cleaned up and streamlined the wildcard cert creation process
parent
41b95fb710
commit
fb2dde1d7d
61
README.MD
61
README.MD
|
@ -38,11 +38,58 @@ nginx_vhosts:
|
|||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
```
|
||||
|
||||
# Selfsigned cert example:
|
||||
- name: 'privatebin.example.com'
|
||||
template: 'privatebin'
|
||||
proto: 'https'
|
||||
listen: '443'
|
||||
root: 'privatebin'
|
||||
index: 'index.php'
|
||||
ssl_name: 'bin.example.com'
|
||||
selfsigned: 'true'
|
||||
use_access_log: 'false'
|
||||
use_error_log: 'true'
|
||||
nginx_error_log_level: 'warn'
|
||||
upstream_params:
|
||||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
- 'fastcgi_index index.php;'
|
||||
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
|
||||
header_xframe: 'none'
|
||||
header_cto: 'none'
|
||||
file_cache:
|
||||
- cache: 'max=1000 inactive=20s'
|
||||
valid: '30s'
|
||||
min_users: '2'
|
||||
cache_errors: 'on'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
|
||||
## Changelog
|
||||
- **04.03.2021** - Modyfied header info for proxy (locations), and core templates
|
||||
- **26.01.2021** - Rewritten templates structure
|
||||
- **02.12.2020** - conversejs template
|
||||
- **14.12.2019** - Start changelog
|
||||
- **14.12.2019** - Updated hubzilla,privatebin, framadate template
|
||||
# Selfsigned wildcard cert example:
|
||||
- name: 'privatebin.example.com'
|
||||
template: 'privatebin'
|
||||
proto: 'https'
|
||||
listen: '443'
|
||||
root: 'privatebin'
|
||||
index: 'index.php'
|
||||
wildcard: 'true' #enable wildcard
|
||||
ssl_name: 'wildcard.example.com' #specify direcotry name for wildcard cert
|
||||
domain_name: 'example.com' #domain name to create the cert for: *.example.com
|
||||
selfsigned: 'true'
|
||||
use_access_log: 'false'
|
||||
use_error_log: 'true'
|
||||
nginx_error_log_level: 'warn'
|
||||
upstream_params:
|
||||
- 'fastcgi_pass unix:{{ pool_listen }};'
|
||||
- 'fastcgi_index index.php;'
|
||||
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
|
||||
header_xframe: 'none'
|
||||
header_cto: 'none'
|
||||
file_cache:
|
||||
- cache: 'max=1000 inactive=20s'
|
||||
valid: '30s'
|
||||
min_users: '2'
|
||||
cache_errors: 'on'
|
||||
state: 'enable'
|
||||
letsencrypt: 'false'
|
||||
```
|
||||
|
|
|
@ -76,16 +76,7 @@
|
|||
state: directory
|
||||
mode: 0755
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.selfsigned == 'true' and item.wildcard is not defined and (item.wildcard is not defined or item.wildcard != 'true')
|
||||
notify: reload nginx
|
||||
|
||||
- name: "[SELFSIGNED] - Create Key folder"
|
||||
file:
|
||||
path: "{{ nginx_ssl_dir }}/{{ item.machine_name }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
|
||||
when: item.selfsigned is defined and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Create a self-signed key'
|
||||
|
@ -94,16 +85,7 @@
|
|||
size: 2048
|
||||
type: RSA
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and (item.wildcard is not defined or item.wildcard != 'true')
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Create a self-signed key'
|
||||
openssl_privatekey:
|
||||
path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
|
||||
size: 2048
|
||||
type: RSA
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
|
||||
|
@ -116,10 +98,10 @@
|
|||
|
||||
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for wildcard'
|
||||
openssl_csr:
|
||||
path: '{{ ssl_src_path }}/{{ item.machine_name }}/selfsigned.crs'
|
||||
privatekey_path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
|
||||
common_name: "*.{{ item.machine_name }}"
|
||||
subject_alt_name: "DNS:*.{{ item.machine_name }}"
|
||||
path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
|
||||
privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
|
||||
common_name: "*.{{ item.domain_name }}"
|
||||
subject_alt_name: "DNS:*.{{ item.domain_name }}"
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
|
||||
notify: reload nginx
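Review bot: The wildcard CSR task's `when` (the last `when:` in this hunk) still checks only `item.wildcard`, while the task body now reads `item.ssl_name` and `item.domain_name`, so a vhost with `wildcard: 'true'` but no `domain_name` fails inside openssl_csr with an undefined-variable error instead of a clear skip or message. Extend the guard to `when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true' and item.ssl_name is defined and item.domain_name is defined`. Separately, `subject_alt_name: "DNS:*.{{ item.domain_name }}"` covers subdomains only — a wildcard entry does not match the apex name — so a vhost that also serves `example.com` itself would need `DNS:{{ item.domain_name }}` appended to the SAN list. Since the key and certificate tasks in the -94 and -131 hunks dropped their `item.wildcard != 'true'` exclusion, the non-wildcard CSR task (above this hunk, not shown) presumably also runs for wildcard vhosts now; if it writes the same `{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs` path, the two CSR tasks would rewrite each other's CSR on every run and trigger a reload each time — worth confirming the intended ordering.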
|
||||
|
@ -131,15 +113,6 @@
|
|||
csr_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
|
||||
provider: selfsigned
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and (item.wildcard is not defined or item.wildcard != 'true')
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
|
||||
notify: reload nginx
|
||||
|
||||
- name: '[SELFSIGNED] - Create a self-signed certificate'
|
||||
openssl_certificate:
|
||||
path: '{{ ssl_src_path }}/{{ item.machine_name }}/fullchain.pem'
|
||||
privatekey_path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
|
||||
csr_path: '{{ ssl_src_path }}/{{ item.machine_name }}/selfsigned.crs'
|
||||
provider: selfsigned
|
||||
with_items: "{{ nginx_vhosts }}"
|
||||
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
|
||||
notify: reload nginx
|
|
@ -20,13 +20,8 @@ server {
|
|||
{% endif %}
|
||||
{% if item.proto == 'https' %}
|
||||
listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
|
||||
{% if item.wildcard is defined and item.wildcard == 'true' %}
|
||||
ssl_certificate {{ nginx_ssl_dir + '/' + item.machine_name + '/' + 'fullchain.pem' + ';' }}
|
||||
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.machine_name + '/' + 'privkey.pem;' }}
|
||||
{% else %}
|
||||
ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
|
||||
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
server_tokens off;
|
||||
{% if item.max_upload is defined %}
|
||||
|
|