add chaining intermediat in target crt

boolean filter instead of True comparison
import suggestion from @edoput: "al massimo posso capire un filtro come | bool" FB PM 17/11/2016 00:22
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -1,4 +1,32 @@
 ---
  is_proxy: false
  php: false
  config_names: []
 is_proxy: false
 php: false
 config_names: []
 letsencrypt: false

 nginx_max_clients: 512

 nginx_http_params:
  sendfile: "on"
  tcp_nopush: "on"
  tcp_nodelay: "on"
  keepalive_timeout: "65"
  
 nginx_log_dir: "/var/log/nginx" 
 nginx_access_log_name: "access.log"
 nginx_error_log_name: "error.log"
 nginx_separate_logs_per_site: False

 letsencrypt_pause: false
 letsencrypt_account_key: "/etc/ssl/private/letsencrypt.key.pem"
 letsencrypt_intermediate_url: "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
 letsencrypt_intermediate_crt: "/etc/ssl/private/intermediatex3.crt"
 letsencrypt_challenge_webroot: "/var/www/html"
 letsencrypt_ssl_country: "IT"
 letsencrypt_ssl_state: "Italy"
 letsencrypt_ssl_loc: "Florence"
 letsencrypt_ssl_org: "LILiK"
 letsencrypt_ssl_email: "letsencrypt@example.com"

 nginx_sites:
  
--- a/roles/nginx/tasks/letsencrypt.yaml
+++ b/roles/nginx/tasks/letsencrypt.yaml
@ -0,0 +1,55 @@
 - name: provision ssl host private key
  openssl_privatekey:
    path: "{{ item.server.ssl_certificate_key }}"

 - name: generate certificate signing request
  command: >
    openssl req
      -new
      -sha256
      -nodes
      -key {{ item.server.ssl_certificate_key }}
      -out {{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~".csr") }}
      -subj "/C={{ item.letsencrypt.ssl_country | default(letsencrypt_ssl_country)
      }}/ST={{ item.letsencrypt.ssl_state | default(letsencrypt_ssl_state)
      }}/L={{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
      }}/O={{ item.letsencrypt.ssl_org | default(letsencrypt_ssl_org)
      }}/CN={{ item.letsencrypt.ssl_cn | default(item.server.server_name)
      }}/emailAddress={{ item.letsencrypt.ssl_email | default(letsencrypt_ssl_email) }}"

 - name: get challenge(s) from letsencrypt server
  letsencrypt:
    account_key: "{{ letsencrypt_account_key }}"
    csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
    dest: "{{ item.server.ssl_certificate }}"
    acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
  register: letsencrypt_challenge

 - name: store challenge(s) in local dir
  include: store_challenge.yaml
  when: letsencrypt_challenge|changed

 - pause:
    prompt: "LETSENCRYPT REMOTE VERIFICATION REQUIRED!. Perform any action to
    make server reachable from outside, then press ENTER to start
    verification"
  when: letsencrypt_challenge|changed and letsencrypt_pause|bool

 - name: get signed certificate(s) from letsencrypt server
  letsencrypt:
    account_key: "{{ letsencrypt_account_key }}"
    csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
    dest: "{{ item.server.ssl_certificate }}"
    acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
    data: "{{ letsencrypt_challenge }}"
  notify: restart nginx

 - name: download intermediate cert for chaining
  get_url:
    url: "{{ letsencrypt_intermediate_url }}"
    dest: "{{ letsencrypt_intermediate_crt }}"
  when: letsencrypt_challenge|changed

 - name: chaining intermediate certificate
  shell: "cat {{ letsencrypt_intermediate_crt }} >> {{ item.server.ssl_certificate }}"
  when: letsencrypt_challenge|changed
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@ -6,6 +6,39 @@
    service_packages:
        - nginx

 - name: install letsencrypt dependencies
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes
    cache_valid_time: 3600
  with_items: "{{ letsencrypt_requirements }}"
  when: letsencrypt|bool

 - name: provision directories for site specific configurations
  file:
    path: /etc/nginx/{{ item }}
    state: directory
    owner: root
    group: root
    mode: 0755
  with_items:
    - "sites-available"
    - "sites-enabled"

 - name: provision letsencrypt challenge folder
  file:
    path: "{{ letsencrypt_challenge_webroot }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: 0755
  when: letsencrypt|bool

 - name: upload nginx configuration
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
 - name: disable nginx default configuration
  file:
    path: /etc/nginx/sites-enabled/default
@ -33,16 +66,69 @@
      - enable nginx configuration
      - restart nginx

 - name: add nginx configurations
 - name: add nginx configuration custom templates
  template:
      src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
      dest: /etc/nginx/sites-available/{{ item }}.conf
      dest: "/etc/nginx/sites-available/{{ item }}.conf"
  with_items: "{{ config_names }}"
  when: config_names is defined and item|bool

 - name: enable nginx configurations
 - name: enable nginx configuration custom templates
  file:
      src: "/etc/nginx/sites-available/{{ item }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
      state: link
  with_items: "{{ config_names }}"
  when: config_names is defined and item|bool
  notify: restart nginx

 - name: generate nginx configurations from standard template
  template:
    src: site.j2
    dest: "/etc/nginx/sites-available/{{ item.server.file_name }}"
  with_items: "{{ nginx_sites }}"
  when: nginx_sites is defined and nginx_sites
  register: nginx_gen_conf
  notify: restart nginx

