Use regexp replace instead of jinja2 template override

README.md

@@ -15,7 +15,6 @@ Add [Cloudflare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-
 * Ubuntu 16.04 (Xenial)
 * Read about [CloudFlare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#iiobtainyourcertificateapitoken)
 * Read about [Trellis SSL](https://roots.io/trellis/docs/ssl/)
-* Read about [Trellis Nginx Includes](https://roots.io/trellis/docs/nginx-includes/)
 * Read about [Ansible Vault](https://roots.io/trellis/docs/vault/)
 
 ## Installation
@@ -24,7 +23,7 @@ Add this role to `requirements.yml`:
 
 ```yaml
 - src: TypistTech.trellis-cloudflare-origin-ca # Case-sensitive!
-  version: 0.2.0
+  version: 0.3.0
 ```
 
 Run `ansible-galaxy install -r requirements.yml` to install this new role.
@@ -43,14 +42,6 @@ Note:
 * `Origin CA Key` and `Global API Key` are different.
 * [How to obtain your Cloudflare `Origin CA Key`?](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#iiobtainyourcertificateapitoken)
 
-### `nginx_wordpress_site_conf`
-
-Define `nginx_wordpress_site_conf` in your `group_vars/all/main.yml` to use this role's nginx site template::
-
-```yaml
-nginx_wordpress_site_conf: vendor/roles/TypistTech.trellis-cloudflare-origin-ca/templates/wordpress-site.conf.child
-```
-
 ### `provider: cloudflare-origin-ca`
 Set `provider: cloudflare-origin-ca` in `group_vars/<environment>/wordpress_sites.yml`:
 
@@ -71,16 +62,23 @@ This will generate a *Cloudflare-trusted* certificate for `example.com,hi.exampl
 
 ## Hacking Trellis' Playbook
 
-Add this role to `server.yml` **immediately** above `role: wordpress-setup`:
+Add this role to `server.yml` **immediately after** `role: wordpress-setup`:
 
 ```yaml
 roles:
     # Some other Trellis roles ...
-    - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca] } # Case-sensitive!
     - { role: wordpress-setup, tags: [wordpress, wordpress-setup] }
+    - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca, wordpress-setup] } # Case-sensitive!
     # Some other Trellis roles ...
 ```
 
+## Caveats
+
+* Your Nginx site conf must contain this line:
+    ```
+      # SSL configuration
+    ```
+
 ## Support!
 
 ### Donate via PayPal [![Donate via PayPal](https://img.shields.io/badge/Donate-PayPal-blue.svg)](https://www.typist.tech/donate/trellis-cloudflare-origin-ca/)

tasks/main.yml

@@ -3,5 +3,22 @@
     msg: vault_cloudflare_origin_ca_key is not defined
   when: vault_cloudflare_origin_ca_key is not defined
 
+- fail:
+    msg: No site is using Cloudflare Origin CA
+  when: ( sites_using_cloudflare_origin_ca | count ) < 1
+
+- name: Read Nginx site confs
+  command: "cat {{ nginx_path }}/sites-available/{{ item.key }}.conf"
+  register: cat_site_confs_raw
+  with_dict: "{{ wordpress_sites }}"
+  when: ( item.key in sites_using_cloudflare_origin_ca ) # and
+
+- fail:
+    msg: "{{ item.cmd[1] }} does not contains '# SSL configuration'"
+  with_items:
+    - "{{ cat_site_confs_raw.results }}"
+  when: not ( item.stdout | search('# SSL configuration') )
+
 - include: setup.yml
 - include: certificates.yml
+- include: nginx.yml

tasks/nginx.yml

@@ -0,0 +1,21 @@
+---
+- name: Remove old SSL certificate directives from Nginx site confs
+  replace:
+    path: "{{ nginx_path }}/sites-available/{{ item.key }}.conf"
+    regexp: '^(\s+)(ssl_(trusted_)?(certificate(_key)?))(.+)?$'
+  with_dict: "{{ wordpress_sites }}"
+  when: item.key in sites_using_cloudflare_origin_ca
+  notify: reload nginx
+
+- name: Add Cloudflare Origin CA directives to Nginx site confs
+  replace:
+    path: "{{ nginx_path }}/sites-available/{{ item.key }}.conf"
+    regexp: '^(\s+)(# SSL configuration)(.+)?$'
+    replace: >
+      \1\2
+      \1ssl_certificate         {{ nginx_path }}/ssl/cloudflare-origin-ca/{{ item.key }}.pem;
+      \1ssl_trusted_certificate {{ nginx_path }}/ssl/cloudflare-origin-ca/{{ item.key }}.pem;
+      \1ssl_certificate_key     {{ nginx_path }}/ssl/cloudflare-origin-ca/{{ item.key }}.key;
+  with_dict: "{{ wordpress_sites }}"
+  when: item.key in sites_using_cloudflare_origin_ca
+  notify: reload nginx