From 642aa37a60f0df627d3cfadc9c6b407640feefa2 Mon Sep 17 00:00:00 2001 From: Raoul Date: Wed, 23 Dec 2020 03:49:11 +0100 Subject: [PATCH] Extend per-site snippet handling to tls, certificates and logging --- defaults/main.yml | 11 ++- files/nginx/sites-available/default_http.j2 | 5 +- files/nginx/sites-available/default_tls.j2 | 2 +- .../http_plain_redirect.conf.j2 | 2 + files/nginx/snippets/logging.snippet.conf | 4 ++ .../snippets/tls_certificate.snippet.conf | 2 + ...ippet.conf => tls_parameters.snippet.conf} | 5 +- tasks/single_site.yml | 67 ++++++++++++------- 8 files changed, 66 insertions(+), 32 deletions(-) create mode 100644 files/nginx/snippets/logging.snippet.conf create mode 100644 files/nginx/snippets/tls_certificate.snippet.conf rename files/nginx/snippets/{tls_settings.snippet.conf => tls_parameters.snippet.conf} (61%) diff --git a/defaults/main.yml b/defaults/main.yml index 8f7a222..d61e9c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,13 +7,18 @@ nginx_sites: {} # altnames: # - 'www.example.org' # - 'ftp.example.org' -# robots: 'robots_allow_all.txt' Optional -# htaccess: 'htpasswd.example.org' Optional +# robots: 'robots_allow_all.txt' Optional, unimplemented +# htaccess: 'htpasswd.example.org' Optional, unimplemented +# webroot: Optional, for use with 'webhost' role +# path Optional, for use with 'webhost' role +# user Optional, for use with 'webhost' role +# group Optional, for use with 'webhost' role +# mode Optional, for use with 'webhost' role snippet_files: - 'acmetool.snippet.conf' - - 'tls_settings.snippet.conf' + - 'tls_parameters.snippet.conf' #default_robots_file: 'robots_disallow_all.txt' diff --git a/files/nginx/sites-available/default_http.j2 b/files/nginx/sites-available/default_http.j2 index 2299a02..5509087 100644 --- a/files/nginx/sites-available/default_http.j2 +++ b/files/nginx/sites-available/default_http.j2 
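Review bot: The `htaccess` and `robots` keys are now documented as "Optional, unimplemented", but nothing warns an operator that a configured `htaccess:` leaves the site with no authentication at all; the comment should say so, e.g. `# htaccess: 'htpasswd.example.org' Optional, UNIMPLEMENTED: setting it does NOT protect the site yet`. Consider also failing or warning in tasks/single_site.yml when either key is set, so the mismatch is caught at deploy time rather than after exposure; that check is not visible in this patch. The five webhost-role keys (`webroot`, `path`, `user`, `group`, `mode`) are listed without a value or example, unlike `altnames` above — a one-line example per key would make the contract usable.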
@@ -2,9 +2,12 @@ server { listen 80 default_server; listen [::]:80 default_server; + access_log /var/log/nginx/log_{{ inventory_hostname }}.access.log; + error_log /var/log/nginx/log_{{ inventory_hostname }}.error.log; + include snippets/acmetool.snippet.conf; location ^~ / { - return 308 https://{{ inventory_hostname }}$request_uri; + return 403; } } diff --git a/files/nginx/sites-available/default_tls.j2 b/files/nginx/sites-available/default_tls.j2 index 8416ff4..6f80d83 100644 --- a/files/nginx/sites-available/default_tls.j2 +++ b/files/nginx/sites-available/default_tls.j2 @@ -2,7 +2,7 @@ server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; - include snippets/tls_settings.snippet.conf; + include snippets/tls_parameters.snippet.conf; ssl_certificate /var/lib/acme/live/{{ inventory_hostname }}/fullchain; ssl_certificate_key /var/lib/acme/live/{{ inventory_hostname }}/privkey; diff --git a/files/nginx/sites-available/http_plain_redirect.conf.j2 b/files/nginx/sites-available/http_plain_redirect.conf.j2 index 71eca6f..9093f43 100644 --- a/files/nginx/sites-available/http_plain_redirect.conf.j2 +++ b/files/nginx/sites-available/http_plain_redirect.conf.j2 @@ -4,6 +4,8 @@ server { server_name {{ site.name }}; + include snippets/logging_{{ site.name }}.snippet.conf; + include snippets/acmetool.snippet.conf; location ^~ / { diff --git a/files/nginx/snippets/logging.snippet.conf b/files/nginx/snippets/logging.snippet.conf new file mode 100644 index 0000000..18af9a6 --- /dev/null +++ b/files/nginx/snippets/logging.snippet.conf @@ -0,0 +1,4 @@ +error_log /var/log/nginx/log_{{ site.name }}.error.log; + +#access_log /var/log/nginx/log_{{ site.name }}.access.log; +access_log off; diff --git a/files/nginx/snippets/tls_certificate.snippet.conf b/files/nginx/snippets/tls_certificate.snippet.conf new file mode 100644 index 0000000..901eeca --- /dev/null +++ b/files/nginx/snippets/tls_certificate.snippet.conf 
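Review bot: The catch-all server now answers `return 403` instead of the previous 308 to `https://{{ inventory_hostname }}`, a deliberate hardening (unknown `Host` values are refused rather than redirected to the canonical name) that the commit message does not mention and the template does not explain. Suggest `# default_server: refuse requests for unknown Host headers; named sites redirect via http_plain_redirect.conf.j2` above the `location` block. `return 444;` would close the connection without a response, but 403 leaves a record in the new per-host access log, which is the better choice for detection. The acmetool include is kept, so HTTP-01 challenges for the host itself should still work, assuming that snippet declares a more specific prefix location than `^~ /` — worth confirming.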
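Review bot: `access_log off;` as the per-site default in logging.snippet.conf removes the request-level evidence (source IP, path, status, user agent) that incident response and detection rules rely on, and the redirect and ACME challenge traffic of every site goes unrecorded as well; only the error log survives. Prefer keeping the commented line active, `access_log /var/log/nginx/log_{{ site.name }}.access.log;`, and make suppression an explicit per-site opt-in such as `{% if site.access_log is defined and not site.access_log %}access_log off;{% endif %}` — that variable name is a proposal, nothing in the role defines it yet. Separately, `site.name` is interpolated unescaped into a filesystem path here and into `server_name` in http_plain_redirect.conf.j2; it is operator-controlled inventory data, but a value containing `/`, `..` or `;` would place logs outside `/var/log/nginx` or inject directives, so validating it once against a hostname pattern in tasks/single_site.yml is cheap insurance.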
@@ -0,0 +1,2 @@ +ssl_certificate /var/lib/acme/live/{{ site.name }}/fullchain; +ssl_certificate_key /var/lib/acme/live/{{ site.name }}/privkey; diff --git a/files/nginx/snippets/tls_settings.snippet.conf b/files/nginx/snippets/tls_parameters.snippet.conf similarity index 61% rename from files/nginx/snippets/tls_settings.snippet.conf rename to files/nginx/snippets/tls_parameters.snippet.conf index 23326fc..b435d6b 100644 --- a/files/nginx/snippets/tls_settings.snippet.conf +++ b/files/nginx/snippets/tls_parameters.snippet.conf @@ -1,6 +1,9 @@ ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; + #ssl_stapling on; #ssl_stapling_verify on; -#resolver 8.8.8.8 8.8.4.4 valid=300s; +#resolver 8.8.8.8 1.1.1.1 valid=300s; #resolver_timeout 3s; + +#ssl_dhparam /etc/ssl/private/site.dh; diff --git a/tasks/single_site.yml b/tasks/single_site.yml index 844e780..e2046a3 100644 --- a/tasks/single_site.yml +++ b/tasks/single_site.yml 
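Review bot: Both paths in tls_certificate.snippet.conf point at `/var/lib/acme/live/{{ site.name }}/`, and the task that templates it notifies `Reload nginx`; on a first run, before acmetool has issued the certificate, `nginx -t` fails on the missing `privkey` and the reload — and with it every other pending config change — is rejected. A header comment should state the dependency: `# Paths are managed by acmetool; live/<site.name> must exist before nginx is reloaded`. Whether the role orders acmetool issuance ahead of this task is not visible in this patch — worth confirming, or guarding the reload with a `stat` on the key path.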
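Review bot: tls_parameters.snippet.conf sets `ssl_prefer_server_ciphers on;` but never sets `ssl_ciphers`, so the server "prefers" whatever the distro OpenSSL default list is, which on most builds still includes non-forward-secret RSA key exchange and CBC suites for TLS 1.2. Add an explicit ECDHE/AEAD-only list, e.g. `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`, and `ssl_session_tickets off;` unless ticket keys are rotated, since a long-lived static ticket key undoes forward secrecy. The commented `resolver 8.8.8.8 1.1.1.1` line would, once stapling is enabled, send every OCSP lookup to public resolvers over plaintext UDP; a note recommending the host's local resolver would stop it being uncommented as-is. `ssl_dhparam` staying commented is fine given an ECDHE-only list; if it is ever enabled, the file must be at least 2048 bits.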
@@ -34,34 +34,49 @@ - sites -#- name: Create '{{ site.name }}' site tls parameter configuration -# template: -# src: 'files/nginx/snippets/tls_certificate.snippet.conf' -# dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf' -# owner: root -# group: root -# mode: 'u=rw,g=r,o=r' -# notify: -# - Reload nginx -# tags: -# - configuration -# - nginx -# - sites +- name: Create '{{ site.name }}' site tls parameter configuration + template: + src: 'files/nginx/snippets/tls_parameters.snippet.conf' + dest: '/etc/nginx/snippets/tls_parameters_{{ site.name }}.snippet.conf' + owner: root + group: root + mode: 'u=rw,g=r,o=r' + notify: + - Reload nginx + tags: + - configuration + - nginx + - sites -#- name: Create '{{ site.name }}' site logging configuration -# template: -# src: 'files/nginx/snippets/logging.snippet.conf' -# dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf' -# owner: root -# group: root -# mode: 'u=rw,g=r,o=r' -# notify: -# - Reload nginx -# tags: -# - configuration -# - nginx -# - sites +- name: Create '{{ site.name }}' site tls certificate configuration + template: + src: 'files/nginx/snippets/tls_certificate.snippet.conf' + dest: '/etc/nginx/snippets/tls_certificate_{{ site.name }}.snippet.conf' + owner: root + group: root + mode: 'u=rw,g=r,o=r' + notify: + - Reload nginx + tags: + - configuration + - nginx + - sites + + +- name: Create '{{ site.name }}' site logging configuration + template: + src: 'files/nginx/snippets/logging.snippet.conf' + dest: '/etc/nginx/snippets/logging_{{ site.name }}.snippet.conf' + owner: root + group: root + mode: 'u=rw,g=r,o=r' + notify: + - Reload nginx + tags: + - configuration + - nginx + - sites #- name: Copy additional per site '{{ site.name }}' snippet files
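Review bot: All three new `template` tasks build `dest` from `{{ site.name }}` with no validation, so a site entry whose name contains `/` or `..` (an inventory typo or a tampered vars file) templates root-owned files outside `/etc/nginx/snippets/`; the same value also reaches `server_name` and the log paths. Add a guard before the tasks: `- assert:` / `that: site.name is match('^[A-Za-z0-9.-]+$')` / `fail_msg: "site.name must be a plain hostname"`. The three tasks differ only in the snippet name, so one task with `loop: ['tls_parameters', 'tls_certificate', 'logging']` and `src: 'files/nginx/snippets/{{ item }}.snippet.conf'` would keep owner, mode and tags in step (the extra blank line before the logging task looks accidental). The file continues past this hunk — the commented "Copy additional per site snippet files" task is cut off — so whether any validation already happens earlier in single_site.yml is not visible here.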