Extend per-site snippet handling to tls, certificates and logging

2024-08-16 16:19:48 +02:00 · 2020-12-23 03:49:11 +01:00 · 2020-12-23 03:49:11 +01:00 · 642aa37a60
commit 642aa37a60
parent 0b60a92826
8 changed files with 66 additions and 32 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -7,13 +7,18 @@ nginx_sites: {}
 #    altnames:
 #      - 'www.example.org'
 #      - 'ftp.example.org'
-#    robots: 'robots_allow_all.txt'         Optional
-#    htaccess: 'htpasswd.example.org'       Optional
+#    robots: 'robots_allow_all.txt'         Optional, unimplemented
+#    htaccess: 'htpasswd.example.org'       Optional, unimplemented
+#    webroot:                               Optional, for use with 'webhost' role
+#       path                                Optional, for use with 'webhost' role
+#       user                                Optional, for use with 'webhost' role
+#       group                               Optional, for use with 'webhost' role
+#       mode                                Optional, for use with 'webhost' role


 snippet_files:
  - 'acmetool.snippet.conf'
-  - 'tls_settings.snippet.conf'
+  - 'tls_parameters.snippet.conf'


 #default_robots_file: 'robots_disallow_all.txt'
--- a/files/nginx/sites-available/default_http.j2
+++ b/files/nginx/sites-available/default_http.j2
@ -2,9 +2,12 @@ server {
        listen 80 default_server;
        listen [::]:80 default_server;

+        access_log /var/log/nginx/log_{{ inventory_hostname }}.access.log;
+        error_log /var/log/nginx/log_{{ inventory_hostname }}.error.log;
+
        include snippets/acmetool.snippet.conf;

        location ^~ / {
-                return 308 https://{{ inventory_hostname }}$request_uri;
+                return 403;
        }
 }
--- a/files/nginx/sites-available/default_tls.j2
+++ b/files/nginx/sites-available/default_tls.j2
@ -2,7 +2,7 @@ server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

-        include snippets/tls_settings.snippet.conf;
+        include snippets/tls_parameters.snippet.conf;

        ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain;
        ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey;
--- a/files/nginx/sites-available/http_plain_redirect.conf.j2
+++ b/files/nginx/sites-available/http_plain_redirect.conf.j2
@ -4,6 +4,8 @@ server {

        server_name {{ site.name }};

+        include snippets/logging_{{ site.name }}.snippet.conf;
+
        include snippets/acmetool.snippet.conf;

        location ^~ / {
--- a/files/nginx/snippets/logging.snippet.conf
+++ b/files/nginx/snippets/logging.snippet.conf
@ -0,0 +1,4 @@
+error_log /var/log/nginx/log_{{ site.name }}.error.log;
+
+#access_log /var/log/nginx/log_{{ site.name }}.access.log;
+access_log off;
--- a/files/nginx/snippets/tls_certificate.snippet.conf
+++ b/files/nginx/snippets/tls_certificate.snippet.conf
@ -0,0 +1,2 @@
+ssl_certificate           /var/lib/acme/live/{{ site.name }}/fullchain;
+ssl_certificate_key       /var/lib/acme/live/{{ site.name }}/privkey;
--- a/files/nginx/snippets/tls_parameters.snippet.conf
+++ b/files/nginx/snippets/tls_parameters.snippet.conf
@ -1,6 +1,9 @@
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
+
 #ssl_stapling on;
 #ssl_stapling_verify on;
-#resolver 8.8.8.8 8.8.4.4 valid=300s;
+#resolver 8.8.8.8 1.1.1.1 valid=300s;
 #resolver_timeout 3s;
+
+#ssl_dhparam /etc/ssl/private/site.dh;
--- a/tasks/single_site.yml
+++ b/tasks/single_site.yml
@ -34,34 +34,49 @@
    - sites


-#- name: Create '{{ site.name }}' site tls parameter configuration
-#  template:
-#    src: 'files/nginx/snippets/tls_certificate.snippet.conf'
-#    dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
-#    owner: root
-#    group: root
-#    mode: 'u=rw,g=r,o=r'
-#  notify:
-#    - Reload nginx
-#  tags:
-#    - configuration
-#    - nginx
-#    - sites
+- name: Create '{{ site.name }}' site tls parameter configuration
+  template:
+    src: 'files/nginx/snippets/tls_parameters.snippet.conf'
+    dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites


-#- name: Create '{{ site.name }}' site logging configuration
-#  template:
-#    src: 'files/nginx/snippets/logging.snippet.conf'
-#    dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
-#    owner: root
-#    group: root
-#    mode: 'u=rw,g=r,o=r'
-#  notify:
-#    - Reload nginx
-#  tags:
-#    - configuration
-#    - nginx
-#    - sites
+- name: Create '{{ site.name }}' site tls certificate configuration
+  template:
+    src: 'files/nginx/snippets/tls_certificate.snippet.conf'
+    dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites
+
+
+- name: Create '{{ site.name }}' site logging configuration
+  template:
+    src: 'files/nginx/snippets/logging.snippet.conf'
+    dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - Reload nginx
+  tags:
+    - configuration
+    - nginx
+    - sites


 #- name: Copy additional per site '{{ site.name }}' snippet files