Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts

Everything is TLS now (whether self-signed or not), so it's pointless to distinguish. Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
parent 7b9536838c
commit 41547defb9
5 changed files with 94 additions and 92 deletions
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -28,8 +28,8 @@
 - name: Create fastcgi cache dir
  file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755

- include: tls_vhosts.yml
-  when: nginx_tls_vhosts is defined
+- include: vhosts.yml
+  when: nginx_vhosts is defined
  tags: nginx

 - name: Configure blank nginx vhost
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -2,7 +2,7 @@

 - name: Configure https vhosts
  template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.nginx_domain_name }}.conf mode=0644 owner=root group=root
-  with_items: nginx_tls_vhosts
+  with_items: nginx_vhosts
  notify:
    - reload nginx

@ -18,18 +18,18 @@

 - name: Create vhost document roots
  file: path={{ nginx_root_prefix }}/{{ item.nginx_domain_name }} state=directory mode=0755 owner=nginx group=nginx
-  with_items: nginx_tls_vhosts
+  with_items: nginx_vhosts

 - name: Install WordPress
  git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.nginx_domain_name }}/wordpress version={{ item.wordpress_version }} depth=1
  when: item.has_wordpress == 'yes'
-  with_items: nginx_tls_vhosts
+  with_items: nginx_vhosts
  tags: wordpress

 - name: Fix WordPress directory permissions
  file: path={{ nginx_root_prefix }}/{{ item.nginx_domain_name }} state=directory owner=nginx group=nginx recurse=yes
  when: item.has_wordpress == 'yes'
-  with_items: nginx_tls_vhosts
+  with_items: nginx_vhosts
  tags: wordpress

 # vim: set ts=2 sw=2:
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@ -4,12 +4,15 @@
 # a vhost serving that domain.
 server {
    listen 80 default;
-    {% if nginx_tls_vhosts is defined %}
-    listen 443 ssl http2 default;
-    {% endif %}
+    listen [::]:80 default;
+    server_name _;
+
+    return 403;
+}
+server {
+    listen 443 ssl http2 default;
    server_name _;

-    {% if nginx_tls_vhosts is defined %}
    # "snakeoil" certificate (self signed!)
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
@ -30,7 +33,6 @@ server {
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;
-    {% endif %}

    return 403;
 }