Diffstat (limited to 'roles/nginx')
-rw-r--r--roles/nginx/defaults/main.yml4
-rw-r--r--roles/nginx/files/default16
-rw-r--r--roles/nginx/handlers/main.yml4
-rw-r--r--roles/nginx/tasks/main.yml59
-rw-r--r--roles/nginx/templates/snippets/common.conf.j210
-rw-r--r--roles/nginx/templates/snippets/ssl-common.conf.j213
6 files changed, 106 insertions, 0 deletions
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
new file mode 100644
index 0000000..dde38dc
--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,4 @@
+## This value is consistent with path in role acme
+nginx_well_known_path: "/home/acme/webroot/"
+## First of all - make sure that HTTPS works well; then is possible to enable HSTS
+nginx_enable_hsts: no
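Review bot: `nginx_enable_hsts: no` on the last line of the hunk depends on YAML 1.1 boolean coercion; Ansible's loader does turn it into False, but yamllint's truthy rule and anyone reading it under YAML 1.2 rules see the string "no", and the template that consumes it compares with `== True`, so a value supplied as a string from `-e` or an inventory file silently keeps HSTS off. Write the default as `nginx_enable_hsts: false` and test it in the template with `nginx_enable_hsts | bool`. The comment above `nginx_well_known_path` would be more useful if it named the acme role's variable it must stay in sync with, e.g. `## Must equal the webroot configured in role acme (see that role's defaults)`.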
diff --git a/roles/nginx/files/default b/roles/nginx/files/default
new file mode 100644
index 0000000..2b909ce
--- /dev/null
+++ b/roles/nginx/files/default
@@ -0,0 +1,16 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ include snippets/common.conf;
+
+ root /var/www/html;
+
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
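Review bot: The file carries no header saying it is generated by Ansible and is only a temporary catch-all server, so an operator editing /etc/nginx/sites-enabled/default by hand will lose the change on the next run; the explanation lives only in tasks/main.yml, which the server-side reader never sees. Add a first line such as `# Managed by Ansible (roles/nginx): temporary default server; per-site config replaces it` above `server {`. The one-space indentation shown here looks like a rendering artefact of the diff rather than the committed layout, but if it is real, nginx does not care and a reindent is cosmetic.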
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..82c6f07
--- /dev/null
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart nginx
+ service: name=nginx state=restarted
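Review bot: `service: name=nginx state=restarted` uses the legacy key=value argument string; the role's tasks file already writes module arguments as block YAML, so the handler should match: `service:` / `  name: nginx` / `  state: restarted`. A full restart drops in-flight connections for every snippet or site change, and nginx can apply configuration changes with a reload, so `state: reloaded` is probably sufficient here unless a task needs a real restart; if you keep `restarted`, a short comment saying why would help. The handler file also starts with a blank line after `---`, which yamllint flags.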
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..da86af6
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+
+- name: Install nginx
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - nginx
+
+- name: Generate dhparams
+ command: openssl dhparam -out /etc/ssl/dh4096.pem 4096
+ args:
+ creates: /etc/ssl/dh4096.pem
+
+- name: Fix dhparams privileges
+ file:
+ path: /etc/ssl/dh4096.pem
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Deploy snippets
+ template:
+ src: "snippets/{{ item }}.j2"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - common.conf
+ - ssl-common.conf
+
+- name: Check nginx default page
+ stat:
+ path: /etc/nginx/sites-enabled/default
+ register: stat_default
+
+- name: Delete nginx default page
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify:
+ - restart nginx
+ when: stat_default.stat.islnk == True
+
+- name: Deploy temporary default page (with our snippets etc)
+ copy:
+ src: default
+ ## Do not deploy it as symlik
+ ## This method keeps default config available, provides necessary definitions (.well-known)
+ ## and the particular server ussually deletes /etc/nginx/sites-enabled/default
+ dest: /etc/nginx/sites-enabled/default
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart nginx
+
+
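Review bot: `when: stat_default.stat.islnk == True` on the "Delete nginx default page" task fails with an undefined-attribute error when /etc/nginx/sites-enabled/default does not exist, because the stat module only returns `islnk` for paths that exist; use `when: stat_default.stat.exists and stat_default.stat.islnk`. The "Deploy snippets" task has no `notify`, so a changed common.conf or ssl-common.conf is never loaded until some other task restarts nginx; add `notify:` / `  - restart nginx` to it as the two later tasks do. The three `mode: 0644` values are unquoted YAML 1.1 octal literals, which Ansible accepts because of the leading zero, but `mode: "0644"` is the form ansible-lint asks for and is unambiguous under YAML 1.2. The `with_items` loop over a single package and the double `##` comment prefix (yamllint expects `# `) are style only.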
diff --git a/roles/nginx/templates/snippets/common.conf.j2 b/roles/nginx/templates/snippets/common.conf.j2
new file mode 100644
index 0000000..727da03
--- /dev/null
+++ b/roles/nginx/templates/snippets/common.conf.j2
@@ -0,0 +1,10 @@
+## Ignore Apache's configuration files
+location ~ /\.ht {
+ deny all;
+}
+
+location ^~ /.well-known/ {
+ root {{ nginx_well_known_path }};
+}
+
+charset utf-8;
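Review bot: `location ~ /\.ht { deny all; }` blocks only Apache's .htaccess/.htpasswd, so any other dotfile or dot-directory that ends up under a site's root (version-control metadata, editor backups) stays fetchable; since this is a regex location and nginx resolves the `^~ /.well-known/` prefix location before regex locations, it can be widened to `location ~ /\. { deny all; }` without breaking the ACME path. The comment above it should then say what it protects and why .well-known is exempt. `root {{ nginx_well_known_path }};` means nginx appends the request URI to that path, so challenge files are expected under the .well-known directory of that webroot; a one-line comment such as `## request path is appended: files live under {{ nginx_well_known_path }}.well-known/...` would save the next reader a lookup.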
diff --git a/roles/nginx/templates/snippets/ssl-common.conf.j2 b/roles/nginx/templates/snippets/ssl-common.conf.j2
new file mode 100644
index 0000000..a7806ac
--- /dev/null
+++ b/roles/nginx/templates/snippets/ssl-common.conf.j2
@@ -0,0 +1,13 @@
+ssl on;
+ssl_dhparam /etc/ssl/dh4096.pem;
+
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!LOW:!EXPORT:!DES:!3DES:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA';
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1h;
+
+{% if nginx_enable_hsts == True %}
+add_header Strict-Transport-Security max-age=15768000;
+{% endif %}
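Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated and undermine the otherwise strict cipher list; use `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the target nginx/OpenSSL is too old to accept it). `ssl on;` is deprecated in favour of the `ssl` parameter on the `listen` directive of the including server block, so the snippet should drop it and the servers that include it should carry `listen 443 ssl;`. `{% if nginx_enable_hsts == True %}` is false for a string "true" passed from the command line or inventory; `{% if nginx_enable_hsts | bool %}` handles both. Note also that nginx does not inherit `add_header` into a server or location that sets its own `add_header`, so a site that adds any header of its own silently loses the HSTS header from this snippet; a comment above the `add_header` line warning about that is worth adding.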