ansible-personal/roles/nginx/defaults/main.yml

---
# file: roles/nginx/defaults/main.yml

# path config
nginx_confd_path: /etc/nginx/conf.d

# parent directory of vhost roots
nginx_root_prefix: /var/www

# 1 hour timeout
nginx_ssl_session_timeout: 1h
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'

# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'

# install certbot + dependencies?
# True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True

# Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live

# Location of Let's Encrypt's certbot script
letsencrypt_certbot_dest: /opt/certbot-auto

# stable is 1.16.x
# mainline is 1.17.x
nginx_version: mainline

# vim: set ts=2 sw=2:
roles/nginx: Add defaults for nginx role Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 20:02:29 +03:00			`---`
			`# file: roles/nginx/defaults/main.yml`

			`# path config`
			`nginx_confd_path: /etc/nginx/conf.d`

			`# parent directory of vhost roots`
			`nginx_root_prefix: /var/www`

roles/nginx: Templatize SSL parameters using role defaults Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:28:31 +03:00			`# 1 hour timeout`
			`nginx_ssl_session_timeout: 1h`
			`# 10MB -> 40,000 sessions`
			`nginx_ssl_session_cache: shared:SSL:10m`
			`# 1400 bytes to fit in one MTU (default is 16k!)`
			`nginx_ssl_buffer_size: 1400`
			`nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem`
Update nginx cipher suite and TLS protocols Use latest Mozilla "intermediate" TLS settings. This configuration works on (at least) Ubuntu 18.04 and Debian 10. See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1 2019-07-23 17:53:22 +03:00			`nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'`
roles/nginx: Templatize SSL parameters using role defaults Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-04 23:28:31 +03:00
roles/nginx: Allow custom resolvers for TLS stapling Allows to specify custom DNS resolvers for TLS stapling, with a default of Cloudflare's public DNS servers. 2018-04-30 18:04:17 +03:00			`# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)`
			`# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling`
			`nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'`

Set use_letsencrypt to true for nginx role The variable name is misleading as this really does is install the certbot client and its dependencies, and we generally want this to always happen. If a host doesn't want it, they can override it in their host vars. Perhaps I should rename this variable to "bootstrap_letsencrypt" or something so it is more accurate. 2016-10-09 11:57:23 +03:00			`# install certbot + dependencies?`
			`# True unless you're in development and using "localhost" + snakeoil certs`
			`use_letsencrypt: True`

roles/nginx: Allow usage of Let's Encrypt certs Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs). 2016-06-27 19:07:48 +03:00			`# Directory root for Let's Encrypt certs`
			`letsencrypt_root: /etc/letsencrypt/live`
roles/nginx: Update nginx https stuff - re-organize tls vhost configuration - copy TLS cert from host_vars directly to file Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-09-13 23:16:54 +03:00
roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 23:52:39 +03:00			`# Location of Let's Encrypt's certbot script`
			`letsencrypt_certbot_dest: /opt/certbot-auto`

roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00			`# stable is 1.16.x`
			`# mainline is 1.17.x`
roles/nginx: Use mainline branch by default Has all the good stuff: http://nginx.org/en/CHANGES 2016-05-27 08:14:04 +03:00			`nginx_version: mainline`
roles/nginx: Use template for nginx repo A template is better than ansible's `apt_repository` module because we can idempotently control the contents of the file based on vari- ables. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-05-25 00:15:49 +03:00
roles/nginx: Add defaults for nginx role Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-27 20:02:29 +03:00			`# vim: set ts=2 sw=2:`