From f1f28a80f102de8700adbb2052343c56d57b9814 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Fri, 14 May 2021 22:45:51 +0200
Subject: [PATCH] Change how certificates are installed
---
 roles/nginx/tasks/main.yml | 31 ++++++++++++++++++++++-----
 roles/nginx/tasks/self-signed.yml | 35 +++++++++++++++++--------------
 2 files changed, 45 insertions(+), 21 deletions(-)
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 552df97..cc55864 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,11 +1,17 @@
+# If self_signed = true, in nginx/files: generate root CA (if regenereate_root_ca = true),
+# and sign a wildcard certificate. Copy certificates to /etc/ssl/.
 - name: ensure directories exist
 file:
 path: "{{ item }}"
 state: directory
 mode: '0755'
 loop:
- - "{{ nginx_confd_folder }}"
-- name: generate and install self-signed certs
+ - "{{ data_folder }}/nginx"
+ - "{{ data_folder }}/nginx/conf.d"
+ - "{{ data_folder }}/nginx/sites-enabled"
+ - "{{ data_folder }}/nginx/sites-available"
+ - "{{ data_folder }}/nginx/snippets"
+- name: generate self-signed certs
 import_tasks: self-signed.yml
 when: self_signed
 - name: create nginx bridge network
@@ -14,6 +20,18 @@
 attachable: true
 internal: true
 state: present
+- name: copy nginx.conf
+ template:
+ src: nginx.conf.j2
+ dest: "{{ data_folder }}/nginx/nginx.conf"
+ mode: '0755'
+- name: copy snippets
+ template:
+ src: "{{ item }}"
+ dest: "{{ data_folder }}/nginx/snippets/{{ item | basename | regex_replace('.j2$', '') }}"
+ mode: '0755'
+ with_fileglob:
 - "../templates/snippets/*.conf"
 - name: run container
 docker_container:
 name: 'nginx'
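Review bot: The header comment added at the top of main.yml refers to a flag `regenereate_root_ca` that nothing in this patch defines; the guards in self-signed.yml are `when: generate_cert.root` and `when: generate_cert.wildcard`, so the comment sends readers to the wrong variable, quite apart from the typo. It also says the certificates are copied to /etc/ssl/, whereas the new copy task writes them to `{{ data_folder }}/nginx` and only the container bind-mount presents them under /etc/ssl. Suggested wording: `# If self_signed is true: generate a root CA in roles/nginx/files (when generate_cert.root), sign a wildcard cert with it (when generate_cert.wildcard), then copy cert and key to {{ data_folder }}/nginx, which the container mounts at /etc/ssl/.`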
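Review bot: In the `copy snippets` task the `regex_replace('.j2$', '')` filter in `dest` can never match, because `with_fileglob` only selects `../templates/snippets/*.conf`; either the glob should be `*.conf.j2` so the templates keep the conventional suffix and the filter strips it, or the filter is dead and should be dropped (if kept, the dot should be escaped: `regex_replace('\.j2$', '')`). Separately, `mode: '0755'` on nginx.conf and on each rendered snippet sets the execute bit on plain configuration files; `mode: '0644'` is what nginx needs and is the usual mode for these, in both the `copy nginx.conf` and `copy snippets` tasks of this hunk.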
@@ -22,10 +40,13 @@
 - name: bridge
 - name: nginx-internal
 volumes:
+ - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
 - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
- - "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/nginx/{{ base_domain }}.key"
- - "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/nginx/{{ base_domain }}.crt"
- - "{{ nginx_confd_folder }}:/etc/nginx/conf.d"
+ - "{{ data_folder }}/nginx/sites-available:/etc/nginx/sites-available"
+ - "{{ data_folder }}/nginx/sites-enabled:/etc/nginx/sites-enabled"
+ - "{{ data_folder }}/nginx/snippets:/etc/nginx/snippets"
+ - "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key"
+ - "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/ssl/{{ base_domain }}.crt"
 ports:
 - "80:80"
 - "443:443"
diff --git a/roles/nginx/tasks/self-signed.yml b/roles/nginx/tasks/self-signed.yml
index 9192a96..3b0c028 100644
--- a/roles/nginx/tasks/self-signed.yml
+++ b/roles/nginx/tasks/self-signed.yml
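Review bot: The new bind mounts for the private key, the certificate, the sites-* directories and the snippets are read-write by default, so a process inside the nginx container can alter the host-side key and configuration; nginx only reads these, so appending `:ro` to each mount keeps them immutable from the container's side, e.g. `- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key:ro"`. The conf.d mount added at the top of the hunk can take the same suffix. The docker_container task starts before this hunk and its remaining options continue after it.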
@@ -4,34 +4,37 @@
 -new \
 -nodes \
 -newkey rsa:2048 \
- -keyout "{{ data_folder }}/nginx/rootca.key" \
- -out "{{ data_folder }}/nginx/rootca.pem" \
+ -keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
+ -out "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
 -sha256 \
 -days 3650 \
 -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
+ when: generate_cert.root
 - name: generate wildcard csr
 command: openssl req \
 -new \
 -nodes \
 -newkey rsa:2048 \
- -keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
- -out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
+ -keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key" \
+ -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
 -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
+ when: generate_cert.wildcard
 - name: sign wildcard csr with root ca
 command: openssl x509 \
 -req \
- -in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
- -CA "{{ data_folder }}/nginx/rootca.pem" \
- -CAkey "{{ data_folder }}/nginx/rootca.key" \
+ -in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
+ -CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
+ -CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
 -CAcreateserial \
- -out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
+ -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt" \
 -days 3650 \
 -sha256
-- name: install root ca
- command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
- become: yes
-- name: copy .conf file
- template:
- src: nginx.conf.j2
- dest: "{{ data_folder }}/nginx/nginx.conf"
- mode: '0755'
\ No newline at end of file
+ when: generate_cert.wildcard
+- name: copy wildcard certificate and key
+ copy:
+ src: "{{ item }}"
+ dest: "{{ data_folder }}/nginx/{{ item }}"
+ mode: '0700'
+ loop:
+ - "{{ base_domain }}.crt"
+ - "{{ base_domain }}.key"
\ No newline at end of file
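Review bot: The changed `-keyout` paths now write `rootca.key` and `{{ base_domain }}.key` (and `-CAcreateserial` adds a `rootca.srl` beside the CA cert) into `{{ playbook_dir }}/roles/nginx/files`, i.e. into the role's own source tree; if that tree is under version control, the CA and wildcard private keys can be committed by accident, so `*.key`, `*.csr` and `*.srl` in roles/nginx/files should be excluded (a `.gitignore` there) or the keys kept outside the repository, and the commit should say which is intended. In the new `copy wildcard certificate and key` task, `mode: '0700'` is a directory-style mode applied to regular files; the key wants `0600` and the certificate is public and can be `0644`, e.g. `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"`. The `generate root ca` task that the first context lines belong to starts before this hunk.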