Merge branch 'fix-certbot' into 'master'

Fix Certbot, clean reverse proxy config See merge request aurore/ansible!49
2020-11-05 00:04:34 +01:00 · 2020-11-05 00:04:34 +01:00 · b92449a1f8
parent 61f78f5bd3 24ab53675a
commit b92449a1f8
9 changed files with 174 additions and 72 deletions
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,4 +1,3 @@
---
 $ANSIBLE_VAULT;1.1;AES256
 61333538366635353537346231363235653162356330396434383631656465616330363136306563
 3861333166386536633437386335613461646466346239360a643139303037613937373631313661
--- a/host_vars/proxy-local.adm.auro.re.yml
+++ b/host_vars/proxy-local.adm.auro.re.yml
@ -0,0 +1,56 @@
+---
+certbot:
+  domains:
+    - bbb.auro.re
+    - drone.auro.re
+    - gitea.auro.re
+    - intranet.auro.re
+    - nextcloud.auro.re
+    - re2o.auro.re
+    - re2o-server.auro.re
+    - re2o-test.auro.re
+
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+  dns_masters_ipv4:
+    - "92.222.211.196"
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_tcp:
+    - name: Gitea
+      port: 2222
+      destination: "10.128.0.60:2222"
+
+  redirect_sites: {}
+
+  reverseproxy_sites:
+    - from: re2o.auro.re
+      to: 10.128.0.20
+    - from: intranet.auro.re
+      to: 10.128.0.20
+
+    - from: bbb.auro.re
+      to: 10.128.0.54
+
+    - from: nextcloud.auro.re
+      to: "10.128.0.58:8080"
+
+    - from: gitea.auro.re
+      to: "10.128.0.60:3000"
+
+    - from: drone.auro.re
+      to: "10.128.0.64:8000"
+
+    - from: re2o-test.auro.re
+      to: 10.128.0.80
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@ -0,0 +1,63 @@
+---
+certbot:
+  domains:
+    - auro.re
+    - cas.auro.re
+    - codimd.auro.re
+    - grafana.auro.re
+    - pad.auro.re
+    - passbolt.auro.re
+    - phabricator.auro.re
+    - privatebin.auro.re
+    - riot.auro.re
+    - sharelatex.auro.re
+    - wiki.auro.re
+    - www.auro.re
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+  dns_masters_ipv4:
+    - "92.222.211.196"
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_tcp: {}
+
+  redirect_sites:
+    - from: auro.re
+      to: www.auro.re
+
+  reverseproxy_sites:
+    - from: phabricator.auro.re
+      to: 10.128.0.50
+
+    - from: wiki.auro.re
+      to: 10.128.0.51
+
+    - from: www.auro.re
+      to: 10.128.0.52
+
+    - from: passbolt.auro.re
+      to: 10.128.0.53
+
+    - from: riot.auro.re
+      to: "10.128.0.150:8080"
+    - from: codimd.auro.re
+      to: "10.128.0.150:8081"
+    - from: grafana.auro.re
+      to: "10.128.0.150:8082"
+    - from: privatebin.auro.re
+      to: "10.128.0.150:8083"
+    - from: pad.auro.re
+      to: "10.128.0.150:8084"
+    - from: cas.auro.re
+      to: "10.128.0.150:8085"
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -1,26 +1,13 @@
 ---
- name: Install certbot and RFC2136 plugin
+- name: Install certbot and nginx plugin
  apt:
    update_cache: true
    name:
      - certbot
-      - python3-certbot-dns-rfc2136
-    state: present
-  register: apt_result
+      - python3-certbot-nginx
+  register: pkg_result
  retries: 3
-  until: apt_result is succeeded
-
- name: Lookup DNS masters IPv4
-  set_fact:
-    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
-    cacheable: true
-
- name: Add DNS credentials
-  template:
-    src: letsencrypt/rfc2136.ini.j2
-    dest: /etc/letsencrypt/rfc2136.ini
-    mode: 0600
-    owner: root
+  until: pkg_result is succeeded

