initial

roles/nginx/tasks/install_certs.yml

@@ -0,0 +1,42 @@
+---
+
+- name: generate ssl forward secrecy key
+  command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 creates=/etc/ssl/certs/dhparam.pem
+  sudo: true
+  tags: nginx
+
+- name: get root cert for ssl stapling
+  get_url: url=http://www.startssl.com/certs/ca.pem dest=/etc/ssl/certs/ca.pem sha256sum=916a8f9232328192968c81c8edb672fa539f726861dfe379ca722050e19962cd
+  sudo: true
+
+- name: get inter cert for ssl stapling
+  get_url: url=http://www.startssl.com/certs/sub.class1.server.ca.pem dest=/etc/ssl/certs/sub.class1.server.ca.pem sha256sum=e7241cd06fed26efdb1db2283ce5c2f9693b18c6698d76b0427f39c3f71ee001
+  sudo: true
+
+- name: generate combined cert for stapling
+  shell: cat /etc/ssl/certs/ca.pem /etc/ssl/certs/sub.class1.server.ca.pem > /etc/ssl/certs/combined_startssl.pem creates=/etc/ssl/certs/combined_startssl.pem
+  sudo: true
+  tags: nginx
+
+- name: Copy private key
+  copy:
+    content: "{{ ssl_key }}"
+    dest: /etc/ssl/private/koodiklinikka.fi.key 
+    mode: u+rw
+  tags: [nginx]
+  notify: reload nginx
+  sudo: true
+
+- name: Copy cert
+  copy:
+    content: "{{ ssl_certificate }}"
+    dest: /etc/ssl/certs/koodiklinikka.fi.pem
+  tags: [nginx]
+  notify: reload nginx
+  sudo: true
+
+- name: Copy nginx SSL configuration
+  copy: src=files/nginx/ssl_profile.conf dest=/etc/nginx/conf.d
+  notify: reload nginx
+  sudo: true
+  tags: [nginx]

roles/nginx/tasks/install_nginx.yml

@@ -0,0 +1,41 @@
+---
+- name: Install python dependencies for managing apt repositories
+  apt: pkg=python-pycurl
+  tags: [nginx, repo]
+
+- name: Add nginx repository
+  apt_repository: repo='deb http://nginx.org/packages/ubuntu/ precise nginx' state=present update_cache=yes
+  tags: [nginx, repo]
+
+- name: Add nginx repository signing key
+  apt_key: url=http://nginx.org/keys/nginx_signing.key id=7BD9BF62 state=present
+  tags: [nginx, repo]
+
+- name: Install nginx
+  apt: pkg=nginx state=latest
+  tags: [nginx, install]
+
+- name: Ensure nginx config directories exist
+  file: path={{ item }} state=directory
+  with_items:
+    - /etc/nginx
+    - /etc/nginx/sites-available
+    - /etc/nginx/sites-enabled
+  tags: [nginx]
+
+- name: Remove default nginx configs
+  file: path=/etc/nginx/sites-available/default state=absent
+  with_items:
+    - /etc/nginx/sites-available/default
+    - /etc/nginx/sites-enabled/default
+    - /etc/nginx/conf.d
+  notify: restart nginx
+  tags: [nginx, config]
+
+- name: Allow tcp/80 and tcp/443 for HTTP
+  ufw: rule=allow insert={{ item.num }} proto=tcp port={{ item.port }}
+  with_items:
+    - { num: 1, port: 80  }
+    - { num: 2, port: 443 }
+  sudo: true
+  tags: [nginx, ufw]

roles/nginx/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include: install_nginx.yml
+- include: install_certs.yml
+- include: nginx_config.yml

roles/nginx/tasks/nginx_config.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Copy nginx main configuration file
+  copy: src=files/nginx/nginx.conf dest=/etc/nginx
+  notify: reload nginx
+  sudo: true
+  tags: [nginx]
+
+- file: path=/etc/nginx/location state=directory group=web mode=775
+  sudo: true
+  tags: [nginx]
+
+- file: path=/etc/nginx/htpasswd state=directory group=web mode=775
+  sudo: true
+  tags: [nginx]
+
+- name: Copy site configs
+  sudo: true
+  template: >
+    src=files/nginx/koodiklinikka.fi
+    dest=/etc/nginx/sites-available/
+  notify: reload nginx
+  tags: [nginx]
+
+- name: Enable sites
+  sudo: true
+  file: >
+    src=/etc/nginx/sites-available/{{ item }}
+    path=/etc/nginx/sites-enabled/{{ item }}
+    state=link
+  with_items:
+    - koodiklinikka.fi
+  notify: reload nginx
+  tags: [nginx]