---
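- name: Generate DH if needed
  # Runs only when no DH parameter blob was supplied inline via nginx_dh;
  # the inline case is handled by the "Deploy DH file from vars" task.
  when: nginx_dh is not string
  block:
    - name: STAT | Get info about DH file
      ansible.builtin.stat:
        path: "{{ nginx_dh_path }}"
        # only existence is needed; skip hashing a potentially large file
        get_checksum: false
      register: stat_dh_file

    - name: SHELL | Get info about DH file
      # Extracts NNNN from the "DH Parameters: (NNNN bit)" line so that a file
      # of the wrong size is regenerated rather than silently kept.
      # NOTE(review): because of pipefail, a present-but-unparseable file makes
      # this task fail instead of triggering regeneration below; confirm that
      # failing loudly is the intended behaviour.
      ansible.builtin.shell: |
        set -o pipefail &&
        openssl dhparam -in "{{ nginx_dh_path }}" -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
      args:
        executable: /bin/bash
      changed_when: false
      register: dh_info
      when: stat_dh_file.stat.exists

    - name: COMMAND | Generate DH file # noqa: no-changed-when
      # No explicit mode is set on the output: DH group parameters are not
      # secret, so the umask-derived mode is acceptable. Generation can take
      # minutes for large sizes, hence the length check before regenerating.
      # (dh_info is only read when the file exists, as `or` short-circuits.)
      ansible.builtin.command: openssl dhparam -out "{{ nginx_dh_path }}" "{{ nginx_dh_length }}"
      when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
      notify: Restart nginx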
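- name: COPY | Deploy DH file from vars
  # Operator-supplied DH parameters (nginx_dh is a string) are written
  # verbatim; the generated-on-host path is the block above.
  ansible.builtin.copy:
    content: "{{ nginx_dh }}"
    dest: "{{ nginx_dh_path }}"
    owner: root
    group: root
    # quoted so the leading-zero literal is passed to Ansible as a string
    # and not parsed by YAML as an integer
    mode: "0640"
  when: nginx_dh is string
  notify: Restart nginx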
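- name: FILE | Create SSL directories
  # Per-site directory for pairs that use the role's own layout; skipped when
  # the pair supplies both dest_key and dest_cert explicitly.
  ansible.builtin.file:
    path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
    state: directory
    owner: root
    group: root
    # quoted so YAML does not parse the leading-zero literal as an integer
    mode: "0750"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.dest_key is not defined or item.dest_cert is not defined
  # loop items can carry private key material; keep them out of the log
  no_log: "{{ not nginx_debug_role }}"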
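- name: COPY | Deploy SSL keys
  # Writes an inline private key (item.key) to the role-computed key path.
  ansible.builtin.copy:
    content: "{{ item.key }}"
    dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
    owner: root
    group: root
    # private key: not world-readable; quoted to avoid YAML octal parsing
    mode: "0640"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.key is defined
  notify: Restart nginx
  # never echo key material into the play output
  no_log: "{{ not nginx_debug_role }}"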
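- name: COPY | Deploy SSL certs
  # Writes an inline certificate (item.cert) to the role-computed cert path.
  ansible.builtin.copy:
    content: "{{ item.cert }}"
    dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
    owner: root
    group: root
    # certificates are public; quoted to avoid YAML octal parsing
    mode: "0644"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.cert is defined
  notify: Restart nginx
  # the loop item may also hold item.key; keep it out of the log
  no_log: "{{ not nginx_debug_role }}"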
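- name: COMMAND | Create self-signed certificates
  # The command module does not invoke a shell: the argument string is split
  # shlex-style, so the quoted -subj value is not shell-interpolated.
  # -nodes writes the private key unencrypted; its file mode is whatever
  # openssl applies on the target.
  # NOTE(review): the key mode is not enforced by this role (the 0640 copy
  # task only covers inline keys) — confirm the target's openssl creates it
  # 0600, or add a file task to set it.
  ansible.builtin.command: |
    openssl req
    -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
    -subj '/CN={{ item | nginx_site_name }}'
    -keyout "{{ item | nginx_key_path(nginx_ssl_dir) }}"
    -out "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
  args:
    chdir: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
    # item.force: regenerate unconditionally by omitting `creates` entirely.
    # The earlier sentinel path (/tmp/dummy) could be pre-created by any local
    # user on a world-writable /tmp, which would turn a forced regeneration
    # into a silent no-op.
    creates: "{{ omit if (item.force | default(false)) else (item | nginx_cert_path(nginx_ssl_dir)) }}"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.self_signed is defined
  notify: Restart nginx
  # loop items may carry key material
  no_log: "{{ not nginx_debug_role }}"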