From f9b7e052b91f53a152df7e73a36f80cde02c89be Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 22:38:54 +0100 Subject: [PATCH 1/6] Store reverse proxy data in proxy host vars --- group_vars/all/vault.yml | 1 - host_vars/proxy-local.adm.auro.re.yml | 42 ++++++++++++++ host_vars/proxy.adm.auro.re.yml | 58 +++++++++++++++++++ .../letsencrypt/conf.d/certname.ini.j2 | 4 +- services_web.yml | 40 ------------- 5 files changed, 102 insertions(+), 43 deletions(-) create mode 100644 host_vars/proxy-local.adm.auro.re.yml create mode 100644 host_vars/proxy.adm.auro.re.yml diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 8fa4cbb..52a14ab 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,4 +1,3 @@ ---- $ANSIBLE_VAULT;1.1;AES256 61333538366635353537346231363235653162356330396434383631656465616330363136306563 3861333166386536633437386335613461646466346239360a643139303037613937373631313661 diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml new file mode 100644 index 0000000..1c05d6a --- /dev/null +++ b/host_vars/proxy-local.adm.auro.re.yml 
@@ -0,0 +1,42 @@ +--- +certbot: + domains: + - bbb.auro.re + - drone.auro.re + - gitea.auro.re + - intranet.auro.re + - nextcloud.auro.re + - re2o.auro.re + - re2o-server.auro.re + - re2o-test.auro.re + + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + dns_masters_ipv4: + - "92.222.211.196" + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: + - aurores.net + - fede-aurore.net + + redirect_sites: {} + + reverseproxy_sites: + - from: re2o.auro.re + to: 10.128.0.10 + - from: intranet.auro.re + to: 10.128.0.10 + + - from: drone.auro.re + to: "10.128.0.64:8000" + + - from: re2o-test.auro.re + to: 10.128.0.100 diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml new file mode 100644 index 0000000..00da9b1 --- /dev/null +++ b/host_vars/proxy.adm.auro.re.yml 
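Review bot: `redirect_sites: {}` declares an empty mapping, while the same key on proxy.adm.auro.re (and in the playbook block this file replaces) is a list of `{from, to}` items; the Jinja loop tolerates an empty dict, which is why it does not fail today, but the type should match — `redirect_sites: []`. The `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_masters_ipv4` values are also repeated verbatim in both proxy host_vars; if they are meant to be identical, a single entry in group_vars for the proxy group would keep the TSIG secret reference in one place and avoid the two files drifting apart.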
@@ -0,0 +1,58 @@ +--- +certbot: + domains: + - auro.re + - cas.auro.re + - codimd.auro.re + - grafana.auro.re + - pad.auro.re + - passbolt.auro.re + - phabricator.auro.re + - privatebin.auro.re + - riot.auro.re + - sharelatex.auro.re + - wiki.auro.re + - www.auro.re + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + dns_masters_ipv4: + - "92.222.211.196" + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: + - aurores.net + - fede-aurore.net + + redirect_sites: + - from: auro.re + to: www.auro.re + + reverseproxy_sites: + - from: phabricator.auro.re + to: 10.128.0.50 + + - from: wiki.auro.re + to: 10.128.0.51 + + - from: www.auro.re + to: 10.128.0.52 + + - from: riot.auro.re + to: "10.128.0.150:8080" + - from: codimd.auro.re + to: "10.128.0.150:8081" + - from: grafana.auro.re + to: "10.128.0.150:8082" + - from: privatebin.auro.re + to: "10.128.0.150:8083" + - from: pad.auro.re + to: "10.128.0.150:8084" + - from: cas.auro.re + to: "10.128.0.150:8085" diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index b063634..6683792 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : -# certbot --config wildcard.ini certonly +# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 @@ -22,4 +22,4 @@ dns-rfc2136-propagation-seconds = 30 # Wildcard the domain cert-name = {{ certbot.certname }} -domains = {{ certbot.domains }} +domains = {{ ", ".join(certbot.domains) }} 
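Review bot: `certbot.domains` now covers only auro.re names, whereas the playbook variable this file replaces also requested `aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net`; `redirect_dnames` still lists those two zones, so if the redirect vhosts listen on 443 as well they will now be served with a certificate that does not cover them. Either add the names the redirect vhost actually answers for (apex and `www.` presumably — the nginx template is not visible here) to `domains`, or make the redirect vhosts HTTP-only. Replacing the wildcards with an explicit SAN list is otherwise a good change: a leaked key on this proxy then covers only the names that really live behind it, and the certificate no longer lets this host impersonate every subdomain of three zones.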
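Review bot: `domains = {{ ", ".join(certbot.domains) }}` reaches for a Python string method from Jinja; the Ansible-idiomatic form is the filter, `domains = {{ certbot.domains | join(', ') }}`. Either form silently misbehaves if some host still defines `certbot.domains` as the old comma-separated string, because joining a string iterates its characters and certbot is then asked for one-letter domains; since the variable's type just changed, a `# certbot.domains must be a list of names (one SAN each), not a comma-separated string` comment above the line, or a `{{ certbot.domains if certbot.domains is string else certbot.domains | join(', ') }}` guard, would make that failure obvious.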
diff --git a/services_web.yml b/services_web.yml index 1d6f9ef..c62329a 100755 --- a/services_web.yml +++ b/services_web.yml @@ -12,46 +12,6 @@ # Deploy reverse proxy - hosts: proxy*.adm.auro.re - vars: - certbot: - dns_rfc2136_name: certbot_challenge. - dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" - mail: tech.aurore@lists.crans.org - certname: auro.re - domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net" - dns_masters_ipv4: - - "92.222.211.196" - nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem - - redirect_dnames: - - aurores.net - - fede-aurore.net - - reverseproxy_sites: - - {from: re2o.auro.re, to: 10.128.0.10} - - {from: intranet.auro.re, to: 10.128.0.10} - - - {from: phabricator.auro.re, to: 10.128.0.50} - - {from: wiki.auro.re, to: 10.128.0.51} - - {from: www.auro.re, to: 10.128.0.52} - - - {from: drone.auro.re, to: "10.128.0.64:8000"} - - - {from: re2o-test.auro.re, to: 10.128.0.100} - - - {from: riot.auro.re, to: "10.128.0.150:8080"} - - {from: codimd.auro.re, to: "10.128.0.150:8081"} - - {from: grafana.auro.re, to: "10.128.0.150:8082"} - - {from: privatebin.auro.re, to: "10.128.0.150:8083"} - - {from: pad.auro.re, to: "10.128.0.150:8084"} - - {from: cas.auro.re, to: "10.128.0.150:8085"} - - redirect_sites: - - {from: auro.re, to: www.auro.re} roles: - certbot - nginx_reverseproxy From ac7696c81f08b7b0964bbf018199237c9ccb0235 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:07:51 +0100 Subject: [PATCH 2/6] User cerbot-nginx to create certificates --- roles/certbot/tasks/main.yml | 39 +++++++++++-------- .../letsencrypt/conf.d/certname.ini.j2 | 8 ++-- .../templates/letsencrypt/rfc2136.ini.j2 | 7 ---- 3 files changed, 26 insertions(+), 28 deletions(-) delete mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index d6314ac..0f61e91 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,26 +1,18 @@ --- -- name: Install certbot and RFC2136 plugin +- name: Install certbot and nginx plugin apt: update_cache: true name: - certbot - - python3-certbot-dns-rfc2136 - state: present - register: apt_result + - python3-certbot-nginx + register: pkg_result retries: 3 - until: apt_result is succeeded + until: pkg_result is succeeded -- name: Lookup DNS masters IPv4 - set_fact: - dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}" - cacheable: true - -- name: Add DNS credentials - template: - src: letsencrypt/rfc2136.ini.j2 - dest: /etc/letsencrypt/rfc2136.ini - mode: 0600 - owner: root +- name: Check if certificate already exists. + stat: + path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem" + register: letsencrypt_cert - name: Create /etc/letsencrypt/conf.d file: @@ -33,3 +25,18 @@ src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 + +- name: Stop services to allow certbot to generate a cert. + service: + name: nginx + state: stopped + +- name: Generate new certificate if one doesn't exist. + shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" + when: letsencrypt_cert.stat.exists == False + +- name: Restart services to allow certbot to generate a cert. + service: + name: nginx + state: started + diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index 6683792..c23d930 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 
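Review bot: Dropping the "Add DNS credentials" task does not remove `/etc/letsencrypt/rfc2136.ini` from proxies that were already provisioned, so the TSIG secret behind `dns_rfc2136_secret` stays on disk there even though this role no longer uses it. Add a cleanup task, `- name: Remove RFC2136 credentials` with `file: { path: /etc/letsencrypt/rfc2136.ini, state: absent }`, and consider moving `python3-certbot-dns-rfc2136` to `state: absent` in the apt task (which also lost its explicit `state: present` in this hunk — harmless, as present is the default). Because that key can update the zone, rotating it on the DNS master once no host needs it would be the safe follow-up; whether anything else still relies on it is not visible here.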
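Review bot: The new "Stop services" task stops nginx immediately before running certbot with `authenticator = nginx` (set in the same patch), but the nginx plugin serves the HTTP-01 challenge through a running nginx — it is the `standalone` authenticator that needs port 80 free — so this stop is an unnecessary outage on every run, and if the plugin falls back to starting nginx itself (I believe it does when the reload fails) the later `state: started` can find the port already bound by a process systemd does not own. Drop the stop/start pair, or keep it only together with `authenticator = standalone`. Minor: `when: letsencrypt_cert.stat.exists == False` reads better as `when: not letsencrypt_cert.stat.exists`, and the certbot invocation uses no shell features, so `command:` is preferable to `shell:` even though `certbot.certname` comes from trusted host_vars.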
@@ -1,7 +1,7 @@ # {{ ansible_managed }} # Pour appliquer cette conf et générer la conf de renewal : -# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly +# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly # Use a 4096 bit RSA key instead of 2048 rsa-key-size = 4096 @@ -15,10 +15,8 @@ email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True -# Use DNS-01 challenge -authenticator = dns-rfc2136 -dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini -dns-rfc2136-propagation-seconds = 30 +# Use nginx challenge +authenticator = nginx # Wildcard the domain cert-name = {{ certbot.certname }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 deleted file mode 100644 index 342195d..0000000 --- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -dns_rfc2136_server = {{ dns_masters_ipv4 | first }} -dns_rfc2136_port = 53 -dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} -dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} -dns_rfc2136_algorithm = HMAC-SHA512 From 9de65d25746e55d613797f081d6f452dbfe70c35 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:26:49 +0100 Subject: [PATCH 3/6] Register missing services in reverse proxy config --- host_vars/proxy-local.adm.auro.re.yml | 15 ++++++++++++--- host_vars/proxy.adm.auro.re.yml | 3 +++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index 1c05d6a..c858c5a 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml 
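Review bot: Switching to `authenticator = nginx` turns every renewal into an HTTP-01 validation that must succeed for all names of the lineage at once; if any entry in `certbot.domains` stops resolving to this proxy or is not reachable on port 80, the whole `auro.re` certificate stops renewing, whereas the previous DNS-01 setup was independent of what nginx served. That constraint deserves a line in the template, e.g. `# HTTP-01 via the nginx plugin: every name in certbot.domains must point at this host and answer on port 80, or renewal of the whole lineage fails`. The `# Wildcard the domain` comment above `cert-name` is now stale since the domains are an explicit SAN list; `# One lineage covering every listed SAN` would be accurate, and the `# Uncomment to use a text interface` comment above an uncommented `text = True` is stale too.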
@@ -31,12 +31,21 @@ nginx: reverseproxy_sites: - from: re2o.auro.re - to: 10.128.0.10 + to: 10.128.0.20 - from: intranet.auro.re - to: 10.128.0.10 + to: 10.128.0.20 + + - from: bbb.auro.re + to: 10.128.0.54 + + - from: nextcloud.auro.re + to: "10.128.0.58:8080" + + - from: gitea.auro.re + to: "10.128.0.60:3000" - from: drone.auro.re to: "10.128.0.64:8000" - from: re2o-test.auro.re - to: 10.128.0.100 + to: 10.128.0.80 diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 00da9b1..8323cc0 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -44,6 +44,9 @@ nginx: - from: www.auro.re to: 10.128.0.52 + - from: passbolt.auro.re + to: 10.128.0.53 + - from: riot.auro.re to: "10.128.0.150:8080" - from: codimd.auro.re From 03d48a2d8213f1f64465bedbac1852a01689c227 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:49:35 +0100 Subject: [PATCH 4/6] Add possibility to configure port forwarding, like SSH for Gitea --- host_vars/proxy-local.adm.auro.re.yml | 5 +++++ host_vars/proxy.adm.auro.re.yml | 2 ++ roles/nginx_reverseproxy/tasks/main.yml | 15 +++++++++++++++ .../nginx/modules-available/60-forward.conf.j2 | 14 ++++++++++++++ 4 files changed, 36 insertions(+) create mode 100644 roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 diff --git a/host_vars/proxy-local.adm.auro.re.yml b/host_vars/proxy-local.adm.auro.re.yml index c858c5a..b92c1ac 100644 --- a/host_vars/proxy-local.adm.auro.re.yml +++ b/host_vars/proxy-local.adm.auro.re.yml @@ -27,6 +27,11 @@ nginx: - aurores.net - fede-aurore.net + redirect_tcp: + - name: Gitea + port: 2222 + destination: "10.128.0.60:2222" + redirect_sites: {} reverseproxy_sites: diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index 8323cc0..f4b710e 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml 
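Review bot: `redirect_tcp` opens a raw TCP forward on port 2222 of the proxy towards `10.128.0.60:2222`; nginx's stream proxy connects from its own address, so Gitea's SSH daemon and any fail2ban or audit logging there will see only the proxy's IP for every client. If client attribution matters, add an `access_log` in the `stream` context on the proxy or use `proxy_protocol` if the backend can accept it — neither is in the template this patch adds. The item shape (`name`, `port`, `destination`) is only visible here, so a short comment above the key, `# TCP forwards served by nginx stream: name (comment only), port (listen on proxy), destination (host:port)`, or a README entry for the role would help the next person adding one.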
@@ -30,6 +30,8 @@ nginx: - aurores.net - fede-aurore.net + redirect_tcp: {} + redirect_sites: - from: auro.re to: www.auro.re diff --git a/roles/nginx_reverseproxy/tasks/main.yml b/roles/nginx_reverseproxy/tasks/main.yml index 4ccaa2a..497048d 100644 --- a/roles/nginx_reverseproxy/tasks/main.yml +++ b/roles/nginx_reverseproxy/tasks/main.yml @@ -45,6 +45,21 @@ - redirect notify: Reload nginx +- name: Copy forward modules + template: + src: "nginx/modules-available/60-forward.conf.j2" + dest: "/etc/nginx/modules-available/60-forward.conf" + mode: 0644 + notify: Reload nginx + +- name: Activate modules + file: + src: "/etc/nginx/modules-available/60-forward.conf" + dest: "/etc/nginx/modules-enabled/60-forward.conf" + state: link + mode: 0644 + notify: Reload nginx + - name: Copy 50x error page template: src: www/html/50x.html.j2 diff --git a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 new file mode 100644 index 0000000..9a86a5d --- /dev/null +++ b/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 @@ -0,0 +1,14 @@ +# {{ ansible_managed }} + +{% for site in nginx.redirect_tcp %} +# Forward port {{ site.port }} to {{ site.name }} +stream { + server { + listen {{ site.port }}; + listen [::]:{{ site.port }}; + + proxy_pass {{ site.destination }}; + } +} + +{% endfor %} From b1f56938e68080d670e285deda5278370ed04058 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:51:10 +0100 Subject: [PATCH 5/6] Remove inexistant docker host --- services_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services_web.yml b/services_web.yml index c62329a..0fa16fa 100755 --- a/services_web.yml +++ b/services_web.yml 
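Review bot: `redirect_tcp: {}` declares an empty mapping, but proxy-local.adm.auro.re defines the same key as a list of `{name, port, destination}` items and the forward template iterates it as a list; use `redirect_tcp: []` so both hosts carry the same type. An empty dict happens to iterate as nothing, which is the only reason this does not fail today.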
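Review bot: The loop emits one top-level `stream { … }` block per entry, but nginx accepts a single `stream` context, so the second `redirect_tcp` item on a host would fail the config test with a duplicate `stream` directive and the notified reload would not apply. Put the loop inside one `stream` block, and guard the whole thing so hosts with no forwards (or with the key undefined) render an empty file instead of an empty `stream {}` that needs the stream module. This assumes `libnginx-mod-stream` is installed and loaded by an earlier `50-mod-stream.conf` in modules-enabled — the `60-` prefix suggests that ordering was intended, but the role does not show it.

```jinja
# {{ ansible_managed }}

{% set forwards = nginx.redirect_tcp | default([]) %}
{% if forwards %}
stream {
{% for site in forwards %}
    # Forward port {{ site.port }} to {{ site.name }}
    server {
        listen {{ site.port }};
        listen [::]:{{ site.port }};

        proxy_pass {{ site.destination }};
    }
{% endfor %}
}
{% endif %}
```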
@@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Docker hosts -- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re +- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re roles: - docker From 24ab53675a2f099685fdeca4b31c507417c560fa Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Wed, 4 Nov 2020 23:58:27 +0100 Subject: [PATCH 6/6] Automatically renew certificates if a new domain was added --- roles/certbot/tasks/main.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 0f61e91..f29d557 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -9,11 +9,6 @@ retries: 3 until: pkg_result is succeeded -- name: Check if certificate already exists. - stat: - path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem" - register: letsencrypt_cert - - name: Create /etc/letsencrypt/conf.d file: path: /etc/letsencrypt/conf.d @@ -25,18 +20,20 @@ src: "letsencrypt/conf.d/certname.ini.j2" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" mode: 0644 + register: certbot_config - name: Stop services to allow certbot to generate a cert. service: name: nginx state: stopped + when: certbot_config.changed -- name: Generate new certificate if one doesn't exist. +- name: Generate new certificate if the configuration changed shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" - when: letsencrypt_cert.stat.exists == False + when: certbot_config.changed - name: Restart services to allow certbot to generate a cert. service: name: nginx state: started - + when: certbot_config.changed
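Review bot: Gating certificate creation solely on `certbot_config.changed` loses the case the removed `stat` task covered: if the ini is already in place but no certificate exists (a first run that aborted after templating, a rebuilt `/etc/letsencrypt`, a host restored with identical config), the generate task is skipped on every run and nginx keeps pointing at a missing `privkey.pem`. Keep the `stat` task and use `when: certbot_config is changed or not letsencrypt_cert.stat.exists` on all three tasks. The stop/start of nginx around a run that uses the nginx authenticator remains questionable (the plugin reloads a running nginx; `standalone` is the one that needs port 80 free), and the `shell:` invocation could be `command:` since no shell features are used.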