From e6ffdf8652e72c45eef6a3f16da6b78f86923359 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 13 Sep 2014 23:16:54 +0300
Subject: [PATCH] roles/nginx: Update nginx https stuff

- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth
---
 roles/nginx/defaults/main.yml    |  3 +++
 roles/nginx/tasks/main.yml       | 16 ++++------------
 roles/nginx/tasks/tls_vhosts.yml | 26 ++++++++++++++++++++++++++
 roles/nginx/tasks/vhosts.yml     | 13 +++++++++++++
 roles/nginx/templates/https.j2   |  9 +++++----
 5 files changed, 51 insertions(+), 16 deletions(-)
 create mode 100644 roles/nginx/tasks/tls_vhosts.yml
 create mode 100644 roles/nginx/tasks/vhosts.yml

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 6a09235..1104f14 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -10,4 +10,7 @@ nginx_root_prefix: /var/www
 # TLS protocol versions to support
 nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
 
+# TLS key directory
+tls_key_dir: /etc/ssl/private
+
 # vim: set ts=2 sw=2:
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 59e0df8..8f917cc 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -23,16 +23,12 @@
   file: path=/etc/nginx/conf.d/default.conf state=absent
   tags: nginx
 
-- name: Configure nginx vhosts
-  template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.nginx_domain_name }}.conf mode=0644 owner=root group=root
-  with_items: nginx_vhosts
-  notify:
-    - reload nginx
+- include: vhosts.yml
+  when: nginx_vhosts is defined
   tags: nginx
 
-- name: Create vhost document roots
-  file: path={{ nginx_root_prefix }}/{{ item.nginx_domain_name }} state=directory mode=0755 owner=nginx group=nginx
-  with_items: nginx_vhosts
+- include: tls_vhosts.yml
+  when: nginx_tls_vhosts is defined
   tags: nginx
 
 - name: Configure munin vhost
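Review bot: The `# TLS key directory` comment on the added `tls_key_dir` default understates what the variable is used for: in this same commit tls_vhosts.yml writes a per-vhost file containing the private key together with the certificate into it, https.j2 points both `ssl_certificate` and `ssl_certificate_key` at that file, and nothing in the diff creates the directory or sets its mode. Suggest `# Directory for the per-vhost concatenated key+cert files written by tls_vhosts.yml; must already exist on the host and hold private keys, so keep it root-only`. Whether the default `/etc/ssl/private` exists depends on the distribution; that is not visible here.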
@@ -41,10 +37,6 @@
     - reload nginx
   tags: nginx
 
-- name: Generate 2048-bit dhparam
-  command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
-  tags: nginx
-
 - name: Start & enable nginx service
   service: name=nginx state=started enabled=yes
   tags: nginx
diff --git a/roles/nginx/tasks/tls_vhosts.yml b/roles/nginx/tasks/tls_vhosts.yml
new file mode 100644
index 0000000..4217b44
--- /dev/null
+++ b/roles/nginx/tasks/tls_vhosts.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Configure https vhosts
+  template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.nginx_domain_name }}.conf mode=0644 owner=root group=root
+  with_items: nginx_tls_vhosts
+  notify:
+    - reload nginx
+
+# concatenated key + cert, can live in the same file
+# See: http://nginx.org/en/docs/http/configuring_https_servers.html
+- name: Copy TLS certs
+  copy: content="{{ item.tls_cert }}" dest={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem mode=0700 owner=root group=root
+  with_items: nginx_tls_vhosts
+  notify:
+    - reload nginx
+
+- name: Generate 2048-bit dhparam
+  command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
+  notify:
+    - reload nginx
+
+- name: Create vhost document roots
+  file: path={{ nginx_root_prefix }}/{{ item.nginx_domain_name }} state=directory mode=0755 owner=nginx group=nginx
+  with_items: nginx_tls_vhosts
+
+# vim: set ts=2 sw=2:
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
new file mode 100644
index 0000000..cb6cb73
--- /dev/null
+++ b/roles/nginx/tasks/vhosts.yml
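Review bot: The `Copy TLS certs` task in tls_vhosts.yml writes a file that, per the comment two lines above it, holds the private key, but `mode=0700` sets the execute bit on a regular file; `mode=0600` is the permission that matches the intent. The same task passes the key through `content="{{ item.tls_cert }}"`, so it can be printed in full in verbose or `--diff` runs; add `no_log: true` to the task, i.e. `  copy: content="{{ item.tls_cert }}" dest={{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem mode=0600 owner=root group=root` followed by `  no_log: true`. Nothing in the role creates `{{ tls_key_dir }}`, so the copy presumably relies on the distribution shipping `/etc/ssl/private`; a `file: path={{ tls_key_dir }} state=directory mode=0700 owner=root group=root` task ahead of it would make that explicit and pin the directory mode. `Configure https vhosts` renders the same `vhost.conf.j2` to the same destination as the task in vhosts.yml, so a domain listed in both `nginx_vhosts` and `nginx_tls_vhosts` is rendered twice and the later include wins; which rendering that is cannot be seen from this diff.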
@@ -0,0 +1,13 @@
+---
+
+- name: Configure http vhosts
+  template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.nginx_domain_name }}.conf mode=0644 owner=root group=root
+  with_items: nginx_vhosts
+  notify:
+    - reload nginx
+
+- name: Create vhost document roots
+  file: path={{ nginx_root_prefix }}/{{ item.nginx_domain_name }} state=directory mode=0755 owner=nginx group=nginx
+  with_items: nginx_vhosts
+
+# vim: set ts=2 sw=2:
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index d094aeb..65ede01 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -1,8 +1,9 @@
-{% set tls_cert = item.tls_cert %}
-{% set tls_key = item.tls_key %}
+{% set domain_name = item.nginx_domain_name %}
 
-    ssl_certificate {{ tls_cert }};
-    ssl_certificate_key {{ tls_key }};
+    # concatenated key + cert
+    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
+    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
 
     ssl_session_timeout 5m;
     ssl_session_cache shared:SSL:1m;
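Review bot: In https.j2 both `ssl_certificate` and `ssl_certificate_key` now resolve to `{{ tls_key_dir }}/{{ domain_name }}.crt.pem`, so the value a host supplies in `item.tls_cert` must contain the PEM private key as well as the certificate and any chain; the `item.tls_key` variable the old template consumed is not referenced anywhere in this diff, and a host that still keeps its key there gets a key-less file that only fails at the `reload nginx` handler, after the vhost config has already been written. Suggest stating that contract where the template reads it, replacing `# concatenated key + cert` with `# item.tls_cert must hold the PEM private key and the certificate chain in one file; nginx reads both from it`. An `assert` task on `'PRIVATE KEY' in item.tls_cert` before the copy in tls_vhosts.yml would turn the same mistake into an early playbook failure. Any lines of https.j2 after this hunk are not shown.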