diff --git a/ansible/roles/ssl-certificate/defaults/main.yml b/ansible/roles/ssl-certificate/defaults/main.yml
index c619a08..bacef48 100644
--- a/ansible/roles/ssl-certificate/defaults/main.yml
+++ b/ansible/roles/ssl-certificate/defaults/main.yml
@@ -11,14 +11,13 @@
 cert_email: ''
 # Required: domains for lets encrypt certificate creation
 cert_domains: []
-# Parameters to store generated keys
+# Paths to store generated keys
 cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
 cert_key: '{{ cert_directory }}/ssl.key'
 cert_request: '{{ cert_directory }}/ssl.csr'
 cert_certificate: '{{ cert_directory }}/ssl.crt'
-
-# DH parameters
-cert_dhparam: '/etc/nginx/dhparam.pem'
+cert_dhparam: '{{ cert_directory }}/dhparam.pem'
 cert_dhparam_n: 2048
+# lets encrypt well-known challenge folder
 cert_le_webroot_path: /var/www/letsencrypt
diff --git a/ansible/roles/ssl-certificate/tasks/main.yml b/ansible/roles/ssl-certificate/tasks/main.yml
index 09f5750..f8b3874 100644
--- a/ansible/roles/ssl-certificate/tasks/main.yml
+++ b/ansible/roles/ssl-certificate/tasks/main.yml
@@ -14,3 +14,9 @@
 shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
 args:
 creates: '{{ cert_dhparam }}'
+
+- name: Set facts about generated files.
+ set_fact:
+ '{{ cert_name }}_ssl_key': '{{ cert_key }}'
+ '{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
+ '{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'
diff --git a/ansible/roles/symfony-app/defaults/main.yml b/ansible/roles/symfony-app/defaults/main.yml
index f33c9a1..feeeb69 100644
--- a/ansible/roles/symfony-app/defaults/main.yml
+++ b/ansible/roles/symfony-app/defaults/main.yml
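Review bot: Moving the `cert_dhparam` default from `/etc/nginx/dhparam.pem` to `{{ cert_directory }}/dhparam.pem` silently changes where already-provisioned hosts look for the file: a host set up with the old default keeps its group under /etc/nginx, and the `creates:` guard in the tasks hunk below will presumably generate a fresh 2048-bit group under the new path on the next run, which is slow and now happens once per `cert_name`. The removed `# DH parameters` heading also leaves `cert_dhparam_n` grouped under `# Paths to store generated keys`, although it is a group size rather than a path. I would restore a heading above `cert_dhparam`, e.g. `# Diffie-Hellman parameters: output path and group size in bits, generated per cert_name`, and mention the default path change in the role's README or changelog.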
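Review bot: The `set_fact` keys are built from `cert_name`, so a value containing characters that are not valid in an Ansible variable name (a hyphen, as in `my-app`) yields a fact name the engine may reject or that cannot be reached by plain name later, and nothing validates `cert_name` before this task. Of the generated paths, `cert_request` is the only one not exported, which looks like an oversight rather than a choice. Consider an assertion ahead of this task, `- assert: { that: "cert_name is match('^[A-Za-z_][A-Za-z0-9_]*$')" }`, or export one mapping fact named after `cert_name` with fixed inner keys (`key`, `certificate`, `dhparam`) so only the outer name is dynamic.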
@@ -29,11 +29,7 @@
 app_web_listen: 'unix:/var/run/php-fpm-{{ app_name }}.sock'
 app_cert: no
 app_cert_type: 'self-signed'
-app_cert_email: ''
-app_cert_directory: '/opt/ssl-certificates/{{ app_name }}'
-app_cert_certificate: '/opt/ssl-certificates/{{ app_name }}/ssl.crt'
-app_cert_key: '/opt/ssl-certificates/{{ app_name }}/ssl.key'
-app_dhparam_file: '/opt/ssl-certificates/{{ app_name }}/dhparam.pem'
+app_cert_email: 'name@example.com'
 # PHP-FPM
diff --git a/ansible/roles/symfony-app/tasks/main.yml b/ansible/roles/symfony-app/tasks/main.yml
index 1cef058..402281f 100644
--- a/ansible/roles/symfony-app/tasks/main.yml
+++ b/ansible/roles/symfony-app/tasks/main.yml
@@ -39,10 +39,6 @@
 cert_name: '{{ app_name }}'
 cert_email: '{{ app_cert_email }}'
 cert_domains: '{{ app_domains }}'
- cert_directory: '{{ app_cert_directory }}'
- cert_key: '{{ app_cert_key }}'
- cert_certificate: '{{ app_cert_certificate }}'
- cert_dhparam: '{{ app_dhparam_file }}'
 when: app_cert
- name: 'Create web directory for {{ app_name }}.'
diff --git a/ansible/roles/symfony-app/templates/ssl.j2 b/ansible/roles/symfony-app/templates/ssl.j2
index 56e82fc..476cf46 100644
--- a/ansible/roles/symfony-app/templates/ssl.j2
+++ b/ansible/roles/symfony-app/templates/ssl.j2
@@ -1,7 +1,7 @@
 ssl on;
-ssl_certificate {{ app_cert_certificate }};
-ssl_certificate_key {{ app_cert_key }};
-ssl_trusted_certificate {{ app_cert_certificate }};
+ssl_certificate {{ vars[app_name + "_ssl_certificate"] }};
+ssl_certificate_key {{ vars[app_name + "_ssl_key"] }};
+ssl_trusted_certificate {{ vars[app_name + "_ssl_certificate"] }};
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
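Review bot: `app_cert_email: 'name@example.com'` turns a forgotten contact address from an obvious omission into a valid-looking value that the symfony-app tasks hunk passes straight through as `cert_email`, so a certificate account (the ssl-certificate defaults describe this as the Let's Encrypt email) would be registered with a placeholder address and expiry or revocation notices would reach nobody. Keep the default empty and document the requirement, `app_cert_email: ''  # Required when app_cert is true: contact address for the certificate account`, or have the role fail fast when `app_cert` is true and the address is empty. If the placeholder stays, at least add a comment saying it must be overridden per deployment.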
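Review bot: The new lookups build the fact name with `+`; in Jinja `~` is the string-concatenation operator and is the safer choice because it stringifies both operands, whereas `+` raises a TypeError should `app_name` ever be something other than a string — `ssl_certificate {{ vars[app_name ~ '_ssl_certificate'] }};` on the three lines here and on the `ssl_dhparam` line in the second hunk of this file. These facts exist only after the ssl-certificate role has run for the host (its tasks hunk above), and the symfony-app tasks include that role only `when: app_cert`, so rendering this template with `app_cert` false now fails on an undefined fact where the removed per-app defaults at least produced a path; I can't see from here whether the template task carries the same condition. A header comment naming the source of the facts would help the next reader, e.g. `{# the <app_name>_ssl_* facts are set by the ssl-certificate role #}`.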
@@ -11,5 +11,5 @@
 ssl_stapling_verify on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_dhparam {{ app_dhparam_file }};
+ssl_dhparam {{ vars[app_name + "_ssl_dhparam"] }};
 ssl_prefer_server_ciphers on;