fix tls implementation

This commit is contained in:
Robert Kaussow 2018-08-12 11:31:12 +02:00
parent 3967a2d772
commit 8eee8600f7
5 changed files with 58 additions and 51 deletions


@ -50,7 +50,12 @@ nginx_tls_enabled: False
nginx_tls_certs_dir: /etc/pki/tls/certs
nginx_tls_key_dir: /etc/pki/tls/private
nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mykey.pem"
nginx_tls_source_use_content: False
nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem
nginx_pfs_enabled: False
nginx_dhparam_size: 4069
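Review bot: The private-key default in this hunk, `nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mykey.pem"`, does not match the name the new copy loops in tasks/tls.yml consume, `dest: '{{ nginx_tls_key_file }}'`; unless `nginx_tls_key_file` is defined elsewhere in the role, running with the defaults fails on an undefined variable, so either rename the default to `nginx_tls_key_file` or point both loop items at `{{ nginx_tls_private_key_file }}`. `nginx_dhparam_size: 4069` also reads like a transposition of 4096 — openssl dhparam accepts it, but it is not a conventional size and is presumably not what was intended; worth confirming if that line is new here. Per-file addition and deletion counts are not shown on this page, so which lines are added rather than context is inferred from the hunk header.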


@ -4,6 +4,6 @@
state: reloaded
name: nginx
listen:
- "nginx_reload"
- __nginx_reload
become: True
become_user: root


@ -59,8 +59,7 @@
group: root
mode: 0640
validate: /sbin/nginx -t -c %s
notify:
- nginx_reload
notify: __nginx_reload
- name: Remove default.conf from conf.d
file:
@ -75,8 +74,7 @@
group: root
mode: 0640
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
notify:
- nginx_reload
notify: __nginx_reload
- name: Open ports in iptables
iptables_raw:
@ -86,6 +84,18 @@
become: True
become_user: root
- block:
- name: Add default page
template:
src: var/www/vhosts/default/index.html.j2
dest: /var/www/vhosts/default/index.html
owner: nginx
group: nginx
mode: 0750
when: nginx_default_page_enabled
become: True
become_user: nginx
- block:
- name: Add default page configuration file
template:
@ -94,8 +104,7 @@
owner: root
group: root
mode: 0640
notify:
- nginx_reload
notify: __nginx_reload
- name: Enable default page
file:
@ -104,8 +113,7 @@
owner: root
group: root
state: link
notify:
- nginx_reload
notify: __nginx_reload
when: nginx_default_page_enabled
become: True
become_user: root
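Review bot: The "Add default page" block in the third hunk (`@ -86,6 +84,18 @@`) writes index.html with `mode: 0750`; a static page only needs to be readable by the nginx worker, and an execute bit serves no purpose on a regular file, so `mode: 0640` (owner and group are already nginx) is the least-privilege value. The same lines appear among those removed from tasks/tls.yml, so this looks like a move rather than new code, but the move is a good moment to correct it.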


@ -1,2 +1,4 @@
---
- include_tasks: install.yml
- include_tasks: tls.yml
when: nginx_tls_enabled


@ -1,61 +1,53 @@
- block:
- name: Copy tls certificate
copy:
content: "{{ nginx_tls_cert }}"
dest: "{{ nginx_tls_cert_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
- name: Create tls folder structure
file:
path: "{{ item }}"
state: directory
mode: 700
with_items:
- "{{ nginx_tls_certs_dir }}"
- "{{ nginx_tls_key_dir }}"
- name: Copy ssl intermediate cert
- name: Copy certs and private key (content)
copy:
content: "{{ nginx_tls_intermediate_ca }}"
dest: "{{ nginx_tls_intermediate_ca_file }}"
owner: root
group: root
mode: 0644
notify:
- nginx_reload
content: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
- { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
notify: __nginx_reload
when: nginx_tls_source_use_content
- name: Copy tls private key
- name: Copy certs and private key (files)
copy:
content: "{{ nginx_tls_private_key }}"
dest: "{{ nginx_tls_private_key_file }}"
owner: root
group: root
mode: 0600
notify:
- nginx_reload
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
- { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
notify: __nginx_reload
when: nginx_tls_source_use_files
become: True
become_user: root
when: nginx_tls_enabled
- block:
- name: Register dhparam file
stat:
path: "{{ nginx_dhparam_file }}"
register: dh_file
register: __nginx_dh_file
- name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600
poll: 60
when: not dh_file.stat.exists
notify:
- nginx_reload
when: not __nginx_dh_file.stat.exists
notify: __nginx_reload
become: True
become_user: root
when: nginx_pfs_enabled
- block:
- name: Add default page
template:
src: 'var/www/vhosts/default/index.html.j2'
dest: '/var/www/vhosts/default/index.html'
owner: nginx
group: nginx
mode: 0750
become: True
become_user: nginx
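Review bot: The "Create tls folder structure" task, which appears to be new in this hunk, sets `mode: 700` without a leading zero or quotes, so YAML hands the file module the decimal integer 700 rather than octal 0700; Ansible documents that an unquoted mode without a leading zero is taken as decimal, which here would give the private-key directory unintended group and other permissions, so write it as `mode: "0700"`. In both new copy loops the certificate item carries `mode: '0750'`; a certificate is not executable and 0644, as the removed tasks used, is the conventional value, while the key item's `'0600'` is right. Under `nginx_tls_source_use_content` the loop item `src` is the key material itself; `loop_control.label` keeps it out of the per-item line, but the copy module can still print it in `--diff` output, so `no_log: true` on the content task is worth adding.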