You can put all this variables in a separated vault file.
nginx_dh
: DH contentnginx_dh_length
: DH key length (default is 2048)nginx_dh_path
: file locationnginx_ssl_dir
: directory where you install your SSL/TLS keysnginx_ssl_pairs
Each pair must have a name
.
Note: name
is used to deploy key/cert. With defaults values dans name
= "foo", key is -> /etc/nginx/ssl/foo/foo.key
Key/Cert content is stored in variable. Useful with vault.
key
: content of the private keycert
: content of the public key
You can use these variables if you use another task/role to manages your certificates.
dest_cert
: remote path where certificate is locateddest_key
: remote path where key is located
Create a self-signed pair and deploy it. Do not use this feature in production.
self_signed
: set true to use this featureforce
: optional feature (default: false), force regen pair (not idempotent)
Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this feature for standalone servers.
acme
: set true to use this feature. It usesname
(can be a string or string list).
Have a look to [acme configuration](acme.md configuration).
- In
nginx_sites
,ssl_name
is mandatory. This role will search innginx_ssl_pairs
with sitename
(first in list if it's a list).
If you do not specify any dh param, this role auto generates it.
nginx_sites;
- name: 'test-ssl.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'mysuperkey'
- name: 'test-ssl2.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-ssl3.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-self-signed.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'this.is.self.signed'
nginx_ssl_pairs:
- name: mysuperkey
key: |
-----BEGIN RSA PRIVATE KEY-----
....(snip)....
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----
- name: test-ssl2.local
acme: true
- name: this.is.self.signed
self_signed: true
force: false