From cd7baca5d8feaf146279c543f4b8f1cff91e00a8 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Mon, 3 Jul 2017 14:59:38 +0200
Subject: [PATCH] library/roles/nginx: handle the certificates paths when not
 using letsencrypt without duplicating files. d4science-ghn-cluster: cleanup
 the couchbase web console configuration.

---
 nginx/defaults/main.yml                      |  3 +++
 nginx/templates/nginx-server-selfssl.conf.j2 | 12 ------------
 nginx/templates/nginx-server-ssl.conf.j2     |  7 +++++--
 3 files changed, 8 insertions(+), 14 deletions(-)
 delete mode 100644 nginx/templates/nginx-server-selfssl.conf.j2

diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 806ff6e..24fb304 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -76,6 +76,9 @@ nginx_basic_auth_users:
 nginx_letsencrypt_managed: True
 nginx_websockets_support: False
 nginx_use_common_virthost: False
+# When we do not use letsencrypt:
+# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
+# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
 
 # Virtualhost example
 # nginx_virthosts:
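Review bot: The commented-out paths added here do not say what happens when `nginx_ssl_cert_file` and `nginx_ssl_cert_key` are left undefined; nginx-server-ssl.conf.j2 in this same patch falls back to `/etc/nginx/ssl/server.crt` and `/etc/nginx/ssl/server.key`, which are not the `{{ pki_dir }}` paths suggested in the example. I would extend the comment so the fallback is visible from the defaults file: `# When we do not use letsencrypt (the template falls back to /etc/nginx/ssl/server.{crt,key} when unset):`. It would also help to state whether this role installs the certificate and key at those paths or expects another role to place them there; that cannot be told from the diff.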
diff --git a/nginx/templates/nginx-server-selfssl.conf.j2 b/nginx/templates/nginx-server-selfssl.conf.j2
deleted file mode 100644
index 211e0bf..0000000
--- a/nginx/templates/nginx-server-selfssl.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-ssl_certificate /etc/nginx/ssl/server.crt;
-ssl_certificate_key /etc/nginx/ssl/server.key;
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
-ssl_prefer_server_ciphers on;
-{% if ansible_distribution_version | version_compare('14.04', '>=') %}
-ssl_stapling on;
-ssl_stapling_verify on;
-add_header Strict-Transport-Security max-age=15768000;
-{% endif %}
diff --git a/nginx/templates/nginx-server-ssl.conf.j2 b/nginx/templates/nginx-server-ssl.conf.j2
index aeeb1c1..c234c99 100644
--- a/nginx/templates/nginx-server-ssl.conf.j2
+++ b/nginx/templates/nginx-server-ssl.conf.j2
@@ -1,6 +1,9 @@
 {% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-ssl_certificate {{ letsencrypt_acme_certs_dir | default('/var/lib/acme/live/{{ ansible_fqdn }}') }}/fullchain;
-ssl_certificate_key {{ letsencrypt_acme_certs_dir | default('/var/lib/acme/live/{{ ansible_fqdn }}') }}/privkey;
+ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
+ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
+{% else %}
+ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
+ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
 {% endif %}
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
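Review bot: `letsencrypt_acme_certs_dir` on the new `ssl_certificate`/`ssl_certificate_key` lines has no fallback any more, so the template now fails to render (or, depending on the play's undefined-variable setting, emits an empty path) when `letsencrypt_acme_install` is true but the directory variable is not set. The removed default was broken in any case, because a `{{ ansible_fqdn }}` inside a string literal is never expanded; if a fallback is still wanted, build it with concatenation, `ssl_certificate {{ letsencrypt_acme_certs_dir | default('/var/lib/acme/live/' ~ ansible_fqdn) }}/fullchain;`, and likewise for `privkey`; otherwise document in the role defaults that the variable is required. Separately, `default ('/etc/nginx/ssl/server.key')` on the key line has a stray space before the parenthesis, unlike `default('/etc/nginx/ssl/server.crt')` on the line above; keep the two consistent. The template continues past the end of the hunk.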