roles/nginx: Add blank vhost

For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/tasks/main.yml

@@ -37,6 +37,11 @@
   when: nginx_tls_vhosts is defined
   tags: nginx
 
+- name: Configure blank nginx vhost
+  template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  notify:
+    - reload nginx
+
 - name: Configure munin vhost
   copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
   notify:

roles/nginx/tasks/tls_vhosts.yml

@@ -15,9 +15,11 @@
   notify:
     - reload nginx
 
-#- name: Generate self-signed TLS cert
-#  command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=KE/ST=Nairobi/L=Nairobi/O=/CN={{ item.nginx_domain_name }}" -newkey rsa:2048 -keyout {{ item.nginx_domain_name }}.key -out {{ item.nginx_domain_name }}.crt -extensions v3_ca creates={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem
-#
+- name: Generate self-signed TLS cert
+  command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+  notify:
+    - reload nginx
+
 - name: Generate 2048-bit dhparam
   command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
   notify: