roles/nginx: generate snakeoil cert manually

The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.

roles/nginx/tasks/main.yml

@@ -16,15 +16,8 @@
     add_nginx_apt_key is changed or
     add_nginx_apt_repository is changed
 
-- name: Set nginx packages
-  set_fact:
-    nginx_packages:
-      - nginx
-      - ssl-cert # for ssl-cert-snakeoil.pem in nginx
-  tags: nginx, packages
-
-- name: Install nginx packages
-  apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
+- name: Install nginx
+  apt: pkg=nginx cache_valid_time=3600 state=present
   tags: nginx, packages
 
 - name: Copy nginx.conf

roles/nginx/tasks/vhosts.yml

@@ -7,6 +7,11 @@
     notify:
       - reload nginx
 
+  - name: Generate self-signed TLS cert
+    command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+    notify:
+      - reload nginx
+
   - name: Download 4096-bit RFC 7919 dhparams
     get_url:
       url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

roles/nginx/templates/blank-vhost.conf.j2

@@ -16,9 +16,9 @@ server {
     listen [::]:443 ssl http2 default_server;
     server_name _;
 
-    # self-signed "snakeoil" certificate from ssl-cert package
-    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+    # self-signed "snakeoil" certificate
+    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
 
     ssl_session_timeout {{ nginx_ssl_session_timeout }};
     ssl_session_cache {{ nginx_ssl_session_cache }};