child 83:c57344d0b80a
parent 81:c67e1a77c996
82:42c94c347db5
Anton Shestakov <av6@dwimlabs.net>, Wed, 06 Apr 2016 13:26:28 +0800
provision: configurable ssl certificate and key file paths

3 файлов изменено, 18 вставок(+), 11 удалений(-) [+]
provision/roles/fruitbar/tasks/main.yml file | annotate | diff | comparison | revisions
provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar file | annotate | diff | comparison | revisions
provision/roles/fruitbar/vars/main.yml file | annotate | diff | comparison | revisions
--- a/provision/roles/fruitbar/tasks/main.yml Wed Apr 06 13:23:50 2016 +0800
+++ b/provision/roles/fruitbar/tasks/main.yml Wed Apr 06 13:26:28 2016 +0800
@@ -23,17 +23,22 @@
notify:
- reload supervisor
-- stat: path=/etc/ssl/local/fruitbar.{{ umbrella }}.pem
- register: project_pemfile
+- stat: path='{{ ssl_cert }}'
+ register: certfile
-- stat: path=/etc/ssl/local/fruitbar.{{ umbrella }}.clean.key
- register: project_keyfile
+- stat: path='{{ ssl_key }}'
+ register: keyfile
- name: Extract information for HPKP header
- shell: openssl rsa -in /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+ shell: >
+ openssl x509 -pubkey -noout -in '{{ ssl_cert }}'
+ | openssl pkey -pubin -outform der
+ | openssl dgst -sha256 -binary
+ | openssl enc -base64
register: hpkpinfo
- when: project_pemfile.stat.exists and project_keyfile.stat.exists
+ when: certfile.stat.exists and keyfile.stat.exists
always_run: yes
+ changed_when: false
failed_when: "'unable' in hpkpinfo.stderr"
- name: Add Nginx site
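Review bot: The rewritten pipeline in the "Extract information for HPKP header" task is only declared failed when `unable` appears in stderr; because the task runs under the default `/bin/sh`, the exit status is that of the last `openssl enc` stage, so if `openssl x509` fails for any reason whose message does not contain that word, `openssl dgst` hashes empty input and `hpkpinfo.stdout` ends up holding a well-formed but meaningless pin. Running the pipeline under bash with `pipefail` and adding `hpkpinfo.rc` to `failed_when` makes the failure explicit regardless of wording; `{{ ssl_cert | quote }}` also replaces the hand-written single quotes, which would break on a path containing `'`. The two `stat` tasks use `key=value` argument strings (`path='{{ ssl_cert }}'`); native YAML arguments, `path: "{{ ssl_cert }}"`, are the Ansible convention and avoid a second layer of quoting. The task list continues past the end of this hunk.
```yaml
- name: Extract information for HPKP header
  shell: >
    set -o pipefail &&
    openssl x509 -pubkey -noout -in {{ ssl_cert | quote }}
    | openssl pkey -pubin -outform der
    | openssl dgst -sha256 -binary
    | openssl enc -base64
  args:
    executable: /bin/bash
  register: hpkpinfo
  # … unchanged: when / always_run / changed_when …
  failed_when: hpkpinfo.rc != 0 or 'unable' in hpkpinfo.stderr
```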
--- a/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Wed Apr 06 13:23:50 2016 +0800
+++ b/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Wed Apr 06 13:26:28 2016 +0800
@@ -2,7 +2,7 @@
server unix:/home/{{ user }}/webapps/fruitbar/socket fail_timeout=0;
}
-{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
+{% if certfile.stat.exists and keyfile.stat.exists %}
server {
server_name fruitbar.{{ umbrella }};
@@ -19,7 +19,7 @@
server {
server_name fruitbar.{{ umbrella }};
-{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
+{% if certfile.stat.exists and keyfile.stat.exists %}
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
{% else %}
@@ -27,9 +27,9 @@
listen [::]:80;
{% endif %}
-{% if project_pemfile.stat.exists and project_keyfile.stat.exists %}
- ssl_certificate /etc/ssl/local/fruitbar.{{ umbrella }}.pem;
- ssl_certificate_key /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key;
+{% if certfile.stat.exists and keyfile.stat.exists %}
+ ssl_certificate {{ ssl_cert }};
+ ssl_certificate_key {{ ssl_key }};
ssl_dhparam /etc/nginx/dh-2048.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:1m;
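Review bot: Now that `ssl_cert` and `ssl_key` are overridable, a mistyped path makes `certfile.stat.exists` false and the third `{% if certfile.stat.exists and keyfile.stat.exists %}` branch silently renders the plain `listen 80` server instead of the TLS one, so a configuration error downgrades the site to cleartext rather than failing the play; an `assert` task in tasks/main.yml on the two stat results (or an explicit opt-in variable for the HTTP-only fallback) would make a missing certificate loud. The same condition is repeated three times in this template; computing it once at the top with `{% set have_ssl = certfile.stat.exists and keyfile.stat.exists %}` and testing `have_ssl` keeps the three branches from drifting apart. Visible only as context, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which is worth a follow-up but is not something this commit changes. Each `server { … }` block here starts and ends outside the hunks shown.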
--- a/provision/roles/fruitbar/vars/main.yml Wed Apr 06 13:23:50 2016 +0800
+++ b/provision/roles/fruitbar/vars/main.yml Wed Apr 06 13:26:28 2016 +0800
@@ -1,4 +1,6 @@
---
user: projects
site_order: 50
+ssl_cert: /etc/ssl/local/fruitbar.{{ umbrella }}.pem
+ssl_key: /etc/ssl/local/fruitbar.{{ umbrella }}.clean.key
...
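Review bot: `ssl_cert` and `ssl_key` are added to `vars/main.yml`, and role vars rank above inventory, `host_vars`, `group_vars` and play vars in Ansible's precedence order, so the "configurable" paths from the commit title can in practice only be overridden via extra vars, `set_fact`, `include_vars` or role parameters; `defaults/main.yml` is where overridable values belong. Both values are plain scalars starting with `/`, so the embedded `{{ umbrella }}` parses correctly, but quoting templated values, `ssl_cert: "/etc/ssl/local/fruitbar.{{ umbrella }}.pem"`, is the usual Ansible convention and keeps them stable under reformatting. The `.clean.key` suffix presumably denotes an unencrypted key; since nginx cannot prompt for a passphrase when loading `ssl_certificate_key`, a short comment stating that requirement above `ssl_key` would help whoever points it at a different file.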