diff --git a/defaults/main.yml b/defaults/main.yml
index b50c758..6c5edcc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,3 +12,15 @@ nginx:
 resolver:
 - 8.8.8.8
 - 8.8.4.4
+
+nginx_forcessl_vhost:
+ "https-redirect":
+ listen:
+ nossl: True
+ ssl: False
+ locations:
+ - match: '/.well-known/acme-challenge/'
+ alias: '/var/www/letsencrypt/'
+ - match: '/'
+ custom:
+ - return 301 https://$host$request_uri
diff --git a/files/config/sites-available/https-redirect b/files/config/sites-available/https-redirect
deleted file mode 100644
index 5e37684..0000000
--- a/files/config/sites-available/https-redirect
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- location /.well-known/acme-challenge/ {
- alias /var/www/letsencrypt/;
- }
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/tasks/main.yml b/tasks/main.yml
index 4480696..c21ea5c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,12 +2,17 @@
 - set_fact:
 nginx_certs: "{{ nginx.vhosts|nginx_vhosts_to_certificates }}"
 inventory_certs: "{{ certificates.certs|d({}) }}"
+ selfsigned_cert: "{ '{{ inventory_hostname }}': { 'backend': 'selfsigned' }}"
 - include_role:
 name: certificates
 vars:
 certificates:
- certs: "{{ {}|combine(nginx_certs, inventory_certs, recursive=True) }}"
+ certs: "{{ {}|combine(selfsigned_cert|from_yaml, nginx_certs, inventory_certs, recursive=True) }}"
+
+- debug:
+ verbosity: 1
+ var: nginx
 - name: install nginx
 apt: pkg=nginx
@@ -74,16 +79,7 @@
 src: "/etc/nginx/sites-available/{{ item.key }}"
 path: "/etc/nginx/sites-enabled/{{ item.key }}"
 state: link
- with_dict: "{{ nginx.vhosts }}"
- notify:
- - restart nginx
-
-- name: enable https redirect
- file:
- src: "/etc/nginx/sites-available/https-redirect"
- path: "/etc/nginx/sites-enabled/https-redirect"
- state: link
- when: nginx.force_ssl
+ with_dict: "{{ {}|combine((nginx_forcessl_vhost if nginx.force_ssl else {}), nginx.vhosts, recursive=True) }}"
 notify:
 - restart nginx
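Review bot: The listen flags in the new `nginx_forcessl_vhost` default are written as `nossl: True` and `ssl: False`, YAML 1.1 capitalised booleans that yamllint's truthy rule rejects and that break with the lowercase convention; write them as `nossl: true` and `ssl: false`. The `custom` entry `- return 301 https://$host$request_uri` carries no trailing `;`, so it only renders valid nginx config if the vhost template appends the terminator itself, which is not visible in this diff and is worth confirming with `nginx -t` on a rendered host. Note also that `$host` echoes the client-supplied Host header into the Location response; if this redirect vhost serves a known set of names, `$server_name` or an explicit hostname avoids redirecting users to a host the client chose, and `$host` is the right choice only when the block is meant to be a catch-all for arbitrary names.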
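Review bot: `selfsigned_cert` is built by string-interpolating `inventory_hostname` into hand-written YAML and re-parsing it with `|from_yaml` in the `certs` line below; an inventory name containing `'`, `:` or `#` breaks that parse at runtime, and the detour is unnecessary because Jinja can construct the mapping directly. Replace the fact with `selfsigned_cert: "{{ {inventory_hostname: {'backend': 'selfsigned'}} }}"` and drop `|from_yaml` from the combine call. The added `debug` task dumps the whole `nginx` structure at verbosity 1, which lands in CI logs; if vhost definitions can carry anything sensitive (not visible here), narrow `var` to the keys actually being debugged.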
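Review bot: This task now links `sites-enabled/{{ item.key }}` for the merged dict including `https-redirect`, while the static `files/config/sites-available/https-redirect` is deleted in the same commit, so the link is only valid if the task that renders `sites-available/{{ item.key }}` from the vhost template iterates the same merged dict; that task is outside this hunk and should be checked, otherwise the symlink dangles and `nginx -t` fails. The combine expression is long enough to drift if it is repeated in both tasks; compute it once with `set_fact: nginx_all_vhosts: "{{ {}|combine((nginx_forcessl_vhost if nginx.force_ssl else {}), nginx.vhosts, recursive=True) }}"` ahead of the template task and use `with_dict: "{{ nginx_all_vhosts }}"` here. `nginx.force_ssl` raises an undefined-variable error when the key is absent (the removed `when:` had the same dependency); `nginx.force_ssl|d(false)` makes the default explicit. The enclosing task's `name` and `file:` header start outside the hunk.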