roles/nginx: Allow usage of Let's Encrypt certs

Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).

roles/nginx/defaults/main.yml

@@ -16,8 +16,8 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
 
-# TLS key directory
+# Directory root for Let's Encrypt certs
-tls_key_dir: /etc/letsencrypt/live
+letsencrypt_root: /etc/letsencrypt/live
 
 # stable is 1.10.x
 # mainline is 1.11.x

roles/nginx/templates/https.j2

@@ -2,19 +2,29 @@
 {% set domain_name       = item.domain_name %}
 {# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
 {% set enable_hsts       = item.enable_hsts | default("no") %}
-{# use self-signed certs? yes on development, no on production #}
+{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
-{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %}
+{% set use_letsencrypt = item.use_letsencrypt | default("no") %}
+
+    {% if use_letsencrypt == "yes" %}
 
-    {# better to check for "not yes" then "no" #}
-    {% if use_snakeoil_cert != "yes" %}
     # concatenated key + cert
     # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
-    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
+
+    {% elif item.tls_certificate_path and item.tls_key_path %}
+
+    # concatenated key + cert
+    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_certificate {{ item.tls_certificate_path }};
+    ssl_certificate_key {{ item.tls_key_path }};
+
     {% else %}
+
     # "snakeoil" certificate (self signed!)
     ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
     ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+
     {% endif %}
 
     ssl_session_timeout {{ nginx_ssl_session_timeout }};
@@ -27,7 +37,7 @@
     ssl_prefer_server_ciphers on;
 
     {# OSCP stapling only works with real certs #}
-    {% if use_snakeoil_cert != "yes" %}
+    {% if use_letsencrypt == "yes" or item.tls_certificate_path %}
     # OCSP stapling...
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -37,7 +47,7 @@
     {% else %}
     resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888];
     {% endif %} {# end: linode_id #}
-    {% endif %} {# end: use_snakeoil_cert #}
+    {% endif %} {# end: use_letsencrypt #}
 
     # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
     # when a restart is performed the previous key is lost, which resets all previous