vhost definition

handlers/main.yml

@@ -9,3 +9,4 @@
   service:
     name: nginx
     state: reloaded
+  listen: certificate changed

tasks/main.yml

@@ -10,6 +10,25 @@
 
 - name: default vhost
   template:
-    src: default-vhost.j2
+    src: default-vhost.conf.j2
     dest: /etc/nginx/sites-available/default
   notify: reload nginx
+
+- name: vhosts
+  template:
+    src: vhost.conf.j2
+    dest: /etc/nginx/sites-available/{{vhost.name}}
+  notify: reload nginx
+  with_items: "{{ nginx_vhosts }}"
+  loop_control:
+    loop_var: vhost
+
+- name: enable vhosts
+  file:
+    src: ../sites-available/{{vhost.name}}
+    dest: /etc/nginx/sites-enabled/{{vhost.name}}
+    state: link
+  notify: reload nginx
+  with_items: "{{ nginx_vhosts }}"
+  loop_control:
+    loop_var: vhost

tasks/setup_Debian.yml

@@ -6,7 +6,8 @@
     state: present
   with_items:
     - nginx
-    - nginx-full
+    - nginx-light
+    - ssl-cert
 
 - name: remove default page
   file:

templates/default-vhost.j2 → templates/default-vhost.conf.j2

@@ -1,7 +1,14 @@
 server {
+
         listen 80 default_server;
         listen [::]:80 default_server;
 
+        listen 443 ssl default_server;
+    	  listen [::]:443 ssl default_server;
+
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
         server_name _;
 
         return 404;
@@ -10,4 +17,5 @@ server {
                 default_type "text/plain";
                 root /var/www/letsencrypt-auto;
         }
+
 }

templates/nginx.conf.j2

@@ -20,7 +20,7 @@ http {
         types_hash_max_size 2048;
         server_tokens off;
 
-        server_names_hash_bucket_size 64;
+        server_names_hash_bucket_size 128;
         # server_name_in_redirect off;
 
         include /etc/nginx/mime.types;

templates/vhost.conf.j2

@@ -0,0 +1,53 @@
+server {
+
+  server_name {{ vhost.server_names | join(' ') }};
+
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  ssl_certificate     /etc/ssl/certs/{{ vhost.name }}.fullchain.pem;
+  ssl_certificate_key /etc/ssl/private/{{ vhost.name }}.key.pem;
+
+  charset utf-8;
+
+  {% if vhost.root is defined %}
+  root {{ vhost.root }};
+  {% endif %}
+
+  {% if vhost.try_files is defined %}
+  try_files {{ vhost.try_files }};
+  {% endif %}
+
+  {% if vhost.locations is defined %}
+  {% for loc in vhost.locations %}
+  location {{ loc.location }} {
+    {% if loc.proxy_pass is defined %}
+    proxy_pass {{ loc.proxy_pass }};
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    {% endif %}
+    {% if loc.alias is defined %}
+    alias {{ loc.alias }};
+    {% endif %}
+    {% if loc.try_files is defined %}
+    try_files {{ loc.try_files }};
+    {% endif %}
+    {% if loc.redirect is defined %}
+    return 301 {{ loc.redirect }};
+    {% endif %}
+  }
+  {% endfor %}
+  {% endif %}
+
+}
+
+server {
+
+  listen 80;
+  listen [::]:80;
+
+  server_name {{ vhost.server_names | join(' ') }};
+
+  return 301 https://$host$request_uri;
+
+}