add certbot, wip

4 years ago · 090db33fcf
parent 8610731ca6
commit 090db33fcf
7 changed files with 59 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 # ---> Ansible
 *.retry
-vault_pass.txt
+.vault_password
--- a/ansible.cfg
+++ b/ansible.cfg
@ -20,6 +20,8 @@ forks = 15
 # Some SSH connection will take time
 timeout = 60

+vault_password_file = .vault_password
+
 [privilege_escalation]

 # Use sudo to get priviledge access
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66346339616339316665383163613863376439383934626434313163376634306435656437353165
+6263666165323933346232356234656137646466336466360a656639643838323563643235363933
+30333435366138343930636130373239663735303164636639633039326131343533343561393561
+3864653732636464320a396563643963393862353962323462616231393332633131633832336338
+36633138646430623563316538643534666230363638333732633432316533343263303766616561
+6431623436633030393133616166323434613464636631646338
--- a/roles/reverse_proxy/handlers/main.yml
+++ b/roles/reverse_proxy/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
--- a/roles/reverse_proxy/tasks/main.yml
+++ b/roles/reverse_proxy/tasks/main.yml
@ -19,6 +19,18 @@
  retries: 3
  until: apt_result is succeeded

+- name: Ensure the cert directory exists
+  file:
+    path: /etc/nginx/certs
+    state: directory
+
+- name: Copy snippets
+  template:
+    src: "nginx/snippets/{{ item }}"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - options-proxypass.conf
+
 - name: Copy reverse proxy sites
  template:
    src: "nginx/sites-available/reverse_proxy"
@ -33,5 +45,16 @@
    force: yes
  loop: "{{ reverse_proxy_sites }}"

+- name: Stop nginx to let the certbot do its job
+  systemd:
+    name: nginx
+    state: stoped
+
 - name: Generate Certificate for Domains
-  shell: certbot --nginx
+  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --redirect
+  loop: "{{ reverse_proxy_sites }}"
+
+- name: Start nginx
+  systemd:
+    name: nginx
+    state: started
--- a/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
+++ b/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
@ -14,11 +14,11 @@ server {
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
+	ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
+	ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;

-	server_name {{ item.from }};

-	# SSL common conf
-	include "/etc/nginx/snippets/options-ssl.conf";
+	server_name {{ item.from }};

 	# Logs
 	access_log /var/log/nginx/{{ item.from }}.log;
--- a/roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf
+++ b/roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf
@ -0,0 +1,17 @@
+{{ ansible_managed | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+