fix tls implementation

2018-08-12 11:31:12 +02:00 · 2018-08-12 11:31:12 +02:00 · 8eee8600f7
parent 3967a2d772
commit 8eee8600f7
5 changed files with 58 additions and 51 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -50,7 +50,12 @@ nginx_tls_enabled: False
 nginx_tls_certs_dir: /etc/pki/tls/certs
 nginx_tls_key_dir: /etc/pki/tls/private
 nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
-nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
+nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mykey.pem"
+nginx_tls_source_use_content: False
+nginx_tls_source_use_files: True
+nginx_tls_cert_source: mycert.pem
+nginx_tls_key_source: mykey.pem
+

 nginx_pfs_enabled: False
 nginx_dhparam_size: 4069
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -4,6 +4,6 @@
    state: reloaded
    name: nginx
  listen:
-    - "nginx_reload"
+    - __nginx_reload
  become: True
  become_user: root
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -59,8 +59,7 @@
      group: root
      mode: 0640
      validate: /sbin/nginx -t -c %s
-    notify:
-      - nginx_reload
+    notify: __nginx_reload

  - name: Remove default.conf from conf.d
    file:
@ -75,8 +74,7 @@
      group: root
      mode: 0640
      validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
-    notify:
-      - nginx_reload
+    notify: __nginx_reload

  - name: Open ports in iptables
    iptables_raw:
@ -86,6 +84,18 @@
  become: True
  become_user: root

+- block:
+  - name: Add default page
+    template:
+      src: var/www/vhosts/default/index.html.j2
+      dest: /var/www/vhosts/default/index.html
+      owner: nginx
+      group: nginx
+      mode: 0750
+  when: nginx_default_page_enabled
+  become: True
+  become_user: nginx
+
 - block:
  - name: Add default page configuration file
    template:
@ -94,8 +104,7 @@
      owner: root
      group: root
      mode: 0640
-    notify:
-      - nginx_reload
+    notify: __nginx_reload

  - name: Enable default page
    file:
@ -104,8 +113,7 @@
      owner: root
      group: root
      state: link
-    notify:
-      - nginx_reload
+    notify: __nginx_reload
  when: nginx_default_page_enabled
  become: True
  become_user: root
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,4 @@
 ---
 - include_tasks: install.yml
+- include_tasks: tls.yml
+  when: nginx_tls_enabled
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@ -1,61 +1,53 @@
 - block:
-  - name: Copy tls certificate
-    copy:
-      content: "{{ nginx_tls_cert }}"
-      dest: "{{ nginx_tls_cert_file }}"
-      owner: root
-      group: root
-      mode: 0644
-    notify:
-      - nginx_reload
+  - name: Create tls folder structure
+    file:
+      path: "{{ item }}"
+      state: directory
+      mode: 700
+    with_items:
+      - "{{ nginx_tls_certs_dir }}"
+      - "{{ nginx_tls_key_dir }}"

-  - name: Copy ssl intermediate cert
+  - name: Copy certs and private key (content)
    copy:
-      content: "{{ nginx_tls_intermediate_ca }}"
-      dest: "{{ nginx_tls_intermediate_ca_file }}"
-      owner: root
-      group: root
-      mode: 0644
-    notify:
-      - nginx_reload
+      content: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
+      - { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    notify: __nginx_reload
+    when: nginx_tls_source_use_content

-  - name: Copy tls private key
+  - name: Copy certs and private key (files)
    copy:
-      content: "{{ nginx_tls_private_key }}"
-      dest: "{{ nginx_tls_private_key_file }}"
-      owner: root
-      group: root
-      mode: 0600
-    notify:
-      - nginx_reload
+      src: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
+      - { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    notify: __nginx_reload
+    when: nginx_tls_source_use_files
  become: True
  become_user: root
-  when: nginx_tls_enabled

 - block:
  - name: Register dhparam file
    stat:
      path: "{{ nginx_dhparam_file }}"
-    register: dh_file
+    register: __nginx_dh_file

  - name: Generate Diffie-Hellman parameter file
    shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
    async: 3600
    poll: 60
-    when: not dh_file.stat.exists
-    notify:
-      - nginx_reload
+    when: not __nginx_dh_file.stat.exists
+    notify: __nginx_reload
  become: True
  become_user: root
  when: nginx_pfs_enabled
-
- block:
-  - name: Add default page
-    template:
-      src: 'var/www/vhosts/default/index.html.j2'
-      dest: '/var/www/vhosts/default/index.html'
-      owner: nginx
-      group: nginx
-      mode: 0750
-  become: True
-  become_user: nginx