Chapter 3

files/nginx.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIULJrcR7o2C6LlIK/TiUcDJX+i8QcwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTExOTA3NTkyM1oXDTI1MTEx
+OTA3NTkyM1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuz0AxbZ9inpAQB29+zWZ6e0g391ROI8vNevl/0s3Bhfj
+fGgV44soSNHdj+iYLMMnBRfzGMNpgcD+MaoJc8O2aOxGYPpTFW3JHTN022pfvCos
+6vt3k24kIRrATDHi94tCodeQbyu18llDcHGuO01cTJbtOnTyNCnwNbfA4Vf7apkr
+QPKehltViurzmfpudanztEAl8cfq3TZ/ky2U8+MTACmEsdGrVvBDv/22nwX+zxye
+JFbusCoRfBWIXVyJBBe65esA1LdvodV0uFjrJ/N/JfoFs7AIagGNbkqBwHmsErNG
+C2yRIogORVzMc5pvJOFvRbx2sJZZY34a1EFV1/DAQQIDAQABo1MwUTAdBgNVHQ4E
+FgQUQ0Hapxg3qvEjr9nsxxN38uBStY8wHwYDVR0jBBgwFoAUQ0Hapxg3qvEjr9ns
+xxN38uBStY8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjFnd
+GpVuOfMZgpstJ+LJmAjfAuZeFIEyToN6T/ZlqegMVa4s8HNW1o3b/sT/lCc36lSN
+peRh+dgg+lEcX1zz+9Q9bzWuDJ7lig9SHwEF6fEF68ilVYjqowj7reBam0pL93I+
+GtzKo2ruCV5caEuFHyXfhV1pkMEuhsI+WRX6NzDqXPMyVIDZI8fLhN917IBjsUgc
+o8wli3SKJhNl6P7tX+xH2xx8S4vsm54zwKu5zGK6dlDBildv6krMlnJWpbpV0yqz
+mKScUjHLI6zz82QNwnlXXC8AEzTAR3i3opnQgA5ecgz9E8ZO618A5RZ445HCtZEw
+1FEhCqDEasz0MFGS3w==
+-----END CERTIFICATE-----

files/nginx.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7PQDFtn2KekBA
+Hb37NZnp7SDf3VE4jy816+X/SzcGF+N8aBXjiyhI0d2P6JgswycFF/MYw2mBwP4x
+qglzw7Zo7EZg+lMVbckdM3Tbal+8Kizq+3eTbiQhGsBMMeL3i0Kh15BvK7XyWUNw
+ca47TVxMlu06dPI0KfA1t8DhV/tqmStA8p6GW1WK6vOZ+m51qfO0QCXxx+rdNn+T
+LZTz4xMAKYSx0atW8EO//bafBf7PHJ4kVu6wKhF8FYhdXIkEF7rl6wDUt2+h1XS4
+WOsn838l+gWzsAhqAY1uSoHAeawSs0YLbJEiiA5FXMxzmm8k4W9FvHawllljfhrU
+QVXX8MBBAgMBAAECggEAB1O8riAFM2gzj7bCPpyDPofeqZgG88ZJqAvoUxhZycGh
+T7bghWgmjkv1JkqpOtYztpOwegt6m17mq6Geb1LtNleprOWa3vut+zguZmA4KRxC
+5/qpfCHbJNb/x7OLkNmYpM3zW2Bb5UUYOiQet/gf6Kje1XLqX/90pJuBXygi4PHW
+asT2Px2D//UPyj7cyagYRkUp66sWMXxftIiKiUs6/iXKCAoIsWD4p2m2EEh8SQGf
+e1t2pZ6FeqTtIuFQys9vNxIokxa5WYy226gCw4tiO8NWU5AAHHRBXqn0W/oAxbDG
+Bu79Hk9XPL1taKdl3dh3KZUHmRtH3UoVhB/lN1snWQKBgQD/+tkQ7eGgjREpH57p
+77jBqE7lvOh53+3yw47mJH4bAUV3dfvby0h4GkSDOT1+HljJmwn1rts8UGxqye6a
+L2/yKFQeZ/aK2FnUnzqydK72A/yCsAoWUiZd1wM0GD+V1VFd7OWwh9OIwPDZDpiF
+rsaG0PjOqDVOTnyzf7SP6j9teQKBgQC7QMWEDhyWtiYtnj1rMSto4tXX/8SdvSFN
+RcggQlj5Z8K7QvDZ5eanVkfLpemWCkzFgMJSn1fU5FlRs3nxqbkJtc24icvRTq+U
+CGlOawItgjWZ+5e0PAd5N0tkxbMuQ7dnziujErepQdNWK6SXTEXBPBXApk5OF2s0
++bKoe0ZfCQKBgQCiShmAwDCCJ62vktqfmlpafSi4QtJpIm2rsgxRIOXKnT27hVPO
+f81MR+sT/yBba0YDW4Yu+1MHpD14Xtolatngf20Fcgg+8vfQ87q1FYEvfEuFV7Kt
+gBvO9tiTGKSHjBzwHZdqGlMkqp6IHtbYOnynUKnN65sQMHajHt4NOAhKkQKBgQCC
+4s5s9LQ1AFMFVfNWZsMSCGQzG/thyp5pddph+h5ZDpcF78+Mb29fDicXCPySPNbW
+wp6RxAFPtOFeA1a8fcbyK5sFX4QQ5LBDh/Gbt56JEtfGrx6mA8Oxjd3sLWiGcRzU
+uT61ONMZwwIm3FCq1Mx5Ojd2NojLewEbwWGI9MoGiQKBgG/82qSc6MdFhyNBtpgv
+SzNtAqI6x2t+CqipXVpMFSa/NxeQvfwavrFCfF1EMZ2nWjvxEvhtI2VevFjhEJfr
+lymufqsehJDUGbXzJc3jdpudiRTh9dSXGivAeh+JYynsAsD10DhW/qXQAVc2UVYE
+KsU7yI4Q/koSvd5iymKGC26K
+-----END PRIVATE KEY-----

