Merge branch 'fix-certbot' into 'master'
Some checks failed
continuous-integration/drone/push Build is failing

Fix Certbot, clean reverse proxy config

See merge request aurore/ansible!49
This commit is contained in:
ynerant 2020-11-05 00:04:34 +01:00
commit b92449a1f8
9 changed files with 174 additions and 72 deletions

View file

@ -1,4 +1,3 @@
---
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61333538366635353537346231363235653162356330396434383631656465616330363136306563 61333538366635353537346231363235653162356330396434383631656465616330363136306563
3861333166386536633437386335613461646466346239360a643139303037613937373631313661 3861333166386536633437386335613461646466346239360a643139303037613937373631313661

View file

@ -0,0 +1,56 @@
---
certbot:
domains:
- bbb.auro.re
- drone.auro.re
- gitea.auro.re
- intranet.auro.re
- nextcloud.auro.re
- re2o.auro.re
- re2o-server.auro.re
- re2o-test.auro.re
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
dns_masters_ipv4:
- "92.222.211.196"
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp:
- name: Gitea
port: 2222
destination: "10.128.0.60:2222"
redirect_sites: {}
reverseproxy_sites:
- from: re2o.auro.re
to: 10.128.0.20
- from: intranet.auro.re
to: 10.128.0.20
- from: bbb.auro.re
to: 10.128.0.54
- from: nextcloud.auro.re
to: "10.128.0.58:8080"
- from: gitea.auro.re
to: "10.128.0.60:3000"
- from: drone.auro.re
to: "10.128.0.64:8000"
- from: re2o-test.auro.re
to: 10.128.0.80

View file

@ -0,0 +1,63 @@
---
certbot:
domains:
- auro.re
- cas.auro.re
- codimd.auro.re
- grafana.auro.re
- pad.auro.re
- passbolt.auro.re
- phabricator.auro.re
- privatebin.auro.re
- riot.auro.re
- sharelatex.auro.re
- wiki.auro.re
- www.auro.re
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
dns_masters_ipv4:
- "92.222.211.196"
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
redirect_tcp: {}
redirect_sites:
- from: auro.re
to: www.auro.re
reverseproxy_sites:
- from: phabricator.auro.re
to: 10.128.0.50
- from: wiki.auro.re
to: 10.128.0.51
- from: www.auro.re
to: 10.128.0.52
- from: passbolt.auro.re
to: 10.128.0.53
- from: riot.auro.re
to: "10.128.0.150:8080"
- from: codimd.auro.re
to: "10.128.0.150:8081"
- from: grafana.auro.re
to: "10.128.0.150:8082"
- from: privatebin.auro.re
to: "10.128.0.150:8083"
- from: pad.auro.re
to: "10.128.0.150:8084"
- from: cas.auro.re
to: "10.128.0.150:8085"

View file

@ -1,26 +1,13 @@
--- ---
- name: Install certbot and RFC2136 plugin - name: Install certbot and nginx plugin
apt: apt:
update_cache: true update_cache: true
name: name:
- certbot - certbot
- python3-certbot-dns-rfc2136 - python3-certbot-nginx
state: present register: pkg_result
register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: pkg_result is succeeded
- name: Lookup DNS masters IPv4
set_fact:
dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
cacheable: true
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: /etc/letsencrypt/rfc2136.ini
mode: 0600
owner: root
- name: Create /etc/letsencrypt/conf.d - name: Create /etc/letsencrypt/conf.d
file: file:
@ -33,3 +20,20 @@
src: "letsencrypt/conf.d/certname.ini.j2" src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini" dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644 mode: 0644
register: certbot_config
- name: Stop services to allow certbot to generate a cert.
service:
name: nginx
state: stopped
when: certbot_config.changed
- name: Generate new certificate if the configuration changed
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
when: certbot_config.changed
- name: Restart services to allow certbot to generate a cert.
service:
name: nginx
state: started
when: certbot_config.changed

View file

@ -1,7 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# Pour appliquer cette conf et générer la conf de renewal : # Pour appliquer cette conf et générer la conf de renewal :
# certbot --config wildcard.ini certonly # certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048 # Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096 rsa-key-size = 4096
@ -15,11 +15,9 @@ email = {{ certbot.mail }}
# Uncomment to use a text interface instead of ncurses # Uncomment to use a text interface instead of ncurses
text = True text = True
# Use DNS-01 challenge # Use nginx challenge
authenticator = dns-rfc2136 authenticator = nginx
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain # Wildcard the domain
cert-name = {{ certbot.certname }} cert-name = {{ certbot.certname }}
domains = {{ certbot.domains }} domains = {{ ", ".join(certbot.domains) }}

View file

@ -1,7 +0,0 @@
# {{ ansible_managed }}
dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512

View file

@ -45,6 +45,21 @@
- redirect - redirect
notify: Reload nginx notify: Reload nginx
- name: Copy forward modules
template:
src: "nginx/modules-available/60-forward.conf.j2"
dest: "/etc/nginx/modules-available/60-forward.conf"
mode: 0644
notify: Reload nginx
- name: Activate modules
file:
src: "/etc/nginx/modules-available/60-forward.conf"
dest: "/etc/nginx/modules-enabled/60-forward.conf"
state: link
mode: 0644
notify: Reload nginx
- name: Copy 50x error page - name: Copy 50x error page
template: template:
src: www/html/50x.html.j2 src: www/html/50x.html.j2

View file

@ -0,0 +1,14 @@
# {{ ansible_managed }}
{% for site in nginx.redirect_tcp %}
# Forward port {{ site.port }} to {{ site.name }}
stream {
server {
listen {{ site.port }};
listen [::]:{{ site.port }};
proxy_pass {{ site.destination }};
}
}
{% endfor %}

View file

@ -1,7 +1,7 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy Docker hosts # Deploy Docker hosts
- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re - hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
roles: roles:
- docker - docker
@ -12,46 +12,6 @@
# Deploy reverse proxy # Deploy reverse proxy
- hosts: proxy*.adm.auro.re - hosts: proxy*.adm.auro.re
vars:
certbot:
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
dns_masters_ipv4:
- "92.222.211.196"
nginx:
ssl:
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
redirect_dnames:
- aurores.net
- fede-aurore.net
reverseproxy_sites:
- {from: re2o.auro.re, to: 10.128.0.10}
- {from: intranet.auro.re, to: 10.128.0.10}
- {from: phabricator.auro.re, to: 10.128.0.50}
- {from: wiki.auro.re, to: 10.128.0.51}
- {from: www.auro.re, to: 10.128.0.52}
- {from: drone.auro.re, to: "10.128.0.64:8000"}
- {from: re2o-test.auro.re, to: 10.128.0.100}
- {from: riot.auro.re, to: "10.128.0.150:8080"}
- {from: codimd.auro.re, to: "10.128.0.150:8081"}
- {from: grafana.auro.re, to: "10.128.0.150:8082"}
- {from: privatebin.auro.re, to: "10.128.0.150:8083"}
- {from: pad.auro.re, to: "10.128.0.150:8084"}
- {from: cas.auro.re, to: "10.128.0.150:8085"}
redirect_sites:
- {from: auro.re, to: www.auro.re}
roles: roles:
- certbot - certbot
- nginx_reverseproxy - nginx_reverseproxy