fix tls implementation

Robert Kaussow 2018-08-12 11:31:12 +02:00
parent 3967a2d772
commit 8eee8600f7
5 changed files with 58 additions and 51 deletions


@ -50,7 +50,12 @@ nginx_tls_enabled: False
nginx_tls_certs_dir: /etc/pki/tls/certs nginx_tls_certs_dir: /etc/pki/tls/certs
nginx_tls_key_dir: /etc/pki/tls/private nginx_tls_key_dir: /etc/pki/tls/private
nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem" nginx_tls_cert_file: "{{ nginx_tls_certs_dir }}/mycert.pem"
nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mycert.pem" nginx_tls_private_key_file: "{{ nginx_tls_key_dir }}/mykey.pem"
nginx_tls_source_use_content: False
nginx_tls_source_use_files: True
nginx_tls_cert_source: mycert.pem
nginx_tls_key_source: mykey.pem
nginx_pfs_enabled: False nginx_pfs_enabled: False
nginx_dhparam_size: 4069 nginx_dhparam_size: 4069
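Review bot: The new `nginx_tls_source_use_content` / `nginx_tls_source_use_files` pair are two independent booleans, so both `True` makes the two copy tasks in tls.yml write the same destinations twice and both `False` leaves `nginx_tls_enabled` on with no certificate deployed; a single selector (for example `nginx_tls_source: files` with values `files`/`content`) would make the modes mutually exclusive, or at least document that exactly one flag may be set. The defaults `nginx_tls_cert_source: mycert.pem` / `nginx_tls_key_source: mykey.pem` are file names, which suit the `src:` copy but not the `content:` copy that writes the variable's value into the file; a comment above them such as `# With nginx_tls_source_use_content these must hold the PEM text, not a path` would prevent that misuse. The booleans are spelled `False`/`True`; lowercase `false`/`true` is the form yamllint and YAML 1.2 expect. Unrelated to this hunk's additions, the context line `nginx_dhparam_size: 4069` looks like a transposition of 4096 — worth confirming.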


@ -4,6 +4,6 @@
state: reloaded state: reloaded
name: nginx name: nginx
listen: listen:
- "nginx_reload" - __nginx_reload
become: True become: True
become_user: root become_user: root


@ -59,8 +59,7 @@
group: root group: root
mode: 0640 mode: 0640
validate: /sbin/nginx -t -c %s validate: /sbin/nginx -t -c %s
notify: notify: __nginx_reload
- nginx_reload
- name: Remove default.conf from conf.d - name: Remove default.conf from conf.d
file: file:
@ -75,8 +74,7 @@
group: root group: root
mode: 0640 mode: 0640
validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"' validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
notify: notify: __nginx_reload
- nginx_reload
- name: Open ports in iptables - name: Open ports in iptables
iptables_raw: iptables_raw:
@ -86,6 +84,18 @@
become: True become: True
become_user: root become_user: root
- block:
- name: Add default page
template:
src: var/www/vhosts/default/index.html.j2
dest: /var/www/vhosts/default/index.html
owner: nginx
group: nginx
mode: 0750
when: nginx_default_page_enabled
become: True
become_user: nginx
- block: - block:
- name: Add default page configuration file - name: Add default page configuration file
template: template:
@ -94,8 +104,7 @@
owner: root owner: root
group: root group: root
mode: 0640 mode: 0640
notify: notify: __nginx_reload
- nginx_reload
- name: Enable default page - name: Enable default page
file: file:
@ -104,8 +113,7 @@
owner: root owner: root
group: root group: root
state: link state: link
notify: notify: __nginx_reload
- nginx_reload
when: nginx_default_page_enabled when: nginx_default_page_enabled
become: True become: True
become_user: root become_user: root
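Review bot: The default-page task moved into the new block at the top of this section uses `mode: 0750` unquoted, which YAML 1.1 parsers read as octal but which ansible-lint flags as risky because a parser treating it as decimal yields a different permission; write `mode: "0750"`. Since `index.html` is only read by nginx, `"0640"` would match the other files in this task file and drop an execute bit a static page does not need. The `notify: __nginx_reload` changes throughout the section are consistent with the handler's `listen: __nginx_reload` rename in the handlers hunk.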


@ -1,2 +1,4 @@
--- ---
- include_tasks: install.yml - include_tasks: install.yml
- include_tasks: tls.yml
when: nginx_tls_enabled
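Review bot: The added `include_tasks: tls.yml` is gated on `when: nginx_tls_enabled`, and the first block inside tls.yml gains the same `when: nginx_tls_enabled` in this commit, so the flag is evaluated twice; keeping the gate on the include only is sufficient and keeps the tls.yml blocks uniform with the `nginx_pfs_enabled` block. Note that with this include the `nginx_pfs_enabled` block is also skipped whenever TLS is disabled, which is presumably intended since dhparams are only used by TLS.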


@ -1,61 +1,53 @@
- block: - block:
- name: Copy tls certificate - name: Create tls folder structure
copy: file:
content: "{{ nginx_tls_cert }}" path: "{{ item }}"
dest: "{{ nginx_tls_cert_file }}" state: directory
owner: root mode: 700
group: root with_items:
mode: 0644 - "{{ nginx_tls_certs_dir }}"
notify: - "{{ nginx_tls_key_dir }}"
- nginx_reload
- name: Copy ssl intermediate cert - name: Copy certs and private key (content)
copy: copy:
content: "{{ nginx_tls_intermediate_ca }}" content: "{{ item.src }}"
dest: "{{ nginx_tls_intermediate_ca_file }}" dest: "{{ item.dest }}"
owner: root mode: "{{ item.mode }}"
group: root with_items:
mode: 0644 - { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
notify: - { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
- nginx_reload loop_control:
label: "{{ item.dest }}"
notify: __nginx_reload
when: nginx_tls_source_use_content
- name: Copy tls private key - name: Copy certs and private key (files)
copy: copy:
content: "{{ nginx_tls_private_key }}" src: "{{ item.src }}"
dest: "{{ nginx_tls_private_key_file }}" dest: "{{ item.dest }}"
owner: root mode: "{{ item.mode }}"
group: root with_items:
mode: 0600 - { src: "{{ nginx_tls_key_source }}", dest: '{{ nginx_tls_key_file }}', mode: '0600' }
notify: - { src: "{{ nginx_tls_cert_source }}", dest: '{{ nginx_tls_cert_file }}', mode: '0750' }
- nginx_reload loop_control:
label: "{{ item.dest }}"
notify: __nginx_reload
when: nginx_tls_source_use_files
become: True become: True
become_user: root become_user: root
when: nginx_tls_enabled
- block: - block:
- name: Register dhparam file - name: Register dhparam file
stat: stat:
path: "{{ nginx_dhparam_file }}" path: "{{ nginx_dhparam_file }}"
register: dh_file register: __nginx_dh_file
- name: Generate Diffie-Hellman parameter file - name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}" shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600 async: 3600
poll: 60 poll: 60
when: not dh_file.stat.exists when: not __nginx_dh_file.stat.exists
notify: notify: __nginx_reload
- nginx_reload
become: True become: True
become_user: root become_user: root
when: nginx_pfs_enabled when: nginx_pfs_enabled
- block:
- name: Add default page
template:
src: 'var/www/vhosts/default/index.html.j2'
dest: '/var/www/vhosts/default/index.html'
owner: nginx
group: nginx
mode: 0750
become: True
become_user: nginx
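Review bot: Both new `with_items` lists reference `{{ nginx_tls_key_file }}`, but the defaults hunk in this same commit defines `nginx_tls_private_key_file`, so unless `nginx_tls_key_file` is set elsewhere the loop fails with an undefined variable; use `nginx_tls_private_key_file` or add the new name to defaults. `mode: 700` on the "Create tls folder structure" task is an unquoted decimal integer, which Ansible applies as the raw number rather than octal 0700; write `mode: "0700"` (and quote the file modes consistently, as the item dicts already do). The certificate entry's `mode: '0750'` adds an execute bit a PEM file does not need and drops the world-read the old task's `0644` had, while the key keeps `'0600'`; `'0644'` on the certificate preserves the public/private distinction the previous tasks made. In the `(content)` variant, `content: "{{ item.src }}"` writes the value of `nginx_tls_key_source`/`nginx_tls_cert_source` verbatim, and the new defaults set those to the file names `mykey.pem`/`mycert.pem`, so with `nginx_tls_source_use_content: True` and default values the literal string `mykey.pem` becomes the key file; the `loop_control.label` already keeps the content out of the task label, but `--diff` output would still print the key material, so `no_log: true` on that task is worth adding.

```yaml
- name: Create tls folder structure
  file:
    path: "{{ item }}"
    state: directory
    mode: "0700"
  # … unchanged: with_items over the two directories …
- name: Copy certs and private key (content)
  # … unchanged: copy module, loop_control, notify, when …
  with_items:
    - { src: "{{ nginx_tls_key_source }}", dest: "{{ nginx_tls_private_key_file }}", mode: "0600" }
    - { src: "{{ nginx_tls_cert_source }}", dest: "{{ nginx_tls_cert_file }}", mode: "0644" }
  no_log: true
# … same with_items change applies to "Copy certs and private key (files)" …
```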