fix tls implementation
This commit is contained in:
parent
3967a2d772
commit
8eee8600f7
@ -50,7 +50,12 @@ nginx_tls_enabled: False
|
||||
nginx_tls_certs_dir: /etc/pki/tls/certs
|
||||
nginx_tls_key_dir: /etc/pki/tls/private
|
||||
nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
|
||||
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem"
|
||||
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mykey.pem"
|
||||
nginx_tls_source_use_content: False
|
||||
nginx_tls_source_use_files: True
|
||||
nginx_tls_cert_source: mycert.pem
|
||||
nginx_tls_key_source: mykey.pem
|
||||
|
||||
|
||||
nginx_pfs_enabled: False
|
||||
nginx_dhparam_size: 4069
|
||||
|
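Review bot: `nginx_dhparam_size: 4069` looks like a transposition of 4096; openssl will generate a 4069-bit group without complaint, but it is a non-standard size that buys nothing over 4096 and is not what anyone reading the defaults expects, so `nginx_dhparam_size: 4096` is presumably the intent. `nginx_tls_source_use_content` and `nginx_tls_source_use_files` are independent booleans, so setting both to True copies the material twice and setting both to False installs nothing without any error; a single exclusive switch (for example `nginx_tls_source_type: files`, accepting `files` or `content`) would make the misconfiguration impossible. The defaults also carry no comment saying that `nginx_tls_cert_source` and `nginx_tls_key_source` are read as a file name under the role's `files/` directory in one mode and as the PEM text itself in the other, which a one-line comment above each would make clear without a trip to tls.yml.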
@ -4,6 +4,6 @@
|
||||
state: reloaded
|
||||
name: nginx
|
||||
listen:
|
||||
- "nginx_reload"
|
||||
- __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
|
@ -59,8 +59,7 @@
|
||||
group: root
|
||||
mode: 0640
|
||||
validate: /sbin/nginx -t -c %s
|
||||
notify:
|
||||
- nginx_reload
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Remove default.conf from conf.d
|
||||
file:
|
||||
@ -75,8 +74,7 @@
|
||||
group: root
|
||||
mode: 0640
|
||||
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
|
||||
notify:
|
||||
- nginx_reload
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Open ports in iptables
|
||||
iptables_raw:
|
||||
@ -86,6 +84,18 @@
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Add default page
|
||||
template:
|
||||
src: var/www/vhosts/default/index.html.j2
|
||||
dest: /var/www/vhosts/default/index.html
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0750
|
||||
when: nginx_default_page_enabled
|
||||
become: True
|
||||
become_user: nginx
|
||||
|
||||
- block:
|
||||
- name: Add default page configuration file
|
||||
template:
|
||||
@ -94,8 +104,7 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify:
|
||||
- nginx_reload
|
||||
notify: __nginx_reload
|
||||
|
||||
- name: Enable default page
|
||||
file:
|
||||
@ -104,8 +113,7 @@
|
||||
owner: root
|
||||
group: root
|
||||
state: link
|
||||
notify:
|
||||
- nginx_reload
|
||||
notify: __nginx_reload
|
||||
when: nginx_default_page_enabled
|
||||
become: True
|
||||
become_user: root
|
||||
|
@ -1,2 +1,4 @@
|
||||
---
|
||||
- include_tasks: install.yml
|
||||
- include_tasks: tls.yml
|
||||
when: nginx_tls_enabled
|
||||
|
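Review bot: The `when: nginx_tls_enabled` on the new `include_tasks: tls.yml` line repeats the same condition placed on the first block inside tls.yml, so one of the two is redundant; keeping it on the include is the cheaper option since the file is then not loaded at all. Because `include_tasks` is dynamic, the TLS tasks are invisible to `--list-tasks` and tags applied from outside only reach the include itself; `import_tasks: tls.yml` with the same `when` would be evaluated statically and apply the condition to each imported task, which is the more conventional shape for a role-internal task file.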
@ -1,61 +1,53 @@
|
||||
- block:
|
||||
- name: Copy tls certificate
|
||||
copy:
|
||||
content: "{{ nginx_tls_cert }}"
|
||||
dest: "{{ nginx_tls_cert_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
- name: Create tls folder structure
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 700
|
||||
with_items:
|
||||
- "{{ nginx_tls_certs_dir }}"
|
||||
- "{{ nginx_tls_key_dir }}"
|
||||
|
||||
- name: Copy ssl intermediate cert
|
||||
- name: Copy certs and private key (content)
|
||||
copy:
|
||||
content: "{{ nginx_tls_intermediate_ca }}"
|
||||
dest: "{{ nginx_tls_intermediate_ca_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- nginx_reload
|
||||
content: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
|
||||
- { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
notify: __nginx_reload
|
||||
when: nginx_tls_source_use_content
|
||||
|
||||
- name: Copy tls private key
|
||||
- name: Copy certs and private key (files)
|
||||
copy:
|
||||
content: "{{ nginx_tls_private_key }}"
|
||||
dest: "{{ nginx_tls_private_key_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
notify:
|
||||
- nginx_reload
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
|
||||
- { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
notify: __nginx_reload
|
||||
when: nginx_tls_source_use_files
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_tls_enabled
|
||||
|
||||
- block:
|
||||
- name: Register dhparam file
|
||||
stat:
|
||||
path: "{{ nginx_dhparam_file }}"
|
||||
register: dh_file
|
||||
register: __nginx_dh_file
|
||||
|
||||
- name: Generate Diffie-Hellman parameter file
|
||||
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
|
||||
async: 3600
|
||||
poll: 60
|
||||
when: not dh_file.stat.exists
|
||||
notify:
|
||||
- nginx_reload
|
||||
when: not __nginx_dh_file.stat.exists
|
||||
notify: __nginx_reload
|
||||
become: True
|
||||
become_user: root
|
||||
when: nginx_pfs_enabled
|
||||
|
||||
- block:
|
||||
- name: Add default page
|
||||
template:
|
||||
src: 'var/www/vhosts/default/index.html.j2'
|
||||
dest: '/var/www/vhosts/default/index.html'
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0750
|
||||
become: True
|
||||
become_user: nginx
|
||||
|
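Review bot: `dest: '{{ nginx_tls_key_file }}'` on the two with_items lines refers to a variable this commit never defines — the defaults hunk names it `nginx_tls_private_key_file` — so both copy tasks will fail with an undefined-variable error unless it is set somewhere outside the diff. In the new "Create tls folder structure" task `mode: 700` is an unquoted decimal, which Ansible applies as 0o1274 rather than 0700, and applying a 0700 mode to `nginx_tls_certs_dir` at its default of `/etc/pki/tls/certs` would also hide the system's public-certificate directory from every other service on the host. The certificate entries use `mode: '0750'`, which adds an execute bit to a PEM file where the replaced task used 0644, and the content variant writes private-key material without `no_log: true`, so a `--diff` run can print the key into the log. The old "Copy ssl intermediate cert" task has no replacement in the new code, so the certificate file must now carry the full chain; if that is intended it deserves a comment in the defaults. The rewrite below quotes a per-directory mode, fixes the variable name, drops the execute bit and adds `no_log`; the same with_items change applies to the "(files)" task.

```yaml
- name: Create tls folder structure
  file:
    path: "{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"  # quoted: an unquoted 700 is parsed as decimal
  with_items:
    - { path: "{{ nginx_tls_certs_dir }}", mode: '0755' }  # public certs stay world-readable
    - { path: "{{ nginx_tls_key_dir }}", mode: '0700' }

# … unchanged: "Copy certs and private key (content)" task name, copy: content/dest/mode …
  with_items:
    - { src: "{{ nginx_tls_key_source }}", dest: "{{ nginx_tls_private_key_file }}", mode: '0600' }
    - { src: "{{ nginx_tls_cert_source }}", dest: "{{ nginx_tls_cert_file }}", mode: '0644' }
  loop_control:
    label: "{{ item.dest }}"
  no_log: true  # the loop item carries the private key in the content variant
# … unchanged: notify, when, and the "(files)" task with the same with_items fix …
```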