ansible/roles/nginx/README.md

Overview
========

Role for using nginx.  Sets up ssl certs in known locations and inactive
template for application use.


Role options
------------
* `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx


SSL
---
This role will copy over key/crt by default.
It can be disabled by setting `httpd_no_ssl` to true

You will still need to configure the application to use ssl.  A reference template templates/example_ssl.conf.j2 is provided

The script will look for keys and certs in the paths specified by the
`httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables.

If that fails, it will attempt to create key/crt pair if there isn't one already installed.

If a pem file exists in the location specified by `httpd_ssl_pem_file`,
it will be copied across as `ssl.pem`. Applications that required the certificate
chain should point at `/etc/nginx/conf.d/ssl.pem`.

Caveats
-------
The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{
inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup.
Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here.

Logrotate
---------

A default template is configured.

SELinux
-------

selinux contexts are application specific.  Enable the following as needed by your setup:

```
httpd_can_network_relay
httpd_can_network_memcache
httpd_can_network_connect *
httpd_can_network_connect_db *
httpd_can_sendmail
```

- * commonly used items enabled by default

Handlers
--------

restart nginx - restart the nginx service

Variables
---------

* `service_name` - canonical name for service
* `httpd_no_ssl` - don't set up ssl
* `httpd_ssl_key_file` - local path to use as source for ssl.key file
* `httpd_ssl_crt_file` - local path to use as source for ssl.crt file
* `httpd_ssl_pem_file` - local path to use as source for ssl.pem file
* `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman
    parameters
* `ssl_intermediate_ca_pattern` - pattern to check if certificate is
    self-signed
* `ssl_self_signed_string` - location and CN settings for self signed cert
introduce nginx role 2017-04-27 13:59:10 +10:00			`Overview`
			`========`

			`Role for using nginx. Sets up ssl certs in known locations and inactive`
			`template for application use.`


			`Role options`
			`------------`
			* `update_ssl_certs` - Only push the SSL key and PEM files and restart Nginx


			`SSL`
			`---`
			`This role will copy over key/crt by default.`
			It can be disabled by setting `httpd_no_ssl` to true

			`You will still need to configure the application to use ssl. A reference template templates/example_ssl.conf.j2 is provided`

			`The script will look for keys and certs in the paths specified by the`
			`httpd_ssl_key_file`, `httpd_ssl_crt_file` and `httpd_ssl_pem_file` variables.

			`If that fails, it will attempt to create key/crt pair if there isn't one already installed.`

			If a pem file exists in the location specified by `httpd_ssl_pem_file`,
			it will be copied across as `ssl.pem`. Applications that required the certificate
			chain should point at `/etc/nginx/conf.d/ssl.pem`.

			`Caveats`
			`-------`
			The key, crt and pem will always be stored on the host under `/etc/nginx/conf.d/{{
			inventory_hostname }}.{key,crt,pem}` due to the multi-sourcing nature of the setup.
			Use `httpd_no_ssl` and setup as desired if it deviates from what is covered here.

			`Logrotate`
			`---------`

			`A default template is configured.`

			`SELinux`
			`-------`

			`selinux contexts are application specific. Enable the following as needed by your setup:`

			```
			`httpd_can_network_relay`
			`httpd_can_network_memcache`
			`httpd_can_network_connect *`
			`httpd_can_network_connect_db *`
			`httpd_can_sendmail`
			```

			`- * commonly used items enabled by default`

			`Handlers`
			`--------`

			`restart nginx - restart the nginx service`

			`Variables`
			`---------`

			* `service_name` - canonical name for service
			* `httpd_no_ssl` - don't set up ssl
			* `httpd_ssl_key_file` - local path to use as source for ssl.key file
			* `httpd_ssl_crt_file` - local path to use as source for ssl.crt file
			* `httpd_ssl_pem_file` - local path to use as source for ssl.pem file
			* `ssl_fast_dh` - whether to use a speedy method to generate Diffie Hellman
			`parameters`
			* `ssl_intermediate_ca_pattern` - pattern to check if certificate is
			`self-signed`
			* `ssl_self_signed_string` - location and CN settings for self signed cert