Initial checkin

defaults/main.yml

@@ -0,0 +1,19 @@
+---
+
+nginx_sites: {}
+
+#nginx_sites:
+#  - name: 'example.org'
+#    altnames:
+#      - 'www.example.org'
+#      - 'ftp.example.org'
+#    robots: 'robots_allow_all.txt'         Optional
+#    htaccess: 'htpasswd.example.org'       Optional
+
+
+snippet_files:
+  - 'acmetool.snippet.conf'
+  - 'tls_settings.snippet.conf'
+
+
+#default_robots_file: 'robots_disallow_all.txt'

files/acmetool/enable_tls.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euf -o pipefail
+
+IFS=$'\n'
+
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+while read -r host; do
+    if [[ -e "/etc/nginx/sites-available/${host}_tls" ]]; then
+        echo "Enabling tls site for ${host}"
+        ln -s -f "/etc/nginx/sites-available/${host}_tls" "/etc/nginx/sites-enabled/${host}_tls"
+    fi
+done
+
+exit 0

files/nginx/nginx.conf

@@ -0,0 +1,29 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+include /usr/share/nginx/modules/*.conf;
+
+
+events {
+        worker_connections 1024;
+}
+
+
+http {
+        access_log /var/log/nginx/access.log;
+
+        sendfile            on;
+        tcp_nopush          on;
+        tcp_nodelay         on;
+        keepalive_timeout   65;
+        types_hash_max_size 2048;
+        server_tokens off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}

files/nginx/sites-available/default_http.j2

@@ -0,0 +1,10 @@
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        include snippets/acmetool.snippet.conf;
+
+        location ^~ / {
+                return 308 https://{{ inventory_hostname }}$request_uri;
+        }
+}

files/nginx/sites-available/default_tls.j2

@@ -0,0 +1,16 @@
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        include snippets/tls_settings.snippet.conf;
+
+        ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain;
+        ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey;
+
+        access_log /var/log/nginx/log_{{ inventory_hostname }}.access.log;
+        error_log /var/log/nginx/log_{{ inventory_hostname }}.error.log;
+
+        location ^~ / {
+                return 403;
+        }
+}

files/nginx/sites-available/http_plain_redirect.conf.j2

@@ -0,0 +1,12 @@
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name {{ site.name }};
+
+        include snippets/acmetool.snippet.conf;
+
+        location ^~ / {
+                return 308 https://{{ site.name }}$request_uri;
+        }
+}

files/nginx/snippets/acmetool.snippet.conf

@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+        alias /run/acme/acme-challenge/;
+        auth_basic "off";
+}

files/nginx/snippets/tls_settings.snippet.conf

@@ -0,0 +1,6 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+#ssl_stapling on;
+#ssl_stapling_verify on;
+#resolver 8.8.8.8 8.8.4.4 valid=300s;
+#resolver_timeout 3s;

handlers/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Restart nginx
+  systemd:
+    name: 'nginx.service'
+    daemon_reload: yes
+    state: restarted
+
+
+- name: Reload nginx
+  systemd:
+    name: 'nginx.service'
+    daemon_reload: yes
+    state: reloaded

tasks/acme.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Copy shell script to enable tls sites
+  copy:
+    src: 'files/acmetool/enable_tls.sh'
+    dest: '/etc/acme/hooks/enable_tls.sh'
+    owner: root
+    group: root
+    mode: 'u=rx,g=r,o='
+  tags:
+    - configuration
+    - acme
+
+
+- name: Get certificate for default server
+  command: acmetool want '{{ inventory_hostname }}'
+  args:
+    creates: '/var/lib/acme/live/{{ inventory_hostname }}'
+  tags:
+    - configuration
+    - acme
+    - certificates
+    - operation
+
+
+- name: Get certificates for all configured sites
+  #command: acmetool want '{{ site.name }}' '{{ site.altnames | default([]) | join(" ") }}'
+  command: acmetool want '{{ ([site.name] + (site.altnames | default([]) )) | join(" ") }}'
+  args:
+    creates: '/var/lib/acme/live/{{ site.name }}/'
+  with_items: '{{ nginx_sites }}'
+  loop_control:
+    loop_var: site
+  tags:
+    - configuration
+    - acme
+    - certificates
+    - operation

tasks/default_site.yml

@@ -0,0 +1,57 @@
+---
+
+- name: Create default site plain http configuration
+  template:
+    src: 'files/nginx/sites-available/default_http.j2'
+    dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Create default site tls https configuration
+  template:
+    src: 'files/nginx/sites-available/default_tls.j2'
+    dest: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Enable default site plain http configuration
+  file:
+    src: '/etc/nginx/sites-available/{{ inventory_hostname }}_http'
+    dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_http'
+    state: link
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+# Note: Done by acmetool after sucessfully obtaining a suitable certificate
+#- name: Enable default site configuration
+#  file:
+#    src: '/etc/nginx/sites-available/{{ inventory_hostname }}_tls'
+#    dest: '/etc/nginx/sites-enabled/{{ inventory_hostname }}_tls'
+#    state: link
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - sites

