From 1bcada7ffeeb553a3cc5aa7dbb730737cffe16e6 Mon Sep 17 00:00:00 2001
From: Geno
Date: Thu, 17 Sep 2020 00:16:19 +0000
Subject: [PATCH] roles: Add nginx (for debian)

---
 roles/nginx/defaults/main.yml | 2 ++
 roles/nginx/handlers/main.yml | 5 ++++
 roles/nginx/tasks/main.yml | 29 ++++++++++++++++++++++++
 roles/nginx/templates/default.nginx | 12 ++++++++++
 roles/nginx/templates/snippets-tls.nginx | 4 ++++
 5 files changed, 52 insertions(+)
 create mode 100644 roles/nginx/defaults/main.yml
 create mode 100644 roles/nginx/handlers/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/nginx/templates/default.nginx
 create mode 100644 roles/nginx/templates/snippets-tls.nginx
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..a38d704
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+#nginx_acme_mail: "" # required
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..cd1b328
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+ systemd:
+ state: reloaded
+ name: nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..faa88f2
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Install webserver
+ package:
+ state: latest
+ name:
+ - nginx
+ - dehydrated
+
+- name: acme mail
+ copy:
+ dest: "/etc/dehydrated/conf.d/mail"
+ content: "CONTACT_EMAIL={{ nginx_acme_mail }}"
+
+- name: get let's encrypt account
+ command: /usr/bin/dehydrated --register --accept-terms
+ args:
+ creates: /var/lib/dehydrated/accounts
+
+- name: nginx default config
+ notify: reload nginx
+ template:
+ src: default.nginx
+ dest: /etc/nginx/sites-available/default
+
+- name: nginx snippets for acme
+ notify: reload nginx
+ template:
+ src: snippets-tls.nginx
+ dest: /etc/nginx/snippets/tls-acme.conf
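Review bot: The `acme mail` task writes `nginx_acme_mail` unquoted into a file under `/etc/dehydrated/conf.d`, and dehydrated reads its configuration by sourcing it as shell, so a value containing spaces or shell metacharacters would be interpreted rather than stored. I would quote the value and terminate the line, `content: "CONTACT_EMAIL={{ nginx_acme_mail | quote }}\n"`, and set `mode: "0644"` explicitly on the copy. As far as I know dehydrated only picks up `*.sh` files from its conf.d directory, so it is worth confirming that a file named `mail` is read at all. Separately, `state: latest` in the install task means any run may upgrade nginx and dehydrated, and nothing in this hunk restarts the service afterwards.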
diff --git a/roles/nginx/templates/default.nginx b/roles/nginx/templates/default.nginx
new file mode 100644
index 0000000..61488dd
--- /dev/null
+++ b/roles/nginx/templates/default.nginx
@@ -0,0 +1,12 @@
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name _;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ include snippets/tls-acme.conf;
+}
diff --git a/roles/nginx/templates/snippets-tls.nginx b/roles/nginx/templates/snippets-tls.nginx
new file mode 100644
index 0000000..5b03991
--- /dev/null
+++ b/roles/nginx/templates/snippets-tls.nginx
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+ alias /var/lib/dehydrated/acme-challenges;
+ allow all;
+}
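Review bot: The redirect in `location /` builds its target from `$host`, which nginx takes from the request's Host header when one is sent, so the Location header reflects whatever name the client supplied. Where the served names are known, redirecting to a fixed name or listing them in `server_name` avoids that. For a true catch-all, mark the block explicitly with `listen 80 default_server;` and `listen [::]:80 default_server;`, since `server_name _` alone does not make a block the default. This commit adds no server on 443, so the redirect presumably relies on configuration outside this patch.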
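Review bot: `location /.well-known/acme-challenge` has no trailing slash, so it is a prefix match that also covers sibling paths such as `/.well-known/acme-challenge-old` (constructed example) and maps them next to the challenge directory through `alias`. Ending both with a slash keeps the mapping to the directory itself: `location ^~ /.well-known/acme-challenge/ {` with `alias /var/lib/dehydrated/acme-challenges/;`. `allow all;` has no effect unless an enclosing scope denies access, so a short comment saying why it is there would help the next reader.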