Commit
5ddcacc2
authored
Jun 21, 2019
by
MichiK
Add nginx and acmetool basics
parent
4db2c58f
Changes
17
Showing
17 changed files
with
276 additions
and
0 deletions
+276
-0
group_vars/all
group_vars/all
+3
-0
host_vars/test01.heaven.michik.net
host_vars/test01.heaven.michik.net
+19
-0
roles/acmetool/defaults/main.yml
roles/acmetool/defaults/main.yml
+13
-0
roles/acmetool/meta/main.yml
roles/acmetool/meta/main.yml
+2
-0
roles/acmetool/tasks/main.yml
roles/acmetool/tasks/main.yml
+28
-0
roles/acmetool/templates/responses.j2
roles/acmetool/templates/responses.j2
+13
-0
roles/nginx-http/defaults/main.yml
roles/nginx-http/defaults/main.yml
+8
-0
roles/nginx-http/handlers/main.yml
roles/nginx-http/handlers/main.yml
+4
-0
roles/nginx-http/tasks/main.yml
roles/nginx-http/tasks/main.yml
+39
-0
roles/nginx-http/templates/default.j2
roles/nginx-http/templates/default.j2
+18
-0
roles/nginx-http/templates/nginx.conf.j2
roles/nginx-http/templates/nginx.conf.j2
+43
-0
roles/nginx-https/defaults/main.yml
roles/nginx-https/defaults/main.yml
+14
-0
roles/nginx-https/handlers/main.yml
roles/nginx-https/handlers/main.yml
+4
-0
roles/nginx-https/meta/main.yml
roles/nginx-https/meta/main.yml
+3
-0
roles/nginx-https/tasks/main.yml
roles/nginx-https/tasks/main.yml
+20
-0
roles/nginx-https/templates/https-site.j2
roles/nginx-https/templates/https-site.j2
+35
-0
services-base.yml
services-base.yml
+10
-0
group_vars/all
# This should be some e-mail address where technical messages may go.
admin_email
:
"
michik@michik.net"
# Please feel free to add your favorite software you need absolutely everywhere
# here. However, please do not leave too much stuff nobody else might use or
# stuff that could be handy for an attacker.
...
...
host_vars/test01.heaven.michik.net
0 → 100644
acmetool_cert_domains
:
-
"
test01.heaven.michik.net"
#acmetool_server: "https://acme-staging.api.letsencrypt.org/directory"
nginx_http_locations
:
-
location
:
"
/"
config
:
|
return 301 https://$host$request_uri;
nginx_https_sites
:
-
name
:
"
test01.heaven.michik.net"
locations
:
-
location
:
"
/"
config
:
|
root /var/www/html;
headers
:
null
# vim: set ft=yaml:
roles/acmetool/defaults/main.yml
0 → 100644
# Please note that acmetool_webroot is defined in the defaults of the
# nginx-http role as it is needed for the default HTTP configuration of
# nginx (much simpler that way).
acmetool_cert_domains
:
-
"
{{
ansible_fqdn
}}"
# This is the production environment. To use the staging environment, please
# override for the host(s) in question with the following URL:
# https://acme-staging.api.letsencrypt.org/directory
#
# When this changes, you need to delete /var/lib/acme/conf/target manually!
acmetool_server
:
"
https://acme-v01.api.letsencrypt.org/directory"
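Review bot: The default `acmetool_server` points at the ACME v1 directory, and Let's Encrypt announced in 2019 that the v1 endpoint is being retired, so this default will eventually fail for new accounts without any hint in this file. The comment block above the value should say so and name the successor, the v2 directory at `https://acme-v02.api.letsencrypt.org/directory`. Whether the packaged acmetool speaks ACME v2 depends on the version the target distribution ships, so that needs confirming before the URL is switched. Suggested comment line: `# NOTE: acme-v01 is scheduled for end-of-life; move to the v2 directory once the installed acmetool supports it.`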
roles/acmetool/meta/main.yml
0 → 100644
dependencies
:
-
nginx-http
roles/acmetool/tasks/main.yml
0 → 100644
-
name
:
install acmetool
apt
:
package
:
acmetool
state
:
present
-
name
:
create acmetool conf and webroot directories
file
:
dest
:
"
/var/lib/acme/{{
item
}}"
state
:
directory
with_items
:
-
"
conf"
-
"
webroot"
-
name
:
install acmetool response file
template
:
src
:
"
responses.j2"
dest
:
"
/var/lib/acme/conf/responses"
-
name
:
execute acmetool quickstart
command
:
"
acmetool
quickstart
--batch"
args
:
creates
:
"
/var/lib/acme/conf/target"
-
name
:
request a certificate
command
:
'
acmetool
want
--batch
{{
item
}}'
args
:
creates
:
"
/var/lib/acme/live/{{
item
}}"
with_items
:
"
{{
acmetool_cert_domains
}}"
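Review bot: The `install acmetool response file` task re-renders the responses file on every run, but the only consumer is `execute acmetool quickstart`, which is guarded by `creates: /var/lib/acme/conf/target` and therefore runs once; a later change to `admin_email` or `acmetool_server` is rendered and then silently ignored. The defaults file mentions the manual delete of the target file, but the task list itself gives no hint, so a comment belongs above the quickstart task: `# One-shot: re-run only after removing /var/lib/acme/conf/target (see defaults/main.yml)`. If you want the play to surface it instead, `register` the template task's result and fail or warn when it reports `changed` while the target file already exists.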
roles/acmetool/templates/responses.j2
0 → 100644
# {{ ansible_managed }}
"acme-enter-email": "{{ admin_email }}"
"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
"acmetool-quickstart-choose-server": {{ acmetool_server }}
"acmetool-quickstart-choose-method": webroot
"acmetool-quickstart-webroot-path": "{{ acmetool_webroot }}/acme-challenge"
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": true
"acmetool-quickstart-install-haproxy-script": true
"acmetool-quickstart-install-redirector-systemd": true
"acmetool-quickstart-key-type": rsa
"acmetool-quickstart-rsa-key-size": 4096
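Review bot: `"acmetool-quickstart-install-redirector-systemd": true` asks acmetool to install its HTTP-to-HTTPS redirector service, which as its purpose suggests binds port 80, while the nginx-http role in this same commit already listens on 80 in default.j2 and host_vars even carry the `return 301 https://...` redirect for nginx; one of the two will fail to bind, so this should be `false`. The haproxy script (`"acmetool-quickstart-install-haproxy-script": true`) is similarly unused by anything in this commit and could be `false` too. Separately, `acmetool-quickstart-choose-server` is the only templated value left unquoted; for consistency with the lines above it write `"acmetool-quickstart-choose-server": "{{ acmetool_server }}"`.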
roles/nginx-http/defaults/main.yml
0 → 100644
acmetool_webroot
:
"
/var/lib/acme/webroot"
nginx_http_locations
:
-
location
:
"
/"
config
:
|
root /var/www/html;
nginx_worker_processes
:
"
auto"
roles/nginx-http/handlers/main.yml
0 → 100644
-
name
:
restart nginx
systemd
:
name
:
nginx
state
:
restarted
roles/nginx-http/tasks/main.yml
0 → 100644
-
name
:
install nginx
apt
:
package
:
nginx
state
:
present
-
name
:
enable nginx
systemd
:
name
:
"
nginx"
enabled
:
yes
-
name
:
configure nginx
template
:
src
:
"
nginx.conf.j2"
dest
:
"
/etc/nginx/nginx.conf"
register
:
nginx_conf
-
name
:
configure the default site
template
:
src
:
"
default.j2"
dest
:
"
/etc/nginx/sites-available/default"
register
:
nginx_default_config
-
name
:
enable the default site
file
:
src
:
"
/etc/nginx/sites-available/default"
dest
:
"
/etc/nginx/sites-enabled/default"
state
:
link
register
:
nginx_default_enabled
# We do this here instead of using the handler so that when the a role that
# depends on this as well as on acmetool (e.g. nginx-https) is used in a
# playbook, nginx is restarted with the proper configuration before the
# acmetool tasks are run.
-
name
:
restart nginx
systemd
:
name
:
"
nginx"
state
:
restarted
when
:
nginx_conf.changed or nginx_default_config.changed or nginx_default_enabled.changed
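Review bot: The final `restart nginx` task restarts the service whenever one of the three registered results changed, without any syntax check, so a template mistake stops nginx and the failed restart leaves it stopped until someone logs in. For `/etc/nginx/nginx.conf` the template module can check the rendered file before moving it into place, `validate: "nginx -t -c %s"`; the site file cannot be tested in isolation that way, so consider `state: reloaded` for that case, since an nginx reload keeps the running configuration when the new one fails to parse (a changed `user` or `pid` in nginx.conf still needs a full restart, which this task could keep). Minor style point on the `enable nginx` task: write `enabled: true` rather than `yes`, as yamllint's truthy rule flags the latter.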
roles/nginx-http/templates/default.j2
0 → 100644
# {{ ansible_managed }}
server {
listen 80;
listen [::]:80;
{% for location in nginx_http_locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
{% endfor %}
location ^~ /.well-known {
alias {{ acmetool_webroot }};
}
}
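Review bot: `{{ location.config | indent(width=4, indentfirst=True) }}` uses the `indentfirst` argument that Jinja2 2.10 renamed to `first` and deprecated (later releases drop it entirely), so on a control node with a newer Jinja2 this template warns or fails to render; the same filter call appears in roles/nginx-https/templates/https-site.j2. Once the controller is known to run Jinja2 2.10 or later, change both to `{{ location.config | indent(width=4, first=True) }}`. The `^~ /.well-known` block and its `alias` are consistent with the `{{ acmetool_webroot }}/acme-challenge` webroot path in responses.j2, but that coupling is only visible by reading two other files, so a comment above the location would help: `# serves {{ acmetool_webroot }}/acme-challenge/... as /.well-known/acme-challenge/... for acmetool`.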
roles/nginx-http/templates/nginx.conf.j2
0 → 100644
# {{ ansible_managed }}
user www-data;
worker_processes {{ nginx_worker_processes }};
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
accept_mutex off;
use epoll;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_types *;
gzip_comp_level 6;
gzip_disable "msie6";
#large_client_header_buffers 8 128k;
#http2_max_field_size 128k;
#http2_max_header_size 256k;
include /etc/nginx/sites-enabled/*;
}
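Review bot: `gzip_types *;` compresses every MIME type, which wastes CPU on already-compressed images and archives, and because it sits at the `http` level it is inherited by the HTTPS sites defined in the nginx-https role; compressing TLS responses that reflect request data next to secrets is the precondition for BREACH-style attacks, so a global wildcard is a poor default even though the static `root /var/www/html` sites in this commit are not affected. Restrict it to text-like types, e.g. `gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;`. The three commented-out buffer settings would also read better with a one-line comment saying why they are kept, e.g. `# uncomment for sites with very large cookies/headers`.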
roles/nginx-https/defaults/main.yml
0 → 100644
nginx_ssl_protocols
:
"
TLSv1.2"
nginx_ssl_ciphers
:
"
TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256"
nginx_ssl_dhparam
:
"
/etc/ssl/certs/dh4096.pem"
nginx_ssl_dhparam_bits
:
4096
nginx_https_default_headers
:
null
nginx_https_sites
:
-
name
:
"
{{
ansible_fqdn
}}"
locations
:
-
location
:
"
/"
config
:
|
root /var/www/html;
headers
:
null
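Review bot: The three `TLS13-*` entries at the head of `nginx_ssl_ciphers` are inert: `nginx_ssl_protocols` is `TLSv1.2` only, and as far as I recall the released OpenSSL 1.1.1 names TLS 1.3 suites `TLS_AES_256_GCM_SHA384`-style and does not take them from nginx's `ssl_ciphers` at all, so they are tolerated as unknown names and never used. Nothing breaks, but the list promises a TLS 1.3 configuration it does not deliver; either drop them or add a comment, e.g. `# TLS 1.3 entries are placeholders; TLS 1.3 is not enabled in nginx_ssl_protocols`. Also worth a comment above `nginx_ssl_dhparam_bits`: generating 4096-bit DH parameters with `openssl dhparam` can take many minutes on a small VM on the first run, which otherwise looks like a hung play.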
roles/nginx-https/handlers/main.yml
0 → 100644
-
name
:
restart nginx
systemd
:
name
:
nginx
state
:
restarted
roles/nginx-https/meta/main.yml
0 → 100644
dependencies
:
-
nginx-http
-
acmetool
roles/nginx-https/tasks/main.yml
0 → 100644
-
name
:
create dh parameters
command
:
'
openssl
dhparam
-out
"{{
nginx_ssl_dhparam
}}"
{{
nginx_ssl_dhparam_bits
}}'
args
:
creates
:
"
{{
nginx_ssl_dhparam
}}"
when
:
nginx_hmi_ssl_dhparam is not none
-
name
:
configure the https sites
template
:
src
:
"
https-site.j2"
dest
:
"
/etc/nginx/sites-available/{{
item.name
}}"
with_items
:
"
{{
nginx_https_sites
}}"
notify
:
restart nginx
-
name
:
enable the https sites
file
:
src
:
"
/etc/nginx/sites-available/{{
item.name
}}"
dest
:
"
/etc/nginx/sites-enabled/{{
item.name
}}"
state
:
link
with_items
:
"
{{
nginx_https_sites
}}"
notify
:
restart nginx
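Review bot: The `create dh parameters` task's condition `when: nginx_hmi_ssl_dhparam is not none` references a variable nothing in this commit defines; the same task reads `nginx_ssl_dhparam` from the role defaults, so this looks like a typo, and because Ansible evaluates `when` before `creates` the play should abort with an undefined-variable error on the first run. Change it to `when: nginx_ssl_dhparam is not none`. Note too that the null case this guards is not handled downstream: https-site.j2 emits `ssl_dhparam {{ nginx_ssl_dhparam }};` unconditionally, so setting the variable to null would render `ssl_dhparam None;` and nginx would reject the site; either wrap that template line in the same check or document that the variable must be set.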
roles/nginx-https/templates/https-site.j2
0 → 100644
# {{ ansible_managed }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.name }};
ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers {{ nginx_ssl_ciphers }};
ssl_prefer_server_ciphers on;
{% if nginx_https_default_headers %}
{% for header in nginx_https_default_headers %}
add_header {{ header }};
{% endfor %}
{% endif %}
{% if item.headers %}
{% for header in item.headers %}
add_header {{ header }};
{% endfor %}
{% endif %}
{% for location in item.locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
{% endfor %}
}
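Review bot: The server-level `add_header` lines built from `nginx_https_default_headers` and `item.headers` are silently dropped for any location whose free-form `location.config` contains its own `add_header`, because nginx inherits add_header only when the current level defines none; with the headers feature being this template's main job, that pitfall deserves a comment next to the loops, e.g. `# NOTE: a location config that uses add_header loses these server-level headers for that location`. Both header variables default to null, so no security headers (HSTS and the like) are sent unless a host sets them; a commented example in the defaults file would make that choice explicit. Session settings such as `ssl_session_cache` are also absent, which is a performance rather than a security concern here.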
services-base.yml
0 → 100644
# Install the base services like our web and mail server
# as well as the management of SSL certificates.
-
name
:
install nginx, acmetool and postfix
hosts
:
all
become
:
yes
roles
:
-
nginx-http
-
acmetool
-
nginx-https
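Review bot: The play name `install nginx, acmetool and postfix` and the header comment about a mail server promise a postfix role that this commit does not add; the roles list contains only nginx-http, acmetool and nginx-https. Rename to match what the play does, `- name: install nginx and acmetool`, and adjust the comment to `# Install the base services: the web server and the management of SSL certificates.`, adding postfix back when its role exists. Style point: `become: true` rather than `yes`, per yamllint's truthy rule.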