Add nginx and acmetool basics

group_vars/all

+# This should be some e-mail address where technical messages may go.
+admin_email: "michik@michik.net"
+
 # Please feel free to add your favorite software you need absolutely everywhere
 # here. However, please do not leave too much stuff nobody else might use or
 # stuff that could be handy for an attacker.

host_vars/test01.heaven.michik.net

+acmetool_cert_domains:
+ - "test01.heaven.michik.net"
+
+#acmetool_server: "https://acme-staging.api.letsencrypt.org/directory"
+
+nginx_http_locations:
+ - location: "/"
+   config: |
+     return 301 https://$host$request_uri;
+
+nginx_https_sites:
+ - name: "test01.heaven.michik.net"
+   locations:
+    - location: "/" 
+      config: |
+        root /var/www/html;
+   headers: null
+
+# vim: set ft=yaml:

roles/acmetool/defaults/main.yml

+# Please note that acmetool_webroot is defined in the defaults of the
+# nginx-http role as it is needed for the default HTTP configuration of
+# nginx (much simpler that way).
+
+acmetool_cert_domains:
+ - "{{ ansible_fqdn }}"
+
+# This is the production environment. To use the staging environment, please
+# override for the host(s) in question with the following URL:
+# https://acme-staging.api.letsencrypt.org/directory
+#
+# When this changes, you need to delete /var/lib/acme/conf/target manually!
+acmetool_server:  "https://acme-v01.api.letsencrypt.org/directory"

roles/acmetool/meta/main.yml

+dependencies:
+ - nginx-http

roles/acmetool/tasks/main.yml

+- name: install acmetool
+  apt:
+    package: acmetool
+    state: present
+
+- name: create acmetool conf and webroot directories
+  file:
+    dest: "/var/lib/acme/{{ item }}"
+    state: directory
+  with_items:
+   - "conf"
+   - "webroot"
+
+- name: install acmetool response file
+  template:
+    src: "responses.j2"
+    dest: "/var/lib/acme/conf/responses"
+
+- name: execute acmetool quickstart
+  command: "acmetool quickstart --batch"
+  args:
+    creates: "/var/lib/acme/conf/target"
+
+- name: request a certificate
+  command: 'acmetool want --batch {{ item }}'
+  args:
+    creates: "/var/lib/acme/live/{{ item }}"
+  with_items: "{{ acmetool_cert_domains }}"

roles/acmetool/templates/responses.j2

+# {{ ansible_managed }}
+
+"acme-enter-email": "{{ admin_email }}"
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
+"acmetool-quickstart-choose-server": {{ acmetool_server }}
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "{{ acmetool_webroot }}/acme-challenge"
+"acmetool-quickstart-complete": true
+"acmetool-quickstart-install-cronjob": true
+"acmetool-quickstart-install-haproxy-script": true
+"acmetool-quickstart-install-redirector-systemd": true
+"acmetool-quickstart-key-type": rsa
+"acmetool-quickstart-rsa-key-size": 4096

roles/nginx-http/defaults/main.yml

+acmetool_webroot: "/var/lib/acme/webroot"
+
+nginx_http_locations:
+ - location: "/"
+   config: |
+     root /var/www/html;
+
+nginx_worker_processes: "auto"

roles/nginx-http/handlers/main.yml

+- name: restart nginx
+  systemd:
+    name: nginx
+    state: restarted

roles/nginx-http/tasks/main.yml

+- name: install nginx
+  apt:
+    package: nginx
+    state: present
+
+- name: enable nginx
+  systemd:
+    name: "nginx"
+    enabled: yes
+
+- name: configure nginx
+  template:
+    src: "nginx.conf.j2"
+    dest: "/etc/nginx/nginx.conf"
+  register: nginx_conf
+
+- name: configure the default site
+  template:
+    src: "default.j2"
+    dest: "/etc/nginx/sites-available/default"
+  register: nginx_default_config
+
+- name: enable the default site
+  file:
+    src: "/etc/nginx/sites-available/default"
+    dest: "/etc/nginx/sites-enabled/default"
+    state: link
+  register: nginx_default_enabled
+
+# We do this here instead of using the handler so that when the a role that
+# depends on this as well as on acmetool (e.g. nginx-https) is used in a
+# playbook, nginx is restarted with the proper configuration before the
+# acmetool tasks are run.
+
+- name: restart nginx
+  systemd:
+    name: "nginx"
+    state: restarted
+  when: nginx_conf.changed or nginx_default_config.changed or nginx_default_enabled.changed