 - name: Create /etc/letsencrypt/conf.d
  file:
@ -33,3 +20,20 @@
    src: "letsencrypt/conf.d/certname.ini.j2"
    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
    mode: 0644
+  register: certbot_config
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: stopped
+  when: certbot_config.changed
+
+- name: Generate new certificate if the configuration changed
+  shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+  when: certbot_config.changed
+
+- name: Restart services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: started
+  when: certbot_config.changed
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -1,7 +1,7 @@
 # {{ ansible_managed }}

 # Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config wildcard.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly

 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@ -15,11 +15,9 @@ email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True

-# Use DNS-01 challenge
-authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
-dns-rfc2136-propagation-seconds = 30
+# Use nginx challenge
+authenticator = nginx

 # Wildcard the domain
 cert-name = {{ certbot.certname }}
-domains = {{ certbot.domains }}
+domains = {{ ", ".join(certbot.domains) }}
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -1,7 +0,0 @@
-# {{ ansible_managed }}
-
-dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
-dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
-dns_rfc2136_algorithm = HMAC-SHA512
--- a/roles/nginx_reverseproxy/tasks/main.yml
+++ b/roles/nginx_reverseproxy/tasks/main.yml
@ -45,6 +45,21 @@
    - redirect
  notify: Reload nginx

+- name: Copy forward modules
+  template:
+    src: "nginx/modules-available/60-forward.conf.j2"
+    dest: "/etc/nginx/modules-available/60-forward.conf"
+    mode: 0644
+  notify: Reload nginx
+
+- name: Activate modules
+  file:
+    src: "/etc/nginx/modules-available/60-forward.conf"
+    dest: "/etc/nginx/modules-enabled/60-forward.conf"
+    state: link
+    mode: 0644
+  notify: Reload nginx
+
 - name: Copy 50x error page
  template:
    src: www/html/50x.html.j2
--- a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2
@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+{% for site in nginx.redirect_tcp %}
+# Forward port {{ site.port }} to {{ site.name }}
+stream {
+    server {
+        listen {{ site.port }};
+        listen [::]:{{ site.port }};
+
+        proxy_pass {{ site.destination }};
+    }
+}
+
+{% endfor %}
--- a/services_web.yml
+++ b/services_web.yml
@ -1,7 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
+- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
  roles:
    - docker

@ -12,46 +12,6 @@

 # Deploy reverse proxy
 - hosts: proxy*.adm.auro.re
-  vars:
-    certbot:
-      dns_rfc2136_name: certbot_challenge.
-      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-      mail: tech.aurore@lists.crans.org
-      certname: auro.re
-      domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
-      dns_masters_ipv4:
-        - "92.222.211.196"
-    nginx:
-      ssl:
-        cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-        cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-        trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
-      redirect_dnames:
-        - aurores.net
-        - fede-aurore.net
-
-      reverseproxy_sites:
-        - {from: re2o.auro.re, to: 10.128.0.10}
-        - {from: intranet.auro.re, to: 10.128.0.10}
-
-        - {from: phabricator.auro.re, to: 10.128.0.50}
-        - {from: wiki.auro.re, to: 10.128.0.51}
-        - {from: www.auro.re, to: 10.128.0.52}
-
-        - {from: drone.auro.re, to: "10.128.0.64:8000"}
-
-        - {from: re2o-test.auro.re, to: 10.128.0.100}
-
-        - {from: riot.auro.re, to: "10.128.0.150:8080"}
-        - {from: codimd.auro.re, to: "10.128.0.150:8081"}
-        - {from: grafana.auro.re, to: "10.128.0.150:8082"}
-        - {from: privatebin.auro.re, to: "10.128.0.150:8083"}
-        - {from: pad.auro.re, to: "10.128.0.150:8084"}
-        - {from: cas.auro.re, to: "10.128.0.150:8085"}
-
-      redirect_sites:
-        - {from: auro.re, to: www.auro.re}
  roles:
    - certbot
    - nginx_reverseproxy