diff --git a/group_vars/all/web_services.yml b/group_vars/all/web_services.yml
index 0b895fc..599b35d 100644
--- a/group_vars/all/web_services.yml
+++ b/group_vars/all/web_services.yml
@@ -7,6 +7,6 @@ reverse_proxy_sites:
 - {from: openid.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:7443"}
 sharing_sites:
- - {from: share.deso-palaiseau.fr, folder: "/var/www/share/"}
- - {from: authority.deso-palaiseau.fr, folder: "/var/www/authority/"}
- - {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/"}
+ - {from: share.deso-palaiseau.fr, folder: "/home/histausse/www/", user: histausse, group: histausse}
+ - {from: authority.deso-palaiseau.fr, folder: "/var/www/authority/", user: root, group: root}
+ - {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/", user: root, group: root}
diff --git a/roles/reverse_proxy_http/tasks/main.yml b/roles/reverse_proxy_http/tasks/main.yml
index 268f142..5ebf7fb 100644
--- a/roles/reverse_proxy_http/tasks/main.yml
+++ b/roles/reverse_proxy_http/tasks/main.yml
@@ -38,7 +38,7 @@ loop: "{{ reverse_proxy_sites }}"
 - name: Generate Certificate for Domains
- shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+ shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
 args:
 creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
 loop: "{{ reverse_proxy_sites }}"
diff --git a/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy b/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy
index a1e5faa..1936cc1 100644
--- a/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy
+++ b/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy
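Review bot: The `share.deso-palaiseau.fr` entry now serves from `/home/histausse/www/`, and nothing in the new entries ensures the nginx worker can traverse `/home/histausse` — the directory task in `roles/share_file_web/tasks/main.yml` sets only `owner`/`group` on the leaf folder, so whether the site is readable depends on how that home directory was created, which is not visible here. Consider carrying an explicit permission in the data, e.g. `mode: "0755"` next to `user`/`group`, and having the `file` task pass it as `mode`, so the role sets it rather than inheriting the umask. As a point of style, each flow mapping now holds four keys on one long line; block style (`- from: share.deso-palaiseau.fr` followed by indented `folder:`, `user:`, `group:` keys) would diff and read more cleanly.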
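Review bot: The certbot task still uses `shell:` although the command has no pipes, redirects or globbing, and `{{ item.from }}` / `{{ vault_email }}` are interpolated unquoted into the shell line; `command:` (keeping `args: creates:`) would hand the arguments to certbot without a shell pass, or at least `{{ item.from | quote }}` and `{{ vault_email | quote }}` should be used. `--redirect` appears to be an installer option that does nothing under `certonly`, so it can be dropped the next time this line is touched. The `sudo` inside `--pre-hook`/`--post-hook` suggests the play already runs privileged, in which case it is redundant there — worth confirming against the play's `become` setting, which is outside this hunk.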
@@ -11,6 +11,9 @@ server {
 location / {
 return 302 https://$host$request_uri;
 }
+
+ # "A man is not dead while his name is still spoken." -- Going Postal
+ add_header X-Clacks-Overhead "GNU Terry Pratchett";
 }
 server {
@@ -30,5 +33,8 @@ server {
 proxy_pass {{ item.to }};
 include "/etc/nginx/snippets/options-proxypass.conf";
 }
+
+ # "A man is not dead while his name is still spoken." -- Going Postal
+ add_header X-Clacks-Overhead "GNU Terry Pratchett";
 }
diff --git a/roles/share_file_web/handlers/main.yml b/roles/share_file_web/handlers/main.yml
new file mode 100644
index 0000000..6dfcdd7
--- /dev/null
+++ b/roles/share_file_web/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
diff --git a/roles/share_file_web/tasks/main.yml b/roles/share_file_web/tasks/main.yml
new file mode 100644
index 0000000..3692806
--- /dev/null
+++ b/roles/share_file_web/tasks/main.yml
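Review bot: `add_header X-Clacks-Overhead` is placed at `server` level in both hunks, and nginx does not inherit server-level `add_header` into a `location` that declares any `add_header` of its own; in the second hunk the `location /` (whose opening line is outside the hunk) pulls in `/etc/nginx/snippets/options-proxypass.conf`, so if that snippet sets headers, proxied responses will not carry this one. If the header is meant to appear on every response, put it in a snippet included from each `location`, or verify with `curl -sI` against a proxied path that it is actually emitted. The redirect-only server in the first hunk is fine as written, since 302 is among the status codes `add_header` applies to by default.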
@@ -0,0 +1,69 @@
+---
+- name: Install certbot
+ apt:
+ update_cache: true
+ name:
+ - certbot
+ - python3-certbot-nginx
+ state: latest
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Ensure the cert directory exists
+ file:
+ path: /etc/nginx/certs
+ state: directory
+
+- name: Copy snippets
+ template:
+ src: "nginx/snippets/{{ item }}"
+ dest: "/etc/nginx/snippets/{{ item }}"
+ loop:
+ - connection_upgrade.conf # fix some nginx bug
+
+- name: Ensure the shared directory exist
+ file:
+ path: "{{ item.folder }}"
+ state: directory
+ owner: "{{ item.user }}"
+ group: "{{ item.group }}"
+ loop: "{{ sharing_sites }}"
+
+- name: Copy sharing sites
+ template:
+ src: "nginx/sites-available/sharing_site"
+ dest: "/etc/nginx/sites-available/{{ item.from }}"
+ loop: "{{ sharing_sites }}"
+ notify: Reload nginx
+
+- name: Activate sites
+ file:
+ src: "/etc/nginx/sites-available/{{ item.from }}"
+ dest: "/etc/nginx/sites-enabled/{{ item.from }}"
+ state: link
+ force: yes
+ loop: "{{ sharing_sites }}"
+
+- name: Generate Certificate for Domains
+ shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
+ loop: "{{ sharing_sites }}"
+
+- name: Copy certificates
+ file:
+ src: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"
+ dest: "/etc/nginx/certs/{{ item.from }}.crt"
+ state: link
+ force: yes
+ loop: "{{ sharing_sites }}"
+
+- name: Copy certificate keys
+ file:
+ src: "/etc/letsencrypt/live/{{ item.from }}/privkey.pem"
+ dest: "/etc/nginx/certs/{{ item.from }}.key"
+ state: link
+ force: yes
+ loop: "{{ sharing_sites }}"
+ notify: Reload nginx
diff --git a/roles/share_file_web/templates/nginx/sites-available/sharing_site b/roles/share_file_web/templates/nginx/sites-available/sharing_site
new file mode 100644
index 0000000..3990100
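Review bot: The certbot line in `Generate Certificate for Domains` lacks `--agree-tos`, which this same commit adds to the otherwise identical command in `roles/reverse_proxy_http/tasks/main.yml`; with `--noninteractive` a first registration on the host fails instead of prompting, so the options should read `--noninteractive --agree-tos --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"` (`--redirect` appears to be an installer-only option with no effect under `certonly`). Task ordering also looks fragile on a fresh host: `Activate sites` enables a vhost whose `ssl_certificate` points at `/etc/nginx/certs/{{ item.from }}.crt` before `Copy certificates` creates that link, so the `--post-hook "sudo systemctl start nginx"` of the first certbot run would presumably fail to start nginx and the later `Reload nginx` handler would have nothing to reload; moving `Activate sites` (with its own `notify: Reload nginx`) after the two link tasks avoids that. Minor style points: `force: yes` should be `force: true` in all three `file` tasks, and `state: latest` on the apt task upgrades certbot on every run where `present` would be idempotent.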
--- /dev/null
+++ b/roles/share_file_web/templates/nginx/sites-available/sharing_site
@@ -0,0 +1,33 @@
+{{ ansible_managed | comment }}
+
+include "/etc/nginx/snippets/connection_upgrade.conf";
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ item.from }};
+ # Redirect to https
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
+ ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
+
+
+ server_name {{ item.from }};
+
+ # Logs
+ access_log /var/log/nginx/{{ item.from }}.log;
+ error_log /var/log/nginx/{{ item.from }}_error.log;
+
+ location / {
+ alias {{ item.folder }};
+ }
+}
+
diff --git a/roles/share_file_web/templates/nginx/snippets/connection_upgrade.conf b/roles/share_file_web/templates/nginx/snippets/connection_upgrade.conf
new file mode 100644
index 0000000..27ac1b8
--- /dev/null
+++ b/roles/share_file_web/templates/nginx/snippets/connection_upgrade.conf
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
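Review bot: `location / { alias {{ item.folder }}; }` publishes everything under the shared folder with no exclusions, so dotfiles and editor backups dropped into `/home/histausse/www/` or the authority folders are served as-is; a `location ~ /\. { deny all; }` block in the HTTPS server would keep hidden files out, and since the location is `/`, `root {{ item.folder }};` is the usual form here (`alias` is meant for a location prefix that differs from the filesystem path). The `include "/etc/nginx/snippets/connection_upgrade.conf";` at the top defines `$connection_upgrade`, which nothing in this template references — it looks carried over from the reverse-proxy template, so the snippet hunk below (and the `# fix some nginx bug` loop comment in the tasks file) would benefit from a comment saying why a static site needs it, or from being dropped. Inferring only from the names `authority` and `authority-info-access`, these vhosts may serve CA material; if so, note that the HTTP server answers every request with `return 302 https://$host$request_uri;`, whereas AIA and CRL fetchers commonly use plain HTTP, so an unredirected `location` for that material may be needed — confirm against the intended consumers.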