From 79b29f0c51b7f47bf92bcbe2c238a60281d1fc1f Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 27 Sep 2021 10:48:24 +0300
Subject: [PATCH] roles/nginx: generate snakeoil cert manually

The ssl-cert does this, but it includes the hostname of the server as the subject name in the cert, which is a huge leak of privacy.
---
 roles/nginx/tasks/main.yml | 11 ++---------
 roles/nginx/tasks/vhosts.yml | 5 +++++
 roles/nginx/templates/blank-vhost.conf.j2 | 6 +++---
 3 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index d4c6e79..e442c7f 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -16,15 +16,8 @@ add_nginx_apt_key is changed or add_nginx_apt_repository is changed -- name: Set nginx packages - set_fact: - nginx_packages: - - nginx - - ssl-cert # for ssl-cert-snakeoil.pem in nginx - tags: nginx, packages - -- name: Install nginx packages - apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present +- name: Install nginx + apt: pkg=nginx cache_valid_time=3600 state=present tags: nginx, packages - name: Copy nginx.conf
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
index 3fc1549..c18127b 100644
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -7,6 +7,11 @@ notify: - reload nginx + - name: Generate self-signed TLS cert + command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt + notify: + - reload nginx + - name: Download 4096-bit RFC 7919 dhparams get_url: url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
diff --git a/roles/nginx/templates/blank-vhost.conf.j2 b/roles/nginx/templates/blank-vhost.conf.j2
index 8baf36f..92b9234 100644
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@@ -16,9 +16,9 @@ server { listen [::]:443 ssl http2 default_server; server_name _; - # self-signed "snakeoil" certificate from ssl-cert package - ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; - ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + # self-signed "snakeoil" certificate + ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; + ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_cache {{ nginx_ssl_session_cache }};
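Review bot: Dropping ssl-cert from the package list in the main.yml hunk also drops the only package in this role that guarantees the openssl command-line tool is installed, yet the new task in vhosts.yml shells out to `openssl req`; the nginx package itself only pulls in the libssl library. On a minimal image the generate task would then fail with a missing binary before any vhost is written. Unless the base image is known to ship openssl, install it together with nginx, e.g. `apt: pkg=nginx,openssl cache_valid_time=3600 state=present`, and keep the `tags: nginx, packages` line as it is.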
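Review bot: The `openssl req` command in the vhosts.yml hunk passes `-extensions v3_ca`, which with the stock openssl.cnf stamps the placeholder with basicConstraints CA:TRUE, so the catch-all server certificate is also a self-signed CA certificate; a server cert does not need that and dropping the flag (or pointing at a server-style extension section) avoids shipping an unnecessary CA-flagged key on every host. Because the task is guarded only by `creates=/etc/ssl/certs/nginx-snakeoil.crt`, the `-days 365` cert is never regenerated after it expires and the task also does not rerun if the key is removed while the cert remains; a comment such as `# placeholder for the default_server catch-all only; never renewed once created` next to the task would make that intentional. The private key mode depends on how the installed openssl build opens `-keyout`, so a follow-up `file: path=/etc/ssl/private/nginx-snakeoil.key owner=root mode=0600` task would pin it regardless of version. The task list this hunk belongs to starts above the hunk.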
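Review bot: The new comment in the blank-vhost.conf.j2 hunk no longer says where the certificate comes from, which the old one did, and the two paths now have to stay in sync with the `-keyout`/`-out` arguments of the task in tasks/vhosts.yml. Replacing it with `# self-signed "snakeoil" placeholder for the default_server catch-all, generated by tasks/vhosts.yml (keep paths in sync)` records that coupling for the next maintainer. The `server {` block this hunk belongs to starts and ends outside the hunk.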