 - name: disable ssl configurations with pending cert issuing
  file:
    path: "/etc/nginx/sites-enabled/{{ item.item.server.file_name }}"
    state: absent
  with_items: "{{ nginx_gen_conf.results }}"
  when:
    - item | changed
    - item.item.letsencrypt is defined
  
 - name: enable nginx configurations used for letsencrypt challenge
  file:
    path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
    state: link
    src: "/etc/nginx/sites-available/{{ item.server.file_name }}"
  with_items: "{{ nginx_sites }}"
  when: letsencrypt|bool and item.use_for_challenge is defined and item.use_for_challenge|bool and nginx_sites is defined and nginx_sites

 - name: restart nginx to start enabled configurations used for letsencrypt
  service:
    name: nginx
    state: restarted
  when: letsencrypt|bool

 - name: provision letsencrypt account private key
  openssl_privatekey:
    path: "{{ letsencrypt_account_key }}"
  when: letsencrypt|bool

 - name: provision ssl cert/key(s) with letsencrypt
  include: letsencrypt.yaml
  with_items: "{{ nginx_sites }}"
  when: letsencrypt|bool and item.letsencrypt is defined and nginx_sites is defined and nginx_sites

 - name: enable nginx configuration generated from standard template
  file:
    path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
    state: link
    src: "/etc/nginx/sites-available/{{ item.server.file_name }}"
  with_items: "{{ nginx_sites }}"
  when: nginx_sites is defined and nginx_sites
  notify: restart nginx
--- a/roles/nginx/tasks/store_challenge.yaml
+++ b/roles/nginx/tasks/store_challenge.yaml
@ -0,0 +1,9 @@
 - name: copy challenge file inside webroot
  copy:
    dest: "{{ letsencrypt_challenge_webroot }}/{{ chall.value['http-01']['resource'] }}"
    content: "{{ chall.value['http-01']['resource_value'] }}"
  with_dict: "{{ letsencrypt_challenge.challenge_data }}"
  loop_control:
    loop_var: chall

    
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -0,0 +1,27 @@
 # {{ ansible_managed }}
 #
 user              www-data;

 pid        /var/run/nginx.pid;

 events {
    worker_connections  {{ nginx_max_clients }};
 }

 http {
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log {{ nginx_log_dir }}/{{ nginx_access_log_name }};
        error_log {{ nginx_log_dir }}/{{ nginx_error_log_name }};

 {% for k,v in nginx_http_params.iteritems() %}
        {{ k }}  {{ v }};
 {% endfor %}

        gzip on;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
 }
--- a/roles/nginx/templates/site.j2
+++ b/roles/nginx/templates/site.j2
@ -0,0 +1,28 @@
 # {{ ansible_managed }}

 server {

 {% for key,value in item.server|dictsort if key != 'file_name' %}
    {{ key }} {{ value }};
 {% if nginx_separate_logs_per_site|bool %}
 	access_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_access_log_name }};
 	error_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_error_log_name }};
 {% endif %}

 {% endfor %}
 {% if item.use_for_challenge is defined %}
   location /.well-known/acme-challenge {
        root {{ letsencrypt_challenge_webroot }};

   }
 {% endif %}
 {% if 'location' in item %}
 {% for location in item.location if 'location' in item %}
    location {{ location.name }} { {% for key,value in location|dictsort if key != 'name' %}
        {{ key }} {{ value }}; {% endfor %}

    }
 {% endfor %}
 {% endif %}
 }

--- a/roles/nginx/vars/main.yaml
+++ b/roles/nginx/vars/main.yaml
@ -0,0 +1,6 @@
 ---
 letsencrypt_requirements:
 #  - python-selinux
  - openssl
  - python-openssl
  - ca-certificates
Author	SHA1	Message	Date
Zolfa	6e9fc282cf	add chaining intermediat in target crt	7 years ago
Lorenzo	1b76775fc8	boolean filter instead of True comparison import suggestion from @edoput: "al massimo posso capire un filtro come \| bool" FB PM 17/11/2016 00:22	8 years ago
Lorenzo	d5edc93549	nginx daemon settings: suggestion from @edoput number of worker: "lascierei stare questa cosa del numero di worker" disable gzip for msie6: "questa la rimuovi tanto non ci interessa" on facebook PM 17/11/2016 00:22	8 years ago
Lorenzo	6d332231c6	disable broken server configuration files necessary to avoid nginx startup failure	8 years ago
Lorenzo	293d502ade	now is possible to define acme dir with letsencrypt_acme_dir var	8 years ago
Lorenzo	944314dc5d	default for le_pause	8 years ago
Lorenzo	bdf0a90396	bug-fix: handle empty config_files`	8 years ago
Lorenzo	1427fe3069	pause before remote-testing server only if letsencrypt_pause is true	8 years ago
Lorenzo	37c875a18c	bug fixes: nginx.conf is updated, typo in defaults corrected	8 years ago
Lorenzo	530c1b2ebb	various bug and typos fixes	8 years ago
Lorenzo	775b463295	change php requirement to php-fpm deb package - fix bug introduced with last commit	8 years ago
Lorenzo	94dc5d0f10	a first attempt to merge lilik nginx role with functionalities from Ginsys.nginx and to include letsencrypt automation tasks - must not break functionality of other roles using previous lilik nginx role	8 years ago