cleaned up and streamlined the wildcard cert creation process

This commit is contained in:
muppeth 2023-12-29 18:26:59 +01:00
parent 41b95fb710
commit fb2dde1d7d
Signed by: muppeth
GPG Key ID: 0EBC7B9848D04031
3 changed files with 61 additions and 46 deletions


@ -38,11 +38,58 @@ nginx_vhosts:
- 'fastcgi_pass unix:{{ pool_listen }};'
state: 'enable'
letsencrypt: 'false'
```
# Selfsigned cert example:
- name: 'privatebin.example.com'
template: 'privatebin'
proto: 'https'
listen: '443'
root: 'privatebin'
index: 'index.php'
ssl_name: 'bin.example.com'
selfsigned: 'true'
use_access_log: 'false'
use_error_log: 'true'
nginx_error_log_level: 'warn'
upstream_params:
- 'fastcgi_pass unix:{{ pool_listen }};'
- 'fastcgi_index index.php;'
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
header_xframe: 'none'
header_cto: 'none'
file_cache:
- cache: 'max=1000 inactive=20s'
valid: '30s'
min_users: '2'
cache_errors: 'on'
state: 'enable'
letsencrypt: 'false'
## Changelog
- **04.03.2021** - Modyfied header info for proxy (locations), and core templates
- **26.01.2021** - Rewritten templates structure
- **02.12.2020** - conversejs template
- **14.12.2019** - Start changelog
- **14.12.2019** - Updated hubzilla,privatebin, framadate template
# Selfsigned wildcard cert example:
- name: 'privatebin.example.com'
template: 'privatebin'
proto: 'https'
listen: '443'
root: 'privatebin'
index: 'index.php'
wildcard: 'true' #enable wildcard
ssl_name: 'wildcard.example.com' #specify direcotry name for wildcard cert
domain_name: 'example.com' #domain name to create the cert for: *.example.com
selfsigned: 'true'
use_access_log: 'false'
use_error_log: 'true'
nginx_error_log_level: 'warn'
upstream_params:
- 'fastcgi_pass unix:{{ pool_listen }};'
- 'fastcgi_index index.php;'
- 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
header_xframe: 'none'
header_cto: 'none'
file_cache:
- cache: 'max=1000 inactive=20s'
valid: '30s'
min_users: '2'
cache_errors: 'on'
state: 'enable'
letsencrypt: 'false'
```


@ -76,16 +76,7 @@
state: directory
mode: 0755
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.selfsigned == 'true' and item.wildcard is not defined and (item.wildcard is not defined or item.wildcard != 'true')
notify: reload nginx
- name: "[SELFSIGNED] - Create Key folder"
file:
path: "{{ nginx_ssl_dir }}/{{ item.machine_name }}"
state: directory
mode: 0755
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
when: item.selfsigned is defined and item.selfsigned == 'true'
notify: reload nginx
- name: '[SELFSIGNED] - Create a self-signed key'
@ -94,16 +85,7 @@
size: 2048
type: RSA
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and (item.wildcard is not defined or item.wildcard != 'true')
notify: reload nginx
- name: '[SELFSIGNED] - Create a self-signed key'
openssl_privatekey:
path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
size: 2048
type: RSA
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
notify: reload nginx
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
@ -116,10 +98,10 @@
- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for wildcard'
openssl_csr:
path: '{{ ssl_src_path }}/{{ item.machine_name }}/selfsigned.crs'
privatekey_path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
common_name: "*.{{ item.machine_name }}"
subject_alt_name: "DNS:*.{{ item.machine_name }}"
path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
privatekey_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
common_name: "*.{{ item.domain_name }}"
subject_alt_name: "DNS:*.{{ item.domain_name }}"
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
notify: reload nginx
@ -131,15 +113,6 @@
csr_path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
provider: selfsigned
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and (item.wildcard is not defined or item.wildcard != 'true')
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
notify: reload nginx
- name: '[SELFSIGNED] - Create a self-signed certificate'
openssl_certificate:
path: '{{ ssl_src_path }}/{{ item.machine_name }}/fullchain.pem'
privatekey_path: '{{ ssl_src_path }}/{{ item.machine_name }}/privkey.pem'
csr_path: '{{ ssl_src_path }}/{{ item.machine_name }}/selfsigned.crs'
provider: selfsigned
with_items: "{{ nginx_vhosts }}"
when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
notify: reload nginx
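Review bot: The wildcard CSR task now reads `item.domain_name` (common_name and subject_alt_name) but its guard still only checks `item.wildcard == 'true'`, so a vhost that sets `wildcard` without `domain_name` aborts with an undefined-variable error instead of a readable message; extending the condition to `... and item.wildcard == 'true' and item.domain_name is defined` (or a preceding `assert` on the vhost list) would make the requirement explicit. The generated certificate also covers only `DNS:*.{{ item.domain_name }}`, and a wildcard does not match the apex name, so if any vhost on that `ssl_name` serves the bare domain the SAN list should also carry `- "DNS:{{ item.domain_name }}"` as a second list entry under `subject_alt_name:`. Since the key, CSR and certificate tasks are all keyed on `item.ssl_name` and iterate every vhost, two entries sharing one `ssl_name` but different `domain_name` values would presumably rewrite each other's CSR on every run; worth a comment above the task documenting that `ssl_name` must map to exactly one `domain_name`.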


@ -20,13 +20,8 @@ server {
{% endif %}
{% if item.proto == 'https' %}
listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
{% if item.wildcard is defined and item.wildcard == 'true' %}
ssl_certificate {{ nginx_ssl_dir + '/' + item.machine_name + '/' + 'fullchain.pem' + ';' }}
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.machine_name + '/' + 'privkey.pem;' }}
{% else %}
ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
{% endif %}
{% endif %}
server_tokens off;
{% if item.max_upload is defined %}