From f426c9cd3a140b76490c626ee7f025836e551813 Mon Sep 17 00:00:00 2001 From: Andrea Cimbalo Date: Thu, 29 Jun 2017 22:48:40 +0200 Subject: [PATCH] more generic certbot --- login.yaml | 1 - roles/certbot/defaults/main.yaml | 2 + roles/certbot/tasks/main.yaml | 16 ++++---- roles/dokuwiki/meta/main.yaml | 1 + .../dokuwiki/templates/dokuwiki.conf.nginx.j2 | 7 ---- .../templates/dokuwiki.conf.nginx.j2.TODO | 36 ---------------- roles/icinga2/meta/main.yaml | 3 +- roles/icinga2/templates/icinga2.conf.nginx.j2 | 9 +--- roles/login/meta/main.yaml | 3 +- roles/login/templates/login.conf.nginx.j2 | 27 ------------ roles/nginx/defaults/main.yml | 2 +- roles/nginx/meta/main.yaml | 3 ++ roles/nginx/tasks/main.yaml | 41 +++++++++++-------- .../templates/{proxy_nginx.j2 => base.j2} | 27 +++++------- roles/nginx/templates/proxy.conf.nginx.j2 | 11 +++++ roles/reverse_proxy/templates/http.j2 | 1 + roles/roundcube/meta/main.yaml | 2 + .../templates/roundcube.conf.nginx.j2 | 4 -- roles/sympa/meta/main.yaml | 2 + roles/sympa/templates/sympa.conf.nginx.j2 | 10 +---- roles/wordpress/meta/main.yaml | 4 +- .../wordpress/templates/wordpress.apache2.j2 | 11 ----- .../templates/wordpress.conf.nginx.j2 | 28 +++++++++++++ 23 files changed, 103 insertions(+), 148 deletions(-) create mode 100644 roles/certbot/defaults/main.yaml delete mode 100644 roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO create mode 100644 roles/nginx/meta/main.yaml rename roles/nginx/templates/{proxy_nginx.j2 => base.j2} (68%) create mode 100644 roles/nginx/templates/proxy.conf.nginx.j2 delete mode 100644 roles/wordpress/templates/wordpress.apache2.j2 create mode 100644 roles/wordpress/templates/wordpress.conf.nginx.j2 diff --git a/login.yaml b/login.yaml index 32e9cff..1e2970f 100644 --- a/login.yaml +++ b/login.yaml @@ -13,4 +13,3 @@ - role: login - role: reverse_proxy hostname: login3 - - role: certbot 
diff --git a/roles/certbot/defaults/main.yaml b/roles/certbot/defaults/main.yaml new file mode 100644 index 0000000..d5e00bb --- /dev/null +++ b/roles/certbot/defaults/main.yaml @@ -0,0 +1,2 @@ +--- + webserver_name: nginx diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml index dd1561a..2c0e091 100644 --- a/roles/certbot/tasks/main.yaml +++ b/roles/certbot/tasks/main.yaml @@ -10,13 +10,13 @@ - cron - name: request certificate - command: certbot certonly -a standalone --preferred-challenges http -d login3.lilik.it -n + command: certbot certonly -a standalone --agree-tos --email roots@lists.lilik.it --preferred-challenges http -d {{ server_fqdn }} -d www.{{ server_fqdn }} -n args: - creates: /etc/letsencrypt/live/login3.lilik.it/cert.pem + creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem -- name: add certbot cron - cron: - name: "certbot cron" - minute: "30" - hour: "2" - job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload nginx"' +# - name: add certbot cron +# cron: +# name: "certbot cron" +# minute: "30" +# hour: "2" +# job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload {{ webserver_name }}"' diff --git a/roles/dokuwiki/meta/main.yaml b/roles/dokuwiki/meta/main.yaml index 6a02c98..1d5a598 100644 --- a/roles/dokuwiki/meta/main.yaml +++ b/roles/dokuwiki/meta/main.yaml @@ -2,4 +2,5 @@ dependencies: - role: nginx php: true + config_name: "dokuwiki" parent_role_path: "dokuwiki" diff --git a/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 b/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 index 459c808..7ea1a33 100644 --- a/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 +++ b/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 @@ -1,9 +1,3 @@ -server { - listen 80; - - client_max_body_size 4M; - client_body_buffer_size 128k; - root /usr/share/dokuwiki; index doku.php; @@ -24,4 +18,3 @@ server { fastcgi_param REDIRECT_STATUS 200; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; } -} 
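Review bot: The "add certbot cron" task in roles/certbot/tasks/main.yaml is commented out while the issuance task stays live, so the certificate obtained by `certbot certonly` lapses after Let's Encrypt's 90-day lifetime and nothing on the host renews it or reloads the web server; if the aim was only to make the hook server-agnostic, re-enable the task with the already-templated hook, `job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload {{ webserver_name }}"'`, instead of leaving it dead. On the request line, `-d www.{{ server_fqdn }}` is added unconditionally and certbot fails the whole order if any listed name is not resolvable and reachable on port 80 — this patch sets `server_fqdn` to names such as status.lilik.it and lists.lilik.it elsewhere — so the www alias should be opt-in via a role variable. The `creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem` guard only checks that a certificate exists, so a later change to the name list is never reissued; worth a comment at least. The `-a standalone` authenticator also needs port 80 free, which, with certbot now a dependency of the nginx role, presumably only holds on a host where nginx is not yet running.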
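Review bot: The dokuwiki dependency on nginx sets `config_name: "dokuwiki"` but no `server_fqdn`, unlike the icinga2, login, roundcube, sympa and wordpress meta files in this same patch, while base.j2 and the certbot task introduced here reference `{{ server_fqdn }}` unconditionally. As far as the patch shows, nothing else supplies it for dokuwiki, so templating the site would fail, or, if a host-level value happens to be defined, a certificate would be requested for the wrong name. Add `server_fqdn: "<placeholder: wiki host name>"` next to `config_name: "dokuwiki"`.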
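Review bot: The first hunk of roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 drops `client_max_body_size 4M;` and `client_body_buffer_size 128k;` together with the `server {` wrapper, which silently lowers the upload limit DokuWiki media uploads relied on: the fragment is now included inside the `server {}` of base.j2, which in the hunks visible here does not set either directive, so nginx's default 1m body limit applies. Keep the two directives at server level in this fragment, `client_max_body_size 4M;` and `client_body_buffer_size 128k;` above `root /usr/share/dokuwiki;`, or make the limit a role variable consumed by base.j2.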
diff --git a/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO b/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO deleted file mode 100644 index b4efa10..0000000 --- a/roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO +++ /dev/null @@ -1,36 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name wiki.domain.example; - return 301 https://$server_name$request_uri; -} - -server { - listen [::]:443 ssl; - listen 443 ssl; - - client_max_body_size 4M; - client_body_buffer_size 128k; - - root /usr/share/dokuwiki; - index doku.php; - - location ~ /(data/|conf/|bin/|inc/|install.php) { deny all; } - - location / { try_files $uri $uri/ @dokuwiki; } - - location @dokuwiki { - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - } - - location ~ \.php$ { - try_files $uri $uri/ /doku.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - } -} diff --git a/roles/icinga2/meta/main.yaml b/roles/icinga2/meta/main.yaml index 5a7f47c..6a5a6da 100644 --- a/roles/icinga2/meta/main.yaml +++ b/roles/icinga2/meta/main.yaml @@ -2,5 +2,6 @@ dependencies: - role: nginx php: true parent_role_path: "icinga2" - config_names: "icinga2" + config_name: "icinga2" + server_fqdn: "status.lilik.it" - role: postgresql diff --git a/roles/icinga2/templates/icinga2.conf.nginx.j2 b/roles/icinga2/templates/icinga2.conf.nginx.j2 index b9ae2d9..aaf4fbb 100644 --- a/roles/icinga2/templates/icinga2.conf.nginx.j2 +++ b/roles/icinga2/templates/icinga2.conf.nginx.j2 
@@ -1,10 +1,6 @@ -server { - listen 80; - - location = / { - return 301 http://$host/icingaweb2; + location / { + rewrite ^/$ /icingaweb2 permanent; } - location ~ ^/icingaweb2/index\.php(.*)$ { fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_index index.php; @@ -18,4 +14,3 @@ server { alias /usr/share/icingaweb2/public; try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args; } -} diff --git a/roles/login/meta/main.yaml b/roles/login/meta/main.yaml index 0659779..f3e6d8d 100644 --- a/roles/login/meta/main.yaml +++ b/roles/login/meta/main.yaml @@ -4,4 +4,5 @@ dependencies: is_proxy: true config_name: "login" remote_host: "http://localhost:5000" - server_name: "login.lilik.it" + server_fqdn: "login3.lilik.it" + parent_role_path: "login" diff --git a/roles/login/templates/login.conf.nginx.j2 b/roles/login/templates/login.conf.nginx.j2 index da88e21..d1c9867 100644 --- a/roles/login/templates/login.conf.nginx.j2 +++ b/roles/login/templates/login.conf.nginx.j2 @@ -1,28 +1 @@ - -server { - listen *:80; - - - server_name login.lilik.it; - - client_max_body_size 0; - - - location / { rewrite ^/$ /static/index.html permanent; - - proxy_http_version 1.1; - - proxy_set_header Host projects.leader.lilik.it; - proxy_set_header X-Forwarded-Host ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto http; - - proxy_pass http://localhost:5000; - proxy_hide_header Content-Security-Policy; - proxy_hide_header X-Frame-Options; - } - - -} diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 18488bd..db691ea 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,4 +1,4 @@ --- is_proxy: false php: false - config_names: [] + config_name: null diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml new file mode 100644 index 0000000..0a38d44 --- /dev/null +++ b/roles/nginx/meta/main.yaml 
@@ -0,0 +1,3 @@ +--- +dependencies: + - role: certbot diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 250a4b5..a07a76e 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -34,31 +34,36 @@ notify: - restart nginx -- name: upload nginx proxy configuration +- name: upload nginx configuration template: - src: proxy_nginx.j2 - dest: "/etc/nginx/sites-available/{{ config_name }}.conf" - when: is_proxy | bool + src: base.j2 + dest: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf" notify: - restart nginx -- name: add nginx configurations - template: - src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2" - dest: /etc/nginx/sites-available/{{ item }}.conf - with_items: "{{ config_names }}" - notify: - - restart nginx +# - name: add nginx configurations +# template: +# src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2" +# dest: /etc/nginx/sites-available/{{ item }}.conf +# with_items: "{{ config_names }}" +# notify: +# - restart nginx -- name: add proxy to config_names - set_fact: - config_names: "{{ config_names | union( [config_name])}}" - when: is_proxy | bool +# - name: add proxy to config_names +# set_fact: +# config_names: "{{ config_names | union( [config_name])}}" +# when: is_proxy | bool + +- name: create Diffie Hellman exchange parameters + command: openssl dhparam -out /etc/nginx/dhparam.pem 2048 + args: + creates: /etc/nginx/dhparam.pem + notify: restart nginx - name: enable nginx configurations file: - src: "/etc/nginx/sites-available/{{ item }}.conf" - dest: "/etc/nginx/sites-enabled/{{ item }}.conf" + src: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf" + dest: "/etc/nginx/sites-enabled/{{ config_name|default('proxy') }}.conf" state: link - with_items: "{{ config_names }}" + # with_items: "{{ config_names }}" notify: restart nginx 
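Review bot: `{{ config_name|default('proxy') }}` in the "upload nginx configuration" and "enable nginx configurations" tasks does not do what it reads as: the role default in this patch becomes `config_name: null`, and Jinja2's `default` filter only substitutes for an undefined variable, so a role that relies on the default would write and enable `/etc/nginx/sites-available/None.conf`. Use `config_name|default('proxy', true)` in both tasks; base.j2 already tests `config_name is not none`, which is the consistent check. The commented-out "add nginx configurations" and "add proxy to config_names" tasks and the `# with_items: "{{ config_names }}"` line should be removed rather than kept as comments, since the old version is in git history. The dhparam task is fine with its `creates:` guard; a `reload nginx` handler would suffice for it and for template changes, but that depends on which handlers the role defines outside this hunk.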
diff --git a/roles/nginx/templates/proxy_nginx.j2 b/roles/nginx/templates/base.j2 similarity index 68% rename from roles/nginx/templates/proxy_nginx.j2 rename to roles/nginx/templates/base.j2 index 150f1ce..0bf5639 100644 --- a/roles/nginx/templates/proxy_nginx.j2 +++ b/roles/nginx/templates/base.j2 @@ -3,14 +3,14 @@ server { listen [::]:443 ssl http2; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate /etc/letsencrypt/live/login3.lilik.it/cert.pem; - ssl_certificate_key /etc/letsencrypt/live/login3.lilik.it/privkey.pem; + ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - #ssl_dhparam /path/to/dhparam.pem; + ssl_dhparam /etc/nginx/dhparam.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; @@ -26,18 +26,13 @@ server { ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs - #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; - - location / { - client_max_body_size 50M; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass {{ remote_host }}; - } + ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem; + +{% if config_name is not none %} +{% include "roles/%s/templates/%s.conf.nginx.j2" % (parent_role_path, config_name) %} +{% endif %} +{% if is_proxy %} +{% include "proxy.conf.nginx.j2" %} +{% endif %} } 
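Review bot: `ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem;` in the first hunk of base.j2 points at the leaf certificate only, so nginx sends no intermediate in the handshake and clients that do not already have the Let's Encrypt intermediate cached fail validation — the comment two lines above says exactly that the chain sent to the client is what goes in `ssl_certificate`; change it to `ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem;` (the `privkey.pem` line is correct). Unchanged context, but this template now fronts every site in the repository: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1 and should be tightened to `ssl_protocols TLSv1.2;` unless a known client needs the older versions. The second hunk, which builds the include path from `parent_role_path` and `config_name`, raises nothing from my side since both values come from role meta files, not from request data.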
diff --git a/roles/nginx/templates/proxy.conf.nginx.j2 b/roles/nginx/templates/proxy.conf.nginx.j2 new file mode 100644 index 0000000..79a71c6 --- /dev/null +++ b/roles/nginx/templates/proxy.conf.nginx.j2 @@ -0,0 +1,11 @@ + location / { + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass {{ remote_host }}; + } diff --git a/roles/reverse_proxy/templates/http.j2 b/roles/reverse_proxy/templates/http.j2 index 3757a4a..8925a46 100644 --- a/roles/reverse_proxy/templates/http.j2 +++ b/roles/reverse_proxy/templates/http.j2 @@ -10,6 +10,7 @@ server { proxy_set_header X-NginX-Proxy true; proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }}; } + location / { if ($request_method = POST) { return 307 https://$server_name$request_uri; diff --git a/roles/roundcube/meta/main.yaml b/roles/roundcube/meta/main.yaml index 8c7674e..197844a 100644 --- a/roles/roundcube/meta/main.yaml +++ b/roles/roundcube/meta/main.yaml @@ -2,4 +2,6 @@ dependencies: - role: nginx php: true + config_name: "roundcube" + server_fqdn: "webmail.lilik.it" parent_role_path: "roundcube" diff --git a/roles/roundcube/templates/roundcube.conf.nginx.j2 b/roles/roundcube/templates/roundcube.conf.nginx.j2 index b5bd8db..3997eea 100644 --- a/roles/roundcube/templates/roundcube.conf.nginx.j2 +++ b/roles/roundcube/templates/roundcube.conf.nginx.j2 @@ -1,6 +1,3 @@ -server { - listen 80; - # support roundcubemail secure urls rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1; @@ -20,4 +17,3 @@ server { location ~ /\.ht { deny all; } -} diff --git a/roles/sympa/meta/main.yaml b/roles/sympa/meta/main.yaml index 9acd286..df06a87 100644 --- a/roles/sympa/meta/main.yaml +++ b/roles/sympa/meta/main.yaml 
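Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the new proxy.conf.nginx.j2 sets a header on the request forwarded to the upstream, not on the response to the browser, so it provides no clickjacking protection; the response header is set with `add_header X-Frame-Options SAMEORIGIN;`, bearing in mind that `add_header` inside a `location` replaces any `add_header` inherited from the server level, so any headers base.j2 gains later must be repeated here. Separately, `proxy_set_header Connection "upgrade";` is sent on every proxied request rather than only on WebSocket upgrades; the usual form is a `map $http_upgrade $connection_upgrade { ... }` at http level and `proxy_set_header Connection $connection_upgrade;` here, so plain keep-alive requests reach the backend with a sane Connection header. This fragment is included for every role with `is_proxy: true`, so both points affect the login proxy as well.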
@@ -1,6 +1,8 @@ --- dependencies: - role: nginx + config_name: "sympa" + server_fqdn: "lists.lilik.it" parent_role_path: "sympa" - role: exim4 stmp_relay: "{{ hostvars['mail'].ansible_host }}" diff --git a/roles/sympa/templates/sympa.conf.nginx.j2 b/roles/sympa/templates/sympa.conf.nginx.j2 index d94a8f4..0554d67 100644 --- a/roles/sympa/templates/sympa.conf.nginx.j2 +++ b/roles/sympa/templates/sympa.conf.nginx.j2 @@ -1,12 +1,5 @@ -# based on https://gist.github.com/bjacint/7862912 - -server { - listen 80; - - server_name *.*; + # based on https://gist.github.com/bjacint/7862912 root /usr/lib/cgi-bin/sympa; - access_log /var/log/nginx/sympa.access.log; - error_log /var/log/nginx/sympa.error.log; error_page 403 500 502 503 504 /50x.html; rewrite ^/$ /wws permanent; @@ -62,4 +55,3 @@ server { fastcgi_param HTTP_HOST $http_host; fastcgi_intercept_errors on; } -} diff --git a/roles/wordpress/meta/main.yaml b/roles/wordpress/meta/main.yaml index fa6d857..497ddd0 100644 --- a/roles/wordpress/meta/main.yaml +++ b/roles/wordpress/meta/main.yaml @@ -1,6 +1,8 @@ --- dependencies: - - role: apache2 + - role: nginx php: true parent_role_path: "wordpress" + config_name: "wordpress" + server_fqdn: "blog.lilik.it" - role: mysql diff --git a/roles/wordpress/templates/wordpress.apache2.j2 b/roles/wordpress/templates/wordpress.apache2.j2 deleted file mode 100644 index 9f3f28f..0000000 --- a/roles/wordpress/templates/wordpress.apache2.j2 +++ /dev/null @@ -1,11 +0,0 @@ - - ServerName {{ item }}.lilik.it - DocumentRoot /usr/share/wordpress - DirectoryIndex index.php - Alias /wp-content/ "/srv/www/wp-content/{{ item }}.lilik.it/" - - AllowOverride All - Order Deny,Allow - Allow from all - - diff --git a/roles/wordpress/templates/wordpress.conf.nginx.j2 b/roles/wordpress/templates/wordpress.conf.nginx.j2 new file mode 100644 index 0000000..b8e4e06 --- /dev/null +++ b/roles/wordpress/templates/wordpress.conf.nginx.j2 
@@ -0,0 +1,28 @@ +root /usr/share/wordpress; + +index index.php; + +location /wp-content/ { + alias /srv/www/wp-content/$host/; +} + +location ~ \.php$ { + include snippets/fastcgi-php.conf; + + fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; +} + +#deny access to .htaccess files, if Apache's document root +#concurs with nginx's one +location ~ /\.ht { + deny all; +} + +location /files { + rewrite ^/files/(.+) /wp-includes/ms-files.php?file=$1 break; +} +location / { + if (-e $request_filename){ + rewrite ^(.*)$ /index.php break; + } +}
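Review bot: `alias /srv/www/wp-content/$host/;` lets the client's Host header choose which directory under /srv/www/wp-content/ is served; nginx's Host validation rejects path separators and dot-dot so this is not a traversal, but any sibling site's content directory becomes reachable just by naming it, and since base.j2 shows no `server_name` in the visible hunks every Host value is presumably accepted. The role already carries the hostname, so use `alias /srv/www/wp-content/{{ server_fqdn }}/;`. The final `location /` also looks inverted: the common WordPress form is `if (!-e $request_filename)` (send non-existent paths to index.php), and with `break` the rewritten `/index.php` is not re-matched against the `~ \.php$` location, so as written an existing path would be answered with index.php served as a static file; `location / { try_files $uri $uri/ /index.php?$args; }` expresses the intent without `if`. Finally, because the `~ \.php$` regex location wins over the `/wp-content/` prefix, PHP files placed under wp-content/uploads are executed by php-fpm; adding `location ~* /wp-content/uploads/.*\.php$ { deny all; }` above the PHP location closes that.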