diff --git a/defaults/main.yml b/defaults/main.yml
index 1a674a9..7d75ea2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,9 +2,10 @@
 nginx_open_ports:
 - 80
 - 443
-ssl_priv_key: ""
-ssl_intermediate_cert: ""
-ssl_chained_cert: ""
-
-dhparam_size: '4069'
-dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
+nginx_tls_enabled: False
+nginx_tls_cert: ""
+nginx_tls_private_key: ""
+nginx_tls_intermediate_ca: ""
+nginx_pfs_enabled: False
+nginx_dhparam_size: '4069'
+nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
diff --git a/tasks/install.yml b/tasks/install.yml
index b7b36d9..4a78eba 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -1,12 +1,17 @@
 ---
-- name: Installing nginx repo rpm
- yum:
- name: http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
+- name:
+ yum_repository:
+ name: nginx
+ file: nginx
+ description: NGINX High Performance Web Server
+ baseurl: "http://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
+ gpgkey: https://nginx.org/keys/nginx_signing.key
+ gpgcheck: yes
 - name: Installing nginx
 yum:
 name: nginx
- state: latest
+ state: installed
 - name: Prepare vhost directories
 file:
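Review bot: The renamed default `nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'` still interpolates `dhparam_size`, which this same hunk removes, so rendering the path fails with an undefined-variable error until a caller overrides it; it should read `nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem'`. The size `'4069'` is carried over unchanged and does not look like an intended Diffie-Hellman parameter size; `'4096'` (or `'2048'`) is presumably meant, and that is worth confirming before the PFS block generates a file with it. As a point of style, write the new booleans as `false` rather than `False` (likewise `gpgcheck: yes`, `become: True` and `enabled: yes` in the later hunks of tasks/install.yml); Ansible accepts both, but lowercase `true`/`false` is the canonical spelling and the one yamllint's truthy rule expects.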
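Review bot: The new repository task has an empty `name:` (`- name:` is directly followed by `yum_repository:`), so play output and `--start-at-task` show a blank label for it; give it a name such as `- name: Install nginx yum repository`. Enabling `gpgcheck: yes` with an HTTPS `gpgkey` is the right call, but `baseurl` still fetches repodata and packages over plain `http://`; the gpgkey line on this hunk already uses nginx.org over HTTPS, so `baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"` would also cover the unsigned repository metadata. `state: installed` on the nginx package task is a legacy alias; `state: present` is the documented value.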
@@ -86,48 +91,56 @@ notify: - nginx_reload -- name: Copy ssl chained certs - copy: - content: '{{ ssl_chained_cert }}' - dest: /etc/pki/tls/certs/my-chained.crt - owner: root - group: root - mode: 0644 - notify: - - nginx_reload +- block: + - name: Copy tls certificate + copy: + content: '{{ nginx_tls_cert }}' + dest: /etc/pki/tls/certs/my-chained.crt + owner: root + group: root + mode: 0644 + notify: + - nginx_reload -- name: Copy ssl intermediate cert - copy: - content: '{{ ssl_intermediate_cert }}' - dest: /etc/pki/tls/certs/my-intermediate.crt - owner: root - group: root - mode: 0644 - notify: - - nginx_reload + - name: Copy ssl intermediate cert + copy: + content: '{{ nginx_tls_intermediate_ca }}' + dest: /etc/pki/tls/certs/my-intermediate.crt + owner: root + group: root + mode: 0644 + notify: + - nginx_reload -- name: Copy ssl private key - copy: - content: '{{ ssl_priv_key }}' - dest: /etc/pki/tls/private/my-private.key - owner: root - group: root - mode: 0600 - notify: - - nginx_reload + - name: Copy tls private key + copy: + content: '{{ nginx_tls_private_key }}' + dest: /etc/pki/tls/private/my-private.key + owner: root + group: root + mode: 0600 + notify: + - nginx_reload + become: True + become_user: root + when: nginx_tls_enabled -- name: Register dhparam file - stat: - path: "{{ dhparam_file }}" - register: dh_file +- block: + - name: Register dhparam file + stat: + path: "{{ nginx_dhparam_file }}" + register: dh_file -- name: Generate Diffie-Hellman parameter file - shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}" - async: 3600 - poll: 60 - when: dh_file.stat.exists == False - notify: - - nginx_reload + - name: Generate Diffie-Hellman parameter file + shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}" + async: 3600 + poll: 60 + when: not dh_file.stat.exists + notify: + - nginx_reload + become: True + become_user: root + when: nginx_pfs_enabled - name: Open ports in iptables 
 iptables_raw:
@@ -136,7 +149,10 @@
 rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
 - name: Enable nginx service
- service:
- name: nginx
- enabled: yes
+ systemd:
 state: started
+ daemon_reload: yes
+ enabled: yes
+ name: nginx
+ become: True
+ become_user: root
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 1bfecf1..19fb3ec 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -13,4 +13,4 @@
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
 ssl_prefer_server_ciphers on;
-ssl_dhparam {{ dhparam_file }};
+ssl_dhparam {{ nginx_dhparam_file }};
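Review bot: The `Copy tls private key` task inside the `nginx_tls_enabled` block templates `nginx_tls_private_key` through `copy: content:` without `no_log: true`, so a verbose or `--diff` run prints the key material into the play output and any log collector behind it; add `no_log: true` to that task (the two certificate tasks can stay visible). The dhparam task builds a `shell:` command string from `nginx_dhparam_file` and `nginx_dhparam_size`; nothing in it needs a shell, so `command: /usr/bin/openssl dhparam -out {{ nginx_dhparam_file }} {{ nginx_dhparam_size }}` removes the quoting and word-splitting surface if either variable is ever overridden from inventory. `become_user: root` on both new blocks is redundant with `become: True`, whose default target user is already root.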
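Review bot: `ssl_dhparam {{ nginx_dhparam_file }};` is still emitted unconditionally, while the task that generates that file is now gated on `nginx_pfs_enabled` (which defaults to `False` in defaults/main.yml), so a host with TLS on and PFS off gets an nginx config that points at a missing file and the config test or reload fails; wrap the directive as `{% if nginx_pfs_enabled %}` / `ssl_dhparam {{ nginx_dhparam_file }};` / `{% endif %}`. Whether this template is itself only deployed when `nginx_tls_enabled` is true is not visible on this page and is worth confirming in the same way.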