refactoring

This commit is contained in:
Robert Kaussow 2017-12-23 12:25:55 +01:00
parent ffa86b14df
commit d016e27874
3 changed files with 69 additions and 52 deletions


@ -2,9 +2,10 @@
nginx_open_ports: nginx_open_ports:
- 80 - 80
- 443 - 443
ssl_priv_key: "" nginx_tls_enabled: False
ssl_intermediate_cert: "" nginx_tls_cert: ""
ssl_chained_cert: "" nginx_tls_private_key: ""
nginx_tls_intermediate_ca: ""
dhparam_size: '4069' nginx_pfs_enabled: False
dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem' nginx_dhparam_size: '4069'
nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
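Review bot: `nginx_dhparam_file` on the last line still expands `{{dhparam_size}}`, the old variable name this hunk removes in favour of `nginx_dhparam_size`, so rendering that path will raise an undefined-variable error unless `dhparam_size` is still defined somewhere outside this file; it should read `nginx_dhparam_file: '/etc/pki/tls/certs/dhparam-{{ nginx_dhparam_size }}.pem'`. The size `'4069'` looks like a transposition of 4096 — openssl will generate a 4069-bit group without complaint, but it is a non-standard size and worth confirming before it lands in every deployment's filename. The new toggles are written as `False`; `nginx_tls_enabled: false` and `nginx_pfs_enabled: false` are the canonical YAML booleans and what yamllint's truthy rule expects.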


@ -1,12 +1,17 @@
--- ---
- name: Installing nginx repo rpm - name:
yum: yum_repository:
name: http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm name: nginx
file: nginx
description: NGINX High Performance Web Server
baseurl: "http://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
gpgkey: https://nginx.org/keys/nginx_signing.key
gpgcheck: yes
- name: Installing nginx - name: Installing nginx
yum: yum:
name: nginx name: nginx
state: latest state: installed
- name: Prepare vhost directories - name: Prepare vhost directories
file: file:
@ -86,48 +91,56 @@
notify: notify:
- nginx_reload - nginx_reload
- name: Copy ssl chained certs - block:
copy: - name: Copy tls certificate
content: '{{ ssl_chained_cert }}' copy:
dest: /etc/pki/tls/certs/my-chained.crt content: '{{ nginx_tls_cert }}'
owner: root dest: /etc/pki/tls/certs/my-chained.crt
group: root owner: root
mode: 0644 group: root
notify: mode: 0644
- nginx_reload notify:
- nginx_reload
- name: Copy ssl intermediate cert - name: Copy ssl intermediate cert
copy: copy:
content: '{{ ssl_intermediate_cert }}' content: '{{ nginx_tls_intermediate_ca }}'
dest: /etc/pki/tls/certs/my-intermediate.crt dest: /etc/pki/tls/certs/my-intermediate.crt
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: notify:
- nginx_reload - nginx_reload
- name: Copy ssl private key - name: Copy tls private key
copy: copy:
content: '{{ ssl_priv_key }}' content: '{{ nginx_tls_private_key }}'
dest: /etc/pki/tls/private/my-private.key dest: /etc/pki/tls/private/my-private.key
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
notify: notify:
- nginx_reload - nginx_reload
become: True
become_user: root
when: nginx_tls_enabled
- name: Register dhparam file - block:
stat: - name: Register dhparam file
path: "{{ dhparam_file }}" stat:
register: dh_file path: "{{ nginx_dhparam_file }}"
register: dh_file
- name: Generate Diffie-Hellman parameter file - name: Generate Diffie-Hellman parameter file
shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}" shell: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
async: 3600 async: 3600
poll: 60 poll: 60
when: dh_file.stat.exists == False when: not dh_file.stat.exists
notify: notify:
- nginx_reload - nginx_reload
become: True
become_user: root
when: nginx_pfs_enabled
- name: Open ports in iptables - name: Open ports in iptables
iptables_raw: iptables_raw:
@ -136,7 +149,10 @@
rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT' rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'
- name: Enable nginx service - name: Enable nginx service
service: systemd:
name: nginx
enabled: yes
state: started state: started
daemon_reload: yes
enabled: yes
name: nginx
become: True
become_user: root
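Review bot: The "Copy tls private key" task inside the `nginx_tls_enabled` block passes `nginx_tls_private_key` as `content:`, and Ansible echoes module arguments into verbose output and callback/CI logs, so the key material can leak that way; add `no_log: true` to that task (the two certificate tasks carry public data and can stay as they are). The new `yum_repository` task pulls packages from `http://nginx.org/...` with `gpgcheck: yes`, which verifies package signatures but not the repository metadata, so prefer `baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"` and add `repo_gpgcheck: yes`; its `name:` on the new side is also empty and should describe the task. In the `nginx_pfs_enabled` block the dhparam task interpolates two variables into `shell:` although no shell features are used, so `command:` with `creates: "{{ nginx_dhparam_file }}"` would avoid word-splitting on an unexpected variable value and make the preceding `stat` task and its `when: not dh_file.stat.exists` guard unnecessary. The iptables task at the end of the second hunk continues past the hunk boundary.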


@ -13,4 +13,4 @@ ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt; ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_dhparam {{ dhparam_file }}; ssl_dhparam {{ nginx_dhparam_file }};
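Review bot: `ssl_dhparam {{ nginx_dhparam_file }};` is emitted unconditionally, but in tasks/main.yml the dhparam file is now only generated inside the block guarded by `when: nginx_pfs_enabled`, whose new default is False, so a host with TLS enabled and PFS left at the default gets an `ssl_dhparam` directive pointing at a file that does not exist and `nginx -t` will fail; wrap it as `{% if nginx_pfs_enabled %}ssl_dhparam {{ nginx_dhparam_file }};{% endif %}`. The rendered path also depends on `nginx_dhparam_file` in the defaults, which still expands the removed `dhparam_size` variable rather than `nginx_dhparam_size`.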