roles/nginx: Use snakeoil cert from ssl-cert

Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.

roles/nginx/tasks/main.yml

@@ -16,8 +16,14 @@
     add_nginx_apt_key is changed or
     add_nginx_apt_repository is changed
 
-- name: Install nginx
-  apt: pkg=nginx cache_valid_time=3600 state=present
+- name: Set nginx packages
+  set_fact:
+    nginx_packages:
+      - nginx
+      - ssl-cert # for ssl-cert-snakeoil.pem in nginx
+
+- name: Install nginx packages
+  apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
   tags: nginx, packages
 
 - name: Copy nginx.conf

roles/nginx/tasks/vhosts.yml

@@ -7,11 +7,6 @@
     notify:
       - reload nginx
 
-  - name: Generate self-signed TLS cert
-    command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
-    notify:
-      - reload nginx
-
   - name: Download 4096-bit RFC 7919 dhparams
     get_url:
       url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

roles/nginx/templates/blank-vhost.conf.j2

@@ -16,9 +16,9 @@ server {
     listen [::]:443 ssl http2 default_server;
     server_name _;
 
-    # "snakeoil" certificate (self signed!)
-    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
-    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+    # self-signed "snakeoil" certificate from ssl-cert package
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 
     ssl_session_timeout {{ nginx_ssl_session_timeout }};
     ssl_session_cache {{ nginx_ssl_session_cache }};