Add facts about ssl certificate installation

2017-09-09 14:06:45 +03:00 · 2017-09-09 14:06:45 +03:00 · e80ca9292f
commit e80ca9292f
parent 9634d7ab61
5 changed files with 14 additions and 17 deletions
--- a/ansible/roles/ssl-certificate/defaults/main.yml
+++ b/ansible/roles/ssl-certificate/defaults/main.yml
@ -11,14 +11,13 @@ cert_email: ''
 # Required: domains for lets encrypt certificate creation
 cert_domains: []

-# Parameters to store generated keys
+# Paths to store generated keys
 cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
 cert_key: '{{ cert_directory }}/ssl.key'
 cert_request: '{{ cert_directory }}/ssl.csr'
 cert_certificate: '{{ cert_directory }}/ssl.crt'
-
-# DH parameters
-cert_dhparam: '/etc/nginx/dhparam.pem'
+cert_dhparam: '{{ cert_directory }}/dhparam.pem'
 cert_dhparam_n: 2048

+# lets encrypt well-known challenge folder
 cert_le_webroot_path: /var/www/letsencrypt
--- a/ansible/roles/ssl-certificate/tasks/main.yml
+++ b/ansible/roles/ssl-certificate/tasks/main.yml
@ -14,3 +14,9 @@
  shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
  args:
    creates: '{{ cert_dhparam }}'
+
+- name: Set facts about generated files.
+  set_fact:
+    '{{ cert_name }}_ssl_key': '{{ cert_key }}'
+    '{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
+    '{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'
--- a/ansible/roles/symfony-app/defaults/main.yml
+++ b/ansible/roles/symfony-app/defaults/main.yml
@ -29,11 +29,7 @@ app_web_listen: 'unix:/var/run/php-fpm-{{ app_name }}.sock'

 app_cert: no
 app_cert_type: 'self-signed'
-app_cert_email: ''
-app_cert_directory: '/opt/ssl-certificates/{{ app_name }}'
-app_cert_certificate: '/opt/ssl-certificates/{{ app_name }}/ssl.crt'
-app_cert_key: '/opt/ssl-certificates/{{ app_name }}/ssl.key'
-app_dhparam_file: '/opt/ssl-certificates/{{ app_name }}/dhparam.pem'
+app_cert_email: 'name@example.com'


 # PHP-FPM
--- a/ansible/roles/symfony-app/tasks/main.yml
+++ b/ansible/roles/symfony-app/tasks/main.yml
@ -39,10 +39,6 @@
    cert_name: '{{ app_name }}'
    cert_email: '{{ app_cert_email }}'
    cert_domains: '{{ app_domains }}'
-    cert_directory: '{{ app_cert_directory }}'
-    cert_key: '{{ app_cert_key }}'
-    cert_certificate: '{{ app_cert_certificate }}'
-    cert_dhparam: '{{ app_dhparam_file }}'
  when: app_cert

 - name: 'Create web directory for {{ app_name }}.'
--- a/ansible/roles/symfony-app/templates/ssl.j2
+++ b/ansible/roles/symfony-app/templates/ssl.j2
@ -1,7 +1,7 @@
 ssl on;
-ssl_certificate         {{ app_cert_certificate }};
-ssl_certificate_key     {{ app_cert_key }};
-ssl_trusted_certificate {{ app_cert_certificate }};
+ssl_certificate         {{ vars[app_name + "_ssl_certificate"] }};
+ssl_certificate_key     {{ vars[app_name + "_ssl_key"] }};
+ssl_trusted_certificate {{ vars[app_name + "_ssl_certificate"] }};

 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
@ -11,5 +11,5 @@ ssl_stapling_verify on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

-ssl_dhparam {{ app_dhparam_file }};
+ssl_dhparam {{ vars[app_name + "_ssl_dhparam"] }};
 ssl_prefer_server_ciphers on;