From 090db33fcf64f5199ffef034ec1e4db949bdd692 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Tue, 13 Oct 2020 01:25:02 +0200
Subject: [PATCH] add certbot, wip

---
 .gitignore                                  |  2 +-
 ansible.cfg                                 |  2 ++
 group_vars/all/vault                        |  7 ++++++
 roles/reverse_proxy/handlers/main.yml       |  5 ++++
 roles/reverse_proxy/tasks/main.yml          | 25 ++++++++++++++++++-
 .../nginx/sites-available/reverse_proxy     |  6 ++---
 .../nginx/snippets/options-proxypass.conf   | 17 +++++++++++++
 7 files changed, 59 insertions(+), 5 deletions(-)
 create mode 100644 group_vars/all/vault
 create mode 100644 roles/reverse_proxy/handlers/main.yml
 create mode 100644 roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf

diff --git a/.gitignore b/.gitignore
index 2beaf98..65a5ef9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 # ---> Ansible
 *.retry
-vault_pass.txt
+.vault_password
diff --git a/ansible.cfg b/ansible.cfg
index 70d340f..7b4064a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -20,6 +20,8 @@ forks = 15
 # Some SSH connection will take time
 timeout = 60
 
+vault_password_file = .vault_password
+
 [privilege_escalation]
 # Use sudo to get priviledge access
 
diff --git a/group_vars/all/vault b/group_vars/all/vault
new file mode 100644
index 0000000..e6892a8
--- /dev/null
+++ b/group_vars/all/vault
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66346339616339316665383163613863376439383934626434313163376634306435656437353165
+6263666165323933346232356234656137646466336466360a656639643838323563643235363933
+30333435366138343930636130373239663735303164636639633039326131343533343561393561
+3864653732636464320a396563643963393862353962323462616231393332633131633832336338
+36633138646430623563316538643534666230363638333732633432316533343263303766616561
+6431623436633030393133616166323434613464636631646338
diff --git a/roles/reverse_proxy/handlers/main.yml b/roles/reverse_proxy/handlers/main.yml
new file mode 100644
index 0000000..6dfcdd7
--- /dev/null
+++ b/roles/reverse_proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
diff --git a/roles/reverse_proxy/tasks/main.yml b/roles/reverse_proxy/tasks/main.yml
index abfa1c1..ddf1423 100644
--- a/roles/reverse_proxy/tasks/main.yml
+++ b/roles/reverse_proxy/tasks/main.yml
@@ -19,6 +19,18 @@
   retries: 3
   until: apt_result is succeeded
 
+- name: Ensure the cert directory exists
+  file:
+    path: /etc/nginx/certs
+    state: directory
+
+- name: Copy snippets
+  template:
+    src: "nginx/snippets/{{ item }}"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - options-proxypass.conf
+
 - name: Copy reverse proxy sites
   template:
     src: "nginx/sites-available/reverse_proxy"
@@ -33,5 +45,16 @@
     force: yes
   loop: "{{ reverse_proxy_sites }}"
 
+- name: Stop nginx to let the certbot do its job
+  systemd:
+    name: nginx
+    state: stoped
+
 - name: Generate Certificate for Domains
-  shell: certbot --nginx
+  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect
+  loop: "{{ reverse_proxy_sites }}"
+
+- name: Start nginx
+  systemd:
+    name: nginx
+    state: started
diff --git a/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy b/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
index a427707..61f68cd 100644
--- a/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
+++ b/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
@@ -14,11 +14,11 @@ server {
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
+    ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
+    ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
 
-    server_name {{ item.from }};
-    # SSL common conf
-    include "/etc/nginx/snippets/options-ssl.conf";
+    server_name {{ item.from }};
 
     # Logs
     access_log /var/log/nginx/{{ item.from }}.log;
 
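Review bot: `Ensure the cert directory exists` creates /etc/nginx/certs with whatever the default umask gives, yet the reverse_proxy template in this same commit reads the private key from `/etc/nginx/certs/{{ item.from }}.key` under it; give the directory explicit `owner: root`, `group: root` and `mode: "0700"` so key material placed there is not readable by other local users. Neither the new `Copy snippets` task nor, as far as this hunk shows, the `Copy reverse proxy sites` task notifies the `Reload nginx` handler introduced in roles/reverse_proxy/handlers/main.yml, so a changed snippet or vhost is written but never applied until something else restarts nginx; add `notify: Reload nginx` to both template tasks. The `Copy reverse proxy sites` task continues past the end of this hunk.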
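Review bot: `state: stoped` in the `Stop nginx to let the certbot do its job` task is not a value the systemd module accepts (`stopped` is), so the play aborts at this task and certbot is never run. The certbot line then leaves the certificate where nginx cannot find it: `certbot certonly --standalone` stores certificates under /etc/letsencrypt/live/<domain>/ (fullchain.pem, privkey.pem), while the reverse_proxy template hunk in this commit expects `/etc/nginx/certs/{{ item.from }}.crt` and `.key` and nothing copies or symlinks them there; `--redirect` is an installer option and appears to have no effect with certonly. On a host without an existing ACME account, non-interactive mode also needs `--agree-tos`, and with no `creates:` guard or `changed_when` the task reports changed and stops nginx on every run. Since `{{ item.from }}` and `{{ vault_email }}` are interpolated into a shell command line, using `command:` (or quoting the values) keeps the shell from interpreting them.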
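Review bot: Removing `include "/etc/nginx/snippets/options-ssl.conf";` drops the only reference to the shared TLS settings in this server block, so whatever protocol, cipher and session options that snippet holds no longer apply to these vhosts; unless that is intended, keep the include next to the new `ssl_certificate` lines. The new `ssl_certificate` and `ssl_certificate_key` directives reference files under /etc/nginx/certs that no task in this commit creates, so nginx will refuse to start until they exist (see the note on the certbot task). The `server {` block opened in this hunk continues past the hunk's end.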
diff --git a/roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf b/roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf
new file mode 100644
index 0000000..6f40096
--- /dev/null
+++ b/roles/reverse_proxy/templates/nginx/snippets/options-proxypass.conf
@@ -0,0 +1,17 @@
+{{ ansible_managed | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
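Review bot: `proxy_set_header Connection $connection_upgrade;` uses a variable nginx only knows if a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` block exists in the http context; nothing in this commit defines it, so unless an existing nginx.conf already does, the config test fails with an unknown-variable error. `X-Forwarded-Proto https` is hard-coded, which is only right if this snippet is included solely from the `listen 443 ssl` server block; `$scheme` stays correct if it is ever included from the port-80 block too. Nothing in the reverse_proxy template hunk includes this snippet, so unless a part of the template outside the hunks references it, the file is deployed but unused.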