From bc98352d3e331003db625be96139b3c1f95f63b2 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 9 Aug 2023 14:38:23 +0200
Subject: nginx/vhost: major change in certifcate/tls handling (WIP)

---
 roles/nginx/vhost/defaults/main.yml | 8 ++++++--
 roles/nginx/vhost/tasks/main.yml | 21 +++++++++++----------
 roles/nginx/vhost/templates/generic.conf.j2 | 10 ++++++++--
 3 files changed, 25 insertions(+), 14 deletions(-)

(limited to 'roles/nginx')

diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
index b80a5442..5984e623 100644
--- a/roles/nginx/vhost/defaults/main.yml
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -3,7 +3,8 @@
 # default: yes
 # name: example
 # template: generic
-# acme: yes
+# tls:
+# certificate_provider: acmetool
 # hostnames:
 # - example.com
 # - www.example.com
@@ -26,7 +27,10 @@
 # nginx_vhost:
 # name: mixed-static-and-proxy
 # template: generic
-# acme: yes
+# tls:
+# variant: legacy
+# hsts: false
+# certificate_provider: acmetool
 # hostnames:
 # - static.example.com
 # extra_directives: |-
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 424c86a0..c5e68732 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,11 +1,12 @@
 ---
 - name: ensure certificate exists (fake it, until you make it)
- when: "'acme' in nginx_vhost and nginx_vhost.acme"
- import_role:
- name: x509/acmetool/cert/prepare
+ when: "'tls' in nginx_vhost"
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"
+ public: true
 vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_name: "{{ nginx_vhost.name }}"
+ x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
 
 - name: install nginx configs from template
 when: "'template' in nginx_vhost"
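Review bot: The second example now shows `variant: legacy`, `hsts: false` and `certificate_provider: acmetool` but says nothing about what each key accepts or what happens when it is omitted, and this commented block in `defaults/main.yml` is the only documentation of the new `tls` mapping. One trailing comment per key would cover it: `#     variant: legacy                  # selects snippets/tls-<variant>.conf; omit for snippets/tls.conf`, `#     hsts: false                      # omit the HSTS snippet for this vhost; on when not set`, `#     certificate_provider: acmetool   # picks the x509/<provider>/cert/* roles; acmetool is the only provider visible in this role`. It is worth stating next to `hsts: false` that the port-80 redirect to https in the generic template is not affected by this switch, since that is the likely misreading.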
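Review bot: `name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"` builds a role path from an unvalidated inventory value while the guard `when: "'tls' in nginx_vhost"` only checks that the `tls` key exists, so a vhost with `tls:` left empty or without `certificate_provider` dies with an undefined-variable error from inside the include, and an unexpected value silently selects some other role directory. An `assert` task in front of the include fails early with a readable message; the allowed list should mirror the `x509/<provider>/cert/{prepare,finalize}` roles that actually exist (only `acmetool` is referenced in this commit). `public: true` also deserves a one-line comment, because it is what exports the included role's `x509_certificate_path_fullchain`/`x509_certificate_path_key` to the template task that follows: `# public: export x509_certificate_path_* to the vhost template below`.
```yaml
- name: validate tls settings
  when: "'tls' in nginx_vhost"
  assert:
    that:
      - nginx_vhost.tls is mapping
      - "'certificate_provider' in nginx_vhost.tls"
      - nginx_vhost.tls.certificate_provider in ['acmetool']
    fail_msg: "nginx_vhost.tls.certificate_provider must be one of: acmetool"

# … unchanged: ensure certificate exists (fake it, until you make it) …
```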
@@ -31,14 +32,14 @@ notify: reload nginx - name: generate acme certificate - when: "'acme' in nginx_vhost and nginx_vhost.acme" + when: "'tls' in nginx_vhost" block: - name: make sure nginx config has been (re)loaded meta: flush_handlers - name: actually request the certificate - import_role: - name: x509/acmetool/cert/finalize + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize" vars: - acmetool_cert_name: "{{ nginx_vhost.name }}" - acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_name: "{{ nginx_vhost.name }}" + x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 index 5c7576e7..434fa679 100644 --- a/roles/nginx/vhost/templates/generic.conf.j2 +++ b/roles/nginx/vhost/templates/generic.conf.j2 @@ -3,9 +3,11 @@ server { listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; -{% if 'acme' in nginx_vhost and nginx_vhost.acme %} +{% if 'tls' in nginx_vhost %} +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; +{% endif %} location / { return 301 https://$host$request_uri; } 
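Review bot: The block is still named `generate acme certificate` and its inner task `actually request the certificate`, while the include below now dispatches on `nginx_vhost.tls.certificate_provider`, so the play output keeps saying "acme" whatever provider runs; `- name: generate certificate ({{ nginx_vhost.tls.certificate_provider }})` would make the output match what is executed. The `meta: flush_handlers` ahead of the finalize include is the whole reason the role is split into prepare/finalize — it makes the vhost config installed above (with the placeholder certificate from the prepare role) live before the real request — and that intent should be written down: `# reload nginx now so the freshly installed vhost (and any challenge snippet) is served before the provider requests the real certificate`. Unlike the prepare include in the first hunk this one has no `public: true`; that looks deliberate since nothing after it uses the finalize role's variables, but a short comment saying so would stop the asymmetry from being "fixed" later.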
@@ -16,11 +18,15 @@ server { listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; - include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf; +{% endif %} + include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; +{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %} include snippets/hsts.conf; +{% endif %} {% endif %} {% if 'extra_directives' in nginx_vhost %} -- cgit v1.2.3
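Review bot: The HSTS toggle `{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}` is default-on, which is the right way round, but nothing in the template says so or warns that switching it off only drops the header while the port-80 `return 301 https://$host$request_uri;` in the previous hunk stays; a Jinja comment above it would help: `{# HSTS is on unless tls.hsts is explicitly false; the http->https redirect is unaffected #}`. `include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;` interpolates the variant straight into an include path, which is only safe because a missing snippet should make nginx reject the config; restricting `variant` to the snippet names that exist (e.g. an `assert` in the role's tasks) would report a typo from Ansible instead of from a failed reload. The `{% endif %}` that this hunk closes belongs to the `{% if 'tls' in nginx_vhost %}` opened in the port-80 server block outside this hunk.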