
+#     dest: /etc/pki/tls/private/mykey.pem
+#     mode: 0600
+# @end

-# @var nginx_tls_cert_file:description: Set the destination filename.
-nginx_tls_cert_file: mycert.pem
-# @var nginx_tls_key_file:description: Set the destination filename.
-nginx_tls_key_file: mykey.pem
 # @var nginx_tls_dhparam_file: $ "_unset_"
 nginx_tls_dhparam_size: 2048

@ -149,8 +151,8 @@ nginx_vhosts_default:
 #         tls_redirect: False # skips locations if enabled
 #         tls_redirect_url:
 #         tls:
-#           cert: /etc/pki/tls/..
-#           key: /etc/pki/tls/..
+#           cert: /etc/pki/tls/certs/mycert.pem
+#           key: /etc/pki/tls/private/mykey.pem
 #           dhparam:
 #         client_max_body_size:
 #         send_timeout:
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@ -1,18 +1,22 @@
 ---
 - block:
-    - name: Copy certs and private key
-      copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dest }}"
-        mode: "{{ item.mode }}"
-      loop:
-        - { src: "{{ nginx_tls_key_source }}", dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}', mode: '0600' }
-        - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
+    - name: Ensur target directories exist for certificate files
+      file:
+        name: "{{ item.dest | dirname }}"
+        state: directory
+      loop: "{{ nginx_tls_certificates }}"
+      loop_control:
+        label: "{{ item.dest }}"
+
+    - name: Copy certificate files
+      copy:
+        src: "{{ item.source }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode | default('0600') }}"
+        owner: "{{ item.owner | default('root') }}"
+      loop: "{{ nginx_tls_certificates }}"
      loop_control:
        label: "{{ item.dest }}"
-      when:
-        - nginx_tls_cert_source is defined
-        - nginx_tls_key_source is defined
      notify: __nginx_reload

    - name: Create Diffie-Hellman Parameter
--- a/templates/etc/nginx/sites-available/vhost.j2
+++ b/templates/etc/nginx/sites-available/vhost.j2
@ -21,8 +21,8 @@ server {
    {% endif %}
    {% if server.tls is defined and server.tls %}

-    ssl_certificate /etc/pki/tls/certs/{{ server.tls.cert }};
-    ssl_certificate_key /etc/pki/tls/private/{{ server.tls.key }};
+    ssl_certificate {{ server.tls.cert }};
+    ssl_certificate_key {{ server.tls.key }};
    {% if server.tls.dhparam is defined %}
    ssl_dhparam {{ item.value.ssl.dhparam }};
    {% endif %}