ssl - avoid hardcoded cert paths
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
index 2914885..f073653 100644
--- a/nginx/files/_ssl.conf
+++ b/nginx/files/_ssl.conf
@@ -1,5 +1,11 @@
{%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
+
+ {%- set ca_file=site.ssl.get('ca_file', '') %}
+ {%- set key_file=site.ssl.get('key_file', '/etc/ssl/private/{0}.key'.format(site.host.name)) %}
+ {%- set cert_file=site.ssl.get('cert_file', '/etc/ssl/certs/{0}.crt'.format(site.host.name)) %}
+ {%- set chain_file=site.ssl.get('chain_file', '/etc/ssl/certs/{0}-with-chain.crt'.format(site.host.name)) %}
+
ssi on;
ssl on;
ssl_session_cache shared:SSL:10m;
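Review bot: `ca_file` is assigned on the first added `set` line with an empty-string default, but none of the three hunks in this diff reference it; if it is consumed later in the file (outside these hunks), e.g. by `ssl_client_certificate` or `ssl_trusted_certificate`, an unset pillar value would render an empty directive argument and nginx would reject the configuration. Either guard the consumer with `{%- if ca_file %}` or give the variable a documented contract; a short comment above the `set` block such as `{# ca_file is optional; key_file/cert_file/chain_file default to /etc/ssl paths derived from site.host.name #}` would make the expected pillar keys visible to whoever writes the site data. The remaining three defaults look consistent with the paths the old hunks hard-coded.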
@@ -7,16 +13,11 @@
{%- if site.ssl.engine is not defined %}
- {%- if site.ssl.key_file is defined %}
- ssl_certificate_key {{ site.ssl.key_file }};
- ssl_certificate {{ site.ssl.cert_file }};
- {%- else %}
- ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
+ ssl_certificate_key {{ key_file }};
{%- if site.ssl.chain is defined or site.ssl.authority is defined %}
- ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
+ ssl_certificate {{ chain_file }};
{%- else %}
- ssl_certificate /etc/ssl/certs/{{ site.host.name }}.crt;
- {%- endif %}
+ ssl_certificate {{ cert_file }};
{%- endif %}
{%- elif site.ssl.engine == 'letsencrypt' %}
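Review bot: The branch selecting `ssl_certificate {{ chain_file }}` is still keyed on `site.ssl.chain is defined or site.ssl.authority is defined`, so a site that sets an explicit `chain_file` in pillar without also defining `chain` or `authority` has that value silently ignored and the leaf-only `cert_file` is served, which clients see as an incomplete chain. The removed lines also show a behaviour change: previously a defined `key_file` always paired with `site.ssl.cert_file`, whereas now a site with explicit `key_file`/`cert_file` plus `chain` falls through to the default `-with-chain.crt` path, which will stop nginx from starting if nothing in the state writes that file (not visible here). Extending the condition to `{%- if site.ssl.chain is defined or site.ssl.authority is defined or site.ssl.chain_file is defined %}` covers the first case; the second deserves a note in the commit description or in the site pillar documentation.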
@@ -29,8 +30,8 @@
{%- elif site.ssl.engine == 'salt' %}
- ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
- ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
+ ssl_certificate_key {{ key_file }};
+ ssl_certificate {{ chain_file }};
{%- endif %}