add global additions, set default cert-type to snakeoil

ansibleguy · Aug 5, 2024 · d8721d8 · d8721d8
1 parent 426356b
commit d8721d8
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -83,7 +83,7 @@ nginx:
         path: '/var/www/static'
 
       ssl:
-        mode: 'ca'  # create minimal ca with signed server-certificate
+        mode: 'snakeoil'
 
       config:  # add settings as key-value pairs
         LimitRequestFields: 10

diff --git a/defaults/main/2_site.yml b/defaults/main/2_site.yml
@@ -21,6 +21,7 @@ defaults_site:
   config_additions: []  # lines that will 1-to-1 be appended to the site-config (directory config etc.)
   # BE AWARE that you might break the config-syntax if you're not careful
   config_additions_root: []  # lines that will 1-to-1 be appended inside 'location / {}'
+  global_additions: []  # lines that will 1-to-1 be prepended on the global 'http' level
 
   security:
     restrict_methods: true
@@ -68,7 +69,7 @@ defaults_site:
     index: ['index.html']
 
   ssl:
-    mode: 'ca'  # existing/selfsigned/ca/letsencrypt
+    mode: 'snakeoil'  # existing/selfsigned/ca/letsencrypt/snakeoil
     # existing:
     #   We expect the certs to be placed in the role's 'files' directory named like the site
     #   Example: files/certs/ansibleguy.key and files/certs/ansibleguy.crt

diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
@@ -8,6 +8,7 @@ def filters(self):
             "safe_key": self.safe_key,
             "config_line_end": self.config_line_end,
             "ensure_list": self.ensure_list,
+            "unique_list": self.unique_list,
             "prepare_letsencrypt": self.prepare_letsencrypt,
         }
 
@@ -27,6 +28,10 @@ def ensure_list(data: (str, list)) -> list:
 
         return [data]
 
+    @staticmethod
+    def unique_list(data: list) -> list:
+        return list(set(data))
+
     @classmethod
     def prepare_letsencrypt(cls, sites: dict, state: str, email: str = None, only_site: str = None) -> dict:
         certs = {}

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -4,7 +4,7 @@
   hosts: test-ag-nginx-tester
   vars:
     dummy_ssl:
-      mode: 'ca'
+      mode: 'snakeoil'
       cert:
         cn: 'Nginx'
         org: 'AnsibleGuy Test'

diff --git a/tasks/debian/add_certs.yml b/tasks/debian/add_certs.yml
@@ -21,7 +21,7 @@
         locality: "{{ site.ssl.cert.locality }}"
         email: "{{ site.ssl.cert.email }}"
         crl_distribution: "{{ site.ssl.cert.crl_distribution }}"
-        domains: "{{ site.aliases + [site.domain] }}"
+        domains: "{{ ((site.aliases | ensure_list) + [site.domain]) | unique_list }}"
         ips: ["{{ site.ip }}"]
       ca:
         path: "{{ NGINX_CONFIG.ssl.path }}"

diff --git a/templates/etc/nginx/sites-available/inc/site_http.j2 b/templates/etc/nginx/sites-available/inc/site_http.j2
@@ -6,7 +6,7 @@ server {
 {% if NGINX_CONFIG.ipv6 and site.listen_ipv6 != '' %}
   listen {{ site.listen_ipv6 }}:{{ site.port_plain }};
 {% endif %}
-  server_name {{ site.domain }}{% for alias in site.aliases %} {{ alias }}{% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %};
+  server_name {{ site.domain }}{% for alias in site.aliases|ensure_list %}{% if alias != site.domain %} {{ alias }}{% endif %}{% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %};
 
 {% include "inc/site_http_log.j2" %}
 {% include "inc/site_http_headers.j2" %}

diff --git a/templates/etc/nginx/sites-available/inc/site_https.j2 b/templates/etc/nginx/sites-available/inc/site_https.j2
@@ -14,7 +14,7 @@ server {
   listen {{ site.listen_ipv6 }}:{{ site.port_plain }};
 {%   endif %}
 {% endif %}
-  server_name {{ site.domain }}{% for alias in site.aliases %} {{ alias }}{% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %};
+  server_name {{ site.domain }}{% for alias in site.aliases|ensure_list %}{% if alias != site.domain %} {{ alias }}{% endif %}{% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %};
 
 {% if site.main_redirect %}
   if ($host != $server_name) {

diff --git a/templates/etc/nginx/sites-available/site.j2 b/templates/etc/nginx/sites-available/site.j2
@@ -5,5 +5,9 @@
 proxy_cache_path {{ site.proxy.cache.path }}/site_{{ name }} levels={{ site.proxy.cache.levels }} keys_zone={{ name }}_cache:{{ site.proxy.cache.memory }} max_size={{ site.proxy.cache.max_size }} inactive={{ site.proxy.cache.inactive }} use_temp_path={{ site.proxy.cache.use_temp_path }};
 {% endif %}
 
+{% for line in site.global_additions | ensure_list %}
+{{ line }}{{ line | config_line_end }}
+{% endfor %}
+
 {% include "inc/site_http.j2" %}
 {% include "inc/site_https.j2" %}