add certbot, wip

This commit is contained in:
Jean-Marie Mineau 2020-10-13 01:25:02 +02:00
parent 8610731ca6
commit 090db33fcf
7 changed files with 59 additions and 5 deletions

2
.gitignore vendored

@ -1,3 +1,3 @@
# ---> Ansible # ---> Ansible
*.retry *.retry
vault_pass.txt .vault_password


@ -20,6 +20,8 @@ forks = 15
# Some SSH connection will take time # Some SSH connection will take time
timeout = 60 timeout = 60
vault_password_file = .vault_password
[privilege_escalation] [privilege_escalation]
# Use sudo to get priviledge access # Use sudo to get priviledge access
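Review bot: The added `vault_password_file = .vault_password` points Ansible at a plaintext secret that sits inside the checkout, so the file needs to be created with mode 0600 and must stay out of version control (the .gitignore change in this commit covers the new name, but any previously committed `vault_pass.txt` would still be in history). Since the value may also name an executable, a small script that prints the password from a keyring or password manager avoids keeping it on disk at all. If I read Ansible's config handling correctly, a relative path here resolves against the directory of ansible.cfg rather than the working directory, which is worth stating on the line: `# relative to this file; create with chmod 600, never commit`.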

7
group_vars/all/vault Normal file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
66346339616339316665383163613863376439383934626434313163376634306435656437353165
6263666165323933346232356234656137646466336466360a656639643838323563643235363933
30333435366138343930636130373239663735303164636639633039326131343533343561393561
3864653732636464320a396563643963393862353962323462616231393332633131633832336338
36633138646430623563316538643534666230363638333732633432316533343263303766616561
6431623436633030393133616166323434613464636631646338


@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: nginx
state: reloaded


@ -19,6 +19,18 @@
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Ensure the cert directory exists
file:
path: /etc/nginx/certs
state: directory
- name: Copy snippets
template:
src: "nginx/snippets/{{ item }}"
dest: "/etc/nginx/snippets/{{ item }}"
loop:
- options-proxypass.conf
- name: Copy reverse proxy sites - name: Copy reverse proxy sites
template: template:
src: "nginx/sites-available/reverse_proxy" src: "nginx/sites-available/reverse_proxy"
@ -33,5 +45,16 @@
force: yes force: yes
loop: "{{ reverse_proxy_sites }}" loop: "{{ reverse_proxy_sites }}"
- name: Stop nginx to let the certbot do its job
systemd:
name: nginx
state: stoped
- name: Generate Certificate for Domains - name: Generate Certificate for Domains
shell: certbot --nginx shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect
loop: "{{ reverse_proxy_sites }}"
- name: Start nginx
systemd:
name: nginx
state: started
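Review bot: `state: stoped` in the new "Stop nginx to let the certbot do its job" task is not a value the systemd module accepts (it wants `stopped`), so the play fails before certbot runs; and even once spelled correctly, nginx is left stopped whenever the certbot loop fails, because "Start nginx" only runs after the loop succeeds. The `certbot certonly --standalone` line also lacks `--agree-tos`, which certbot requires for a first `--noninteractive` registration, while `--redirect` looks like an installer-only option that has no effect with `certonly`; nothing on that line needs a shell, so `command:` is the safer module for passing the Jinja-expanded domain and email. The rewrite below wraps the three tasks in a `block`/`always` so nginx comes back up on any error, and I would additionally add `creates: /etc/letsencrypt/live/{{ item.from }}/fullchain.pem` to skip domains already issued, and `notify: Reload nginx` on the new "Copy snippets" task so the handler introduced in this commit is actually triggered.

```yaml
- name: Obtain certificates with nginx stopped, then always bring it back
  block:
    - name: Stop nginx to let the certbot do its job
      systemd:
        name: nginx
        state: stopped
    - name: Generate Certificate for Domains
      command: >-
        certbot certonly --standalone --agree-tos --noninteractive
        -d {{ item.from }} -m {{ vault_email }}
      loop: "{{ reverse_proxy_sites }}"
  always:
    - name: Start nginx
      systemd:
        name: nginx
        state: started
```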


@ -14,12 +14,12 @@ server {
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
server_name {{ item.from }}; server_name {{ item.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
# Logs # Logs
access_log /var/log/nginx/{{ item.from }}.log; access_log /var/log/nginx/{{ item.from }}.log;
error_log /var/log/nginx/{{ item.from }}_error.log; error_log /var/log/nginx/{{ item.from }}_error.log;
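Review bot: The `ssl_certificate` / `ssl_certificate_key` directives are dropped from the 443 server block and replaced by `include "/etc/nginx/snippets/options-ssl.conf";`, but the "Copy snippets" task in this same commit only deploys `options-proxypass.conf`, so unless `options-ssl.conf` already exists on the host and somehow carries a per-site certificate path, nginx will reject the config for an ssl listener with no certificate defined. Because `certbot certonly --standalone` stores its output under `/etc/letsencrypt/live/<domain>/`, the per-site lines should come back pointing there — `ssl_certificate /etc/letsencrypt/live/{{ item.from }}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/{{ item.from }}/privkey.pem;` — with `options-ssl.conf` added to the snippets loop for the shared protocol and cipher settings only. The server block starts and ends outside this hunk.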


@ -0,0 +1,17 @@
{{ ansible_managed | comment }}
proxy_redirect off;
proxy_set_header Host $host;
# Pass the real client IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell proxified server that we are HTTPS, fix Wordpress
proxy_set_header X-Forwarded-Proto https;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
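Review bot: `proxy_set_header X-Forwarded-Proto https;` hard-codes the scheme, which is only correct if this snippet is ever included from the TLS server block; `proxy_set_header X-Forwarded-Proto $scheme;` stays correct wherever it is included. Two things a reader of this file needs stated: `$connection_upgrade` is not a built-in variable and requires a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context, which this commit does not add (it may already exist in nginx.conf), and `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so the upstream must trust only the right-most address, not the first. Suggested header comment after the managed-file line: `# Included from the HTTPS reverse-proxy server block; needs map $http_upgrade $connection_upgrade in nginx.conf`.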