@charypar
Last active August 25, 2022 16:43
Deploying SSL keys securely with Ansible (code)
Certificate variables consumed by the https role tasks:

```yaml
---
ssl_certificates:
  - certificate_src: secure.example.com.pem
    certificate_dest: /etc/ssl/certs/secure.example.com.pem
    key_src: secure.example.com.protected.key
    key_dest: /etc/ssl/private/secure.example.com.protected.key
    # Path of the unencrypted (stripped) key. It must be the same path the
    # matching ssl_virtual_hosts entry uses as `key:`, so it is
    # secure.example.com with dots, not secure_example.com.
    key_stripped: /etc/ssl/private/secure.example.com.key
    key_password: "{{ ssl_passphrase }}"
```
The nginx virtual host template (the file the tasks below reference as nginx-ssl-vhost.conf):

```nginx
server {
    # `listen 443 ssl;` replaces the deprecated `ssl on;` directive
    listen 443 ssl;
    server_name {{item.hostname}};
    ssl_certificate {{item.certificate}};
    ssl_certificate_key {{item.key}};

    location / {
        proxy_pass http://127.0.0.1:{{item.port}};
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
nginx tasks that render and enable the virtual hosts (they notify a `restart nginx` handler that is not part of this gist):

```yaml
---
- name: Add SSL virtual hosts
  template: src=nginx-ssl-vhost.conf dest=/etc/nginx/sites-available/{{item.hostname}}_ssl
  # bare variable names in with_items are no longer accepted; quote and template them
  with_items: "{{ ssl_virtual_hosts }}"
  become: yes   # `sudo: yes` was removed from modern Ansible; become is the replacement
  notify: restart nginx
  tags: nginx

- name: Enable SSL virtual hosts
  file: state=link
        src=/etc/nginx/sites-available/{{item.hostname}}_ssl
        path=/etc/nginx/sites-enabled/{{item.hostname}}_ssl
        owner=nginx
  with_items: "{{ ssl_virtual_hosts }}"
  become: yes
  notify: restart nginx
  tags: nginx
```
The playbook, which prompts for the passphrase once per run so it never has to be stored on disk:

```yaml
---
- hosts: webservers
  remote_user: "{{ user }}"   # `user:` at play level is the old spelling of remote_user
  roles:
    - role: https
  vars_prompt:
    - name: ssl_passphrase
      prompt: "Enter SSL Certificate Passphrase"
      # private: yes stops the passphrase from being echoed to the terminal as it is typed
      private: yes
```
Tasks of the https role: create the ssl-cert group and directories, copy the certificate and the passphrase-protected key, then strip the passphrase on the target so nginx can start unattended:

```yaml
---
- name: ssl-cert group
  group: name=ssl-cert state=present
  become: yes
  tags: ssl

- name: Make sure nginx user is in ssl-cert
  # append=yes keeps any groups the nginx user already belongs to
  user: name=nginx groups=www-data,ssl-cert append=yes
  become: yes
  tags: nginx

- name: ssl certs dir
  # modes carry a leading zero so they are read as octal, not decimal
  file: path=/etc/ssl/certs mode=0755 state=directory owner=root
  become: yes
  tags: ssl

- name: ssl private dir
  # root-only is enough: the nginx master process reads the key as root
  file: path=/etc/ssl/private mode=0700 state=directory owner=root
  become: yes
  tags: ssl

- name: copy the certificate
  copy: src={{item.certificate_src}} dest={{item.certificate_dest}} mode=0644 group=ssl-cert
  with_items: "{{ ssl_certificates }}"
  become: yes
  tags: ssl
  notify: restart nginx

- name: copy the key
  copy: src={{item.key_src}} dest={{item.key_dest}} mode=0640 group=ssl-cert
  with_items: "{{ ssl_certificates }}"
  become: yes
  tags: ssl

- name: strip ssl keys
  # no_log keeps the passphrase out of Ansible's output and log files. Note that
  # `-passin pass:` still shows it in the process list on the target while openssl
  # runs, and that the command module splits arguments on whitespace, so a
  # passphrase containing spaces breaks this task.
  command: openssl rsa -in {{item.key_dest}} -out {{item.key_stripped}} -passin pass:{{item.key_password}} creates={{item.key_stripped}}
  no_log: yes
  become: yes
  with_items: "{{ ssl_certificates }}"
  tags: ssl
  notify: restart nginx

- name: restrict permissions on the stripped key
  # openssl writes the output file under the default umask (typically 0644), so
  # the unencrypted key must be tightened to the same mode as the protected one
  file: path={{item.key_stripped}} mode=0640 owner=root group=ssl-cert
  with_items: "{{ ssl_certificates }}"
  become: yes
  tags: ssl
```
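The "strip ssl keys" step done by hand, as an added example that is not part of the gist: the passphrase is read from the environment instead of the command line (so it never appears in `ps` output or shell history), the plaintext key is written under a 077 umask to a temporary file and renamed into place, and a second function checks that the stripped key really belongs to the certificate before nginx is ever pointed at it. `SSL_PASSPHRASE`, `strip_key` and `key_matches_cert` are this example's own names; it assumes only a POSIX shell and the `openssl` command line tool.

```shell
#!/bin/sh
# Added example: passphrase removal and key/certificate consistency check for a
# deployed TLS key. SSL_PASSPHRASE, strip_key and key_matches_cert are names
# invented here, not taken from the gist.

# strip_key ENCRYPTED_KEY STRIPPED_KEY [GROUP]
# The passphrase comes from $SSL_PASSPHRASE, never from argv. Idempotent, like
# the Ansible task's `creates=`: an existing STRIPPED_KEY is left untouched.
# The body runs in a subshell, so `umask` and `exit` only affect this call.
strip_key() (
    src="$1"; dst="$2"; grp="${3:-}"
    if [ -z "${SSL_PASSPHRASE:-}" ]; then
        echo "strip_key: SSL_PASSPHRASE is not set" >&2
        exit 1
    fi
    export SSL_PASSPHRASE            # openssl reads it via -passin env:
    [ -e "$dst" ] && exit 0
    umask 077                        # plaintext key is never world-readable, not even briefly
    tmp="$dst.tmp.$$"
    if ! openssl rsa -in "$src" -out "$tmp" -passin env:SSL_PASSPHRASE 2>/dev/null; then
        rm -f "$tmp"
        echo "strip_key: openssl failed (wrong passphrase or unreadable input)" >&2
        exit 1
    fi
    # The result must parse as a valid, now unencrypted, RSA key.
    if ! openssl rsa -in "$tmp" -check -noout >/dev/null 2>&1; then
        rm -f "$tmp"
        exit 1
    fi
    if [ -n "$grp" ] && ! chgrp "$grp" "$tmp"; then
        rm -f "$tmp"
        exit 1
    fi
    # Same mode the gist uses for the protected key; mv is atomic on one filesystem.
    chmod 0640 "$tmp" && mv "$tmp" "$dst"
)

# key_matches_cert KEY CERT
# Succeeds only if the public key derived from KEY is byte-identical to the
# public key embedded in CERT. Run this before reloading nginx.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

From Ansible the same functions can be driven with the `script` module, passing the passphrase through the task's `environment:` keyword together with `no_log: yes`, so it reaches the target without ever being part of the command line.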
Virtual host variables consumed by the nginx tasks:

```yaml
---
ssl_virtual_hosts:
  - hostname: secure.example.com
    port: 3000
    certificate: /etc/ssl/certs/secure.example.com.pem
    key: /etc/ssl/private/secure.example.com.key
```