refactoring

defaults/main.yml

@@ -2,9 +2,10 @@
 nginx_open_ports:
   - 80
   - 443
-ssl_priv_key: ""
-ssl_intermediate_cert: ""
-ssl_chained_cert: ""
-
-dhparam_size: '4069'
-dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
+nginx_tls_enabled: False
+nginx_tls_cert: ""
+nginx_tls_private_key: ""
+nginx_tls_intermediate_ca: ""
+nginx_pfs_enabled: False
+nginx_dhparam_size: '4069'
+nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'

tasks/install.yml

@@ -1,12 +1,17 @@
 ---
-- name: Installing nginx repo rpm
-  yum:
-    name: http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
+- name:
+  yum_repository:
+    name: nginx
+    file: nginx
+    description: NGINX High Performance Web Server
+    baseurl: "http://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
+    gpgkey: https://nginx.org/keys/nginx_signing.key
+    gpgcheck: yes
 
 - name: Installing nginx
   yum:
     name: nginx
-    state: latest
+    state: installed
 
 - name: Prepare vhost directories
   file:
@@ -86,48 +91,56 @@
   notify:
     - nginx_reload
 
-- name: Copy ssl chained certs
-  copy:
-    content: '{{ ssl_chained_cert }}'
-    dest: /etc/pki/tls/certs/my-chained.crt
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - nginx_reload
+- block:
+  - name: Copy tls certificate
+    copy:
+      content: '{{ nginx_tls_cert }}'
+      dest: /etc/pki/tls/certs/my-chained.crt
+      owner: root
+      group: root
+      mode: 0644
+    notify:
+      - nginx_reload
 
-- name: Copy ssl intermediate cert
-  copy:
-    content: '{{ ssl_intermediate_cert }}'
-    dest: /etc/pki/tls/certs/my-intermediate.crt
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - nginx_reload
+  - name: Copy ssl intermediate cert
+    copy:
+      content: '{{ nginx_tls_intermediate_ca }}'
+      dest: /etc/pki/tls/certs/my-intermediate.crt
+      owner: root
+      group: root
+      mode: 0644
+    notify:
+      - nginx_reload
 
-- name: Copy ssl private key
-  copy:
-    content: '{{ ssl_priv_key }}'
-    dest: /etc/pki/tls/private/my-private.key
-    owner: root
-    group: root
-    mode: 0600
-  notify:
-    - nginx_reload
+  - name: Copy tls private key
+    copy:
+      content: '{{ nginx_tls_private_key }}'
+      dest: /etc/pki/tls/private/my-private.key
+      owner: root
+      group: root
+      mode: 0600
+    notify:
+      - nginx_reload
+  become: True
+  become_user: root
+  when: nginx_tls_enabled
 
-- name: Register dhparam file
-  stat:
-    path: "{{ dhparam_file }}"
-  register: dh_file
+- block:
+  - name: Register dhparam file
+    stat:
+      path: "{{ nginx_dhparam_file }}"
+    register: dh_file
 
-- name: Generate Diffie-Hellman parameter file
-  shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}"
-  async: 3600
-  poll: 60
-  when: dh_file.stat.exists == False
-  notify:
-    - nginx_reload
+  - name: Generate Diffie-Hellman parameter file
+    shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
+    async: 3600
+    poll: 60
+    when: not dh_file.stat.exists
+    notify:
+      - nginx_reload
+  become: True
+  become_user: root
+  when: nginx_pfs_enabled
 
 - name: Open ports in iptables
   iptables_raw:
@@ -136,7 +149,10 @@
     rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
 
 - name: Enable nginx service
-  service:
-    name: nginx
-    enabled: yes
+  systemd:
     state: started
+    daemon_reload: yes
+    enabled: yes
+    name: nginx
+  become: True
+  become_user: root

templates/etc/nginx/conf.d/tls.conf.j2

@@ -13,4 +13,4 @@ ssl_stapling_verify on;
 ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
 
 ssl_prefer_server_ciphers on;
-ssl_dhparam {{ dhparam_file }};
+ssl_dhparam {{ nginx_dhparam_file }};