Add nginx role.

2016-03-09 22:10:14 +01:00 · 2016-03-09 22:10:14 +01:00 · 2fe21d0638
commit 2fe21d0638
parent 42e928126d
3 changed files with 77 additions and 0 deletions
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,38 @@
+---
+
+- name: Enable backports
+  apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
+  tags: nginx
+
+- name: Install nginx
+  apt: name=nginx default_release=jessie-backports state=present
+  tags: nginx
+
+- name: Create certificate directory
+  file: path=/etc/nginx/ssl state=directory mode=0750
+  tags: nginx
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
+  notify: Restart nginx
+  tags: nginx
+
+- name: Ensure correct certificate permissions
+  file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
+  notify: Restart nginx
+  tags: nginx
+
+- name: Create DH parameters
+  command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
+  with_items:
+  - /etc/nginx/dhparam.pem
+  tags: nginx
+
+- name: Configure nginx
+  template: src=default.j2 dest=/etc/nginx/sites-available/default
+  notify: Restart nginx
+  tags: nginx
+
+- name: Start nginx
+  service: name=nginx state=started enabled=yes
+  tags: nginx
--- a/roles/nginx/templates/default.j2
+++ b/roles/nginx/templates/default.j2
@ -0,0 +1,35 @@
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	server_name _;
+	server_name_in_redirect on;
+
+	location '/.well-known/acme-challenge' {
+		default_type "text/plain";
+		root /tmp/letsencrypt-auto;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+    }
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name _;
+
+	ssl_dhparam /etc/nginx/dhparam.pem;
+
+	ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+	ssl_prefer_server_ciphers on;
+
+	ssl_stapling on;
+    ssl_stapling_verify on;
+}