LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

a first attempt to merge lilik nginx role with functionalities from Ginsys.nginx and to include letsencrypt automation tasks - must not break functionality of other roles using previous lilik nginx role

nginx-letsencrypt
Lorenzo 8 years ago
parent
4dcc310666
commit
94dc5d0f10
7 changed files with 201 additions and 6 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +23
    -3
      roles/nginx/defaults/main.yml
  2. +35
    -0
      roles/nginx/tasks/letsencrypt.yaml
  3. +71
    -3
      roles/nginx/tasks/main.yaml
  4. +9
    -0
      roles/nginx/tasks/store_challenge.yaml
  5. +29
    -0
      roles/nginx/templates/nginx.conf.j2
  6. +28
    -0
      roles/nginx/templates/site.j2
  7. +6
    -0
      roles/nginx/vars/main.yaml

+ 23
- 3
roles/nginx/defaults/main.yml View File

@ -1,4 +1,24 @@
--- ---
is_proxy: false
php: false
config_names: []
is_proxy: false
php: false
config_names: []
letsencrypt: false
nginx_max_clients: 512
nginx_http_params:
senfile: "on"
tcp_nopush: "on"
tcp_nodelay: "on"
keepalive_timeout: "65"
nginx_log_dir: "/var/log/nginx"
nginx_access_log_name: "access.log"
nginx_error_log_name: "error.log"
nginx_separate_logs_per_site: False
letsencrypt_account_key: "/etc/ssl/private/letsencrypt.key.pem"
letsencrypt_challenge_webroot: "/var/www/html"
nginx_sites:

+ 35
- 0
roles/nginx/tasks/letsencrypt.yaml View File

@ -0,0 +1,35 @@
- name: provision ssl host private key
openssl_privatekey:
path: "{{ item.server.ssl_certificate_key }}"
- name: generate certificate signing request
command: >
openssl req
-new
-sha256
-nodes
-key {{ item.server.ssl_certificate_key }}
-out {{ item.letsencrypt.ssl_csr }}
-subj "/C={{ item.letsencrypt.ssl_country }}
/ST={{ item.letsencrypt.ssl_state }}
/L{{ item.letsencrypt.ssl_loc }}
/O={{ item.letsencrypt.ssl_org }}
/emailAddress={{ item.letsencrypt.ssl_email }}"
- name: get challenge(s) from letsencrypt server
letsencrypt:
account_key: "{{ letsencrypt_account_key }}"
csr: "{{ item.letsencrypt.ssl_csr }}"
dest: "{{ item.server.ssl_certificate }}"
register: letsencrypt_challenge
- name: store challenge(s) in local dir
include: store_challenge.yaml
when: letsencrypt_challenge|changed
- name: get signed certificate(s) from letsencrypt server
letsencrypt:
account_key: "{{ letsencrypt_account_key }}"
csr: "{{ item.letsencrypt.ssl_csr }}"
dest: "{{ item.server.ssl_certificate }}"
data: "{{ letsencrypt_challenge }}"

+ 71
- 3
roles/nginx/tasks/main.yaml View File

@ -6,6 +6,35 @@
service_packages: service_packages:
- nginx - nginx
- name: install letsencrypt dependencies
apt:
name: "{{ item }}"
state: present
update_cache: yes
cache_valid_time: 3600
with_items: "{{ letsencrypt_requirements }}"
when: letsencrypt|bool
- name: provision directories for site specific configurations
file:
path: /etc/nginx/{{ item }}
state: directory
owner: root
group: root
mode: 0755
with_items:
- "sites-available"
- "sites-enabled"
- name: provision letsencrypt challenge folder
file:
path: "{{ letsencrypt.challenge_webroot }}/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: 0755
when: letsencrypt|bool
- name: disable nginx default configuration - name: disable nginx default configuration
file: file:
path: /etc/nginx/sites-enabled/default path: /etc/nginx/sites-enabled/default
@ -33,16 +62,55 @@
- enable nginx configuration - enable nginx configuration
- restart nginx - restart nginx
- name: add nginx configurations
- name: add nginx configuration custom templates
template: template:
src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2" src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
dest: /etc/nginx/sites-available/{{ item }}.conf
dest: "/etc/nginx/sites-available/{{ item }}.conf"
with_items: "{{ config_names }}" with_items: "{{ config_names }}"
- name: enable nginx configurations
- name: enable nginx configuration custom templates
file: file:
src: "/etc/nginx/sites-available/{{ item }}.conf" src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf" dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
state: link state: link
with_items: "{{ config_names }}" with_items: "{{ config_names }}"
notify: restart nginx notify: restart nginx
- name: generate nginx configurations from standard template
template:
src: site.j2
dest: "/etc/nginx/sites-available/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
- name: enable nginx configurations used for letsencrypt challenge
file:
path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
state: link
src: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
when: letsencrypt|bool and item.use_for_challenge is defined and item.use_for_challenge|bool
- name: restart nginx to start enabled configurations used for letsencrypt
service:
name: nginx
state: restarted
when: letsencrypt|bool
- name: provision letsencrypt account private key
openssl_privatekey:
path: "{{ letsencrypt_account_key }}"
when: letsencrypt|bool
- name: provision ssl cert/key(s) with letsencrypt
include: letsencrypt.yml
with_items: "{{ nginx_sites }}"
when: letsencrypt|bool and item.letsencrypt is defined
- name: enable nginx configuration generated from standard template
file:
path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
state: link
src: "/etc/nginx/sites-available/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
when: nginx_sites is defined and nginx_sites
notify: restart nginx

+ 9
- 0
roles/nginx/tasks/store_challenge.yaml View File

@ -0,0 +1,9 @@
- name: copy challenge file inside webroot
copy:
dest: "{{ letsencrypt_challenge_webroot }}/{{ chall.value.http-01.resource }}"
content: "{{ chall.value.http-01.resource_value }}"
with_dict: "{{ letsencrypt_challenge.challenge_data }}"
loop_contro:
loop_var: chall

+ 29
- 0
roles/nginx/templates/nginx.conf.j2 View File

@ -0,0 +1,29 @@
# {{ ansible_managed }}
#
user www-data;
worker_processes {{ ansible_processor_count }};
pid /var/run/nginx.pid;
events {
worker_connections {{ nginx_max_clients }};
}
http {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log {{ nginx_log_dir }}/{{ nginx_access_log_name }};
error_log {{ nginx_log_dir }}/{{ nginx_error_log_name }};
{% for k,v in nginx_http_params.iteritems() %}
{{ k }} {{ v }};
{% endfor %}
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 28
- 0
roles/nginx/templates/site.j2 View File

@ -0,0 +1,28 @@
# {{ ansible_managed }}
server {
{% for key,value in item.server|dictsort if key != 'file_name' %}
{{ key }} {{ value }};
{% if nginx_separate_logs_per_site == True %}
access_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_access_log_name }};
error_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_error_log_name }};
{% endif %}
{% endfor %}
{% if item.use_for_challenge is defined %}
location /.well-known/acme-challenge {
root {{ letsencrypt_challenge_webroot }};
}
{% endif %}
{% if 'location' in item %}
{% for location in item.location if 'location' in item %}
location {{ location.name }} { {% for key,value in location|dictsort if key != 'name' %}
{{ key }} {{ value }}; {% endfor %}
}
{% endfor %}
{% endif %}
}

+ 6
- 0
roles/nginx/vars/main.yaml View File

@ -0,0 +1,6 @@
---
letsencrypt_requirements:
# - python-selinux
- openssl
- python-openssl
- ca-certificates

Write Preview
Loading…
Cancel
Save