Diffstat (limited to 'roles/lists/tasks/nginx.yml')
-rw-r--r--roles/lists/tasks/nginx.yml38
1 files changed, 22 insertions, 16 deletions
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index a0aab68..bbff34a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,40 +1,46 @@
- name: Install Nginx
- apt: pkg=nginx
-
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
- --privkey=/etc/nginx/ssl/lists.fripost.org.key
- --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
+ apt: pkg=nginx-light
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
dest=/etc/nginx/sites-available/sympa
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/sympa
file: src=../sites-available/sympa
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
+ register: r2
+ notify:
+ - Restart Nginx
+
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
register: r3
notify:
- Restart Nginx
- name: Start nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
+
+- name: Fetch Nginx's X.509 certificate
+ # Ensure we don't fetch private data
+ become: False
+ fetch_cmd: cmd="openssl x509 -noout -pubkey"
+ stdin=/etc/nginx/ssl/lists.fripost.org.pem
+ dest=certs/public/lists.fripost.org.pub
+ tags:
+ - genkey
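Review bot: `validate=/bin/false` on the "Copy HPKP header snippet" task makes the template module fail whenever the rendered snippet differs from what is on disk, including the very first run when `/etc/nginx/snippets/lists.fripost.org.hpkp-hdr` does not yet exist, and Ansible's `validate` expects a `%s` placeholder for the temp file, so depending on the version the task may abort with a generic "validate must contain %s" error rather than a message that explains the pin guard. If the intent is to let the file be created once and then refuse any later change to the pinned keys, a validation command that only rejects overwriting an existing file expresses that directly, e.g. `validate="/bin/sh -c 'test ! -e /etc/nginx/snippets/lists.fripost.org.hpkp-hdr' %s"`, with the existing comment extended to say that a pin change has to be rolled out by hand (new pin added first, old one dropped only after max-age has elapsed). The rendered snippet is not in this hunk, so I cannot see whether it carries a backup pin next to the live one; if it does not, rotating the key pair referenced by the fetch task below becomes impossible without locking out every returning client for the pin's max-age, which is the exact outcome this guard is meant to avoid.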