introduce nginx role

2017-04-27 13:59:10 +10:00 · 2017-04-27 13:59:10 +10:00 · 2ab4b9be13
commit 2ab4b9be13
parent 88e9560a53
10 changed files with 314 additions and 0 deletions
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,5 @@
+---
+- include: nginx.yml
+
+- include: ssl-setup.yml
+  when: not httpd_no_ssl
--- a/roles/nginx/tasks/nginx.yml
+++ b/roles/nginx/tasks/nginx.yml
@ -0,0 +1,33 @@
+- name: install nginx
+  dnf:
+    name: nginx
+    state: present
+
+- name: Ensure nginx is started and enabled to start at boot.
+  service: name=nginx state=started enabled=yes
+
+- name: install nginx logrotation file
+  copy:
+    src: etc/logrotate.d/nginx
+    dest: /etc/logrotate.d/nginx
+    owner: root
+    group: root
+    mode: 0644
+
+- name: install /etc/nginx/nginx.conf
+  template:
+    src: etc/nginx/nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart nginx
+
+- name: install /etc/nginx/conf.d/default.conf
+  copy:
+    src: etc/nginx/conf.d/default.conf
+    dest: /etc/nginx/conf.d/default.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart nginx
--- a/roles/nginx/tasks/ssl-setup.yml
+++ b/roles/nginx/tasks/ssl-setup.yml
@ -0,0 +1,45 @@
+- name: copy over ssl key
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/nginx/conf.d/ssl.key"
+  with_first_found:
+  - files:
+    - "{{ httpd_ssl_key_file }}"
+    skip: True
+  register: setup_ssl_key
+  notify: restart nginx service
+  no_log: True
+  tags:
+  - update_ssl_certs
+
+- name: copy over ssl pem file
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/nginx/conf.d/ssl.pem"
+  with_first_found:
+  - files:
+    - "{{ httpd_ssl_pem_file }}"
+    - "{{ httpd_ssl_crt_file }}"
+    skip: True
+  register: setup_ssl_pem
+  when: setup_ssl_key|success
+  tags:
+  - update_ssl_certs
+
+  #  generate our own key/crt if pem is missing
+- name: generate self signed ssl certificate
+  command: openssl req -new -nodes -x509 -subj "{{ ssl_self_signed_string }}" -days 3650 -keyout /etc/nginx/conf.d/ssl.key -out /etc/nginx/conf.d/ssl.pem -extensions v3_ca
+  args:
+    creates: /etc/nginx/conf.d/ssl.pem
+  when: setup_ssl_key|failed or setup_ssl_pem|failed
+
+- name: warn that the next step takes a while
+  debug:
+    msg: "the next step can take around 15 minutes if it hasn't already been done"
+
+- name: create Diffie Hellman ephemeral parameters
+  # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  command: openssl dhparam {{ '-dsaparam' if ssl_fast_dh else '' }} -out dhparam.pem 4096
+  args:
+    chdir: /etc/ssl/certs
+    creates: /etc/ssl/certs/dhparam.pem