diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 8fa4cbb..52a14ab 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,4 +1,3 @@
----
 $ANSIBLE_VAULT;1.1;AES256
 61333538366635353537346231363235653162356330396434383631656465616330363136306563
 3861333166386536633437386335613461646466346239360a643139303037613937373631313661
diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml
new file mode 100644
index 0000000..b92c1ac
--- /dev/null
+++ b/host_vars/proxy-local.adm.auro.re.yml
@@ -0,0 +1,56 @@
+---
+certbot:
+ domains:
+ - bbb.auro.re
+ - drone.auro.re
+ - gitea.auro.re
+ - intranet.auro.re
+ - nextcloud.auro.re
+ - re2o.auro.re
+ - re2o-server.auro.re
+ - re2o-test.auro.re
+
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ dns_masters_ipv4:
+ - "92.222.211.196"
+
+nginx:
+ ssl:
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+ redirect_dnames:
+ - aurores.net
+ - fede-aurore.net
+
+ redirect_tcp:
+ - name: Gitea
+ port: 2222
+ destination: "10.128.0.60:2222"
+
+ redirect_sites: {}
+
+ reverseproxy_sites:
+ - from: re2o.auro.re
+ to: 10.128.0.20
+ - from: intranet.auro.re
+ to: 10.128.0.20
+
+ - from: bbb.auro.re
+ to: 10.128.0.54
+
+ - from: nextcloud.auro.re
+ to: "10.128.0.58:8080"
+
+ - from: gitea.auro.re
+ to: "10.128.0.60:3000"
+
+ - from: drone.auro.re
+ to: "10.128.0.64:8000"
+
+ - from: re2o-test.auro.re
+ to: 10.128.0.80
diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml
new file mode 100644
index 0000000..f4b710e
--- /dev/null
+++ b/host_vars/proxy.adm.auro.re.yml
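Review bot: The `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_masters_ipv4` keys under `certbot:` are dead configuration after this commit — their only consumers, the `Add DNS credentials` task and `roles/certbot/templates/letsencrypt/rfc2136.ini.j2`, are removed further down and the certbot template now sets `authenticator = nginx`. Leaving a `vault_certbot_dns_secret` reference in every proxy host file suggests to the next reader that DNS-01 is still in use; drop the three keys here and in `host_vars/proxy.adm.auro.re.yml`. Also, `redirect_sites: {}` declares an empty mapping while the other host gives `redirect_sites` as a list (and the reverse holds for `redirect_tcp`); `redirect_sites: []` keeps the type the templates iterate over consistent across hosts.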
@@ -0,0 +1,63 @@
+---
+certbot:
+ domains:
+ - auro.re
+ - cas.auro.re
+ - codimd.auro.re
+ - grafana.auro.re
+ - pad.auro.re
+ - passbolt.auro.re
+ - phabricator.auro.re
+ - privatebin.auro.re
+ - riot.auro.re
+ - sharelatex.auro.re
+ - wiki.auro.re
+ - www.auro.re
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ dns_masters_ipv4:
+ - "92.222.211.196"
+
+nginx:
+ ssl:
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+ redirect_dnames:
+ - aurores.net
+ - fede-aurore.net
+
+ redirect_tcp: {}
+
+ redirect_sites:
+ - from: auro.re
+ to: www.auro.re
+
+ reverseproxy_sites:
+ - from: phabricator.auro.re
+ to: 10.128.0.50
+
+ - from: wiki.auro.re
+ to: 10.128.0.51
+
+ - from: www.auro.re
+ to: 10.128.0.52
+
+ - from: passbolt.auro.re
+ to: 10.128.0.53
+
+ - from: riot.auro.re
+ to: "10.128.0.150:8080"
+ - from: codimd.auro.re
+ to: "10.128.0.150:8081"
+ - from: grafana.auro.re
+ to: "10.128.0.150:8082"
+ - from: privatebin.auro.re
+ to: "10.128.0.150:8083"
+ - from: pad.auro.re
+ to: "10.128.0.150:8084"
+ - from: cas.auro.re
+ to: "10.128.0.150:8085"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index d6314ac..f29d557 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
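Review bot: `redirect_dnames` still lists `aurores.net` and `fede-aurore.net`, but `certbot.domains` for this host (and for proxy-local) no longer covers them — the playbook vars removed in `services_web.yml` included `aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net` through the old wildcard string. If the redirect server blocks listen on 443 with `nginx.ssl.cert` (the redirect template is not part of this diff, so I cannot confirm), HTTPS requests to those names will fail with a certificate name mismatch until they are added back, e.g. `- aurores.net` and `- fede-aurore.net` under `domains:`; wildcard entries are no longer an option because the nginx authenticator cannot validate them, so every redirected name has to be spelled out. A one-line comment above `redirect_dnames:` saying that each redirected name must also appear in `certbot.domains` would keep the two lists from drifting apart again.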
@@ -1,26 +1,13 @@ --- -- name: Install certbot and RFC2136 plugin +- name: Install certbot and nginx plugin apt: update_cache: true name: - certbot - - python3-certbot-dns-rfc2136 - state: present - register: apt_result + - python3-certbot-nginx + register: pkg_result retries: 3 - until: apt_result is succeeded - -- name: Lookup DNS masters IPv4 - set_fact: - dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}" - cacheable: true - -- name: Add DNS credentials - template: - src: letsencrypt/rfc2136.ini.j2 - dest: /etc/letsencrypt/rfc2136.ini - mode: 0600 - owner: root + until: pkg_result is succeeded - name: Create /etc/letsencrypt/conf.d file: @@ -33,3 +20,20 @@ src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 + register: certbot_config + +- name: Stop services to allow certbot to generate a cert. + service: + name: nginx + state: stopped + when: certbot_config.changed + +- name: Generate new certificate if the configuration changed + shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" + when: certbot_config.changed + +- name: Restart services to allow certbot to generate a cert. + service: + name: nginx + state: started + when: certbot_config.changed diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index b063634..c23d930 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : -# certbot --config wildcard.ini certonly +# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 
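Review bot: In the second hunk a failing `certbot certonly` leaves nginx stopped: the `Stop services` task runs, the `shell` task fails and aborts the play, and the `Restart services` task is never reached, so one bad configuration change takes the reverse proxy down for every site on the host. Group the three tasks in a `block:` with the start task under `always:` so nginx comes back whatever certbot returns, and use `command:` rather than `shell:` since the line needs no shell features and `certbot.certname` is interpolated into it. Separately, the `nginx` authenticator selected in `certname.ini.j2` is designed to work against a running nginx (it edits the server blocks and reloads), so the stop/start pair may no longer be needed at all — worth confirming against the certbot-nginx documentation before keeping it. The task list continues outside this hunk (the `Create /etc/letsencrypt/conf.d` task and the conf.d template task begin in the preceding context).
```yaml
- name: Renew the certificate when the certbot configuration changed
  when: certbot_config.changed
  block:
    - name: Stop services to allow certbot to generate a cert.
      service:
        name: nginx
        state: stopped

    - name: Generate new certificate if the configuration changed
      command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
  always:
    - name: Restart services to allow certbot to generate a cert.
      service:
        name: nginx
        state: started
```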
@@ -15,11 +15,9 @@ email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True -# Use DNS-01 challenge -authenticator = dns-rfc2136 -dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini -dns-rfc2136-propagation-seconds = 30 +# Use nginx challenge +authenticator = nginx # Wildcard the domain cert-name = {{ certbot.certname }} -domains = {{ certbot.domains }} +domains = {{ ", ".join(certbot.domains) }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 deleted file mode 100644 index 342195d..0000000 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -dns_rfc2136_server = {{ dns_masters_ipv4 | first }} -dns_rfc2136_port = 53 -dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} -dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} -dns_rfc2136_algorithm = HMAC-SHA512 diff --git a/roles/nginx_reverseproxy/tasks/main.yml b/roles/nginx_reverseproxy/tasks/main.yml index 4ccaa2a..497048d 100644 --- a/roles/nginx_reverseproxy/tasks/main.yml +++ b/roles/nginx_reverseproxy/tasks/main.yml @@ -45,6 +45,21 @@ - redirect notify: Reload nginx +- name: Copy forward modules + template: + src: "nginx/modules-available/60-forward.conf.j2" + dest: "/etc/nginx/modules-available/60-forward.conf" + mode: 0644 + notify: Reload nginx + +- name: Activate modules + file: + src: "/etc/nginx/modules-available/60-forward.conf" + dest: "/etc/nginx/modules-enabled/60-forward.conf" + state: link + mode: 0644 + notify: Reload nginx + - name: Copy 50x error page template: src: www/html/50x.html.j2 diff --git a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 new file mode 100644 index 0000000..9a86a5d --- /dev/null +++ b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 
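Review bot: The `# Wildcard the domain` comment above `cert-name` is now misleading: with `authenticator = nginx` validation goes through nginx-served challenges, and wildcard names can only be issued via DNS-01, which this commit removes — accordingly the per-host `certbot.domains` lists contain no `*.` entries. Replace it with `# Certificate name and its SAN list (one entry per host name; the nginx authenticator cannot issue wildcards)`. It is also worth a one-line comment above `domains =` stating that `certbot.domains` must be a YAML list for the `", ".join(...)` expression, because the old playbook passed a comma-separated string, which that expression would now join character by character.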
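Review bot: The `Activate modules` task symlinks a file that declares a `stream {}` block (see `60-forward.conf.j2` below), and that block only parses when nginx has the stream module loaded; on Debian it ships in the separate `libnginx-mod-stream` package, which nothing in this diff installs. If the role's package task elsewhere does not pull it in, the `nginx -t` run by the `Reload nginx` handler fails on an unknown `stream` directive and the reload is refused. A comment on the task such as `# needs the stream module (libnginx-mod-stream); its 50-mod-stream.conf sorts before 60-forward.conf` would record the dependency. Also, `mode: 0644` on a `state: link` task does not change the symlink itself (Linux symlinks carry no permission bits of their own), so it can be dropped to avoid implying it protects something.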
@@ -0,0 +1,14 @@ +# {{ ansible_managed }} + +{% for site in nginx.redirect_tcp %} +# Forward port {{ site.port }} to {{ site.name }} +stream { + server { + listen {{ site.port }}; + listen [::]:{{ site.port }}; + + proxy_pass {{ site.destination }}; + } +} + +{% endfor %} diff --git a/services_web.yml b/services_web.yml index 1d6f9ef..0fa16fa 100755 --- a/services_web.yml +++ b/services_web.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Docker hosts -- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re +- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re roles: - docker 
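Review bot: The `{% for %}` loop wraps a whole `stream {` block around each entry, so any host with more than one `redirect_tcp` item renders two top-level `stream` contexts and nginx rejects the configuration (`"stream" directive is duplicate`); it works today only because `proxy-local` has a single entry and `proxy` has none. Move the loop inside one `stream {}` block, and guard that block with `{% if nginx.redirect_tcp %}` so hosts without forwards do not emit an empty `stream` context that still requires the module to be loaded.
```nginx
# {{ ansible_managed }}

{% if nginx.redirect_tcp %}
stream {
{% for site in nginx.redirect_tcp %}
    # Forward port {{ site.port }} to {{ site.name }}
    server {
        listen {{ site.port }};
        listen [::]:{{ site.port }};

        proxy_pass {{ site.destination }};
    }

{% endfor %}
}
{% endif %}
```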
@@ -12,46 +12,6 @@ # Deploy reverse proxy - hosts: proxy*.adm.auro.re - vars: - certbot: - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - mail: tech.aurore@lists.crans.org - certname: auro.re - domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net" - dns_masters_ipv4: - - "92.222.211.196" - nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem - - redirect_dnames: - - aurores.net - - fede-aurore.net - - reverseproxy_sites: - - {from: re2o.auro.re, to: 10.128.0.10} - - {from: intranet.auro.re, to: 10.128.0.10} - - - {from: phabricator.auro.re, to: 10.128.0.50} - - {from: wiki.auro.re, to: 10.128.0.51} - - {from: www.auro.re, to: 10.128.0.52} - - - {from: drone.auro.re, to: "10.128.0.64:8000"} - - - {from: re2o-test.auro.re, to: 10.128.0.100} - - - {from: riot.auro.re, to: "10.128.0.150:8080"} - - {from: codimd.auro.re, to: "10.128.0.150:8081"} - - {from: grafana.auro.re, to: "10.128.0.150:8082"} - - {from: privatebin.auro.re, to: "10.128.0.150:8083"} - - {from: pad.auro.re, to: "10.128.0.150:8084"} - - {from: cas.auro.re, to: "10.128.0.150:8085"} - - redirect_sites: - - {from: auro.re, to: www.auro.re} roles: - certbot - nginx_reverseproxy