From 2fe21d0638b8f83e9156be31979c55a67837dd26 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Wed, 9 Mar 2016 22:10:14 +0100
Subject: [PATCH] Add nginx role.

---
 roles/nginx/handlers/main.yml | 4 ++++
 roles/nginx/tasks/main.yml | 38 ++++++++++++++++++++++++++++++++
 roles/nginx/templates/default.j2 | 35 +++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 roles/nginx/handlers/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/templates/default.j2

diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..44975c4
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..1a18841
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Enable backports
+ apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
+ tags: nginx
+
+- name: Install nginx
+ apt: name=nginx default_release=jessie-backports state=present
+ tags: nginx
+
+- name: Create certificate directory
+ file: path=/etc/nginx/ssl state=directory mode=0750
+ tags: nginx
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
+ notify: Restart nginx
+ tags: nginx
+
+- name: Ensure correct certificate permissions
+ file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
+ notify: Restart nginx
+ tags: nginx
+
+- name: Create DH parameters
+ command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
+ with_items:
+ - /etc/nginx/dhparam.pem
+ tags: nginx
+
+- name: Configure nginx
+ template: src=default.j2 dest=/etc/nginx/sites-available/default
+ notify: Restart nginx
+ tags: nginx
+
+- name: Start nginx
+ service: name=nginx state=started enabled=yes
+ tags: nginx
diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2
new file mode 100644
index 0000000..2a85eed
--- /dev/null
+++ b/roles/nginx/templates/default.j2
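Review bot: In "Ensure certificates are available" the private key is written by `openssl req -keyout` with whatever mode the process umask yields, and it is only tightened to 0400 by the following task, so on a first run the key exists for a moment with default permissions (the 0750 directory shields it from other users, but not from anything in group root). Generating under a restrictive umask closes that window, e.g. `shell: umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt` — ansible_fqdn is a gathered host fact, so the move from `command` to `shell` is low-risk, but worth a comment. Separately, `creates=` keys only on the .crt: if the .key is missing while the .crt remains the task is skipped and nginx will then fail on `ssl_certificate_key`. The self-signed certificate carries only a CN and no subjectAltName, which current browsers reject; a comment stating it is a placeholder until an issued certificate lands in `/etc/nginx/ssl/` would make that intent explicit.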
@@ -0,0 +1,35 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ server_name_in_redirect on;
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /tmp/letsencrypt-auto;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name _;
+
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+}
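Review bot: `root /tmp/letsencrypt-auto;` under the ACME challenge location means any local user who creates that path in the world-writable /tmp can answer HTTP-01 challenges for this host, and /tmp is commonly cleared at boot; point it at a root-owned directory outside /tmp, e.g. `root /var/www/letsencrypt;`, and create it from the role with `file: path=/var/www/letsencrypt state=directory owner=root group=root mode=0755`. Nothing in this commit replaces the self-signed certificate the tasks generate, so the 443 server keeps serving `{{ ansible_fqdn }}.crt` until something outside this role swaps it, and `ssl_stapling_verify on;` will only produce warnings against it since there is no OCSP responder; a comment on the `ssl_certificate` lines naming where the issued certificate is expected would help. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the `DES-CBC3-SHA` suites in `ssl_ciphers` enable protocol versions and a cipher since deprecated (RFC 8996, Sweet32); `ssl_protocols TLSv1.2;` and dropping the 3DES entries is the current baseline. The HTTPS server also sends no `Strict-Transport-Security` header, so the redirect on port 80 is the only thing keeping clients on TLS.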