roles/nginx: Add convenience tags to fact task

roles/nginx: Use snakeoil cert from ssl-cert
Instead of manually creating our own self-signed certificate we can use the one created automatically by the ssl-cert package on Debian. This is only used by the dummy default HTTPS vhost.
2021-07-01 18:17:14 +03:00 · 2021-07-01 18:11:34 +03:00 · 2021-07-01 18:11:11 +03:00
4 changed files with 16 additions and 14 deletions
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -18,17 +18,17 @@
    "default": {
        "ansible": {
            "hashes": [
-                "sha256:f561cca7fbc4daa14d98e18cd0cb74bd8b173f1501b8fa11543f6ef002de3167"
+                "sha256:737d819ffbd7a80c28795b4edd93e59ad21e6e6d53af0d19f57412814f9260d0"
            ],
            "index": "pypi",
-            "version": "==4.1.0"
+            "version": "==4.2.0"
        },
        "ansible-core": {
            "hashes": [
-                "sha256:7e75827a94d47d1c3e1930d708f0ef637a3ab9a21f757aaf55deab6e9f47c682"
+                "sha256:5ae4c3da765df08ce23f6315a6d48121c0090324fe0a9d305c85f362ff6bcaeb"
            ],
            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
-            "version": "==2.11.1"
+            "version": "==2.11.2"
        },
        "cffi": {
            "hashes": [
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -16,8 +16,15 @@
    add_nginx_apt_key is changed or
    add_nginx_apt_repository is changed
- name: Install nginx
+- name: Set nginx packages
-  apt: pkg=nginx cache_valid_time=3600 state=present
+  set_fact:
    nginx_packages:
      - nginx
      - ssl-cert # for ssl-cert-snakeoil.pem in nginx
  tags: nginx, packages
 - name: Install nginx packages
  apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
  tags: nginx, packages
 - name: Copy nginx.conf
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -7,11 +7,6 @@
    notify:
      - reload nginx
  - name: Generate self-signed TLS cert
    command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
    notify:
      - reload nginx
  - name: Download 4096-bit RFC 7919 dhparams
    get_url:
      url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@ -16,9 +16,9 @@ server {
    listen [::]:443 ssl http2 default_server;
    server_name _;
-    # "snakeoil" certificate (self signed!)
+    # self-signed "snakeoil" certificate from ssl-cert package
-    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_session_timeout {{ nginx_ssl_session_timeout }};
    ssl_session_cache {{ nginx_ssl_session_cache }};
Author	SHA1	Message	Date
Alan Orth	82d3a7ff2a	roles/nginx: Add convenience tags to fact task	2021-07-01 18:17:14 +03:00
Alan Orth	6c3cf40a16	roles/nginx: Use snakeoil cert from ssl-cert Instead of manually creating our own self-signed certificate we can use the one created automatically by the ssl-cert package on Debian. This is only used by the dummy default HTTPS vhost.	2021-07-01 18:11:34 +03:00
Alan Orth	681be5eb19	Pipfile.lock: run pipenv update Ansible 4.2.0 and Ansible Core 2.11.2	2021-07-01 18:11:11 +03:00