templates/nginx.conf.j2

@@ -0,0 +1,18 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+ listen 443 ssl;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ root /usr/share/nginx/html;
+ index index.html;
+ server_tokens off;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ server_name {{ server_name }};
+ ssl_certificate {{ tls_dir }}{{ cert_file }};
+ ssl_certificate_key {{ tls_dir }}{{ key_file }};
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}

webserver-tls.yml

@@ -0,0 +1,74 @@
+- name: Configure webserver with Nginx and TLS
+  hosts: webservers
+  become: true
+  gather_facts: false
+  vars:
+    tls_dir: /etc/nginx/ssl/
+    key_file: nginx.key
+    cert_file: nginx.crt
+    conf_file: /etc/nginx/sites-available/default
+    server_name: Test01
+
+  handlers:
+    - name: Restart nginx
+      service:
+        name: nginx
+        state: restarted
+
+  tasks:
+    - name: Ensure nginx is installed
+      package:
+        name: nginx
+        update_cache: true
+      notify: Restart nginx
+
+    - name: Create directories for TLS certificates
+      file:
+        path: "{{ tls_dir }}"
+        state: directory
+        mode: '0750'
+      notify: Restart nginx
+
+    - name: Copy TLS files
+      copy:
+        src: "{{ item }}"
+        dest: "{{ tls_dir }}"
+        mode: '0600'
+      loop:
+        - "{{ key_file }}"
+        - "{{ cert_file }}"
+      notify: Restart nginx
+
+    - name: Manage nginx config template
+      template:
+        src: nginx.conf.j2
+        dest: "{{ conf_file }}"
+        mode: '0644'
+      notify: Restart nginx
+
+    - name: Enable configuration
+      file:
+        src: /etc/nginx/sites-available/default
+        dest: /etc/nginx/sites-enabled/default
+        state: link
+
+    - name: Install home page
+      template:
+        src: index.html.j2
+        dest: /usr/share/nginx/html/index.html
+        mode: '0644'
+
+    - name: Restart nginx
+      meta: flush_handlers
+
+    - name: "Test it! https://localhost:8443/index.html"
+      delegate_to: localhost
+      become: false
+      uri:
+        url: 'https://localhost:8443/index.html'
+        validate_certs: false
+        return_content: true
+      register: this
+      failed_when: "'Running on ' not in this.content"
+      tags:
+        - test

webserver.yml

@@ -2,11 +2,12 @@
 - name: Configure webserver with nginx
   hosts: webservers
   become: true
+  vars:
   tasks:
       - name: Ensure nginx is installed
         package:
           name: nginx
-      update_cache: yes
+          update_cache: true
 
       - name: Copy nginx config file
         copy: