init

handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
+
+- name: dehydrated
+  command: /usr/bin/dehydrated -c

tasks/main.yml

@@ -0,0 +1,66 @@
+- name: Install
+  package:
+    name:
+    - nginx
+    - dehydrated
+
+- name: create folders
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+  - /srv/http/.well-known/acme-challenge
+  - /etc/nginx/sites.d
+  - /etc/nginx/snippets
+
+- name: templates
+  notify: reload nginx
+  template:
+    src: "{{ item.file }}"
+    dest: "/etc/nginx/{{ item.path }}"
+  with_items:
+  - file: nginx.conf
+    path: nginx.conf
+  - file: letsencrypt.nginx
+    path: snippets/letsencrypt.conf
+  - file: 00-tls-redirect.nginx
+    path: sites.d/00-tls-redirect.act
+
+- name: started
+  systemd:
+    name: nginx
+    state: started
+
+- name: config dehydrated
+  template:
+    src: dehydrated
+    dest: /etc/dehydrated/config
+
+- name: get let's encrypt account 
+  command: /usr/bin/dehydrated --register --accept-terms
+  args:
+    creates: /etc/dehydrated/accounts
+
+- name: get inventory_hostname cert
+  notify: dehydrated
+  lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ inventory_hostname }}"
+    create: yes
+
+- name: templates
+  notify: reload nginx
+  template:
+    src: "10-tls.nginx"
+    dest: "/etc/nginx/sites.d/10-tls.act"
+
+- name: enabled dehydrated
+  systemd:
+    name: dehydrated.timer
+    state: started
+    enabled: yes
+
+- name: enabled nginx
+  systemd:
+    name: nginx
+    enabled: yes

templates/00-tls-redirect.nginx

@@ -0,0 +1,12 @@
+server {
+	listen [::]:80;
+	listen 80;
+
+	server_name _;
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+
+	include snippets/letsencrypt.conf;
+}

templates/10-tls.nginx

@@ -0,0 +1,21 @@
+server {
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+
+	server_name {{ inventory_hostname }};
+
+	ssl_certificate /etc/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem;
+	ssl_certificate_key /etc/dehydrated/certs/{{ inventory_hostname }}/privkey.pem;
+
+	location / {
+		root   /usr/share/nginx/html;
+		index  index.html index.htm;
+	}
+
+	error_page   500 502 503 504  /50x.html;
+	location = /50x.html {
+		root   /usr/share/nginx/html;
+	}
+
+	include snippets/letsencrypt.conf;
+}

templates/dehydrated

@@ -0,0 +1,2 @@
+WELLKNOWN=/srv/http/.well-known/acme-challenge
+CONTACT_EMAIL={{ nginx_dehydrated_email  }}

templates/letsencrypt.nginx

@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+	alias /srv/http/.well-known/acme-challenge;
+	allow all;
+}

templates/nginx.conf

@@ -0,0 +1,49 @@
+#user html;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid	logs/nginx.pid;
+
+
+events {
+	worker_connections	1024;
+}
+
+
+http {
+	include		mime.types;
+	default_type	application/octet-stream;
+
+	types_hash_max_size 2048;
+	types_hash_bucket_size 128;
+	server_names_hash_bucket_size 128;
+
+	access_log	off;
+	sendfile	on;
+
+	#tcp_nopush		on;
+	keepalive_timeout	65;
+
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+	ssl_session_tickets off;
+
+	# intermediate configuration
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers off;
+
+	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+	add_header Strict-Transport-Security "max-age=63072000" always;
+
+	# OCSP stapling
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	gzip  on;
+
+	include /etc/nginx/sites.d/*.act; 
+}