diff --git a/filter_plugins/nginx.py b/filter_plugins/nginx.py
index 45d103c..837c360 100644
--- a/filter_plugins/nginx.py
+++ b/filter_plugins/nginx.py
@@ -10,11 +10,29 @@ def nginx_site_name(site):
 else:
 return site['name']
+def nginx_ssl_dir(pair, ssl_dir):
+ return ssl_dir + '/' + nginx_site_filename(pair)
+
+def nginx_key_path(pair, ssl_dir):
+ if pair.has_key('dest_key'):
+ return pair['dest_key']
+ else:
+ return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.key'
+
+def nginx_cert_path(pair, ssl_dir):
+ if pair.has_key('dest_cert'):
+ return pair['dest_cert']
+ else:
+ return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.crt'
+
 class FilterModule(object):
 ''' Nginx module '''
 def filters(self):
 return {
 'nginx_site_filename': nginx_site_filename,
- 'nginx_site_name': nginx_site_name
+ 'nginx_site_name': nginx_site_name,
+ 'nginx_ssl_dir': nginx_ssl_dir,
+ 'nginx_key_path': nginx_key_path,
+ 'nginx_cert_path': nginx_cert_path
 }
diff --git a/meta/main.yml b/meta/main.yml
index 23d04cb..6df101c 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -26,4 +26,3 @@ galaxy_info:
 - nginx
 - cdn
 dependencies: []
-
diff --git a/tasks/install_Debian.yml b/tasks/install_Debian.yml
index d52fe53..96bb246 100644
--- a/tasks/install_Debian.yml
+++ b/tasks/install_Debian.yml
@@ -11,17 +11,9 @@
 cache_valid_time: 3600
 changed_when: false
-- name: APT | Force OpenSSL from backports (fix dependency break)
- apt:
- pkg: openssl
- state: latest
- default_release: "{{ ansible_distribution_release + '-backports' }}"
- when: nginx_backports
-
 - name: APT | Install nginx and dependencies
 apt:
 pkg: "{{ nginx_apt_package }}"
- state: present
 default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
 - name: APT | Install nginx modules
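Review bot: `pair.has_key('dest_key')` in nginx_key_path and `pair.has_key('dest_cert')` in nginx_cert_path use a dict method that only exists on Python 2, so both filters raise AttributeError as soon as Ansible runs under a Python 3 interpreter; `if 'dest_key' in pair:` and `if 'dest_cert' in pair:` behave the same on both. Registering the filter under the name `nginx_ssl_dir`, the same name as the variable it takes as its argument, makes every call site read `item | nginx_ssl_dir(nginx_ssl_dir)`; a distinct name such as `nginx_ssl_site_dir` would be clearer. A one-line docstring on each new filter stating that dest_key/dest_cert, when present, override the derived path would also help. nginx_site_filename, which all three new functions call, is defined above the hunk.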
@@ -50,9 +42,10 @@
 repo: 'https://github.com/Neilpang/acme.sh.git'
 dest: '{{ nginx_acmesh_git_dir }}'
 update: no
+ version: master
- - name: SHELL | Install acme.sh
- shell: ./acme.sh --install --home "{{ nginx_acmesh_dir }}"
+ - name: COMMAND | Install acme.sh
+ command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}"
 args:
 chdir: "{{ nginx_acmesh_git_dir }}"
 creates: "{{ nginx_acmesh_dir }}"
diff --git a/tasks/prepare.yml b/tasks/prepare.yml
index 010e566..ec94cc1 100644
--- a/tasks/prepare.yml
+++ b/tasks/prepare.yml
@@ -7,14 +7,24 @@
 register: nginx_version
 changed_when: false
 check_mode: no
+ tags:
+ - skip_ansible_lint
 - name: SHELL | Get module list
- shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module//g; s/\s+//g' | sort
+ shell: |
+ nginx -V 2>&1 |
+ tr -- - '\n' |
+ grep -A 1 with |
+ grep _module |
+ sed -r 's/_module//g; s/\s+//g' |
+ sort
 args:
 executable: /bin/sh
 register: shell_modules
 changed_when: false
 check_mode: no
+ tags:
+ - skip_ansible_lint
 - name: SET_FACT | Save modules
 set_fact:
diff --git a/tasks/site.yml b/tasks/site.yml
index 9529ce3..eb7d4d0 100644
--- a/tasks/site.yml
+++ b/tasks/site.yml
@@ -75,7 +75,7 @@
 - name: FILE | Disable sites
 file:
- path: "{{ nginx_etc_dir}}/sites-enabled/{{ item | nginx_site_filename }}"
+ path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
 state: absent
 loop: "{{ nginx_sites }}"
 notify: ['reload nginx', 'restart nginx freebsd']
diff --git a/tasks/ssl/acme.yml b/tasks/ssl/acme.yml
index 9605d94..a57b896 100644
--- a/tasks/ssl/acme.yml
+++ b/tasks/ssl/acme.yml
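Review bot: `version: master` on the acme.sh checkout does not pin anything: master is a moving branch of a third-party repository, and the next task installs and runs whatever it contains (`./acme.sh --install`) on the target host, presumably with elevated privileges since it later manages nginx certificates; combined with `update: no`, the code that ends up installed is simply whatever master pointed at on the first run. Pinning to a release tag or commit, e.g. `version: "<release tag or commit SHA>"`, makes the install reproducible and gives a concrete revision to review. The git task itself starts above the hunk, so only its `repo:`, `dest:` and `update:` parameters are visible here.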
@@ -46,8 +46,13 @@
 warn: false
 when: fake_site.changed and ansible_virtualization_type == 'docker'
- - name: SHELL | Get certificates
- shell: '{{ nginx_acmesh_bin }} --home {{ nginx_acmesh_dir }} --issue{% if item.name is string %} -d {{ item.name }}{% else %}{% for name in item.name %} -d {{ name }}{% endfor %}{% endif %} --nginx {% if nginx_acmesh_test %}--test{% endif %}'
+ - name: COMMAND | Get certificates
+ command: |
+ {{ nginx_acmesh_bin }}
+ --home {{ nginx_acmesh_dir }}
+ --issue{% if item.name is string %} -d {{ item.name }}{% else %}{% for name in item.name %} -d {{ name }}{% endfor %}{% endif %}
+ --nginx
+ {% if nginx_acmesh_test %}--test{% endif %}
 args:
 creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
 loop: "{{ acme_create }}"
@@ -60,8 +65,14 @@
 path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
 loop: "{{ acme_create }}"
- - name: SHELL | Install certificates
- shell: '{{ nginx_acmesh_bin }} --home {{ nginx_acmesh_dir }} --install-cert -d {{ item | nginx_site_name }} --fullchain-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt --key-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key --reloadcmd "service nginx restart"'
+ - name: COMMAND | Install certificates
+ command: |
+ {{ nginx_acmesh_bin }}
+ --home {{ nginx_acmesh_dir }}
+ --install-cert -d {{ item | nginx_site_name }}
+ --fullchain-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt
+ --key-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key
+ --reloadcmd "service nginx restart"
 args:
 creates: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
 loop: "{{ nginx_ssl_pairs }}"
diff --git a/tasks/ssl/standard.yml b/tasks/ssl/standard.yml
index af797c0..e02c0c7 100644
--- a/tasks/ssl/standard.yml
+++ b/tasks/ssl/standard.yml
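Review bot: The `--fullchain-file`, `--key-file` and `creates:` arguments of the Install certificates task still build `{{ nginx_ssl_dir }}/<site>/<site>.crt|.key` by hand, while the same commit introduces nginx_cert_path/nginx_key_path so that standard.yml and the nginx site template honour a pair's `dest_cert`/`dest_key`; this task loops over the same `nginx_ssl_pairs`, so a pair that sets dest_key would get its ACME key installed at the default location while the rendered `ssl_certificate_key` points at dest_key. If dest_* is meant to apply to ACME pairs, use `--fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }}` and `--key-file {{ item | nginx_key_path(nginx_ssl_dir) }}` and derive `creates:` the same way; if not, a short comment on the task saying that ACME pairs ignore dest_* would stop the mismatch being reported as a bug. The Get certificates hunk above uses the same hand-built layout in its `creates:`. The list these tasks belong to starts above the hunk.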
@@ -30,7 +30,7 @@
 - name: FILE | Create SSL directories
 file:
- path: "{{ nginx_ssl_dir + '/' + item | nginx_site_name }}"
+ path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
 state: directory
 loop: "{{ nginx_ssl_pairs }}"
 when: item.dest_key is not defined or item.dest_cert is not defined
@@ -39,7 +39,7 @@
 - name: COPY | Deploy SSL keys
 copy:
 content: "{{ item.key }}"
- dest: "{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.key' if item.dest_key is not defined else item.dest_key }}"
+ dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
 mode: 0640
 loop: "{{ nginx_ssl_pairs }}"
 when: item.key is defined
@@ -49,7 +49,7 @@
 - name: COPY | Deploy SSL certs
 copy:
 content: "{{ item.cert }}"
- dest: "{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+ dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
 mode: 0644
 loop: "{{ nginx_ssl_pairs }}"
 when: item.cert is defined
@@ -57,10 +57,15 @@
 no_log: not nginx_debug_role
 - name: COMMAND | Create self-signed certificates
- command: "openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -subj '/CN={{ item | nginx_site_name }}' -keyout {{ item | nginx_site_name + '.key' }} -out {{ item | nginx_site_name + '.crt' }}"
+ command: |
+ openssl req
+ -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
+ -subj '/CN={{ item | nginx_site_name }}'
+ -keyout {{ item | nginx_key_path(nginx_ssl_dir) }}
+ -out {{ item | nginx_cert_path(nginx_ssl_dir) }}
 args:
- chdir: "{{ nginx_ssl_dir + '/' + item | nginx_site_name }}"
- creates: "{% if item.force is defined and item.force %}/tmp/dummy{% else %}{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.crt' }}{% endif %}"
+ chdir: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
+ creates: "{{ '/tmp/dummy' if item.force is defined and item.force else item | nginx_cert_path(nginx_ssl_dir) }}"
 loop: "{{ nginx_ssl_pairs }}"
 when: item.self_signed is defined
 notify: restart nginx
diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2
index 4c9a5f2..6e435cf 100644
--- a/templates/etc/nginx/sites-available/_base.j2
+++ b/templates/etc/nginx/sites-available/_base.j2
@@ -41,8 +41,8 @@
 {%- endmacro %}
 {% macro ssl(ssl_name) %}
 {% for sn in nginx_ssl_pairs if ((sn.name is string and sn.name == ssl_name) or (sn.name.0 == ssl_name)) %}
- ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }};
- ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
+ ssl_certificate {{ sn | nginx_cert_path(nginx_ssl_dir) }};
+ ssl_certificate_key {{ sn | nginx_key_path(nginx_ssl_dir) }};
 {% endfor %}
 {%- endmacro %}
 {% macro httpsredirect(name) %}
diff --git a/tests/test.yml b/tests/test.yml
index 48688ff..5ae3363 100644
--- a/tests/test.yml
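Review bot: `creates: "{{ '/tmp/dummy' if item.force is defined and item.force else ... }}"` relies on a path in a world-writable directory never existing in order to force regeneration, so any process or user that happens to create /tmp/dummy silently disables `force`; `creates: "{{ omit if (item.force is defined and item.force) else item | nginx_cert_path(nginx_ssl_dir) }}"` states the intent without a sentinel file. Since `-keyout` and `-out` now receive absolute paths from the new filters, `chdir:` no longer influences where the files land and can be dropped. The COPY task in the previous hunks sets `mode: 0640` on deployed keys, whereas the mode of the key generated here is left to the OpenSSL version and the umask; a follow-up `file:` task applying `mode: 0640` to `{{ item | nginx_key_path(nginx_ssl_dir) }}` would keep self-signed and deployed keys consistent.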
+++ b/tests/test.yml
@@ -23,10 +23,20 @@
 src: "file/test.key"
 dest: "{{ int_ansible_ssl_dir }}/test.key"
- - name: LINEINFILE | Add all hosts in /etc/hosts
- lineinfile:
- line: "127.0.0.1\tlocalhost {% for s in nginx_sites %}{% if s.name is string %}{{ s.name }}{% else %}{% for n in s.name %}{{ n }} {% endfor %}{% endif %} {% if s.redirect_from is defined %}{% for rf in s.redirect_from %}{{ rf }} {% endfor %}{% endif %}{% endfor %}"
- regexp: '^127\.0\.0\.1'
+ - name: COPY | Add all hosts in /etc/hosts
+ copy:
+ content: |
+ 127.0.0.1 localhost
+ {% for s in nginx_sites %}
+ {% if s.name is string %}
+ 127.0.0.1 {{ s.name }}
+ {% else %}
+ 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %}
+ {% endif %}
+ {% if s.redirect_from is defined %}
+ 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %}
+ {% endif %}
+ {% endfor %}
 dest: "/etc/hosts"
 unsafe_writes: yes
@@ -355,7 +365,7 @@
 # --------------------------------
 - name: -- VERIFY PHP SITES --
 uri:
- url: "http://{{ item.name}}/"
+ url: "http://{{ item.name }}/"
 return_content: yes
 register: p
 loop: "{{ nginx_sites }}"
@@ -510,3 +520,5 @@
 executable: /bin/sh
 changed_when: false
 when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules
+ tags:
+ - skip_ansible_lint
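Review bot: Writing /etc/hosts with `copy: content:` replaces the whole file, so the entries the previous lineinfile task left intact — the `::1` loopback line and any hostname mapping the container runtime may have written — are gone, which can surface as hostname-resolution warnings from sudo and similar tools during the test run. If that is acceptable for a throwaway test container, a comment on the task saying so would help; otherwise `blockinfile:` with a marker appends the site entries without discarding the existing lines. Whether the `{% for %}`/`{% if %}` lines leave empty lines in the rendered file depends on how Ansible applies trim_blocks to inline templates, so the rendered result is worth checking once. The copy task with `src: "file/test.key"` above begins outside the hunk.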