diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 5b51525..e82c102 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -16,8 +16,14 @@ add_nginx_apt_key is changed or add_nginx_apt_repository is changed -- name: Install nginx - apt: pkg=nginx cache_valid_time=3600 state=present +- name: Set nginx packages + set_fact: + nginx_packages: + - nginx + - ssl-cert # for ssl-cert-snakeoil.pem in nginx + +- name: Install nginx packages + apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present tags: nginx, packages - name: Copy nginx.conf diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml index c18127b..3fc1549 100644 --- a/roles/nginx/tasks/vhosts.yml +++ b/roles/nginx/tasks/vhosts.yml @@ -7,11 +7,6 @@ notify: - reload nginx - - name: Generate self-signed TLS cert - command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt - notify: - - reload nginx - - name: Download 4096-bit RFC 7919 dhparams get_url: url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem diff --git a/roles/nginx/templates/blank-vhost.conf.j2 b/roles/nginx/templates/blank-vhost.conf.j2 index d2574ea..8baf36f 100644 --- a/roles/nginx/templates/blank-vhost.conf.j2 +++ b/roles/nginx/templates/blank-vhost.conf.j2 
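Review bot: The new `apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present` pushes a list through the key=value shorthand, which only works because Ansible keeps a variable's native type when the whole value is a single Jinja expression; it reads as a string and breaks as soon as anything else is concatenated onto the value. Writing the module arguments as block YAML makes the list explicit and matches the style the role already uses for the `get_url` task in vhosts.yml. The static `set_fact` list would also be more useful as a role default (`defaults/main.yml`) so a playbook can extend the package set without editing the task, and the inline comment `# for ssl-cert-snakeoil.pem in nginx` should travel with it, since the vhost template's `ssl_certificate` paths now depend on that package being present.
```yaml
- name: Install nginx packages
  apt:
    name: "{{ nginx_packages }}"
    cache_valid_time: 3600
    state: present
  tags: nginx, packages
```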
@@ -16,9 +16,9 @@ server { listen [::]:443 ssl http2 default_server; server_name _; - # "snakeoil" certificate (self signed!) - ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; - ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; + # self-signed "snakeoil" certificate from ssl-cert package + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_cache {{ nginx_ssl_session_cache }};
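Review bot: The template now hard-codes `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key`, which exist only if the `ssl-cert` package from main.yml was installed before this template is rendered and nginx reloaded; with the openssl task deleted from vhosts.yml nothing else in the role creates them, so a host missing that package fails the nginx config test. Consider putting the two paths behind variables (e.g. placeholders like `nginx_default_ssl_certificate` / `nginx_default_ssl_certificate_key`, defaulting to these files) so a real certificate can be supplied for the catch-all server, and extend the comment to `# self-signed "snakeoil" certificate from the ssl-cert package; placeholder for the default_server only, not for real vhosts`. As far as I recall the package-generated key is root:ssl-cert 0640, which nginx's root master process can read at startup, so no mode change should be needed — worth confirming on the target release. The enclosing `server { ... }` block starts and ends outside the hunk.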