add certbot, wip
This commit is contained in:
parent
8610731ca6
commit
090db33fcf
7 changed files with 59 additions and 5 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,3 +1,3 @@
|
|||
# ---> Ansible
|
||||
*.retry
|
||||
vault_pass.txt
|
||||
.vault_password
|
||||
|
|
|
@ -20,6 +20,8 @@ forks = 15
|
|||
# Some SSH connection will take time
|
||||
timeout = 60
|
||||
|
||||
vault_password_file = .vault_password
|
||||
|
||||
[privilege_escalation]
|
||||
|
||||
# Use sudo to get priviledge access
|
||||
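Review bot: `vault_password_file = .vault_password` is a relative path, which Ansible presumably resolves against the directory the command is run from rather than against ansible.cfg, so running the playbook from anywhere else will fail to decrypt `group_vars/all/vault` — confirm, and document the expectation, e.g. `# .vault_password: mode 0600, git-ignored, must be present in the directory ansible-playbook is invoked from`. That file is the key to every vault secret in the repo, so the comment should also say it is never committed; the .gitignore change in this commit appears to switch the ignored name accordingly, and the two must stay in sync. Nit in the same hunk: the context comment reads `priviledge`, should be `privilege`.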
|
|
7
group_vars/all/vault
Normal file
7
group_vars/all/vault
Normal file
|
@ -0,0 +1,7 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66346339616339316665383163613863376439383934626434313163376634306435656437353165
|
||||
6263666165323933346232356234656137646466336466360a656639643838323563643235363933
|
||||
30333435366138343930636130373239663735303164636639633039326131343533343561393561
|
||||
3864653732636464320a396563643963393862353962323462616231393332633131633832336338
|
||||
36633138646430623563316538643534666230363638333732633432316533343263303766616561
|
||||
6431623436633030393133616166323434613464636631646338
|
5
roles/reverse_proxy/handlers/main.yml
Normal file
5
roles/reverse_proxy/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: Reload nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: reloaded
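Review bot: the `Reload nginx` handler is defined here but nothing in this commit notifies it; the `Copy snippets` and `Copy reverse proxy sites` template tasks in roles/reverse_proxy/tasks/main.yml carry no `notify:`, so a changed vhost or snippet is not picked up until some unrelated restart. Add `notify: Reload nginx` to both template tasks. Consider pairing it with a `Check nginx config` handler (`command: nginx -t`) that runs before the reload, so a broken rendered vhost fails the play instead of silently leaving nginx on its previous configuration.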
|
|
@ -19,6 +19,18 @@
|
|||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Ensure the cert directory exists
|
||||
file:
|
||||
path: /etc/nginx/certs
|
||||
state: directory
|
||||
|
||||
- name: Copy snippets
|
||||
template:
|
||||
src: "nginx/snippets/{{ item }}"
|
||||
dest: "/etc/nginx/snippets/{{ item }}"
|
||||
loop:
|
||||
- options-proxypass.conf
|
||||
|
||||
- name: Copy reverse proxy sites
|
||||
template:
|
||||
src: "nginx/sites-available/reverse_proxy"
|
||||
|
@ -33,5 +45,16 @@
|
|||
force: yes
|
||||
loop: "{{ reverse_proxy_sites }}"
|
||||
|
||||
- name: Stop nginx to let the certbot do its job
|
||||
systemd:
|
||||
name: nginx
|
||||
state: stoped
|
||||
|
||||
- name: Generate Certificate for Domains
|
||||
shell: certbot --nginx
|
||||
shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect
|
||||
loop: "{{ reverse_proxy_sites }}"
|
||||
|
||||
- name: Start nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: started
|
||||
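Review bot: `state: stoped` in the `Stop nginx to let the certbot do its job` task is misspelled and the systemd module rejects it, so the play fails before certbot ever runs; it must be `state: stopped`. The `Generate Certificate for Domains` task has two `shell:` keys — the loader keeps the last one (Ansible warns on duplicate dict keys), so the `certbot --nginx` line should be deleted rather than left as dead text. The surviving command interpolates `{{ item.from }}` and `{{ vault_email }}` unquoted into a shell although neither needs shell features, so use `command:` with an argv list (or at least the `quote` filter); it also lacks `--agree-tos`, which non-interactive first-time registration requires, while `--redirect` only applies to the nginx installer and does nothing with `certonly --standalone`. Stopping nginx takes every proxied site offline for the duration of issuance; `--webroot` validation avoids that outage, and a `creates:` guard on certbot's default output path keeps the task idempotent (renewals are handled by certbot's own timer). The certs directory created in the first hunk gets no `mode`, so anything later placed there inherits the default umask.
```yaml
- name: Stop nginx to let the certbot do its job
  systemd:
    name: nginx
    state: stopped

- name: Generate Certificate for Domains
  command:
    argv:
      - certbot
      - certonly
      - --standalone
      - --non-interactive
      - --agree-tos
      - -d
      - "{{ item.from }}"
      - -m
      - "{{ vault_email }}"
    creates: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"
  loop: "{{ reverse_proxy_sites }}"

# … unchanged: Start nginx …
```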
|
|
|
@ -14,12 +14,12 @@ server {
|
|||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
|
||||
|
||||
|
||||
server_name {{ item.from }};
|
||||
|
||||
# SSL common conf
|
||||
include "/etc/nginx/snippets/options-ssl.conf";
|
||||
|
||||
# Logs
|
||||
access_log /var/log/nginx/{{ item.from }}.log;
|
||||
error_log /var/log/nginx/{{ item.from }}_error.log;
|
||||
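Review bot: the `ssl_certificate /etc/nginx/certs/{{ item.from }}.crt` and `ssl_certificate_key` lines point at a directory the reverse_proxy tasks only create, whereas `certbot certonly` in the same commit writes its output under `/etc/letsencrypt/live/{{ item.from }}/` by default and nothing here copies or links it into /etc/nginx/certs — so on a fresh host nginx will refuse to start, assuming these lines survive on the new side (the old/new split of this hunk is not recoverable from the page). Either reference `/etc/letsencrypt/live/{{ item.from }}/fullchain.pem` and `privkey.pem` directly, or add a task that deploys the pair under /etc/nginx/certs with `mode: "0600"`. Note also that `include "/etc/nginx/snippets/options-ssl.conf"` is not among the snippets the `Copy snippets` task loops over in this commit; confirm it is installed elsewhere or the config test fails on the missing file.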
|
|
|
@ -0,0 +1,17 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Pass the real client IP
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# Tell proxified server that we are HTTPS, fix Wordpress
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
# WebSocket support
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
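Review bot: `proxy_set_header Connection $connection_upgrade;` depends on a `map $http_upgrade $connection_upgrade { ... }` block in the http context, which nothing in this commit defines; if it is not already in nginx.conf, `nginx -t` fails with an unknown-variable error and the role leaves nginx unloadable, so ship the map in a conf.d file or a second snippet. `$proxy_add_x_forwarded_for` appends to, rather than replaces, the client-supplied X-Forwarded-For header, so backends must treat only the right-most entry (or `X-Real-IP`) as the client address; a comment on the `# Pass the real client IP` block saying `# X-Forwarded-For may contain client-spoofed entries; trust X-Real-IP or the last hop only` would prevent that misuse. `X-Forwarded-Proto https` is hardcoded, so this snippet is only correct when included from a 443 server block — worth stating in the header comment.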
|