bitcoiner.social/ansible/playbooks/group_tasks/certbot/tasks/nginx_conf.yml

---
- name: Configure nginx for certbot challenge and TLSv1.2 for {{ acme_domain.domains[0] }}
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
    allow_duplicates: true
  tags: nginx
  become: yes
  vars:
    nginx_config_dhparam: /etc/ssl/dhparams.pem
    nginx_config_http_template_enable: true
    nginx_config_http_template:
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/acme_{{ acme_domain.domains[0] }}.conf"
        backup: false
        config:
          core:
            server_name: "{{ acme_domain.domains[0] }}"
          ssl:
            certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/fullchain.pem"
            certificate_key: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/privkey.pem"
            trusted_certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/chain.pem"
            ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
            dhparam: "{{ nginx_config_dhparam }}"
            ecdh_curve: X25519:secp521r1:secp384r1
            prefer_server_ciphers: true
            protocols:
              - TLSv1.2
              - TLSv1.3
            session_cache:
              shared:
                name: "{{ acme_domain.domains[0] }}"
                size: 1M
            session_tickets: false
            session_timeout: 1d
            ocsp: true
            ocsp_cache:
              name: cache
              size: 64k
            stapling: true
            stapling_verify: true
            ocsp_responder: http://r3.o.lencr.org
          headers:
            add_headers:
              - name: Strict-Transport-Security
                value: '"max-age=7776000"' 
                always: true
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/http_{{ acme_domain.domains[0] }}.conf"
        backup: false
        config:
          servers:
            - core:
                server_name: "{{ acme_domain.domains[0] }}"
                listen:
                  - address: "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}:80"
              log:
                access:
                  - off
              locations:
                - location: /
                  rewrite: # https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite
                    return:
                      url: "https://{{ acme_domain.domains[0] }}$request_uri"
                      code: 301
                - location: /.well-known/acme-challenge/
                  core:
                    alias: /var/www/html/.well-known/acme-challenge/
                    try_files:
                      files: $uri
                      code: =404
Initialize newly refactored infra repo. 2024-06-15 17:09:21 +00:00			`---`
			`- name: Configure nginx for certbot challenge and TLSv1.2 for {{ acme_domain.domains[0] }}`
			`ansible.builtin.import_role:`
			`name: nginx_core.nginx_config`
			`allow_duplicates: true`
			`tags: nginx`
			`become: yes`
			`vars:`
			`nginx_config_dhparam: /etc/ssl/dhparams.pem`
			`nginx_config_http_template_enable: true`
			`nginx_config_http_template:`
			`- template_file: http/default.conf.j2`
			`deployment_location: "/etc/nginx/acme_{{ acme_domain.domains[0] }}.conf"`
			`backup: false`
			`config:`
			`core:`
			`server_name: "{{ acme_domain.domains[0] }}"`
			`ssl:`
			`certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/fullchain.pem"`
			`certificate_key: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/privkey.pem"`
			`trusted_certificate: "/etc/letsencrypt/live/{{ acme_domain.domains[0] }}/chain.pem"`
			`ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
			`dhparam: "{{ nginx_config_dhparam }}"`
			`ecdh_curve: X25519:secp521r1:secp384r1`
			`prefer_server_ciphers: true`
			`protocols:`
			`- TLSv1.2`
			`- TLSv1.3`
			`session_cache:`
			`shared:`
			`name: "{{ acme_domain.domains[0] }}"`
			`size: 1M`
			`session_tickets: false`
			`session_timeout: 1d`
			`ocsp: true`
			`ocsp_cache:`
			`name: cache`
			`size: 64k`
			`stapling: true`
			`stapling_verify: true`
			`ocsp_responder: http://r3.o.lencr.org`
			`headers:`
			`add_headers:`
			`- name: Strict-Transport-Security`
			`value: '"max-age=7776000"'`
			`always: true`
			`- template_file: http/default.conf.j2`
			`deployment_location: "/etc/nginx/conf.d/http_{{ acme_domain.domains[0] }}.conf"`
			`backup: false`
			`config:`
			`servers:`
			`- core:`
			`server_name: "{{ acme_domain.domains[0] }}"`
			`listen:`
			`- address: "{{ ansible_default_ipv4.address\|default(ansible_all_ipv4_addresses[0]) }}:80"`
			`log:`
			`access:`
			`- off`
			`locations:`
			`- location: /`
			`rewrite: # https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite`
			`return:`
			`url: "https://{{ acme_domain.domains[0] }}$request_uri"`
			`code: 301`
			`- location: /.well-known/acme-challenge/`
			`core:`
			`alias: /var/www/html/.well-known/acme-challenge/`
			`try_files:`
			`files: $uri`
			`code: =404`