roles/nginx: Allow using self-signed TLS certs with dev hosts

Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/templates/https.j2

@@ -1,11 +1,20 @@
 {% set domain_name      = item.nginx_domain_name %}
 {# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
 {% set enable_hsts      = item.nginx_enable_hsts | default("no") %}
+{# use self-signed certs? yes on development, no on production #}
+{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %}
 
+    {# better to check for "not yes" then "no" #}
+    {% if use_snakeoil_cert != "yes" %}
     # concatenated key + cert
     # See: http://nginx.org/en/docs/http/configuring_https_servers.html
     ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
     ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
+    {% else %}
+    # "snakeoil" certificate (self signed!)
+    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+    {% endif %}
 
     ssl_session_timeout {{ nginx_ssl_session_timeout }};
     ssl_session_cache {{ nginx_ssl_session_cache }};
@@ -16,6 +25,8 @@
     ssl_ciphers "{{ tls_cipher_suite }}";
     ssl_prefer_server_ciphers on;
 
+    {# OSCP stapling only works with real certs #}
+    {% if use_snakeoil_cert != "yes" %}
     # OCSP stapling...
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -24,7 +35,8 @@
     resolver 109.74.192.20 109.74.193.20;
     {% else %}
     resolver 8.8.8.8 8.8.4.4;
-    {% endif %}
+    {% endif %} {# end: linode_id #}
+    {% endif %} {# end: use_snakeoil_cert #}
 
     # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
     # when a restart is performed the previous key is lost, which resets all previous