stuffs

2021-04-05 19:02:21 +02:00 · 2021-04-05 19:02:21 +02:00 · 75fce8dd8d
commit 75fce8dd8d
parent 997c766ddb
7 changed files with 124 additions and 4 deletions
--- a/group_vars/all/web_services.yml
+++ b/group_vars/all/web_services.yml
@ -7,6 +7,6 @@ reverse_proxy_sites:
  - {from: openid.deso-palaiseau.fr,  to: "https://azerty.fil.sand.auro.re:7443"}
 sharing_sites:
-  - {from: share.deso-palaiseau.fr,                 folder: "/var/www/share/"}
+  - {from: share.deso-palaiseau.fr,                 folder: "/home/histausse/www/",            user: histausse,     group: histausse}
-  - {from: authority.deso-palaiseau.fr,             folder: "/var/www/authority/"}
+  - {from: authority.deso-palaiseau.fr,             folder: "/var/www/authority/",             user: root,          group: root}
-  - {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/"}
+  - {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/", user: root,          group: root}
--- a/roles/reverse_proxy_http/tasks/main.yml
+++ b/roles/reverse_proxy_http/tasks/main.yml
@ -38,7 +38,7 @@
  loop: "{{ reverse_proxy_sites }}"
 - name: Generate Certificate for Domains
-  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
  args:
    creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
  loop: "{{ reverse_proxy_sites }}"
--- a/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy
+++ b/roles/reverse_proxy_http/templates/nginx/sites-available/reverse_proxy
@ -11,6 +11,9 @@ server {
 	location / {
 		return 302 https://$host$request_uri;
 	}
    # "A man is not dead while his name is still spoken." -- Going Postal
    add_header X-Clacks-Overhead "GNU Terry Pratchett";
 }
 server {
@ -30,5 +33,8 @@ server {
 		proxy_pass {{ item.to }};
 		include "/etc/nginx/snippets/options-proxypass.conf";
 	}
    # "A man is not dead while his name is still spoken." -- Going Postal
    add_header X-Clacks-Overhead "GNU Terry Pratchett";
 }
--- a/roles/share_file_web/handlers/main.yml
+++ b/roles/share_file_web/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: Reload nginx
  systemd:
    name: nginx
    state: reloaded
--- a/roles/share_file_web/tasks/main.yml
+++ b/roles/share_file_web/tasks/main.yml
@ -0,0 +1,69 @@
 ---
 - name: Install certbot
  apt:
    update_cache: true
    name: 
      - certbot
      - python3-certbot-nginx
    state: latest
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Ensure the cert directory exists
  file:
    path: /etc/nginx/certs
    state: directory
 - name: Copy snippets
  template:
    src: "nginx/snippets/{{ item }}"
    dest: "/etc/nginx/snippets/{{ item }}"
  loop:
    - connection_upgrade.conf # fix some nginx bug
 - name: Ensure the shared directory exist
  file:
    path: "{{ item.folder }}"
    state: directory
    owner: "{{ item.user }}"
    group: "{{ item.group }}"
  loop: "{{ sharing_sites }}"
 - name: Copy sharing sites
  template:
    src: "nginx/sites-available/sharing_site"
    dest: "/etc/nginx/sites-available/{{ item.from }}"
  loop: "{{ sharing_sites }}"
  notify: Reload nginx
 - name: Activate sites
  file:
    src: "/etc/nginx/sites-available/{{ item.from }}"
    dest: "/etc/nginx/sites-enabled/{{ item.from }}"
    state: link
    force: yes
  loop: "{{ sharing_sites }}"
 - name: Generate Certificate for Domains
  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
  args:
    creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
  loop: "{{ sharing_sites }}"
 - name: Copy certificates
  file:
    src: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"
    dest: "/etc/nginx/certs/{{ item.from }}.crt"
    state: link
    force: yes
  loop: "{{ sharing_sites }}"
 - name: Copy certificate keys
  file:
    src: "/etc/letsencrypt/live/{{ item.from }}/privkey.pem"
    dest: "/etc/nginx/certs/{{ item.from }}.key"
    state: link
    force: yes
  loop: "{{ sharing_sites }}"
  notify: Reload nginx
--- a/roles/share_file_web/templates/nginx/sites-available/sharing_site
+++ b/roles/share_file_web/templates/nginx/sites-available/sharing_site
@ -0,0 +1,33 @@
 {{ ansible_managed | comment }}
 include "/etc/nginx/snippets/connection_upgrade.conf";
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ item.from }};
 	# Redirect to https
 	location / {
 		return 302 https://$host$request_uri;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
 	ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
 	server_name {{ item.from }};
 	# Logs
 	access_log /var/log/nginx/{{ item.from }}.log;
 	error_log /var/log/nginx/{{ item.from }}_error.log;
 	location / {
 		alias {{ item.folder }};
 	}
 }
--- a/roles/share_file_web/templates/nginx/snippets/connection_upgrade.conf
+++ b/roles/share_file_web/templates/nginx/snippets/connection_upgrade.conf
@ -0,0 +1,7 @@
 {{ ansible_managed | comment }}
 map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }