Merge branch 'fix-certbot' into 'master'
Fix Certbot, clean reverse proxy config. See merge request aurore/ansible!49
This commit is contained in:
commit
b92449a1f8
9 changed files with 174 additions and 72 deletions
|
@ -1,4 +1,3 @@
|
||||||
---
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
61333538366635353537346231363235653162356330396434383631656465616330363136306563
|
61333538366635353537346231363235653162356330396434383631656465616330363136306563
|
||||||
3861333166386536633437386335613461646466346239360a643139303037613937373631313661
|
3861333166386536633437386335613461646466346239360a643139303037613937373631313661
|
||||||
|
|
56
host_vars/proxy-local.adm.auro.re.yml
Normal file
56
host_vars/proxy-local.adm.auro.re.yml
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
---
|
||||||
|
certbot:
|
||||||
|
domains:
|
||||||
|
- bbb.auro.re
|
||||||
|
- drone.auro.re
|
||||||
|
- gitea.auro.re
|
||||||
|
- intranet.auro.re
|
||||||
|
- nextcloud.auro.re
|
||||||
|
- re2o.auro.re
|
||||||
|
- re2o-server.auro.re
|
||||||
|
- re2o-test.auro.re
|
||||||
|
|
||||||
|
dns_rfc2136_name: certbot_challenge.
|
||||||
|
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||||
|
mail: tech.aurore@lists.crans.org
|
||||||
|
certname: auro.re
|
||||||
|
dns_masters_ipv4:
|
||||||
|
- "92.222.211.196"
|
||||||
|
|
||||||
|
nginx:
|
||||||
|
ssl:
|
||||||
|
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||||
|
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||||
|
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||||
|
|
||||||
|
redirect_dnames:
|
||||||
|
- aurores.net
|
||||||
|
- fede-aurore.net
|
||||||
|
|
||||||
|
redirect_tcp:
|
||||||
|
- name: Gitea
|
||||||
|
port: 2222
|
||||||
|
destination: "10.128.0.60:2222"
|
||||||
|
|
||||||
|
redirect_sites: {}
|
||||||
|
|
||||||
|
reverseproxy_sites:
|
||||||
|
- from: re2o.auro.re
|
||||||
|
to: 10.128.0.20
|
||||||
|
- from: intranet.auro.re
|
||||||
|
to: 10.128.0.20
|
||||||
|
|
||||||
|
- from: bbb.auro.re
|
||||||
|
to: 10.128.0.54
|
||||||
|
|
||||||
|
- from: nextcloud.auro.re
|
||||||
|
to: "10.128.0.58:8080"
|
||||||
|
|
||||||
|
- from: gitea.auro.re
|
||||||
|
to: "10.128.0.60:3000"
|
||||||
|
|
||||||
|
- from: drone.auro.re
|
||||||
|
to: "10.128.0.64:8000"
|
||||||
|
|
||||||
|
- from: re2o-test.auro.re
|
||||||
|
to: 10.128.0.80
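Review bot: `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_masters_ipv4` under `certbot:` are dead configuration now that the role installs `python3-certbot-nginx` and `rfc2136.ini.j2` is deleted in this same commit, yet the secret line still forces `vault_certbot_dns_secret` to be decrypted on every run of this host. Drop the three keys here and in `host_vars/proxy.adm.auro.re.yml`, and retire the TSIG key on the DNS master if nothing else uses it. Separately, `re2o-server.auro.re` is listed in `domains` with no matching `reverseproxy_sites` entry, so there is no vhost for the nginx authenticator to serve its HTTP-01 challenge from — confirm certbot can still validate that name, or add the site. The `redirect_tcp` forward for port 2222 is a plain stream proxy with no `proxy_protocol`, so the Gitea host will see every SSH connection coming from the proxy's address, which matters for its auth logs and any brute-force banning there; presumably acceptable, but worth a comment next to the entry.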
|
63
host_vars/proxy.adm.auro.re.yml
Normal file
63
host_vars/proxy.adm.auro.re.yml
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
---
|
||||||
|
certbot:
|
||||||
|
domains:
|
||||||
|
- auro.re
|
||||||
|
- cas.auro.re
|
||||||
|
- codimd.auro.re
|
||||||
|
- grafana.auro.re
|
||||||
|
- pad.auro.re
|
||||||
|
- passbolt.auro.re
|
||||||
|
- phabricator.auro.re
|
||||||
|
- privatebin.auro.re
|
||||||
|
- riot.auro.re
|
||||||
|
- sharelatex.auro.re
|
||||||
|
- wiki.auro.re
|
||||||
|
- www.auro.re
|
||||||
|
dns_rfc2136_name: certbot_challenge.
|
||||||
|
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||||
|
mail: tech.aurore@lists.crans.org
|
||||||
|
certname: auro.re
|
||||||
|
dns_masters_ipv4:
|
||||||
|
- "92.222.211.196"
|
||||||
|
|
||||||
|
nginx:
|
||||||
|
ssl:
|
||||||
|
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||||
|
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||||
|
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||||
|
|
||||||
|
redirect_dnames:
|
||||||
|
- aurores.net
|
||||||
|
- fede-aurore.net
|
||||||
|
|
||||||
|
redirect_tcp: {}
|
||||||
|
|
||||||
|
redirect_sites:
|
||||||
|
- from: auro.re
|
||||||
|
to: www.auro.re
|
||||||
|
|
||||||
|
reverseproxy_sites:
|
||||||
|
- from: phabricator.auro.re
|
||||||
|
to: 10.128.0.50
|
||||||
|
|
||||||
|
- from: wiki.auro.re
|
||||||
|
to: 10.128.0.51
|
||||||
|
|
||||||
|
- from: www.auro.re
|
||||||
|
to: 10.128.0.52
|
||||||
|
|
||||||
|
- from: passbolt.auro.re
|
||||||
|
to: 10.128.0.53
|
||||||
|
|
||||||
|
- from: riot.auro.re
|
||||||
|
to: "10.128.0.150:8080"
|
||||||
|
- from: codimd.auro.re
|
||||||
|
to: "10.128.0.150:8081"
|
||||||
|
- from: grafana.auro.re
|
||||||
|
to: "10.128.0.150:8082"
|
||||||
|
- from: privatebin.auro.re
|
||||||
|
to: "10.128.0.150:8083"
|
||||||
|
- from: pad.auro.re
|
||||||
|
to: "10.128.0.150:8084"
|
||||||
|
- from: cas.auro.re
|
||||||
|
to: "10.128.0.150:8085"
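Review bot: `redirect_dnames` still lists `aurores.net` and `fede-aurore.net`, but neither name nor its `www.` variant appears in `certbot.domains`, whereas the play-level vars removed in this commit covered them with `*.aurores.net` / `*.fede-aurore.net`. If the redirect vhosts generated from `redirect_dnames` listen on 443 with `nginx.ssl.cert` (that template is not in this diff), HTTPS requests for those names will be answered with the auro.re certificate and fail validation before the redirect fires. HTTP-01 through the nginx authenticator cannot issue wildcards, so the concrete names have to be listed, e.g. `- aurores.net`, `- www.aurores.net`, `- fede-aurore.net`, `- www.fede-aurore.net` under `domains`. The same gap exists in `host_vars/proxy-local.adm.auro.re.yml`, and `redirect_tcp: {}` there is a list (`redirect_tcp: []`) in the other host file — pick one type, since the stream template iterates it.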
|
|
@ -1,26 +1,13 @@
|
||||||
---
|
---
|
||||||
- name: Install certbot and RFC2136 plugin
|
- name: Install certbot and nginx plugin
|
||||||
apt:
|
apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
name:
|
name:
|
||||||
- certbot
|
- certbot
|
||||||
- python3-certbot-dns-rfc2136
|
- python3-certbot-nginx
|
||||||
state: present
|
register: pkg_result
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
retries: 3
|
||||||
until: apt_result is succeeded
|
until: pkg_result is succeeded
|
||||||
|
|
||||||
- name: Lookup DNS masters IPv4
|
|
||||||
set_fact:
|
|
||||||
dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
|
|
||||||
cacheable: true
|
|
||||||
|
|
||||||
- name: Add DNS credentials
|
|
||||||
template:
|
|
||||||
src: letsencrypt/rfc2136.ini.j2
|
|
||||||
dest: /etc/letsencrypt/rfc2136.ini
|
|
||||||
mode: 0600
|
|
||||||
owner: root
|
|
||||||
|
|
||||||
- name: Create /etc/letsencrypt/conf.d
|
- name: Create /etc/letsencrypt/conf.d
|
||||||
file:
|
file:
|
||||||
|
@ -33,3 +20,20 @@
|
||||||
src: "letsencrypt/conf.d/certname.ini.j2"
|
src: "letsencrypt/conf.d/certname.ini.j2"
|
||||||
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
register: certbot_config
|
||||||
|
|
||||||
|
- name: Stop services to allow certbot to generate a cert.
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: stopped
|
||||||
|
when: certbot_config.changed
|
||||||
|
|
||||||
|
- name: Generate new certificate if the configuration changed
|
||||||
|
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||||
|
when: certbot_config.changed
|
||||||
|
|
||||||
|
- name: Restart services to allow certbot to generate a cert.
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: started
|
||||||
|
when: certbot_config.changed
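Review bot: The stop → certbot → start sequence leaves nginx down if `certbot certonly` fails, because a failing `shell` task aborts the play before the "Restart services" task runs, and every site behind the proxy stays offline until someone intervenes. Stopping nginx is also counterproductive with `authenticator = nginx` (set in `certname.ini.j2` in this commit): the nginx plugin serves the HTTP-01 challenge through the running nginx and reloads it itself, and when nginx is not running it launches the binary directly outside systemd's control, so the following `service: state: started` may not behave as expected. Drop the stop/start tasks and run `command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"` (no shell features are used), or if a stop is really wanted wrap the three tasks in a `block:` with the start task under `always:`. The template task carrying `register: certbot_config` starts before this hunk, so its `- name:` line is not visible here.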
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
# Pour appliquer cette conf et générer la conf de renewal :
|
# Pour appliquer cette conf et générer la conf de renewal :
|
||||||
# certbot --config wildcard.ini certonly
|
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
|
||||||
|
|
||||||
# Use a 4096 bit RSA key instead of 2048
|
# Use a 4096 bit RSA key instead of 2048
|
||||||
rsa-key-size = 4096
|
rsa-key-size = 4096
|
||||||
|
@ -15,11 +15,9 @@ email = {{ certbot.mail }}
|
||||||
# Uncomment to use a text interface instead of ncurses
|
# Uncomment to use a text interface instead of ncurses
|
||||||
text = True
|
text = True
|
||||||
|
|
||||||
# Use DNS-01 challenge
|
# Use nginx challenge
|
||||||
authenticator = dns-rfc2136
|
authenticator = nginx
|
||||||
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
|
|
||||||
dns-rfc2136-propagation-seconds = 30
|
|
||||||
|
|
||||||
# Wildcard the domain
|
# Wildcard the domain
|
||||||
cert-name = {{ certbot.certname }}
|
cert-name = {{ certbot.certname }}
|
||||||
domains = {{ certbot.domains }}
|
domains = {{ ", ".join(certbot.domains) }}
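Review bot: The comment `# Wildcard the domain` above `cert-name` is now wrong — the authenticator switched to `nginx`, i.e. HTTP-01, which cannot issue wildcard certificates, and `domains` is rendered from an explicit hostname list. Replace it with something like `# Explicit SAN list: HTTP-01 via the nginx plugin cannot issue wildcards, so every name here needs a server block on this host` so the next edit does not reintroduce `*.auro.re`. The `# Uncomment to use a text interface` comment above an already-uncommented `text = True` is unchanged context but was stale before this change and could be fixed in the same pass.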
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
|
|
||||||
dns_rfc2136_port = 53
|
|
||||||
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
|
|
||||||
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
|
|
||||||
dns_rfc2136_algorithm = HMAC-SHA512
|
|
|
@ -45,6 +45,21 @@
|
||||||
- redirect
|
- redirect
|
||||||
notify: Reload nginx
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Copy forward modules
|
||||||
|
template:
|
||||||
|
src: "nginx/modules-available/60-forward.conf.j2"
|
||||||
|
dest: "/etc/nginx/modules-available/60-forward.conf"
|
||||||
|
mode: 0644
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Activate modules
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/modules-available/60-forward.conf"
|
||||||
|
dest: "/etc/nginx/modules-enabled/60-forward.conf"
|
||||||
|
state: link
|
||||||
|
mode: 0644
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
- name: Copy 50x error page
|
- name: Copy 50x error page
|
||||||
template:
|
template:
|
||||||
src: www/html/50x.html.j2
|
src: www/html/50x.html.j2
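Review bot: `mode: 0644` on the "Activate modules" task is applied to the link target rather than the symlink (Ansible's `file` module follows links by default), so it silently re-chmods `modules-available/60-forward.conf`, which the previous task already set; drop the `mode:` line from the `state: link` task. Placing a `stream {}` fragment under `modules-enabled/` only works because Debian's nginx.conf includes `modules-enabled/*.conf` at main context and the `60-` prefix sorts after `50-mod-stream.conf`, which issues the `load_module` for the stream module — presumably intentional, but a comment on the "Copy forward modules" task such as `# 60- sorts after 50-mod-stream.conf so the stream module is loaded first` would record it. The octal modes are written unquoted (`mode: 0644`); `mode: "0644"` is what ansible-lint's risky-octal rule expects and may be what the failing Drone build at the top of the page is complaining about.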
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% for site in nginx.redirect_tcp %}
|
||||||
|
# Forward port {{ site.port }} to {{ site.name }}
|
||||||
|
stream {
|
||||||
|
server {
|
||||||
|
listen {{ site.port }};
|
||||||
|
listen [::]:{{ site.port }};
|
||||||
|
|
||||||
|
proxy_pass {{ site.destination }};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% endfor %}
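Review bot: The loop emits one top-level `stream { ... }` block per `redirect_tcp` entry, and nginx rejects a second one ("stream" directive is duplicate), so this template breaks `nginx -t` as soon as a second TCP forward is added. Move `stream {` above `{% for site in nginx.redirect_tcp %}` and its closing `}` below `{% endfor %}`, so all `server {}` blocks live in the single `stream` context; an empty `stream {}` on the host with no forwards is valid. Upstreams see connections from the proxy's own address rather than the client's, since no `proxy_protocol on;` is set — fine for plain SSH forwarding but worth stating in the header comment, e.g. `# Plain TCP forwards: upstream sees the proxy IP, not the client IP`.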
|
|
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
---
|
---
|
||||||
# Deploy Docker hosts
|
# Deploy Docker hosts
|
||||||
- hosts: docker-ovh.adm.auro.re,docker-worker1-aurore.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
|
- hosts: docker-ovh.adm.auro.re,gitea.adm.auro.re,drone.adm.auro.re
|
||||||
roles:
|
roles:
|
||||||
- docker
|
- docker
|
||||||
|
|
||||||
|
@ -12,46 +12,6 @@
|
||||||
|
|
||||||
# Deploy reverse proxy
|
# Deploy reverse proxy
|
||||||
- hosts: proxy*.adm.auro.re
|
- hosts: proxy*.adm.auro.re
|
||||||
vars:
|
|
||||||
certbot:
|
|
||||||
dns_rfc2136_name: certbot_challenge.
|
|
||||||
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
|
||||||
mail: tech.aurore@lists.crans.org
|
|
||||||
certname: auro.re
|
|
||||||
domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
|
|
||||||
dns_masters_ipv4:
|
|
||||||
- "92.222.211.196"
|
|
||||||
nginx:
|
|
||||||
ssl:
|
|
||||||
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
|
||||||
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
|
||||||
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
|
||||||
|
|
||||||
redirect_dnames:
|
|
||||||
- aurores.net
|
|
||||||
- fede-aurore.net
|
|
||||||
|
|
||||||
reverseproxy_sites:
|
|
||||||
- {from: re2o.auro.re, to: 10.128.0.10}
|
|
||||||
- {from: intranet.auro.re, to: 10.128.0.10}
|
|
||||||
|
|
||||||
- {from: phabricator.auro.re, to: 10.128.0.50}
|
|
||||||
- {from: wiki.auro.re, to: 10.128.0.51}
|
|
||||||
- {from: www.auro.re, to: 10.128.0.52}
|
|
||||||
|
|
||||||
- {from: drone.auro.re, to: "10.128.0.64:8000"}
|
|
||||||
|
|
||||||
- {from: re2o-test.auro.re, to: 10.128.0.100}
|
|
||||||
|
|
||||||
- {from: riot.auro.re, to: "10.128.0.150:8080"}
|
|
||||||
- {from: codimd.auro.re, to: "10.128.0.150:8081"}
|
|
||||||
- {from: grafana.auro.re, to: "10.128.0.150:8082"}
|
|
||||||
- {from: privatebin.auro.re, to: "10.128.0.150:8083"}
|
|
||||||
- {from: pad.auro.re, to: "10.128.0.150:8084"}
|
|
||||||
- {from: cas.auro.re, to: "10.128.0.150:8085"}
|
|
||||||
|
|
||||||
redirect_sites:
|
|
||||||
- {from: auro.re, to: www.auro.re}
|
|
||||||
roles:
|
roles:
|
||||||
- certbot
|
- certbot
|
||||||
- nginx_reverseproxy
|
- nginx_reverseproxy
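Review bot: `hosts: proxy*.adm.auro.re` now relies on every matching inventory host having its own `host_vars` file, since the play-level `certbot` and `nginx` vars were removed; a new host matching the glob without one fails at the first `{{ certbot.certname }}` lookup with an undefined-variable error instead of a clear message. Target an explicit inventory group, or add a `pre_tasks` guard such as `- assert: { that: certbot.certname is defined, fail_msg: "missing host_vars for this proxy" }` so the failure is deliberate. Moving the vault-backed secret out of the play file is the right direction, though the new host_vars still reference it while the role no longer reads it.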
|
||||||
|
|