Add nginx role.
This commit is contained in:
parent
42e928126d
commit
2fe21d0638
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
|
||||
- name: Enable backports
|
||||
apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
|
||||
tags: nginx
|
||||
|
||||
- name: Install nginx
|
||||
apt: name=nginx default_release=jessie-backports state=present
|
||||
tags: nginx
|
||||
|
||||
- name: Create certificate directory
|
||||
file: path=/etc/nginx/ssl state=directory mode=0750
|
||||
tags: nginx
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn}}.key -out /etc/nginx/ssl/{{ ansible_fqdn}}.crt -days 730 -subj "/CN={{ ansible_fqdn}}" creates=/etc/nginx/ssl/{{ ansible_fqdn}}.crt
|
||||
notify: Restart nginx
|
||||
tags: nginx
|
||||
|
||||
- name: Ensure correct certificate permissions
|
||||
file: path=/etc/nginx/ssl/{{ ansible_fqdn}}.key owner=root mode=0400
|
||||
notify: Restart nginx
|
||||
tags: nginx
|
||||
|
||||
- name: Create DH parameters
|
||||
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
|
||||
with_items:
|
||||
- /etc/nginx/dhparam.pem
|
||||
tags: nginx
|
||||
|
||||
- name: Configure nginx
|
||||
template: src=default.j2 dest=/etc/nginx/sites-available/default
|
||||
notify: Restart nginx
|
||||
tags: nginx
|
||||
|
||||
- name: Start nginx
|
||||
service: name=nginx state=started enabled=yes
|
||||
tags: nginx
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
server_name _;
|
||||
server_name_in_redirect on;
|
||||
|
||||
location '/.well-known/acme-challenge' {
|
||||
default_type "text/plain";
|
||||
root /tmp/letsencrypt-auto;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name _;
|
||||
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
}
|
||||
Loading…
Reference in New Issue