authorChristian Pointner <equinox@spreadspace.org>2023-08-09 14:38:23 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-20 22:12:03 +0200
commitbc98352d3e331003db625be96139b3c1f95f63b2 (patch)
tree6f05ce12309fb46aaa9c9eee692573b49b692e4d /roles/nginx
parentprepare test setups for new acme/cert roles (diff)
nginx/vhost: major change in certificate/tls handling (WIP)
Diffstat (limited to 'roles/nginx')
-rw-r--r--roles/nginx/vhost/defaults/main.yml8
-rw-r--r--roles/nginx/vhost/tasks/main.yml21
-rw-r--r--roles/nginx/vhost/templates/generic.conf.j210
3 files changed, 25 insertions, 14 deletions
diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
index b80a5442..5984e623 100644
--- a/roles/nginx/vhost/defaults/main.yml
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -3,7 +3,8 @@
# default: yes
# name: example
# template: generic
-# acme: yes
+# tls:
+# certificate_provider: acmetool
# hostnames:
# - example.com
# - www.example.com
@@ -26,7 +27,10 @@
# nginx_vhost:
# name: mixed-static-and-proxy
# template: generic
-# acme: yes
+# tls:
+# variant: legacy
+# hsts: false
+# certificate_provider: acmetool
# hostnames:
# - static.example.com
# extra_directives: |-
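Review bot: The new `tls:` examples in this defaults file do not say which sub-keys are required or what happens when one is omitted, which matters now that the old single `acme: yes` switch has become a small mapping. From the other hunks on this page, `certificate_provider` is required (the tasks build a role path from it), omitting `variant` selects the plain `snippets/tls.conf`, and omitting `hsts` includes `snippets/hsts.conf`; I would annotate the first example as `# certificate_provider: acmetool  # required`, `# variant: legacy  # optional, selects snippets/tls-<variant>.conf`, and `# hsts: false  # optional, default true`. If other providers exist outside this diff, listing the accepted values here would save readers a trip into the tasks file.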
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 424c86a0..c5e68732 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,11 +1,12 @@
---
- name: ensure certificate exists (fake it, until you make it)
- when: "'acme' in nginx_vhost and nginx_vhost.acme"
- import_role:
- name: x509/acmetool/cert/prepare
+ when: "'tls' in nginx_vhost"
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"
+ public: true
vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_name: "{{ nginx_vhost.name }}"
+ x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
- name: install nginx configs from template
when: "'template' in nginx_vhost"
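Review bot: The `name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"` line interpolates an unvalidated vhost variable into a role path, and the guard `when: "'tls' in nginx_vhost"` only checks key presence, so a bare `tls:` (null) or a missing `certificate_provider` fails with an undefined-attribute error inside the include rather than a message naming the vhost, and any provider value that is not a plain name is passed through to the role lookup unchanged. An explicit assert before this task would give a clear failure and bound which roles can be included; the same applies to the finalize include in the second hunk of this file, which should rely on the same check. The allow-list below only contains `acmetool` because that is the only provider visible on this page; extend it with whatever other `x509/<provider>/cert` roles exist in the repository.
```yaml
- name: validate tls configuration of vhost
  when: "'tls' in nginx_vhost"
  assert:
    that:
      - nginx_vhost.tls is mapping
      - "'certificate_provider' in nginx_vhost.tls"
      - nginx_vhost.tls.certificate_provider in ['acmetool']
    fail_msg: "nginx_vhost.tls.certificate_provider must be one of the supported providers"
# … unchanged: ensure certificate exists (fake it, until you make it) …
```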
@@ -31,14 +32,14 @@
notify: reload nginx
- name: generate acme certificate
- when: "'acme' in nginx_vhost and nginx_vhost.acme"
+ when: "'tls' in nginx_vhost"
block:
- name: make sure nginx config has been (re)loaded
meta: flush_handlers
- name: actually request the certificate
- import_role:
- name: x509/acmetool/cert/finalize
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize"
vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_name: "{{ nginx_vhost.name }}"
+ x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2
index 5c7576e7..434fa679 100644
--- a/roles/nginx/vhost/templates/generic.conf.j2
+++ b/roles/nginx/vhost/templates/generic.conf.j2
@@ -3,9 +3,11 @@ server {
listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
server_name {{ nginx_vhost.hostnames | join(' ') }};
-{% if 'acme' in nginx_vhost and nginx_vhost.acme %}
+{% if 'tls' in nginx_vhost %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}
include snippets/acmetool.conf;
+{% endif %}
location / {
return 301 https://$host$request_uri;
}
@@ -16,11 +18,15 @@ server {
listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
server_name {{ nginx_vhost.hostnames | join(' ') }};
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}
include snippets/acmetool.conf;
- include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf;
+{% endif %}
+ include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
ssl_certificate {{ x509_certificate_path_fullchain }};
ssl_certificate_key {{ x509_certificate_path_key }};
+{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
include snippets/hsts.conf;
+{% endif %}
{% endif %}
{% if 'extra_directives' in nginx_vhost %}
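Review bot: The `include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;` line silently changes the TLS policy of any existing vhost that still sets the old top-level `nginx_vhost.tls_variant` key: the key is no longer read, so such a host falls back to the default `snippets/tls.conf` without any error, which is the kind of regression a WIP rename should fail loudly on. A one-line guard in the tasks file, such as an `assert` with `that: "'tls_variant' not in nginx_vhost"` and a `fail_msg` pointing at `nginx_vhost.tls.variant`, would catch stale definitions during the transition. The `{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}` check added in this hunk dereferences `nginx_vhost.tls` unconditionally, which is only safe if the enclosing block is wrapped in the `'tls' in nginx_vhost` test that the `{% endif %}` near the end of the hunk presumably closes; that opening tag and the start of the `server` block are outside the hunk, so please confirm.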