roles/nginx-http/templates/default.j2

+# {{ ansible_managed }}
+
+server {
+
+  listen 80;
+  listen [::]:80;
+
+{% for location in nginx_http_locations %}
+  location {{ location.location }} {
+{{ location.config | indent(width=4, indentfirst=True) }}
+  }
+{% endfor %}
+
+  location ^~ /.well-known {
+    alias {{ acmetool_webroot }};
+  }
+
+}

roles/nginx-http/templates/nginx.conf.j2

+# {{ ansible_managed }}
+
+user www-data;
+worker_processes {{ nginx_worker_processes }};
+
+pid /run/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+
+  worker_connections 1024;
+  accept_mutex off;
+  use epoll;
+
+}
+
+http {
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+  server_tokens off;
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  gzip on;
+  gzip_types *;
+  gzip_comp_level 6;
+  gzip_disable "msie6";
+
+  #large_client_header_buffers 8 128k;
+  #http2_max_field_size 128k;
+  #http2_max_header_size 256k;
+
+  include /etc/nginx/sites-enabled/*;
+
+}

roles/nginx-https/defaults/main.yml

+nginx_ssl_protocols: "TLSv1.2"
+nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256"
+nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
+nginx_ssl_dhparam_bits: 4096
+
+nginx_https_default_headers: null
+
+nginx_https_sites:
+ - name: "{{ ansible_fqdn }}"
+   locations:
+    - location: "/"
+      config: |
+        root /var/www/html;
+   headers: null

roles/nginx-https/handlers/main.yml

+- name: restart nginx
+  systemd:
+    name: nginx
+    state: restarted

roles/nginx-https/meta/main.yml

+dependencies:
+ - nginx-http
+ - acmetool

roles/nginx-https/tasks/main.yml

+- name: create dh parameters
+  command: 'openssl dhparam -out "{{ nginx_ssl_dhparam }}" {{ nginx_ssl_dhparam_bits }}'
+  args:
+    creates: "{{ nginx_ssl_dhparam }}"
+  when: nginx_hmi_ssl_dhparam is not none
+
+- name: configure the https sites
+  template:
+    src: "https-site.j2"
+    dest: "/etc/nginx/sites-available/{{ item.name }}"
+  with_items: "{{ nginx_https_sites }}"
+  notify: restart nginx
+
+- name: enable the https sites
+  file:
+    src: "/etc/nginx/sites-available/{{ item.name }}"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}"
+    state: link
+  with_items: "{{ nginx_https_sites }}"
+  notify: restart nginx

roles/nginx-https/templates/https-site.j2

+# {{ ansible_managed }}
+
+server {
+
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name {{ item.name }};
+
+  ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
+  ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
+  ssl_dhparam {{ nginx_ssl_dhparam }};
+  ssl_protocols {{ nginx_ssl_protocols }};
+  ssl_ciphers {{ nginx_ssl_ciphers }};
+  ssl_prefer_server_ciphers on;
+
+{% if nginx_https_default_headers %}
+{% for header in nginx_https_default_headers %}
+  add_header {{ header }};
+{% endfor %}
+{% endif %}
+
+{% if item.headers %}
+{% for header in item.headers %}
+  add_header {{ header }};
+{% endfor %}
+{% endif %}
+
+{% for location in item.locations %}
+  location {{ location.location }} {
+{{ location.config | indent(width=4, indentfirst=True) }}
+  }
+{% endfor %}
+
+}

services-base.yml

+# Install the base services like our web and mail server
+# as well as the management of SSL certificates.
+
+- name: install nginx, acmetool and postfix
+  hosts: all
+  become: yes
+  roles:
+   - nginx-http
+   - acmetool
+   - nginx-https