--- /dev/null
+---
+- name: install nginx package
+ apt:
+ name: "{{ nginx_package_variant }}"
+ state: present
+
+- name: install snippets
+ with_fileglob: '../templates/snippets/*.j2'
+ loop_control:
+ label: "{{ item | basename | splitext | first }}"
+ template:
+ src: "snippets/{{ item | basename | splitext | first }}.j2"
+ dest: "/etc/nginx/snippets/{{ item | basename | splitext | first }}"
+ notify: reload nginx
+
+- name: install default vhost
+ template:
+ src: vhosts/default.j2
+ dest: /etc/nginx/sites-enabled/default
+ notify: reload nginx
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+ size: 2048
+ notify: reload nginx
+
+- name: check if acme certs already exists
+ stat:
+ path: "/var/lib/acme/live/{{ ansible_host }}"
+ register: acme_cert_stat
+
+- name: link nonexistent hostnames to self-signed interim cert
+ when: acme_cert_stat.stat.exists == false
+ block:
+ - name: get id of existing selfsigned interim certificate
+ command: cat /var/lib/acme/.selfsigned-interim-cert
+ changed_when: false
+ check_mode: false
+ register: selfsigned_interim_cert_id
+
+ - name: set selfsigned_interim_cert_id variable
+ set_fact:
+ selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
+
+ - name: link to snakeoil cert for nonexistent hostname
+ file:
+ src: "../certs/{{ selfsigned_interim_cert_id }}"
+ dest: "/var/lib/acme/live/{{ ansible_host }}"
+ state: link
+
+- name: make sure nginx config has been loaded
+ meta: flush_handlers
+
+- name: get certificate using acmetool
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "{{ ansible_host }}"
+ acmetool_cert_hostnames: "{{ [ansible_host] }}"
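Review bot: The `when: acme_cert_stat.stat.exists == false` line on the "link nonexistent hostnames" block compares a boolean against a literal; the idiomatic Ansible form is `when: not acme_cert_stat.stat.exists`, which also avoids the YAML 1.1 truthy-literal ambiguity that yamllint warns on. Inside that block, `command: cat /var/lib/acme/.selfsigned-interim-cert` spawns a process only to capture stdout, which is why the task needs `changed_when: false` and `check_mode: false`; `slurp: { src: /var/lib/acme/.selfsigned-interim-cert }` followed by `"{{ selfsigned_interim_cert_id.content | b64decode | trim }}"` in the `set_fact` reads the file idempotently and works unchanged in check mode. The `set_fact` task reuses the name `selfsigned_interim_cert_id` that the previous task registered, replacing the result dict with a string; this works because set_fact takes precedence, but a distinct name such as `selfsigned_interim_cert_raw` for the registered result would make the flow easier to follow. The relative `src: "../certs/{{ ... }}"` for the symlink is presumably intentional so the link stays valid if `/var/lib/acme` is relocated; a comment on the `file` task saying so would save the next reader the guess.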
--- /dev/null
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5;
+ssl_prefer_server_ciphers on;
+
+# openssl dhparam -out /etc/ssl/dhparams.pem 2048
+ssl_dhparam /etc/ssl/dhparams.pem;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;
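Review bot: The first line, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, still enables TLS 1.0 and 1.1, both formally deprecated (RFC 8996) and below current browser and compliance baselines, so unless a named legacy client requires them the line should read `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 only takes effect if the target's nginx and OpenSSL support it; otherwise `TLSv1.2` alone). The `RSA+AES` entry near the end of the `ssl_ciphers` list permits static-RSA key exchange, which provides no forward secrecy; once the protocol floor is raised it is worth dropping that entry and relying on the ECDH/DH groups already listed first. The `# openssl dhparam ...` comment matches the `openssl_dhparam` task in the tasks file of this commit and `ssl_session_tickets off` is the right default for a shared snippet, so the rest of the file looks consistent.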
--- /dev/null
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+
+ include snippets/acmetool.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+ include snippets/acmetool.conf;
+ include snippets/ssl.conf;
+ ssl_certificate /var/lib/acme/live/{{ ansible_host }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ ansible_host }}/privkey;
+ include snippets/hsts.conf;
+
+ include snippets/security-headers.conf;
+
+ location / {
+ default_type text/plain;
+ return 200 "Welcome to {{ ansible_host }}!";
+ }
+}
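Review bot: The template has no header comment stating that it is a Jinja template rendered by the `install default vhost` task into `/etc/nginx/sites-enabled/default` and that it is the catch-all (`default_server`, `server_name _`) for both port 80 and 443; a first line such as `# Catch-all vhost rendered by Ansible from vhosts/default.j2 -- do not edit on the host` would make that clear. In the port-80 block, `location / { return 301 https://$host$request_uri; }` redirects every path, so the ACME HTTP-01 challenge path is only reachable if `snippets/acmetool.conf` (included above it, not part of this commit) defines a more specific `location` for it; a comment next to that include, e.g. `# must define the ACME challenge location, otherwise the redirect below captures it`, would document that dependency. The certificate paths are keyed on `{{ ansible_host }}`, which in Ansible is the connection address and may be an IP literal rather than a DNS name; presumably the inventory guarantees a resolvable hostname here, and a comment saying so next to `ssl_certificate` would help.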