-rw-r--r--roles/acme/defaults/main.yml3
-rw-r--r--roles/acme/meta/main.yml3
-rw-r--r--roles/acme/tasks/main.yml49
-rw-r--r--roles/acme/templates/acme.j21
-rw-r--r--roles/nginx/defaults/main.yml4
-rw-r--r--roles/nginx/files/default16
-rw-r--r--roles/nginx/handlers/main.yml4
-rw-r--r--roles/nginx/tasks/main.yml59
-rw-r--r--roles/nginx/templates/snippets/common.conf.j210
-rw-r--r--roles/nginx/templates/snippets/ssl-common.conf.j213
10 files changed, 162 insertions, 0 deletions
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
new file mode 100644
index 0000000..e46aab8
--- /dev/null
+++ b/roles/acme/defaults/main.yml
@@ -0,0 +1,3 @@
+acme_reload_cmd: "/bin/systemctl reload nginx"
+## Specify certificates as list of lists of domains
+acme_issue_certs: []
diff --git a/roles/acme/meta/main.yml b/roles/acme/meta/main.yml
new file mode 100644
index 0000000..23b99d1
--- /dev/null
+++ b/roles/acme/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: nginx }
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
new file mode 100644
index 0000000..d9c1a0a
--- /dev/null
+++ b/roles/acme/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Create user acme
+ user:
+ name: acme
+ shell: /bin/bash
+ state: present
+
+- name: Clone ACME.sh repository
+ become: yes
+ become_user: acme
+ git:
+ repo: https://github.com/Neilpang/acme.sh.git
+ dest: /home/acme/acme.sh
+ update: no
+
+- name: Prepare webroot directory
+ file:
+ path: /home/acme/webroot/.well-known
+ state: directory
+ owner: acme
+ group: acme
+ mode: 0755
+
+- name: Install ACME.sh
+ become: yes
+ become_user: acme
+ command: ./acme.sh --install
+ args:
+ chdir: /home/acme/acme.sh
+ creates: /home/acme/.acme.sh
+
+- name: Deploy sudoers file for acme
+ template:
+ src: acme.j2
+ dest: /etc/sudoers.d/acme
+ owner: root
+ group: root
+ mode: 0440
+
+- name: Issue certificates
+ become: yes
+ become_user: acme
+ command: '.acme.sh/acme.sh --issue -d {{ item | join(" -d ") }} -w /home/acme/webroot/ --reloadcmd "sudo {{ acme_reload_cmd }}"'
+ args:
+ chdir: /home/acme
+ creates: "/home/acme/.acme.sh/{{ item[0] }}/{{ item[0] }}.cer"
+ with_items:
+ - "{{ acme_issue_certs }}"
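Review bot: The `git:` task at `repo: https://github.com/Neilpang/acme.sh.git` has no `version:`, so the first run checks out whatever the remote default branch points at that day and the next task executes that checkout (`./acme.sh --install`) as the acme user; `update: no` then freezes that unreviewed snapshot for the life of the host. Pin it, e.g. `version: "<release tag or commit sha>"`, so the code that runs is the code that was reviewed. The `template:` task writing `/etc/sudoers.d/acme` also has no `validate:`; adding `validate: '/usr/sbin/visudo -cf %s'` makes Ansible refuse a fragment that would break sudo for every account on the host. Style: Ansible convention is `become: true` rather than `yes`, and quoted modes (`mode: "0755"`) so the octal is not retyped by YAML 1.1 parsers.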
diff --git a/roles/acme/templates/acme.j2 b/roles/acme/templates/acme.j2
new file mode 100644
index 0000000..dc61823
--- /dev/null
+++ b/roles/acme/templates/acme.j2
@@ -0,0 +1 @@
+acme ALL=(ALL) NOPASSWD: {{ acme_reload_cmd }}
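Review bot: `(ALL)` in `acme ALL=(ALL) NOPASSWD: {{ acme_reload_cmd }}` lets the acme user run the reload command as any account, while the reload only needs root; `acme ALL=(root) NOPASSWD: {{ acme_reload_cmd }}` is the tighter grant. The variable is rendered verbatim, so an override that drops the arguments (a bare `/bin/systemctl`) would authorise every systemctl subcommand; a comment on `acme_reload_cmd` in `roles/acme/defaults/main.yml` should state that it must be an absolute path with its complete argument list, because sudo matches the `--reloadcmd` string against exactly this rule.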
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..dde38dc
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,4 @@
+## This value is consistent with path in role acme
+nginx_well_known_path: "/home/acme/webroot/"
+## First of all - make sure that HTTPS works well; then is possible to enable HSTS
+nginx_enable_hsts: no
diff --git a/roles/nginx/files/default b/roles/nginx/files/default
new file mode 100644
index 0000000..2b909ce
--- /dev/null
+++ b/roles/nginx/files/default
@@ -0,0 +1,16 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ include snippets/common.conf;
+
+ root /var/www/html;
+
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..82c6f07
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart nginx
+ service: name=nginx state=restarted
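Review bot: `service: name=nginx state=restarted` uses key=value module args; Ansible convention is block YAML, `service:` / `name: nginx` / `state: reloaded`. The tasks that notify this handler only deploy configuration (snippets and the default site), which does not need a full restart: `state: reloaded` applies the new configuration without dropping in-flight connections, and the nginx master keeps the old configuration if the new one fails to parse.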
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..da86af6
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+
+- name: Install nginx
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - nginx
+
+- name: Generate dhparams
+ command: openssl dhparam -out /etc/ssl/dh4096.pem 4096
+ args:
+ creates: /etc/ssl/dh4096.pem
+
+- name: Fix dhparams privileges
+ file:
+ path: /etc/ssl/dh4096.pem
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Deploy snippets
+ template:
+ src: "snippets/{{ item }}.j2"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - common.conf
+ - ssl-common.conf
+
+- name: Check nginx default page
+ stat:
+ path: /etc/nginx/sites-enabled/default
+ register: stat_default
+
+- name: Delete nginx default page
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify:
+ - restart nginx
+ when: stat_default.stat.islnk == True
+
+- name: Deploy temporary default page (with our snippets etc)
+ copy:
+ src: default
+ ## Do not deploy it as symlik
+ ## This method keeps default config available, provides necessary definitions (.well-known)
+ ## and the particular server ussually deletes /etc/nginx/sites-enabled/default
+ dest: /etc/nginx/sites-enabled/default
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart nginx
+
+
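Review bot: `when: stat_default.stat.islnk == True` on the "Delete nginx default page" task fails with an undefined-attribute error when `/etc/nginx/sites-enabled/default` does not exist, because `stat` returns only `exists: false` for a missing path and omits `islnk`; any host where the default site was already removed by hand breaks the play. Use `when: stat_default.stat.exists and stat_default.stat.islnk`. The `openssl dhparam -out /etc/ssl/dh4096.pem 4096` step can take many minutes on small hosts; a comment saying so, and that `creates:` makes it a one-time cost, would stop an operator from killing the run. Style: `with_items` for a single apt package is unnecessary, `name: nginx` (or a list under `name:`) is the current idiom.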
diff --git a/roles/nginx/templates/snippets/common.conf.j2 b/roles/nginx/templates/snippets/common.conf.j2
new file mode 100644
index 0000000..727da03
--- /dev/null
+++ b/roles/nginx/templates/snippets/common.conf.j2
@@ -0,0 +1,10 @@
+## Ignore Apache's configuration files
+location ~ /\.ht {
+ deny all;
+}
+
+location ^~ /.well-known/ {
+ root {{ nginx_well_known_path }};
+}
+
+charset utf-8;
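Review bot: `location ~ /\.ht { deny all; }` hides only Apache's `.ht*` files; any other dotfile under a site root (`.git/`, `.env`, editor backups) is still served. Because `^~ /.well-known/` is a prefix location with the `^~` modifier, nginx selects it before consulting regex locations, so widening the deny to `location ~ /\. { deny all; }` keeps ACME challenges reachable while blocking every other hidden path. A one-line comment on the `.well-known` block recording that it must stay `^~` for exactly that reason would keep a later edit from breaking issuance.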
diff --git a/roles/nginx/templates/snippets/ssl-common.conf.j2 b/roles/nginx/templates/snippets/ssl-common.conf.j2
new file mode 100644
index 0000000..a7806ac
--- /dev/null
+++ b/roles/nginx/templates/snippets/ssl-common.conf.j2
@@ -0,0 +1,13 @@
+ssl on;
+ssl_dhparam /etc/ssl/dh4096.pem;
+
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!LOW:!EXPORT:!DES:!3DES:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA';
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1h;
+
+{% if nginx_enable_hsts == True %}
+add_header Strict-Transport-Security max-age=15768000;
+{% endif %}
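Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are formally deprecated (RFC 8996) and flagged by current TLS scanners; `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the target nginx/OpenSSL predate it) matches the intent of the ECDHE-only cipher list. `ssl on;` is deprecated since nginx 1.15.0 in favour of `listen 443 ssl;` in the server block, which is worth a comment here since the vhosts that include this snippet are not in the diff. The HSTS guard `{% if nginx_enable_hsts == True %}` is a strict comparison against a Python bool, so an inventory value of `"yes"` or `"true"` (a string) never enables it; `{% if nginx_enable_hsts | bool %}` accepts the usual Ansible spellings, and the default in `roles/nginx/defaults/main.yml` should be `false` rather than `no`. Consider `add_header Strict-Transport-Security "max-age=15768000" always;` so the header is also sent on error responses.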