add certbot, wip
This commit is contained in:
parent
8610731ca6
commit
090db33fcf
7 changed files with 59 additions and 5 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,3 +1,3 @@
|
||||||
# ---> Ansible
|
# ---> Ansible
|
||||||
*.retry
|
*.retry
|
||||||
vault_pass.txt
|
.vault_password
|
||||||
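Review bot: Replacing the `vault_pass.txt` pattern with `.vault_password` un-ignores the old name, so a password file still sitting under the old name in someone's checkout would be picked up by `git add .` the next time they stage everything. Keep both patterns until the old file is known to be gone, e.g. `vault_pass.txt` on one line and `.vault_password` on the next, with a comment `# Ansible Vault password files — never commit`. Whether vault_pass.txt was ever committed is not visible here; if it was, the rename does not remove it from history.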
|
|
|
@ -20,6 +20,8 @@ forks = 15
|
||||||
# Some SSH connection will take time
|
# Some SSH connection will take time
|
||||||
timeout = 60
|
timeout = 60
|
||||||
|
|
||||||
|
vault_password_file = .vault_password
|
||||||
|
|
||||||
[privilege_escalation]
|
[privilege_escalation]
|
||||||
|
|
||||||
# Use sudo to get priviledge access
|
# Use sudo to get priviledge access
|
||||||
|
|
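Review bot: `vault_password_file = .vault_password` is resolved relative to this ansible.cfg, and Ansible runs the file as a script instead of reading it when it is marked executable, so a stray `chmod +x` turns the plaintext password into a failing command. A comment above the line would make the contract explicit: `# plaintext vault password — mode 0600, listed in .gitignore, never committed`. The file header for this section is not shown, so I'm assuming this is the repository-level ansible.cfg.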
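--- /dev/null
+++ b/group_vars/all/vault
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66346339616339316665383163613863376439383934626434313163376634306435656437353165
+6263666165323933346232356234656137646466336466360a656639643838323563643235363933
+30333435366138343930636130373239663735303164636639633039326131343533343561393561
+3864653732636464320a396563643963393862353962323462616231393332633131633832336338
+36633138646430623563316538643534666230363638333732633432316533343263303766616561
+6431623436633030393133616166323434613464636631646338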
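--- /dev/null
+++ b/roles/reverse_proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded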
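Review bot: Nothing in this commit notifies `Reload nginx`: the `Copy snippets` and `Copy reverse proxy sites` template tasks in roles/reverse_proxy/tasks/main.yml carry no `notify:`, and the certbot tasks stop and start the unit instead, so an edited snippet or site file never reaches a running nginx on a re-run. Add `notify: Reload nginx` to those two template tasks. A reload against a broken config can leave the old configuration running without the task failing, so a `command: nginx -t` task in front of the handler is worth having.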
@ -19,6 +19,18 @@
|
||||||
retries: 3
|
retries: 3
|
||||||
until: apt_result is succeeded
|
until: apt_result is succeeded
|
||||||
|
|
||||||
|
- name: Ensure the cert directory exists
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/certs
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy snippets
|
||||||
|
template:
|
||||||
|
src: "nginx/snippets/{{ item }}"
|
||||||
|
dest: "/etc/nginx/snippets/{{ item }}"
|
||||||
|
loop:
|
||||||
|
- options-proxypass.conf
|
||||||
|
|
||||||
- name: Copy reverse proxy sites
|
- name: Copy reverse proxy sites
|
||||||
template:
|
template:
|
||||||
src: "nginx/sites-available/reverse_proxy"
|
src: "nginx/sites-available/reverse_proxy"
|
||||||
|
@ -33,5 +45,16 @@
|
||||||
force: yes
|
force: yes
|
||||||
loop: "{{ reverse_proxy_sites }}"
|
loop: "{{ reverse_proxy_sites }}"
|
||||||
|
|
||||||
|
- name: Stop nginx to let the certbot do its job
|
||||||
|
systemd:
|
||||||
|
name: nginx
|
||||||
|
state: stoped
|
||||||
|
|
||||||
- name: Generate Certificate for Domains
|
- name: Generate Certificate for Domains
|
||||||
shell: certbot --nginx
|
shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect
|
||||||
|
loop: "{{ reverse_proxy_sites }}"
|
||||||
|
|
||||||
|
- name: Start nginx
|
||||||
|
systemd:
|
||||||
|
name: nginx
|
||||||
|
state: started
|
||||||
|
|
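Review bot: `state: stoped` in the "Stop nginx" task is not a value the systemd module accepts, so the play fails there before certbot ever runs; it must read `state: stopped`. The certbot task uses `shell:` with `{{ item.from }}` and `{{ vault_email }}` interpolated into one command string although no shell feature is used, so `command:` is the safer module; `--redirect` is an installer option and does nothing under `certonly`, while the first non-interactive run needs `--agree-tos` or certbot refuses to register the account. As written the task also runs on every play and stops nginx each time, so gate it with `creates:` on the certificate certbot produces and, ideally, guard the stop/start pair with the same condition or switch to `--webroot` against the running server. The `/etc/nginx/certs` directory from the first hunk is created with default permissions; if private keys are meant to live there give it `mode: "0700"`. The enclosing task list starts before the first hunk.

```yaml
# … unchanged: Copy reverse proxy sites …

- name: Stop nginx to let the certbot do its job
  systemd:
    name: nginx
    state: stopped

- name: Generate Certificate for Domains
  command: >-
    certbot certonly --standalone
    -d {{ item.from }} -m {{ vault_email }}
    --agree-tos --noninteractive
  args:
    creates: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"
  loop: "{{ reverse_proxy_sites }}"

# … unchanged: Start nginx …
```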
|
@ -14,12 +14,12 @@ server {
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
|
||||||
|
|
||||||
|
|
||||||
server_name {{ item.from }};
|
server_name {{ item.from }};
|
||||||
|
|
||||||
# SSL common conf
|
|
||||||
include "/etc/nginx/snippets/options-ssl.conf";
|
|
||||||
|
|
||||||
# Logs
|
# Logs
|
||||||
access_log /var/log/nginx/{{ item.from }}.log;
|
access_log /var/log/nginx/{{ item.from }}.log;
|
||||||
error_log /var/log/nginx/{{ item.from }}_error.log;
|
error_log /var/log/nginx/{{ item.from }}_error.log;
|
||||||
|
|
|
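Review bot: `ssl_certificate /etc/nginx/certs/{{ item.from }}.crt` and the matching `.key` do not match what the new `certbot certonly --standalone` task produces, which lands under `/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem`; nothing in this commit copies or links those files into /etc/nginx/certs, so nginx will refuse to start on the missing certificate unless a task outside the diff populates it. The simplest fix is to point at certbot's output directly: `ssl_certificate /etc/letsencrypt/live/{{ item.from }}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/{{ item.from }}/privkey.pem;`. The rendered page does not show which side the `include "/etc/nginx/snippets/options-ssl.conf"` line is on; if it stays, the new `Copy snippets` loop only deploys options-proxypass.conf so the include targets a file this role never writes, and if it goes, the server block has no protocol or cipher policy at all. The port-80 server block that should carry the HTTP-to-HTTPS redirect is outside this hunk.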
@ -0,0 +1,17 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
|
# Pass the real client IP
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
|
# Tell proxified server that we are HTTPS, fix Wordpress
|
||||||
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
|
||||||
|
# WebSocket support
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
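Review bot: `proxy_set_header Connection $connection_upgrade;` depends on a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` block in the http context, and this commit does not add one, so `nginx -t` will fail with an unknown variable unless the site's nginx.conf already defines it. `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client sent, so upstream applications must only trust the last entry and use `X-Real-IP` when they need a single address; a one-line comment saying so above the X-Forwarded-For line would stop the next reader from treating the header as authoritative. Hard-coding `X-Forwarded-Proto https` is only correct as long as this snippet is included from the 443 server block alone, which is worth stating in the header comment.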