This commit is contained in:
Jean-Marie Mineau 2021-04-05 19:02:21 +02:00
parent 997c766ddb
commit 75fce8dd8d
7 changed files with 124 additions and 4 deletions


@ -7,6 +7,6 @@ reverse_proxy_sites:
- {from: openid.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:7443"} - {from: openid.deso-palaiseau.fr, to: "https://azerty.fil.sand.auro.re:7443"}
sharing_sites: sharing_sites:
- {from: share.deso-palaiseau.fr, folder: "/var/www/share/"} - {from: share.deso-palaiseau.fr, folder: "/home/histausse/www/", user: histausse, group: histausse}
- {from: authority.deso-palaiseau.fr, folder: "/var/www/authority/"} - {from: authority.deso-palaiseau.fr, folder: "/var/www/authority/", user: root, group: root}
- {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/"} - {from: authority-info-access.deso-palaiseau.fr, folder: "/var/www/authority_info_access/", user: root, group: root}
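Review bot: The new `user`/`group` keys become mandatory for every `sharing_sites` entry, because the `Ensure the shared directory exist` task in the new tasks file reads `item.user` and `item.group` with no default; a later entry that omits them fails the play, so either document that here or consume them as `{{ item.user | default('root') }}` / `{{ item.group | default('root') }}`. The share folder also moves under `/home/histausse/`; the nginx worker can only serve it if every parent directory is traversable by the nginx user, which nothing on the page enforces — worth confirming on the host. Style: these entries are structured data written as flow mappings; block style (one key per line) would diff more cleanly. The sixth line of this hunk on each side is not shown.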


@ -38,7 +38,7 @@
loop: "{{ reverse_proxy_sites }}" loop: "{{ reverse_proxy_sites }}"
- name: Generate Certificate for Domains - name: Generate Certificate for Domains
shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx" shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
args: args:
creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem" creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
loop: "{{ reverse_proxy_sites }}" loop: "{{ reverse_proxy_sites }}"
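Review bot: `{{ item.from }}` and `{{ vault_email }}` are interpolated unquoted into a `shell:` line, so a value containing shell metacharacters is interpreted by the shell rather than handed to certbot; write them as `{{ item.from | quote }}` and `{{ vault_email | quote }}`, or use the `command` module with `argv`. The same pattern appears in the `Generate Certificate for Domains` task of the new sharing-sites tasks file. `--redirect` is an installer option and, as far as I know, has no effect with `certonly --standalone`, so it can be dropped from both tasks. The task's `become`/user context is outside the hunk, so whether the `sudo` inside the hooks is needed cannot be judged here.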


@ -11,6 +11,9 @@ server {
location / { location / {
return 302 https://$host$request_uri; return 302 https://$host$request_uri;
} }
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
} }
server { server {
@ -30,5 +33,8 @@ server {
proxy_pass {{ item.to }}; proxy_pass {{ item.to }};
include "/etc/nginx/snippets/options-proxypass.conf"; include "/etc/nginx/snippets/options-proxypass.conf";
} }
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
} }
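Review bot: `add_header` is inherited from the `server` level only into a `location` that declares no `add_header` of its own; the proxied location includes `options-proxypass.conf`, and if that snippet sets any header, the new `X-Clacks-Overhead` will be missing from proxied responses. If so, move the `add_header X-Clacks-Overhead "GNU Terry Pratchett";` into the location (or into the snippet) so it is emitted consistently. Both `server` blocks extend beyond the hunks.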


@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: nginx
state: reloaded


@ -0,0 +1,69 @@
---
- name: Install certbot
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
state: latest
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure the cert directory exists
file:
path: /etc/nginx/certs
state: directory
- name: Copy snippets
template:
src: "nginx/snippets/{{ item }}"
dest: "/etc/nginx/snippets/{{ item }}"
loop:
- connection_upgrade.conf # fix some nginx bug
- name: Ensure the shared directory exist
file:
path: "{{ item.folder }}"
state: directory
owner: "{{ item.user }}"
group: "{{ item.group }}"
loop: "{{ sharing_sites }}"
- name: Copy sharing sites
template:
src: "nginx/sites-available/sharing_site"
dest: "/etc/nginx/sites-available/{{ item.from }}"
loop: "{{ sharing_sites }}"
notify: Reload nginx
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item.from }}"
dest: "/etc/nginx/sites-enabled/{{ item.from }}"
state: link
force: yes
loop: "{{ sharing_sites }}"
- name: Generate Certificate for Domains
shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
args:
creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
loop: "{{ sharing_sites }}"
- name: Copy certificates
file:
src: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"
dest: "/etc/nginx/certs/{{ item.from }}.crt"
state: link
force: yes
loop: "{{ sharing_sites }}"
- name: Copy certificate keys
file:
src: "/etc/letsencrypt/live/{{ item.from }}/privkey.pem"
dest: "/etc/nginx/certs/{{ item.from }}.key"
state: link
force: yes
loop: "{{ sharing_sites }}"
notify: Reload nginx
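Review bot: Sites are enabled (`Activate sites`) before their certificates are linked into `/etc/nginx/certs` (`Copy certificates` / `Copy certificate keys`), so on first provisioning any nginx start between those steps — including the `--post-hook "sudo systemctl start nginx"` of the certbot task — is likely to fail on an `ssl_certificate` that points at a file which does not exist yet; move `Activate sites` after `Copy certificate keys`, or link the certificates before enabling the site. `force: yes` on the three `file` tasks is a YAML 1.1 truthy value; write `force: true`. `state: latest` on the `apt` task upgrades certbot on every run, and `state: present` is the usual choice for an idempotent role. The `Ensure the shared directory exist` task sets owner and group but no `mode`; with a folder under a user's home the nginx worker also needs traverse permission on every parent, which this task does not guarantee — consider an explicit `mode` and a comment stating the assumption about the parent directories.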


@ -0,0 +1,33 @@
{{ ansible_managed | comment }}
include "/etc/nginx/snippets/connection_upgrade.conf";
server {
listen 80;
listen [::]:80;
server_name {{ item.from }};
# Redirect to https
location / {
return 302 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/certs/{{ item.from }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ item.from }}.key;
server_name {{ item.from }};
# Logs
access_log /var/log/nginx/{{ item.from }}.log;
error_log /var/log/nginx/{{ item.from }}_error.log;
location / {
alias {{ item.folder }};
}
}
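Review bot: The HTTP→HTTPS redirect uses `302`, a temporary redirect, so clients keep trying plain HTTP first on every visit; `return 301 https://$host$request_uri;` (or 308) is the conventional choice for a permanent upgrade — the reverse-proxy template has the same 302. The `include "/etc/nginx/snippets/connection_upgrade.conf";` at the top is not used by anything in this template (nothing here proxies or forwards `Upgrade`), so it is noise in every sharing-site file and belongs with the proxying sites only. The TLS server block sets no `ssl_protocols`/`ssl_ciphers`, so it inherits whatever `nginx.conf` provides; a one-line comment noting that the TLS policy comes from the global config would save the next reader from checking.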


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}