Commit 5ddcacc2 authored by MichiK's avatar MichiK

Add nginx and acmetool basics

parent 4db2c58f
# This should be some e-mail address where technical messages may go.
admin_email: "michik@michik.net"
# Please feel free to add your favorite software you need absolutely everywhere
# here. However, please do not leave too much stuff nobody else might use or
# stuff that could be handy for an attacker.
acmetool_cert_domains:
- "test01.heaven.michik.net"
#acmetool_server: "https://acme-staging.api.letsencrypt.org/directory"
nginx_http_locations:
- location: "/"
config: |
return 301 https://$host$request_uri;
nginx_https_sites:
- name: "test01.heaven.michik.net"
locations:
- location: "/"
config: |
root /var/www/html;
headers: null
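Review bot: The port-80 redirect in `nginx_http_locations` builds its target from `$host`, and because the HTTP server this commit's nginx-http role renders has no `server_name` (it is the catch-all on :80), `$host` is whatever Host header the client sent, so a forged Host header gets a 301 to an arbitrary https:// origin. The impact of a redirect is low, but for a host with one fixed name the tighter form is `return 301 https://test01.heaven.michik.net$request_uri;`; if the generic `$host` form is kept on purpose, a comment saying the HTTP vhost is a catch-all would stop the next reader from assuming it is pinned to this site. The `nginx_https_sites` entry here repeats the role default (`{{ ansible_fqdn }}` with the same `root`), so it can probably be dropped unless the FQDN actually differs from `test01.heaven.michik.net`.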
# vim: set ft=yaml:
# Please note that acmetool_webroot is defined in the defaults of the
# nginx-http role as it is needed for the default HTTP configuration of
# nginx (much simpler that way).
acmetool_cert_domains:
- "{{ ansible_fqdn }}"
# This is the production environment. To use the staging environment, please
# override for the host(s) in question with the following URL:
# https://acme-staging.api.letsencrypt.org/directory
#
# When this changes, you need to delete /var/lib/acme/conf/target manually!
acmetool_server: "https://acme-v01.api.letsencrypt.org/directory"
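Review bot: `acmetool_server` defaults to the ACMEv1 directory (`acme-v01.api.letsencrypt.org`), which Let's Encrypt has since retired, so a fresh host provisioned with this default will fail at `acmetool quickstart`/`want`; the current endpoints are `https://acme-v02.api.letsencrypt.org/directory` and, for staging, `https://acme-staging-v02.api.letsencrypt.org/directory`, and the staging URL in the comment above should be updated to match (ACMEv2 also needs an acmetool build that supports it, which I cannot confirm from here). The `When this changes, you need to delete /var/lib/acme/conf/target manually!` caveat is important operational state and is easy to miss; it would be worth adding that the `creates: /var/lib/acme/live/{{ item }}` guard on the `want` task also means an already-issued domain will not be re-requested against the new server until that directory is removed too.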
dependencies:
- nginx-http
- name: install acmetool
apt:
package: acmetool
state: present
- name: create acmetool conf and webroot directories
file:
dest: "/var/lib/acme/{{ item }}"
state: directory
with_items:
- "conf"
- "webroot"
- name: install acmetool response file
template:
src: "responses.j2"
dest: "/var/lib/acme/conf/responses"
- name: execute acmetool quickstart
command: "acmetool quickstart --batch"
args:
creates: "/var/lib/acme/conf/target"
- name: request a certificate
command: 'acmetool want --batch {{ item }}'
args:
creates: "/var/lib/acme/live/{{ item }}"
with_items: "{{ acmetool_cert_domains }}"
# {{ ansible_managed }}
"acme-enter-email": "{{ admin_email }}"
"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
"acmetool-quickstart-choose-server": {{ acmetool_server }}
"acmetool-quickstart-choose-method": webroot
"acmetool-quickstart-webroot-path": "{{ acmetool_webroot }}/acme-challenge"
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": true
"acmetool-quickstart-install-haproxy-script": true
"acmetool-quickstart-install-redirector-systemd": true
"acmetool-quickstart-key-type": rsa
"acmetool-quickstart-rsa-key-size": 4096
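Review bot: `"acmetool-quickstart-install-redirector-systemd": true` installs acmetool's own HTTP-to-HTTPS redirector service, which listens on port 80, while this same play puts nginx on :80 (`listen 80;` in the nginx-http default site); one of the two will fail to bind, and which one wins depends on start order. Since challenges are served by nginx via the webroot method and the 301 is already done in `nginx_http_locations`, this should be `false`, and `"acmetool-quickstart-install-haproxy-script": true` can go as well: it writes a combined cert+key file per domain for haproxy, an extra copy of private key material that nothing here consumes (if I have the acmetool semantics wrong, a comment explaining why both are wanted would help). `"acmetool-quickstart-choose-server": {{ acmetool_server }}` is the only unquoted templated value in the file; quoting it like the others avoids surprises if the URL ever contains a character the YAML parser treats specially.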
acmetool_webroot: "/var/lib/acme/webroot"
nginx_http_locations:
- location: "/"
config: |
root /var/www/html;
nginx_worker_processes: "auto"
- name: restart nginx
systemd:
name: nginx
state: restarted
- name: install nginx
apt:
package: nginx
state: present
- name: enable nginx
systemd:
name: "nginx"
enabled: yes
- name: configure nginx
template:
src: "nginx.conf.j2"
dest: "/etc/nginx/nginx.conf"
register: nginx_conf
- name: configure the default site
template:
src: "default.j2"
dest: "/etc/nginx/sites-available/default"
register: nginx_default_config
- name: enable the default site
file:
src: "/etc/nginx/sites-available/default"
dest: "/etc/nginx/sites-enabled/default"
state: link
register: nginx_default_enabled
# We do this here instead of using the handler so that when the a role that
# depends on this as well as on acmetool (e.g. nginx-https) is used in a
# playbook, nginx is restarted with the proper configuration before the
# acmetool tasks are run.
- name: restart nginx
systemd:
name: "nginx"
state: restarted
when: nginx_conf.changed or nginx_default_config.changed or nginx_default_enabled.changed
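Review bot: The `configure nginx` and `configure the default site` tasks write the rendered config straight into `/etc/nginx` and the final task then does a hard `restarted`, so a template that renders to something nginx rejects takes the server, and the ACME challenge path it serves, down instead of failing the play. Add `validate: "nginx -t -c %s"` to the `nginx.conf.j2` template task, or a `command: nginx -t` step before the restart, and use `state: reloaded` rather than `restarted` for the normal case, since a reload keeps existing connections and still picks up config and certificate changes. The comment above the restart explains the ordering with acmetool well; one more line saying whether a full restart (rather than a reload) is intentional would complete it.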
# {{ ansible_managed }}
server {
listen 80;
listen [::]:80;
{% for location in nginx_http_locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
{% endfor %}
location ^~ /.well-known {
alias {{ acmetool_webroot }};
}
}
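Review bot: `location ^~ /.well-known { alias {{ acmetool_webroot }}; }` exposes the whole webroot under `/.well-known` and uses the alias-without-trailing-slash pattern that nginx linters (gixy's alias traversal check) flag, because a request such as `/.well-known../x` maps to `{{ acmetool_webroot }}../x`; with this particular prefix there is probably nothing reachable, but it is cheap to tighten. The quickstart responses configure the challenge path as `{{ acmetool_webroot }}/acme-challenge`, so `location ^~ /.well-known/acme-challenge/ { alias {{ acmetool_webroot }}/acme-challenge/; }` serves exactly the same files with both the location and the alias ending in `/`. A `default_server` on the two `listen` lines (and `server_name _;`) would also document that this block is the catch-all for plain HTTP, which the `$host`-based redirects in the host vars rely on.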
# {{ ansible_managed }}
user www-data;
worker_processes {{ nginx_worker_processes }};
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
accept_mutex off;
use epoll;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_types *;
gzip_comp_level 6;
gzip_disable "msie6";
#large_client_header_buffers 8 128k;
#http2_max_field_size 128k;
#http2_max_header_size 256k;
include /etc/nginx/sites-enabled/*;
}
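Review bot: `gzip on;` together with `gzip_types *;` compresses every response type on the TLS sites that include this config, which is the precondition for BREACH-style compression-oracle attacks whenever a response reflects attacker input next to a secret; with only static `root /var/www/html;` locations that is theoretical today, but the safer default is an explicit list such as `gzip_types text/plain text/css application/json application/javascript image/svg+xml;` (nginx always compresses `text/html`, so a page mixing user input and secrets needs `gzip off` in its own location). `server_tokens off;` is good; since this `http` block is shared by the HTTPS sites, it is also the natural place for `ssl_session_cache shared:SSL:10m;` and `ssl_session_tickets off;`, neither of which is set anywhere in this commit. The commented-out `large_client_header_buffers`/`http2_*` lines deserve a one-line comment on why they are kept, or should be dropped.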
nginx_ssl_protocols: "TLSv1.2"
nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256"
nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
nginx_ssl_dhparam_bits: 4096
nginx_https_default_headers: null
nginx_https_sites:
- name: "{{ ansible_fqdn }}"
locations:
- location: "/"
config: |
root /var/www/html;
headers: null
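Review bot: The `TLS13-*` entries at the front of `nginx_ssl_ciphers` are the OpenSSL 1.1.1 pre-release draft names; released OpenSSL calls the TLS 1.3 suites `TLS_AES_256_GCM_SHA384` etc. and selects them through the separate ciphersuites setting (nginx `ssl_conf_command Ciphersuites`), not through `ssl_ciphers`, so these entries are skipped by the cipher-string parser. They do no harm today because `nginx_ssl_protocols` is `TLSv1.2` only, but anyone adding `TLSv1.3` will get no control from this list; a comment saying so, or dropping them, avoids a false sense of configuration. The remaining `*-SHA256`/`*-SHA384` CBC suites are the weakest entries and can be dropped on hosts without legacy clients, and `nginx_ssl_dhparam_bits: 4096` deserves a comment that `openssl dhparam 4096` can take many minutes on first run.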
- name: restart nginx
systemd:
name: nginx
state: restarted
dependencies:
- nginx-http
- acmetool
- name: create dh parameters
command: 'openssl dhparam -out "{{ nginx_ssl_dhparam }}" {{ nginx_ssl_dhparam_bits }}'
args:
creates: "{{ nginx_ssl_dhparam }}"
when: nginx_hmi_ssl_dhparam is not none
- name: configure the https sites
template:
src: "https-site.j2"
dest: "/etc/nginx/sites-available/{{ item.name }}"
with_items: "{{ nginx_https_sites }}"
notify: restart nginx
- name: enable the https sites
file:
src: "/etc/nginx/sites-available/{{ item.name }}"
dest: "/etc/nginx/sites-enabled/{{ item.name }}"
state: link
with_items: "{{ nginx_https_sites }}"
notify: restart nginx
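Review bot: `when: nginx_hmi_ssl_dhparam is not none` on the `create dh parameters` task references a variable nothing defines (the role default is `nginx_ssl_dhparam`), so Ansible aborts the task with an undefined-variable error instead of running or skipping it; it should read `when: nginx_ssl_dhparam is not none`. The https template still emits `ssl_dhparam {{ nginx_ssl_dhparam }};` unconditionally, so setting the variable to `null` would skip generation here and then hand nginx a literal `None` path; the guard is only meaningful once the template is made conditional as well. The `configure the https sites` task has no `validate` and the handler does a hard restart, so a bad render would take every site down; a `nginx -t` step before the restart, or `state: reloaded`, is worth adding.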
# {{ ansible_managed }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ item.name }};
ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers {{ nginx_ssl_ciphers }};
ssl_prefer_server_ciphers on;
{% if nginx_https_default_headers %}
{% for header in nginx_https_default_headers %}
add_header {{ header }};
{% endfor %}
{% endif %}
{% if item.headers %}
{% for header in item.headers %}
add_header {{ header }};
{% endfor %}
{% endif %}
{% for location in item.locations %}
location {{ location.location }} {
{{ location.config | indent(width=4, indentfirst=True) }}
}
{% endfor %}
}
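Review bot: `ssl_dhparam {{ nginx_ssl_dhparam }};` is rendered unconditionally while the role's dhparam task is guarded by an `is not none` check, so disabling dhparam generation through the variable yields `ssl_dhparam None;` and nginx refuses the config; wrap it as `{% if nginx_ssl_dhparam %}` / `ssl_dhparam {{ nginx_ssl_dhparam }};` / `{% endif %}`. The `add_header` directives are emitted at server level, and nginx discards all inherited `add_header` directives as soon as a `location` block adds one of its own, so any `location.config` entry using `add_header` silently loses the per-site and default headers; that deserves a comment above the two header loops, and is a reason to give `nginx_https_default_headers` a nonempty default carrying `Strict-Transport-Security`. The block also sets no `ssl_session_cache`/`ssl_session_tickets` and no OCSP stapling; if acmetool writes a `chain` file next to `fullchain` as it appears to, `ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /var/lib/acme/live/{{ item.name }}/chain;` can go here.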
# Install the base services like our web and mail server
# as well as the management of SSL certificates.
- name: install nginx, acmetool and postfix
hosts: all
become: yes
roles:
- nginx-http
- acmetool
- nginx-https