tasks/installation.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Install nginx
+  apt:
+    package:
+      - 'nginx'
+    state: latest
+    update_cache: yes
+    cache_valid_time: 43200
+  tags:
+    - installation

tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install nginx
+  include_tasks: installation.yml
+  tags:
+    - repository
+    - installation
+
+
+- name: Configure nginx
+  include_tasks: nginx.yml
+  tags:
+    - configuration
+    - nginx
+    - dhparam
+
+
+- name: Start nginx webserver
+  service:
+    name: nginx
+    state: started
+    enabled: yes
+  tags:
+    - operation
+    - nginx
+
+
+- name: Configure nginx default site
+  include_tasks: default_site.yml
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Configure nginx sites
+  include_tasks: single_site.yml
+  with_items: '{{ nginx_sites }}'
+  loop_control:
+    loop_var: site
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Configure acmetool and obtain certificates
+  include_tasks: acme.yml
+  tags:
+    - configuration
+    - acme

tasks/nginx.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Copy main nginx configuration file
+  copy:
+    src: 'nginx/nginx.conf'
+    dest: '/etc/nginx/'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+
+
+#- name: Create strong dhparams
+#  openssl_dhparam:
+#    path: '/etc/nginx/dhparam.pem'
+#    size: 4096
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - dhparam
+
+
+- name: Create 'sites-available' directory
+  file:
+    path: '/etc/nginx/sites-available'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Create 'sites-enabled' directory
+  file:
+    path: '/etc/nginx/sites-enabled'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Create 'snippets' directory
+  file:
+    path: '/etc/nginx/snippets'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - configuration
+    - nginx
+
+
+- name: Copy nginx snippet files
+  copy:
+    src: 'files/nginx/snippets/{{ item }}'
+    dest: '/etc/nginx/snippets/{{ item }}'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  with_items: '{{ snippet_files }}'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx

tasks/single_site.yml

@@ -0,0 +1,109 @@
+---
+# TODO: Implement site config template templates
+
+
+- name: Create '{{ site.name }}' site plain http configuration
+  template:
+    src:  'files/nginx/sites-available/http_plain_redirect.conf.j2'
+    dest: '/etc/nginx/sites-available/{{ site.name }}_http'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  #when: site.http_plain_template | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Create '{{ site.name }}' site tls https configuration
+  template:
+    src: 'files/nginx/sites/{{ site.name }}_tls.conf'
+    dest: '/etc/nginx/sites-available/{{ site.name }}_tls'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  #when: not site.redirect_target | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+#- name: Create '{{ site.name }}' site tls parameter configuration
+#  template:
+#    src: 'files/nginx/snippets/tls_certificate.snippet.conf'
+#    dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
+#    owner: root
+#    group: root
+#    mode: 'u=rw,g=r,o=r'
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - sites
+
+
+#- name: Create '{{ site.name }}' site logging configuration
+#  template:
+#    src: 'files/nginx/snippets/logging.snippet.conf'
+#    dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
+#    owner: root
+#    group: root
+#    mode: 'u=rw,g=r,o=r'
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - sites
+
+
+#- name: Copy additional per site '{{ site.name }}' snippet files
+#  template:
+#    src: 'files/nginx/snippets/{{ item }}'
+#    dest: '/etc/nginx/snippets/{{ item }}'
+#    owner: root
+#    group: root
+#    mode: 'u=rw,g=r,o=r'
+#  with_items: '{{ site.snippets }}'
+#  when: site.snippets | default([])
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - sites
+
+
+- name: Enable '{{ site.name }}' site plain http configuration
+  file:
+    src: '/etc/nginx/sites-available/{{ site.name }}_http'
+    dest: '/etc/nginx/sites-enabled/{{ site.name }}_http'
+    state: link
+  when: site.http_plain_template | default(True)
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+# Note: done by acmetool after sucessfully obtaining a suitable certificate
+#- name: Enable '{{ site.name }}' site tls configuration
+#  file:
+#    src: '/etc/nginx/sites-available/{{ site.name }}_tls'
+#    dest: '/etc/nginx/sites-enabled/{{ site.name }}_tls'
+#    state: link
+#  notify:
+#    - Reload nginx
+#  tags:
+#    - configuration
+#    - nginx
+#    - sites