move nginx folder logic into proxy

consolidate cert path

Author: Anandkumar Patel

ansible/group_vars/alpha-navi-proxy.yml

@@ -10,7 +10,6 @@ container_run_opts: >
   -p 0.0.0.0:443:443
   -p 0.0.0.0:80:80
   -v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-  -v /etc/nginx/sites-available/:/etc/nginx/sites-enabled/:ro
-  -v /etc/nginx/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
+  -v /etc/nginx/sites-enabled/:/etc/nginx/sites-enabled/:ro
   -v /etc/ssl/certs/{{ user_content_domain }}:/etc/ssl/certs/{{ user_content_domain }}:ro
   -v /var/log/nginx:/var/log/nginx

ansible/navi-proxy.yml

@@ -6,6 +6,6 @@
     - role: datadog
       has_dd_integration: yes
 
-    - role: content-domain-certs
+    - role: content-domain-proxy
 
     - role: container_kill_start

ansible/navi.yml

@@ -4,7 +4,6 @@
 - hosts: mongo-navi
 - hosts: rabbitmq
 - hosts: consul
-- hosts: userland
 
 - hosts: navi
   vars_files:

ansible/roles/content-domain-certs/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: make sure cert directory is in place
+  tags: [ configure_proxy, certs ]
+  become: true
+  file:
+    dest: /etc/ssl/certs/{{ user_content_domain }}
+    state: directory
+
+- name: put certs in place
+  tags: [ configure_proxy, certs ]
+  become: true
+  register: add_certs
+  copy:
+    src: "{{ user_content_domain }}/{{ item }}"
+    dest: /etc/ssl/certs/{{ user_content_domain }}/{{ item }}
+    mode: 0400
+    owner: root
+    group: root
+  with_items:
+  - ca.pem
+  - key.pem
+  - cert.pem
+
+- name: create chained cert
+  tags: [ configure_proxy, certs ]
+  become: true
+  when: add_certs.changed
+  shell: >
+    cat
+    /etc/ssl/certs/{{ user_content_domain }}/cert.pem
+    /etc/ssl/certs/{{ user_content_domain }}/ca.pem
+    >
+    /etc/ssl/certs/{{ user_content_domain }}/chained.pem
+
+- name: create dhparam.pem
+  tags: [ configure_proxy, certs ]
+  become: yes
+  command: openssl dhparam -out /etc/ssl/certs/{{ user_content_domain }}/dhparam.pem 2048
+
+- name: make sure nginx directory is in place
+  tags: [ configure_proxy ]
+  become: true
+  file:
+    dest: /etc/nginx
+    state: directory
+
+
+- name: assert nginx sites-enabled directory
+  tags: [ configure_proxy ]
+  become: yes
+  file:
+    state: directory
+    dest: /etc/nginx/sites-enabled
+
+- name: put nginx configuration in place
+  tags: [ configure_proxy ]
+  become: yes
+  template:
+    src: proxy-nginx.conf
+    dest: /etc/nginx/nginx.conf

ansible/roles/content-domain-proxy/tasks/main.yml

@@ -15,75 +15,21 @@
   register: proxy_target_ports
 
 # everything from this point on is delegated to the nginx host
-- name: put dhparam in place
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy ]
-  become: yes
-  command: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
-
-- name: print target ports
+- name: print target info
   delegate_to: "{{ nginx_host }}"
   tags: [ configure_proxy, deploy ]
   debug:
     msg: |
       proxy target ports -- {{ proxy_target_ports }}
-
-- name: print target IP address
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  debug:
-    msg: ip -- {{ target_ip_address }}
-
-- name: assert nginx config directory
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  become: yes
-  file:
-    state: directory
-    dest: /etc/nginx
-
-- name: assert nginx sites-available directory
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  become: yes
-  file:
-    state: directory
-    dest: /etc/nginx/sites-available
-
-- name: assert nginx sites-enable directory
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  become: yes
-  file:
-    state: directory
-    dest: /etc/nginx/sites-enable
-
-- name: put nginx configuration in place
-  when: nginx_config is defined and nginx_config == "proxy"
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  become: yes
-  template:
-    src: "{{ nginx_config }}-nginx.conf"
-    dest: /etc/nginx/nginx.conf
+      ip -- {{ target_ip_address }}
 
 - name: put configuration in place
   delegate_to: "{{ nginx_host }}"
   tags: [ configure_proxy, deploy ]
   become: yes
   template:
     src: "{{ item }}"
-    dest: /etc/nginx/sites-available/{{ item }}
-  with_items: "{{ templates }}"
-
-- name: link configuration to enable
-  delegate_to: "{{ nginx_host }}"
-  tags: [ configure_proxy, deploy ]
-  become: yes
-  file:
-    state: link
     dest: /etc/nginx/sites-enabled/{{ item }}
-    src: /etc/nginx/sites-available/{{ item }}
   with_items: "{{ templates }}"
 
 - name: reload nginx

…oxied-service/templates/proxy-nginx.conf …-domain-proxy/templates/proxy-nginx.confansible/roles/nginx-proxied-service/templates/proxy-nginx.conf renamed to ansible/roles/content-domain-proxy/templates/proxy-nginx.conf ansible/roles/nginx-proxied-service/templates/proxy-nginx.conf renamed to ansible/roles/content-domain-proxy/templates/proxy-nginx.conf

@@ -38,14 +38,14 @@ server {
   ssl_certificate /etc/ssl/certs/{{ user_content_domain }}/chained.pem;
   ssl_certificate_key /etc/ssl/certs/{{ user_content_domain }}/key.pem;
   ssl_trusted_certificate /etc/ssl/certs/{{ user_content_domain }}/ca.pem;
+  ssl_dhparam /etc/ssl/certs/{{ user_content_domain }}/dhparam.pem;
 
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 10m;
 
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_prefer_server_ciphers on;
-  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
   ssl_stapling on;
   ssl_stapling_verify on;