Diffstat (limited to 'ansible/roles/nginx-cloudflare-mtls')
5 files changed, 77 insertions, 0 deletions
diff --git a/ansible/roles/nginx-cloudflare-mtls/README.md b/ansible/roles/nginx-cloudflare-mtls/README.md
new file mode 100644
index 0000000..081cacb
--- /dev/null
+++ b/ansible/roles/nginx-cloudflare-mtls/README.md
@@ -0,0 +1,16 @@
+# Role "nginx-cloudflare-mtls"
+
+Installs the certificate required for performing mutual TLS authentication
+between NGINX and Cloudflare.
+
+To use mutual TLS in your NGINX virtual hosts, add this configuration snippet:
+
+```nginx
+ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }};
+ssl_verify_client on;
+```
+
+
+## Variables
+
+See [role defaults](./defaults/main.yml) for an annotated overview.
diff --git a/ansible/roles/nginx-cloudflare-mtls/defaults/main.yml b/ansible/roles/nginx-cloudflare-mtls/defaults/main.yml
new file mode 100644
index 0000000..ff1c667
--- /dev/null
+++ b/ansible/roles/nginx-cloudflare-mtls/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# The path at which to install the certificate.
+nginx_cloudflare_mtls_certificate_path: /etc/nginx/certs/cloudflare.crt
diff --git a/ansible/roles/nginx-cloudflare-mtls/files/cloudflare.crt b/ansible/roles/nginx-cloudflare-mtls/files/cloudflare.crt
new file mode 100644
index 0000000..965f0bf
--- /dev/null
+++ b/ansible/roles/nginx-cloudflare-mtls/files/cloudflare.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln
+aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv
+cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx
+MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV
+BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD
+VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD
+ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI
+42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e
+ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw
+hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY
+QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3
+Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn
+aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5
+lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR
+PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh
+CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa
++4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB
+AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud
+DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz
+alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1
+QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS
+zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX
+VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz
+6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z
+0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc
+5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/
+fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j
+bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm
+iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F
+AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM
+fVQ6VpyjEXdiIXWUq/o=
+-----END CERTIFICATE-----
diff --git a/ansible/roles/nginx-cloudflare-mtls/meta/main.yml b/ansible/roles/nginx-cloudflare-mtls/meta/main.yml
new file mode 100644
index 0000000..8b662c9
--- /dev/null
+++ b/ansible/roles/nginx-cloudflare-mtls/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: nginx
diff --git a/ansible/roles/nginx-cloudflare-mtls/tasks/main.yml b/ansible/roles/nginx-cloudflare-mtls/tasks/main.yml
new file mode 100644
index 0000000..21d1b28
--- /dev/null
+++ b/ansible/roles/nginx-cloudflare-mtls/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Create nginx certificates directory
+  file:
+    path: /etc/nginx/certs
+    state: directory
+    owner: root
+    group: root
+    mode: "0444"
+  tags:
+    - role::nginx-cloudflare-mtls
+
+- name: Copy the cloudflare mutual TLS certificate
+  copy:
+    src: cloudflare.crt
+    dest: /etc/nginx/certs/cloudflare.crt
+    owner: root
+    group: root
+    mode: "0444"
+  tags:
+    - role::nginx-cloudflare-mtls
|
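Review bot: `mode: "0444"` on the "Create nginx certificates directory" task (`state: directory`) strips the execute bit from `/etc/nginx/certs`, so nothing but root can traverse it to reach the certificate — an `nginx -t` run as an unprivileged user fails, and the play only succeeds because root bypasses directory permission checks — whereas a directory holding a public CA certificate should be `mode: "0755"`. The copy task also hardcodes `dest: /etc/nginx/certs/cloudflare.crt` while the README tells operators to reference `{{ nginx_cloudflare_mtls_certificate_path }}`, so overriding that variable makes `ssl_client_certificate` point at a path this role never writes and nginx will refuse to start or reload; use `dest: "{{ nginx_cloudflare_mtls_certificate_path }}"` and `path: "{{ nginx_cloudflare_mtls_certificate_path | dirname }}"`. Neither task notifies a reload, so a rotated certificate is not picked up by a running nginx until something else restarts it — if the depended-on `nginx` role exposes a handler, add a `notify:` on the copy task. Finally, judging from the DER (subject CN `origin-pull.cloudflare.net`, notAfter in 2029, CA:TRUE), this appears to be Cloudflare's shared Origin Pull CA: `ssl_verify_client on` against it proves a request came through Cloudflare, not that it belongs to this zone, so origin firewalling to Cloudflare's IP ranges (or a per-zone origin-pull certificate) is still needed, and the 2029 expiry should be tracked since rotation here is manual.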